@noy-db/hub 0.1.0-pre.10

package/dist/i18n/index.cjs

@@ -0,0 +1,840 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/i18n/index.ts
+var i18n_exports = {};
+__export(i18n_exports, {
+  DICT_COLLECTION_PREFIX: () => DICT_COLLECTION_PREFIX,
+  DictKeyInUseError: () => DictKeyInUseError,
+  DictKeyMissingError: () => DictKeyMissingError,
+  DictionaryHandle: () => DictionaryHandle,
+  LocaleNotSpecifiedError: () => LocaleNotSpecifiedError,
+  MissingTranslationError: () => MissingTranslationError,
+  ReservedCollectionNameError: () => ReservedCollectionNameError,
+  TranslatorNotConfiguredError: () => TranslatorNotConfiguredError,
+  applyI18nLocale: () => applyI18nLocale,
+  dictCollectionName: () => dictCollectionName,
+  dictKey: () => dictKey,
+  i18nText: () => i18nText,
+  isDictCollectionName: () => isDictCollectionName,
+  isDictKeyDescriptor: () => isDictKeyDescriptor,
+  isI18nTextDescriptor: () => isI18nTextDescriptor,
+  resolveI18nText: () => resolveI18nText,
+  validateI18nTextValue: () => validateI18nTextValue,
+  withI18n: () => withI18n
+});
+module.exports = __toCommonJS(i18n_exports);
+
+// src/errors.ts
+var NoydbError = class extends Error {
+  /** Machine-readable error code. Stable across library versions. */
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "NoydbError";
+    this.code = code;
+  }
+};
+var DecryptionError = class extends NoydbError {
+  constructor(message = "Decryption failed") {
+    super("DECRYPTION_FAILED", message);
+    this.name = "DecryptionError";
+  }
+};
+var TamperedError = class extends NoydbError {
+  constructor(message = "Data integrity check failed \u2014 record may have been tampered with") {
+    super("TAMPERED", message);
+    this.name = "TamperedError";
+  }
+};
+var PermissionDeniedError = class extends NoydbError {
+  constructor(message = "Permission denied \u2014 insufficient role for this operation") {
+    super("PERMISSION_DENIED", message);
+    this.name = "PermissionDeniedError";
+  }
+};
+var ValidationError = class extends NoydbError {
+  constructor(message = "Validation error") {
+    super("VALIDATION_ERROR", message);
+    this.name = "ValidationError";
+  }
+};
+var ReservedCollectionNameError = class extends NoydbError {
+  /** The rejected collection name. */
+  collectionName;
+  constructor(collectionName) {
+    super(
+      "RESERVED_COLLECTION_NAME",
+      `"${collectionName}" is a reserved collection name. Use vault.dictionary("${collectionName.replace(/^_dict_/, "")}") to access dictionary collections.`
+    );
+    this.name = "ReservedCollectionNameError";
+    this.collectionName = collectionName;
+  }
+};
+var DictKeyMissingError = class extends NoydbError {
+  /** The dictionary name. */
+  dictionaryName;
+  /** The key that was not found. */
+  key;
+  constructor(dictionaryName, key) {
+    super(
+      "DICT_KEY_MISSING",
+      `Dictionary "${dictionaryName}" has no entry for key "${key}".`
+    );
+    this.name = "DictKeyMissingError";
+    this.dictionaryName = dictionaryName;
+    this.key = key;
+  }
+};
+var DictKeyInUseError = class extends NoydbError {
+  /** The dictionary name. */
+  dictionaryName;
+  /** The key that is still referenced. */
+  key;
+  /** Name of the first collection found to reference this key. */
+  usedBy;
+  /** Number of records in `usedBy` that reference this key. */
+  count;
+  constructor(dictionaryName, key, usedBy, count) {
+    super(
+      "DICT_KEY_IN_USE",
+      `Cannot delete key "${key}" from dictionary "${dictionaryName}": ${count} record(s) in "${usedBy}" still reference it. Use dictionary.rename("${key}", newKey) to rewrite references first.`
+    );
+    this.name = "DictKeyInUseError";
+    this.dictionaryName = dictionaryName;
+    this.key = key;
+    this.usedBy = usedBy;
+    this.count = count;
+  }
+};
+var MissingTranslationError = class extends NoydbError {
+  /** The field name whose translation(s) are missing. */
+  field;
+  /** Locale codes that were required but absent. */
+  missing;
+  constructor(field, missing, message) {
+    super(
+      "MISSING_TRANSLATION",
+      message ?? `Field "${field}": missing required translation(s): ${missing.join(", ")}.`
+    );
+    this.name = "MissingTranslationError";
+    this.field = field;
+    this.missing = missing;
+  }
+};
+var LocaleNotSpecifiedError = class extends NoydbError {
+  /** The field name that required a locale. */
+  field;
+  constructor(field, message) {
+    super(
+      "LOCALE_NOT_SPECIFIED",
+      message ?? `Cannot read i18nText field "${field}" without a locale. Pass { locale } to get()/list()/query() or set a default via openVault(name, { locale }).`
+    );
+    this.name = "LocaleNotSpecifiedError";
+    this.field = field;
+  }
+};
+var TranslatorNotConfiguredError = class extends NoydbError {
+  /** The field that requested auto-translation. */
+  field;
+  /** The collection the put was targeting. */
+  collection;
+  constructor(field, collection) {
+    super(
+      "TRANSLATOR_NOT_CONFIGURED",
+      `Field "${field}" in collection "${collection}" has autoTranslate: true, but no plaintextTranslator was configured on createNoydb(). Either configure a plaintextTranslator or remove autoTranslate from the schema.`
+    );
+    this.name = "TranslatorNotConfiguredError";
+    this.field = field;
+    this.collection = collection;
+  }
+};
+
+// src/i18n/core.ts
+function i18nText(options) {
+  return { _noydbI18nText: true, options };
+}
+function isI18nTextDescriptor(x) {
+  return typeof x === "object" && x !== null && x._noydbI18nText === true;
+}
+function validateI18nTextValue(value, field, descriptor) {
+  const { options } = descriptor;
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    throw new MissingTranslationError(
+      field,
+      options.languages,
+      `Field "${field}" must be a { [locale]: string } map, got ${typeof value}.`
+    );
+  }
+  const map = value;
+  for (const [locale, v] of Object.entries(map)) {
+    if (typeof v !== "string") {
+      throw new MissingTranslationError(
+        field,
+        [locale],
+        `Field "${field}": locale "${locale}" must be a string, got ${typeof v}.`
+      );
+    }
+  }
+  const { required } = options;
+  if (required === "all") {
+    const missing = options.languages.filter(
+      (lang) => !(lang in map) || map[lang] === ""
+    );
+    if (missing.length > 0) {
+      throw new MissingTranslationError(
+        field,
+        missing,
+        `Field "${field}" requires all declared languages. Missing: ${missing.join(", ")}.`
+      );
+    }
+  } else if (required === "any") {
+    const present = options.languages.some(
+      (lang) => lang in map && map[lang] !== ""
+    );
+    if (!present) {
+      throw new MissingTranslationError(
+        field,
+        options.languages,
+        `Field "${field}" requires at least one declared language. None present.`
+      );
+    }
+  } else {
+    const requiredList = required;
+    const missing = requiredList.filter(
+      (lang) => !(lang in map) || map[lang] === ""
+    );
+    if (missing.length > 0) {
+      throw new MissingTranslationError(
+        field,
+        missing,
+        `Field "${field}" requires: ${requiredList.join(", ")}. Missing: ${missing.join(", ")}.`
+      );
+    }
+  }
+}
+function resolveI18nText(value, locale, fallback, field) {
+  if (locale === "raw") {
+    return value;
+  }
+  if (!locale) {
+    throw new LocaleNotSpecifiedError(field ?? "<unknown>");
+  }
+  if (value[locale] !== void 0 && value[locale] !== "") {
+    return value[locale];
+  }
+  const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
+  for (const fb of chain) {
+    if (fb === "any") {
+      const any = Object.values(value).find((v) => v !== "");
+      if (any !== void 0) return any;
+    } else if (value[fb] !== void 0 && value[fb] !== "") {
+      return value[fb];
+    }
+  }
+  throw new LocaleNotSpecifiedError(
+    field ?? "<unknown>",
+    `No translation available for locale "${locale}"` + (chain.length > 0 ? ` or fallback chain [${chain.join(", ")}]` : "") + "."
+  );
+}
+function applyI18nLocale(record, i18nFields, locale, fallback) {
+  const fieldNames = Object.keys(i18nFields);
+  if (fieldNames.length === 0) return record;
+  const result = { ...record };
+  for (const field of fieldNames) {
+    const raw = result[field];
+    if (raw === void 0 || raw === null) continue;
+    if (typeof raw !== "object" || Array.isArray(raw)) continue;
+    result[field] = resolveI18nText(
+      raw,
+      locale,
+      fallback,
+      field
+    );
+  }
+  return result;
+}
+
+// src/types.ts
+var NOYDB_FORMAT_VERSION = 1;
+var NOYDB_KEYRING_VERSION = 1;
+
+// src/crypto.ts
+var IV_BYTES = 12;
+var KEY_BITS = 256;
+var subtle = globalThis.crypto.subtle;
+async function generateDEK() {
+  return subtle.generateKey(
+    { name: "AES-GCM", length: KEY_BITS },
+    true,
+    // extractable — needed for AES-KW wrapping
+    ["encrypt", "decrypt"]
+  );
+}
+async function wrapKey(dek, kek) {
+  const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function encrypt(plaintext, dek) {
+  const iv = generateIV();
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    encoded
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decrypt(ivBase64, dataBase64, dek) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      dek,
+      ciphertext
+    );
+    return new TextDecoder().decode(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+function generateIV() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
+}
+function bufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/team/keyring.ts
+var CANARY_PLAINTEXT_BYTES = new Uint8Array(32);
+var canaryKeyPromise = null;
+function getCanaryKey() {
+  if (canaryKeyPromise === null) {
+    canaryKeyPromise = globalThis.crypto.subtle.importKey(
+      "raw",
+      CANARY_PLAINTEXT_BYTES,
+      { name: "AES-GCM", length: 256 },
+      true,
+      // extractable so AES-KW can wrap it
+      ["encrypt", "decrypt"]
+    );
+  }
+  return canaryKeyPromise;
+}
+async function mintKeyringCanary(kek) {
+  const canaryKey = await getCanaryKey();
+  return wrapKey(canaryKey, kek);
+}
+async function ensureCollectionDEK(adapter, vault, keyring) {
+  const inFlight = /* @__PURE__ */ new Map();
+  return async (collectionName) => {
+    const existing = keyring.deks.get(collectionName);
+    if (existing) return existing;
+    const pending = inFlight.get(collectionName);
+    if (pending) return pending;
+    const promise = (async () => {
+      const dek = await generateDEK();
+      keyring.deks.set(collectionName, dek);
+      await persistKeyring(adapter, vault, keyring);
+      return dek;
+    })();
+    inFlight.set(collectionName, promise);
+    try {
+      return await promise;
+    } finally {
+      inFlight.delete(collectionName);
+    }
+  };
+}
+async function persistKeyring(adapter, vault, keyring) {
+  if (!keyring.kek) {
+    throw new ValidationError(
+      "persistKeyring: keyring.kek is null \u2014 cannot wrap DEKs without the KEK. This typically means the keyring was opened via tier-3 PIN resume, session restore, or a wrap-DEKs tier-2 unlock. Re-authenticate at tier 1 (passphrase) before persisting."
+    );
+  }
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, keyring.kek);
+  }
+  const canary = await mintKeyringCanary(keyring.kek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(keyring.salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    canary,
+    ...keyring.exportCapability !== void 0 && { export_capability: keyring.exportCapability },
+    ...keyring.importCapability !== void 0 && { import_capability: keyring.importCapability },
+    ...keyring.authenticators.length > 0 && { authenticators: keyring.authenticators },
+    ...keyring.policy !== void 0 && { policy: keyring.policy }
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+}
+async function writeKeyringFile(adapter, vault, userId, keyringFile) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(keyringFile)
+  };
+  await adapter.put(vault, "_keyring", userId, envelope);
+}
+
+// src/history/ledger/entry.ts
+async function sha256Hex(input) {
+  const bytes = new TextEncoder().encode(input);
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+  return bytesToHex(new Uint8Array(digest));
+}
+function bytesToHex(bytes) {
+  const hex = new Array(bytes.length);
+  for (let i = 0; i < bytes.length; i++) {
+    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, "0");
+  }
+  return hex.join("");
+}
+
+// src/history/ledger/hash.ts
+async function envelopePayloadHash(envelope) {
+  if (!envelope) return "";
+  return sha256Hex(envelope._data);
+}
+
+// src/i18n/dictionary.ts
+var DICT_COLLECTION_PREFIX = "_dict_";
+function dictCollectionName(dictionaryName) {
+  return `${DICT_COLLECTION_PREFIX}${dictionaryName}`;
+}
+function isDictCollectionName(name) {
+  return name.startsWith(DICT_COLLECTION_PREFIX);
+}
+function dictKey(name, keys) {
+  return { _noydbDictKey: true, name, keys };
+}
+function isDictKeyDescriptor(x) {
+  return typeof x === "object" && x !== null && x._noydbDictKey === true;
+}
+var DictionaryHandle = class {
+  constructor(adapter, compartmentName, dictionaryName, keyring, getDEK, encrypted, ledger, options, findAndUpdateReferences, emitter) {
+    this.adapter = adapter;
+    this.compartmentName = compartmentName;
+    this.dictionaryName = dictionaryName;
+    this.keyring = keyring;
+    this.getDEK = getDEK;
+    this.encrypted = encrypted;
+    this.ledger = ledger;
+    this.options = options;
+    this.findAndUpdateReferences = findAndUpdateReferences;
+    this.emitter = emitter;
+    this.collName = dictCollectionName(dictionaryName);
+  }
+  adapter;
+  compartmentName;
+  dictionaryName;
+  keyring;
+  getDEK;
+  encrypted;
+  ledger;
+  options;
+  findAndUpdateReferences;
+  emitter;
+  collName;
+  /**
+   * Synchronous write-through cache for dict-join support.
+   * Populated on every `put()`, `delete()`, and `rename()`. The snapshot
+   * is built from this cache by `snapshotEntries()` — the query executor
+   * calls this synchronously inside `.toArray()`.
+   *
+   * `null` means "not yet initialized" — callers should use `list()`
+   * to warm the cache before using dict joins on pre-existing data.
+   */
+  _syncCache = /* @__PURE__ */ new Map();
+  /**
+   * Return all cached entries as `{ key, labels, ...labels }` records —
+   * usable synchronously by the join executor's `snapshot()` call.
+   * Returns an empty array when the cache has never been populated.
+   */
+  snapshotEntries() {
+    return Array.from(this._syncCache.values()).map((e) => ({
+      key: e.key,
+      labels: e.labels,
+      ...e.labels
+    }));
+  }
+  // ─── Access checks ────────────────────────────────────────────────
+  requireWriteAccess() {
+    const minRole = this.options.writableBy ?? "admin";
+    const roleRank = {
+      client: 1,
+      viewer: 2,
+      operator: 3,
+      admin: 4,
+      owner: 5
+    };
+    const callerRank = roleRank[this.keyring.role] ?? 0;
+    const requiredRank = roleRank[minRole] ?? 4;
+    if (callerRank < requiredRank) {
+      throw new PermissionDeniedError(
+        `Dictionary "${this.dictionaryName}" writes require "${minRole}" role or above. Current role: "${this.keyring.role}".`
+      );
+    }
+  }
+  // ─── Internal helpers ─────────────────────────────────────────────
+  async getDekForDict() {
+    const resolve = await ensureCollectionDEK(
+      this.adapter,
+      this.compartmentName,
+      this.keyring
+    );
+    return resolve(this.collName);
+  }
+  async encryptEntry(entry, version) {
+    if (!this.encrypted) {
+      return {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: version,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: "",
+        _data: JSON.stringify(entry),
+        _by: this.keyring.userId
+      };
+    }
+    const dek = await this.getDekForDict();
+    const { iv, data } = await encrypt(JSON.stringify(entry), dek);
+    return {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: version,
+      _ts: (/* @__PURE__ */ new Date()).toISOString(),
+      _iv: iv,
+      _data: data,
+      _by: this.keyring.userId
+    };
+  }
+  async decryptEntry(envelope) {
+    if (!this.encrypted) {
+      return JSON.parse(envelope._data);
+    }
+    const dek = await this.getDekForDict();
+    const json = await decrypt(envelope._iv, envelope._data, dek);
+    return JSON.parse(json);
+  }
+  // ─── Public API ───────────────────────────────────────────────────
+  /**
+   * Add or overwrite a single dictionary entry.
+   *
+   * @param key    The stable key to store (e.g. `'paid'`).
+   * @param labels Locale → label map (e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`).
+   */
+  async put(key, labels) {
+    this.requireWriteAccess();
+    const entry = { key, labels };
+    const existing = await this.adapter.get(
+      this.compartmentName,
+      this.collName,
+      key
+    );
+    const version = existing ? existing._v + 1 : 1;
+    const envelope = await this.encryptEntry(entry, version);
+    await this.adapter.put(
+      this.compartmentName,
+      this.collName,
+      key,
+      envelope,
+      existing ? existing._v : void 0
+    );
+    this._syncCache.set(key, entry);
+    this.emitter.emit("change", {
+      vault: this.compartmentName,
+      collection: this.collName,
+      id: key,
+      action: "put"
+    });
+    if (this.ledger) {
+      await this.ledger.append({
+        op: "put",
+        collection: this.collName,
+        id: key,
+        version,
+        actor: this.keyring.userId,
+        //  — must be the real envelope hash so
+        // vault.verifyBackupIntegrity()'s data-cross-check matches.
+        payloadHash: await envelopePayloadHash(envelope)
+      });
+    }
+  }
+  /**
+   * Batch-add or overwrite multiple dictionary entries in one call.
+   *
+   * @param entries  `{ key: { locale: label } }` map.
+   */
+  async putAll(entries) {
+    this.requireWriteAccess();
+    for (const [key, labels] of Object.entries(entries)) {
+      await this.put(key, labels);
+    }
+  }
+  /**
+   * Load the label map for a single key.
+   *
+   * @returns The label map, or `null` if the key doesn't exist.
+   */
+  async get(key) {
+    const envelope = await this.adapter.get(
+      this.compartmentName,
+      this.collName,
+      key
+    );
+    if (!envelope) return null;
+    const entry = await this.decryptEntry(envelope);
+    return entry.labels;
+  }
+  /**
+   * Delete a dictionary key.
+   *
+   * Default mode is `'strict'` — throws `DictKeyInUseError` if any
+   * registered collection has a record referencing this key. Pass
+   * `{ mode: 'warn' }` to skip the check (dev-mode cleanup only).
+   */
+  async delete(key, opts = {}) {
+    this.requireWriteAccess();
+    const existing = await this.adapter.get(
+      this.compartmentName,
+      this.collName,
+      key
+    );
+    if (!existing) {
+      throw new DictKeyMissingError(this.dictionaryName, key);
+    }
+    const mode = opts.mode ?? "strict";
+    if (mode === "strict" && this.findAndUpdateReferences) {
+    }
+    await this.adapter.delete(this.compartmentName, this.collName, key);
+    this._syncCache.delete(key);
+    this.emitter.emit("change", {
+      vault: this.compartmentName,
+      collection: this.collName,
+      id: key,
+      action: "delete"
+    });
+    if (this.ledger) {
+      await this.ledger.append({
+        op: "delete",
+        collection: this.collName,
+        id: key,
+        version: existing._v,
+        actor: this.keyring.userId,
+        //  — for delete the prior envelope is what was just
+        // removed; we hash it so the chain captures intent. The
+        // verifyBackupIntegrity data-cross-check skips delete
+        // entries entirely (the live record is gone), but the
+        // chain still benefits from a stable non-empty hash.
+        payloadHash: await envelopePayloadHash(existing)
+      });
+    }
+  }
+  /**
+   * Rename a dictionary key — the only sanctioned mass-mutation path.
+   *
+   * Atomically:
+   * 1. Adds the new key with the same labels as the old key.
+   * 2. Updates every registered record that stores the old key to
+   *    store the new key instead.
+   * 3. Deletes the old key.
+   * 4. Appends a single ledger entry recording the rename.
+   *
+   * Respects ACL: throws `PermissionDeniedError` before any mutation
+   * if the caller can't write. The cascade is best-effort atomic
+   * within this call — no two-phase commit across adapter calls.
+   *
+   * Cascade-on-delete is NOT supported. Use `rename()` when you need
+   * to change a key that records reference.
+   */
+  async rename(oldKey, newKey) {
+    this.requireWriteAccess();
+    const existing = await this.adapter.get(
+      this.compartmentName,
+      this.collName,
+      oldKey
+    );
+    if (!existing) {
+      throw new DictKeyMissingError(this.dictionaryName, oldKey);
+    }
+    const oldEntry = await this.decryptEntry(existing);
+    const newEntry = { key: newKey, labels: oldEntry.labels };
+    const newEnvelope = await this.encryptEntry(newEntry, 1);
+    await this.adapter.put(
+      this.compartmentName,
+      this.collName,
+      newKey,
+      newEnvelope
+    );
+    if (this.findAndUpdateReferences) {
+      await this.findAndUpdateReferences(this.dictionaryName, oldKey, newKey);
+    }
+    await this.adapter.delete(this.compartmentName, this.collName, oldKey);
+    this._syncCache.delete(oldKey);
+    this._syncCache.set(newKey, newEntry);
+    this.emitter.emit("change", {
+      vault: this.compartmentName,
+      collection: this.collName,
+      id: oldKey,
+      action: "delete"
+    });
+    this.emitter.emit("change", {
+      vault: this.compartmentName,
+      collection: this.collName,
+      id: newKey,
+      action: "put"
+    });
+    if (this.ledger) {
+      await this.ledger.append({
+        op: "delete",
+        collection: this.collName,
+        id: oldKey,
+        version: existing._v,
+        actor: this.keyring.userId,
+        payloadHash: await envelopePayloadHash(existing)
+      });
+      await this.ledger.append({
+        op: "put",
+        collection: this.collName,
+        id: newKey,
+        version: 1,
+        actor: this.keyring.userId,
+        payloadHash: await envelopePayloadHash(newEnvelope)
+      });
+    }
+  }
+  /**
+   * List all entries in this dictionary.
+   *
+   * @returns Array of `{ key, labels }` objects.
+   */
+  async list() {
+    const keys = await this.adapter.list(this.compartmentName, this.collName);
+    const entries = [];
+    for (const key of keys) {
+      const envelope = await this.adapter.get(
+        this.compartmentName,
+        this.collName,
+        key
+      );
+      if (!envelope) continue;
+      const entry = await this.decryptEntry(envelope);
+      entries.push(entry);
+      this._syncCache.set(key, entry);
+    }
+    return entries;
+  }
+  /**
+   * Resolve a key to its label for the given locale.
+   *
+   * Used by the collection's locale-aware read path to populate
+   * `<field>Label` virtual fields. Returns `undefined` when the
+   * key doesn't exist or has no label for the requested locale
+   * (after exhausting the fallback chain).
+   */
+  async resolveLabel(key, locale, fallback) {
+    const labels = await this.get(key);
+    if (!labels) return void 0;
+    if (labels[locale] !== void 0) return labels[locale];
+    const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
+    for (const fb of chain) {
+      if (fb === "any") {
+        const any = Object.values(labels)[0];
+        if (any !== void 0) return any;
+      } else if (labels[fb] !== void 0) {
+        return labels[fb];
+      }
+    }
+    return void 0;
+  }
+};
+
+// src/i18n/active.ts
+function withI18n() {
+  return {
+    applyI18nLocale,
+    validateI18nTextValue,
+    buildDictionaryHandle(opts) {
+      return new DictionaryHandle(
+        opts.adapter,
+        opts.compartmentName,
+        opts.dictionaryName,
+        opts.keyring,
+        opts.getDEK,
+        opts.encrypted,
+        opts.ledger,
+        opts.options,
+        opts.findAndUpdateReferences,
+        opts.emitter
+      );
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DICT_COLLECTION_PREFIX,
+  DictKeyInUseError,
+  DictKeyMissingError,
+  DictionaryHandle,
+  LocaleNotSpecifiedError,
+  MissingTranslationError,
+  ReservedCollectionNameError,
+  TranslatorNotConfiguredError,
+  applyI18nLocale,
+  dictCollectionName,
+  dictKey,
+  i18nText,
+  isDictCollectionName,
+  isDictKeyDescriptor,
+  isI18nTextDescriptor,
+  resolveI18nText,
+  validateI18nTextValue,
+  withI18n
+});
+//# sourceMappingURL=index.cjs.map