@noy-db/hub 0.1.0-pre.10

package/dist/team/index.d.cts

@@ -0,0 +1,117 @@
+import { at as NoydbStore, ar as UnlockedKeyring } from '../types-zwwMOqkg.cjs';
+export { b0 as BundleRecipient, bk as EnrollAuthenticatorOptions, bl as EnrollAuthenticatorWrappingDEKsOptions, bm as EnrollAuthenticatorWrappingKEKOptions, c1 as PaperRecoveryEntry, c8 as PresenceHandle, ct as RecoverPassphraseInput, cu as RecoverPassphraseResult, cv as RecoverUserOptions, cw as RecoveryProof, cz as RotatePassphraseInput, cC as SlotRewrapCeremony, cD as SlotRewrapContext, cK as SyncEngine, cS as SyncTransaction, c_ as UpdateAuthenticatorOptions, db as WrappedDeksBlob, dd as buildRecipientKeyringFile, de as burnPaperRecoveryEntry, dT as changeSecret, dU as createOwnerKeyring, dh as deriveMagicLinkContentKey, di as enrollAuthenticator, dV as ensureCollectionDEK, dk as evaluateExportCapability, dl as evaluateImportCapability, dm as findAuthenticator, dW as grant, dn as hasExportCapability, dp as hasImportCapability, dr as isMagicLinkGrantExpired, dw as listMagicLinkGrants, dx as listUsers, dy as listUsersWithEnvelopes, dX as loadKeyring, dA as loadPaperRecoveryEntries, dB as magicLinkGrantRecordId, dC as mintPaperRecoveryEntry, dD as mintWrappedDeksBlob, dY as persistKeyring, dE as readMagicLinkGrantRecord, du as recoverPassphrase, dF as recoverUser, dG as removeAuthenticator, dZ as revoke, dJ as revokeMagicLinkGrant, dv as rotatePassphrase, dK as savePaperRecoveryEntries, dL as unwrapDeksFromBlob, dM as unwrapDeksFromPaperEntry, dN as unwrapMagicLinkGrant, d_ as updateAuthenticator, d$ as updateKeyringIdentity, dS as writeMagicLinkGrant } from '../types-zwwMOqkg.cjs';
+import '../lazy-builder-CZVLKh0Z.cjs';
+import '../predicate-SBHmi6D0.cjs';
+import '../strategy-D-SrOLCl.cjs';
+import '../strategy-BSxFXGzb.cjs';
+import '../index-CLRxPs-W.cjs';
+
+/**
+ * _sync_credentials reserved collection —
+ *
+ * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as
+ * encrypted records inside the vault itself. Tokens are wrapped with the
+ * compartment's own DEK, live on disk as ciphertext like any other record, and
+ * are accessed only through the dedicated API in this module — never via
+ * `vault.collection('_sync_credentials')`.
+ *
+ * Design decisions
+ * ────────────────
+ *
+ * **Why a reserved collection, not a separate store?**
+ * The compartment's existing encryption stack (AES-256-GCM + collection DEK)
+ * is exactly the right primitive for protecting OAuth tokens at rest. Using a
+ * separate store would require a new encryption surface, new adapter calls,
+ * and a new backup/restore path — all of which already exist for collections.
+ *
+ * **Why not exposed as a regular collection?**
+ * The same reason `_keyring` and `_ledger` aren't: they have invariants that
+ * must be enforced (naming scheme, no cross-user leakage, no schema
+ * validation, no history/ledger writes for privacy). Routing through a
+ * dedicated API enforces those invariants.
+ *
+ * **Token lifecycle:**
+ * - `putCredential(vault, adapterId, token)` — store or overwrite
+ * - `getCredential(vault, adapterId)` — load and decrypt
+ * - `deleteCredential(vault, adapterId)` — remove
+ * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)
+ *
+ * The `adapterId` is the record ID within the `_sync_credentials` collection.
+ * It should be a stable, human-readable identifier for the adapter instance
+ * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).
+ *
+ * **ACL:** only `owner` and `admin` roles can read/write sync credentials.
+ * Operators, viewers, and clients cannot call this API. The check is made
+ * against the caller's keyring role at call time.
+ */
+
+/** The reserved collection name. Never collides with user collections. */
+declare const SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
+/**
+ * An OAuth/auth token stored in `_sync_credentials`.
+ *
+ * Fields mirror the OAuth2 token response shape. `customData` is an escape
+ * hatch for adapter-specific secrets (API keys, connection strings, etc.)
+ * that don't fit the OAuth2 shape.
+ */
+interface SyncCredential {
+    /** Stable identifier for the adapter instance (e.g. 'google-drive'). */
+    readonly adapterId: string;
+    /** OAuth token type, usually 'Bearer'. */
+    readonly tokenType: string;
+    /** The access token. Expires at `expiresAt` if set. */
+    readonly accessToken: string;
+    /** Long-lived refresh token for renewing the access token. */
+    readonly refreshToken?: string;
+    /** ISO timestamp when `accessToken` expires. Absent means "no expiry". */
+    readonly expiresAt?: string;
+    /** Space-separated OAuth scopes. */
+    readonly scopes?: string;
+    /** Adapter-specific opaque data (API keys, endpoints, etc.). */
+    readonly customData?: Record<string, string>;
+}
+/**
+ * Store or overwrite a sync credential for the given adapter.
+ *
+ * The credential is encrypted with the `_sync_credentials` collection DEK
+ * (auto-generated on first use). The record ID is the `adapterId`.
+ *
+ * Requires owner or admin role.
+ */
+declare function putCredential(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, credential: SyncCredential): Promise<void>;
+/**
+ * Load and decrypt a sync credential for the given adapter ID.
+ *
+ * Returns `null` if no credential exists for this adapter.
+ * Requires owner or admin role.
+ */
+declare function getCredential(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, adapterId: string): Promise<SyncCredential | null>;
+/**
+ * Delete a sync credential by adapter ID.
+ *
+ * No-op if the credential doesn't exist. Requires owner or admin role.
+ */
+declare function deleteCredential(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, adapterId: string): Promise<void>;
+/**
+ * List all adapter IDs that have stored credentials.
+ *
+ * Returns only the IDs, never the credential payloads. Useful for
+ * displaying "connected adapters" in UI without decrypting tokens.
+ * Requires owner or admin role.
+ */
+declare function listCredentials(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring): Promise<string[]>;
+/**
+ * Check whether a credential exists and whether its access token has expired.
+ *
+ * Returns `{ exists: false }` if no credential is stored, or
+ * `{ exists: true, expired: boolean }` based on the `expiresAt` field.
+ * Requires owner or admin role.
+ */
+declare function credentialStatus(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, adapterId: string): Promise<{
+    exists: false;
+} | {
+    exists: true;
+    expired: boolean;
+}>;
+
+export { SYNC_CREDENTIALS_COLLECTION, type SyncCredential, UnlockedKeyring, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential };

package/dist/team/index.d.ts

@@ -0,0 +1,117 @@
+import { at as NoydbStore, ar as UnlockedKeyring } from '../types-DSFLtbKg.js';
+export { b0 as BundleRecipient, bk as EnrollAuthenticatorOptions, bl as EnrollAuthenticatorWrappingDEKsOptions, bm as EnrollAuthenticatorWrappingKEKOptions, c1 as PaperRecoveryEntry, c8 as PresenceHandle, ct as RecoverPassphraseInput, cu as RecoverPassphraseResult, cv as RecoverUserOptions, cw as RecoveryProof, cz as RotatePassphraseInput, cC as SlotRewrapCeremony, cD as SlotRewrapContext, cK as SyncEngine, cS as SyncTransaction, c_ as UpdateAuthenticatorOptions, db as WrappedDeksBlob, dd as buildRecipientKeyringFile, de as burnPaperRecoveryEntry, dT as changeSecret, dU as createOwnerKeyring, dh as deriveMagicLinkContentKey, di as enrollAuthenticator, dV as ensureCollectionDEK, dk as evaluateExportCapability, dl as evaluateImportCapability, dm as findAuthenticator, dW as grant, dn as hasExportCapability, dp as hasImportCapability, dr as isMagicLinkGrantExpired, dw as listMagicLinkGrants, dx as listUsers, dy as listUsersWithEnvelopes, dX as loadKeyring, dA as loadPaperRecoveryEntries, dB as magicLinkGrantRecordId, dC as mintPaperRecoveryEntry, dD as mintWrappedDeksBlob, dY as persistKeyring, dE as readMagicLinkGrantRecord, du as recoverPassphrase, dF as recoverUser, dG as removeAuthenticator, dZ as revoke, dJ as revokeMagicLinkGrant, dv as rotatePassphrase, dK as savePaperRecoveryEntries, dL as unwrapDeksFromBlob, dM as unwrapDeksFromPaperEntry, dN as unwrapMagicLinkGrant, d_ as updateAuthenticator, d$ as updateKeyringIdentity, dS as writeMagicLinkGrant } from '../types-DSFLtbKg.js';
+import '../lazy-builder-BwEoBQZ9.js';
+import '../predicate-SBHmi6D0.js';
+import '../strategy-D-SrOLCl.js';
+import '../strategy-BSxFXGzb.js';
+import '../index-DtV93TMP.js';
+
+/**
+ * _sync_credentials reserved collection —
+ *
+ * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as
+ * encrypted records inside the vault itself. Tokens are wrapped with the
+ * compartment's own DEK, live on disk as ciphertext like any other record, and
+ * are accessed only through the dedicated API in this module — never via
+ * `vault.collection('_sync_credentials')`.
+ *
+ * Design decisions
+ * ────────────────
+ *
+ * **Why a reserved collection, not a separate store?**
+ * The compartment's existing encryption stack (AES-256-GCM + collection DEK)
+ * is exactly the right primitive for protecting OAuth tokens at rest. Using a
+ * separate store would require a new encryption surface, new adapter calls,
+ * and a new backup/restore path — all of which already exist for collections.
+ *
+ * **Why not exposed as a regular collection?**
+ * The same reason `_keyring` and `_ledger` aren't: they have invariants that
+ * must be enforced (naming scheme, no cross-user leakage, no schema
+ * validation, no history/ledger writes for privacy). Routing through a
+ * dedicated API enforces those invariants.
+ *
+ * **Token lifecycle:**
+ * - `putCredential(vault, adapterId, token)` — store or overwrite
+ * - `getCredential(vault, adapterId)` — load and decrypt
+ * - `deleteCredential(vault, adapterId)` — remove
+ * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)
+ *
+ * The `adapterId` is the record ID within the `_sync_credentials` collection.
+ * It should be a stable, human-readable identifier for the adapter instance
+ * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).
+ *
+ * **ACL:** only `owner` and `admin` roles can read/write sync credentials.
+ * Operators, viewers, and clients cannot call this API. The check is made
+ * against the caller's keyring role at call time.
+ */
+
+/** The reserved collection name. Never collides with user collections. */
+declare const SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
+/**
+ * An OAuth/auth token stored in `_sync_credentials`.
+ *
+ * Fields mirror the OAuth2 token response shape. `customData` is an escape
+ * hatch for adapter-specific secrets (API keys, connection strings, etc.)
+ * that don't fit the OAuth2 shape.
+ */
+interface SyncCredential {
+    /** Stable identifier for the adapter instance (e.g. 'google-drive'). */
+    readonly adapterId: string;
+    /** OAuth token type, usually 'Bearer'. */
+    readonly tokenType: string;
+    /** The access token. Expires at `expiresAt` if set. */
+    readonly accessToken: string;
+    /** Long-lived refresh token for renewing the access token. */
+    readonly refreshToken?: string;
+    /** ISO timestamp when `accessToken` expires. Absent means "no expiry". */
+    readonly expiresAt?: string;
+    /** Space-separated OAuth scopes. */
+    readonly scopes?: string;
+    /** Adapter-specific opaque data (API keys, endpoints, etc.). */
+    readonly customData?: Record<string, string>;
+}
+/**
+ * Store or overwrite a sync credential for the given adapter.
+ *
+ * The credential is encrypted with the `_sync_credentials` collection DEK
+ * (auto-generated on first use). The record ID is the `adapterId`.
+ *
+ * Requires owner or admin role.
+ */
+declare function putCredential(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, credential: SyncCredential): Promise<void>;
+/**
+ * Load and decrypt a sync credential for the given adapter ID.
+ *
+ * Returns `null` if no credential exists for this adapter.
+ * Requires owner or admin role.
+ */
+declare function getCredential(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, adapterId: string): Promise<SyncCredential | null>;
+/**
+ * Delete a sync credential by adapter ID.
+ *
+ * No-op if the credential doesn't exist. Requires owner or admin role.
+ */
+declare function deleteCredential(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, adapterId: string): Promise<void>;
+/**
+ * List all adapter IDs that have stored credentials.
+ *
+ * Returns only the IDs, never the credential payloads. Useful for
+ * displaying "connected adapters" in UI without decrypting tokens.
+ * Requires owner or admin role.
+ */
+declare function listCredentials(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring): Promise<string[]>;
+/**
+ * Check whether a credential exists and whether its access token has expired.
+ *
+ * Returns `{ exists: false }` if no credential is stored, or
+ * `{ exists: true, expired: boolean }` based on the `expiresAt` field.
+ * Requires owner or admin role.
+ */
+declare function credentialStatus(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, adapterId: string): Promise<{
+    exists: false;
+} | {
+    exists: true;
+    expired: boolean;
+}>;
+
+export { SYNC_CREDENTIALS_COLLECTION, type SyncCredential, UnlockedKeyring, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential };

package/dist/team/index.js

@@ -0,0 +1,106 @@
+import {
+  SYNC_CREDENTIALS_COLLECTION,
+  burnPaperRecoveryEntry,
+  credentialStatus,
+  deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  findAuthenticator,
+  getCredential,
+  isMagicLinkGrantExpired,
+  listCredentials,
+  listMagicLinkGrants,
+  loadPaperRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintWrappedDeksBlob,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  writeMagicLinkGrant
+} from "../chunk-YWKJZZGV.js";
+import {
+  PresenceHandle,
+  SyncEngine,
+  SyncTransaction
+} from "../chunk-A4NFZKRW.js";
+import "../chunk-IGAROPKM.js";
+import {
+  buildRecipientKeyringFile,
+  changeSecret,
+  createOwnerKeyring,
+  ensureCollectionDEK,
+  evaluateExportCapability,
+  evaluateImportCapability,
+  grant,
+  hasExportCapability,
+  hasImportCapability,
+  listUsers,
+  listUsersWithEnvelopes,
+  loadKeyring,
+  persistKeyring,
+  revoke,
+  updateKeyringIdentity
+} from "../chunk-GHGXG53C.js";
+import "../chunk-2QR2PQTT.js";
+import "../chunk-UMMAVAYW.js";
+import "../chunk-LVMMDXFT.js";
+import "../chunk-NBYQNDXA.js";
+export {
+  PresenceHandle,
+  SYNC_CREDENTIALS_COLLECTION,
+  SyncEngine,
+  SyncTransaction,
+  buildRecipientKeyringFile,
+  burnPaperRecoveryEntry,
+  changeSecret,
+  createOwnerKeyring,
+  credentialStatus,
+  deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  ensureCollectionDEK,
+  evaluateExportCapability,
+  evaluateImportCapability,
+  findAuthenticator,
+  getCredential,
+  grant,
+  hasExportCapability,
+  hasImportCapability,
+  isMagicLinkGrantExpired,
+  listCredentials,
+  listMagicLinkGrants,
+  listUsers,
+  listUsersWithEnvelopes,
+  loadKeyring,
+  loadPaperRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintWrappedDeksBlob,
+  persistKeyring,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revoke,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  updateKeyringIdentity,
+  writeMagicLinkGrant
+};
+//# sourceMappingURL=index.js.map

package/dist/team/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/tx/index.cjs

@@ -0,0 +1,212 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/tx/index.ts
+var tx_exports = {};
+__export(tx_exports, {
+  TxCollection: () => TxCollection,
+  TxContext: () => TxContext,
+  TxVault: () => TxVault,
+  runTransaction: () => runTransaction,
+  withTransactions: () => withTransactions
+});
+module.exports = __toCommonJS(tx_exports);
+
+// src/errors.ts
+var NoydbError = class extends Error {
+  /** Machine-readable error code. Stable across library versions. */
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "NoydbError";
+    this.code = code;
+  }
+};
+var ConflictError = class extends NoydbError {
+  /** The actual stored version at the time of conflict. */
+  version;
+  constructor(version, message = "Version conflict") {
+    super("CONFLICT", message);
+    this.name = "ConflictError";
+    this.version = version;
+  }
+};
+
+// src/tx/transaction.ts
+var TxContext = class {
+  /** @internal */
+  _ops = [];
+  /** @internal */
+  _db;
+  /** @internal */
+  constructor(db) {
+    this._db = db;
+  }
+  /** Scope subsequent `collection()` calls to the named vault. */
+  vault(name) {
+    const v = this._db.vault(name);
+    return new TxVault(this, v);
+  }
+};
+var TxVault = class {
+  /** @internal */
+  _ctx;
+  /** @internal */
+  _vault;
+  /** @internal */
+  constructor(ctx, vault) {
+    this._ctx = ctx;
+    this._vault = vault;
+  }
+  /** Scope subsequent op calls to the named collection. */
+  collection(name) {
+    const c = this._vault.collection(name);
+    return new TxCollection(this._ctx, this._vault, c, name);
+  }
+};
+var TxCollection = class {
+  /** @internal */
+  _ctx;
+  /** @internal */
+  _vault;
+  /** @internal */
+  _coll;
+  /** @internal */
+  _name;
+  /** @internal */
+  constructor(ctx, vault, coll, name) {
+    this._ctx = ctx;
+    this._vault = vault;
+    this._coll = coll;
+    this._name = name;
+  }
+  /**
+   * Read the current committed value, or the most-recently-staged
+   * value from the same transaction if one exists.
+   */
+  async get(id) {
+    for (let i = this._ctx._ops.length - 1; i >= 0; i--) {
+      const op = this._ctx._ops[i];
+      if (op.vaultName === this._vault.name && op.collectionName === this._name && op.id === id) {
+        if (op.type === "delete") return null;
+        return op.record;
+      }
+    }
+    return this._coll.get(id);
+  }
+  /**
+   * Stage a put. Does not write until the transaction body returns.
+   * Supply `{ expectedVersion }` to enforce optimistic concurrency
+   * during the commit pre-flight.
+   */
+  put(id, record, options) {
+    const op = {
+      type: "put",
+      vaultName: this._vault.name,
+      collectionName: this._name,
+      id,
+      record
+    };
+    if (options?.expectedVersion !== void 0) op.expectedVersion = options.expectedVersion;
+    this._ctx._ops.push(op);
+  }
+  /**
+   * Stage a delete. Does not write until the transaction body returns.
+   * Supply `{ expectedVersion }` to enforce optimistic concurrency
+   * during the commit pre-flight.
+   */
+  delete(id, options) {
+    const op = {
+      type: "delete",
+      vaultName: this._vault.name,
+      collectionName: this._name,
+      id
+    };
+    if (options?.expectedVersion !== void 0) op.expectedVersion = options.expectedVersion;
+    this._ctx._ops.push(op);
+  }
+};
+async function runTransaction(db, fn) {
+  const ctx = new TxContext(db);
+  const bodyResult = await fn(ctx);
+  if (ctx._ops.length === 0) return bodyResult;
+  const priorEnvelopes = /* @__PURE__ */ new Map();
+  const store = db._store;
+  for (const op of ctx._ops) {
+    const key = keyOf(op);
+    if (!priorEnvelopes.has(key)) {
+      const env = await store.get(op.vaultName, op.collectionName, op.id);
+      priorEnvelopes.set(key, env);
+    }
+    if (op.expectedVersion !== void 0) {
+      const env = priorEnvelopes.get(key) ?? null;
+      const actual = env?._v ?? 0;
+      if (actual !== op.expectedVersion) {
+        throw new ConflictError(
+          actual,
+          `Transaction pre-flight: ${op.vaultName}/${op.collectionName}/${op.id} expected v${op.expectedVersion}, found v${actual}`
+        );
+      }
+    }
+  }
+  const executed = [];
+  try {
+    for (const op of ctx._ops) {
+      const coll = db.vault(op.vaultName).collection(op.collectionName);
+      const key = keyOf(op);
+      const prior = priorEnvelopes.get(key) ?? null;
+      if (op.type === "put") {
+        await coll.put(op.id, op.record);
+      } else {
+        await coll.delete(op.id);
+      }
+      executed.push({ op, priorEnvelope: prior });
+    }
+    return bodyResult;
+  } catch (err) {
+    for (const { op, priorEnvelope } of executed.slice().reverse()) {
+      try {
+        if (priorEnvelope) {
+          await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope);
+        } else {
+          await store.delete(op.vaultName, op.collectionName, op.id);
+        }
+      } catch {
+      }
+    }
+    throw err;
+  }
+}
+function keyOf(op) {
+  return `${op.vaultName}\0${op.collectionName}\0${op.id}`;
+}
+
+// src/tx/active.ts
+function withTransactions() {
+  return { runTransaction };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  TxCollection,
+  TxContext,
+  TxVault,
+  runTransaction,
+  withTransactions
+});
+//# sourceMappingURL=index.cjs.map