@noy-db/hub 0.1.0-pre.3

package/dist/chunk-NXFEYLVG.js

@@ -0,0 +1,311 @@
+import {
+  decrypt
+} from "./chunk-MR4424N3.js";
+import {
+  ReadOnlyAtInstantError
+} from "./chunk-ACLDOTNQ.js";
+
+// src/history/history.ts
+var HISTORY_COLLECTION = "_history";
+var VERSION_PAD = 10;
+function historyId(collection, recordId, version) {
+  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, "0")}`;
+}
+function matchesPrefix(id, collection, recordId) {
+  if (recordId) {
+    return id.startsWith(`${collection}:${recordId}:`);
+  }
+  return id.startsWith(`${collection}:`);
+}
+async function saveHistory(adapter, vault, collection, recordId, envelope) {
+  const id = historyId(collection, recordId, envelope._v);
+  await adapter.put(vault, HISTORY_COLLECTION, id, envelope);
+}
+async function getHistory(adapter, vault, collection, recordId, options) {
+  const allIds = await adapter.list(vault, HISTORY_COLLECTION);
+  const matchingIds = allIds.filter((id) => matchesPrefix(id, collection, recordId)).sort().reverse();
+  const entries = [];
+  for (const id of matchingIds) {
+    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id);
+    if (!envelope) continue;
+    if (options?.from && envelope._ts < options.from) continue;
+    if (options?.to && envelope._ts > options.to) continue;
+    entries.push(envelope);
+    if (options?.limit && entries.length >= options.limit) break;
+  }
+  return entries;
+}
+async function getVersionEnvelope(adapter, vault, collection, recordId, version) {
+  const id = historyId(collection, recordId, version);
+  return adapter.get(vault, HISTORY_COLLECTION, id);
+}
+async function pruneHistory(adapter, vault, collection, recordId, options) {
+  const allIds = await adapter.list(vault, HISTORY_COLLECTION);
+  const matchingIds = allIds.filter((id) => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection)).sort();
+  let toDelete = [];
+  if (options.keepVersions !== void 0) {
+    const keep = options.keepVersions;
+    if (matchingIds.length > keep) {
+      toDelete = matchingIds.slice(0, matchingIds.length - keep);
+    }
+  }
+  if (options.beforeDate) {
+    for (const id of matchingIds) {
+      if (toDelete.includes(id)) continue;
+      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id);
+      if (envelope && envelope._ts < options.beforeDate) {
+        toDelete.push(id);
+      }
+    }
+  }
+  const uniqueDeletes = [...new Set(toDelete)];
+  for (const id of uniqueDeletes) {
+    await adapter.delete(vault, HISTORY_COLLECTION, id);
+  }
+  return uniqueDeletes.length;
+}
+async function clearHistory(adapter, vault, collection, recordId) {
+  const allIds = await adapter.list(vault, HISTORY_COLLECTION);
+  let toDelete;
+  if (collection && recordId) {
+    toDelete = allIds.filter((id) => matchesPrefix(id, collection, recordId));
+  } else if (collection) {
+    toDelete = allIds.filter((id) => matchesPrefix(id, collection));
+  } else {
+    toDelete = allIds;
+  }
+  for (const id of toDelete) {
+    await adapter.delete(vault, HISTORY_COLLECTION, id);
+  }
+  return toDelete.length;
+}
+
+// src/history/time-machine.ts
+var VaultInstant = class {
+  constructor(engine, timestamp) {
+    this.engine = engine;
+    this.timestamp = timestamp;
+  }
+  engine;
+  timestamp;
+  /** Get a point-in-time view of a collection. */
+  collection(name) {
+    return new CollectionInstant(this.engine, this.timestamp, name);
+  }
+};
+var CollectionInstant = class {
+  constructor(engine, targetTs, name) {
+    this.engine = engine;
+    this.targetTs = targetTs;
+    this.name = name;
+  }
+  engine;
+  targetTs;
+  name;
+  /**
+   * Return the record as it existed at the target timestamp, or
+   * `null` if the record had not been created yet or had already been
+   * deleted by then.
+   */
+  async get(id) {
+    const envelope = await this.resolveEnvelope(id);
+    if (!envelope) return null;
+    const plaintext = this.engine.encrypted ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name)) : envelope._data;
+    return JSON.parse(plaintext);
+  }
+  /**
+   * IDs of records that existed (had at least one `put` and were not
+   * subsequently deleted) at the target timestamp.
+   *
+   * Implemented as a linear scan over history + ledger. Performance
+   * is bounded by total history size (not live-vault size), so the
+   * memory-first vault-scale cap (1K–50K records × average history
+   * depth) still applies.
+   */
+  async list() {
+    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name);
+    const liveIds = await this.engine.adapter.list(this.engine.name, this.name);
+    const candidateIds = /* @__PURE__ */ new Set([...historyIds, ...liveIds]);
+    const alive = [];
+    for (const id of candidateIds) {
+      const env = await this.resolveEnvelope(id);
+      if (env) alive.push(id);
+    }
+    return alive.sort();
+  }
+  // ── write guards ───────────────────────────────────────────────────
+  async put(_id, _record) {
+    throw new ReadOnlyAtInstantError("put", this.targetTs);
+  }
+  async delete(_id) {
+    throw new ReadOnlyAtInstantError("delete", this.targetTs);
+  }
+  async update(_id, _patch) {
+    throw new ReadOnlyAtInstantError("update", this.targetTs);
+  }
+  // ── internals ─────────────────────────────────────────────────────
+  /**
+   * Return the envelope that represents the record's state at
+   * `targetTs`, accounting for deletes. `null` if the record didn't
+   * exist at that instant.
+   *
+   * ## Why we use the ledger as the authoritative timeline
+   *
+   * The per-version history snapshots saved by `saveHistory()` do
+   * carry a `_ts` field, but that timestamp is the moment the
+   * snapshot was *captured* (i.e. the instant right before the
+   * subsequent overwrite), not the original write time. The ledger,
+   * by contrast, records `ts` at the moment of each `put` / `delete`
+   * — it's the only source that tracks the real timeline. So:
+   *
+   *   1. Walk the ledger; find the latest entry for `(collection, id)`
+   *      with `ts ≤ targetTs`.
+   *   2. If that entry is a `delete`, the record was gone at the
+   *      target instant — return null.
+   *   3. Otherwise it's a `put` with a specific `version`. Load the
+   *      envelope for that version from history, falling back to the
+   *      live collection for the most recent version.
+   *
+   * ## Fallback when the ledger is disabled
+   *
+   * If the vault has history disabled, `getLedger()` returns null and
+   * we fall back to comparing envelope `_ts` fields. This is
+   * approximate and gets the *last write* right but may confuse the
+   * intermediate versions; adopters needing accurate time-machine
+   * reads should leave history enabled.
+   */
+  async resolveEnvelope(id) {
+    const ledger = this.engine.getLedger();
+    if (ledger) {
+      return this.resolveViaLedger(id, ledger);
+    }
+    return this.resolveViaEnvelopeTs(id);
+  }
+  async resolveViaLedger(id, ledger) {
+    const entries = await ledger.entries();
+    let latest = null;
+    for (const e of entries) {
+      if (e.collection !== this.name || e.id !== id) continue;
+      if (e.ts > this.targetTs) break;
+      latest = { op: e.op, version: e.version };
+    }
+    if (!latest) return null;
+    if (latest.op === "delete") return null;
+    return this.loadVersion(id, latest.version);
+  }
+  async resolveViaEnvelopeTs(id) {
+    const history = await getHistory(
+      this.engine.adapter,
+      this.engine.name,
+      this.name,
+      id
+    );
+    const live = await this.engine.adapter.get(this.engine.name, this.name, id);
+    const byVersion = /* @__PURE__ */ new Map();
+    for (const e of history) byVersion.set(e._v, e);
+    if (live) byVersion.set(live._v, live);
+    const sorted = [...byVersion.values()].sort(
+      (a, b) => a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0
+    );
+    return sorted.find((e) => e._ts <= this.targetTs) ?? null;
+  }
+  /**
+   * Fetch the envelope for a specific version. The live record (most
+   * recent put) lives in the main collection; prior versions live in
+   * `_history`. We check live first because the common case after a
+   * delete is that we're trying to load the last-live version from
+   * history, and skipping live for the current-version case avoids a
+   * redundant lookup.
+   */
+  async loadVersion(id, version) {
+    const live = await this.engine.adapter.get(this.engine.name, this.name, id);
+    if (live && live._v === version) return live;
+    const historyId2 = `${this.name}:${id}:${String(version).padStart(10, "0")}`;
+    return await this.engine.adapter.get(this.engine.name, "_history", historyId2);
+  }
+};
+async function collectHistoryIds(adapter, vault, collection) {
+  const all = await adapter.list(vault, "_history");
+  const prefix = `${collection}:`;
+  const seen = /* @__PURE__ */ new Set();
+  for (const key of all) {
+    if (!key.startsWith(prefix)) continue;
+    const lastColon = key.lastIndexOf(":");
+    if (lastColon <= prefix.length) continue;
+    const middle = key.slice(prefix.length, lastColon);
+    seen.add(middle);
+  }
+  return [...seen];
+}
+
+// src/history/diff.ts
+function diff(oldObj, newObj, basePath = "") {
+  const changes = [];
+  if (oldObj === newObj) return changes;
+  if (oldObj == null && newObj != null) {
+    return [{ path: basePath || "(root)", type: "added", to: newObj }];
+  }
+  if (oldObj != null && newObj == null) {
+    return [{ path: basePath || "(root)", type: "removed", from: oldObj }];
+  }
+  if (typeof oldObj !== typeof newObj) {
+    return [{ path: basePath || "(root)", type: "changed", from: oldObj, to: newObj }];
+  }
+  if (typeof oldObj !== "object") {
+    return [{ path: basePath || "(root)", type: "changed", from: oldObj, to: newObj }];
+  }
+  if (Array.isArray(oldObj) && Array.isArray(newObj)) {
+    const maxLen = Math.max(oldObj.length, newObj.length);
+    for (let i = 0; i < maxLen; i++) {
+      const p = basePath ? `${basePath}[${i}]` : `[${i}]`;
+      if (i >= oldObj.length) {
+        changes.push({ path: p, type: "added", to: newObj[i] });
+      } else if (i >= newObj.length) {
+        changes.push({ path: p, type: "removed", from: oldObj[i] });
+      } else {
+        changes.push(...diff(oldObj[i], newObj[i], p));
+      }
+    }
+    return changes;
+  }
+  const oldRecord = oldObj;
+  const newRecord = newObj;
+  const allKeys = /* @__PURE__ */ new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)]);
+  for (const key of allKeys) {
+    const p = basePath ? `${basePath}.${key}` : key;
+    if (!(key in oldRecord)) {
+      changes.push({ path: p, type: "added", to: newRecord[key] });
+    } else if (!(key in newRecord)) {
+      changes.push({ path: p, type: "removed", from: oldRecord[key] });
+    } else {
+      changes.push(...diff(oldRecord[key], newRecord[key], p));
+    }
+  }
+  return changes;
+}
+function formatDiff(changes) {
+  if (changes.length === 0) return "(no changes)";
+  return changes.map((c) => {
+    switch (c.type) {
+      case "added":
+        return `+ ${c.path}: ${JSON.stringify(c.to)}`;
+      case "removed":
+        return `- ${c.path}: ${JSON.stringify(c.from)}`;
+      case "changed":
+        return `~ ${c.path}: ${JSON.stringify(c.from)} \u2192 ${JSON.stringify(c.to)}`;
+    }
+  }).join("\n");
+}
+
+export {
+  saveHistory,
+  getHistory,
+  getVersionEnvelope,
+  pruneHistory,
+  clearHistory,
+  VaultInstant,
+  CollectionInstant,
+  diff,
+  formatDiff
+};
+//# sourceMappingURL=chunk-NXFEYLVG.js.map

package/dist/chunk-NXFEYLVG.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/history/history.ts","../src/history/time-machine.ts","../src/history/diff.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope, HistoryOptions, PruneOptions } from '../types.js'\n\n/**\n * History storage convention:\n * Collection: `_history`\n * ID format: `{collection}:{recordId}:{paddedVersion}`\n * Version is zero-padded to 10 digits for lexicographic sorting.\n */\n\nconst HISTORY_COLLECTION = '_history'\nconst VERSION_PAD = 10\n\nfunction historyId(collection: string, recordId: string, version: number): string {\n  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, '0')}`\n}\n\n// Unused today, kept for future history-id parsing utilities.\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nfunction parseHistoryId(id: string): { collection: string; recordId: string; version: number } | null {\n  const lastColon = id.lastIndexOf(':')\n  if (lastColon < 0) return null\n  const versionStr = id.slice(lastColon + 1)\n  const rest = id.slice(0, lastColon)\n  const firstColon = rest.indexOf(':')\n  if (firstColon < 0) return null\n  return {\n    collection: rest.slice(0, firstColon),\n    recordId: rest.slice(firstColon + 1),\n    version: parseInt(versionStr, 10),\n  }\n}\n\nfunction matchesPrefix(id: string, collection: string, recordId?: string): boolean {\n  if (recordId) {\n    return id.startsWith(`${collection}:${recordId}:`)\n  }\n  return id.startsWith(`${collection}:`)\n}\n\n/** Save a history entry (a complete encrypted envelope snapshot). */\nexport async function saveHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  envelope: EncryptedEnvelope,\n): Promise<void> {\n  const id = historyId(collection, recordId, envelope._v)\n  await adapter.put(vault, HISTORY_COLLECTION, id, envelope)\n}\n\n/** Get history entries for a record, sorted newest-first. */\nexport async function getHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  options?: HistoryOptions,\n): Promise<EncryptedEnvelope[]> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => matchesPrefix(id, collection, recordId))\n    .sort()\n    .reverse() // newest first\n\n  const entries: EncryptedEnvelope[] = []\n\n  for (const id of matchingIds) {\n    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n    if (!envelope) continue\n\n    // Apply time filters\n    if (options?.from && envelope._ts < options.from) continue\n    if (options?.to && envelope._ts > options.to) continue\n\n    entries.push(envelope)\n\n    if (options?.limit && entries.length >= options.limit) break\n  }\n\n  return entries\n}\n\n/** Get a specific version's envelope from history. */\nexport async function getVersionEnvelope(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  version: number,\n): Promise<EncryptedEnvelope | null> {\n  const id = historyId(collection, recordId, version)\n  return adapter.get(vault, HISTORY_COLLECTION, id)\n}\n\n/** Prune history entries. Returns the number of entries deleted. */\nexport async function pruneHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string | undefined,\n  options: PruneOptions,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection))\n    .sort()\n\n  let toDelete: string[] = []\n\n  if (options.keepVersions !== undefined) {\n    // Keep only the N most recent, delete the rest\n    const keep = options.keepVersions\n    if (matchingIds.length > keep) {\n      toDelete = matchingIds.slice(0, matchingIds.length - keep)\n    }\n  }\n\n  if (options.beforeDate) {\n    // Delete entries older than the specified date\n    for (const id of matchingIds) {\n      if (toDelete.includes(id)) continue\n      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n      if (envelope && envelope._ts < options.beforeDate) {\n        toDelete.push(id)\n      }\n    }\n  }\n\n  // Deduplicate\n  const uniqueDeletes = [...new Set(toDelete)]\n\n  for (const id of uniqueDeletes) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return uniqueDeletes.length\n}\n\n/** Clear all history for a vault, optionally scoped to a collection or record. */\nexport async function clearHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection?: string,\n  recordId?: string,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  let toDelete: string[]\n\n  if (collection && recordId) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection, recordId))\n  } else if (collection) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection))\n  } else {\n    toDelete = allIds\n  }\n\n  for (const id of toDelete) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return toDelete.length\n}\n","/**\n * Time-machine queries — point-in-time reads reconstructed from the\n * existing history + ledger infrastructure.\n *\n * ## Usage\n *\n * ```ts\n * const vault = await db.openVault('acme', { passphrase })\n * const q1End = vault.at('2026-03-31T23:59:59Z')\n * const invoice = await q1End.collection<Invoice>('invoices').get('inv-001')\n * // → the record as it stood at the close of Q1 2026\n * ```\n *\n * ## How it works\n *\n * Every write path already fans out into two persistence lanes:\n *\n * 1. `saveHistory(...)` persists a **full encrypted envelope snapshot**\n *    per version under the `_history` collection (one envelope per\n *    version, keyed by `{collection}:{id}:{paddedVersion}`). Each\n *    envelope carries its own `_ts` (the write timestamp).\n * 2. `ledger.append(...)` appends a hash-chained audit entry that\n *    records the `op` (put / delete), `version`, and `ts`.\n *\n * Reconstruction at a target timestamp T is therefore:\n *\n * - Find the newest history envelope for `(collection, id)` whose\n *   `_ts ≤ T` — that's the state the record was in at T.\n * - Check the ledger for any `op: 'delete'` entry for the same\n *   `(collection, id)` with `entry.ts` in `(latestEnvelope._ts, T]` —\n *   if present, the record was deleted before T, so return `null`.\n * - Decrypt the surviving envelope with the current collection DEK\n *   (DEKs are per-collection but stable across versions — the same\n *   key encrypts v1 and v15 of a record).\n *\n * No delta replay. The existing `history.ts` module already stores\n * complete snapshots; we just pick the right one.\n *\n * ## Read-only contract\n *\n * Every write method on `CollectionInstant` throws\n * {@link ReadOnlyAtInstantError}. A historical view is a *read*\n * surface — mutating the past would require either a branch/shadow\n * mechanism (tracked under shadow vaults) or a rewrite of\n * history, which breaks the ledger's tamper-evidence guarantee.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport type { LedgerStore } from './ledger/store.js'\nimport { getHistory } from './history.js'\nimport { decrypt } from '../crypto.js'\nimport { ReadOnlyAtInstantError } from '../errors.js'\n\n/**\n * Narrow view of a {@link Vault}'s internals that\n * {@link VaultInstant} needs. Passed in by `Vault.at()` rather than\n * constructed here so all crypto + adapter access stays inside the\n * Vault class.\n *\n * Not exported from the public barrel — consumers should get a\n * `VaultInstant` via `vault.at(ts)`, never by constructing one\n * directly.\n */\nexport interface VaultEngine {\n  readonly adapter: NoydbStore\n  /** Vault name (the compartment). */\n  readonly name: string\n  /**\n   * `true` when the vault was opened with a passphrase (the normal\n   * case). `false` in plaintext-mode vaults (`encrypt: false`) — in\n   * that case `envelope._data` is raw JSON and we skip the DEK lookup.\n   */\n  readonly encrypted: boolean\n  /**\n   * Resolves the DEK used to decrypt a given collection's envelopes.\n   * Not called when `encrypted` is false.\n   */\n  getDEK(collection: string): Promise<CryptoKey>\n  /**\n   * Lazily-initialised ledger. We consult it to detect deletes that\n   * happened between the latest history snapshot and the target\n   * timestamp. `null` when history is disabled for this vault — in\n   * that case time-machine reads fall back to history-only\n   * reconstruction (which may miss deletes).\n   */\n  getLedger(): LedgerStore | null\n}\n\n/**\n * A vault at a fixed instant. Produced by `vault.at(timestamp)`.\n * Carries no session state of its own — every read is a fresh\n * lookup through the vault's adapter.\n *\n * Cheap to construct; safe to throw away. Create one per query.\n */\nexport class VaultInstant {\n  constructor(\n    private readonly engine: VaultEngine,\n    /** Fully-resolved target timestamp (ISO-8601 UTC). */\n    public readonly timestamp: string,\n  ) {}\n\n  /** Get a point-in-time view of a collection. */\n  collection<T = unknown>(name: string): CollectionInstant<T> {\n    return new CollectionInstant<T>(this.engine, this.timestamp, name)\n  }\n}\n\n/**\n * A read-only collection view anchored to a past instant.\n *\n * Every write method throws {@link ReadOnlyAtInstantError} — see the\n * module docstring for why. The read surface is intentionally smaller\n * than the live {@link Collection}: `get` and `list` cover the\n * \"what did the books look like on date X\" use case without pulling\n * in the full query DSL / joins / aggregates at this stage. Follow-up\n * work tracked under.\n */\nexport class CollectionInstant<T = unknown> {\n  constructor(\n    private readonly engine: VaultEngine,\n    private readonly targetTs: string,\n    public readonly name: string,\n  ) {}\n\n  /**\n   * Return the record as it existed at the target timestamp, or\n   * `null` if the record had not been created yet or had already been\n   * deleted by then.\n   */\n  async get(id: string): Promise<T | null> {\n    const envelope = await this.resolveEnvelope(id)\n    if (!envelope) return null\n    const plaintext = this.engine.encrypted\n      ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name))\n      : envelope._data\n    return JSON.parse(plaintext) as T\n  }\n\n  /**\n   * IDs of records that existed (had at least one `put` and were not\n   * subsequently deleted) at the target timestamp.\n   *\n   * Implemented as a linear scan over history + ledger. Performance\n   * is bounded by total history size (not live-vault size), so the\n   * memory-first vault-scale cap (1K–50K records × average history\n   * depth) still applies.\n   */\n  async list(): Promise<string[]> {\n    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name)\n    const liveIds = await this.engine.adapter.list(this.engine.name, this.name)\n    const candidateIds = new Set<string>([...historyIds, ...liveIds])\n    const alive: string[] = []\n    for (const id of candidateIds) {\n      const env = await this.resolveEnvelope(id)\n      if (env) alive.push(id)\n    }\n    return alive.sort()\n  }\n\n  // ── write guards ───────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyAtInstantError('put', this.targetTs)\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyAtInstantError('delete', this.targetTs)\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyAtInstantError('update', this.targetTs)\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  /**\n   * Return the envelope that represents the record's state at\n   * `targetTs`, accounting for deletes. `null` if the record didn't\n   * exist at that instant.\n   *\n   * ## Why we use the ledger as the authoritative timeline\n   *\n   * The per-version history snapshots saved by `saveHistory()` do\n   * carry a `_ts` field, but that timestamp is the moment the\n   * snapshot was *captured* (i.e. the instant right before the\n   * subsequent overwrite), not the original write time. The ledger,\n   * by contrast, records `ts` at the moment of each `put` / `delete`\n   * — it's the only source that tracks the real timeline. So:\n   *\n   *   1. Walk the ledger; find the latest entry for `(collection, id)`\n   *      with `ts ≤ targetTs`.\n   *   2. If that entry is a `delete`, the record was gone at the\n   *      target instant — return null.\n   *   3. Otherwise it's a `put` with a specific `version`. Load the\n   *      envelope for that version from history, falling back to the\n   *      live collection for the most recent version.\n   *\n   * ## Fallback when the ledger is disabled\n   *\n   * If the vault has history disabled, `getLedger()` returns null and\n   * we fall back to comparing envelope `_ts` fields. This is\n   * approximate and gets the *last write* right but may confuse the\n   * intermediate versions; adopters needing accurate time-machine\n   * reads should leave history enabled.\n   */\n  private async resolveEnvelope(id: string): Promise<EncryptedEnvelope | null> {\n    const ledger = this.engine.getLedger()\n    if (ledger) {\n      return this.resolveViaLedger(id, ledger)\n    }\n    return this.resolveViaEnvelopeTs(id)\n  }\n\n  private async resolveViaLedger(id: string, ledger: LedgerStore): Promise<EncryptedEnvelope | null> {\n    const entries = await ledger.entries()\n    // Entries are already ordered by index which is the mutation order.\n    let latest: { op: 'put' | 'delete'; version: number } | null = null\n    for (const e of entries) {\n      if (e.collection !== this.name || e.id !== id) continue\n      if (e.ts > this.targetTs) break   // entries are time-ordered by index\n      latest = { op: e.op, version: e.version }\n    }\n    if (!latest) return null\n    if (latest.op === 'delete') return null\n    return this.loadVersion(id, latest.version)\n  }\n\n  private async resolveViaEnvelopeTs(id: string): Promise<EncryptedEnvelope | null> {\n    const history = await getHistory(\n      this.engine.adapter, this.engine.name, this.name, id,\n    )\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    const byVersion = new Map<number, EncryptedEnvelope>()\n    for (const e of history) byVersion.set(e._v, e)\n    if (live) byVersion.set(live._v, live)\n    const sorted = [...byVersion.values()].sort((a, b) =>\n      a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0,\n    )\n    return sorted.find((e) => e._ts <= this.targetTs) ?? null\n  }\n\n  /**\n   * Fetch the envelope for a specific version. The live record (most\n   * recent put) lives in the main collection; prior versions live in\n   * `_history`. We check live first because the common case after a\n   * delete is that we're trying to load the last-live version from\n   * history, and skipping live for the current-version case avoids a\n   * redundant lookup.\n   */\n  private async loadVersion(id: string, version: number): Promise<EncryptedEnvelope | null> {\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    if (live && live._v === version) return live\n\n    // Direct lookup by (collection, id, version) — avoids scanning all history.\n    const historyId = `${this.name}:${id}:${String(version).padStart(10, '0')}`\n    return await this.engine.adapter.get(this.engine.name, '_history', historyId)\n  }\n}\n\n/**\n * Scan the `_history` collection once and collect every distinct\n * `recordId` for the given collection. History keys follow the\n * shape `<collection>:<recordId>:<paddedVersion>`; we split on the\n * last two colons (delimiter-safe because `paddedVersion` is\n * exactly 10 digits).\n */\nasync function collectHistoryIds(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n): Promise<string[]> {\n  const all = await adapter.list(vault, '_history')\n  const prefix = `${collection}:`\n  const seen = new Set<string>()\n  for (const key of all) {\n    if (!key.startsWith(prefix)) continue\n    const lastColon = key.lastIndexOf(':')\n    if (lastColon <= prefix.length) continue\n    const middle = key.slice(prefix.length, lastColon)\n    seen.add(middle)\n  }\n  return [...seen]\n}\n","/**\n * Zero-dependency JSON diff.\n * Produces a flat list of changes between two plain objects.\n */\n\nexport type ChangeType = 'added' | 'removed' | 'changed'\n\nexport interface DiffEntry {\n  /** Dot-separated path to the changed field (e.g. \"address.city\"). */\n  readonly path: string\n  /** Type of change. */\n  readonly type: ChangeType\n  /** Previous value (undefined for 'added'). */\n  readonly from?: unknown\n  /** New value (undefined for 'removed'). */\n  readonly to?: unknown\n}\n\n/**\n * Compute differences between two objects.\n * Returns an array of DiffEntry describing each changed field.\n * Returns empty array if objects are identical.\n */\nexport function diff(oldObj: unknown, newObj: unknown, basePath = ''): DiffEntry[] {\n  const changes: DiffEntry[] = []\n\n  // Both primitives or nulls\n  if (oldObj === newObj) return changes\n\n  // One is null/undefined\n  if (oldObj == null && newObj != null) {\n    return [{ path: basePath || '(root)', type: 'added', to: newObj }]\n  }\n  if (oldObj != null && newObj == null) {\n    return [{ path: basePath || '(root)', type: 'removed', from: oldObj }]\n  }\n\n  // Different types\n  if (typeof oldObj !== typeof newObj) {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both primitives (and not equal — checked above)\n  if (typeof oldObj !== 'object') {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both arrays\n  if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n    const maxLen = Math.max(oldObj.length, newObj.length)\n    for (let i = 0; i < maxLen; i++) {\n      const p = basePath ? `${basePath}[${i}]` : `[${i}]`\n      if (i >= oldObj.length) {\n        changes.push({ path: p, type: 'added', to: newObj[i] })\n      } else if (i >= newObj.length) {\n        changes.push({ path: p, type: 'removed', from: oldObj[i] })\n      } else {\n        changes.push(...diff(oldObj[i], newObj[i], p))\n      }\n    }\n    return changes\n  }\n\n  // Both objects\n  const oldRecord = oldObj as Record<string, unknown>\n  const newRecord = newObj as Record<string, unknown>\n  const allKeys = new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)])\n\n  for (const key of allKeys) {\n    const p = basePath ? `${basePath}.${key}` : key\n    if (!(key in oldRecord)) {\n      changes.push({ path: p, type: 'added', to: newRecord[key] })\n    } else if (!(key in newRecord)) {\n      changes.push({ path: p, type: 'removed', from: oldRecord[key] })\n    } else {\n      changes.push(...diff(oldRecord[key], newRecord[key], p))\n    }\n  }\n\n  return changes\n}\n\n/** Format a diff as a human-readable string. */\nexport function formatDiff(changes: DiffEntry[]): string {\n  if (changes.length === 0) return '(no changes)'\n  return changes.map(c => {\n    switch (c.type) {\n      case 'added':\n        return `+ ${c.path}: ${JSON.stringify(c.to)}`\n      case 'removed':\n        return `- ${c.path}: ${JSON.stringify(c.from)}`\n      case 'changed':\n        return `~ ${c.path}: ${JSON.stringify(c.from)} → ${JSON.stringify(c.to)}`\n    }\n  }).join('\\n')\n}\n"],"mappings":";;;;;;;;AASA,IAAM,qBAAqB;AAC3B,IAAM,cAAc;AAEpB,SAAS,UAAU,YAAoB,UAAkB,SAAyB;AAChF,SAAO,GAAG,UAAU,IAAI,QAAQ,IAAI,OAAO,OAAO,EAAE,SAAS,aAAa,GAAG,CAAC;AAChF;AAkBA,SAAS,cAAc,IAAY,YAAoB,UAA4B;AACjF,MAAI,UAAU;AACZ,WAAO,GAAG,WAAW,GAAG,UAAU,IAAI,QAAQ,GAAG;AAAA,EACnD;AACA,SAAO,GAAG,WAAW,GAAG,UAAU,GAAG;AACvC;AAGA,eAAsB,YACpB,SACA,OACA,YACA,UACA,UACe;AACf,QAAM,KAAK,UAAU,YAAY,UAAU,SAAS,EAAE;AACtD,QAAM,QAAQ,IAAI,OAAO,oBAAoB,IAAI,QAAQ;AAC3D;AAGA,eAAsB,WACpB,SACA,OACA,YACA,UACA,SAC8B;AAC9B,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC,EACpD,KAAK,EACL,QAAQ;AAEX,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,aAAa;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,QAAI,CAAC,SAAU;AAGf,QAAI,SAAS,QAAQ,SAAS,MAAM,QAAQ,KAAM;AAClD,QAAI,SAAS,MAAM,SAAS,MAAM,QAAQ,GAAI;AAE9C,YAAQ,KAAK,QAAQ;AAErB,QAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,MAAO;AAAA,EACzD;AAEA,SAAO;AACT;AAGA,eAAsB,mBACpB,SACA,OACA,YACA,UACA,SACmC;AACnC,QAAM,KAAK,UAAU,YAAY,UAAU,OAAO;AAClD,SAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAClD;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACA,SACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,WAAW,cAAc,IAAI,YAAY,QAAQ,IAAI,cAAc,IAAI,UAAU,CAAC,EAC/F,KAAK;AAER,MAAI,WAAqB,CAAC;AAE1B,MAAI,QAAQ,iBAAiB,QAAW;AAEtC,UAAM,OAAO,QAAQ;AACrB,QAAI,YAAY,SAAS,MAAM;AAC7B,iBAAW,YAAY,MAAM,GAAG,YAAY,SAAS,IAAI;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AAEtB,eAAW,MAAM,aAAa;AAC5B,UAAI,SAAS,SAAS,EAAE,EAAG;AAC3B,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,UAAI,YAAY,SAAS,MAAM,QAAQ,YAAY;AACjD,iBAAS,KAAK,EAAE;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC;AAE3C,aAAW,MAAM,eAAe;AAC9B,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,cAAc;AACvB;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,MAAI;AAEJ,MAAI,cAAc,UAAU;AAC1B,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC;AAAA,EACxE,WAAW,YAAY;AACrB,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,UAAU,CAAC;AAAA,EAC9D,OAAO;AACL,eAAW;AAAA,EACb;AAEA,aAAW,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,SAAS;AAClB;;;AClEO,IAAM,eAAN,MAAmB;AAAA,EACxB,YACmB,QAED,WAChB;AAHiB;AAED;AAAA,EACf;AAAA,EAHgB;AAAA,EAED;AAAA;AAAA,EAIlB,WAAwB,MAAoC;AAC1D,WAAO,IAAI,kBAAqB,KAAK,QAAQ,KAAK,WAAW,IAAI;AAAA,EACnE;AACF;AAYO,IAAM,oBAAN,MAAqC;AAAA,EAC1C,YACmB,QACA,UACD,MAChB;AAHiB;AACA;AACD;AAAA,EACf;AAAA,EAHgB;AAAA,EACA;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlB,MAAM,IAAI,IAA+B;AACvC,UAAM,WAAW,MAAM,KAAK,gBAAgB,EAAE;AAC9C,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,YAAY,KAAK,OAAO,YAC1B,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,CAAC,IAC/E,SAAS;AACb,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAA0B;AAC9B,UAAM,aAAa,MAAM,kBAAkB,KAAK,OAAO,SAAS,KAAK,OAAO,MAAM,KAAK,IAAI;AAC3F,UAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,KAAK,KAAK,OAAO,MAAM,KAAK,IAAI;AAC1E,UAAM,eAAe,oBAAI,IAAY,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC;AAChE,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,cAAc;AAC7B,YAAM,MAAM,MAAM,KAAK,gBAAgB,EAAE;AACzC,UAAI,IAAK,OAAM,KAAK,EAAE;AAAA,IACxB;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,uBAAuB,OAAO,KAAK,QAAQ;AAAA,EACvD;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCA,MAAc,gBAAgB,IAA+C;AAC3E,UAAM,SAAS,KAAK,OAAO,UAAU;AACrC,QAAI,QAAQ;AACV,aAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,IACzC;AACA,WAAO,KAAK,qBAAqB,EAAE;AAAA,EACrC;AAAA,EAEA,MAAc,iBAAiB,IAAY,QAAwD;AACjG,UAAM,UAAU,MAAM,OAAO,QAAQ;AAErC,QAAI,SAA2D;AAC/D,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,eAAe,KAAK,QAAQ,EAAE,OAAO,GAAI;AAC/C,UAAI,EAAE,KAAK,KAAK,SAAU;AAC1B,eAAS,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,QAAQ;AAAA,IAC1C;AACA,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,OAAO,SAAU,QAAO;AACnC,WAAO,KAAK,YAAY,IAAI,OAAO,OAAO;AAAA,EAC5C;AAAA,EAEA,MAAc,qBAAqB,IAA+C;AAChF,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK,OAAO;AAAA,MAAS,KAAK,OAAO;AAAA,MAAM,KAAK;AAAA,MAAM;AAAA,IACpD;AACA,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,UAAM,YAAY,oBAAI,IAA+B;AACrD,eAAW,KAAK,QAAS,WAAU,IAAI,EAAE,IAAI,CAAC;AAC9C,QAAI,KAAM,WAAU,IAAI,KAAK,IAAI,IAAI;AACrC,UAAM,SAAS,CAAC,GAAG,UAAU,OAAO,CAAC,EAAE;AAAA,MAAK,CAAC,GAAG,MAC9C,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK;AAAA,IAC3C;AACA,WAAO,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,KAAK,QAAQ,KAAK;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,YAAY,IAAY,SAAoD;AACxF,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,QAAI,QAAQ,KAAK,OAAO,QAAS,QAAO;AAGxC,UAAMA,aAAY,GAAG,KAAK,IAAI,IAAI,EAAE,IAAI,OAAO,OAAO,EAAE,SAAS,IAAI,GAAG,CAAC;AACzE,WAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,YAAYA,UAAS;AAAA,EAC9E;AACF;AASA,eAAe,kBACb,SACA,OACA,YACmB;AACnB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,QAAM,SAAS,GAAG,UAAU;AAC5B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,YAAY,IAAI,YAAY,GAAG;AACrC,QAAI,aAAa,OAAO,OAAQ;AAChC,UAAM,SAAS,IAAI,MAAM,OAAO,QAAQ,SAAS;AACjD,SAAK,IAAI,MAAM;AAAA,EACjB;AACA,SAAO,CAAC,GAAG,IAAI;AACjB;;;ACnQO,SAAS,KAAK,QAAiB,QAAiB,WAAW,IAAiB;AACjF,QAAM,UAAuB,CAAC;AAG9B,MAAI,WAAW,OAAQ,QAAO;AAG9B,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,SAAS,IAAI,OAAO,CAAC;AAAA,EACnE;AACA,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,OAAO,CAAC;AAAA,EACvE;AAGA,MAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,MAAM,QAAQ,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAG;AAClD,UAAM,SAAS,KAAK,IAAI,OAAO,QAAQ,OAAO,MAAM;AACpD,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,YAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC;AAChD,UAAI,KAAK,OAAO,QAAQ;AACtB,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,EAAE,CAAC;AAAA,MACxD,WAAW,KAAK,OAAO,QAAQ;AAC7B,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,OAAO,CAAC,EAAE,CAAC;AAAA,MAC5D,OAAO;AACL,gBAAQ,KAAK,GAAG,KAAK,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAAA,MAC/C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY;AAClB,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,SAAS,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC;AAE9E,aAAW,OAAO,SAAS;AACzB,UAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,GAAG,KAAK;AAC5C,QAAI,EAAE,OAAO,YAAY;AACvB,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,UAAU,GAAG,EAAE,CAAC;AAAA,IAC7D,WAAW,EAAE,OAAO,YAAY;AAC9B,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,UAAU,GAAG,EAAE,CAAC;AAAA,IACjE,OAAO;AACL,cAAQ,KAAK,GAAG,KAAK,UAAU,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AACT;AAGO,SAAS,WAAW,SAA8B;AACvD,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,SAAO,QAAQ,IAAI,OAAK;AACtB,YAAQ,EAAE,MAAM;AAAA,MACd,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,MAC7C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,MAC/C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC,WAAM,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,IAC3E;AAAA,EACF,CAAC,EAAE,KAAK,IAAI;AACd;","names":["historyId"]}

package/dist/chunk-R36SIKES.js

@@ -0,0 +1,79 @@
+import {
+  ReadOnlyFrameError
+} from "./chunk-ACLDOTNQ.js";
+
+// src/shadow/vault-frame.ts
+var VaultFrame = class {
+  constructor(vault) {
+    this.vault = vault;
+  }
+  vault;
+  /**
+   * Get a read-only view of one collection. The returned
+   * {@link CollectionFrame} delegates all reads to the underlying
+   * live collection — cache, locale handling, and validation all
+   * work identically to the live collection.
+   */
+  collection(name) {
+    return new CollectionFrame(this.vault.collection(name), name);
+  }
+  /** List all collection names visible in the underlying vault. */
+  async collections() {
+    return this.vault.collections();
+  }
+};
+var CollectionFrame = class {
+  constructor(inner, name) {
+    this.inner = inner;
+    this.name = name;
+  }
+  inner;
+  name;
+  // ── reads (delegated) ──────────────────────────────────────────────
+  get(id, locale) {
+    return this.inner.get(id, locale);
+  }
+  list(locale) {
+    return this.inner.list(locale);
+  }
+  /**
+   * Return the chainable query builder. Terminals like `.toArray()`,
+   * `.first()`, `.count()`, `.aggregate()` all work; the builder has
+   * no write surface of its own, so exposing it directly is safe.
+   */
+  query(...args) {
+    return this.inner.query(...args);
+  }
+  /** History reads — allowed (history is read-only by nature). */
+  history(...args) {
+    return this.inner.history(...args);
+  }
+  getVersion(id, version) {
+    return this.inner.getVersion(id, version);
+  }
+  // ── write guards ──────────────────────────────────────────────────
+  async put(_id, _record) {
+    throw new ReadOnlyFrameError("put");
+  }
+  async delete(_id) {
+    throw new ReadOnlyFrameError("delete");
+  }
+  async update(_id, _patch) {
+    throw new ReadOnlyFrameError("update");
+  }
+  async revert(_id, _version) {
+    throw new ReadOnlyFrameError("revert");
+  }
+  async putMany(_entries) {
+    throw new ReadOnlyFrameError("putMany");
+  }
+  async deleteMany(_ids) {
+    throw new ReadOnlyFrameError("deleteMany");
+  }
+};
+
+export {
+  VaultFrame,
+  CollectionFrame
+};
+//# sourceMappingURL=chunk-R36SIKES.js.map

package/dist/chunk-R36SIKES.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/shadow/vault-frame.ts"],"sourcesContent":["/**\n * Shadow vaults — `vault.frame()` returns a read-only view of the\n * CURRENT vault state.\n *\n * Companion to {@link VaultInstant} from `history/time-machine.ts`:\n *\n * | Type | Reads from | Use case |\n * |------|------------|----------|\n * | `VaultInstant` | past snapshots (ledger + history) | \"books on date X\" |\n * | `VaultFrame`   | live vault state                  | screen-share / demo / audit |\n *\n * ```ts\n * const readonly = vault.frame()\n * const invoices = await readonly.collection<Invoice>('invoices').list()\n * await readonly.collection<Invoice>('invoices').put(...)\n * // → throws ReadOnlyFrameError\n * ```\n *\n * ## Contract\n *\n * Every write method on {@link CollectionFrame} throws\n * {@link ReadOnlyFrameError}. Reads delegate to the underlying\n * collection, so validation, locale handling, and caching all work\n * exactly as they do on the live collection.\n *\n * ## Security note: behaviour-enforced, not cryptographically-enforced\n *\n * A VaultFrame rejects writes by contract in the JavaScript layer.\n * It does NOT strip the DEKs from the underlying keyring — the same\n * in-memory keys that decrypt records could, in principle, encrypt\n * new writes via a hand-crafted adapter call. Cryptographic\n * enforcement (keyring variants with the write half of each DEK\n * removed) is hierarchical-access work. Use a VaultFrame to\n * prevent *accidental* writes in a read-scoped flow — do not rely on\n * it as a security boundary against a hostile caller sharing the\n * same process.\n *\n * @module\n */\nimport type { Collection } from '../collection.js'\nimport type { Vault } from '../vault.js'\nimport type { LocaleReadOptions } from '../types.js'\nimport { ReadOnlyFrameError } from '../errors.js'\n\n/**\n * A read-only view of a vault's current state. Produced by\n * `vault.frame()`. Cheap to construct; safe to throw away.\n */\nexport class VaultFrame {\n  constructor(private readonly vault: Vault) {}\n\n  /**\n   * Get a read-only view of one collection. The returned\n   * {@link CollectionFrame} delegates all reads to the underlying\n   * live collection — cache, locale handling, and validation all\n   * work identically to the live collection.\n   */\n  collection<T = unknown>(name: string): CollectionFrame<T> {\n    return new CollectionFrame<T>(this.vault.collection<T>(name), name)\n  }\n\n  /** List all collection names visible in the underlying vault. */\n  async collections(): Promise<string[]> {\n    return this.vault.collections()\n  }\n}\n\n/**\n * Read-only collection view. All write methods throw\n * {@link ReadOnlyFrameError}; all read methods delegate to the\n * underlying live {@link Collection}.\n */\nexport class CollectionFrame<T = unknown> {\n  constructor(\n    private readonly inner: Collection<T>,\n    /** The underlying collection name. Captured at construction so\n     *  we don't need to peek into the private Collection state. */\n    public readonly name: string,\n  ) {}\n\n  // ── reads (delegated) ──────────────────────────────────────────────\n\n  get(id: string, locale?: LocaleReadOptions): Promise<T | null> {\n    return this.inner.get(id, locale)\n  }\n\n  list(locale?: LocaleReadOptions): Promise<T[]> {\n    return this.inner.list(locale)\n  }\n\n  /**\n   * Return the chainable query builder. Terminals like `.toArray()`,\n   * `.first()`, `.count()`, `.aggregate()` all work; the builder has\n   * no write surface of its own, so exposing it directly is safe.\n   */\n  query(...args: Parameters<Collection<T>['query']>): ReturnType<Collection<T>['query']> {\n    return this.inner.query(...args)\n  }\n\n  /** History reads — allowed (history is read-only by nature). */\n  history(...args: Parameters<Collection<T>['history']>): ReturnType<Collection<T>['history']> {\n    return this.inner.history(...args)\n  }\n\n  getVersion(id: string, version: number): Promise<T | null> {\n    return this.inner.getVersion(id, version)\n  }\n\n  // ── write guards ──────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyFrameError('put')\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyFrameError('delete')\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyFrameError('update')\n  }\n  async revert(_id: string, _version: number): Promise<never> {\n    throw new ReadOnlyFrameError('revert')\n  }\n  async putMany(_entries: ReadonlyArray<readonly [string, T]>): Promise<never> {\n    throw new ReadOnlyFrameError('putMany')\n  }\n  async deleteMany(_ids: readonly string[]): Promise<never> {\n    throw new ReadOnlyFrameError('deleteMany')\n  }\n}\n"],"mappings":";;;;;AAgDO,IAAM,aAAN,MAAiB;AAAA,EACtB,YAA6B,OAAc;AAAd;AAAA,EAAe;AAAA,EAAf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ7B,WAAwB,MAAkC;AACxD,WAAO,IAAI,gBAAmB,KAAK,MAAM,WAAc,IAAI,GAAG,IAAI;AAAA,EACpE;AAAA;AAAA,EAGA,MAAM,cAAiC;AACrC,WAAO,KAAK,MAAM,YAAY;AAAA,EAChC;AACF;AAOO,IAAM,kBAAN,MAAmC;AAAA,EACxC,YACmB,OAGD,MAChB;AAJiB;AAGD;AAAA,EACf;AAAA,EAJgB;AAAA,EAGD;AAAA;AAAA,EAKlB,IAAI,IAAY,QAA+C;AAC7D,WAAO,KAAK,MAAM,IAAI,IAAI,MAAM;AAAA,EAClC;AAAA,EAEA,KAAK,QAA0C;AAC7C,WAAO,KAAK,MAAM,KAAK,MAAM;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,SAAS,MAA8E;AACrF,WAAO,KAAK,MAAM,MAAM,GAAG,IAAI;AAAA,EACjC;AAAA;AAAA,EAGA,WAAW,MAAkF;AAC3F,WAAO,KAAK,MAAM,QAAQ,GAAG,IAAI;AAAA,EACnC;AAAA,EAEA,WAAW,IAAY,SAAoC;AACzD,WAAO,KAAK,MAAM,WAAW,IAAI,OAAO;AAAA,EAC1C;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,mBAAmB,KAAK;AAAA,EACpC;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,mBAAmB,QAAQ;AAAA,EACvC;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,mBAAmB,QAAQ;AAAA,EACvC;AAAA,EACA,MAAM,OAAO,KAAa,UAAkC;AAC1D,UAAM,IAAI,mBAAmB,QAAQ;AAAA,EACvC;AAAA,EACA,MAAM,QAAQ,UAA+D;AAC3E,UAAM,IAAI,mBAAmB,SAAS;AAAA,EACxC;AAAA,EACA,MAAM,WAAW,MAAyC;AACxD,UAAM,IAAI,mBAAmB,YAAY;AAAA,EAC3C;AACF;","names":[]}