@noy-db/hub 0.1.0-pre.3

package/dist/blobs/index.cjs

@@ -0,0 +1,1480 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/errors.ts
+var NoydbError, DecryptionError, TamperedError, InvalidKeyError, ConflictError, NotFoundError;
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+    NoydbError = class extends Error {
+      /** Machine-readable error code. Stable across library versions. */
+      code;
+      constructor(code, message) {
+        super(message);
+        this.name = "NoydbError";
+        this.code = code;
+      }
+    };
+    DecryptionError = class extends NoydbError {
+      constructor(message = "Decryption failed") {
+        super("DECRYPTION_FAILED", message);
+        this.name = "DecryptionError";
+      }
+    };
+    TamperedError = class extends NoydbError {
+      constructor(message = "Data integrity check failed \u2014 record may have been tampered with") {
+        super("TAMPERED", message);
+        this.name = "TamperedError";
+      }
+    };
+    InvalidKeyError = class extends NoydbError {
+      constructor(message = "Invalid key \u2014 wrong passphrase or corrupted keyring") {
+        super("INVALID_KEY", message);
+        this.name = "InvalidKeyError";
+      }
+    };
+    ConflictError = class extends NoydbError {
+      /** The actual stored version at the time of conflict. */
+      version;
+      constructor(version, message = "Version conflict") {
+        super("CONFLICT", message);
+        this.name = "ConflictError";
+        this.version = version;
+      }
+    };
+    NotFoundError = class extends NoydbError {
+      constructor(message = "Record not found") {
+        super("NOT_FOUND", message);
+        this.name = "NotFoundError";
+      }
+    };
+  }
+});
+
+// src/crypto.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  base64ToBuffer: () => base64ToBuffer,
+  bufferToBase64: () => bufferToBase64,
+  decrypt: () => decrypt,
+  decryptBytes: () => decryptBytes,
+  decryptBytesWithAAD: () => decryptBytesWithAAD,
+  decryptDeterministic: () => decryptDeterministic,
+  deriveKey: () => deriveKey,
+  derivePresenceKey: () => derivePresenceKey,
+  encrypt: () => encrypt,
+  encryptBytes: () => encryptBytes,
+  encryptBytesWithAAD: () => encryptBytesWithAAD,
+  encryptDeterministic: () => encryptDeterministic,
+  generateDEK: () => generateDEK,
+  generateIV: () => generateIV,
+  generateSalt: () => generateSalt,
+  hmacSha256Hex: () => hmacSha256Hex,
+  sha256Hex: () => sha256Hex,
+  unwrapKey: () => unwrapKey,
+  wrapKey: () => wrapKey
+});
+async function deriveKey(passphrase, salt) {
+  const keyMaterial = await subtle.importKey(
+    "raw",
+    new TextEncoder().encode(passphrase),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: "AES-KW", length: KEY_BITS },
+    false,
+    ["wrapKey", "unwrapKey"]
+  );
+}
+async function generateDEK() {
+  return subtle.generateKey(
+    { name: "AES-GCM", length: KEY_BITS },
+    true,
+    // extractable — needed for AES-KW wrapping
+    ["encrypt", "decrypt"]
+  );
+}
+async function wrapKey(dek, kek) {
+  const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function unwrapKey(wrappedBase64, kek) {
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kek,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
+async function encrypt(plaintext, dek) {
+  const iv = generateIV();
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    encoded
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decrypt(ivBase64, dataBase64, dek) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      dek,
+      ciphertext
+    );
+    return new TextDecoder().decode(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+async function encryptBytes(data, dek) {
+  const iv = generateIV();
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    data
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decryptBytes(ivBase64, dataBase64, dek) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      dek,
+      ciphertext
+    );
+    return new Uint8Array(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+async function sha256Hex(data) {
+  const hash = await subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hmacSha256Hex(key, data) {
+  const rawKey = await subtle.exportKey("raw", key);
+  const hmacKey = await subtle.importKey(
+    "raw",
+    rawKey,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await subtle.sign("HMAC", hmacKey, data);
+  return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function encryptBytesWithAAD(data, dek, aad) {
+  const iv = generateIV();
+  const ciphertext = await subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv,
+      additionalData: aad
+    },
+    dek,
+    data
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decryptBytesWithAAD(ivBase64, dataBase64, dek, aad) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      {
+        name: "AES-GCM",
+        iv,
+        additionalData: aad
+      },
+      dek,
+      ciphertext
+    );
+    return new Uint8Array(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+async function derivePresenceKey(dek, collectionName) {
+  const rawDek = await subtle.exportKey("raw", dek);
+  const hkdfKey = await subtle.importKey(
+    "raw",
+    rawDek,
+    "HKDF",
+    false,
+    ["deriveBits"]
+  );
+  const salt = new TextEncoder().encode("noydb-presence");
+  const info = new TextEncoder().encode(collectionName);
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info },
+    hkdfKey,
+    KEY_BITS
+  );
+  return subtle.importKey(
+    "raw",
+    bits,
+    { name: "AES-GCM", length: KEY_BITS },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function deriveDeterministicIV(dek, context, plaintext) {
+  const rawDek = await subtle.exportKey("raw", dek);
+  const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
+  const salt = new TextEncoder().encode("noydb-deterministic-v1");
+  const info = new TextEncoder().encode(`${context}\0${plaintext}`);
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info },
+    hkdfKey,
+    IV_BYTES * 8
+  );
+  return new Uint8Array(bits);
+}
+async function encryptDeterministic(plaintext, dek, context) {
+  const iv = await deriveDeterministicIV(dek, context, plaintext);
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    encoded
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decryptDeterministic(ivBase64, dataBase64, dek) {
+  return decrypt(ivBase64, dataBase64, dek);
+}
+function generateIV() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
+}
+function generateSalt() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+}
+function bufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+var PBKDF2_ITERATIONS, SALT_BYTES, IV_BYTES, KEY_BITS, subtle;
+var init_crypto = __esm({
+  "src/crypto.ts"() {
+    "use strict";
+    init_errors();
+    PBKDF2_ITERATIONS = 6e5;
+    SALT_BYTES = 32;
+    IV_BYTES = 12;
+    KEY_BITS = 256;
+    subtle = globalThis.crypto.subtle;
+  }
+});
+
+// src/blobs/index.ts
+var blobs_exports = {};
+__export(blobs_exports, {
+  BLOB_CHUNKS_COLLECTION: () => BLOB_CHUNKS_COLLECTION,
+  BLOB_COLLECTION: () => BLOB_COLLECTION,
+  BLOB_EVICTION_AUDIT_COLLECTION: () => BLOB_EVICTION_AUDIT_COLLECTION,
+  BLOB_INDEX_COLLECTION: () => BLOB_INDEX_COLLECTION,
+  BLOB_SLOTS_PREFIX: () => BLOB_SLOTS_PREFIX,
+  BLOB_VERSIONS_PREFIX: () => BLOB_VERSIONS_PREFIX,
+  BlobSet: () => BlobSet,
+  DEFAULT_CHUNK_SIZE: () => DEFAULT_CHUNK_SIZE,
+  EXPORT_AUDIT_COLLECTION: () => EXPORT_AUDIT_COLLECTION,
+  ExportBlobsAbortedError: () => ExportBlobsAbortedError,
+  createExportBlobsHandle: () => createExportBlobsHandle,
+  detectMagic: () => detectMagic,
+  detectMimeType: () => detectMimeType,
+  isPreCompressed: () => isPreCompressed,
+  runCompaction: () => runCompaction,
+  withBlobs: () => withBlobs
+});
+module.exports = __toCommonJS(blobs_exports);
+
+// src/types.ts
+var NOYDB_FORMAT_VERSION = 1;
+
+// src/blobs/blob-set.ts
+init_crypto();
+init_errors();
+
+// src/blobs/mime-magic.ts
+function hex(s) {
+  return new Uint8Array(s.split(" ").map((b) => parseInt(b, 16)));
+}
+var MAGIC_RULES = [
+  // ── Images ───────────────────────────────────────────────────────────
+  // #2  PNG — full 8-byte signature (RFC 2083)
+  { mime: "image/png", format: "PNG", bytes: hex("89 50 4E 47 0D 0A 1A 0A"), preCompressed: true },
+  // #1  JPEG — FF D8 FF (third byte is start of APP marker, always FF)
+  { mime: "image/jpeg", format: "JPEG", bytes: hex("FF D8 FF"), preCompressed: true },
+  // #7  WebP — RIFF compound: bytes 0-3 = RIFF, bytes 8-11 = WEBP
+  {
+    mime: "image/webp",
+    format: "WebP",
+    bytes: hex("52 49 46 46"),
+    secondaryBytes: hex("57 45 42 50"),
+    secondaryOffset: 8,
+    preCompressed: true
+  },
+  // #5  TIFF (little-endian) — II + version 42
+  { mime: "image/tiff", format: "TIFF", bytes: hex("49 49 2A 00") },
+  // #6  TIFF (big-endian) — MM + version 42
+  { mime: "image/tiff", format: "TIFF", bytes: hex("4D 4D 00 2A") },
+  // #3  GIF — GIF8 (covers GIF87a and GIF89a)
+  { mime: "image/gif", format: "GIF", bytes: hex("47 49 46 38"), preCompressed: true },
+  // #4  BMP — BM
+  { mime: "image/bmp", format: "BMP", bytes: hex("42 4D") },
+  //  PSD — 8BPS
+  { mime: "image/vnd.adobe.photoshop", format: "PSD", bytes: hex("38 42 50 53") },
+  // #8  ICO — 00 00 01 00 (note: 00 00 02 00 is CUR cursor format)
+  { mime: "image/x-icon", format: "ICO", bytes: hex("00 00 01 00") },
+  // #9  HEIC — ISOBMFF: ftyp at offset 4, brand "heic" at offset 8
+  {
+    mime: "image/heic",
+    format: "HEIC",
+    bytes: hex("66 74 79 70"),
+    offset: 4,
+    secondaryBytes: hex("68 65 69 63"),
+    secondaryOffset: 8,
+    preCompressed: true
+  },
+  // ── Documents ────────────────────────────────────────────────────────
+  //  PDF — %PDF
+  { mime: "application/pdf", format: "PDF", bytes: hex("25 50 44 46") },
+  //  RTF — {\rtf
+  { mime: "application/rtf", format: "RTF", bytes: hex("7B 5C 72 74 66") },
+  // ── Archives & compression ───────────────────────────────────────────
+  //  RAR v5 — 8-byte signature (test before RAR v4)
+  { mime: "application/vnd.rar", format: "RAR v5", bytes: hex("52 61 72 21 1A 07 01 00"), preCompressed: true },
+  //  RAR v4 — 7-byte signature
+  { mime: "application/vnd.rar", format: "RAR v4", bytes: hex("52 61 72 21 1A 07 00"), preCompressed: true },
+  //  7-Zip — 6-byte signature
+  { mime: "application/x-7z-compressed", format: "7Z", bytes: hex("37 7A BC AF 27 1C"), preCompressed: true },
+  //  XZ — 6-byte stream header
+  { mime: "application/x-xz", format: "XZ", bytes: hex("FD 37 7A 58 5A 00"), preCompressed: true },
+  //  ZIP — PK\x03\x04 (local file header)
+  { mime: "application/zip", format: "ZIP", bytes: hex("50 4B 03 04"), preCompressed: true },
+  //  GZIP — 1F 8B
+  { mime: "application/gzip", format: "GZIP", bytes: hex("1F 8B"), preCompressed: true },
+  //  BZIP2 — BZh
+  { mime: "application/x-bzip2", format: "BZIP2", bytes: hex("42 5A 68"), preCompressed: true },
+  //  LZIP — LZIP
+  { mime: "application/x-lzip", format: "LZIP", bytes: hex("4C 5A 49 50"), preCompressed: true },
+  // ── Audio ────────────────────────────────────────────────────────────
+  //  WAV — RIFF compound: bytes 0-3 = RIFF, bytes 8-11 = WAVE
+  {
+    mime: "audio/wav",
+    format: "WAV",
+    bytes: hex("52 49 46 46"),
+    secondaryBytes: hex("57 41 56 45"),
+    secondaryOffset: 8
+  },
+  //  AIFF — FORM compound: bytes 0-3 = FORM, bytes 8-11 = AIFF
+  {
+    mime: "audio/aiff",
+    format: "AIFF",
+    bytes: hex("46 4F 52 4D"),
+    secondaryBytes: hex("41 49 46 46"),
+    secondaryOffset: 8
+  },
+  //  FLAC — fLaC
+  { mime: "audio/flac", format: "FLAC", bytes: hex("66 4C 61 43") },
+  //  OGG — OggS (container — may hold Vorbis, Opus, Theora, etc.)
+  { mime: "application/ogg", format: "OGG", bytes: hex("4F 67 67 53") },
+  //  MIDI — MThd
+  { mime: "audio/midi", format: "MIDI", bytes: hex("4D 54 68 64") },
+  //  MP3 (ID3-tagged) — ID3
+  { mime: "audio/mpeg", format: "MP3", bytes: hex("49 44 33"), preCompressed: true },
+  // ── Video ────────────────────────────────────────────────────────────
+  //  AVI — RIFF compound: bytes 0-3 = RIFF, bytes 8-11 = AVI\x20
+  {
+    mime: "video/x-msvideo",
+    format: "AVI",
+    bytes: hex("52 49 46 46"),
+    secondaryBytes: hex("41 56 49 20"),
+    secondaryOffset: 8,
+    preCompressed: true
+  },
+  //  WMV/ASF — 8-byte ASF header GUID prefix
+  { mime: "video/x-ms-wmv", format: "WMV", bytes: hex("30 26 B2 75 8E 66 CF 11"), preCompressed: true },
+  //  MKV/WebM — EBML header (Matroska container)
+  { mime: "video/x-matroska", format: "MKV", bytes: hex("1A 45 DF A3"), preCompressed: true },
+  //  FLV — FLV
+  { mime: "video/x-flv", format: "FLV", bytes: hex("46 4C 56"), preCompressed: true },
+  //  MOV — ISOBMFF: ftyp at offset 4, brand "qt  " at offset 8
+  {
+    mime: "video/quicktime",
+    format: "MOV",
+    bytes: hex("66 74 79 70"),
+    offset: 4,
+    secondaryBytes: hex("71 74 20 20"),
+    secondaryOffset: 8,
+    preCompressed: true
+  },
+  //  MP4 — ISOBMFF: ftyp at offset 4 (brands vary: isom, mp41, mp42, etc.)
+  //     Tested AFTER MOV and HEIC so their specific brands match first.
+  { mime: "video/mp4", format: "MP4", bytes: hex("66 74 79 70"), offset: 4, preCompressed: true },
+  // ── Executables & binaries ───────────────────────────────────────────
+  //  SQLite — "SQLite 3" (first 8 bytes of the 16-byte header)
+  { mime: "application/vnd.sqlite3", format: "SQLite", bytes: hex("53 51 4C 69 74 65 20 33") },
+  //  WASM — \0asm
+  { mime: "application/wasm", format: "WASM", bytes: hex("00 61 73 6D") },
+  //  ELF — \x7FELF
+  { mime: "application/x-elf", format: "ELF", bytes: hex("7F 45 4C 46") },
+  //  PE (EXE/DLL) — MZ
+  { mime: "application/vnd.microsoft.portable-executable", format: "PE", bytes: hex("4D 5A") },
+  //  Mach-O — all four single-arch variants
+  { mime: "application/x-mach-binary", format: "Mach-O 64 LE", bytes: hex("CF FA ED FE") },
+  { mime: "application/x-mach-binary", format: "Mach-O 64 BE", bytes: hex("FE ED FA CF") },
+  { mime: "application/x-mach-binary", format: "Mach-O 32 LE", bytes: hex("CE FA ED FE") },
+  { mime: "application/x-mach-binary", format: "Mach-O 32 BE", bytes: hex("FE ED FA CE") },
+  //  Java Class — CA FE BA BE
+  //     Note: collides with Mach-O Universal Binary. Disambiguated by checking
+  //     bytes 4-7: Java class version is >= 0x002D (45), while fat binary
+  //     arch count is a small number (typically 0x00000002).
+  //     We place Java after Mach-O single-arch entries so the more common
+  //     Mach-O variants match first. The CA FE BA BE collision between Java
+  //     and Mach-O fat binary is resolved by the caller if needed.
+  { mime: "application/java-vm", format: "Java Class", bytes: hex("CA FE BA BE") },
+  //  DEX — dex\n (Android Dalvik Executable)
+  { mime: "application/vnd.android.dex", format: "DEX", bytes: hex("64 65 78 0A") },
+  // ── Package formats ──────────────────────────────────────────────────
+  //  DEB — !<arch> (ar archive; DEB-specific member follows)
+  { mime: "application/vnd.debian.binary-package", format: "DEB", bytes: hex("21 3C 61 72 63 68 3E") },
+  //  RPM — ED AB EE DB
+  { mime: "application/x-rpm", format: "RPM", bytes: hex("ED AB EE DB") },
+  //  CAB — MSCF
+  { mime: "application/vnd.ms-cab-compressed", format: "CAB", bytes: hex("4D 53 43 46"), preCompressed: true },
+  // ── Capture & Flash ──────────────────────────────────────────────────
+  //  PCAP (little-endian) — D4 C3 B2 A1
+  { mime: "application/vnd.tcpdump.pcap", format: "PCAP", bytes: hex("D4 C3 B2 A1") },
+  //  PCAP (big-endian) — A1 B2 C3 D4
+  { mime: "application/vnd.tcpdump.pcap", format: "PCAP BE", bytes: hex("A1 B2 C3 D4") },
+  //  PCAPNG — Section Header Block
+  { mime: "application/x-pcapng", format: "PCAPNG", bytes: hex("0A 0D 0D 0A") },
+  //  SWF — all three variants (uncompressed, zlib, LZMA)
+  { mime: "application/x-shockwave-flash", format: "SWF", bytes: hex("46 57 53") },
+  { mime: "application/x-shockwave-flash", format: "SWF zlib", bytes: hex("43 57 53"), preCompressed: true },
+  { mime: "application/x-shockwave-flash", format: "SWF LZMA", bytes: hex("5A 57 53"), preCompressed: true },
+  // ── Data formats ─────────────────────────────────────────────────────
+  //  Parquet — PAR1 (no registered IANA MIME; using Apache's informal type)
+  { mime: "application/vnd.apache.parquet", format: "Parquet", bytes: hex("50 41 52 31") },
+  //  Avro Object Container — Obj\x01
+  { mime: "application/avro", format: "Avro", bytes: hex("4F 62 6A 01") },
+  //  NES ROM — NES\x1A (iNES header)
+  { mime: "application/x-nintendo-nes-rom", format: "NES ROM", bytes: hex("4E 45 53 1A") }
+];
+function isMp3SyncWord(byte0, byte1) {
+  return byte0 === 255 && (byte1 & 224) === 224;
+}
+function detectMimeType(header) {
+  const result = detectMagic(header);
+  return result?.mime ?? "application/octet-stream";
+}
+function detectMagic(header) {
+  for (const rule of MAGIC_RULES) {
+    if (matchRule(header, rule)) {
+      return {
+        mime: rule.mime,
+        format: rule.format,
+        preCompressed: rule.preCompressed ?? false
+      };
+    }
+  }
+  if (header.length >= 2 && isMp3SyncWord(header[0], header[1])) {
+    return { mime: "audio/mpeg", format: "MP3", preCompressed: true };
+  }
+  return null;
+}
+function isPreCompressed(mimeType) {
+  return PRE_COMPRESSED_MIMES.has(mimeType);
+}
+function matchRule(header, rule) {
+  const offset = rule.offset ?? 0;
+  const end = offset + rule.bytes.length;
+  if (header.length < end) return false;
+  for (let i = 0; i < rule.bytes.length; i++) {
+    if (header[offset + i] !== rule.bytes[i]) return false;
+  }
+  if (rule.secondaryBytes && rule.secondaryOffset !== void 0) {
+    const sEnd = rule.secondaryOffset + rule.secondaryBytes.length;
+    if (header.length < sEnd) return false;
+    for (let i = 0; i < rule.secondaryBytes.length; i++) {
+      if (header[rule.secondaryOffset + i] !== rule.secondaryBytes[i]) return false;
+    }
+  }
+  return true;
+}
+var PRE_COMPRESSED_MIMES = new Set(
+  MAGIC_RULES.filter((r) => r.preCompressed).map((r) => r.mime)
+);
+
+// src/blobs/blob-set.ts
+init_crypto();
+var BLOB_COLLECTION = "_blob";
+var BLOB_INDEX_COLLECTION = "_blob_index";
+var BLOB_CHUNKS_COLLECTION = "_blob_chunks";
+var BLOB_SLOTS_PREFIX = "_blob_slots_";
+var BLOB_VERSIONS_PREFIX = "_blob_versions_";
+var DEFAULT_CHUNK_SIZE = 256 * 1024;
+var MAX_CAS_RETRIES = 5;
+async function compressBytes(data) {
+  if (typeof CompressionStream === "undefined") {
+    return { bytes: data, algorithm: "none" };
+  }
+  const cs = new CompressionStream("gzip");
+  const writer = cs.writable.getWriter();
+  await writer.write(data);
+  await writer.close();
+  const buf = await new Response(cs.readable).arrayBuffer();
+  return { bytes: new Uint8Array(buf), algorithm: "gzip" };
+}
+async function decompressBytes(data) {
+  if (typeof DecompressionStream === "undefined") {
+    throw new Error(
+      "[noy-db] DecompressionStream not available \u2014 cannot decompress blob chunk"
+    );
+  }
+  const ds = new DecompressionStream("gzip");
+  const writer = ds.writable.getWriter();
+  await writer.write(data);
+  await writer.close();
+  const buf = await new Response(ds.readable).arrayBuffer();
+  return new Uint8Array(buf);
+}
+function concatChunks(chunks) {
+  const total = chunks.reduce((s, c) => s + c.byteLength, 0);
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.byteLength;
+  }
+  return out;
+}
+function chunkAAD(eTag, chunkIndex, chunkCount) {
+  return new TextEncoder().encode(`${eTag}:${chunkIndex}:${chunkCount}`);
+}
+var BlobSet = class {
+  store;
+  vault;
+  collection;
+  recordId;
+  getDEK;
+  encrypted;
+  userId;
+  maxBlobBytes;
+  constructor(opts) {
+    this.store = opts.store;
+    this.vault = opts.vault;
+    this.collection = opts.collection;
+    this.recordId = opts.recordId;
+    this.getDEK = opts.getDEK;
+    this.encrypted = opts.encrypted;
+    this.userId = opts.userId;
+    this.maxBlobBytes = opts.maxBlobBytes;
+  }
+  /** The internal collection that holds slot metadata for this collection's blobs. */
+  get slotsCollection() {
+    return `${BLOB_SLOTS_PREFIX}${this.collection}`;
+  }
+  /** The internal collection that holds published versions for this collection's blobs. */
+  get versionsCollection() {
+    return `${BLOB_VERSIONS_PREFIX}${this.collection}`;
+  }
+  // ─── Slot Metadata I/O (CAS-protected) ─────────────────────────────
+  async loadSlots() {
+    const envelope = await this.store.get(this.vault, this.slotsCollection, this.recordId);
+    if (!envelope) return { slots: {}, version: 0 };
+    if (!this.encrypted) {
+      return {
+        slots: JSON.parse(envelope._data),
+        version: envelope._v
+      };
+    }
+    const dek = await this.getDEK(this.collection);
+    const json = await decrypt(envelope._iv, envelope._data, dek);
+    return {
+      slots: JSON.parse(json),
+      version: envelope._v
+    };
+  }
+  async saveSlots(slots, currentVersion) {
+    const json = JSON.stringify(slots);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let envelope;
+    if (this.encrypted) {
+      const dek = await this.getDEK(this.collection);
+      const { iv, data } = await encrypt(json, dek);
+      envelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: currentVersion + 1,
+        _ts: now,
+        _iv: iv,
+        _data: data
+      };
+    } else {
+      envelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: currentVersion + 1,
+        _ts: now,
+        _iv: "",
+        _data: json
+      };
+    }
+    await this.store.put(
+      this.vault,
+      this.slotsCollection,
+      this.recordId,
+      envelope,
+      currentVersion > 0 ? currentVersion : void 0
+    );
+  }
+  /**
+   * CAS retry loop for slot metadata updates. Re-reads slots on conflict
+   * and re-applies the mutation function.
+   */
+  async casUpdateSlots(mutate) {
+    for (let attempt = 0; attempt < MAX_CAS_RETRIES; attempt++) {
+      const { slots, version } = await this.loadSlots();
+      const updated = mutate(slots);
+      if (updated === null) return;
+      try {
+        await this.saveSlots(updated, version);
+        return;
+      } catch (err) {
+        if (err instanceof ConflictError && attempt < MAX_CAS_RETRIES - 1) continue;
+        throw err;
+      }
+    }
+  }
+  // ─── Blob Index I/O (versioned for CAS refCount) ──────────────────
+  async loadBlobObject(eTag) {
+    const envelope = await this.store.get(this.vault, BLOB_INDEX_COLLECTION, eTag);
+    if (!envelope) return null;
+    if (!this.encrypted) {
+      return { blob: JSON.parse(envelope._data), version: envelope._v };
+    }
+    const dek = await this.getDEK(BLOB_COLLECTION);
+    const json = await decrypt(envelope._iv, envelope._data, dek);
+    return { blob: JSON.parse(json), version: envelope._v };
+  }
+  async writeBlobObject(blob, expectedVersion) {
+    const json = JSON.stringify(blob);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const newVersion = (expectedVersion ?? 0) + 1;
+    let envelope;
+    if (this.encrypted) {
+      const dek = await this.getDEK(BLOB_COLLECTION);
+      const { iv, data } = await encrypt(json, dek);
+      envelope = { _noydb: NOYDB_FORMAT_VERSION, _v: newVersion, _ts: now, _iv: iv, _data: data };
+    } else {
+      envelope = { _noydb: NOYDB_FORMAT_VERSION, _v: newVersion, _ts: now, _iv: "", _data: json };
+    }
+    await this.store.put(
+      this.vault,
+      BLOB_INDEX_COLLECTION,
+      blob.eTag,
+      envelope,
+      expectedVersion
+    );
+  }
+  /**
+   * CAS retry loop for refCount changes on a BlobObject.
+   */
+  async casUpdateRefCount(eTag, delta) {
+    for (let attempt = 0; attempt < MAX_CAS_RETRIES; attempt++) {
+      const result = await this.loadBlobObject(eTag);
+      if (!result) throw new NotFoundError(`BlobObject ${eTag} not found`);
+      const { blob, version } = result;
+      const updated = { ...blob, refCount: blob.refCount + delta };
+      try {
+        await this.writeBlobObject(updated, version);
+        return;
+      } catch (err) {
+        if (err instanceof ConflictError && attempt < MAX_CAS_RETRIES - 1) continue;
+        throw err;
+      }
+    }
+  }
+  // ─── Chunk I/O (with AAD binding) ─────────────────────────────────
+  async writeChunk(eTag, index, chunkCount, chunk, dek) {
+    const id = `${eTag}_${index}`;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let envelope;
+    if (dek) {
+      const aad = chunkAAD(eTag, index, chunkCount);
+      const { iv, data } = await encryptBytesWithAAD(chunk, dek, aad);
+      envelope = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: now, _iv: iv, _data: data };
+    } else {
+      envelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: 1,
+        _ts: now,
+        _iv: "",
+        _data: bufferToBase64(chunk)
+      };
+    }
+    await this.store.put(this.vault, BLOB_CHUNKS_COLLECTION, id, envelope);
+  }
+  async readChunk(eTag, index, chunkCount, dek) {
+    const envelope = await this.store.get(this.vault, BLOB_CHUNKS_COLLECTION, `${eTag}_${index}`);
+    if (!envelope) return null;
+    if (dek) {
+      const aad = chunkAAD(eTag, index, chunkCount);
+      return await decryptBytesWithAAD(envelope._iv, envelope._data, dek, aad);
+    }
+    return base64ToBuffer(envelope._data);
+  }
+  // ─── Version record I/O ───────────────────────────────────────────
+  versionKey(slotName, label) {
+    return `${this.recordId}::${slotName}::${label}`;
+  }
+  async loadVersionRecord(slotName, label) {
+    const key = this.versionKey(slotName, label);
+    const envelope = await this.store.get(this.vault, this.versionsCollection, key);
+    if (!envelope) return null;
+    if (!this.encrypted) {
+      return JSON.parse(envelope._data);
+    }
+    const dek = await this.getDEK(this.collection);
+    const json = await decrypt(envelope._iv, envelope._data, dek);
+    return JSON.parse(json);
+  }
+  async writeVersionRecord(slotName, record) {
+    const key = this.versionKey(slotName, record.label);
+    const json = JSON.stringify(record);
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let envelope;
+    if (this.encrypted) {
+      const dek = await this.getDEK(this.collection);
+      const { iv, data } = await encrypt(json, dek);
+      envelope = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: now, _iv: iv, _data: data };
+    } else {
+      envelope = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: now, _iv: "", _data: json };
+    }
+    await this.store.put(this.vault, this.versionsCollection, key, envelope);
+  }
+  async deleteVersionRecord(slotName, label) {
+    const key = this.versionKey(slotName, label);
+    await this.store.delete(this.vault, this.versionsCollection, key);
+  }
+  // ─── Effective chunk size ─────────────────────────────────────────
+  effectiveChunkSize(opts) {
+    if (opts?.chunkSize) return opts.chunkSize;
+    if (this.maxBlobBytes) return this.maxBlobBytes;
+    return DEFAULT_CHUNK_SIZE;
+  }
+  // ─── Fetch all chunks for a blob ──────────────────────────────────
+  async fetchAllChunks(blob) {
+    const blobDEK = this.encrypted ? await this.getDEK(BLOB_COLLECTION) : null;
+    const chunks = [];
+    for (let i = 0; i < blob.chunkCount; i++) {
+      const chunk = await this.readChunk(blob.eTag, i, blob.chunkCount, blobDEK);
+      if (!chunk) {
+        throw new NotFoundError(
+          `Blob chunk ${i}/${blob.chunkCount} missing for eTag "${blob.eTag}" on record "${this.recordId}"`
+        );
+      }
+      chunks.push(chunk);
+    }
+    const assembled = concatChunks(chunks);
+    return blob.compression === "gzip" ? await decompressBytes(assembled) : assembled;
+  }
+  // ─── Public API: Slot management ──────────────────────────────────
+  /**
+   * Upload bytes and attach them to this record under `slotName`.
+   *
+   * 1. Computes `eTag = HMAC-SHA-256(blobDEK, plaintext)` for keyed content-addressing.
+   * 2. Auto-detects MIME type from magic bytes if not provided.
+   * 3. If a blob with this eTag already exists, skips chunk upload (deduplication)
+   *    and CAS-increments refCount.
+   * 4. Otherwise: compresses → splits into chunks → encrypts each chunk with
+   *    AAD binding → writes `_blob_chunks` → writes `BlobObject` to `_blob_index`.
+   * 5. CAS-updates the slot metadata in `_blob_slots_{collection}`.
+   *    If overwriting an existing slot, decrements the old eTag's refCount.
+   */
+  async put(slotName, data, opts) {
+    const blobDEK = this.encrypted ? await this.getDEK(BLOB_COLLECTION) : null;
+    const eTag = blobDEK ? await hmacSha256Hex(blobDEK, data) : await plainSha256Hex(data);
+    let mimeType = opts?.mimeType;
+    if (!mimeType) {
+      const detected = detectMagic(data.subarray(0, 16));
+      if (detected) mimeType = detected.mime;
+    }
+    let shouldCompress;
+    if (opts?.compress !== void 0) {
+      shouldCompress = opts.compress;
+    } else if (mimeType && isPreCompressed(mimeType)) {
+      shouldCompress = false;
+    } else {
+      shouldCompress = true;
+    }
+    const existingBlob = await this.loadBlobObject(eTag);
+    if (existingBlob) {
+      await this.casUpdateRefCount(eTag, 1);
+    } else {
+      const { bytes: compressed, algorithm } = shouldCompress ? await compressBytes(data) : { bytes: data, algorithm: "none" };
+      const chunkSize = this.effectiveChunkSize(opts);
+      const chunkCount = Math.max(1, Math.ceil(compressed.byteLength / chunkSize));
+      for (let i = 0; i < chunkCount; i++) {
+        const start = i * chunkSize;
+        await this.writeChunk(
+          eTag,
+          i,
+          chunkCount,
+          compressed.subarray(start, start + chunkSize),
+          blobDEK
+        );
+      }
+      await this.writeBlobObject({
+        eTag,
+        size: data.byteLength,
+        compressedSize: compressed.byteLength,
+        compression: algorithm,
+        chunkSize,
+        chunkCount,
+        ...mimeType !== void 0 ? { mimeType } : {},
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        refCount: 1
+      });
+    }
+    const uploaderUserId = opts?.uploadedBy ?? this.userId;
+    await this.casUpdateSlots((slots) => {
+      const oldETag = slots[slotName]?.eTag;
+      slots[slotName] = {
+        eTag,
+        filename: slotName,
+        size: data.byteLength,
+        ...mimeType !== void 0 ? { mimeType } : {},
+        uploadedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        ...uploaderUserId !== void 0 ? { uploadedBy: uploaderUserId } : {}
+      };
+      if (oldETag && oldETag !== eTag) {
+        this._deferredRefDecrement = oldETag;
+      }
+      return slots;
+    });
+    if (this._deferredRefDecrement) {
+      const oldETag = this._deferredRefDecrement;
+      this._deferredRefDecrement = void 0;
+      await this.casUpdateRefCount(oldETag, -1).catch(() => {
+      });
+    }
+  }
+  _deferredRefDecrement;
+  /**
+   * Fetch all bytes for the named slot.
+   * Returns `null` if the slot does not exist.
+   * Throws `NotFoundError` if the index entry exists but a chunk is missing.
+   */
+  async get(slotName) {
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    if (!slot) return null;
+    const result = await this.loadBlobObject(slot.eTag);
+    if (!result) return null;
+    return this.fetchAllChunks(result.blob);
+  }
+  /**
+   * List all slot entries for this record.
+   * Returns metadata only — no chunk data is loaded.
+   */
+  async list() {
+    const { slots } = await this.loadSlots();
+    return Object.entries(slots).map(([name, slot]) => ({ name, ...slot }));
+  }
+  /**
+   * Delete the named slot from this record.
+   * Decrements refCount on the blob. Chunks are GC'd by `vault.blobGC()`.
+   */
+  async delete(slotName) {
+    let eTagToDecrement;
+    await this.casUpdateSlots((slots) => {
+      if (!(slotName in slots)) return null;
+      eTagToDecrement = slots[slotName].eTag;
+      delete slots[slotName];
+      return slots;
+    });
+    if (eTagToDecrement) {
+      await this.casUpdateRefCount(eTagToDecrement, -1).catch(() => {
+      });
+    }
+  }
+  /**
+   * Return a native `Response` whose body streams the decrypted,
+   * decompressed blob bytes with full HTTP metadata headers.
+   *
+   * Note: implementation is buffered — all chunks are loaded into
+   * memory before being enqueued. True streaming deferred to.
+   *
+   * Returns `null` if the slot does not exist.
+   */
+  async response(slotName, opts) {
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    if (!slot) return null;
+    const result = await this.loadBlobObject(slot.eTag);
+    if (!result) return null;
+    return this.buildResponse(slot, result.blob, opts);
+  }
+  /**
+   * Decrypt the slot and wrap the bytes in a browser ObjectURL ready
+   * to feed into `<img src>`, `<a href>`, etc. The caller MUST call
+   * `revoke()` when the URL is no longer needed — otherwise the URL
+   * (and the underlying decrypted Blob) are pinned for the lifetime
+   * of the document, which leaks memory in long-lived pages.
+   *
+   * Returns `null` when the slot does not exist.
+   *
+   * Throws when `URL.createObjectURL` is unavailable in the host
+   * environment (Node without DOM, restricted workers). Framework
+   * adapters — `useBlobURL` in `@noy-db/in-vue`, etc. — guard against
+   * this for SSR contexts and stay at `null` instead of propagating.
+   */
+  async objectURL(slotName, opts) {
+    if (typeof URL === "undefined" || typeof URL.createObjectURL !== "function") {
+      throw new Error(
+        "BlobSet.objectURL: URL.createObjectURL is unavailable in this environment. Call this from the browser, or use BlobSet.get() and create the URL yourself."
+      );
+    }
+    const bytes = await this.get(slotName);
+    if (!bytes) return null;
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    const type = opts?.mimeType ?? slot?.mimeType ?? "application/octet-stream";
+    const buffer = bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+    const blob = new Blob([buffer], { type });
+    const url = URL.createObjectURL(blob);
+    let revoked = false;
+    const revoke = () => {
+      if (revoked) return;
+      revoked = true;
+      URL.revokeObjectURL(url);
+    };
+    return { url, revoke };
+  }
+  // ─── Public API: Published versions (UC-3 amendment versioning) ───
+  /**
+   * Publish the current slot content as a named version snapshot.
+   *
+   * The published version holds an independent refCount reference to
+   * the blob. Even if the slot is later overwritten or deleted, the
+   * published version keeps the blob data alive.
+   *
+   * Publishing with an existing label overwrites it — if the eTags differ,
+   * refCounts are adjusted accordingly.
+   */
+  async publish(slotName, label) {
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    if (!slot) throw new NotFoundError(`Slot "${slotName}" not found on record "${this.recordId}"`);
+    const existing = await this.loadVersionRecord(slotName, label);
+    if (existing && existing.eTag === slot.eTag) return;
+    const record = {
+      label,
+      eTag: slot.eTag,
+      publishedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      ...this.userId !== void 0 ? { publishedBy: this.userId } : {}
+    };
+    await this.writeVersionRecord(slotName, record);
+    await this.casUpdateRefCount(slot.eTag, 1);
+    if (existing && existing.eTag !== slot.eTag) {
+      await this.casUpdateRefCount(existing.eTag, -1).catch(() => {
+      });
+    }
+  }
+  /**
+   * Fetch bytes for a published version.
+   * Returns `null` if the version does not exist.
+   */
+  async getVersion(slotName, label) {
+    const record = await this.loadVersionRecord(slotName, label);
+    if (!record) return null;
+    const result = await this.loadBlobObject(record.eTag);
+    if (!result) return null;
+    return this.fetchAllChunks(result.blob);
+  }
+  /**
+   * List all published versions for a slot.
+   */
+  async listVersions(slotName) {
+    const prefix = `${this.recordId}::${slotName}::`;
+    const allKeys = await this.store.list(this.vault, this.versionsCollection);
+    const matchingKeys = allKeys.filter((k) => k.startsWith(prefix));
+    const versions = [];
+    for (const key of matchingKeys) {
+      const envelope = await this.store.get(this.vault, this.versionsCollection, key);
+      if (!envelope) continue;
+      if (!this.encrypted) {
+        versions.push(JSON.parse(envelope._data));
+      } else {
+        const dek = await this.getDEK(this.collection);
+        const json = await decrypt(envelope._iv, envelope._data, dek);
+        versions.push(JSON.parse(json));
+      }
+    }
+    return versions;
+  }
+  /**
+   * Delete a published version. Decrements refCount on its blob.
+   */
+  async deleteVersion(slotName, label) {
+    const record = await this.loadVersionRecord(slotName, label);
+    if (!record) return;
+    await this.deleteVersionRecord(slotName, label);
+    await this.casUpdateRefCount(record.eTag, -1).catch(() => {
+    });
+  }
+  /**
+   * Return a `Response` for a published version — same as `response()`
+   * but reads from the version record's eTag instead of the current slot.
+   */
+  async responseVersion(slotName, label, opts) {
+    const record = await this.loadVersionRecord(slotName, label);
+    if (!record) return null;
+    const result = await this.loadBlobObject(record.eTag);
+    if (!result) return null;
+    const slotLike = {
+      eTag: record.eTag,
+      filename: opts?.filename ?? `${slotName}-${label}`,
+      size: result.blob.size,
+      ...result.blob.mimeType !== void 0 ? { mimeType: result.blob.mimeType } : {},
+      uploadedAt: record.publishedAt,
+      ...record.publishedBy !== void 0 ? { uploadedBy: record.publishedBy } : {}
+    };
+    return this.buildResponse(slotLike, result.blob, opts);
+  }
+  // ─── Diagnostics ──────────────────────────────────────────────────
+  /**
+   * Return the `BlobObject` metadata for the named slot.
+   * Returns `null` if the slot or blob does not exist.
+   */
+  async blobInfo(slotName) {
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    if (!slot) return null;
+    const result = await this.loadBlobObject(slot.eTag);
+    return result?.blob ?? null;
+  }
+  // ─── Presigned URL (E5) ────────────────────────────────────────────
+  /**
+   * Generate a presigned URL for direct client download of the blob's
+   * ciphertext. Only works when the blob store supports `presignUrl`.
+   *
+   * **Important:** The URL returns encrypted data. The caller must
+   * decrypt client-side using `decryptResponse()` or a service worker.
+   *
+   * Returns `null` if the slot doesn't exist or the store doesn't support presigning.
+   */
+  async presignedUrl(slotName, expiresInSeconds = 3600) {
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    if (!slot) return null;
+    const result = await this.loadBlobObject(slot.eTag);
+    if (!result) return null;
+    if (result.blob.chunkCount !== 1) return null;
+    if (!this.store.presignUrl) return null;
+    const chunkId = `${slot.eTag}_0`;
+    return this.store.presignUrl(this.vault, "_blob_chunks", chunkId, expiresInSeconds);
+  }
+  /**
+   * Decrypt a ciphertext Response (e.g. from a presigned URL fetch)
+   * back into a plaintext Response with correct headers.
+   *
+   * Usage with service worker or client-side fetch:
+   * ```ts
+   * const url = await blobs.presignedUrl('invoice.pdf')
+   * const cipherResponse = await fetch(url)
+   * const plainResponse = await blobs.decryptResponse('invoice.pdf', cipherResponse)
+   * ```
+   */
+  async decryptResponse(slotName, cipherResponse) {
+    const { slots } = await this.loadSlots();
+    const slot = slots[slotName];
+    if (!slot) return null;
+    const result = await this.loadBlobObject(slot.eTag);
+    if (!result) return null;
+    const text = await cipherResponse.text();
+    const envelope = JSON.parse(text);
+    const blobDEK = this.encrypted ? await this.getDEK("_blob") : null;
+    if (!blobDEK) {
+      return this.buildResponse(slot, result.blob, { inline: true });
+    }
+    const aad = chunkAAD(slot.eTag, 0, result.blob.chunkCount);
+    const { decryptBytesWithAAD: decryptAAD } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+    const decrypted = await decryptAAD(envelope._iv, envelope._data, blobDEK, aad);
+    const plaintext = result.blob.compression === "gzip" ? await decompressBytes(decrypted) : decrypted;
+    const body = new ReadableStream({
+      start(controller) {
+        controller.enqueue(plaintext);
+        controller.close();
+      }
+    });
+    const filename = slot.filename;
+    return new Response(body, {
+      headers: {
+        "Content-Type": slot.mimeType ?? "application/octet-stream",
+        "Content-Length": String(slot.size),
+        "ETag": `"${slot.eTag}"`,
+        "Content-Disposition": `inline; filename="${filename}"`,
+        "Last-Modified": new Date(slot.uploadedAt).toUTCString()
+      }
+    });
+  }
+  // ─── Internal: build Response from slot + blob ────────────────────
+  async buildResponse(slot, blob, opts) {
+    const fetchAllChunks = this.fetchAllChunks.bind(this);
+    const body = new ReadableStream({
+      async start(controller) {
+        try {
+          const output = await fetchAllChunks(blob);
+          controller.enqueue(output);
+          controller.close();
+        } catch (err) {
+          controller.error(err);
+        }
+      }
+    });
+    const filename = opts?.filename ?? slot.filename;
+    const disposition = opts?.inline ? `inline; filename="${filename}"` : `attachment; filename="${filename}"`;
+    return new Response(body, {
+      headers: {
+        "Content-Type": slot.mimeType ?? "application/octet-stream",
+        "Content-Length": String(slot.size),
+        "ETag": `"${slot.eTag}"`,
+        "Content-Disposition": disposition,
+        "Last-Modified": new Date(slot.uploadedAt).toUTCString()
+      }
+    });
+  }
+};
+async function plainSha256Hex(data) {
+  return sha256Hex(data);
+}
+
+// src/blobs/active.ts
+function withBlobs() {
+  return {
+    openSlot(args) {
+      return new BlobSet(args);
+    }
+  };
+}
+
+// src/blobs/blob-compaction.ts
+init_crypto();
+var BLOB_EVICTION_AUDIT_COLLECTION = "_blob_eviction_audit";
+async function runCompaction(ctx, options = {}) {
+  const now = options.now ?? /* @__PURE__ */ new Date();
+  const maxEvictions = options.maxEvictions ?? Infinity;
+  const dryRun = options.dryRun === true;
+  const allCollections = await ctx.listCollections();
+  const byCollection = {};
+  let evicted = 0;
+  let records = 0;
+  let auditEntries = 0;
+  let collectionsWithPolicy = 0;
+  outer: for (const collectionName of allCollections) {
+    if (collectionName.startsWith("_")) continue;
+    const config = ctx.getBlobFields(collectionName);
+    if (!config) continue;
+    const configuredSlots = Object.keys(config);
+    if (configuredSlots.length === 0) continue;
+    collectionsWithPolicy += 1;
+    byCollection[collectionName] = { records: 0, evicted: 0 };
+    const ids = await ctx.listRecords(collectionName);
+    for (const recordId of ids) {
+      if (evicted >= maxEvictions) break outer;
+      const record = await ctx.getRecord(collectionName, recordId).catch(() => null);
+      if (record === null) continue;
+      records += 1;
+      byCollection[collectionName].records += 1;
+      const slots = await ctx.listSlots(collectionName, recordId).catch(() => []);
+      for (const slot of slots) {
+        if (evicted >= maxEvictions) break outer;
+        const policy = config[slot.name];
+        if (!policy) continue;
+        const reason = evaluatePolicy(policy, record, slot, now);
+        if (!reason) continue;
+        if (!dryRun) {
+          await ctx.deleteSlot(collectionName, recordId, slot.name);
+          await writeAuditEntry(ctx, {
+            id: generateEvictionId(collectionName, recordId, slot.name),
+            collection: collectionName,
+            recordId,
+            slotName: slot.name,
+            blobHash: slot.eTag,
+            reason,
+            evictedAt: now.toISOString(),
+            actor: ctx.actor
+          });
+          auditEntries += 1;
+        }
+        evicted += 1;
+        byCollection[collectionName].evicted += 1;
+      }
+    }
+  }
+  return {
+    evicted,
+    records,
+    collections: collectionsWithPolicy,
+    auditEntries,
+    byCollection
+  };
+}
+function evaluatePolicy(policy, record, slot, now) {
+  let ttlTriggered = false;
+  let predicateTriggered = false;
+  if (policy.retainDays !== void 0 && policy.retainDays > 0) {
+    const uploadedAt = Date.parse(slot.uploadedAt);
+    if (Number.isFinite(uploadedAt)) {
+      const ageMs = now.getTime() - uploadedAt;
+      const limitMs = policy.retainDays * 864e5;
+      if (ageMs > limitMs) ttlTriggered = true;
+    }
+  }
+  if (policy.evictWhen) {
+    try {
+      if (policy.evictWhen(record)) predicateTriggered = true;
+    } catch {
+    }
+  }
+  if (ttlTriggered && predicateTriggered) return "both";
+  if (ttlTriggered) return "ttl";
+  if (predicateTriggered) return "predicate";
+  return null;
+}
+function generateEvictionId(collection, recordId, slotName) {
+  const rand = globalThis.crypto.getRandomValues(new Uint8Array(8));
+  let suffix = "";
+  for (const b of rand) suffix += b.toString(16).padStart(2, "0");
+  return `${collection}__${recordId}__${slotName}__${suffix}`;
+}
+async function writeAuditEntry(ctx, entry) {
+  const json = JSON.stringify(entry);
+  let envelope;
+  if (ctx.encrypted) {
+    const dek = await ctx.getDEK(BLOB_EVICTION_AUDIT_COLLECTION);
+    const { iv, data } = await encrypt(json, dek);
+    envelope = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: 1,
+      _ts: entry.evictedAt,
+      _iv: iv,
+      _data: data,
+      _by: entry.actor
+    };
+  } else {
+    envelope = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: 1,
+      _ts: entry.evictedAt,
+      _iv: "",
+      _data: json,
+      _by: entry.actor
+    };
+  }
+  await ctx.adapter.put(ctx.vault, BLOB_EVICTION_AUDIT_COLLECTION, entry.id, envelope);
+}
+
+// src/blobs/export-blobs.ts
+var ExportBlobsAbortedError = class extends Error {
+  constructor(reason) {
+    super(`exportBlobs aborted: ${reason}`);
+    this.name = "ExportBlobsAbortedError";
+  }
+};
+var EXPORT_AUDIT_COLLECTION = "_export_audit";
+function createExportBlobsHandle(actor, listAccessibleCollections, getCollection, writeAudit, options) {
+  let aborted = false;
+  const abort = () => {
+    aborted = true;
+  };
+  if (options.signal) {
+    if (options.signal.aborted) aborted = true;
+    options.signal.addEventListener("abort", () => {
+      aborted = true;
+    });
+  }
+  function assertLive() {
+    if (aborted) throw new ExportBlobsAbortedError("aborted by caller");
+  }
+  const allowlist = options.collections ? new Set(options.collections) : null;
+  let auditPromise = null;
+  function writeAuditOnce() {
+    if (!auditPromise) {
+      auditPromise = writeAudit({
+        id: generateBatchId(),
+        mechanism: "exportBlobs",
+        actor,
+        startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        collections: options.collections ?? null,
+        predicate: Boolean(options.where),
+        afterBlobId: options.afterBlobId ?? null
+      });
+    }
+    return auditPromise;
+  }
+  async function* generate() {
+    await writeAuditOnce();
+    assertLive();
+    const allCollections = await listAccessibleCollections();
+    const targets = allCollections.filter((name) => {
+      if (name.startsWith("_")) return false;
+      if (allowlist && !allowlist.has(name)) return false;
+      return true;
+    });
+    let resumeCursorHit = options.afterBlobId === void 0;
+    for (const collectionName of targets) {
+      if (aborted) return;
+      const coll = getCollection(collectionName);
+      const records = await coll.list().catch(() => []);
+      for (const record of records) {
+        if (aborted) return;
+        assertLive();
+        const idField = record.id;
+        if (typeof idField !== "string") continue;
+        if (options.where && !options.where(record, { collection: collectionName, id: idField })) continue;
+        const blobSet = coll.blob(idField);
+        const slots = await blobSet.list().catch(() => []);
+        for (const slot of slots) {
+          if (aborted) return;
+          if (!resumeCursorHit) {
+            if (slot.eTag === options.afterBlobId) {
+              resumeCursorHit = true;
+            }
+            continue;
+          }
+          const bytes = await blobSet.get(slot.name);
+          if (!bytes) continue;
+          const item = {
+            blobId: slot.eTag,
+            recordRef: { collection: collectionName, id: idField, slot: slot.name },
+            bytes,
+            meta: {
+              size: slot.size,
+              filename: slot.filename,
+              ...slot.mimeType !== void 0 && { mimeType: slot.mimeType },
+              ...slot.uploadedAt !== void 0 && { createdAt: slot.uploadedAt }
+            }
+          };
+          yield item;
+        }
+      }
+    }
+  }
+  const handle = {
+    abort,
+    get aborted() {
+      return aborted;
+    },
+    [Symbol.asyncIterator]: () => generate()
+  };
+  return handle;
+}
+function generateBatchId() {
+  const raw = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  let s = "";
+  for (const b of raw) s += b.toString(16).padStart(2, "0");
+  return `batch-${Date.now().toString(36)}-${s.slice(0, 12)}`;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  BLOB_CHUNKS_COLLECTION,
+  BLOB_COLLECTION,
+  BLOB_EVICTION_AUDIT_COLLECTION,
+  BLOB_INDEX_COLLECTION,
+  BLOB_SLOTS_PREFIX,
+  BLOB_VERSIONS_PREFIX,
+  BlobSet,
+  DEFAULT_CHUNK_SIZE,
+  EXPORT_AUDIT_COLLECTION,
+  ExportBlobsAbortedError,
+  createExportBlobsHandle,
+  detectMagic,
+  detectMimeType,
+  isPreCompressed,
+  runCompaction,
+  withBlobs
+});
+//# sourceMappingURL=index.cjs.map