@noy-db/hub 0.1.0-pre.3

package/dist/index.d.cts

@@ -0,0 +1,269 @@
+import { ar as UnlockedKeyring, aR as Vault, aA as DiffEntry } from './types-Bfs0qr5F.cjs';
+export { aS as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, aT as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, aU as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, aV as CacheOptions, aW as CacheStats, aX as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, aY as Collection, aZ as CollectionChangeEvent, a_ as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, a$ as Conflict, b0 as ConflictPolicy, b1 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, b2 as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, b3 as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, b4 as DelegationToken, b5 as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, b6 as DirtyEntry, b7 as ELEVATION_AUDIT_COLLECTION, b8 as ElevatedHandle, av as EncryptedEnvelope, b9 as ExportCapability, ba as ExportChunk, bb as ExportFormat, bc as ExportStreamOptions, bd as GhostRecord, be as GrantOptions, bf as HistoryConfig, bg as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bh as INDEXED_STORE_POLICY, bi as ImportCapability, bj as InferOutput, bk as IssueDelegationOptions, bl as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bm as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bn as ListAccessibleVaultsOptions, bo as ListPageResult, bp as LocaleReadOptions, bq as Lru, br as LruOptions, bs as LruStats, bt as MAGIC_LINK_CONTENT_INFO_PREFIX, bu as MAGIC_LINK_GRANTS_COLLECTION, bv as MAGIC_LINK_KEK_INFO_PREFIX, bw as MagicLinkGrantPayload, bx as MagicLinkGrantRecord, by as NOYDB_BACKUP_VERSION, bz as NOYDB_FORMAT_VERSION, bA as NOYDB_KEYRING_VERSION, bB as NOYDB_SYNC_VERSION, bC as Noydb, bD as NoydbBundleStore, bE as NoydbEventMap, bF as NoydbOptions, at as NoydbStore, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, aa as PeriodRecord, bG as Permission, bH as Permissions, bI as PlaintextTranslatorContext, bJ as PlaintextTranslatorFn, P as PolicyEnforcer, bK as PresenceHandle, bL as PresencePeer, aw as PruneOptions, bM as PullMode, bN as PullOptions, bO as PullPolicy, bP as PullResult, bQ as PushMode, bR as PushOptions, bS as PushPolicy, bT as PushResult, bU as PutManyItemOptions, bV as PutManyOptions, bW as PutManyResult, bX as QueryAcrossOptions, bY as QueryAcrossResult, bZ as ReAuthOperation, b_ as RevokeOptions, aq as Role, b$ as SessionPolicy, U as SlotInfo, V as SlotRecord, c0 as StandardSchemaV1, c1 as StandardSchemaV1Issue, c2 as StandardSchemaV1SyncResult, c3 as StoreAuth, c4 as StoreAuthKind, c5 as StoreCapabilities, c6 as SyncEngine, c7 as SyncMetadata, c8 as SyncPolicy, c9 as SyncScheduler, ca as SyncSchedulerStatus, cb as SyncStatus, cc as SyncTarget, cd as SyncTargetRole, ce as SyncTransaction, cf as SyncTransactionResult, cg as TierMode, ch as TranslatorAuditEntry, al as TxCollection, am as TxContext, ci as TxOp, an as TxVault, cj as UserInfo, ck as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, cl as VaultSnapshot, aH as VerifyResult, W as VersionRecord, g as applyI18nLocale, aI as applyPatch, cm as buildRecipientKeyringFile, aJ as canonicalJson, aK as computePatch, n as createEnforcer, cn as createNoydb, co as createStore, cp as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, cq as evaluateExportCapability, cr as evaluateImportCapability, aM as formatDiff, cs as hasExportCapability, ct as hasImportCapability, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, cu as isMagicLinkGrantExpired, cv as issueDelegation, cw as listMagicLinkGrants, cx as loadActiveDelegations, cy as magicLinkGrantRecordId, aO as paddedIndex, aP as parseIndex, cz as readMagicLinkGrantRecord, r as resolveI18nText, cA as revokeDelegation, cB as revokeMagicLinkGrant, ao as runTransaction, aQ as sha256Hex, cC as unwrapMagicLinkGrant, v as validateI18nTextValue, cD as validateSchemaInput, cE as validateSchemaOutput, o as validateSessionPolicy, cF as writeMagicLinkGrant } from './types-Bfs0qr5F.cjs';
+export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.cjs';
+export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.cjs';
+export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, N as NetworkError, t as NoAccessError, u as NotFoundError, v as NoydbError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-DN-J-5wT.cjs';
+export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, w as writeNoydbBundle } from './index-DhjMjz7L.cjs';
+export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.cjs';
+export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.cjs';
+export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-CeXic1xC.cjs';
+export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.cjs';
+export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.cjs';
+export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-9KO1BGxh.cjs';
+import './lazy-builder-CZVLKh0Z.cjs';
+
+/**
+ * Cache policy helpers — parse human-friendly byte budgets into raw numbers.
+ *
+ * Accepted shapes (case-insensitive on suffix):
+ *   number       — interpreted as raw bytes
+ *   '1024'       — string of digits, raw bytes
+ *   '50KB'       — kilobytes (×1024)
+ *   '50MB'       — megabytes (×1024²)
+ *   '1GB'        — gigabytes (×1024³)
+ *
+ * Decimals are accepted (`'1.5GB'` → 1610612736 bytes).
+ *
+ * Anything else throws — better to fail loud at construction time than
+ * to silently treat a typo as 0 bytes (which would evict everything).
+ */
+/** Parse a byte budget into a positive integer number of bytes. */
+declare function parseBytes(input: number | string): number;
+/**
+ * Estimate the in-memory byte size of a decrypted record.
+ *
+ * Uses `JSON.stringify().length` as a stand-in for actual heap usage.
+ * It's a deliberate approximation: real V8 heap size includes pointer
+ * overhead, hidden classes, and string interning that we can't measure
+ * from JavaScript. The JSON length is a stable, monotonic proxy that
+ * costs O(record size) per insert — fine when records are typically
+ * < 1 KB and the cache eviction is the slow path anyway.
+ *
+ * Returns `0` (and the caller must treat it as 1 for accounting) if
+ * stringification throws on circular references; this is documented
+ * but in practice records always come from JSON-decoded envelopes.
+ */
+declare function estimateRecordBytes(record: unknown): number;
+
+interface EncryptResult {
+    iv: string;
+    data: string;
+}
+/**
+ * Encrypt raw bytes with AES-256-GCM using a fresh random IV.
+ * Used by the attachment store so binary blobs avoid double base64 encoding
+ * (the existing `encrypt()` function calls `TextEncoder` on a string — here
+ * we pass the `Uint8Array` directly to `subtle.encrypt`).
+ */
+declare function encryptBytes(data: Uint8Array, dek: CryptoKey): Promise<EncryptResult>;
+/**
+ * Decrypt AES-256-GCM ciphertext back to raw bytes.
+ * Counterpart to `encryptBytes`. Throws `TamperedError` on auth-tag failure.
+ */
+declare function decryptBytes(ivBase64: string, dataBase64: string, dek: CryptoKey): Promise<Uint8Array>;
+/**
+ * Derive an AES-256-GCM presence key from a collection DEK using HKDF-SHA256.
+ *
+ * The presence key is domain-separated from the data DEK by the fixed salt
+ * `'noydb-presence'` and the `info` = collection name. This means:
+ *  - The adapter never sees the presence key.
+ *  - Presence payloads rotate automatically when the collection DEK is rotated.
+ *  - Revoked users cannot derive the new presence key after a DEK rotation.
+ *
+ * @param dek            The collection's AES-256-GCM DEK (extractable).
+ * @param collectionName Used as the HKDF `info` parameter for domain separation.
+ * @returns A non-extractable AES-256-GCM key suitable for presence payload encryption.
+ */
+declare function derivePresenceKey(dek: CryptoKey, collectionName: string): Promise<CryptoKey>;
+/**
+ * Encrypt a plaintext string with AES-256-GCM and a deterministic,
+ * HKDF-derived IV.
+ *
+ * The same `{ dek, context, plaintext }` triple always produces the
+ * same `{ iv, data }` — call this twice and you can string-compare the
+ * ciphertexts to check equality of the inputs without decrypting them.
+ *
+ * @param context  Domain-separation string — by convention
+ *                 `'<collection>/<field>'`. Different contexts encrypt
+ *                 the same plaintext to different ciphertexts, so
+ *                 `email` in collection `users` does not collide with
+ *                 `email` in collection `customers`.
+ */
+declare function encryptDeterministic(plaintext: string, dek: CryptoKey, context: string): Promise<EncryptResult>;
+/**
+ * Counterpart to {@link encryptDeterministic}. The IV is stored
+ * alongside the ciphertext (exactly like the randomized path), so
+ * decrypt uses the stored IV and verifies the GCM auth tag — a tampered
+ * ciphertext throws `TamperedError` just like randomized AES-GCM.
+ */
+declare function decryptDeterministic(ivBase64: string, dataBase64: string, dek: CryptoKey): Promise<string>;
+declare function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
+declare function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer>;
+
+/**
+ * Hierarchical access — tier-aware keyring helpers.
+ *
+ * The keyring's existing `deks: Map<string, CryptoKey>` is keyed by
+ * collection name. extends the key space:
+ *
+ *   `'invoices'`      — tier-0 DEK (unchanged from v0.x)
+ *   `'invoices#1'`    — tier-1 DEK
+ *   `'invoices#2'`    — tier-2 DEK
+ *
+ * Tier 0 keeps the bare collection name so any keyring written
+ * before tiers existed loads without migration. Tiers ≥ 1 use `#N`
+ * suffixes that
+ * would be invalid as user-supplied collection names (see
+ * `ReservedCollectionNameError` — `#` is reserved).
+ *
+ * @module
+ */
+
+/** Canonical DEK key for a given collection + tier. Tier 0 → bare name. */
+declare function dekKey(collection: string, tier: number): string;
+/**
+ * Returns the user's effective clearance for a given collection: the
+ * maximum tier for which their keyring holds a DEK. Falls back to 0
+ * when the user has only the tier-0 DEK (or none — the getDEK caller
+ * will raise separately).
+ */
+declare function effectiveClearance(keyring: UnlockedKeyring, collection: string): number;
+/**
+ * Assert the caller is cleared for the requested tier. Owners and
+ * admins always pass (they can mint any new tier DEK on demand);
+ * other roles must already hold the tier DEK — via a prior grant or
+ * an active delegation — otherwise this throws `TierNotGrantedError`.
+ *
+ * This gate runs BEFORE `getDEK()` on the mutation path so a
+ * non-cleared operator never has the opportunity to silently
+ * auto-create a tier DEK they shouldn't have.
+ */
+declare function assertTierAccess(keyring: UnlockedKeyring, collection: string, tier: number): void;
+
+/**
+ * Vault-level diff orchestrator.
+ *
+ * Compares a live `Vault`'s plaintext state against a candidate state
+ * (another vault, a plain `{ collection: records[] }` map, or a vault
+ * dump JSON) and returns a structured `VaultDiff` plan listing the
+ * records that would be added, modified, or deleted to bring the live
+ * vault into the candidate's shape.
+ *
+ * Builds on two existing record-level helpers:
+ *
+ *   1. `diff(a, b)` from `./history/diff.ts` — emits dot-pathed
+ *      `DiffEntry[]` with `type: 'added' | 'removed' | 'changed'` for
+ *      each changed field of two records. Used here for the
+ *      `fieldDiffs` of every `modified` entry, and (with empty result)
+ *      as the default deep-equal check.
+ *
+ *   2. `Vault.exportStream()` from `./vault.ts` — the canonical
+ *      decrypt-and-stream-records iterator. Used to walk both sides
+ *      when the candidate is itself a `Vault`. ACL-scoped: collections
+ *      the caller can't read silently drop out, the same way every
+ *      other plaintext-emitting export pipeline filters them.
+ *
+ * The new orchestration is the **vault-level** enumeration: bucket
+ * each record id into added (only in candidate), deleted (only in
+ * vault), or modified (in both with field changes); leave the
+ * field-level granularity to the existing `diff()`.
+ *
+ * Use cases:
+ *
+ *   - Import preview (`@noy-db/as-*` `fromString` returns a plan
+ *     whose body is a `VaultDiff`).
+ *   - Backup verification ("does this `.noydb` bundle from yesterday
+ *     match the current vault?").
+ *   - Two-vault reconciliation ("what's different between Office A
+ *     and Office B before we sync?").
+ *   - Test assertions (golden-file testing with one-liner
+ *     `expect(plan.summary).toEqual(...)`).
+ *
+ * @module
+ */
+
+/** Per-record entry shape — added and deleted records carry only the record value. */
+interface VaultDiffEntry<T = unknown> {
+    readonly collection: string;
+    readonly id: string;
+    readonly record: T;
+}
+/** Modified records carry both halves of the diff plus the field-level breakdown. */
+interface VaultDiffModifiedEntry<T = unknown> extends VaultDiffEntry<T> {
+    /** The record as it stands in the live vault. */
+    readonly before: T;
+    /** Top-level keys whose values differ between `before` and `record`. */
+    readonly fieldsChanged: readonly string[];
+    /**
+     * Field-level diff entries from `diff(before, record)`. Reuses the
+     * existing per-record diff helper so consumers can render git-style
+     * `path: from → to` rows without re-walking the records.
+     */
+    readonly fieldDiffs: readonly DiffEntry[];
+}
+interface VaultDiff<T = unknown> {
+    readonly added: readonly VaultDiffEntry<T>[];
+    readonly modified: readonly VaultDiffModifiedEntry<T>[];
+    readonly deleted: readonly VaultDiffEntry<T>[];
+    /** Only populated when `options.includeUnchanged: true`. */
+    readonly unchanged: readonly VaultDiffEntry<T>[] | undefined;
+    readonly summary: {
+        readonly add: number;
+        readonly modify: number;
+        readonly delete: number;
+        readonly total: number;
+    };
+    /**
+     * Format the diff as a human-readable string.
+     *
+     *   - `'count'`   — one line, just the numbers (`12 added · 3 modified · 0 deleted`)
+     *   - `'one-line'` — count plus a single overview line
+     *   - `'full'`    — count + one row per added/modified/deleted record (default)
+     */
+    format(opts?: {
+        detail?: 'count' | 'one-line' | 'full';
+    }): string;
+}
+interface DiffOptions {
+    /** Restrict the diff to a subset of collections. */
+    readonly collections?: readonly string[];
+    /** Field on each record that carries its id. Defaults to `'id'`. */
+    readonly idKey?: string;
+    /** Override the default deep-equal check for "modified vs unchanged". */
+    readonly compareFn?: (a: unknown, b: unknown) => boolean;
+    /** If true, include unchanged records in the diff (off by default to save memory). */
+    readonly includeUnchanged?: boolean;
+}
+/**
+ * Candidate state to diff the vault against:
+ *
+ *   - A `Vault` instance — both sides are walked via `exportStream()`.
+ *   - A `Record<collection, records[]>` map — same shape `as-json.toObject()`
+ *     produces. Useful for diffing parsed file content against the live vault.
+ *   - A `VaultDump` (output of `vault.dump()`) — a JSON string carrying the
+ *     full vault state. Parsed and reduced to the map shape above.
+ */
+type DiffCandidate<T = unknown> = Vault | Record<string, readonly T[]> | string;
+/**
+ * Compute the diff between a live vault and a candidate state.
+ *
+ * Returns a fully buffered `VaultDiff` — no streaming. Memory cost is
+ * O(n + m) in the row count of vault + candidate. For documented
+ * 1K-50K-record vaults this is fine; a streaming variant lands as a
+ * follow-up if a > 100K-record consumer arrives.
+ */
+declare function diffVault<T = unknown>(vault: Vault, candidate: DiffCandidate<T>, options?: DiffOptions): Promise<VaultDiff<T>>;
+
+/**
+ * Validate passphrase strength.
+ * Checks length and basic entropy heuristics.
+ * Throws ValidationError if too weak.
+ */
+declare function validatePassphrase(passphrase: string): void;
+/**
+ * Estimate passphrase entropy in bits.
+ * Uses character class analysis (not dictionary-based).
+ */
+declare function estimateEntropy(passphrase: string): number;
+
+export { type DiffCandidate, DiffEntry, type DiffOptions, UnlockedKeyring, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, assertTierAccess, base64ToBuffer, bufferToBase64, decryptBytes, decryptDeterministic, dekKey, derivePresenceKey, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateEntropy, estimateRecordBytes, parseBytes, validatePassphrase };

package/dist/index.d.ts

@@ -0,0 +1,269 @@
+import { ar as UnlockedKeyring, aR as Vault, aA as DiffEntry } from './types-BZpCZB8N.js';
+export { aS as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, aT as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, aU as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, aV as CacheOptions, aW as CacheStats, aX as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, aY as Collection, aZ as CollectionChangeEvent, a_ as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, a$ as Conflict, b0 as ConflictPolicy, b1 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, b2 as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, b3 as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, b4 as DelegationToken, b5 as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, b6 as DirtyEntry, b7 as ELEVATION_AUDIT_COLLECTION, b8 as ElevatedHandle, av as EncryptedEnvelope, b9 as ExportCapability, ba as ExportChunk, bb as ExportFormat, bc as ExportStreamOptions, bd as GhostRecord, be as GrantOptions, bf as HistoryConfig, bg as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bh as INDEXED_STORE_POLICY, bi as ImportCapability, bj as InferOutput, bk as IssueDelegationOptions, bl as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bm as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bn as ListAccessibleVaultsOptions, bo as ListPageResult, bp as LocaleReadOptions, bq as Lru, br as LruOptions, bs as LruStats, bt as MAGIC_LINK_CONTENT_INFO_PREFIX, bu as MAGIC_LINK_GRANTS_COLLECTION, bv as MAGIC_LINK_KEK_INFO_PREFIX, bw as MagicLinkGrantPayload, bx as MagicLinkGrantRecord, by as NOYDB_BACKUP_VERSION, bz as NOYDB_FORMAT_VERSION, bA as NOYDB_KEYRING_VERSION, bB as NOYDB_SYNC_VERSION, bC as Noydb, bD as NoydbBundleStore, bE as NoydbEventMap, bF as NoydbOptions, at as NoydbStore, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, aa as PeriodRecord, bG as Permission, bH as Permissions, bI as PlaintextTranslatorContext, bJ as PlaintextTranslatorFn, P as PolicyEnforcer, bK as PresenceHandle, bL as PresencePeer, aw as PruneOptions, bM as PullMode, bN as PullOptions, bO as PullPolicy, bP as PullResult, bQ as PushMode, bR as PushOptions, bS as PushPolicy, bT as PushResult, bU as PutManyItemOptions, bV as PutManyOptions, bW as PutManyResult, bX as QueryAcrossOptions, bY as QueryAcrossResult, bZ as ReAuthOperation, b_ as RevokeOptions, aq as Role, b$ as SessionPolicy, U as SlotInfo, V as SlotRecord, c0 as StandardSchemaV1, c1 as StandardSchemaV1Issue, c2 as StandardSchemaV1SyncResult, c3 as StoreAuth, c4 as StoreAuthKind, c5 as StoreCapabilities, c6 as SyncEngine, c7 as SyncMetadata, c8 as SyncPolicy, c9 as SyncScheduler, ca as SyncSchedulerStatus, cb as SyncStatus, cc as SyncTarget, cd as SyncTargetRole, ce as SyncTransaction, cf as SyncTransactionResult, cg as TierMode, ch as TranslatorAuditEntry, al as TxCollection, am as TxContext, ci as TxOp, an as TxVault, cj as UserInfo, ck as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, cl as VaultSnapshot, aH as VerifyResult, W as VersionRecord, g as applyI18nLocale, aI as applyPatch, cm as buildRecipientKeyringFile, aJ as canonicalJson, aK as computePatch, n as createEnforcer, cn as createNoydb, co as createStore, cp as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, cq as evaluateExportCapability, cr as evaluateImportCapability, aM as formatDiff, cs as hasExportCapability, ct as hasImportCapability, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, cu as isMagicLinkGrantExpired, cv as issueDelegation, cw as listMagicLinkGrants, cx as loadActiveDelegations, cy as magicLinkGrantRecordId, aO as paddedIndex, aP as parseIndex, cz as readMagicLinkGrantRecord, r as resolveI18nText, cA as revokeDelegation, cB as revokeMagicLinkGrant, ao as runTransaction, aQ as sha256Hex, cC as unwrapMagicLinkGrant, v as validateI18nTextValue, cD as validateSchemaInput, cE as validateSchemaOutput, o as validateSessionPolicy, cF as writeMagicLinkGrant } from './types-BZpCZB8N.js';
+export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.js';
+export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.js';
+export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, N as NetworkError, t as NoAccessError, u as NotFoundError, v as NoydbError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-BRHBCmLt.js';
+export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, w as writeNoydbBundle } from './index-C8kQtmOk.js';
+export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.js';
+export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.js';
+export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-KrKkcqD3.js';
+export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.js';
+export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.js';
+export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-ChfJjRjQ.js';
+import './lazy-builder-BwEoBQZ9.js';
+
+/**
+ * Cache policy helpers — parse human-friendly byte budgets into raw numbers.
+ *
+ * Accepted shapes (case-insensitive on suffix):
+ *   number       — interpreted as raw bytes
+ *   '1024'       — string of digits, raw bytes
+ *   '50KB'       — kilobytes (×1024)
+ *   '50MB'       — megabytes (×1024²)
+ *   '1GB'        — gigabytes (×1024³)
+ *
+ * Decimals are accepted (`'1.5GB'` → 1610612736 bytes).
+ *
+ * Anything else throws — better to fail loud at construction time than
+ * to silently treat a typo as 0 bytes (which would evict everything).
+ */
+/** Parse a byte budget into a positive integer number of bytes. */
+declare function parseBytes(input: number | string): number;
+/**
+ * Estimate the in-memory byte size of a decrypted record.
+ *
+ * Uses `JSON.stringify().length` as a stand-in for actual heap usage.
+ * It's a deliberate approximation: real V8 heap size includes pointer
+ * overhead, hidden classes, and string interning that we can't measure
+ * from JavaScript. The JSON length is a stable, monotonic proxy that
+ * costs O(record size) per insert — fine when records are typically
+ * < 1 KB and the cache eviction is the slow path anyway.
+ *
+ * Returns `0` (and the caller must treat it as 1 for accounting) if
+ * stringification throws on circular references; this is documented
+ * but in practice records always come from JSON-decoded envelopes.
+ */
+declare function estimateRecordBytes(record: unknown): number;
+
+interface EncryptResult {
+    iv: string;
+    data: string;
+}
+/**
+ * Encrypt raw bytes with AES-256-GCM using a fresh random IV.
+ * Used by the attachment store so binary blobs avoid double base64 encoding
+ * (the existing `encrypt()` function calls `TextEncoder` on a string — here
+ * we pass the `Uint8Array` directly to `subtle.encrypt`).
+ */
+declare function encryptBytes(data: Uint8Array, dek: CryptoKey): Promise<EncryptResult>;
+/**
+ * Decrypt AES-256-GCM ciphertext back to raw bytes.
+ * Counterpart to `encryptBytes`. Throws `TamperedError` on auth-tag failure.
+ */
+declare function decryptBytes(ivBase64: string, dataBase64: string, dek: CryptoKey): Promise<Uint8Array>;
+/**
+ * Derive an AES-256-GCM presence key from a collection DEK using HKDF-SHA256.
+ *
+ * The presence key is domain-separated from the data DEK by the fixed salt
+ * `'noydb-presence'` and the `info` = collection name. This means:
+ *  - The adapter never sees the presence key.
+ *  - Presence payloads rotate automatically when the collection DEK is rotated.
+ *  - Revoked users cannot derive the new presence key after a DEK rotation.
+ *
+ * @param dek            The collection's AES-256-GCM DEK (extractable).
+ * @param collectionName Used as the HKDF `info` parameter for domain separation.
+ * @returns A non-extractable AES-256-GCM key suitable for presence payload encryption.
+ */
+declare function derivePresenceKey(dek: CryptoKey, collectionName: string): Promise<CryptoKey>;
+/**
+ * Encrypt a plaintext string with AES-256-GCM and a deterministic,
+ * HKDF-derived IV.
+ *
+ * The same `{ dek, context, plaintext }` triple always produces the
+ * same `{ iv, data }` — call this twice and you can string-compare the
+ * ciphertexts to check equality of the inputs without decrypting them.
+ *
+ * @param context  Domain-separation string — by convention
+ *                 `'<collection>/<field>'`. Different contexts encrypt
+ *                 the same plaintext to different ciphertexts, so
+ *                 `email` in collection `users` does not collide with
+ *                 `email` in collection `customers`.
+ */
+declare function encryptDeterministic(plaintext: string, dek: CryptoKey, context: string): Promise<EncryptResult>;
+/**
+ * Counterpart to {@link encryptDeterministic}. The IV is stored
+ * alongside the ciphertext (exactly like the randomized path), so
+ * decrypt uses the stored IV and verifies the GCM auth tag — a tampered
+ * ciphertext throws `TamperedError` just like randomized AES-GCM.
+ */
+declare function decryptDeterministic(ivBase64: string, dataBase64: string, dek: CryptoKey): Promise<string>;
+declare function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
+declare function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer>;
+
+/**
+ * Hierarchical access — tier-aware keyring helpers.
+ *
+ * The keyring's existing `deks: Map<string, CryptoKey>` is keyed by
+ * collection name. extends the key space:
+ *
+ *   `'invoices'`      — tier-0 DEK (unchanged from v0.x)
+ *   `'invoices#1'`    — tier-1 DEK
+ *   `'invoices#2'`    — tier-2 DEK
+ *
+ * Tier 0 keeps the bare collection name so any keyring written
+ * before tiers existed loads without migration. Tiers ≥ 1 use `#N`
+ * suffixes that
+ * would be invalid as user-supplied collection names (see
+ * `ReservedCollectionNameError` — `#` is reserved).
+ *
+ * @module
+ */
+
+/** Canonical DEK key for a given collection + tier. Tier 0 → bare name. */
+declare function dekKey(collection: string, tier: number): string;
+/**
+ * Returns the user's effective clearance for a given collection: the
+ * maximum tier for which their keyring holds a DEK. Falls back to 0
+ * when the user has only the tier-0 DEK (or none — the getDEK caller
+ * will raise separately).
+ */
+declare function effectiveClearance(keyring: UnlockedKeyring, collection: string): number;
+/**
+ * Assert the caller is cleared for the requested tier. Owners and
+ * admins always pass (they can mint any new tier DEK on demand);
+ * other roles must already hold the tier DEK — via a prior grant or
+ * an active delegation — otherwise this throws `TierNotGrantedError`.
+ *
+ * This gate runs BEFORE `getDEK()` on the mutation path so a
+ * non-cleared operator never has the opportunity to silently
+ * auto-create a tier DEK they shouldn't have.
+ */
+declare function assertTierAccess(keyring: UnlockedKeyring, collection: string, tier: number): void;
+
+/**
+ * Vault-level diff orchestrator.
+ *
+ * Compares a live `Vault`'s plaintext state against a candidate state
+ * (another vault, a plain `{ collection: records[] }` map, or a vault
+ * dump JSON) and returns a structured `VaultDiff` plan listing the
+ * records that would be added, modified, or deleted to bring the live
+ * vault into the candidate's shape.
+ *
+ * Builds on two existing record-level helpers:
+ *
+ *   1. `diff(a, b)` from `./history/diff.ts` — emits dot-pathed
+ *      `DiffEntry[]` with `type: 'added' | 'removed' | 'changed'` for
+ *      each changed field of two records. Used here for the
+ *      `fieldDiffs` of every `modified` entry, and (with empty result)
+ *      as the default deep-equal check.
+ *
+ *   2. `Vault.exportStream()` from `./vault.ts` — the canonical
+ *      decrypt-and-stream-records iterator. Used to walk both sides
+ *      when the candidate is itself a `Vault`. ACL-scoped: collections
+ *      the caller can't read silently drop out, the same way every
+ *      other plaintext-emitting export pipeline filters them.
+ *
+ * The new orchestration is the **vault-level** enumeration: bucket
+ * each record id into added (only in candidate), deleted (only in
+ * vault), or modified (in both with field changes); leave the
+ * field-level granularity to the existing `diff()`.
+ *
+ * Use cases:
+ *
+ *   - Import preview (`@noy-db/as-*` `fromString` returns a plan
+ *     whose body is a `VaultDiff`).
+ *   - Backup verification ("does this `.noydb` bundle from yesterday
+ *     match the current vault?").
+ *   - Two-vault reconciliation ("what's different between Office A
+ *     and Office B before we sync?").
+ *   - Test assertions (golden-file testing with one-liner
+ *     `expect(plan.summary).toEqual(...)`).
+ *
+ * @module
+ */
+
+/** Per-record entry shape — added and deleted records carry only the record value. */
+interface VaultDiffEntry<T = unknown> {
+    readonly collection: string;
+    readonly id: string;
+    readonly record: T;
+}
+/** Modified records carry both halves of the diff plus the field-level breakdown. */
+interface VaultDiffModifiedEntry<T = unknown> extends VaultDiffEntry<T> {
+    /** The record as it stands in the live vault. */
+    readonly before: T;
+    /** Top-level keys whose values differ between `before` and `record`. */
+    readonly fieldsChanged: readonly string[];
+    /**
+     * Field-level diff entries from `diff(before, record)`. Reuses the
+     * existing per-record diff helper so consumers can render git-style
+     * `path: from → to` rows without re-walking the records.
+     */
+    readonly fieldDiffs: readonly DiffEntry[];
+}
+interface VaultDiff<T = unknown> {
+    readonly added: readonly VaultDiffEntry<T>[];
+    readonly modified: readonly VaultDiffModifiedEntry<T>[];
+    readonly deleted: readonly VaultDiffEntry<T>[];
+    /** Only populated when `options.includeUnchanged: true`. */
+    readonly unchanged: readonly VaultDiffEntry<T>[] | undefined;
+    readonly summary: {
+        readonly add: number;
+        readonly modify: number;
+        readonly delete: number;
+        readonly total: number;
+    };
+    /**
+     * Format the diff as a human-readable string.
+     *
+     *   - `'count'`   — one line, just the numbers (`12 added · 3 modified · 0 deleted`)
+     *   - `'one-line'` — count plus a single overview line
+     *   - `'full'`    — count + one row per added/modified/deleted record (default)
+     */
+    format(opts?: {
+        detail?: 'count' | 'one-line' | 'full';
+    }): string;
+}
+interface DiffOptions {
+    /** Restrict the diff to a subset of collections. */
+    readonly collections?: readonly string[];
+    /** Field on each record that carries its id. Defaults to `'id'`. */
+    readonly idKey?: string;
+    /** Override the default deep-equal check for "modified vs unchanged". */
+    readonly compareFn?: (a: unknown, b: unknown) => boolean;
+    /** If true, include unchanged records in the diff (off by default to save memory). */
+    readonly includeUnchanged?: boolean;
+}
+/**
+ * Candidate state to diff the vault against:
+ *
+ *   - A `Vault` instance — both sides are walked via `exportStream()`.
+ *   - A `Record<collection, records[]>` map — same shape `as-json.toObject()`
+ *     produces. Useful for diffing parsed file content against the live vault.
+ *   - A `VaultDump` (output of `vault.dump()`) — a JSON string carrying the
+ *     full vault state. Parsed and reduced to the map shape above.
+ */
+type DiffCandidate<T = unknown> = Vault | Record<string, readonly T[]> | string;
+/**
+ * Compute the diff between a live vault and a candidate state.
+ *
+ * Returns a fully buffered `VaultDiff` — no streaming. Memory cost is
+ * O(n + m) in the row count of vault + candidate. For documented
+ * 1K-50K-record vaults this is fine; a streaming variant lands as a
+ * follow-up if a > 100K-record consumer arrives.
+ */
+declare function diffVault<T = unknown>(vault: Vault, candidate: DiffCandidate<T>, options?: DiffOptions): Promise<VaultDiff<T>>;
+
+/**
+ * Validate passphrase strength.
+ * Checks length and basic entropy heuristics.
+ * Throws ValidationError if too weak.
+ */
+declare function validatePassphrase(passphrase: string): void;
+/**
+ * Estimate passphrase entropy in bits.
+ * Uses character class analysis (not dictionary-based).
+ */
+declare function estimateEntropy(passphrase: string): number;
+
+export { type DiffCandidate, DiffEntry, type DiffOptions, UnlockedKeyring, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, assertTierAccess, base64ToBuffer, bufferToBase64, decryptBytes, decryptDeterministic, dekKey, derivePresenceKey, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateEntropy, estimateRecordBytes, parseBytes, validatePassphrase };