@noy-db/hub 0.1.0-pre.3

package/dist/chunk-BTDCBVJW.js

@@ -0,0 +1,160 @@
+import {
+  ConflictError
+} from "./chunk-ACLDOTNQ.js";
+
+// src/tx/transaction.ts
+var TxContext = class {
+  /** @internal */
+  _ops = [];
+  /** @internal */
+  _db;
+  /** @internal */
+  constructor(db) {
+    this._db = db;
+  }
+  /** Scope subsequent `collection()` calls to the named vault. */
+  vault(name) {
+    const v = this._db.vault(name);
+    return new TxVault(this, v);
+  }
+};
+var TxVault = class {
+  /** @internal */
+  _ctx;
+  /** @internal */
+  _vault;
+  /** @internal */
+  constructor(ctx, vault) {
+    this._ctx = ctx;
+    this._vault = vault;
+  }
+  /** Scope subsequent op calls to the named collection. */
+  collection(name) {
+    const c = this._vault.collection(name);
+    return new TxCollection(this._ctx, this._vault, c, name);
+  }
+};
+var TxCollection = class {
+  /** @internal */
+  _ctx;
+  /** @internal */
+  _vault;
+  /** @internal */
+  _coll;
+  /** @internal */
+  _name;
+  /** @internal */
+  constructor(ctx, vault, coll, name) {
+    this._ctx = ctx;
+    this._vault = vault;
+    this._coll = coll;
+    this._name = name;
+  }
+  /**
+   * Read the current committed value, or the most-recently-staged
+   * value from the same transaction if one exists.
+   */
+  async get(id) {
+    for (let i = this._ctx._ops.length - 1; i >= 0; i--) {
+      const op = this._ctx._ops[i];
+      if (op.vaultName === this._vault.name && op.collectionName === this._name && op.id === id) {
+        if (op.type === "delete") return null;
+        return op.record;
+      }
+    }
+    return this._coll.get(id);
+  }
+  /**
+   * Stage a put. Does not write until the transaction body returns.
+   * Supply `{ expectedVersion }` to enforce optimistic concurrency
+   * during the commit pre-flight.
+   */
+  put(id, record, options) {
+    const op = {
+      type: "put",
+      vaultName: this._vault.name,
+      collectionName: this._name,
+      id,
+      record
+    };
+    if (options?.expectedVersion !== void 0) op.expectedVersion = options.expectedVersion;
+    this._ctx._ops.push(op);
+  }
+  /**
+   * Stage a delete. Does not write until the transaction body returns.
+   * Supply `{ expectedVersion }` to enforce optimistic concurrency
+   * during the commit pre-flight.
+   */
+  delete(id, options) {
+    const op = {
+      type: "delete",
+      vaultName: this._vault.name,
+      collectionName: this._name,
+      id
+    };
+    if (options?.expectedVersion !== void 0) op.expectedVersion = options.expectedVersion;
+    this._ctx._ops.push(op);
+  }
+};
+async function runTransaction(db, fn) {
+  const ctx = new TxContext(db);
+  const bodyResult = await fn(ctx);
+  if (ctx._ops.length === 0) return bodyResult;
+  const priorEnvelopes = /* @__PURE__ */ new Map();
+  const store = db._store;
+  for (const op of ctx._ops) {
+    const key = keyOf(op);
+    if (!priorEnvelopes.has(key)) {
+      const env = await store.get(op.vaultName, op.collectionName, op.id);
+      priorEnvelopes.set(key, env);
+    }
+    if (op.expectedVersion !== void 0) {
+      const env = priorEnvelopes.get(key) ?? null;
+      const actual = env?._v ?? 0;
+      if (actual !== op.expectedVersion) {
+        throw new ConflictError(
+          actual,
+          `Transaction pre-flight: ${op.vaultName}/${op.collectionName}/${op.id} expected v${op.expectedVersion}, found v${actual}`
+        );
+      }
+    }
+  }
+  const executed = [];
+  try {
+    for (const op of ctx._ops) {
+      const coll = db.vault(op.vaultName).collection(op.collectionName);
+      const key = keyOf(op);
+      const prior = priorEnvelopes.get(key) ?? null;
+      if (op.type === "put") {
+        await coll.put(op.id, op.record);
+      } else {
+        await coll.delete(op.id);
+      }
+      executed.push({ op, priorEnvelope: prior });
+    }
+    return bodyResult;
+  } catch (err) {
+    for (const { op, priorEnvelope } of executed.slice().reverse()) {
+      try {
+        if (priorEnvelope) {
+          await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope);
+        } else {
+          await store.delete(op.vaultName, op.collectionName, op.id);
+        }
+      } catch {
+      }
+    }
+    throw err;
+  }
+}
+function keyOf(op) {
+  return `${op.vaultName}\0${op.collectionName}\0${op.id}`;
+}
+
+export {
+  TxContext,
+  TxVault,
+  TxCollection,
+  runTransaction
+};
+//# sourceMappingURL=chunk-BTDCBVJW.js.map

package/dist/chunk-BTDCBVJW.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/tx/transaction.ts"],"sourcesContent":["/**\n * Multi-record atomic transactions.\n *\n * Lets an application stage writes across two or more collections (or\n * vaults) and commit them all-or-nothing.\n *\n * ```ts\n * await db.transaction(async (tx) => {\n *   const inv = tx.vault('acme').collection<Invoice>('invoices')\n *   const pay = tx.vault('acme').collection<Payment>('payments')\n *   await inv.put(invoiceId, { ...invoice, status: 'paid' })\n *   await pay.put(paymentId, { invoiceId, amount, paidAt })\n * })\n * // If the body throws before returning: nothing persisted.\n * // If the body returns: all puts committed; any CAS mismatch rolls\n * // the batch back and surfaces as ConflictError.\n * ```\n *\n * ## Atomicity semantics\n *\n * Ops are buffered during the body. On body-return the hub:\n *\n * 1. **Pre-flight** — re-reads every touched envelope and enforces\n *    any caller-supplied `expectedVersion`. A mismatch throws\n *    `ConflictError` with *no* writes performed.\n * 2. **Execute** — calls `Collection.put()` / `.delete()` for each\n *    staged op in declaration order. History snapshots, ledger\n *    appends, and change events fire as normal per op.\n * 3. **Unwind on failure** — if step 2 throws mid-batch, each\n *    already-committed op is reverted via the raw store (restoring\n *    the captured prior envelope, or deleting if none existed). The\n *    ledger is NOT rewritten — audit history preserves the partial\n *    commit and the revert.\n *\n * **Crash window.** Steps 2–3 are not a storage-layer transaction —\n * if the process dies between two executed ops, the on-disk state is\n * partial. True all-or-nothing atomicity requires a store that\n * implements `NoydbStore.tx()` (DynamoDB `TransactWriteItems`,\n * IndexedDB `readwrite` transaction, …). This executor declares\n * that future integration point via the `tx?()` method + the\n * `StoreCapabilities.txAtomic` bit, but does not yet delegate\n * to it — the cascade into `Fork · Stores` tracks the per-adapter\n * wire-up.\n *\n * ## Not covered\n *\n * - Cross-sync-peer atomicity. Transactions commit against the\n *   primary store only; the sync engine pushes on its normal\n *   schedule. For cross-peer two-phase commit use `SyncTransaction`\n * via `db.transaction(vaultName)`.\n * - Read-your-writes within the body. `tx.collection().get(id)`\n *   returns the most-recently-staged value for that id when one\n *   exists; if no staged op has touched the id, it reads the current\n *   committed state. Version numbers returned by `get` reflect the\n *   pre-transaction state (staged puts have no version yet).\n *\n * @module\n */\n\nimport type { Noydb } from '../noydb.js'\nimport type { Vault } from '../vault.js'\nimport type { Collection } from '../collection.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport { ConflictError } from '../errors.js'\n\n/** One op buffered inside a running `TxContext`. @internal */\ninterface StagedOp {\n  type: 'put' | 'delete'\n  vaultName: string\n  collectionName: string\n  id: string\n  record?: unknown\n  expectedVersion?: number\n}\n\n/**\n * Transaction handle passed to the user's body. Use\n * `tx.vault(name).collection<T>(name)` to get a per-collection\n * facade; its `put`/`delete`/`get` calls stage ops against the tx.\n */\nexport class TxContext {\n  /** @internal */\n  readonly _ops: StagedOp[] = []\n  /** @internal */\n  readonly _db: Noydb\n\n  /** @internal */\n  constructor(db: Noydb) {\n    this._db = db\n  }\n\n  /** Scope subsequent `collection()` calls to the named vault. */\n  vault(name: string): TxVault {\n    const v = this._db.vault(name)\n    return new TxVault(this, v)\n  }\n}\n\n/** Per-vault facade inside a running transaction. */\nexport class TxVault {\n  /** @internal */\n  readonly _ctx: TxContext\n  /** @internal */\n  readonly _vault: Vault\n\n  /** @internal */\n  constructor(ctx: TxContext, vault: Vault) {\n    this._ctx = ctx\n    this._vault = vault\n  }\n\n  /** Scope subsequent op calls to the named collection. */\n  collection<T>(name: string): TxCollection<T> {\n    const c = this._vault.collection<T>(name)\n    return new TxCollection<T>(this._ctx, this._vault, c, name)\n  }\n}\n\n/** Per-collection facade inside a running transaction. */\nexport class TxCollection<T> {\n  /** @internal */\n  readonly _ctx: TxContext\n  /** @internal */\n  readonly _vault: Vault\n  /** @internal */\n  readonly _coll: Collection<T>\n  /** @internal */\n  readonly _name: string\n\n  /** @internal */\n  constructor(ctx: TxContext, vault: Vault, coll: Collection<T>, name: string) {\n    this._ctx = ctx\n    this._vault = vault\n    this._coll = coll\n    this._name = name\n  }\n\n  /**\n   * Read the current committed value, or the most-recently-staged\n   * value from the same transaction if one exists.\n   */\n  async get(id: string): Promise<T | null> {\n    for (let i = this._ctx._ops.length - 1; i >= 0; i--) {\n      const op = this._ctx._ops[i]!\n      if (\n        op.vaultName === this._vault.name &&\n        op.collectionName === this._name &&\n        op.id === id\n      ) {\n        if (op.type === 'delete') return null\n        return op.record as T\n      }\n    }\n    return this._coll.get(id)\n  }\n\n  /**\n   * Stage a put. Does not write until the transaction body returns.\n   * Supply `{ expectedVersion }` to enforce optimistic concurrency\n   * during the commit pre-flight.\n   */\n  put(id: string, record: T, options?: { expectedVersion?: number }): void {\n    const op: StagedOp = {\n      type: 'put',\n      vaultName: this._vault.name,\n      collectionName: this._name,\n      id,\n      record,\n    }\n    if (options?.expectedVersion !== undefined) op.expectedVersion = options.expectedVersion\n    this._ctx._ops.push(op)\n  }\n\n  /**\n   * Stage a delete. Does not write until the transaction body returns.\n   * Supply `{ expectedVersion }` to enforce optimistic concurrency\n   * during the commit pre-flight.\n   */\n  delete(id: string, options?: { expectedVersion?: number }): void {\n    const op: StagedOp = {\n      type: 'delete',\n      vaultName: this._vault.name,\n      collectionName: this._name,\n      id,\n    }\n    if (options?.expectedVersion !== undefined) op.expectedVersion = options.expectedVersion\n    this._ctx._ops.push(op)\n  }\n}\n\n/**\n * Commit plan: pre-flight check + execution + revert plan. Returned\n * from `runTransaction`.\n *\n * @internal — exposed only for the `Collection.putMany({atomic:true})`\n * wire-up so the bulk path can share the executor without creating\n * an outer TxContext.\n */\nexport async function runTransaction<T>(\n  db: Noydb,\n  fn: (tx: TxContext) => Promise<T> | T,\n): Promise<T> {\n  const ctx = new TxContext(db)\n  const bodyResult = await fn(ctx)\n\n  if (ctx._ops.length === 0) return bodyResult\n\n  // Phase 1 — pre-flight: snapshot every touched envelope and enforce\n  // any caller-supplied expectedVersion. Same (vault, coll, id) touched\n  // more than once in one tx snapshots only the *initial* committed\n  // state; the in-order replay in Phase 2 takes care of successor ops.\n  const priorEnvelopes = new Map<string, EncryptedEnvelope | null>()\n  const store = db._store\n  for (const op of ctx._ops) {\n    const key = keyOf(op)\n    if (!priorEnvelopes.has(key)) {\n      const env = await store.get(op.vaultName, op.collectionName, op.id)\n      priorEnvelopes.set(key, env)\n    }\n    if (op.expectedVersion !== undefined) {\n      const env = priorEnvelopes.get(key) ?? null\n      const actual = env?._v ?? 0\n      if (actual !== op.expectedVersion) {\n        throw new ConflictError(\n          actual,\n          `Transaction pre-flight: ${op.vaultName}/${op.collectionName}/${op.id} ` +\n            `expected v${op.expectedVersion}, found v${actual}`,\n        )\n      }\n    }\n  }\n\n  // Phase 2 — execute via the Collection layer so history snapshots,\n  // ledger entries, and change events fire normally. We capture each\n  // successful op so a mid-batch throw can revert in Phase 3.\n  const executed: Array<{ op: StagedOp; priorEnvelope: EncryptedEnvelope | null }> = []\n  try {\n    for (const op of ctx._ops) {\n      const coll = db.vault(op.vaultName).collection(op.collectionName)\n      const key = keyOf(op)\n      const prior = priorEnvelopes.get(key) ?? null\n      if (op.type === 'put') {\n        // eslint-disable-next-line @typescript-eslint/no-explicit-any\n        await coll.put(op.id, op.record as any)\n      } else {\n        await coll.delete(op.id)\n      }\n      executed.push({ op, priorEnvelope: prior })\n    }\n    return bodyResult\n  } catch (err) {\n    // Phase 3 — best-effort revert. Restore captured prior envelopes\n    // via the raw store to avoid re-firing Collection-level side\n    // effects (we don't want a cascade of change events undoing\n    // themselves). The ledger is left as-is: each committed op\n    // appended an entry; the revert is deliberately not recorded as a\n    // compensating entry because 's contract is \"atomic or not at\n    // all\" from the caller's view, not \"every write visible in the\n    // audit trail.\" Auditors who need the intermediate state can still\n    // reconstruct it by walking the ledger through the failed-tx\n    // timestamp.\n    for (const { op, priorEnvelope } of executed.slice().reverse()) {\n      try {\n        if (priorEnvelope) {\n          await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope)\n        } else {\n          await store.delete(op.vaultName, op.collectionName, op.id)\n        }\n      } catch {\n        // swallow — best-effort. Surfacing the revert error would\n        // mask the original one that triggered the rollback.\n      }\n    }\n    throw err\n  }\n}\n\nfunction keyOf(op: StagedOp): string {\n  return `${op.vaultName}\\x00${op.collectionName}\\x00${op.id}`\n}\n"],"mappings":";;;;;AAgFO,IAAM,YAAN,MAAgB;AAAA;AAAA,EAEZ,OAAmB,CAAC;AAAA;AAAA,EAEpB;AAAA;AAAA,EAGT,YAAY,IAAW;AACrB,SAAK,MAAM;AAAA,EACb;AAAA;AAAA,EAGA,MAAM,MAAuB;AAC3B,UAAM,IAAI,KAAK,IAAI,MAAM,IAAI;AAC7B,WAAO,IAAI,QAAQ,MAAM,CAAC;AAAA,EAC5B;AACF;AAGO,IAAM,UAAN,MAAc;AAAA;AAAA,EAEV;AAAA;AAAA,EAEA;AAAA;AAAA,EAGT,YAAY,KAAgB,OAAc;AACxC,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA,EAGA,WAAc,MAA+B;AAC3C,UAAM,IAAI,KAAK,OAAO,WAAc,IAAI;AACxC,WAAO,IAAI,aAAgB,KAAK,MAAM,KAAK,QAAQ,GAAG,IAAI;AAAA,EAC5D;AACF;AAGO,IAAM,eAAN,MAAsB;AAAA;AAAA,EAElB;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAGT,YAAY,KAAgB,OAAc,MAAqB,MAAc;AAC3E,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAI,IAA+B;AACvC,aAAS,IAAI,KAAK,KAAK,KAAK,SAAS,GAAG,KAAK,GAAG,KAAK;AACnD,YAAM,KAAK,KAAK,KAAK,KAAK,CAAC;AAC3B,UACE,GAAG,cAAc,KAAK,OAAO,QAC7B,GAAG,mBAAmB,KAAK,SAC3B,GAAG,OAAO,IACV;AACA,YAAI,GAAG,SAAS,SAAU,QAAO;AACjC,eAAO,GAAG;AAAA,MACZ;AAAA,IACF;AACA,WAAO,KAAK,MAAM,IAAI,EAAE;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,IAAY,QAAW,SAA8C;AACvE,UAAM,KAAe;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,OAAO;AAAA,MACvB,gBAAgB,KAAK;AAAA,MACrB;AAAA,MACA;AAAA,IACF;AACA,QAAI,SAAS,oBAAoB,OAAW,IAAG,kBAAkB,QAAQ;AACzE,SAAK,KAAK,KAAK,KAAK,EAAE;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,IAAY,SAA8C;AAC/D,UAAM,KAAe;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,OAAO;AAAA,MACvB,gBAAgB,KAAK;AAAA,MACrB;AAAA,IACF;AACA,QAAI,SAAS,oBAAoB,OAAW,IAAG,kBAAkB,QAAQ;AACzE,SAAK,KAAK,KAAK,KAAK,EAAE;AAAA,EACxB;AACF;AAUA,eAAsB,eACpB,IACA,IACY;AACZ,QAAM,MAAM,IAAI,UAAU,EAAE;AAC5B,QAAM,aAAa,MAAM,GAAG,GAAG;AAE/B,MAAI,IAAI,KAAK,WAAW,EAAG,QAAO;AAMlC,QAAM,iBAAiB,oBAAI,IAAsC;AACjE,QAAM,QAAQ,GAAG;AACjB,aAAW,MAAM,IAAI,MAAM;AACzB,UAAM,MAAM,MAAM,EAAE;AACpB,QAAI,CAAC,eAAe,IAAI,GAAG,GAAG;AAC5B,YAAM,MAAM,MAAM,MAAM,IAAI,GAAG,WAAW,GAAG,gBAAgB,GAAG,EAAE;AAClE,qBAAe,IAAI,KAAK,GAAG;AAAA,IAC7B;AACA,QAAI,GAAG,oBAAoB,QAAW;AACpC,YAAM,MAAM,eAAe,IAAI,GAAG,KAAK;AACvC,YAAM,SAAS,KAAK,MAAM;AAC1B,UAAI,WAAW,GAAG,iBAAiB;AACjC,cAAM,IAAI;AAAA,UACR;AAAA,UACA,2BAA2B,GAAG,SAAS,IAAI,GAAG,cAAc,IAAI,GAAG,EAAE,cACtD,GAAG,eAAe,YAAY,MAAM;AAAA,QACrD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAKA,QAAM,WAA6E,CAAC;AACpF,MAAI;AACF,eAAW,MAAM,IAAI,MAAM;AACzB,YAAM,OAAO,GAAG,MAAM,GAAG,SAAS,EAAE,WAAW,GAAG,cAAc;AAChE,YAAM,MAAM,MAAM,EAAE;AACpB,YAAM,QAAQ,eAAe,IAAI,GAAG,KAAK;AACzC,UAAI,GAAG,SAAS,OAAO;AAErB,cAAM,KAAK,IAAI,GAAG,IAAI,GAAG,MAAa;AAAA,MACxC,OAAO;AACL,cAAM,KAAK,OAAO,GAAG,EAAE;AAAA,MACzB;AACA,eAAS,KAAK,EAAE,IAAI,eAAe,MAAM,CAAC;AAAA,IAC5C;AACA,WAAO;AAAA,EACT,SAAS,KAAK;AAWZ,eAAW,EAAE,IAAI,cAAc,KAAK,SAAS,MAAM,EAAE,QAAQ,GAAG;AAC9D,UAAI;AACF,YAAI,eAAe;AACjB,gBAAM,MAAM,IAAI,GAAG,WAAW,GAAG,gBAAgB,GAAG,IAAI,aAAa;AAAA,QACvE,OAAO;AACL,gBAAM,MAAM,OAAO,GAAG,WAAW,GAAG,gBAAgB,GAAG,EAAE;AAAA,QAC3D;AAAA,MACF,QAAQ;AAAA,MAGR;AAAA,IACF;AACA,UAAM;AAAA,EACR;AACF;AAEA,SAAS,MAAM,IAAsB;AACnC,SAAO,GAAG,GAAG,SAAS,KAAO,GAAG,cAAc,KAAO,GAAG,EAAE;AAC5D;","names":[]}

package/dist/chunk-CIMZBAZB.js

@@ -0,0 +1,72 @@
+// src/history/ledger/entry.ts
+function canonicalJson(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(
+        `canonicalJson: refusing to encode non-finite number ${String(value)}`
+      );
+    }
+    return JSON.stringify(value);
+  }
+  if (typeof value === "string") return JSON.stringify(value);
+  if (typeof value === "bigint") {
+    throw new Error("canonicalJson: BigInt is not JSON-serializable");
+  }
+  if (typeof value === "undefined" || typeof value === "function") {
+    throw new Error(
+      `canonicalJson: refusing to encode ${typeof value} \u2014 include all fields explicitly`
+    );
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map((v) => canonicalJson(v)).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const parts = [];
+    for (const key of keys) {
+      parts.push(JSON.stringify(key) + ":" + canonicalJson(obj[key]));
+    }
+    return "{" + parts.join(",") + "}";
+  }
+  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`);
+}
+async function sha256Hex(input) {
+  const bytes = new TextEncoder().encode(input);
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+  return bytesToHex(new Uint8Array(digest));
+}
+async function hashEntry(entry) {
+  return sha256Hex(canonicalJson(entry));
+}
+function bytesToHex(bytes) {
+  const hex = new Array(bytes.length);
+  for (let i = 0; i < bytes.length; i++) {
+    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, "0");
+  }
+  return hex.join("");
+}
+function paddedIndex(index) {
+  return String(index).padStart(10, "0");
+}
+function parseIndex(key) {
+  return Number.parseInt(key, 10);
+}
+
+// src/history/ledger/hash.ts
+async function envelopePayloadHash(envelope) {
+  if (!envelope) return "";
+  return sha256Hex(envelope._data);
+}
+
+export {
+  canonicalJson,
+  sha256Hex,
+  hashEntry,
+  paddedIndex,
+  parseIndex,
+  envelopePayloadHash
+};
+//# sourceMappingURL=chunk-CIMZBAZB.js.map

package/dist/chunk-CIMZBAZB.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/history/ledger/entry.ts","../src/history/ledger/hash.ts"],"sourcesContent":["/**\n * Ledger entry shape + canonical JSON + sha256 helpers.\n *\n * This file holds the PURE primitives used by the hash-chained ledger:\n * the entry type, the deterministic (sort-stable) JSON encoder, and\n * the sha256 hasher that produces `prevHash` and `ledger.head()`.\n *\n * Everything here is validator-free and side-effect free — the only\n * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,\n * which we already use for every other hashing operation in the core.\n *\n * The hash chain property works like this:\n *\n *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))\n *   entry[i+1].prevHash  = hash(entry[i])\n *\n * Any modification to `entry[i]` (field values, field order, whitespace)\n * produces a different `hash(entry[i])`, which means `entry[i+1]`'s\n * stored `prevHash` no longer matches the recomputed hash, which means\n * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is\n * append-only and tamper-evident without external anchoring.\n */\n\n/**\n * A single ledger entry in its plaintext form — what gets serialized,\n * hashed, and then encrypted with the ledger DEK before being written\n * to the `_ledger/` adapter collection.\n *\n * ## Why hash the ciphertext, not the plaintext?\n *\n * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,\n * not its plaintext. This matters:\n *\n *   1. **Zero-knowledge preserved.** A user (or a third party) can\n *      verify the ledger against the stored envelopes without any\n *      decryption keys. The adapter layer already holds only\n *      ciphertext, so hashing the ciphertext keeps the ledger at the\n *      same privacy level as the adapter.\n *\n *   2. **Determinism.** Plaintext → ciphertext is randomized by the\n *      fresh per-write IV, so `hash(plaintext)` would need extra\n *      normalization. `hash(ciphertext)` is already deterministic and\n *      unique per write.\n *\n *   3. **Detection property.** If an attacker modifies even one byte of\n *      the stored ciphertext (trying to flip a record), the hash\n *      changes, the ledger's recorded `payloadHash` no longer matches,\n *      and a data-integrity check fails. We don't do that check in\n *      `verify()` today, but the\n *      hook is there for a future `verifyIntegrity()` follow-up.\n *\n * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are\n * plaintext METADATA about the operation — NOT the record itself. The\n * entry is still encrypted at rest via the ledger DEK, but adapters\n * could theoretically infer operation patterns from the sizes and\n * timestamps. This is an accepted trade-off for the tamper-evidence\n * property; full ORAM-level privacy is out of scope for noy-db.\n */\nexport interface LedgerEntry {\n  /**\n   * Zero-based sequential position of this entry in the chain. The\n   * canonical adapter key is this number zero-padded to 10 digits\n   * (`\"0000000001\"`) so lexicographic ordering matches numeric order.\n   */\n  readonly index: number\n\n  /**\n   * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.\n   * The genesis entry (index 0) has `prevHash === ''` — the first\n   * entry in a fresh vault has nothing to point back to.\n   */\n  readonly prevHash: string\n\n  /**\n   * Which kind of mutation this entry records. only supports\n   * data operations (`put`, `delete`). Access-control operations\n   * (`grant`, `revoke`, `rotate`) will be added in a follow-up once\n   * the keyring write path is instrumented — that's tracked in the\n   * epic issue.\n   */\n  readonly op: 'put' | 'delete'\n\n  /** The collection the mutation targeted. */\n  readonly collection: string\n\n  /** The record id the mutation targeted. */\n  readonly id: string\n\n  /**\n   * The record version AFTER this mutation. For `put` this is the\n   * newly assigned version; for `delete` this is the version that\n   * was deleted (the last version visible to reads).\n   */\n  readonly version: number\n\n  /** ISO timestamp of the mutation. */\n  readonly ts: string\n\n  /** User id of the actor who performed the mutation. */\n  readonly actor: string\n\n  /**\n   * Hex-encoded sha256 of the encrypted envelope's `_data` field.\n   * For `put`, this is the hash of the new ciphertext. For `delete`,\n   * it's the hash of the last visible ciphertext at deletion time,\n   * or the empty string if nothing was there to delete. Hashing the\n   * ciphertext (not the plaintext) preserves zero-knowledge — see\n   * the file docstring.\n   */\n  readonly payloadHash: string\n\n  /**\n   * Optional hex-encoded sha256 of the encrypted JSON Patch delta\n   * blob stored alongside this entry in `_ledger_deltas/`. Present\n   * only for `put` operations that had a previous version — the\n   * genesis put of a new record, and every `delete`, leave this\n   * field undefined.\n   *\n   * The delta payload itself lives in a sibling internal collection\n   * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the\n   * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and\n   * deserialize it when reconstructing a historical version.\n   *\n   * Why optional instead of always-present: the first put of a\n   * record has no previous version to diff against, so storing an\n   * empty patch would be noise. For deletes there's no \"next\" state\n   * to describe with a delta. Both cases set this field to undefined.\n   *\n   * Note: the canonical-JSON hasher treats `undefined` as invalid\n   * (it's one of the guard rails), so on the wire this field is\n   * either `{ deltaHash: '<hex>' }` or absent from the JSON\n   * entirely — never `{ deltaHash: undefined }`.\n   */\n  readonly deltaHash?: string\n}\n\n/**\n * Canonical (sort-stable) JSON encoder.\n *\n * This function is the load-bearing primitive of the hash chain:\n * `sha256(canonicalJSON(entry))` must produce the same hex string\n * every time, on every machine, for the same logical entry — otherwise\n * `verify()` would return `{ ok: false }` on cross-platform reads.\n *\n * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:\n * it preserves the insertion order of object keys, which means\n * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by\n * recursively walking objects and sorting their keys before\n * concatenation.\n *\n * Arrays keep their original order (reordering them would change\n * semantics). Numbers, strings, booleans, and `null` use the default\n * JSON encoding. `undefined` and functions are rejected — ledger\n * entries are plain data, and silently dropping `undefined` would\n * break the \"same input → same hash\" property if a caller forgot to\n * omit a field.\n *\n * Performance: one pass per nesting level; O(n log n) for key sorting\n * at each object. Entries are small (< 1 KB) so this is negligible\n * compared to the sha256 call.\n */\nexport function canonicalJson(value: unknown): string {\n  if (value === null) return 'null'\n  if (typeof value === 'boolean') return value ? 'true' : 'false'\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(\n        `canonicalJson: refusing to encode non-finite number ${String(value)}`,\n      )\n    }\n    return JSON.stringify(value)\n  }\n  if (typeof value === 'string') return JSON.stringify(value)\n  if (typeof value === 'bigint') {\n    throw new Error('canonicalJson: BigInt is not JSON-serializable')\n  }\n  if (typeof value === 'undefined' || typeof value === 'function') {\n    throw new Error(\n      `canonicalJson: refusing to encode ${typeof value} — include all fields explicitly`,\n    )\n  }\n  if (Array.isArray(value)) {\n    return '[' + value.map((v) => canonicalJson(v)).join(',') + ']'\n  }\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>\n    const keys = Object.keys(obj).sort()\n    const parts: string[] = []\n    for (const key of keys) {\n      parts.push(JSON.stringify(key) + ':' + canonicalJson(obj[key]))\n    }\n    return '{' + parts.join(',') + '}'\n  }\n  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`)\n}\n\n/**\n * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.\n *\n * We use hex (not base64) for hashes because hex is case-insensitive,\n * fixed-length (64 chars), and easier to compare visually in debug\n * output. Base64 would save a few bytes in storage but every encrypted\n * ledger entry is already much larger than the hash itself.\n */\nexport async function sha256Hex(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return bytesToHex(new Uint8Array(digest))\n}\n\n/**\n * Compute the canonical hash of a ledger entry. Short wrapper around\n * `canonicalJson` + `sha256Hex`; callers use this instead of composing\n * the two functions every time, so any future change to the hashing\n * pipeline (e.g., adding a domain-separation prefix) lives in one place.\n */\nexport async function hashEntry(entry: LedgerEntry): Promise<string> {\n  return sha256Hex(canonicalJson(entry))\n}\n\n/** Convert a Uint8Array to a lowercase hex string. */\nfunction bytesToHex(bytes: Uint8Array): string {\n  const hex = new Array<string>(bytes.length)\n  for (let i = 0; i < bytes.length; i++) {\n    // Non-null assertion: indexing a Uint8Array within bounds always\n    // returns a number, but the compiler's noUncheckedIndexedAccess\n    // flag widens it to `number | undefined`. Safe here by construction.\n    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, '0')\n  }\n  return hex.join('')\n}\n\n/**\n * Pad an index to the canonical 10-digit form used as the adapter key.\n * Ten digits is enough for ~10 billion ledger entries per vault\n * — far beyond any realistic use case, but cheap enough that the extra\n * digits don't hurt storage.\n */\nexport function paddedIndex(index: number): string {\n  return String(index).padStart(10, '0')\n}\n\n/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */\nexport function parseIndex(key: string): number {\n  return Number.parseInt(key, 10)\n}\n","/**\n * Envelope payload hash — pinned in its own leaf module so consumers\n * (DictionaryHandle, the active history strategy) can import it\n * without dragging in the `LedgerStore` class.\n *\n * see `constants.ts` for the broader rationale.\n *\n * @internal\n */\n\nimport type { EncryptedEnvelope } from '../../types.js'\nimport { sha256Hex } from './entry.js'\n\n/**\n * Compute the `payloadHash` value for an encrypted envelope. Used by\n * `LedgerStore.append` for both put (hash the new envelope) and\n * delete (hash the previous envelope) paths, and by\n * `DictionaryHandle` so its ledger entries match the same contract.\n *\n * Returns the empty string when there is no envelope (delete of a\n * never-existed record). The empty string tolerated by the ledger\n * entry's `payloadHash` field as the canonical \"nothing here\" value.\n */\nexport async function envelopePayloadHash(\n  envelope: EncryptedEnvelope | null,\n): Promise<string> {\n  if (!envelope) return ''\n  // `_data` is a base64 string for encrypted envelopes and the raw\n  // JSON for plaintext ones. Both are strings, so a single sha256Hex\n  // call works for both modes — the hash value differs between\n  // encrypted/plaintext compartments because the bytes on disk\n  // differ.\n  return sha256Hex(envelope._data)\n}\n"],"mappings":";AAiKO,SAAS,cAAc,OAAwB;AACpD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,uDAAuD,OAAO,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,UAAU,eAAe,OAAO,UAAU,YAAY;AAC/D,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,KAAK;AAAA,IACnD;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAAA,EAC9D;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,QAAkB,CAAC;AACzB,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,UAAU,GAAG,IAAI,MAAM,cAAc,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE;AACA,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AACA,QAAM,IAAI,MAAM,yCAAyC,OAAO,KAAK,EAAE;AACzE;AAUA,eAAsB,UAAU,OAAgC;AAC9D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,WAAW,IAAI,WAAW,MAAM,CAAC;AAC1C;AAQA,eAAsB,UAAU,OAAqC;AACnE,SAAO,UAAU,cAAc,KAAK,CAAC;AACvC;AAGA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,IAAI,MAAc,MAAM,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AAIrC,QAAI,CAAC,KAAK,MAAM,CAAC,KAAK,GAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACvD;AACA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQO,SAAS,YAAY,OAAuB;AACjD,SAAO,OAAO,KAAK,EAAE,SAAS,IAAI,GAAG;AACvC;AAGO,SAAS,WAAW,KAAqB;AAC9C,SAAO,OAAO,SAAS,KAAK,EAAE;AAChC;;;AC9NA,eAAsB,oBACpB,UACiB;AACjB,MAAI,CAAC,SAAU,QAAO;AAMtB,SAAO,UAAU,SAAS,KAAK;AACjC;","names":[]}

package/dist/chunk-E445ICYI.js

@@ -0,0 +1,365 @@
+import {
+  generateULID
+} from "./chunk-FZU343FL.js";
+import {
+  base64ToBuffer,
+  bufferToBase64
+} from "./chunk-MR4424N3.js";
+import {
+  SessionExpiredError,
+  SessionNotFoundError,
+  SessionPolicyError,
+  ValidationError
+} from "./chunk-ACLDOTNQ.js";
+
+// src/session/session.ts
+var subtle = globalThis.crypto.subtle;
+var DEFAULT_TTL_MS = 60 * 60 * 1e3;
+var sessionKeyStore = /* @__PURE__ */ new Map();
+async function createSession(keyring, vault, options = {}) {
+  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS;
+  const sessionId = generateULID();
+  const expiresAt = new Date(Date.now() + ttlMs).toISOString();
+  const sessionKey = await subtle.generateKey(
+    { name: "AES-GCM", length: 256 },
+    false,
+    // non-extractable — this is the tab-scope security invariant
+    ["encrypt", "decrypt"]
+  );
+  const dekMap = {};
+  for (const [collName, dek] of keyring.deks) {
+    const raw = await subtle.exportKey("raw", dek);
+    dekMap[collName] = bufferToBase64(raw);
+  }
+  const payload = JSON.stringify({
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: dekMap,
+    salt: bufferToBase64(keyring.salt)
+  });
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    sessionKey,
+    new TextEncoder().encode(payload)
+  );
+  const token = {
+    _noydb_session: 1,
+    sessionId,
+    userId: keyring.userId,
+    vault,
+    role: keyring.role,
+    expiresAt,
+    wrappedKek: bufferToBase64(encrypted),
+    kekIv: bufferToBase64(iv)
+  };
+  sessionKeyStore.set(sessionId, sessionKey);
+  return { token, sessionId };
+}
+async function resolveSession(token) {
+  if (Date.now() > new Date(token.expiresAt).getTime()) {
+    sessionKeyStore.delete(token.sessionId);
+    throw new SessionExpiredError(token.sessionId);
+  }
+  const sessionKey = sessionKeyStore.get(token.sessionId);
+  if (!sessionKey) {
+    throw new SessionNotFoundError(token.sessionId);
+  }
+  const iv = base64ToBuffer(token.kekIv);
+  const ciphertext = base64ToBuffer(token.wrappedKek);
+  let plaintext;
+  try {
+    plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      sessionKey,
+      ciphertext
+    );
+  } catch {
+    throw new SessionNotFoundError(token.sessionId);
+  }
+  const payload = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, rawBase64] of Object.entries(payload.deks)) {
+    const dek = await subtle.importKey(
+      "raw",
+      base64ToBuffer(rawBase64),
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(collName, dek);
+  }
+  return {
+    userId: payload.userId,
+    displayName: payload.displayName,
+    role: payload.role,
+    permissions: payload.permissions,
+    deks,
+    kek: null,
+    // KEK not available in session context
+    salt: base64ToBuffer(payload.salt)
+  };
+}
+function revokeSession(sessionId) {
+  sessionKeyStore.delete(sessionId);
+}
+function isSessionAlive(token) {
+  if (Date.now() > new Date(token.expiresAt).getTime()) return false;
+  return sessionKeyStore.has(token.sessionId);
+}
+function revokeAllSessions() {
+  sessionKeyStore.clear();
+}
+function activeSessionCount() {
+  return sessionKeyStore.size;
+}
+
+// src/session/session-policy.ts
+var PolicyEnforcer = class {
+  policy;
+  sessionId;
+  onRevoke;
+  createdAt;
+  lastActivityAt;
+  idleTimer = null;
+  absoluteTimer = null;
+  visibilityHandler = null;
+  constructor(opts) {
+    this.policy = opts.policy;
+    this.sessionId = opts.sessionId;
+    this.onRevoke = opts.onRevoke;
+    this.createdAt = Date.now();
+    this.lastActivityAt = Date.now();
+    this.scheduleIdleTimer();
+    this.scheduleAbsoluteTimer();
+    this.registerBackgroundLock();
+  }
+  /**
+   * Record an activity timestamp and reset the idle timer.
+   * Call this at the top of every Noydb public method.
+   */
+  touch() {
+    this.lastActivityAt = Date.now();
+    this.scheduleIdleTimer();
+  }
+  /**
+   * Check whether the given operation is allowed under the active policy.
+   * Throws `SessionPolicyError` if the operation requires re-authentication.
+   * Throws `SessionExpiredError` if the absolute timeout has been exceeded
+   * (defensive check in case the timer fired before the call arrived).
+   *
+   * This is a synchronous check — callers don't await it.
+   */
+  checkOperation(op) {
+    const { absoluteTimeoutMs } = this.policy;
+    if (absoluteTimeoutMs !== void 0 && Date.now() - this.createdAt >= absoluteTimeoutMs) {
+      this.expire("absolute");
+      throw new SessionExpiredError(this.sessionId);
+    }
+    const required = this.policy.requireReAuthFor ?? [];
+    if (required.includes(op)) {
+      throw new SessionPolicyError(op);
+    }
+  }
+  /**
+   * Tear down timers and background-lock listener. Call from `Noydb.close()`
+   * and whenever the session is revoked externally.
+   */
+  destroy() {
+    if (this.idleTimer) {
+      clearTimeout(this.idleTimer);
+      this.idleTimer = null;
+    }
+    if (this.absoluteTimer) {
+      clearTimeout(this.absoluteTimer);
+      this.absoluteTimer = null;
+    }
+    if (this.visibilityHandler && typeof document !== "undefined") {
+      document.removeEventListener("visibilitychange", this.visibilityHandler);
+      this.visibilityHandler = null;
+    }
+  }
+  /** How long since the last activity, in ms. */
+  get idleMs() {
+    return Date.now() - this.lastActivityAt;
+  }
+  /** How long since session creation, in ms. */
+  get ageMs() {
+    return Date.now() - this.createdAt;
+  }
+  // ── Private ──────────────────────────────────────────────────────────
+  scheduleIdleTimer() {
+    const { idleTimeoutMs } = this.policy;
+    if (!idleTimeoutMs) return;
+    if (this.idleTimer) clearTimeout(this.idleTimer);
+    this.idleTimer = setTimeout(() => {
+      this.expire("idle");
+    }, idleTimeoutMs);
+  }
+  scheduleAbsoluteTimer() {
+    const { absoluteTimeoutMs } = this.policy;
+    if (!absoluteTimeoutMs) return;
+    if (this.absoluteTimer) clearTimeout(this.absoluteTimer);
+    this.absoluteTimer = setTimeout(() => {
+      this.expire("absolute");
+    }, absoluteTimeoutMs);
+  }
+  registerBackgroundLock() {
+    if (!this.policy.lockOnBackground) return;
+    if (typeof document === "undefined") return;
+    this.visibilityHandler = () => {
+      if (document.hidden) {
+        this.expire("background");
+      }
+    };
+    document.addEventListener("visibilitychange", this.visibilityHandler);
+  }
+  expire(reason) {
+    this.destroy();
+    revokeSession(this.sessionId);
+    this.onRevoke(reason);
+  }
+};
+function createEnforcer(opts) {
+  return new PolicyEnforcer(opts);
+}
+function validateSessionPolicy(policy) {
+  const { idleTimeoutMs, absoluteTimeoutMs } = policy;
+  if (idleTimeoutMs !== void 0 && (typeof idleTimeoutMs !== "number" || idleTimeoutMs <= 0)) {
+    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`);
+  }
+  if (absoluteTimeoutMs !== void 0 && (typeof absoluteTimeoutMs !== "number" || absoluteTimeoutMs <= 0)) {
+    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`);
+  }
+  if (idleTimeoutMs !== void 0 && absoluteTimeoutMs !== void 0 && idleTimeoutMs >= absoluteTimeoutMs) {
+    throw new Error(
+      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`
+    );
+  }
+}
+
+// src/session/dev-unlock.ts
+var REQUIRED_ACKNOWLEDGE = "I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY";
+var STORAGE_PREFIX = "noydb:dev-unlock:";
+function assertDevEnvironment() {
+  if (typeof process !== "undefined" && process.env.NODE_ENV === "production") {
+    throw new ValidationError(
+      'devUnlock is not available in production builds. process.env.NODE_ENV is "production".'
+    );
+  }
+  if (typeof globalThis !== "undefined" && globalThis.__vite_is_production__ === true) {
+    throw new ValidationError("devUnlock is not available in production builds.");
+  }
+  if (typeof window !== "undefined" && typeof window.location !== "undefined") {
+    const host = window.location.hostname;
+    if (host !== "localhost" && host !== "127.0.0.1" && host !== "::1" && !host.endsWith(".local")) {
+      throw new ValidationError(
+        `devUnlock is only available on localhost. Current hostname: "${host}". Set NODE_ENV=development and run on localhost to use dev unlock.`
+      );
+    }
+  }
+}
+function storageKey(vault, userId) {
+  return `${STORAGE_PREFIX}${vault}:${userId}`;
+}
+function resolveStorage(persistAcrossTabs) {
+  if (typeof window === "undefined") {
+    throw new ValidationError("devUnlock requires a browser environment (window.sessionStorage / window.localStorage).");
+  }
+  return persistAcrossTabs ? window.localStorage : window.sessionStorage;
+}
+async function enableDevUnlock(vault, userId, keyring, options) {
+  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {
+    throw new ValidationError(
+      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. Got: '${options.acknowledge}'. This is intentional \u2014 the full string must appear in your source.`
+    );
+  }
+  assertDevEnvironment();
+  const storage = resolveStorage(options.persistAcrossTabs);
+  const dekMap = {};
+  for (const [collName, dek] of keyring.deks) {
+    const raw = await globalThis.crypto.subtle.exportKey("raw", dek);
+    dekMap[collName] = bufferToBase64(raw);
+  }
+  const payload = JSON.stringify({
+    _noydb_dev_unlock: 1,
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: dekMap,
+    salt: bufferToBase64(keyring.salt)
+  });
+  storage.setItem(storageKey(vault, userId), payload);
+  console.warn(
+    "%c\u26A0\uFE0F NOYDB DEV UNLOCK ACTIVE \u26A0\uFE0F",
+    "color: red; font-size: 16px; font-weight: bold",
+    `
+
+Compartment "${vault}" user "${userId}" is stored in ${options.persistAcrossTabs ? "localStorage" : "sessionStorage"} in PLAINTEXT DEKs.
+This is ONLY safe for local development. Never use in production.
+Call clearDevUnlock() to remove.`
+  );
+}
+async function loadDevUnlock(vault, userId, options = {}) {
+  if (typeof window === "undefined") return null;
+  const storage = resolveStorage(options.persistAcrossTabs);
+  const raw = storage.getItem(storageKey(vault, userId));
+  if (!raw) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (parsed._noydb_dev_unlock !== 1) return null;
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {
+    const dek = await globalThis.crypto.subtle.importKey(
+      "raw",
+      base64ToBuffer(rawBase64),
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(collName, dek);
+  }
+  return {
+    userId: parsed.userId,
+    displayName: parsed.displayName,
+    role: parsed.role,
+    permissions: parsed.permissions,
+    deks,
+    kek: null,
+    salt: base64ToBuffer(parsed.salt)
+  };
+}
+function clearDevUnlock(vault, userId, options = {}) {
+  if (typeof window === "undefined") return;
+  const storage = resolveStorage(options.persistAcrossTabs);
+  storage.removeItem(storageKey(vault, userId));
+}
+function isDevUnlockActive(vault, userId, options = {}) {
+  if (typeof window === "undefined") return false;
+  const storage = resolveStorage(options.persistAcrossTabs);
+  return storage.getItem(storageKey(vault, userId)) !== null;
+}
+
+export {
+  createSession,
+  resolveSession,
+  revokeSession,
+  isSessionAlive,
+  revokeAllSessions,
+  activeSessionCount,
+  PolicyEnforcer,
+  createEnforcer,
+  validateSessionPolicy,
+  enableDevUnlock,
+  loadDevUnlock,
+  clearDevUnlock,
+  isDevUnlockActive
+};
+//# sourceMappingURL=chunk-E445ICYI.js.map