@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/chunk-DYBQG5PQ.js

@@ -0,0 +1,34 @@
+import {
+  TierNotGrantedError
+} from "./chunk-ADQ5MQ54.js";
+
+// src/team/tiers.ts
+function dekKey(collection, tier) {
+  if (tier <= 0) return collection;
+  return `${collection}#${tier}`;
+}
+function effectiveClearance(keyring, collection) {
+  let max = 0;
+  const prefix = `${collection}#`;
+  for (const key of keyring.deks.keys()) {
+    if (!key.startsWith(prefix)) continue;
+    const suffix = key.slice(prefix.length);
+    const n = Number.parseInt(suffix, 10);
+    if (Number.isFinite(n) && n > max) max = n;
+  }
+  return max;
+}
+function assertTierAccess(keyring, collection, tier) {
+  if (tier <= 0) return;
+  if (keyring.role === "owner" || keyring.role === "admin") return;
+  if (!keyring.deks.has(dekKey(collection, tier))) {
+    throw new TierNotGrantedError(collection, tier);
+  }
+}
+
+export {
+  dekKey,
+  effectiveClearance,
+  assertTierAccess
+};
+//# sourceMappingURL=chunk-DYBQG5PQ.js.map

package/dist/chunk-DYBQG5PQ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/tiers.ts"],"sourcesContent":["/**\n * Hierarchical access — tier-aware keyring helpers.\n *\n * The keyring's existing `deks: Map<string, CryptoKey>` is keyed by\n * collection name. extends the key space:\n *\n *   `'invoices'`      — tier-0 DEK (unchanged from v0.x)\n *   `'invoices#1'`    — tier-1 DEK\n *   `'invoices#2'`    — tier-2 DEK\n *\n * Tier 0 keeps the bare collection name so any keyring written\n * before tiers existed loads without migration. Tiers ≥ 1 use `#N`\n * suffixes that\n * would be invalid as user-supplied collection names (see\n * `ReservedCollectionNameError` — `#` is reserved).\n *\n * @module\n */\n\nimport type { UnlockedKeyring } from './keyring.js'\nimport { TierNotGrantedError } from '../errors.js'\n\n/** Canonical DEK key for a given collection + tier. Tier 0 → bare name. */\nexport function dekKey(collection: string, tier: number): string {\n  if (tier <= 0) return collection\n  return `${collection}#${tier}`\n}\n\n/**\n * Returns the user's effective clearance for a given collection: the\n * maximum tier for which their keyring holds a DEK. Falls back to 0\n * when the user has only the tier-0 DEK (or none — the getDEK caller\n * will raise separately).\n */\nexport function effectiveClearance(keyring: UnlockedKeyring, collection: string): number {\n  let max = 0\n  const prefix = `${collection}#`\n  for (const key of keyring.deks.keys()) {\n    if (!key.startsWith(prefix)) continue\n    const suffix = key.slice(prefix.length)\n    const n = Number.parseInt(suffix, 10)\n    if (Number.isFinite(n) && n > max) max = n\n  }\n  return max\n}\n\n/**\n * Assert the caller is cleared for the requested tier. Owners and\n * admins always pass (they can mint any new tier DEK on demand);\n * other roles must already hold the tier DEK — via a prior grant or\n * an active delegation — otherwise this throws `TierNotGrantedError`.\n *\n * This gate runs BEFORE `getDEK()` on the mutation path so a\n * non-cleared operator never has the opportunity to silently\n * auto-create a tier DEK they shouldn't have.\n */\nexport function assertTierAccess(\n  keyring: UnlockedKeyring,\n  collection: string,\n  tier: number,\n): void {\n  if (tier <= 0) return\n  if (keyring.role === 'owner' || keyring.role === 'admin') return\n  if (!keyring.deks.has(dekKey(collection, tier))) {\n    throw new TierNotGrantedError(collection, tier)\n  }\n}\n"],"mappings":";;;;;AAuBO,SAAS,OAAO,YAAoB,MAAsB;AAC/D,MAAI,QAAQ,EAAG,QAAO;AACtB,SAAO,GAAG,UAAU,IAAI,IAAI;AAC9B;AAQO,SAAS,mBAAmB,SAA0B,YAA4B;AACvF,MAAI,MAAM;AACV,QAAM,SAAS,GAAG,UAAU;AAC5B,aAAW,OAAO,QAAQ,KAAK,KAAK,GAAG;AACrC,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,SAAS,IAAI,MAAM,OAAO,MAAM;AACtC,UAAM,IAAI,OAAO,SAAS,QAAQ,EAAE;AACpC,QAAI,OAAO,SAAS,CAAC,KAAK,IAAI,IAAK,OAAM;AAAA,EAC3C;AACA,SAAO;AACT;AAYO,SAAS,iBACd,SACA,YACA,MACM;AACN,MAAI,QAAQ,EAAG;AACf,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,QAAS;AAC1D,MAAI,CAAC,QAAQ,KAAK,IAAI,OAAO,YAAY,IAAI,CAAC,GAAG;AAC/C,UAAM,IAAI,oBAAoB,YAAY,IAAI;AAAA,EAChD;AACF;","names":[]}

package/dist/{chunk-ZFKD4QMV.js → chunk-DYECX3IX.js}

@@ -1,10 +1,10 @@
 import {
   evaluateClause,
   readPath
-} from "./chunk-M5INGEFC.js";
+} from "./chunk-MRIBLZL3.js";
 import {
   IndexRequiredError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-ADQ5MQ54.js";
 
 // src/indexing/persisted-indexes.ts
 var IDX_PREFIX = "_idx/";
@@ -427,4 +427,4 @@ export {
   PersistedCollectionIndex,
   LazyQuery
 };
-//# sourceMappingURL=chunk-ZFKD4QMV.js.map
+//# sourceMappingURL=chunk-DYECX3IX.js.map

package/dist/chunk-EGQYGYIU.js

@@ -0,0 +1,51 @@
+import {
+  ValidationError
+} from "./chunk-ADQ5MQ54.js";
+
+// src/derivations/with-derivation.ts
+function withDerivation(spec) {
+  if (!spec.source || spec.source.length === 0) {
+    throw new ValidationError("withDerivation: source collection name is required");
+  }
+  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {
+    throw new ValidationError("withDerivation: outputs map must declare at least one output");
+  }
+  if (spec.deterministic !== true) {
+    throw new ValidationError("withDerivation: v1 only supports deterministic derivations");
+  }
+  if (typeof spec.derive !== "function") {
+    throw new ValidationError("withDerivation: derive must be a function");
+  }
+  const lifecycleMode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
+  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {
+    if (outputSpec.shape === "array") {
+      if (lifecycleMode !== "eager") {
+        throw new ValidationError(
+          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release (#200 slice 1). Output "${outputKey}" declared lifecycle '${lifecycleMode}'. Switch to \`lifecycle: "eager"\` or use shape: "record".`
+        );
+      }
+      if (typeof outputSpec.key !== "function") {
+        throw new ValidationError(
+          `withDerivation: shape 'array' output "${outputKey}" requires \`key: (out) => string\`.`
+        );
+      }
+      if (outputSpec.maxFanout !== void 0) {
+        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {
+          throw new ValidationError(
+            `withDerivation: maxFanout for output "${outputKey}" must be a positive integer (got ${String(outputSpec.maxFanout)}).`
+          );
+        }
+      }
+    }
+  }
+  return {
+    __noydb_strategy: "derivation",
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    spec
+  };
+}
+
+export {
+  withDerivation
+};
+//# sourceMappingURL=chunk-EGQYGYIU.js.map

package/dist/chunk-EGQYGYIU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/with-derivation.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { DerivationStrategy, DerivationStrategyHandle } from './types.js'\n\n/**\n * Register a deterministic derivation: one source collection → one or\n * more typed outputs, computed by the user's `derive` function on\n * plaintext after DEK unwrap. Outputs are encrypted with the same DEK\n * as the source and written via the standard `Collection.put` path.\n *\n * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.\n */\nexport function withDerivation<\n  TSource extends Record<string, unknown>,\n  TOutputs extends Record<string, Record<string, unknown>>,\n>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle {\n  if (!spec.source || spec.source.length === 0) {\n    throw new ValidationError('withDerivation: source collection name is required')\n  }\n  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {\n    throw new ValidationError('withDerivation: outputs map must declare at least one output')\n  }\n  if (spec.deterministic !== true) {\n    throw new ValidationError('withDerivation: v1 only supports deterministic derivations')\n  }\n  if (typeof spec.derive !== 'function') {\n    throw new ValidationError('withDerivation: derive must be a function')\n  }\n\n  // #200 slice 1 — validate array-shape outputs.\n  const lifecycleMode = typeof spec.lifecycle === 'string' ? spec.lifecycle : spec.lifecycle.mode\n  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {\n    if (outputSpec.shape === 'array') {\n      if (lifecycleMode !== 'eager') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release `\n          + `(#200 slice 1). Output \"${outputKey}\" declared lifecycle '${lifecycleMode}'. `\n          + 'Switch to `lifecycle: \"eager\"` or use shape: \"record\".',\n        )\n      }\n      if (typeof outputSpec.key !== 'function') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' output \"${outputKey}\" requires \\`key: (out) => string\\`.`,\n        )\n      }\n      if (outputSpec.maxFanout !== undefined) {\n        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {\n          throw new ValidationError(\n            `withDerivation: maxFanout for output \"${outputKey}\" must be a positive integer `\n            + `(got ${String(outputSpec.maxFanout)}).`,\n          )\n        }\n      }\n    }\n  }\n\n  return {\n    __noydb_strategy: 'derivation',\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    spec: spec as DerivationStrategy<any, any>,\n  }\n}\n"],"mappings":";;;;;AAWO,SAAS,eAGd,MAAuE;AACvE,MAAI,CAAC,KAAK,UAAU,KAAK,OAAO,WAAW,GAAG;AAC5C,UAAM,IAAI,gBAAgB,oDAAoD;AAAA,EAChF;AACA,MAAI,CAAC,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,WAAW,GAAG;AAC3D,UAAM,IAAI,gBAAgB,8DAA8D;AAAA,EAC1F;AACA,MAAI,KAAK,kBAAkB,MAAM;AAC/B,UAAM,IAAI,gBAAgB,4DAA4D;AAAA,EACxF;AACA,MAAI,OAAO,KAAK,WAAW,YAAY;AACrC,UAAM,IAAI,gBAAgB,2CAA2C;AAAA,EACvE;AAGA,QAAM,gBAAgB,OAAO,KAAK,cAAc,WAAW,KAAK,YAAY,KAAK,UAAU;AAC3F,aAAW,CAAC,WAAW,UAAU,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAClE,QAAI,WAAW,UAAU,SAAS;AAChC,UAAI,kBAAkB,SAAS;AAC7B,cAAM,IAAI;AAAA,UACR,yGAC6B,SAAS,yBAAyB,aAAa;AAAA,QAE9E;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,YAAY;AACxC,cAAM,IAAI;AAAA,UACR,yCAAyC,SAAS;AAAA,QACpD;AAAA,MACF;AACA,UAAI,WAAW,cAAc,QAAW;AACtC,YAAI,CAAC,OAAO,UAAU,WAAW,SAAS,KAAK,WAAW,YAAY,GAAG;AACvE,gBAAM,IAAI;AAAA,YACR,yCAAyC,SAAS,qCACxC,OAAO,WAAW,SAAS,CAAC;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,kBAAkB;AAAA;AAAA,IAElB;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-FCXOFQAJ.js

@@ -0,0 +1,79 @@
+import {
+  DerivationCycleError
+} from "./chunk-ADQ5MQ54.js";
+
+// src/derivations/strategy-hash.ts
+async function computeStrategyHash(source, outputKeys, derive) {
+  const canonical = JSON.stringify({
+    source,
+    outputs: [...outputKeys].sort(),
+    derive: derive.toString()
+  });
+  const bytes = new TextEncoder().encode(canonical);
+  const digest = await crypto.subtle.digest("SHA-256", bytes);
+  return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/derivations/registry.ts
+var DerivationRegistry = class {
+  _bySource = /* @__PURE__ */ new Map();
+  _byOutput = /* @__PURE__ */ new Map();
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  async register(spec) {
+    const outputKeys = Object.keys(spec.outputs);
+    const strategyHash = await computeStrategyHash(spec.source, outputKeys, spec.derive);
+    const reg = { spec, strategyHash };
+    const fromSource = this._bySource.get(spec.source);
+    if (fromSource) fromSource.push(reg);
+    else this._bySource.set(spec.source, [reg]);
+    for (const key of outputKeys) {
+      const output = spec.outputs[key];
+      if (!output) continue;
+      const outputCollection = output.collection;
+      const arr = this._byOutput.get(outputCollection);
+      if (arr) arr.push(reg);
+      else this._byOutput.set(outputCollection, [reg]);
+    }
+  }
+  strategiesForSource(source) {
+    return this._bySource.get(source) ?? [];
+  }
+  strategiesProducingOutput(collection) {
+    return this._byOutput.get(collection) ?? [];
+  }
+  /**
+   * Cycle detection over the source → output → … graph. Call after all
+   * `register()` calls complete (i.e. at vault open). Throws
+   * `DerivationCycleError` on the first cycle found.
+   */
+  validate() {
+    const visited = /* @__PURE__ */ new Set();
+    const stack = [];
+    const visit = (node) => {
+      if (stack.includes(node)) {
+        const cycle = stack.slice(stack.indexOf(node)).concat(node);
+        throw new DerivationCycleError(cycle);
+      }
+      if (visited.has(node)) return;
+      stack.push(node);
+      const strategies = this._bySource.get(node);
+      if (strategies) {
+        for (const s of strategies) {
+          for (const key of Object.keys(s.spec.outputs)) {
+            const output = s.spec.outputs[key];
+            if (!output) continue;
+            visit(output.collection);
+          }
+        }
+      }
+      stack.pop();
+      visited.add(node);
+    };
+    for (const src of this._bySource.keys()) visit(src);
+  }
+};
+
+export {
+  DerivationRegistry
+};
+//# sourceMappingURL=chunk-FCXOFQAJ.js.map

package/dist/chunk-FCXOFQAJ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/strategy-hash.ts","../src/derivations/registry.ts"],"sourcesContent":["/**\n * Deterministic hash of a derivation strategy's \"shape\": source\n * collection, output keys, derive function source. Used to detect\n * strategy drift: a record whose `_derivedFrom.strategyHash` doesn't\n * match the current strategy is considered stale.\n *\n * Web Crypto SHA-256 — no extra deps.\n */\nexport async function computeStrategyHash(\n  source: string,\n  outputKeys: readonly string[],\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  derive: (...args: any[]) => any,\n): Promise<string> {\n  const canonical = JSON.stringify({\n    source,\n    outputs: [...outputKeys].sort(),\n    derive: derive.toString(),\n  })\n  const bytes = new TextEncoder().encode(canonical)\n  const digest = await crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map(b => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n","import { DerivationCycleError } from '../errors.js'\nimport { computeStrategyHash } from './strategy-hash.js'\nimport type { DerivationStrategy } from './types.js'\n\ninterface RegisteredStrategy {\n  // Type-erased to allow the registry to hold heterogeneous strategies.\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  spec: DerivationStrategy<any, any>\n  strategyHash: string\n}\n\n/**\n * Vault-internal registry of derivation strategies. Owned by `Vault`;\n * not exported.\n *\n * @internal\n */\nexport class DerivationRegistry {\n  private readonly _bySource = new Map<string, RegisteredStrategy[]>()\n  private readonly _byOutput = new Map<string, RegisteredStrategy[]>()\n\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  async register(spec: DerivationStrategy<any, any>): Promise<void> {\n    const outputKeys = Object.keys(spec.outputs)\n    const strategyHash = await computeStrategyHash(spec.source, outputKeys, spec.derive)\n    const reg: RegisteredStrategy = { spec, strategyHash }\n\n    const fromSource = this._bySource.get(spec.source)\n    if (fromSource) fromSource.push(reg)\n    else this._bySource.set(spec.source, [reg])\n\n    for (const key of outputKeys) {\n      const output = spec.outputs[key]\n      if (!output) continue\n      const outputCollection = output.collection\n      const arr = this._byOutput.get(outputCollection)\n      if (arr) arr.push(reg)\n      else this._byOutput.set(outputCollection, [reg])\n    }\n  }\n\n  strategiesForSource(source: string): ReadonlyArray<RegisteredStrategy> {\n    return this._bySource.get(source) ?? []\n  }\n\n  strategiesProducingOutput(collection: string): ReadonlyArray<RegisteredStrategy> {\n    return this._byOutput.get(collection) ?? []\n  }\n\n  /**\n   * Cycle detection over the source → output → … graph. Call after all\n   * `register()` calls complete (i.e. at vault open). Throws\n   * `DerivationCycleError` on the first cycle found.\n   */\n  validate(): void {\n    const visited = new Set<string>()\n    const stack: string[] = []\n\n    const visit = (node: string): void => {\n      if (stack.includes(node)) {\n        const cycle = stack.slice(stack.indexOf(node)).concat(node)\n        throw new DerivationCycleError(cycle)\n      }\n      if (visited.has(node)) return\n      stack.push(node)\n      const strategies = this._bySource.get(node)\n      if (strategies) {\n        for (const s of strategies) {\n          for (const key of Object.keys(s.spec.outputs)) {\n            const output = s.spec.outputs[key]\n            if (!output) continue\n            visit(output.collection)\n          }\n        }\n      }\n      stack.pop()\n      visited.add(node)\n    }\n\n    for (const src of this._bySource.keys()) visit(src)\n  }\n}\n"],"mappings":";;;;;AAQA,eAAsB,oBACpB,QACA,YAEA,QACiB;AACjB,QAAM,YAAY,KAAK,UAAU;AAAA,IAC/B;AAAA,IACA,SAAS,CAAC,GAAG,UAAU,EAAE,KAAK;AAAA,IAC9B,QAAQ,OAAO,SAAS;AAAA,EAC1B,CAAC;AACD,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,SAAS;AAChD,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK;AAC1D,SAAO,MAAM,KAAK,IAAI,WAAW,MAAM,CAAC,EACrC,IAAI,OAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EACxC,KAAK,EAAE;AACZ;;;ACPO,IAAM,qBAAN,MAAyB;AAAA,EACb,YAAY,oBAAI,IAAkC;AAAA,EAClD,YAAY,oBAAI,IAAkC;AAAA;AAAA,EAGnE,MAAM,SAAS,MAAmD;AAChE,UAAM,aAAa,OAAO,KAAK,KAAK,OAAO;AAC3C,UAAM,eAAe,MAAM,oBAAoB,KAAK,QAAQ,YAAY,KAAK,MAAM;AACnF,UAAM,MAA0B,EAAE,MAAM,aAAa;AAErD,UAAM,aAAa,KAAK,UAAU,IAAI,KAAK,MAAM;AACjD,QAAI,WAAY,YAAW,KAAK,GAAG;AAAA,QAC9B,MAAK,UAAU,IAAI,KAAK,QAAQ,CAAC,GAAG,CAAC;AAE1C,eAAW,OAAO,YAAY;AAC5B,YAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,UAAI,CAAC,OAAQ;AACb,YAAM,mBAAmB,OAAO;AAChC,YAAM,MAAM,KAAK,UAAU,IAAI,gBAAgB;AAC/C,UAAI,IAAK,KAAI,KAAK,GAAG;AAAA,UAChB,MAAK,UAAU,IAAI,kBAAkB,CAAC,GAAG,CAAC;AAAA,IACjD;AAAA,EACF;AAAA,EAEA,oBAAoB,QAAmD;AACrE,WAAO,KAAK,UAAU,IAAI,MAAM,KAAK,CAAC;AAAA,EACxC;AAAA,EAEA,0BAA0B,YAAuD;AAC/E,WAAO,KAAK,UAAU,IAAI,UAAU,KAAK,CAAC;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAiB;AACf,UAAM,UAAU,oBAAI,IAAY;AAChC,UAAM,QAAkB,CAAC;AAEzB,UAAM,QAAQ,CAAC,SAAuB;AACpC,UAAI,MAAM,SAAS,IAAI,GAAG;AACxB,cAAM,QAAQ,MAAM,MAAM,MAAM,QAAQ,IAAI,CAAC,EAAE,OAAO,IAAI;AAC1D,cAAM,IAAI,qBAAqB,KAAK;AAAA,MACtC;AACA,UAAI,QAAQ,IAAI,IAAI,EAAG;AACvB,YAAM,KAAK,IAAI;AACf,YAAM,aAAa,KAAK,UAAU,IAAI,IAAI;AAC1C,UAAI,YAAY;AACd,mBAAW,KAAK,YAAY;AAC1B,qBAAW,OAAO,OAAO,KAAK,EAAE,KAAK,OAAO,GAAG;AAC7C,kBAAM,SAAS,EAAE,KAAK,QAAQ,GAAG;AACjC,gBAAI,CAAC,OAAQ;AACb,kBAAM,OAAO,UAAU;AAAA,UACzB;AAAA,QACF;AAAA,MACF;AACA,YAAM,IAAI;AACV,cAAQ,IAAI,IAAI;AAAA,IAClB;AAEA,eAAW,OAAO,KAAK,UAAU,KAAK,EAAG,OAAM,GAAG;AAAA,EACpD;AACF;","names":[]}

package/dist/chunk-HB3Z2GCR.js

@@ -0,0 +1,124 @@
+import {
+  DerivationCapExceededError,
+  DerivationOutputShapeError
+} from "./chunk-ADQ5MQ54.js";
+
+// src/derivations/executor.ts
+var DerivationExecutor = {
+  /**
+   * Run `derive` once, validate output shape against the spec, stamp
+   * `_derivedFrom` onto every output. Returns per-output success or
+   * failure; throws only for shape mismatches (a contract violation).
+   */
+  async run(strategy, source, sourceVersion, strategyHash, ctx) {
+    const outputs = {};
+    let derived;
+    try {
+      derived = await Promise.resolve(strategy.derive(source, ctx));
+    } catch (err) {
+      for (const key of Object.keys(strategy.outputs)) {
+        outputs[key] = {
+          kind: "failed",
+          value: {},
+          ok: false,
+          error: err instanceof Error ? err : new Error(String(err))
+        };
+      }
+      return { outputs, failed: true };
+    }
+    const meta = {
+      source: strategy.source,
+      sourceId: source.id,
+      sourceVersion,
+      derivedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      strategyHash
+    };
+    for (const key of Object.keys(strategy.outputs)) {
+      const outSpec = strategy.outputs[key];
+      if (!outSpec) continue;
+      const value = derived[key];
+      if (outSpec.shape === "array") {
+        if (value === void 0 || value === null) {
+          outputs[key] = { kind: "array", ok: true, entries: [] };
+          continue;
+        }
+        if (!Array.isArray(value)) {
+          throw new DerivationOutputShapeError(
+            key,
+            `shape 'array' expects an array, got ${typeof value}`
+          );
+        }
+        const maxFanout = outSpec.maxFanout ?? 64;
+        if (value.length > maxFanout) {
+          throw new DerivationCapExceededError(key, value.length, maxFanout);
+        }
+        const entries = [];
+        const seenKeys = /* @__PURE__ */ new Set();
+        for (let i = 0; i < value.length; i++) {
+          const row = value[i];
+          if (row === null || typeof row !== "object") {
+            throw new DerivationOutputShapeError(
+              key,
+              `array member at index ${i} must be a non-null object (got ${row === null ? "null" : typeof row})`
+            );
+          }
+          let derivedKey;
+          try {
+            derivedKey = outSpec.key(row);
+          } catch (err) {
+            throw new DerivationOutputShapeError(
+              key,
+              `key extractor threw on array member at index ${i}: ` + (err instanceof Error ? err.message : String(err))
+            );
+          }
+          if (typeof derivedKey !== "string" || derivedKey.length === 0) {
+            throw new DerivationOutputShapeError(
+              key,
+              `key extractor returned ${typeof derivedKey === "string" ? "empty string" : typeof derivedKey} at index ${i}; expected non-empty string`
+            );
+          }
+          if (seenKeys.has(derivedKey)) {
+            throw new DerivationOutputShapeError(
+              key,
+              `duplicate key "${derivedKey}" in array output (index ${i}); each derived row must have a unique key within a single derive() invocation`
+            );
+          }
+          seenKeys.add(derivedKey);
+          entries.push({
+            key: derivedKey,
+            value: { ...row, _derivedFrom: meta }
+          });
+        }
+        outputs[key] = { kind: "array", ok: true, entries };
+        continue;
+      }
+      if (value === void 0 || value === null) {
+        if (outSpec.optional === true) {
+          outputs[key] = { kind: "record", value: {}, ok: true, skipped: true };
+          continue;
+        }
+        throw new DerivationOutputShapeError(
+          key,
+          `expected object, got ${value === void 0 ? "undefined" : "null"}`
+        );
+      }
+      if (typeof value !== "object") {
+        throw new DerivationOutputShapeError(
+          key,
+          `expected object, got ${typeof value}`
+        );
+      }
+      outputs[key] = {
+        kind: "record",
+        value: { ...value, _derivedFrom: meta },
+        ok: true
+      };
+    }
+    return { outputs, failed: false };
+  }
+};
+
+export {
+  DerivationExecutor
+};
+//# sourceMappingURL=chunk-HB3Z2GCR.js.map

package/dist/chunk-HB3Z2GCR.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/executor.ts"],"sourcesContent":["import { DerivationCapExceededError, DerivationOutputShapeError } from '../errors.js'\nimport type { DerivationContext, DerivationStrategy, DerivedFromMeta } from './types.js'\n\nexport interface RunResult {\n  outputs: Record<string, OutputResult>\n  failed: boolean\n}\n\n/**\n * Per-output result of a strategy invocation. Discriminated by\n * `kind`:\n *\n * - `record` — the existing v1 shape: one value (or a \"skipped\"\n *   marker if the output was optional and `derive` returned null).\n * - `array` — the #200 shape: a list of `(key, value)` entries.\n *   The caller diffs these against the previously-emitted key set\n *   (loaded from the fanout sidecar) to compute deletes + upserts.\n */\nexport type OutputResult =\n  | RecordOutputResult\n  | ArrayOutputResult\n  | FailedOutputResult\n\nexport interface RecordOutputResult {\n  kind: 'record'\n  value: Record<string, unknown>\n  ok: true\n  /**\n   * `true` when an optional output (#144) returned `null` /\n   * `undefined`. The caller deletes any previously-emitted output at\n   * the same id (mirrors \"tombstone for derived data\"); a never-emitted\n   * output is a silent no-op. `ok: true` because skipping is a\n   * successful outcome, not a failure.\n   */\n  skipped?: boolean\n}\n\nexport interface ArrayOutputResult {\n  kind: 'array'\n  ok: true\n  /** One `(key, value)` per derived row. Empty array means \"all prior outputs for this source go.\" */\n  entries: ReadonlyArray<{ readonly key: string; readonly value: Record<string, unknown> }>\n}\n\nexport interface FailedOutputResult {\n  kind: 'failed'\n  ok: false\n  error: Error\n  /** Always empty on failure; present so consumers don't have to narrow. */\n  value: Record<string, unknown>\n}\n\n/**\n * Stateless functions that execute a derivation strategy. Persistence\n * (encrypt + store.put) is the caller's job — typically\n * `DerivationRegistry.onSourceWrite` which iterates run() results and\n * writes each output via `Collection.put`.\n */\nexport const DerivationExecutor = {\n  /**\n   * Run `derive` once, validate output shape against the spec, stamp\n   * `_derivedFrom` onto every output. Returns per-output success or\n   * failure; throws only for shape mismatches (a contract violation).\n   */\n  async run<\n    TSource extends Record<string, unknown>,\n    TOutputs extends Record<string, Record<string, unknown>>,\n  >(\n    strategy: DerivationStrategy<TSource, TOutputs>,\n    source: TSource & { id: string },\n    sourceVersion: number,\n    strategyHash: string,\n    ctx: DerivationContext,\n  ): Promise<RunResult> {\n    const outputs: Record<string, OutputResult> = {}\n    let derived: Partial<TOutputs>\n\n    try {\n      derived = await Promise.resolve(strategy.derive(source as TSource, ctx))\n    } catch (err) {\n      for (const key of Object.keys(strategy.outputs)) {\n        outputs[key] = {\n          kind: 'failed',\n          value: {},\n          ok: false,\n          error: err instanceof Error ? err : new Error(String(err)),\n        }\n      }\n      return { outputs, failed: true }\n    }\n\n    const meta: DerivedFromMeta = {\n      source: strategy.source,\n      sourceId: source.id,\n      sourceVersion,\n      derivedAt: new Date().toISOString(),\n      strategyHash,\n    }\n\n    for (const key of Object.keys(strategy.outputs)) {\n      const outSpec = strategy.outputs[key]\n      if (!outSpec) continue\n      const value = (derived as Record<string, unknown>)[key]\n\n      // ── Array-shape branch (#200 slice 1) ──────────────────────\n      if (outSpec.shape === 'array') {\n        if (value === undefined || value === null) {\n          // Treat null/undefined as \"empty array\" — clears all prior\n          // outputs for this (source, output) pair. The caller's\n          // diff turns that into deletes.\n          outputs[key] = { kind: 'array', ok: true, entries: [] }\n          continue\n        }\n        if (!Array.isArray(value)) {\n          throw new DerivationOutputShapeError(\n            key,\n            `shape 'array' expects an array, got ${typeof value}`,\n          )\n        }\n        const maxFanout = outSpec.maxFanout ?? 64\n        if (value.length > maxFanout) {\n          throw new DerivationCapExceededError(key, value.length, maxFanout)\n        }\n        const entries: Array<{ key: string; value: Record<string, unknown> }> = []\n        const seenKeys = new Set<string>()\n        for (let i = 0; i < value.length; i++) {\n          const row = value[i] as unknown\n          if (row === null || typeof row !== 'object') {\n            throw new DerivationOutputShapeError(\n              key,\n              `array member at index ${i} must be a non-null object (got ${row === null ? 'null' : typeof row})`,\n            )\n          }\n          let derivedKey: string\n          try {\n            derivedKey = outSpec.key(row as Record<string, unknown>)\n          } catch (err) {\n            throw new DerivationOutputShapeError(\n              key,\n              `key extractor threw on array member at index ${i}: `\n              + (err instanceof Error ? err.message : String(err)),\n            )\n          }\n          if (typeof derivedKey !== 'string' || derivedKey.length === 0) {\n            throw new DerivationOutputShapeError(\n              key,\n              `key extractor returned ${typeof derivedKey === 'string' ? 'empty string' : typeof derivedKey} at index ${i}; expected non-empty string`,\n            )\n          }\n          if (seenKeys.has(derivedKey)) {\n            throw new DerivationOutputShapeError(\n              key,\n              `duplicate key \"${derivedKey}\" in array output (index ${i}); each derived row must have a unique key within a single derive() invocation`,\n            )\n          }\n          seenKeys.add(derivedKey)\n          entries.push({\n            key: derivedKey,\n            value: { ...(row as Record<string, unknown>), _derivedFrom: meta },\n          })\n        }\n        outputs[key] = { kind: 'array', ok: true, entries }\n        continue\n      }\n\n      // ── Record-shape branch (existing v1 behavior) ─────────────\n      if (value === undefined || value === null) {\n        if (outSpec.optional === true) {\n          // #144: optional output explicitly skipped. Mark for caller\n          // so any prior-emitted output at this id can be deleted.\n          outputs[key] = { kind: 'record', value: {}, ok: true, skipped: true }\n          continue\n        }\n        throw new DerivationOutputShapeError(\n          key,\n          `expected object, got ${value === undefined ? 'undefined' : 'null'}`,\n        )\n      }\n      if (typeof value !== 'object') {\n        throw new DerivationOutputShapeError(\n          key,\n          `expected object, got ${typeof value}`,\n        )\n      }\n      outputs[key] = {\n        kind: 'record',\n        value: { ...(value as Record<string, unknown>), _derivedFrom: meta },\n        ok: true,\n      }\n    }\n    return { outputs, failed: false }\n  },\n}\n"],"mappings":";;;;;;AA0DO,IAAM,qBAAqB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMhC,MAAM,IAIJ,UACA,QACA,eACA,cACA,KACoB;AACpB,UAAM,UAAwC,CAAC;AAC/C,QAAI;AAEJ,QAAI;AACF,gBAAU,MAAM,QAAQ,QAAQ,SAAS,OAAO,QAAmB,GAAG,CAAC;AAAA,IACzE,SAAS,KAAK;AACZ,iBAAW,OAAO,OAAO,KAAK,SAAS,OAAO,GAAG;AAC/C,gBAAQ,GAAG,IAAI;AAAA,UACb,MAAM;AAAA,UACN,OAAO,CAAC;AAAA,UACR,IAAI;AAAA,UACJ,OAAO,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,QAC3D;AAAA,MACF;AACA,aAAO,EAAE,SAAS,QAAQ,KAAK;AAAA,IACjC;AAEA,UAAM,OAAwB;AAAA,MAC5B,QAAQ,SAAS;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,IACF;AAEA,eAAW,OAAO,OAAO,KAAK,SAAS,OAAO,GAAG;AAC/C,YAAM,UAAU,SAAS,QAAQ,GAAG;AACpC,UAAI,CAAC,QAAS;AACd,YAAM,QAAS,QAAoC,GAAG;AAGtD,UAAI,QAAQ,UAAU,SAAS;AAC7B,YAAI,UAAU,UAAa,UAAU,MAAM;AAIzC,kBAAQ,GAAG,IAAI,EAAE,MAAM,SAAS,IAAI,MAAM,SAAS,CAAC,EAAE;AACtD;AAAA,QACF;AACA,YAAI,CAAC,MAAM,QAAQ,KAAK,GAAG;AACzB,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,uCAAuC,OAAO,KAAK;AAAA,UACrD;AAAA,QACF;AACA,cAAM,YAAY,QAAQ,aAAa;AACvC,YAAI,MAAM,SAAS,WAAW;AAC5B,gBAAM,IAAI,2BAA2B,KAAK,MAAM,QAAQ,SAAS;AAAA,QACnE;AACA,cAAM,UAAkE,CAAC;AACzE,cAAM,WAAW,oBAAI,IAAY;AACjC,iBAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,gBAAM,MAAM,MAAM,CAAC;AACnB,cAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,yBAAyB,CAAC,mCAAmC,QAAQ,OAAO,SAAS,OAAO,GAAG;AAAA,YACjG;AAAA,UACF;AACA,cAAI;AACJ,cAAI;AACF,yBAAa,QAAQ,IAAI,GAA8B;AAAA,UACzD,SAAS,KAAK;AACZ,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,gDAAgD,CAAC,QAC9C,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,YACpD;AAAA,UACF;AACA,cAAI,OAAO,eAAe,YAAY,WAAW,WAAW,GAAG;AAC7D,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,0BAA0B,OAAO,eAAe,WAAW,iBAAiB,OAAO,UAAU,aAAa,CAAC;AAAA,YAC7G;AAAA,UACF;AACA,cAAI,SAAS,IAAI,UAAU,GAAG;AAC5B,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,kBAAkB,UAAU,4BAA4B,CAAC;AAAA,YAC3D;AAAA,UACF;AACA,mBAAS,IAAI,UAAU;AACvB,kBAAQ,KAAK;AAAA,YACX,KAAK;AAAA,YACL,OAAO,EAAE,GAAI,KAAiC,cAAc,KAAK;AAAA,UACnE,CAAC;AAAA,QACH;AACA,gBAAQ,GAAG,IAAI,EAAE,MAAM,SAAS,IAAI,MAAM,QAAQ;AAClD;AAAA,MACF;AAGA,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,YAAI,QAAQ,aAAa,MAAM;AAG7B,kBAAQ,GAAG,IAAI,EAAE,MAAM,UAAU,OAAO,CAAC,GAAG,IAAI,MAAM,SAAS,KAAK;AACpE;AAAA,QACF;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,wBAAwB,UAAU,SAAY,cAAc,MAAM;AAAA,QACpE;AAAA,MACF;AACA,UAAI,OAAO,UAAU,UAAU;AAC7B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,wBAAwB,OAAO,KAAK;AAAA,QACtC;AAAA,MACF;AACA,cAAQ,GAAG,IAAI;AAAA,QACb,MAAM;AAAA,QACN,OAAO,EAAE,GAAI,OAAmC,cAAc,KAAK;AAAA,QACnE,IAAI;AAAA,MACN;AAAA,IACF;AACA,WAAO,EAAE,SAAS,QAAQ,MAAM;AAAA,EAClC;AACF;","names":[]}

package/dist/{chunk-SCZXXXU4.js → chunk-I6MX32UC.js}

@@ -1,3 +1,6 @@
+import {
+  dekKey
+} from "./chunk-DYBQG5PQ.js";
 import {
   generateULID
 } from "./chunk-FZU343FL.js";
@@ -6,35 +9,10 @@ import {
   encrypt,
   unwrapKey,
   wrapKey
-} from "./chunk-MR4424N3.js";
+} from "./chunk-WCA2NROQ.js";
 import {
-  DelegationTargetMissingError,
-  TierNotGrantedError
-} from "./chunk-ACLDOTNQ.js";
-
-// src/team/tiers.ts
-function dekKey(collection, tier) {
-  if (tier <= 0) return collection;
-  return `${collection}#${tier}`;
-}
-function effectiveClearance(keyring, collection) {
-  let max = 0;
-  const prefix = `${collection}#`;
-  for (const key of keyring.deks.keys()) {
-    if (!key.startsWith(prefix)) continue;
-    const suffix = key.slice(prefix.length);
-    const n = Number.parseInt(suffix, 10);
-    if (Number.isFinite(n) && n > max) max = n;
-  }
-  return max;
-}
-function assertTierAccess(keyring, collection, tier) {
-  if (tier <= 0) return;
-  if (keyring.role === "owner" || keyring.role === "admin") return;
-  if (!keyring.deks.has(dekKey(collection, tier))) {
-    throw new TierNotGrantedError(collection, tier);
-  }
-}
+  DelegationTargetMissingError
+} from "./chunk-ADQ5MQ54.js";
 
 // src/team/delegation.ts
 var DELEGATIONS_COLLECTION = "_delegations";
@@ -111,12 +89,9 @@ async function revokeDelegation(store, vault, id) {
 }
 
 export {
-  dekKey,
-  effectiveClearance,
-  assertTierAccess,
   DELEGATIONS_COLLECTION,
   issueDelegation,
   loadActiveDelegations,
   revokeDelegation
 };
-//# sourceMappingURL=chunk-SCZXXXU4.js.map
+//# sourceMappingURL=chunk-I6MX32UC.js.map

package/dist/chunk-I6MX32UC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/delegation.ts"],"sourcesContent":["/**\n * Time-boxed cross-tier delegation tokens.\n *\n * A higher-tier user can issue a delegation that grants another user\n * temporary access to records at a specified tier. The delegation is\n * persisted as an encrypted envelope in the reserved `_delegations`\n * collection. The target user's runtime scans this collection on every\n * open and, while `until` is still in the future, merges the\n * unwrapped tier DEKs into their in-memory DEK map.\n *\n * ## Token shape\n *\n * ```\n * {\n *   id,             // ULID, also the _delegations record id\n *   toUser,         // grantee user id\n *   fromUser,       // grantor user id (owner/admin/higher-tier principal)\n *   tier,           // tier being delegated\n *   collection,     // collection name OR null for \"every collection\"\n *   record,         // optional specific record id\n *   until,          // ISO timestamp — token expires at this instant\n *   wrappedDek,     // base64 AES-KW-wrapped tier DEK, wrapped under target KEK\n *   createdAt,      // ISO timestamp\n * }\n * ```\n *\n * The ciphertext is stored as a normal noy-db envelope — the\n * `_delegations` collection has its own DEK shared across all vault\n * users, so an operator can enumerate active delegations for audit\n * without being able to *use* them (the `wrappedDek` inside is still\n * keyed to the target user's KEK).\n *\n * ## Revocation\n *\n * Delete the `_delegations/<id>` envelope. The target user's runtime\n * reloads the delegation list at each open and at periodic intervals\n * (tracked by the caller — this module is pure logic).\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt, wrapKey, unwrapKey } from '../crypto.js'\nimport { dekKey } from './tiers.js'\nimport { DelegationTargetMissingError } from '../errors.js'\nimport { generateULID } from '../bundle/ulid.js'\n\nexport const DELEGATIONS_COLLECTION = '_delegations'\n\n/**\n * Durable payload of a delegation token. Encrypted under the vault's\n * `_delegations` DEK; the `wrappedDek` inside is additionally wrapped\n * under the target user's KEK.\n */\nexport interface DelegationToken {\n  readonly id: string\n  readonly toUser: string\n  readonly fromUser: string\n  readonly tier: number\n  /** Collection name or `null` for all collections. */\n  readonly collection: string | null\n  /** Optional specific record id scope. */\n  readonly record?: string\n  readonly until: string\n  readonly wrappedDek: string\n  readonly createdAt: string\n}\n\nexport interface IssueDelegationOptions {\n  readonly toUser: string\n  readonly tier: number\n  readonly collection?: string\n  readonly record?: string\n  readonly until: Date | string\n}\n\n/**\n * Build and persist a delegation token. The caller must hold a tier-N\n * DEK and must have already located the target user's keyring file\n * (so the `wrappedDek` can be re-wrapped against their KEK).\n */\nexport async function issueDelegation(\n  store: NoydbStore,\n  vault: string,\n  grantor: UnlockedKeyring,\n  targetKek: CryptoKey | null,\n  delegationsDek: CryptoKey,\n  opts: IssueDelegationOptions,\n): Promise<DelegationToken> {\n  if (!targetKek) {\n    throw new DelegationTargetMissingError(opts.toUser)\n  }\n  const tier = opts.tier\n  const collectionName = opts.collection ?? null\n  const dekLookupCollection = collectionName ?? ''\n  // Tier DEK to delegate — fetched from the grantor's own keyring.\n  const sourceDek = collectionName\n    ? grantor.deks.get(dekKey(collectionName, tier))\n    : undefined\n  if (!sourceDek) {\n    throw new DelegationTargetMissingError(\n      `grantor cannot find tier ${tier} DEK for ${dekLookupCollection || '(any)'}`,\n    )\n  }\n  const wrappedDek = await wrapKey(sourceDek, targetKek)\n\n  const until = typeof opts.until === 'string' ? opts.until : opts.until.toISOString()\n  const token: DelegationToken = {\n    id: generateULID(),\n    toUser: opts.toUser,\n    fromUser: grantor.userId,\n    tier,\n    collection: collectionName,\n    ...(opts.record && { record: opts.record }),\n    until,\n    wrappedDek,\n    createdAt: new Date().toISOString(),\n  }\n\n  const plaintext = JSON.stringify(token)\n  const { iv, data } = await encrypt(plaintext, delegationsDek)\n  const envelope: EncryptedEnvelope = {\n    _noydb: 1,\n    _v: 1,\n    _ts: token.createdAt,\n    _iv: iv,\n    _data: data,\n    _by: grantor.userId,\n  }\n  await store.put(vault, DELEGATIONS_COLLECTION, token.id, envelope)\n  return token\n}\n\n/**\n * Enumerate every live (non-expired) delegation addressed to `toUser`\n * and merge the unwrapped tier DEKs into their keyring. Returns the\n * list of merged delegations so the caller can register per-access\n * audit context.\n */\nexport async function loadActiveDelegations(\n  store: NoydbStore,\n  vault: string,\n  user: UnlockedKeyring,\n  delegationsDek: CryptoKey,\n  now: Date = new Date(),\n): Promise<DelegationToken[]> {\n  const ids = await store.list(vault, DELEGATIONS_COLLECTION)\n  const merged: DelegationToken[] = []\n  const nowIso = now.toISOString()\n  for (const id of ids) {\n    const env = await store.get(vault, DELEGATIONS_COLLECTION, id)\n    if (!env) continue\n    let token: DelegationToken\n    try {\n      const plaintext = await decrypt(env._iv, env._data, delegationsDek)\n      token = JSON.parse(plaintext) as DelegationToken\n    } catch {\n      continue\n    }\n    if (token.toUser !== user.userId) continue\n    if (token.until <= nowIso) continue\n\n    // A user without a KEK in memory (tier-3 PIN resume, wrap-DEKs\n    // tier-2 unlock, session restore) cannot unwrap delegation tokens\n    // — those were wrapped under the user's KEK at issue time. Skip\n    // this token; the consumer reaches it again at tier-1 unlock.\n    if (!user.kek) continue\n    let dek: CryptoKey\n    try {\n      dek = await unwrapKey(token.wrappedDek, user.kek)\n    } catch {\n      continue\n    }\n    const k = token.collection\n      ? dekKey(token.collection, token.tier)\n      : `__any#${token.tier}`\n    user.deks.set(k, dek)\n    merged.push(token)\n  }\n  return merged\n}\n\n/**\n * Revoke a delegation by id — the caller resolves the envelope and\n * issues a `delete`. Provided as a stable helper so the naming is\n * symmetric to `issueDelegation`.\n */\nexport async function revokeDelegation(\n  store: NoydbStore,\n  vault: string,\n  id: string,\n): Promise<void> {\n  await store.delete(vault, DELEGATIONS_COLLECTION, id)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAgDO,IAAM,yBAAyB;AAkCtC,eAAsB,gBACpB,OACA,OACA,SACA,WACA,gBACA,MAC0B;AAC1B,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,6BAA6B,KAAK,MAAM;AAAA,EACpD;AACA,QAAM,OAAO,KAAK;AAClB,QAAM,iBAAiB,KAAK,cAAc;AAC1C,QAAM,sBAAsB,kBAAkB;AAE9C,QAAM,YAAY,iBACd,QAAQ,KAAK,IAAI,OAAO,gBAAgB,IAAI,CAAC,IAC7C;AACJ,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR,4BAA4B,IAAI,YAAY,uBAAuB,OAAO;AAAA,IAC5E;AAAA,EACF;AACA,QAAM,aAAa,MAAM,QAAQ,WAAW,SAAS;AAErD,QAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,KAAK,MAAM,YAAY;AACnF,QAAM,QAAyB;AAAA,IAC7B,IAAI,aAAa;AAAA,IACjB,QAAQ,KAAK;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,YAAY;AAAA,IACZ,GAAI,KAAK,UAAU,EAAE,QAAQ,KAAK,OAAO;AAAA,IACzC;AAAA,IACA;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,EACpC;AAEA,QAAM,YAAY,KAAK,UAAU,KAAK;AACtC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,cAAc;AAC5D,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK,MAAM;AAAA,IACX,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AACA,QAAM,MAAM,IAAI,OAAO,wBAAwB,MAAM,IAAI,QAAQ;AACjE,SAAO;AACT;AAQA,eAAsB,sBACpB,OACA,OACA,MACA,gBACA,MAAY,oBAAI,KAAK,GACO;AAC5B,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,sBAAsB;AAC1D,QAAM,SAA4B,CAAC;AACnC,QAAM,SAAS,IAAI,YAAY;AAC/B,aAAW,MAAM,KAAK;AACpB,UAAM,MAAM,MAAM,MAAM,IAAI,OAAO,wBAAwB,EAAE;AAC7D,QAAI,CAAC,IAAK;AACV,QAAI;AACJ,QAAI;AACF,YAAM,YAAY,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,cAAc;AAClE,cAAQ,KAAK,MAAM,SAAS;AAAA,IAC9B,QAAQ;AACN;AAAA,IACF;AACA,QAAI,MAAM,WAAW,KAAK,OAAQ;AAClC,QAAI,MAAM,SAAS,OAAQ;AAM3B,QAAI,CAAC,KAAK,IAAK;AACf,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,UAAU,MAAM,YAAY,KAAK,GAAG;AAAA,IAClD,QAAQ;AACN;AAAA,IACF;AACA,UAAM,IAAI,MAAM,aACZ,OAAO,MAAM,YAAY,MAAM,IAAI,IACnC,SAAS,MAAM,IAAI;AACvB,SAAK,KAAK,IAAI,GAAG,GAAG;AACpB,WAAO,KAAK,KAAK;AAAA,EACnB;AACA,SAAO;AACT;AAOA,eAAsB,iBACpB,OACA,OACA,IACe;AACf,QAAM,MAAM,OAAO,OAAO,wBAAwB,EAAE;AACtD;","names":[]}

package/dist/{chunk-VQBTTTUN.js → chunk-KESP7GOK.js}

@@ -4,13 +4,13 @@ import {
 import {
   base64ToBuffer,
   bufferToBase64
-} from "./chunk-MR4424N3.js";
+} from "./chunk-WCA2NROQ.js";
 import {
   SessionExpiredError,
   SessionNotFoundError,
   SessionPolicyError,
   ValidationError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-ADQ5MQ54.js";
 
 // src/session/session.ts
 var subtle = globalThis.crypto.subtle;
@@ -299,7 +299,7 @@ async function enableDevUnlock(vault, userId, keyring, options) {
     "color: red; font-size: 16px; font-weight: bold",
     `
 
-Compartment "${vault}" user "${userId}" is stored in ${options.persistAcrossTabs ? "localStorage" : "sessionStorage"} in PLAINTEXT DEKs.
+Vault "${vault}" user "${userId}" is stored in ${options.persistAcrossTabs ? "localStorage" : "sessionStorage"} in PLAINTEXT DEKs.
 This is ONLY safe for local development. Never use in production.
 Call clearDevUnlock() to remove.`
   );
@@ -364,4 +364,4 @@ export {
   clearDevUnlock,
   isDevUnlockActive
 };
-//# sourceMappingURL=chunk-VQBTTTUN.js.map
+//# sourceMappingURL=chunk-KESP7GOK.js.map