@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/{chunk-VQBTTTUN.js.map → chunk-KESP7GOK.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/session/session.ts","../src/session/session-policy.ts","../src/session/dev-unlock.ts"],"sourcesContent":["/**\n * Session tokens —\n *\n * After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-\n * link), the caller can call `createSession()` to get a session token that\n * allows re-establishing the KEK for the session lifetime without re-running\n * PBKDF2 or any interactive auth challenge.\n *\n * Security model\n * ──────────────\n * A session consists of two pieces that must both be present to recover the\n * KEK:\n *\n *   1. The **session key** — a non-extractable AES-256-GCM CryptoKey that\n *      exists only in memory. \"Non-extractable\" is enforced by the WebCrypto\n *      API: the key object cannot be serialized, exported, or sent over\n *      postMessage. When the JS context is GC'd (tab close, navigation away,\n *      worker termination) the key becomes unrecoverable.\n *\n *   2. The **session token** — a JSON object that carries the KEK wrapped\n *      with the session key (AES-256-GCM, fresh IV per session), plus\n *      unencrypted session metadata (sessionId, userId, vault, role,\n *      expiresAt). The token can be serialized to JSON and stored in\n *      sessionStorage or passed across callsites within the same tab, but\n *      it is useless without the session key.\n *\n * The session key is kept in a module-level Map indexed by sessionId. Callers\n * that need to re-use a session must hold on to the sessionId returned from\n * `createSession()`; the key is looked up automatically by `resolveSession()`.\n *\n * Revocation: `revokeSession()` removes the entry from the Map. Because the\n * key is non-extractable, removal is sufficient — no one holds a serializable\n * copy of the key.\n *\n * Tab-scoped lifetime: the module-level Map lives only as long as the JS\n * module. Tab close → module unloaded → Map GC'd → all session keys gone.\n * This is the zero-effort logout: closing the tab is always a secure logout.\n *\n * Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`\n * checks `expiresAt` and throws `SessionExpiredError` if the token is stale,\n * even if the session key is still in the Map.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { Role } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { SessionExpiredError, SessionNotFoundError } from '../errors.js'\n\nconst subtle = globalThis.crypto.subtle\n\n// Default session TTL: 60 minutes\nconst DEFAULT_TTL_MS = 60 * 60 * 1000\n\n// Module-level session key store. Tab-scoped by construction.\nconst sessionKeyStore = new Map<string, CryptoKey>()\n\n// ─── Public types ──────────────────────────────────────────────────────\n\n/** The serializable part of a session token. Safe to store in sessionStorage. */\nexport interface SessionToken {\n  readonly _noydb_session: 1\n  /** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */\n  readonly sessionId: string\n  readonly userId: string\n  readonly vault: string\n  readonly role: Role\n  /** ISO timestamp — resolveSession() rejects this token after this time. */\n  readonly expiresAt: string\n  /** KEK wrapped with the session key (AES-256-GCM). Base64. */\n  readonly wrappedKek: string\n  /** IV used for the wrapping operation. Base64. */\n  readonly kekIv: string\n}\n\n/** Result returned from `createSession()`. */\nexport interface CreateSessionResult {\n  /** Serializable token — store in sessionStorage or pass to `resolveSession()`. */\n  token: SessionToken\n  /** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */\n  sessionId: string\n}\n\n/** Options for `createSession()`. */\nexport interface CreateSessionOptions {\n  /**\n   * Session lifetime in milliseconds. Defaults to 60 minutes.\n   * After this duration, `resolveSession()` throws `SessionExpiredError`.\n   */\n  ttlMs?: number\n}\n\n// ─── Core session operations ───────────────────────────────────────────\n\n/**\n * Create a session for an already-unlocked keyring.\n *\n * Call this after any successful unlock (passphrase, WebAuthn, OIDC,\n * magic-link). The returned `sessionId` is the handle for later\n * `resolveSession()` and `revokeSession()` calls.\n *\n * The session key is generated fresh (non-extractable) and stored in the\n * module-level Map. The KEK from `keyring.kek` is exported (it must be\n * extractable — it was derived by `deriveKey()` which sets extractable: false,\n * but it's unwrapped from the keyring which sets extractable: true) and then\n * re-wrapped with the session key.\n *\n * @param keyring - An already-unlocked keyring whose `kek` is available.\n * @param vault - The vault name this session is scoped to.\n * @param options - Optional session configuration.\n */\nexport async function createSession(\n  keyring: UnlockedKeyring,\n  vault: string,\n  options: CreateSessionOptions = {},\n): Promise<CreateSessionResult> {\n  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS\n  const sessionId = generateULID()\n  const expiresAt = new Date(Date.now() + ttlMs).toISOString()\n\n  // Generate a fresh non-extractable session key.\n  // AES-256-GCM is used here (rather than AES-KW) because the session key\n  // wraps raw key bytes (the exported KEK) rather than a CryptoKey object.\n  const sessionKey = await subtle.generateKey(\n    { name: 'AES-GCM', length: 256 },\n    false, // non-extractable — this is the tab-scope security invariant\n    ['encrypt', 'decrypt'],\n  )\n\n  // Export the KEK as raw bytes so we can wrap it.\n  // The KEK is AES-256-KW, which must have been importable (extractable: true)\n  // to allow wrapKey — it is, because unwrapKey sets extractable: true for\n  // DEKs, but the KEK itself is derived with extractable: false (see\n  // crypto.ts deriveKey). We use a separate raw export + encrypt path.\n  //\n  // Wait — the KEK is AES-KW with extractable:false. We cannot export it.\n  // Instead, we wrap the DEKs (which ARE extractable) and the salt+role+userId\n  // metadata together. This means resolveSession() reconstructs an\n  // UnlockedKeyring by re-wrapping the DEKs list from the token.\n  //\n  // Simpler approach: export each DEK (they're extractable) and encrypt\n  // the serialized DEK map with the session key. The keyring is reconstructed\n  // from the session token without the original KEK — only DEKs matter for\n  // record operations.\n  //\n  // This is the right design: sessions don't need the KEK (no re-grant,\n  // no re-derive during session lifetime). They need the DEK set.\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n  const encrypted = await subtle.encrypt(\n    { name: 'AES-GCM', iv },\n    sessionKey,\n    new TextEncoder().encode(payload),\n  )\n\n  const token: SessionToken = {\n    _noydb_session: 1,\n    sessionId,\n    userId: keyring.userId,\n    vault,\n    role: keyring.role,\n    expiresAt,\n    wrappedKek: bufferToBase64(encrypted),\n    kekIv: bufferToBase64(iv),\n  }\n\n  sessionKeyStore.set(sessionId, sessionKey)\n  return { token, sessionId }\n}\n\n/**\n * Resolve a session token back into an UnlockedKeyring.\n *\n * Looks up the session key by `sessionId`, checks the token is not expired,\n * then decrypts the payload to reconstruct the keyring's DEK set.\n *\n * Throws `SessionExpiredError` if the token's `expiresAt` is in the past.\n * Throws `SessionNotFoundError` if the session key is not in the store\n * (tab was reloaded, session was revoked, or the sessionId is wrong).\n *\n * @param token - The SessionToken from `createSession()`.\n */\nexport async function resolveSession(token: SessionToken): Promise<UnlockedKeyring> {\n  // Expiry check first — fast path without touching crypto\n  if (Date.now() > new Date(token.expiresAt).getTime()) {\n    sessionKeyStore.delete(token.sessionId)\n    throw new SessionExpiredError(token.sessionId)\n  }\n\n  const sessionKey = sessionKeyStore.get(token.sessionId)\n  if (!sessionKey) {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const iv = base64ToBuffer(token.kekIv)\n  const ciphertext = base64ToBuffer(token.wrappedKek)\n\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      sessionKey,\n      ciphertext,\n    )\n  } catch {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const payload = JSON.parse(new TextDecoder().decode(plaintext)) as {\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(payload.deks)) {\n    const dek = await subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: payload.userId,\n    displayName: payload.displayName,\n    role: payload.role,\n    permissions: payload.permissions,\n    deks,\n    kek: null, // KEK not available in session context\n    salt: base64ToBuffer(payload.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Revoke a session by removing its key from the store.\n *\n * After revocation, `resolveSession()` will throw `SessionNotFoundError`\n * for this sessionId. The session token (if held by the caller) becomes\n * permanently useless. This is the explicit logout path.\n *\n * No-op if the session was already expired or does not exist.\n */\nexport function revokeSession(sessionId: string): void {\n  sessionKeyStore.delete(sessionId)\n}\n\n/**\n * Check if a session is still alive (key in store + not expired).\n * Does not decrypt anything — purely a metadata check.\n */\nexport function isSessionAlive(token: SessionToken): boolean {\n  if (Date.now() > new Date(token.expiresAt).getTime()) return false\n  return sessionKeyStore.has(token.sessionId)\n}\n\n/**\n * Revoke all active sessions. Used by `Noydb.close()` to ensure that\n * closing the instance destroys all session state, not just the keyring\n * cache.\n */\nexport function revokeAllSessions(): void {\n  sessionKeyStore.clear()\n}\n\n/**\n * Return the number of active sessions currently in the store.\n * Useful for diagnostics and tests.\n */\nexport function activeSessionCount(): number {\n  return sessionKeyStore.size\n}\n","/**\n * Session policies —\n *\n * A `SessionPolicy` is a small declarative object that controls how long a\n * session lives and which operations require re-authentication. It is\n * evaluated by the `PolicyEnforcer` class, which the Noydb instance\n * integrates to replace the bare `sessionTimeout` timer from.\n *\n * Design decisions\n * ────────────────\n * Policies are stateless value objects — no timers, no event listeners.\n * The Noydb instance is the stateful coordinator: it holds the enforcer,\n * calls `enforcer.touch()` on every operation, and calls\n * `enforcer.checkOperation()` before high-risk operations.\n *\n * This keeps the policy module easy to unit-test (no global timers to mock)\n * and avoids the \"who owns cleanup\" problem that comes with timer-based\n * callbacks embedded in a value object.\n *\n * `lockOnBackground` registers a `visibilitychange` listener on the document\n * at enforcer creation time and removes it on `destroy()`. It is a no-op in\n * non-browser environments (no `document`).\n */\n\nimport type { SessionPolicy, ReAuthOperation } from '../types.js'\nimport { SessionExpiredError, SessionPolicyError } from '../errors.js'\nimport { revokeSession } from './session.js'\n\n// ─── PolicyEnforcer ────────────────────────────────────────────────────\n\nexport interface PolicyEnforcerOptions {\n  /** The policy to enforce. */\n  policy: SessionPolicy\n  /** The session ID to revoke when idle/absolute timeouts fire. */\n  sessionId: string\n  /**\n   * Called when the policy decides the session should end (idle timeout,\n   * absolute timeout, or lockOnBackground). Use this to trigger the\n   * same cleanup that `Noydb.close()` would perform.\n   */\n  onRevoke: (reason: 'idle' | 'absolute' | 'background') => void\n}\n\n/**\n * Stateful enforcer for a single session policy.\n *\n * Create one per open session, call `touch()` on every operation,\n * call `checkOperation(op)` before export/grant/revoke/rotate/changeSecret,\n * and call `destroy()` when the session ends.\n */\nexport class PolicyEnforcer {\n  private readonly policy: SessionPolicy\n  private readonly sessionId: string\n  private readonly onRevoke: PolicyEnforcerOptions['onRevoke']\n  private readonly createdAt: number\n  private lastActivityAt: number\n  private idleTimer: ReturnType<typeof setTimeout> | null = null\n  private absoluteTimer: ReturnType<typeof setTimeout> | null = null\n  private visibilityHandler: (() => void) | null = null\n\n  constructor(opts: PolicyEnforcerOptions) {\n    this.policy = opts.policy\n    this.sessionId = opts.sessionId\n    this.onRevoke = opts.onRevoke\n    this.createdAt = Date.now()\n    this.lastActivityAt = Date.now()\n\n    this.scheduleIdleTimer()\n    this.scheduleAbsoluteTimer()\n    this.registerBackgroundLock()\n  }\n\n  /**\n   * Record an activity timestamp and reset the idle timer.\n   * Call this at the top of every Noydb public method.\n   */\n  touch(): void {\n    this.lastActivityAt = Date.now()\n    this.scheduleIdleTimer()\n  }\n\n  /**\n   * Check whether the given operation is allowed under the active policy.\n   * Throws `SessionPolicyError` if the operation requires re-authentication.\n   * Throws `SessionExpiredError` if the absolute timeout has been exceeded\n   * (defensive check in case the timer fired before the call arrived).\n   *\n   * This is a synchronous check — callers don't await it.\n   */\n  checkOperation(op: ReAuthOperation): void {\n    // Defensive absolute-timeout check (timer may have fired late)\n    const { absoluteTimeoutMs } = this.policy\n    if (absoluteTimeoutMs !== undefined && Date.now() - this.createdAt >= absoluteTimeoutMs) {\n      this.expire('absolute')\n      throw new SessionExpiredError(this.sessionId)\n    }\n\n    const required = this.policy.requireReAuthFor ?? []\n    if (required.includes(op)) {\n      throw new SessionPolicyError(op)\n    }\n  }\n\n  /**\n   * Tear down timers and background-lock listener. Call from `Noydb.close()`\n   * and whenever the session is revoked externally.\n   */\n  destroy(): void {\n    if (this.idleTimer) {\n      clearTimeout(this.idleTimer)\n      this.idleTimer = null\n    }\n    if (this.absoluteTimer) {\n      clearTimeout(this.absoluteTimer)\n      this.absoluteTimer = null\n    }\n    if (this.visibilityHandler && typeof document !== 'undefined') {\n      document.removeEventListener('visibilitychange', this.visibilityHandler)\n      this.visibilityHandler = null\n    }\n  }\n\n  /** How long since the last activity, in ms. */\n  get idleMs(): number {\n    return Date.now() - this.lastActivityAt\n  }\n\n  /** How long since session creation, in ms. */\n  get ageMs(): number {\n    return Date.now() - this.createdAt\n  }\n\n  // ── Private ──────────────────────────────────────────────────────────\n\n  private scheduleIdleTimer(): void {\n    const { idleTimeoutMs } = this.policy\n    if (!idleTimeoutMs) return\n\n    if (this.idleTimer) clearTimeout(this.idleTimer)\n    this.idleTimer = setTimeout(() => {\n      this.expire('idle')\n    }, idleTimeoutMs)\n  }\n\n  private scheduleAbsoluteTimer(): void {\n    const { absoluteTimeoutMs } = this.policy\n    if (!absoluteTimeoutMs) return\n\n    if (this.absoluteTimer) clearTimeout(this.absoluteTimer)\n    this.absoluteTimer = setTimeout(() => {\n      this.expire('absolute')\n    }, absoluteTimeoutMs)\n  }\n\n  private registerBackgroundLock(): void {\n    if (!this.policy.lockOnBackground) return\n    if (typeof document === 'undefined') return\n\n    this.visibilityHandler = () => {\n      if (document.hidden) {\n        this.expire('background')\n      }\n    }\n    document.addEventListener('visibilitychange', this.visibilityHandler)\n  }\n\n  private expire(reason: 'idle' | 'absolute' | 'background'): void {\n    this.destroy()\n    revokeSession(this.sessionId)\n    this.onRevoke(reason)\n  }\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/**\n * Build a `PolicyEnforcer` from a policy + session token, and return it\n * alongside a cleanup function. Convenience wrapper for Noydb.\n */\nexport function createEnforcer(opts: PolicyEnforcerOptions): PolicyEnforcer {\n  return new PolicyEnforcer(opts)\n}\n\n/**\n * Validate that a `SessionPolicy` is well-formed.\n * Throws a plain `Error` (not `NoydbError`) because this is a developer\n * error — invalid policies passed at construction time, not at runtime.\n */\nexport function validateSessionPolicy(policy: SessionPolicy): void {\n  const { idleTimeoutMs, absoluteTimeoutMs } = policy\n  if (idleTimeoutMs !== undefined && (typeof idleTimeoutMs !== 'number' || idleTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`)\n  }\n  if (absoluteTimeoutMs !== undefined && (typeof absoluteTimeoutMs !== 'number' || absoluteTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`)\n  }\n  if (idleTimeoutMs !== undefined && absoluteTimeoutMs !== undefined && idleTimeoutMs >= absoluteTimeoutMs) {\n    throw new Error(\n      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`,\n    )\n  }\n}\n","/**\n * Dev-mode persistent unlock —\n *\n * Solves the developer inner-loop friction: hot-reload destroys the session\n * (page navigation semantics), forcing a passphrase re-entry every refresh.\n *\n * This module provides an opt-in, deliberately-named escape hatch that lets\n * developers store the keyring payload in sessionStorage or localStorage so\n * the vault auto-unlocks on every page load — without a passphrase,\n * without a biometric prompt, without any OIDC flow.\n *\n * ⚠️ WARNING — this is a loaded footgun ⚠️\n * ─────────────────────────────────────────\n * The keyring payload stored by this module contains the DEKs. Whoever has\n * access to sessionStorage/localStorage has access to the DEKs. On a shared\n * development machine, a compromised browser extension, or a mis-configured\n * origin, this is a complete key exposure.\n *\n * This module is ONLY safe for local development. It must NEVER be active\n * in production builds.\n *\n * Guardrails (all enforced by the module, not by the caller)\n * ──────────────────────────────────────────────────────────\n * 1. **Production guard:** `enableDevUnlock()` throws immediately if\n *    `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`\n *    (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.\n *\n * 2. **Explicit acknowledgement string:** the caller must pass\n *    `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call\n *    throws. This string appears in every grep for `devUnlock` in the codebase,\n *    making it impossible to enable this feature accidentally.\n *\n * 3. **Scope is vault + userId:** the storage key includes both the\n *    vault name and the userId, so dev-unlock for vault-A does\n *    NOT auto-unlock vault-B.\n *\n * 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).\n *    `localStorage` is opt-in and requires an additional\n *    `persistAcrossTabs: true` flag in the options.\n *\n * 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire\n *    this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.\n *\n * 6. **Console banner:** on first enable, a highly visible console warning\n *    fires. Cannot be suppressed.\n *\n * Usage\n * ─────\n * ```ts\n * // In your dev entry point only (guarded by import.meta.env.DEV):\n * if (import.meta.env.DEV) {\n *   const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')\n *   enableDevUnlock('my-compartment', 'alice', keyring, {\n *     acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',\n *   })\n * }\n *\n * // On page load:\n * if (import.meta.env.DEV) {\n *   const keyring = await loadDevUnlock('my-compartment', 'alice')\n *   if (keyring) {\n *     // Skip unlock prompt, use keyring directly\n *   }\n * }\n * ```\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { Role } from '../types.js'\n\n// The exact acknowledgement string callers must pass\nconst REQUIRED_ACKNOWLEDGE = 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'\n\nconst STORAGE_PREFIX = 'noydb:dev-unlock:'\n\n// ─── Options ──────────────────────────────────────────────────────────\n\nexport interface DevUnlockOptions {\n  /**\n   * Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.\n   * Any other value causes `enableDevUnlock()` to throw.\n   */\n  acknowledge: string\n  /**\n   * If `true`, stores in localStorage (persists across tabs and browser restarts).\n   * If `false` (default), stores in sessionStorage (cleared on tab close).\n   */\n  persistAcrossTabs?: boolean\n}\n\n// ─── Production guard ─────────────────────────────────────────────────\n\nfunction assertDevEnvironment(): void {\n  // Node.js: check NODE_ENV\n  if (\n    typeof process !== 'undefined' &&\n    process.env.NODE_ENV === 'production'\n  ) {\n    throw new ValidationError(\n      'devUnlock is not available in production builds. ' +\n      'process.env.NODE_ENV is \"production\".',\n    )\n  }\n\n  // Vite / build tool convention\n  if (\n    typeof globalThis !== 'undefined' &&\n    (globalThis as Record<string, unknown>).__vite_is_production__ === true\n  ) {\n    throw new ValidationError('devUnlock is not available in production builds.')\n  }\n\n  // Browser: only allow on localhost\n  if (\n    typeof window !== 'undefined' &&\n    typeof window.location !== 'undefined'\n  ) {\n    const host = window.location.hostname\n    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '::1' && !host.endsWith('.local')) {\n      throw new ValidationError(\n        `devUnlock is only available on localhost. Current hostname: \"${host}\". ` +\n        'Set NODE_ENV=development and run on localhost to use dev unlock.',\n      )\n    }\n  }\n}\n\n// ─── Storage key ──────────────────────────────────────────────────────\n\nfunction storageKey(vault: string, userId: string): string {\n  return `${STORAGE_PREFIX}${vault}:${userId}`\n}\n\nfunction resolveStorage(persistAcrossTabs?: boolean): Storage {\n  if (typeof window === 'undefined') {\n    throw new ValidationError('devUnlock requires a browser environment (window.sessionStorage / window.localStorage).')\n  }\n  return persistAcrossTabs ? window.localStorage : window.sessionStorage\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Serialize and store a keyring to browser storage for dev-mode auto-unlock.\n *\n * Throws immediately if:\n *   - The acknowledge string is wrong.\n *   - Running in a production environment (NODE_ENV=production).\n *   - Running on a non-localhost hostname.\n *\n * Emits a highly visible console warning that cannot be suppressed.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param keyring - The unlocked keyring to persist.\n * @param options - Options including the required acknowledge string.\n */\nexport async function enableDevUnlock(\n  vault: string,\n  userId: string,\n  keyring: UnlockedKeyring,\n  options: DevUnlockOptions,\n): Promise<void> {\n  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {\n    throw new ValidationError(\n      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. ` +\n      `Got: '${options.acknowledge}'. This is intentional — the full string must appear in your source.`,\n    )\n  }\n\n  assertDevEnvironment()\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    _noydb_dev_unlock: 1,\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  storage.setItem(storageKey(vault, userId), payload)\n\n  // Visible, unsuppressable warning\n  console.warn(\n    '%c⚠️ NOYDB DEV UNLOCK ACTIVE ⚠️',\n    'color: red; font-size: 16px; font-weight: bold',\n    `\\n\\nCompartment \"${vault}\" user \"${userId}\" is stored in ` +\n    `${options.persistAcrossTabs ? 'localStorage' : 'sessionStorage'} in PLAINTEXT DEKs.\\n` +\n    'This is ONLY safe for local development. Never use in production.\\n' +\n    'Call clearDevUnlock() to remove.',\n  )\n}\n\n/**\n * Load a dev-mode keyring from browser storage.\n *\n * Returns `null` if no dev-unlock state is stored for this vault + user,\n * or if the stored payload is malformed.\n *\n * Does NOT perform the production environment check — it's safe to CALL\n * `loadDevUnlock` in production (it will simply return `null` because no\n * dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param options - Optional storage override.\n */\nexport async function loadDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): Promise<UnlockedKeyring | null> {\n  if (typeof window === 'undefined') return null\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n  const raw = storage.getItem(storageKey(vault, userId))\n  if (!raw) return null\n\n  let parsed: {\n    _noydb_dev_unlock?: number\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n  try {\n    parsed = JSON.parse(raw)\n  } catch {\n    return null\n  }\n\n  if (parsed._noydb_dev_unlock !== 1) return null\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n    const dek = await globalThis.crypto.subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: parsed.userId,\n    displayName: parsed.displayName,\n    role: parsed.role,\n    permissions: parsed.permissions,\n    deks,\n    kek: null,\n    salt: base64ToBuffer(parsed.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Remove dev-unlock state from browser storage.\n *\n * Safe to call in production (no-op if no dev state exists).\n */\nexport function clearDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): void {\n  if (typeof window === 'undefined') return\n  const storage = resolveStorage(options.persistAcrossTabs)\n  storage.removeItem(storageKey(vault, userId))\n}\n\n/**\n * Check if dev-unlock state exists for this vault + user.\n *\n * Safe to call in production (returns false if nothing is stored).\n */\nexport function isDevUnlockActive(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): boolean {\n  if (typeof window === 'undefined') return false\n  const storage = resolveStorage(options.persistAcrossTabs)\n  return storage.getItem(storageKey(vault, userId)) !== null\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiDA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,iBAAiB,KAAK,KAAK;AAGjC,IAAM,kBAAkB,oBAAI,IAAuB;AAwDnD,eAAsB,cACpB,SACA,OACA,UAAgC,CAAC,GACH;AAC9B,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,YAAY,aAAa;AAC/B,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,EAAE,YAAY;AAK3D,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAqBA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,QAAM,QAAsB;AAAA,IAC1B,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,YAAY,eAAe,SAAS;AAAA,IACpC,OAAO,eAAe,EAAE;AAAA,EAC1B;AAEA,kBAAgB,IAAI,WAAW,UAAU;AACzC,SAAO,EAAE,OAAO,UAAU;AAC5B;AAcA,eAAsB,eAAe,OAA+C;AAElF,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,GAAG;AACpD,oBAAgB,OAAO,MAAM,SAAS;AACtC,UAAM,IAAI,oBAAoB,MAAM,SAAS;AAAA,EAC/C;AAEA,QAAM,aAAa,gBAAgB,IAAI,MAAM,SAAS;AACtD,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,KAAK,eAAe,MAAM,KAAK;AACrC,QAAM,aAAa,eAAe,MAAM,UAAU;AAElD,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO;AAAA,MACvB,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS9D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AAChE,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB;AAAA,IACA,KAAK;AAAA;AAAA,IACL,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAWO,SAAS,cAAc,WAAyB;AACrD,kBAAgB,OAAO,SAAS;AAClC;AAMO,SAAS,eAAe,OAA8B;AAC3D,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,EAAG,QAAO;AAC7D,SAAO,gBAAgB,IAAI,MAAM,SAAS;AAC5C;AAOO,SAAS,oBAA0B;AACxC,kBAAgB,MAAM;AACxB;AAMO,SAAS,qBAA6B;AAC3C,SAAO,gBAAgB;AACzB;;;ACnPO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAAkD;AAAA,EAClD,gBAAsD;AAAA,EACtD,oBAAyC;AAAA,EAEjD,YAAY,MAA6B;AACvC,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AACtB,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,iBAAiB,KAAK,IAAI;AAE/B,SAAK,kBAAkB;AACvB,SAAK,sBAAsB;AAC3B,SAAK,uBAAuB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,iBAAiB,KAAK,IAAI;AAC/B,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,IAA2B;AAExC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,sBAAsB,UAAa,KAAK,IAAI,IAAI,KAAK,aAAa,mBAAmB;AACvF,WAAK,OAAO,UAAU;AACtB,YAAM,IAAI,oBAAoB,KAAK,SAAS;AAAA,IAC9C;AAEA,UAAM,WAAW,KAAK,OAAO,oBAAoB,CAAC;AAClD,QAAI,SAAS,SAAS,EAAE,GAAG;AACzB,YAAM,IAAI,mBAAmB,EAAE;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AACd,QAAI,KAAK,WAAW;AAClB,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AACA,QAAI,KAAK,eAAe;AACtB,mBAAa,KAAK,aAAa;AAC/B,WAAK,gBAAgB;AAAA,IACvB;AACA,QAAI,KAAK,qBAAqB,OAAO,aAAa,aAAa;AAC7D,eAAS,oBAAoB,oBAAoB,KAAK,iBAAiB;AACvE,WAAK,oBAAoB;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,SAAiB;AACnB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAGA,IAAI,QAAgB;AAClB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAIQ,oBAA0B;AAChC,UAAM,EAAE,cAAc,IAAI,KAAK;AAC/B,QAAI,CAAC,cAAe;AAEpB,QAAI,KAAK,UAAW,cAAa,KAAK,SAAS;AAC/C,SAAK,YAAY,WAAW,MAAM;AAChC,WAAK,OAAO,MAAM;AAAA,IACpB,GAAG,aAAa;AAAA,EAClB;AAAA,EAEQ,wBAA8B;AACpC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,CAAC,kBAAmB;AAExB,QAAI,KAAK,cAAe,cAAa,KAAK,aAAa;AACvD,SAAK,gBAAgB,WAAW,MAAM;AACpC,WAAK,OAAO,UAAU;AAAA,IACxB,GAAG,iBAAiB;AAAA,EACtB;AAAA,EAEQ,yBAA+B;AACrC,QAAI,CAAC,KAAK,OAAO,iBAAkB;AACnC,QAAI,OAAO,aAAa,YAAa;AAErC,SAAK,oBAAoB,MAAM;AAC7B,UAAI,SAAS,QAAQ;AACnB,aAAK,OAAO,YAAY;AAAA,MAC1B;AAAA,IACF;AACA,aAAS,iBAAiB,oBAAoB,KAAK,iBAAiB;AAAA,EACtE;AAAA,EAEQ,OAAO,QAAkD;AAC/D,SAAK,QAAQ;AACb,kBAAc,KAAK,SAAS;AAC5B,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAQO,SAAS,eAAe,MAA6C;AAC1E,SAAO,IAAI,eAAe,IAAI;AAChC;AAOO,SAAS,sBAAsB,QAA6B;AACjE,QAAM,EAAE,eAAe,kBAAkB,IAAI;AAC7C,MAAI,kBAAkB,WAAc,OAAO,kBAAkB,YAAY,iBAAiB,IAAI;AAC5F,UAAM,IAAI,MAAM,8DAA8D,aAAa,EAAE;AAAA,EAC/F;AACA,MAAI,sBAAsB,WAAc,OAAO,sBAAsB,YAAY,qBAAqB,IAAI;AACxG,UAAM,IAAI,MAAM,kEAAkE,iBAAiB,EAAE;AAAA,EACvG;AACA,MAAI,kBAAkB,UAAa,sBAAsB,UAAa,iBAAiB,mBAAmB;AACxG,UAAM,IAAI;AAAA,MACR,gCAAgC,aAAa,4CAA4C,iBAAiB;AAAA,IAC5G;AAAA,EACF;AACF;;;AChIA,IAAM,uBAAuB;AAE7B,IAAM,iBAAiB;AAmBvB,SAAS,uBAA6B;AAEpC,MACE,OAAO,YAAY,eACnB,QAAQ,IAAI,aAAa,cACzB;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MACE,OAAO,eAAe,eACrB,WAAuC,2BAA2B,MACnE;AACA,UAAM,IAAI,gBAAgB,kDAAkD;AAAA,EAC9E;AAGA,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,aAAa,aAC3B;AACA,UAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,SAAS,eAAe,SAAS,eAAe,SAAS,SAAS,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,gEAAgE,IAAI;AAAA,MAEtE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,WAAW,OAAe,QAAwB;AACzD,SAAO,GAAG,cAAc,GAAG,KAAK,IAAI,MAAM;AAC5C;AAEA,SAAS,eAAe,mBAAsC;AAC5D,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,gBAAgB,yFAAyF;AAAA,EACrH;AACA,SAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D;AAmBA,eAAsB,gBACpB,OACA,QACA,SACA,SACe;AACf,MAAI,QAAQ,gBAAgB,sBAAsB;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,oBAAoB,YAC/C,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AAEA,uBAAqB;AAErB,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AAExD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,mBAAmB;AAAA,IACnB,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,UAAQ,QAAQ,WAAW,OAAO,MAAM,GAAG,OAAO;AAGlD,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA;AAAA,eAAoB,KAAK,WAAW,MAAM,kBACvC,QAAQ,oBAAoB,iBAAiB,gBAAgB;AAAA;AAAA;AAAA,EAGlE;AACF;AAgBA,eAAsB,cACpB,OACA,QACA,UAA2C,CAAC,GACX;AACjC,MAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,QAAM,MAAM,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC;AACrD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI;AASJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,sBAAsB,EAAG,QAAO;AAE3C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,IAChC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAOO,SAAS,eACd,OACA,QACA,UAA2C,CAAC,GACtC;AACN,MAAI,OAAO,WAAW,YAAa;AACnC,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,UAAQ,WAAW,WAAW,OAAO,MAAM,CAAC;AAC9C;AAOO,SAAS,kBACd,OACA,QACA,UAA2C,CAAC,GACnC;AACT,MAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,SAAO,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC,MAAM;AACxD;","names":[]}
+{"version":3,"sources":["../src/session/session.ts","../src/session/session-policy.ts","../src/session/dev-unlock.ts"],"sourcesContent":["/**\n * Session tokens —\n *\n * After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-\n * link), the caller can call `createSession()` to get a session token that\n * allows re-establishing the KEK for the session lifetime without re-running\n * PBKDF2 or any interactive auth challenge.\n *\n * Security model\n * ──────────────\n * A session consists of two pieces that must both be present to recover the\n * KEK:\n *\n *   1. The **session key** — a non-extractable AES-256-GCM CryptoKey that\n *      exists only in memory. \"Non-extractable\" is enforced by the WebCrypto\n *      API: the key object cannot be serialized, exported, or sent over\n *      postMessage. When the JS context is GC'd (tab close, navigation away,\n *      worker termination) the key becomes unrecoverable.\n *\n *   2. The **session token** — a JSON object that carries the KEK wrapped\n *      with the session key (AES-256-GCM, fresh IV per session), plus\n *      unencrypted session metadata (sessionId, userId, vault, role,\n *      expiresAt). The token can be serialized to JSON and stored in\n *      sessionStorage or passed across callsites within the same tab, but\n *      it is useless without the session key.\n *\n * The session key is kept in a module-level Map indexed by sessionId. Callers\n * that need to re-use a session must hold on to the sessionId returned from\n * `createSession()`; the key is looked up automatically by `resolveSession()`.\n *\n * Revocation: `revokeSession()` removes the entry from the Map. Because the\n * key is non-extractable, removal is sufficient — no one holds a serializable\n * copy of the key.\n *\n * Tab-scoped lifetime: the module-level Map lives only as long as the JS\n * module. Tab close → module unloaded → Map GC'd → all session keys gone.\n * This is the zero-effort logout: closing the tab is always a secure logout.\n *\n * Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`\n * checks `expiresAt` and throws `SessionExpiredError` if the token is stale,\n * even if the session key is still in the Map.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { Role } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { SessionExpiredError, SessionNotFoundError } from '../errors.js'\n\nconst subtle = globalThis.crypto.subtle\n\n// Default session TTL: 60 minutes\nconst DEFAULT_TTL_MS = 60 * 60 * 1000\n\n// Module-level session key store. Tab-scoped by construction.\nconst sessionKeyStore = new Map<string, CryptoKey>()\n\n// ─── Public types ──────────────────────────────────────────────────────\n\n/** The serializable part of a session token. Safe to store in sessionStorage. */\nexport interface SessionToken {\n  readonly _noydb_session: 1\n  /** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */\n  readonly sessionId: string\n  readonly userId: string\n  readonly vault: string\n  readonly role: Role\n  /** ISO timestamp — resolveSession() rejects this token after this time. */\n  readonly expiresAt: string\n  /** KEK wrapped with the session key (AES-256-GCM). Base64. */\n  readonly wrappedKek: string\n  /** IV used for the wrapping operation. Base64. */\n  readonly kekIv: string\n}\n\n/** Result returned from `createSession()`. */\nexport interface CreateSessionResult {\n  /** Serializable token — store in sessionStorage or pass to `resolveSession()`. */\n  token: SessionToken\n  /** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */\n  sessionId: string\n}\n\n/** Options for `createSession()`. */\nexport interface CreateSessionOptions {\n  /**\n   * Session lifetime in milliseconds. Defaults to 60 minutes.\n   * After this duration, `resolveSession()` throws `SessionExpiredError`.\n   */\n  ttlMs?: number\n}\n\n// ─── Core session operations ───────────────────────────────────────────\n\n/**\n * Create a session for an already-unlocked keyring.\n *\n * Call this after any successful unlock (passphrase, WebAuthn, OIDC,\n * magic-link). The returned `sessionId` is the handle for later\n * `resolveSession()` and `revokeSession()` calls.\n *\n * The session key is generated fresh (non-extractable) and stored in the\n * module-level Map. The KEK from `keyring.kek` is exported (it must be\n * extractable — it was derived by `deriveKey()` which sets extractable: false,\n * but it's unwrapped from the keyring which sets extractable: true) and then\n * re-wrapped with the session key.\n *\n * @param keyring - An already-unlocked keyring whose `kek` is available.\n * @param vault - The vault name this session is scoped to.\n * @param options - Optional session configuration.\n */\nexport async function createSession(\n  keyring: UnlockedKeyring,\n  vault: string,\n  options: CreateSessionOptions = {},\n): Promise<CreateSessionResult> {\n  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS\n  const sessionId = generateULID()\n  const expiresAt = new Date(Date.now() + ttlMs).toISOString()\n\n  // Generate a fresh non-extractable session key.\n  // AES-256-GCM is used here (rather than AES-KW) because the session key\n  // wraps raw key bytes (the exported KEK) rather than a CryptoKey object.\n  const sessionKey = await subtle.generateKey(\n    { name: 'AES-GCM', length: 256 },\n    false, // non-extractable — this is the tab-scope security invariant\n    ['encrypt', 'decrypt'],\n  )\n\n  // Export the KEK as raw bytes so we can wrap it.\n  // The KEK is AES-256-KW, which must have been importable (extractable: true)\n  // to allow wrapKey — it is, because unwrapKey sets extractable: true for\n  // DEKs, but the KEK itself is derived with extractable: false (see\n  // crypto.ts deriveKey). We use a separate raw export + encrypt path.\n  //\n  // Wait — the KEK is AES-KW with extractable:false. We cannot export it.\n  // Instead, we wrap the DEKs (which ARE extractable) and the salt+role+userId\n  // metadata together. This means resolveSession() reconstructs an\n  // UnlockedKeyring by re-wrapping the DEKs list from the token.\n  //\n  // Simpler approach: export each DEK (they're extractable) and encrypt\n  // the serialized DEK map with the session key. The keyring is reconstructed\n  // from the session token without the original KEK — only DEKs matter for\n  // record operations.\n  //\n  // This is the right design: sessions don't need the KEK (no re-grant,\n  // no re-derive during session lifetime). They need the DEK set.\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n  const encrypted = await subtle.encrypt(\n    { name: 'AES-GCM', iv },\n    sessionKey,\n    new TextEncoder().encode(payload),\n  )\n\n  const token: SessionToken = {\n    _noydb_session: 1,\n    sessionId,\n    userId: keyring.userId,\n    vault,\n    role: keyring.role,\n    expiresAt,\n    wrappedKek: bufferToBase64(encrypted),\n    kekIv: bufferToBase64(iv),\n  }\n\n  sessionKeyStore.set(sessionId, sessionKey)\n  return { token, sessionId }\n}\n\n/**\n * Resolve a session token back into an UnlockedKeyring.\n *\n * Looks up the session key by `sessionId`, checks the token is not expired,\n * then decrypts the payload to reconstruct the keyring's DEK set.\n *\n * Throws `SessionExpiredError` if the token's `expiresAt` is in the past.\n * Throws `SessionNotFoundError` if the session key is not in the store\n * (tab was reloaded, session was revoked, or the sessionId is wrong).\n *\n * @param token - The SessionToken from `createSession()`.\n */\nexport async function resolveSession(token: SessionToken): Promise<UnlockedKeyring> {\n  // Expiry check first — fast path without touching crypto\n  if (Date.now() > new Date(token.expiresAt).getTime()) {\n    sessionKeyStore.delete(token.sessionId)\n    throw new SessionExpiredError(token.sessionId)\n  }\n\n  const sessionKey = sessionKeyStore.get(token.sessionId)\n  if (!sessionKey) {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const iv = base64ToBuffer(token.kekIv)\n  const ciphertext = base64ToBuffer(token.wrappedKek)\n\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      sessionKey,\n      ciphertext,\n    )\n  } catch {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const payload = JSON.parse(new TextDecoder().decode(plaintext)) as {\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(payload.deks)) {\n    const dek = await subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: payload.userId,\n    displayName: payload.displayName,\n    role: payload.role,\n    permissions: payload.permissions,\n    deks,\n    kek: null, // KEK not available in session context\n    salt: base64ToBuffer(payload.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Revoke a session by removing its key from the store.\n *\n * After revocation, `resolveSession()` will throw `SessionNotFoundError`\n * for this sessionId. The session token (if held by the caller) becomes\n * permanently useless. This is the explicit logout path.\n *\n * No-op if the session was already expired or does not exist.\n */\nexport function revokeSession(sessionId: string): void {\n  sessionKeyStore.delete(sessionId)\n}\n\n/**\n * Check if a session is still alive (key in store + not expired).\n * Does not decrypt anything — purely a metadata check.\n */\nexport function isSessionAlive(token: SessionToken): boolean {\n  if (Date.now() > new Date(token.expiresAt).getTime()) return false\n  return sessionKeyStore.has(token.sessionId)\n}\n\n/**\n * Revoke all active sessions. Used by `Noydb.close()` to ensure that\n * closing the instance destroys all session state, not just the keyring\n * cache.\n */\nexport function revokeAllSessions(): void {\n  sessionKeyStore.clear()\n}\n\n/**\n * Return the number of active sessions currently in the store.\n * Useful for diagnostics and tests.\n */\nexport function activeSessionCount(): number {\n  return sessionKeyStore.size\n}\n","/**\n * Session policies —\n *\n * A `SessionPolicy` is a small declarative object that controls how long a\n * session lives and which operations require re-authentication. It is\n * evaluated by the `PolicyEnforcer` class, which the Noydb instance\n * integrates to replace the bare `sessionTimeout` timer from.\n *\n * Design decisions\n * ────────────────\n * Policies are stateless value objects — no timers, no event listeners.\n * The Noydb instance is the stateful coordinator: it holds the enforcer,\n * calls `enforcer.touch()` on every operation, and calls\n * `enforcer.checkOperation()` before high-risk operations.\n *\n * This keeps the policy module easy to unit-test (no global timers to mock)\n * and avoids the \"who owns cleanup\" problem that comes with timer-based\n * callbacks embedded in a value object.\n *\n * `lockOnBackground` registers a `visibilitychange` listener on the document\n * at enforcer creation time and removes it on `destroy()`. It is a no-op in\n * non-browser environments (no `document`).\n */\n\nimport type { SessionPolicy, ReAuthOperation } from '../types.js'\nimport { SessionExpiredError, SessionPolicyError } from '../errors.js'\nimport { revokeSession } from './session.js'\n\n// ─── PolicyEnforcer ────────────────────────────────────────────────────\n\nexport interface PolicyEnforcerOptions {\n  /** The policy to enforce. */\n  policy: SessionPolicy\n  /** The session ID to revoke when idle/absolute timeouts fire. */\n  sessionId: string\n  /**\n   * Called when the policy decides the session should end (idle timeout,\n   * absolute timeout, or lockOnBackground). Use this to trigger the\n   * same cleanup that `Noydb.close()` would perform.\n   */\n  onRevoke: (reason: 'idle' | 'absolute' | 'background') => void\n}\n\n/**\n * Stateful enforcer for a single session policy.\n *\n * Create one per open session, call `touch()` on every operation,\n * call `checkOperation(op)` before export/grant/revoke/rotate/changeSecret,\n * and call `destroy()` when the session ends.\n */\nexport class PolicyEnforcer {\n  private readonly policy: SessionPolicy\n  private readonly sessionId: string\n  private readonly onRevoke: PolicyEnforcerOptions['onRevoke']\n  private readonly createdAt: number\n  private lastActivityAt: number\n  private idleTimer: ReturnType<typeof setTimeout> | null = null\n  private absoluteTimer: ReturnType<typeof setTimeout> | null = null\n  private visibilityHandler: (() => void) | null = null\n\n  constructor(opts: PolicyEnforcerOptions) {\n    this.policy = opts.policy\n    this.sessionId = opts.sessionId\n    this.onRevoke = opts.onRevoke\n    this.createdAt = Date.now()\n    this.lastActivityAt = Date.now()\n\n    this.scheduleIdleTimer()\n    this.scheduleAbsoluteTimer()\n    this.registerBackgroundLock()\n  }\n\n  /**\n   * Record an activity timestamp and reset the idle timer.\n   * Call this at the top of every Noydb public method.\n   */\n  touch(): void {\n    this.lastActivityAt = Date.now()\n    this.scheduleIdleTimer()\n  }\n\n  /**\n   * Check whether the given operation is allowed under the active policy.\n   * Throws `SessionPolicyError` if the operation requires re-authentication.\n   * Throws `SessionExpiredError` if the absolute timeout has been exceeded\n   * (defensive check in case the timer fired before the call arrived).\n   *\n   * This is a synchronous check — callers don't await it.\n   */\n  checkOperation(op: ReAuthOperation): void {\n    // Defensive absolute-timeout check (timer may have fired late)\n    const { absoluteTimeoutMs } = this.policy\n    if (absoluteTimeoutMs !== undefined && Date.now() - this.createdAt >= absoluteTimeoutMs) {\n      this.expire('absolute')\n      throw new SessionExpiredError(this.sessionId)\n    }\n\n    const required = this.policy.requireReAuthFor ?? []\n    if (required.includes(op)) {\n      throw new SessionPolicyError(op)\n    }\n  }\n\n  /**\n   * Tear down timers and background-lock listener. Call from `Noydb.close()`\n   * and whenever the session is revoked externally.\n   */\n  destroy(): void {\n    if (this.idleTimer) {\n      clearTimeout(this.idleTimer)\n      this.idleTimer = null\n    }\n    if (this.absoluteTimer) {\n      clearTimeout(this.absoluteTimer)\n      this.absoluteTimer = null\n    }\n    if (this.visibilityHandler && typeof document !== 'undefined') {\n      document.removeEventListener('visibilitychange', this.visibilityHandler)\n      this.visibilityHandler = null\n    }\n  }\n\n  /** How long since the last activity, in ms. */\n  get idleMs(): number {\n    return Date.now() - this.lastActivityAt\n  }\n\n  /** How long since session creation, in ms. */\n  get ageMs(): number {\n    return Date.now() - this.createdAt\n  }\n\n  // ── Private ──────────────────────────────────────────────────────────\n\n  private scheduleIdleTimer(): void {\n    const { idleTimeoutMs } = this.policy\n    if (!idleTimeoutMs) return\n\n    if (this.idleTimer) clearTimeout(this.idleTimer)\n    this.idleTimer = setTimeout(() => {\n      this.expire('idle')\n    }, idleTimeoutMs)\n  }\n\n  private scheduleAbsoluteTimer(): void {\n    const { absoluteTimeoutMs } = this.policy\n    if (!absoluteTimeoutMs) return\n\n    if (this.absoluteTimer) clearTimeout(this.absoluteTimer)\n    this.absoluteTimer = setTimeout(() => {\n      this.expire('absolute')\n    }, absoluteTimeoutMs)\n  }\n\n  private registerBackgroundLock(): void {\n    if (!this.policy.lockOnBackground) return\n    if (typeof document === 'undefined') return\n\n    this.visibilityHandler = () => {\n      if (document.hidden) {\n        this.expire('background')\n      }\n    }\n    document.addEventListener('visibilitychange', this.visibilityHandler)\n  }\n\n  private expire(reason: 'idle' | 'absolute' | 'background'): void {\n    this.destroy()\n    revokeSession(this.sessionId)\n    this.onRevoke(reason)\n  }\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/**\n * Build a `PolicyEnforcer` from a policy + session token, and return it\n * alongside a cleanup function. Convenience wrapper for Noydb.\n */\nexport function createEnforcer(opts: PolicyEnforcerOptions): PolicyEnforcer {\n  return new PolicyEnforcer(opts)\n}\n\n/**\n * Validate that a `SessionPolicy` is well-formed.\n * Throws a plain `Error` (not `NoydbError`) because this is a developer\n * error — invalid policies passed at construction time, not at runtime.\n */\nexport function validateSessionPolicy(policy: SessionPolicy): void {\n  const { idleTimeoutMs, absoluteTimeoutMs } = policy\n  if (idleTimeoutMs !== undefined && (typeof idleTimeoutMs !== 'number' || idleTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`)\n  }\n  if (absoluteTimeoutMs !== undefined && (typeof absoluteTimeoutMs !== 'number' || absoluteTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`)\n  }\n  if (idleTimeoutMs !== undefined && absoluteTimeoutMs !== undefined && idleTimeoutMs >= absoluteTimeoutMs) {\n    throw new Error(\n      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`,\n    )\n  }\n}\n","/**\n * Dev-mode persistent unlock —\n *\n * Solves the developer inner-loop friction: hot-reload destroys the session\n * (page navigation semantics), forcing a passphrase re-entry every refresh.\n *\n * This module provides an opt-in, deliberately-named escape hatch that lets\n * developers store the keyring payload in sessionStorage or localStorage so\n * the vault auto-unlocks on every page load — without a passphrase,\n * without a biometric prompt, without any OIDC flow.\n *\n * ⚠️ WARNING — this is a loaded footgun ⚠️\n * ─────────────────────────────────────────\n * The keyring payload stored by this module contains the DEKs. Whoever has\n * access to sessionStorage/localStorage has access to the DEKs. On a shared\n * development machine, a compromised browser extension, or a mis-configured\n * origin, this is a complete key exposure.\n *\n * This module is ONLY safe for local development. It must NEVER be active\n * in production builds.\n *\n * Guardrails (all enforced by the module, not by the caller)\n * ──────────────────────────────────────────────────────────\n * 1. **Production guard:** `enableDevUnlock()` throws immediately if\n *    `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`\n *    (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.\n *\n * 2. **Explicit acknowledgement string:** the caller must pass\n *    `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call\n *    throws. This string appears in every grep for `devUnlock` in the codebase,\n *    making it impossible to enable this feature accidentally.\n *\n * 3. **Scope is vault + userId:** the storage key includes both the\n *    vault name and the userId, so dev-unlock for vault-A does\n *    NOT auto-unlock vault-B.\n *\n * 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).\n *    `localStorage` is opt-in and requires an additional\n *    `persistAcrossTabs: true` flag in the options.\n *\n * 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire\n *    this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.\n *\n * 6. **Console banner:** on first enable, a highly visible console warning\n *    fires. Cannot be suppressed.\n *\n * Usage\n * ─────\n * ```ts\n * // In your dev entry point only (guarded by import.meta.env.DEV):\n * if (import.meta.env.DEV) {\n *   const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')\n *   enableDevUnlock('my-compartment', 'alice', keyring, {\n *     acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',\n *   })\n * }\n *\n * // On page load:\n * if (import.meta.env.DEV) {\n *   const keyring = await loadDevUnlock('my-compartment', 'alice')\n *   if (keyring) {\n *     // Skip unlock prompt, use keyring directly\n *   }\n * }\n * ```\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { Role } from '../types.js'\n\n// The exact acknowledgement string callers must pass\nconst REQUIRED_ACKNOWLEDGE = 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'\n\nconst STORAGE_PREFIX = 'noydb:dev-unlock:'\n\n// ─── Options ──────────────────────────────────────────────────────────\n\nexport interface DevUnlockOptions {\n  /**\n   * Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.\n   * Any other value causes `enableDevUnlock()` to throw.\n   */\n  acknowledge: string\n  /**\n   * If `true`, stores in localStorage (persists across tabs and browser restarts).\n   * If `false` (default), stores in sessionStorage (cleared on tab close).\n   */\n  persistAcrossTabs?: boolean\n}\n\n// ─── Production guard ─────────────────────────────────────────────────\n\nfunction assertDevEnvironment(): void {\n  // Node.js: check NODE_ENV\n  if (\n    typeof process !== 'undefined' &&\n    process.env.NODE_ENV === 'production'\n  ) {\n    throw new ValidationError(\n      'devUnlock is not available in production builds. ' +\n      'process.env.NODE_ENV is \"production\".',\n    )\n  }\n\n  // Vite / build tool convention\n  if (\n    typeof globalThis !== 'undefined' &&\n    (globalThis as Record<string, unknown>).__vite_is_production__ === true\n  ) {\n    throw new ValidationError('devUnlock is not available in production builds.')\n  }\n\n  // Browser: only allow on localhost\n  if (\n    typeof window !== 'undefined' &&\n    typeof window.location !== 'undefined'\n  ) {\n    const host = window.location.hostname\n    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '::1' && !host.endsWith('.local')) {\n      throw new ValidationError(\n        `devUnlock is only available on localhost. Current hostname: \"${host}\". ` +\n        'Set NODE_ENV=development and run on localhost to use dev unlock.',\n      )\n    }\n  }\n}\n\n// ─── Storage key ──────────────────────────────────────────────────────\n\nfunction storageKey(vault: string, userId: string): string {\n  return `${STORAGE_PREFIX}${vault}:${userId}`\n}\n\nfunction resolveStorage(persistAcrossTabs?: boolean): Storage {\n  if (typeof window === 'undefined') {\n    throw new ValidationError('devUnlock requires a browser environment (window.sessionStorage / window.localStorage).')\n  }\n  return persistAcrossTabs ? window.localStorage : window.sessionStorage\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Serialize and store a keyring to browser storage for dev-mode auto-unlock.\n *\n * Throws immediately if:\n *   - The acknowledge string is wrong.\n *   - Running in a production environment (NODE_ENV=production).\n *   - Running on a non-localhost hostname.\n *\n * Emits a highly visible console warning that cannot be suppressed.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param keyring - The unlocked keyring to persist.\n * @param options - Options including the required acknowledge string.\n */\nexport async function enableDevUnlock(\n  vault: string,\n  userId: string,\n  keyring: UnlockedKeyring,\n  options: DevUnlockOptions,\n): Promise<void> {\n  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {\n    throw new ValidationError(\n      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. ` +\n      `Got: '${options.acknowledge}'. This is intentional — the full string must appear in your source.`,\n    )\n  }\n\n  assertDevEnvironment()\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    _noydb_dev_unlock: 1,\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  storage.setItem(storageKey(vault, userId), payload)\n\n  // Visible, unsuppressable warning\n  console.warn(\n    '%c⚠️ NOYDB DEV UNLOCK ACTIVE ⚠️',\n    'color: red; font-size: 16px; font-weight: bold',\n    `\\n\\nVault \"${vault}\" user \"${userId}\" is stored in ` +\n    `${options.persistAcrossTabs ? 'localStorage' : 'sessionStorage'} in PLAINTEXT DEKs.\\n` +\n    'This is ONLY safe for local development. Never use in production.\\n' +\n    'Call clearDevUnlock() to remove.',\n  )\n}\n\n/**\n * Load a dev-mode keyring from browser storage.\n *\n * Returns `null` if no dev-unlock state is stored for this vault + user,\n * or if the stored payload is malformed.\n *\n * Does NOT perform the production environment check — it's safe to CALL\n * `loadDevUnlock` in production (it will simply return `null` because no\n * dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param options - Optional storage override.\n */\nexport async function loadDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): Promise<UnlockedKeyring | null> {\n  if (typeof window === 'undefined') return null\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n  const raw = storage.getItem(storageKey(vault, userId))\n  if (!raw) return null\n\n  let parsed: {\n    _noydb_dev_unlock?: number\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n  try {\n    parsed = JSON.parse(raw)\n  } catch {\n    return null\n  }\n\n  if (parsed._noydb_dev_unlock !== 1) return null\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n    const dek = await globalThis.crypto.subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: parsed.userId,\n    displayName: parsed.displayName,\n    role: parsed.role,\n    permissions: parsed.permissions,\n    deks,\n    kek: null,\n    salt: base64ToBuffer(parsed.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Remove dev-unlock state from browser storage.\n *\n * Safe to call in production (no-op if no dev state exists).\n */\nexport function clearDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): void {\n  if (typeof window === 'undefined') return\n  const storage = resolveStorage(options.persistAcrossTabs)\n  storage.removeItem(storageKey(vault, userId))\n}\n\n/**\n * Check if dev-unlock state exists for this vault + user.\n *\n * Safe to call in production (returns false if nothing is stored).\n */\nexport function isDevUnlockActive(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): boolean {\n  if (typeof window === 'undefined') return false\n  const storage = resolveStorage(options.persistAcrossTabs)\n  return storage.getItem(storageKey(vault, userId)) !== null\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiDA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,iBAAiB,KAAK,KAAK;AAGjC,IAAM,kBAAkB,oBAAI,IAAuB;AAwDnD,eAAsB,cACpB,SACA,OACA,UAAgC,CAAC,GACH;AAC9B,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,YAAY,aAAa;AAC/B,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,EAAE,YAAY;AAK3D,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAqBA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,QAAM,QAAsB;AAAA,IAC1B,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,YAAY,eAAe,SAAS;AAAA,IACpC,OAAO,eAAe,EAAE;AAAA,EAC1B;AAEA,kBAAgB,IAAI,WAAW,UAAU;AACzC,SAAO,EAAE,OAAO,UAAU;AAC5B;AAcA,eAAsB,eAAe,OAA+C;AAElF,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,GAAG;AACpD,oBAAgB,OAAO,MAAM,SAAS;AACtC,UAAM,IAAI,oBAAoB,MAAM,SAAS;AAAA,EAC/C;AAEA,QAAM,aAAa,gBAAgB,IAAI,MAAM,SAAS;AACtD,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,KAAK,eAAe,MAAM,KAAK;AACrC,QAAM,aAAa,eAAe,MAAM,UAAU;AAElD,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO;AAAA,MACvB,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS9D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AAChE,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB;AAAA,IACA,KAAK;AAAA;AAAA,IACL,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAWO,SAAS,cAAc,WAAyB;AACrD,kBAAgB,OAAO,SAAS;AAClC;AAMO,SAAS,eAAe,OAA8B;AAC3D,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,EAAG,QAAO;AAC7D,SAAO,gBAAgB,IAAI,MAAM,SAAS;AAC5C;AAOO,SAAS,oBAA0B;AACxC,kBAAgB,MAAM;AACxB;AAMO,SAAS,qBAA6B;AAC3C,SAAO,gBAAgB;AACzB;;;ACnPO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAAkD;AAAA,EAClD,gBAAsD;AAAA,EACtD,oBAAyC;AAAA,EAEjD,YAAY,MAA6B;AACvC,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AACtB,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,iBAAiB,KAAK,IAAI;AAE/B,SAAK,kBAAkB;AACvB,SAAK,sBAAsB;AAC3B,SAAK,uBAAuB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,iBAAiB,KAAK,IAAI;AAC/B,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,IAA2B;AAExC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,sBAAsB,UAAa,KAAK,IAAI,IAAI,KAAK,aAAa,mBAAmB;AACvF,WAAK,OAAO,UAAU;AACtB,YAAM,IAAI,oBAAoB,KAAK,SAAS;AAAA,IAC9C;AAEA,UAAM,WAAW,KAAK,OAAO,oBAAoB,CAAC;AAClD,QAAI,SAAS,SAAS,EAAE,GAAG;AACzB,YAAM,IAAI,mBAAmB,EAAE;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AACd,QAAI,KAAK,WAAW;AAClB,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AACA,QAAI,KAAK,eAAe;AACtB,mBAAa,KAAK,aAAa;AAC/B,WAAK,gBAAgB;AAAA,IACvB;AACA,QAAI,KAAK,qBAAqB,OAAO,aAAa,aAAa;AAC7D,eAAS,oBAAoB,oBAAoB,KAAK,iBAAiB;AACvE,WAAK,oBAAoB;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,SAAiB;AACnB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAGA,IAAI,QAAgB;AAClB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAIQ,oBAA0B;AAChC,UAAM,EAAE,cAAc,IAAI,KAAK;AAC/B,QAAI,CAAC,cAAe;AAEpB,QAAI,KAAK,UAAW,cAAa,KAAK,SAAS;AAC/C,SAAK,YAAY,WAAW,MAAM;AAChC,WAAK,OAAO,MAAM;AAAA,IACpB,GAAG,aAAa;AAAA,EAClB;AAAA,EAEQ,wBAA8B;AACpC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,CAAC,kBAAmB;AAExB,QAAI,KAAK,cAAe,cAAa,KAAK,aAAa;AACvD,SAAK,gBAAgB,WAAW,MAAM;AACpC,WAAK,OAAO,UAAU;AAAA,IACxB,GAAG,iBAAiB;AAAA,EACtB;AAAA,EAEQ,yBAA+B;AACrC,QAAI,CAAC,KAAK,OAAO,iBAAkB;AACnC,QAAI,OAAO,aAAa,YAAa;AAErC,SAAK,oBAAoB,MAAM;AAC7B,UAAI,SAAS,QAAQ;AACnB,aAAK,OAAO,YAAY;AAAA,MAC1B;AAAA,IACF;AACA,aAAS,iBAAiB,oBAAoB,KAAK,iBAAiB;AAAA,EACtE;AAAA,EAEQ,OAAO,QAAkD;AAC/D,SAAK,QAAQ;AACb,kBAAc,KAAK,SAAS;AAC5B,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAQO,SAAS,eAAe,MAA6C;AAC1E,SAAO,IAAI,eAAe,IAAI;AAChC;AAOO,SAAS,sBAAsB,QAA6B;AACjE,QAAM,EAAE,eAAe,kBAAkB,IAAI;AAC7C,MAAI,kBAAkB,WAAc,OAAO,kBAAkB,YAAY,iBAAiB,IAAI;AAC5F,UAAM,IAAI,MAAM,8DAA8D,aAAa,EAAE;AAAA,EAC/F;AACA,MAAI,sBAAsB,WAAc,OAAO,sBAAsB,YAAY,qBAAqB,IAAI;AACxG,UAAM,IAAI,MAAM,kEAAkE,iBAAiB,EAAE;AAAA,EACvG;AACA,MAAI,kBAAkB,UAAa,sBAAsB,UAAa,iBAAiB,mBAAmB;AACxG,UAAM,IAAI;AAAA,MACR,gCAAgC,aAAa,4CAA4C,iBAAiB;AAAA,IAC5G;AAAA,EACF;AACF;;;AChIA,IAAM,uBAAuB;AAE7B,IAAM,iBAAiB;AAmBvB,SAAS,uBAA6B;AAEpC,MACE,OAAO,YAAY,eACnB,QAAQ,IAAI,aAAa,cACzB;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MACE,OAAO,eAAe,eACrB,WAAuC,2BAA2B,MACnE;AACA,UAAM,IAAI,gBAAgB,kDAAkD;AAAA,EAC9E;AAGA,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,aAAa,aAC3B;AACA,UAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,SAAS,eAAe,SAAS,eAAe,SAAS,SAAS,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,gEAAgE,IAAI;AAAA,MAEtE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,WAAW,OAAe,QAAwB;AACzD,SAAO,GAAG,cAAc,GAAG,KAAK,IAAI,MAAM;AAC5C;AAEA,SAAS,eAAe,mBAAsC;AAC5D,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,gBAAgB,yFAAyF;AAAA,EACrH;AACA,SAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D;AAmBA,eAAsB,gBACpB,OACA,QACA,SACA,SACe;AACf,MAAI,QAAQ,gBAAgB,sBAAsB;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,oBAAoB,YAC/C,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AAEA,uBAAqB;AAErB,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AAExD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,mBAAmB;AAAA,IACnB,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,UAAQ,QAAQ,WAAW,OAAO,MAAM,GAAG,OAAO;AAGlD,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA;AAAA,SAAc,KAAK,WAAW,MAAM,kBACjC,QAAQ,oBAAoB,iBAAiB,gBAAgB;AAAA;AAAA;AAAA,EAGlE;AACF;AAgBA,eAAsB,cACpB,OACA,QACA,UAA2C,CAAC,GACX;AACjC,MAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,QAAM,MAAM,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC;AACrD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI;AASJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,sBAAsB,EAAG,QAAO;AAE3C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,IAChC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAOO,SAAS,eACd,OACA,QACA,UAA2C,CAAC,GACtC;AACN,MAAI,OAAO,WAAW,YAAa;AACnC,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,UAAQ,WAAW,WAAW,OAAO,MAAM,CAAC;AAC9C;AAOO,SAAS,kBACd,OACA,QACA,UAA2C,CAAC,GACnC;AACT,MAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,SAAO,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC,MAAM;AACxD;","names":[]}

package/dist/{chunk-NXFEYLVG.js → chunk-MIQHZESA.js}

@@ -1,9 +1,9 @@
 import {
   decrypt
-} from "./chunk-MR4424N3.js";
+} from "./chunk-WCA2NROQ.js";
 import {
   ReadOnlyAtInstantError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-ADQ5MQ54.js";
 
 // src/history/history.ts
 var HISTORY_COLLECTION = "_history";
@@ -187,6 +187,7 @@ var CollectionInstant = class {
     for (const e of entries) {
       if (e.collection !== this.name || e.id !== id) continue;
       if (e.ts > this.targetTs) break;
+      if (e.op === "amendment") continue;
       latest = { op: e.op, version: e.version };
     }
     if (!latest) return null;
@@ -308,4 +309,4 @@ export {
   diff,
   formatDiff
 };
-//# sourceMappingURL=chunk-NXFEYLVG.js.map
+//# sourceMappingURL=chunk-MIQHZESA.js.map

package/dist/{chunk-NXFEYLVG.js.map → chunk-MIQHZESA.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/history/history.ts","../src/history/time-machine.ts","../src/history/diff.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope, HistoryOptions, PruneOptions } from '../types.js'\n\n/**\n * History storage convention:\n * Collection: `_history`\n * ID format: `{collection}:{recordId}:{paddedVersion}`\n * Version is zero-padded to 10 digits for lexicographic sorting.\n */\n\nconst HISTORY_COLLECTION = '_history'\nconst VERSION_PAD = 10\n\nfunction historyId(collection: string, recordId: string, version: number): string {\n  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, '0')}`\n}\n\n// Unused today, kept for future history-id parsing utilities.\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nfunction parseHistoryId(id: string): { collection: string; recordId: string; version: number } | null {\n  const lastColon = id.lastIndexOf(':')\n  if (lastColon < 0) return null\n  const versionStr = id.slice(lastColon + 1)\n  const rest = id.slice(0, lastColon)\n  const firstColon = rest.indexOf(':')\n  if (firstColon < 0) return null\n  return {\n    collection: rest.slice(0, firstColon),\n    recordId: rest.slice(firstColon + 1),\n    version: parseInt(versionStr, 10),\n  }\n}\n\nfunction matchesPrefix(id: string, collection: string, recordId?: string): boolean {\n  if (recordId) {\n    return id.startsWith(`${collection}:${recordId}:`)\n  }\n  return id.startsWith(`${collection}:`)\n}\n\n/** Save a history entry (a complete encrypted envelope snapshot). */\nexport async function saveHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  envelope: EncryptedEnvelope,\n): Promise<void> {\n  const id = historyId(collection, recordId, envelope._v)\n  await adapter.put(vault, HISTORY_COLLECTION, id, envelope)\n}\n\n/** Get history entries for a record, sorted newest-first. */\nexport async function getHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  options?: HistoryOptions,\n): Promise<EncryptedEnvelope[]> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => matchesPrefix(id, collection, recordId))\n    .sort()\n    .reverse() // newest first\n\n  const entries: EncryptedEnvelope[] = []\n\n  for (const id of matchingIds) {\n    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n    if (!envelope) continue\n\n    // Apply time filters\n    if (options?.from && envelope._ts < options.from) continue\n    if (options?.to && envelope._ts > options.to) continue\n\n    entries.push(envelope)\n\n    if (options?.limit && entries.length >= options.limit) break\n  }\n\n  return entries\n}\n\n/** Get a specific version's envelope from history. */\nexport async function getVersionEnvelope(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  version: number,\n): Promise<EncryptedEnvelope | null> {\n  const id = historyId(collection, recordId, version)\n  return adapter.get(vault, HISTORY_COLLECTION, id)\n}\n\n/** Prune history entries. Returns the number of entries deleted. */\nexport async function pruneHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string | undefined,\n  options: PruneOptions,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection))\n    .sort()\n\n  let toDelete: string[] = []\n\n  if (options.keepVersions !== undefined) {\n    // Keep only the N most recent, delete the rest\n    const keep = options.keepVersions\n    if (matchingIds.length > keep) {\n      toDelete = matchingIds.slice(0, matchingIds.length - keep)\n    }\n  }\n\n  if (options.beforeDate) {\n    // Delete entries older than the specified date\n    for (const id of matchingIds) {\n      if (toDelete.includes(id)) continue\n      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n      if (envelope && envelope._ts < options.beforeDate) {\n        toDelete.push(id)\n      }\n    }\n  }\n\n  // Deduplicate\n  const uniqueDeletes = [...new Set(toDelete)]\n\n  for (const id of uniqueDeletes) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return uniqueDeletes.length\n}\n\n/** Clear all history for a vault, optionally scoped to a collection or record. */\nexport async function clearHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection?: string,\n  recordId?: string,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  let toDelete: string[]\n\n  if (collection && recordId) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection, recordId))\n  } else if (collection) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection))\n  } else {\n    toDelete = allIds\n  }\n\n  for (const id of toDelete) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return toDelete.length\n}\n","/**\n * Time-machine queries — point-in-time reads reconstructed from the\n * existing history + ledger infrastructure.\n *\n * ## Usage\n *\n * ```ts\n * const vault = await db.openVault('acme', { passphrase })\n * const q1End = vault.at('2026-03-31T23:59:59Z')\n * const invoice = await q1End.collection<Invoice>('invoices').get('inv-001')\n * // → the record as it stood at the close of Q1 2026\n * ```\n *\n * ## How it works\n *\n * Every write path already fans out into two persistence lanes:\n *\n * 1. `saveHistory(...)` persists a **full encrypted envelope snapshot**\n *    per version under the `_history` collection (one envelope per\n *    version, keyed by `{collection}:{id}:{paddedVersion}`). Each\n *    envelope carries its own `_ts` (the write timestamp).\n * 2. `ledger.append(...)` appends a hash-chained audit entry that\n *    records the `op` (put / delete), `version`, and `ts`.\n *\n * Reconstruction at a target timestamp T is therefore:\n *\n * - Find the newest history envelope for `(collection, id)` whose\n *   `_ts ≤ T` — that's the state the record was in at T.\n * - Check the ledger for any `op: 'delete'` entry for the same\n *   `(collection, id)` with `entry.ts` in `(latestEnvelope._ts, T]` —\n *   if present, the record was deleted before T, so return `null`.\n * - Decrypt the surviving envelope with the current collection DEK\n *   (DEKs are per-collection but stable across versions — the same\n *   key encrypts v1 and v15 of a record).\n *\n * No delta replay. The existing `history.ts` module already stores\n * complete snapshots; we just pick the right one.\n *\n * ## Read-only contract\n *\n * Every write method on `CollectionInstant` throws\n * {@link ReadOnlyAtInstantError}. A historical view is a *read*\n * surface — mutating the past would require either a branch/shadow\n * mechanism (tracked under shadow vaults) or a rewrite of\n * history, which breaks the ledger's tamper-evidence guarantee.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport type { LedgerStore } from './ledger/store.js'\nimport { getHistory } from './history.js'\nimport { decrypt } from '../crypto.js'\nimport { ReadOnlyAtInstantError } from '../errors.js'\n\n/**\n * Narrow view of a {@link Vault}'s internals that\n * {@link VaultInstant} needs. Passed in by `Vault.at()` rather than\n * constructed here so all crypto + adapter access stays inside the\n * Vault class.\n *\n * Not exported from the public barrel — consumers should get a\n * `VaultInstant` via `vault.at(ts)`, never by constructing one\n * directly.\n */\nexport interface VaultEngine {\n  readonly adapter: NoydbStore\n  /** Vault name (the compartment). */\n  readonly name: string\n  /**\n   * `true` when the vault was opened with a passphrase (the normal\n   * case). `false` in plaintext-mode vaults (`encrypt: false`) — in\n   * that case `envelope._data` is raw JSON and we skip the DEK lookup.\n   */\n  readonly encrypted: boolean\n  /**\n   * Resolves the DEK used to decrypt a given collection's envelopes.\n   * Not called when `encrypted` is false.\n   */\n  getDEK(collection: string): Promise<CryptoKey>\n  /**\n   * Lazily-initialised ledger. We consult it to detect deletes that\n   * happened between the latest history snapshot and the target\n   * timestamp. `null` when history is disabled for this vault — in\n   * that case time-machine reads fall back to history-only\n   * reconstruction (which may miss deletes).\n   */\n  getLedger(): LedgerStore | null\n}\n\n/**\n * A vault at a fixed instant. Produced by `vault.at(timestamp)`.\n * Carries no session state of its own — every read is a fresh\n * lookup through the vault's adapter.\n *\n * Cheap to construct; safe to throw away. Create one per query.\n */\nexport class VaultInstant {\n  constructor(\n    private readonly engine: VaultEngine,\n    /** Fully-resolved target timestamp (ISO-8601 UTC). */\n    public readonly timestamp: string,\n  ) {}\n\n  /** Get a point-in-time view of a collection. */\n  collection<T = unknown>(name: string): CollectionInstant<T> {\n    return new CollectionInstant<T>(this.engine, this.timestamp, name)\n  }\n}\n\n/**\n * A read-only collection view anchored to a past instant.\n *\n * Every write method throws {@link ReadOnlyAtInstantError} — see the\n * module docstring for why. The read surface is intentionally smaller\n * than the live {@link Collection}: `get` and `list` cover the\n * \"what did the books look like on date X\" use case without pulling\n * in the full query DSL / joins / aggregates at this stage. Follow-up\n * work tracked under.\n */\nexport class CollectionInstant<T = unknown> {\n  constructor(\n    private readonly engine: VaultEngine,\n    private readonly targetTs: string,\n    public readonly name: string,\n  ) {}\n\n  /**\n   * Return the record as it existed at the target timestamp, or\n   * `null` if the record had not been created yet or had already been\n   * deleted by then.\n   */\n  async get(id: string): Promise<T | null> {\n    const envelope = await this.resolveEnvelope(id)\n    if (!envelope) return null\n    const plaintext = this.engine.encrypted\n      ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name))\n      : envelope._data\n    return JSON.parse(plaintext) as T\n  }\n\n  /**\n   * IDs of records that existed (had at least one `put` and were not\n   * subsequently deleted) at the target timestamp.\n   *\n   * Implemented as a linear scan over history + ledger. Performance\n   * is bounded by total history size (not live-vault size), so the\n   * memory-first vault-scale cap (1K–50K records × average history\n   * depth) still applies.\n   */\n  async list(): Promise<string[]> {\n    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name)\n    const liveIds = await this.engine.adapter.list(this.engine.name, this.name)\n    const candidateIds = new Set<string>([...historyIds, ...liveIds])\n    const alive: string[] = []\n    for (const id of candidateIds) {\n      const env = await this.resolveEnvelope(id)\n      if (env) alive.push(id)\n    }\n    return alive.sort()\n  }\n\n  // ── write guards ───────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyAtInstantError('put', this.targetTs)\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyAtInstantError('delete', this.targetTs)\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyAtInstantError('update', this.targetTs)\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  /**\n   * Return the envelope that represents the record's state at\n   * `targetTs`, accounting for deletes. `null` if the record didn't\n   * exist at that instant.\n   *\n   * ## Why we use the ledger as the authoritative timeline\n   *\n   * The per-version history snapshots saved by `saveHistory()` do\n   * carry a `_ts` field, but that timestamp is the moment the\n   * snapshot was *captured* (i.e. the instant right before the\n   * subsequent overwrite), not the original write time. The ledger,\n   * by contrast, records `ts` at the moment of each `put` / `delete`\n   * — it's the only source that tracks the real timeline. So:\n   *\n   *   1. Walk the ledger; find the latest entry for `(collection, id)`\n   *      with `ts ≤ targetTs`.\n   *   2. If that entry is a `delete`, the record was gone at the\n   *      target instant — return null.\n   *   3. Otherwise it's a `put` with a specific `version`. Load the\n   *      envelope for that version from history, falling back to the\n   *      live collection for the most recent version.\n   *\n   * ## Fallback when the ledger is disabled\n   *\n   * If the vault has history disabled, `getLedger()` returns null and\n   * we fall back to comparing envelope `_ts` fields. This is\n   * approximate and gets the *last write* right but may confuse the\n   * intermediate versions; adopters needing accurate time-machine\n   * reads should leave history enabled.\n   */\n  private async resolveEnvelope(id: string): Promise<EncryptedEnvelope | null> {\n    const ledger = this.engine.getLedger()\n    if (ledger) {\n      return this.resolveViaLedger(id, ledger)\n    }\n    return this.resolveViaEnvelopeTs(id)\n  }\n\n  private async resolveViaLedger(id: string, ledger: LedgerStore): Promise<EncryptedEnvelope | null> {\n    const entries = await ledger.entries()\n    // Entries are already ordered by index which is the mutation order.\n    let latest: { op: 'put' | 'delete'; version: number } | null = null\n    for (const e of entries) {\n      if (e.collection !== this.name || e.id !== id) continue\n      if (e.ts > this.targetTs) break   // entries are time-ordered by index\n      latest = { op: e.op, version: e.version }\n    }\n    if (!latest) return null\n    if (latest.op === 'delete') return null\n    return this.loadVersion(id, latest.version)\n  }\n\n  private async resolveViaEnvelopeTs(id: string): Promise<EncryptedEnvelope | null> {\n    const history = await getHistory(\n      this.engine.adapter, this.engine.name, this.name, id,\n    )\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    const byVersion = new Map<number, EncryptedEnvelope>()\n    for (const e of history) byVersion.set(e._v, e)\n    if (live) byVersion.set(live._v, live)\n    const sorted = [...byVersion.values()].sort((a, b) =>\n      a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0,\n    )\n    return sorted.find((e) => e._ts <= this.targetTs) ?? null\n  }\n\n  /**\n   * Fetch the envelope for a specific version. The live record (most\n   * recent put) lives in the main collection; prior versions live in\n   * `_history`. We check live first because the common case after a\n   * delete is that we're trying to load the last-live version from\n   * history, and skipping live for the current-version case avoids a\n   * redundant lookup.\n   */\n  private async loadVersion(id: string, version: number): Promise<EncryptedEnvelope | null> {\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    if (live && live._v === version) return live\n\n    // Direct lookup by (collection, id, version) — avoids scanning all history.\n    const historyId = `${this.name}:${id}:${String(version).padStart(10, '0')}`\n    return await this.engine.adapter.get(this.engine.name, '_history', historyId)\n  }\n}\n\n/**\n * Scan the `_history` collection once and collect every distinct\n * `recordId` for the given collection. History keys follow the\n * shape `<collection>:<recordId>:<paddedVersion>`; we split on the\n * last two colons (delimiter-safe because `paddedVersion` is\n * exactly 10 digits).\n */\nasync function collectHistoryIds(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n): Promise<string[]> {\n  const all = await adapter.list(vault, '_history')\n  const prefix = `${collection}:`\n  const seen = new Set<string>()\n  for (const key of all) {\n    if (!key.startsWith(prefix)) continue\n    const lastColon = key.lastIndexOf(':')\n    if (lastColon <= prefix.length) continue\n    const middle = key.slice(prefix.length, lastColon)\n    seen.add(middle)\n  }\n  return [...seen]\n}\n","/**\n * Zero-dependency JSON diff.\n * Produces a flat list of changes between two plain objects.\n */\n\nexport type ChangeType = 'added' | 'removed' | 'changed'\n\nexport interface DiffEntry {\n  /** Dot-separated path to the changed field (e.g. \"address.city\"). */\n  readonly path: string\n  /** Type of change. */\n  readonly type: ChangeType\n  /** Previous value (undefined for 'added'). */\n  readonly from?: unknown\n  /** New value (undefined for 'removed'). */\n  readonly to?: unknown\n}\n\n/**\n * Compute differences between two objects.\n * Returns an array of DiffEntry describing each changed field.\n * Returns empty array if objects are identical.\n */\nexport function diff(oldObj: unknown, newObj: unknown, basePath = ''): DiffEntry[] {\n  const changes: DiffEntry[] = []\n\n  // Both primitives or nulls\n  if (oldObj === newObj) return changes\n\n  // One is null/undefined\n  if (oldObj == null && newObj != null) {\n    return [{ path: basePath || '(root)', type: 'added', to: newObj }]\n  }\n  if (oldObj != null && newObj == null) {\n    return [{ path: basePath || '(root)', type: 'removed', from: oldObj }]\n  }\n\n  // Different types\n  if (typeof oldObj !== typeof newObj) {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both primitives (and not equal — checked above)\n  if (typeof oldObj !== 'object') {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both arrays\n  if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n    const maxLen = Math.max(oldObj.length, newObj.length)\n    for (let i = 0; i < maxLen; i++) {\n      const p = basePath ? `${basePath}[${i}]` : `[${i}]`\n      if (i >= oldObj.length) {\n        changes.push({ path: p, type: 'added', to: newObj[i] })\n      } else if (i >= newObj.length) {\n        changes.push({ path: p, type: 'removed', from: oldObj[i] })\n      } else {\n        changes.push(...diff(oldObj[i], newObj[i], p))\n      }\n    }\n    return changes\n  }\n\n  // Both objects\n  const oldRecord = oldObj as Record<string, unknown>\n  const newRecord = newObj as Record<string, unknown>\n  const allKeys = new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)])\n\n  for (const key of allKeys) {\n    const p = basePath ? `${basePath}.${key}` : key\n    if (!(key in oldRecord)) {\n      changes.push({ path: p, type: 'added', to: newRecord[key] })\n    } else if (!(key in newRecord)) {\n      changes.push({ path: p, type: 'removed', from: oldRecord[key] })\n    } else {\n      changes.push(...diff(oldRecord[key], newRecord[key], p))\n    }\n  }\n\n  return changes\n}\n\n/** Format a diff as a human-readable string. */\nexport function formatDiff(changes: DiffEntry[]): string {\n  if (changes.length === 0) return '(no changes)'\n  return changes.map(c => {\n    switch (c.type) {\n      case 'added':\n        return `+ ${c.path}: ${JSON.stringify(c.to)}`\n      case 'removed':\n        return `- ${c.path}: ${JSON.stringify(c.from)}`\n      case 'changed':\n        return `~ ${c.path}: ${JSON.stringify(c.from)} → ${JSON.stringify(c.to)}`\n    }\n  }).join('\\n')\n}\n"],"mappings":";;;;;;;;AASA,IAAM,qBAAqB;AAC3B,IAAM,cAAc;AAEpB,SAAS,UAAU,YAAoB,UAAkB,SAAyB;AAChF,SAAO,GAAG,UAAU,IAAI,QAAQ,IAAI,OAAO,OAAO,EAAE,SAAS,aAAa,GAAG,CAAC;AAChF;AAkBA,SAAS,cAAc,IAAY,YAAoB,UAA4B;AACjF,MAAI,UAAU;AACZ,WAAO,GAAG,WAAW,GAAG,UAAU,IAAI,QAAQ,GAAG;AAAA,EACnD;AACA,SAAO,GAAG,WAAW,GAAG,UAAU,GAAG;AACvC;AAGA,eAAsB,YACpB,SACA,OACA,YACA,UACA,UACe;AACf,QAAM,KAAK,UAAU,YAAY,UAAU,SAAS,EAAE;AACtD,QAAM,QAAQ,IAAI,OAAO,oBAAoB,IAAI,QAAQ;AAC3D;AAGA,eAAsB,WACpB,SACA,OACA,YACA,UACA,SAC8B;AAC9B,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC,EACpD,KAAK,EACL,QAAQ;AAEX,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,aAAa;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,QAAI,CAAC,SAAU;AAGf,QAAI,SAAS,QAAQ,SAAS,MAAM,QAAQ,KAAM;AAClD,QAAI,SAAS,MAAM,SAAS,MAAM,QAAQ,GAAI;AAE9C,YAAQ,KAAK,QAAQ;AAErB,QAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,MAAO;AAAA,EACzD;AAEA,SAAO;AACT;AAGA,eAAsB,mBACpB,SACA,OACA,YACA,UACA,SACmC;AACnC,QAAM,KAAK,UAAU,YAAY,UAAU,OAAO;AAClD,SAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAClD;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACA,SACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,WAAW,cAAc,IAAI,YAAY,QAAQ,IAAI,cAAc,IAAI,UAAU,CAAC,EAC/F,KAAK;AAER,MAAI,WAAqB,CAAC;AAE1B,MAAI,QAAQ,iBAAiB,QAAW;AAEtC,UAAM,OAAO,QAAQ;AACrB,QAAI,YAAY,SAAS,MAAM;AAC7B,iBAAW,YAAY,MAAM,GAAG,YAAY,SAAS,IAAI;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AAEtB,eAAW,MAAM,aAAa;AAC5B,UAAI,SAAS,SAAS,EAAE,EAAG;AAC3B,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,UAAI,YAAY,SAAS,MAAM,QAAQ,YAAY;AACjD,iBAAS,KAAK,EAAE;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC;AAE3C,aAAW,MAAM,eAAe;AAC9B,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,cAAc;AACvB;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,MAAI;AAEJ,MAAI,cAAc,UAAU;AAC1B,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC;AAAA,EACxE,WAAW,YAAY;AACrB,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,UAAU,CAAC;AAAA,EAC9D,OAAO;AACL,eAAW;AAAA,EACb;AAEA,aAAW,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,SAAS;AAClB;;;AClEO,IAAM,eAAN,MAAmB;AAAA,EACxB,YACmB,QAED,WAChB;AAHiB;AAED;AAAA,EACf;AAAA,EAHgB;AAAA,EAED;AAAA;AAAA,EAIlB,WAAwB,MAAoC;AAC1D,WAAO,IAAI,kBAAqB,KAAK,QAAQ,KAAK,WAAW,IAAI;AAAA,EACnE;AACF;AAYO,IAAM,oBAAN,MAAqC;AAAA,EAC1C,YACmB,QACA,UACD,MAChB;AAHiB;AACA;AACD;AAAA,EACf;AAAA,EAHgB;AAAA,EACA;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlB,MAAM,IAAI,IAA+B;AACvC,UAAM,WAAW,MAAM,KAAK,gBAAgB,EAAE;AAC9C,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,YAAY,KAAK,OAAO,YAC1B,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,CAAC,IAC/E,SAAS;AACb,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAA0B;AAC9B,UAAM,aAAa,MAAM,kBAAkB,KAAK,OAAO,SAAS,KAAK,OAAO,MAAM,KAAK,IAAI;AAC3F,UAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,KAAK,KAAK,OAAO,MAAM,KAAK,IAAI;AAC1E,UAAM,eAAe,oBAAI,IAAY,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC;AAChE,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,cAAc;AAC7B,YAAM,MAAM,MAAM,KAAK,gBAAgB,EAAE;AACzC,UAAI,IAAK,OAAM,KAAK,EAAE;AAAA,IACxB;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,uBAAuB,OAAO,KAAK,QAAQ;AAAA,EACvD;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCA,MAAc,gBAAgB,IAA+C;AAC3E,UAAM,SAAS,KAAK,OAAO,UAAU;AACrC,QAAI,QAAQ;AACV,aAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,IACzC;AACA,WAAO,KAAK,qBAAqB,EAAE;AAAA,EACrC;AAAA,EAEA,MAAc,iBAAiB,IAAY,QAAwD;AACjG,UAAM,UAAU,MAAM,OAAO,QAAQ;AAErC,QAAI,SAA2D;AAC/D,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,eAAe,KAAK,QAAQ,EAAE,OAAO,GAAI;AAC/C,UAAI,EAAE,KAAK,KAAK,SAAU;AAC1B,eAAS,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,QAAQ;AAAA,IAC1C;AACA,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,OAAO,SAAU,QAAO;AACnC,WAAO,KAAK,YAAY,IAAI,OAAO,OAAO;AAAA,EAC5C;AAAA,EAEA,MAAc,qBAAqB,IAA+C;AAChF,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK,OAAO;AAAA,MAAS,KAAK,OAAO;AAAA,MAAM,KAAK;AAAA,MAAM;AAAA,IACpD;AACA,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,UAAM,YAAY,oBAAI,IAA+B;AACrD,eAAW,KAAK,QAAS,WAAU,IAAI,EAAE,IAAI,CAAC;AAC9C,QAAI,KAAM,WAAU,IAAI,KAAK,IAAI,IAAI;AACrC,UAAM,SAAS,CAAC,GAAG,UAAU,OAAO,CAAC,EAAE;AAAA,MAAK,CAAC,GAAG,MAC9C,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK;AAAA,IAC3C;AACA,WAAO,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,KAAK,QAAQ,KAAK;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,YAAY,IAAY,SAAoD;AACxF,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,QAAI,QAAQ,KAAK,OAAO,QAAS,QAAO;AAGxC,UAAMA,aAAY,GAAG,KAAK,IAAI,IAAI,EAAE,IAAI,OAAO,OAAO,EAAE,SAAS,IAAI,GAAG,CAAC;AACzE,WAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,YAAYA,UAAS;AAAA,EAC9E;AACF;AASA,eAAe,kBACb,SACA,OACA,YACmB;AACnB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,QAAM,SAAS,GAAG,UAAU;AAC5B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,YAAY,IAAI,YAAY,GAAG;AACrC,QAAI,aAAa,OAAO,OAAQ;AAChC,UAAM,SAAS,IAAI,MAAM,OAAO,QAAQ,SAAS;AACjD,SAAK,IAAI,MAAM;AAAA,EACjB;AACA,SAAO,CAAC,GAAG,IAAI;AACjB;;;ACnQO,SAAS,KAAK,QAAiB,QAAiB,WAAW,IAAiB;AACjF,QAAM,UAAuB,CAAC;AAG9B,MAAI,WAAW,OAAQ,QAAO;AAG9B,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,SAAS,IAAI,OAAO,CAAC;AAAA,EACnE;AACA,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,OAAO,CAAC;AAAA,EACvE;AAGA,MAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,MAAM,QAAQ,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAG;AAClD,UAAM,SAAS,KAAK,IAAI,OAAO,QAAQ,OAAO,MAAM;AACpD,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,YAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC;AAChD,UAAI,KAAK,OAAO,QAAQ;AACtB,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,EAAE,CAAC;AAAA,MACxD,WAAW,KAAK,OAAO,QAAQ;AAC7B,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,OAAO,CAAC,EAAE,CAAC;AAAA,MAC5D,OAAO;AACL,gBAAQ,KAAK,GAAG,KAAK,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAAA,MAC/C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY;AAClB,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,SAAS,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC;AAE9E,aAAW,OAAO,SAAS;AACzB,UAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,GAAG,KAAK;AAC5C,QAAI,EAAE,OAAO,YAAY;AACvB,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,UAAU,GAAG,EAAE,CAAC;AAAA,IAC7D,WAAW,EAAE,OAAO,YAAY;AAC9B,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,UAAU,GAAG,EAAE,CAAC;AAAA,IACjE,OAAO;AACL,cAAQ,KAAK,GAAG,KAAK,UAAU,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AACT;AAGO,SAAS,WAAW,SAA8B;AACvD,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,SAAO,QAAQ,IAAI,OAAK;AACtB,YAAQ,EAAE,MAAM;AAAA,MACd,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,MAC7C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,MAC/C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC,WAAM,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,IAC3E;AAAA,EACF,CAAC,EAAE,KAAK,IAAI;AACd;","names":["historyId"]}
+{"version":3,"sources":["../src/history/history.ts","../src/history/time-machine.ts","../src/history/diff.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope, HistoryOptions, PruneOptions } from '../types.js'\n\n/**\n * History storage convention:\n * Collection: `_history`\n * ID format: `{collection}:{recordId}:{paddedVersion}`\n * Version is zero-padded to 10 digits for lexicographic sorting.\n */\n\nconst HISTORY_COLLECTION = '_history'\nconst VERSION_PAD = 10\n\nfunction historyId(collection: string, recordId: string, version: number): string {\n  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, '0')}`\n}\n\n// Unused today, kept for future history-id parsing utilities.\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nfunction parseHistoryId(id: string): { collection: string; recordId: string; version: number } | null {\n  const lastColon = id.lastIndexOf(':')\n  if (lastColon < 0) return null\n  const versionStr = id.slice(lastColon + 1)\n  const rest = id.slice(0, lastColon)\n  const firstColon = rest.indexOf(':')\n  if (firstColon < 0) return null\n  return {\n    collection: rest.slice(0, firstColon),\n    recordId: rest.slice(firstColon + 1),\n    version: parseInt(versionStr, 10),\n  }\n}\n\nfunction matchesPrefix(id: string, collection: string, recordId?: string): boolean {\n  if (recordId) {\n    return id.startsWith(`${collection}:${recordId}:`)\n  }\n  return id.startsWith(`${collection}:`)\n}\n\n/** Save a history entry (a complete encrypted envelope snapshot). */\nexport async function saveHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  envelope: EncryptedEnvelope,\n): Promise<void> {\n  const id = historyId(collection, recordId, envelope._v)\n  await adapter.put(vault, HISTORY_COLLECTION, id, envelope)\n}\n\n/** Get history entries for a record, sorted newest-first. */\nexport async function getHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  options?: HistoryOptions,\n): Promise<EncryptedEnvelope[]> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => matchesPrefix(id, collection, recordId))\n    .sort()\n    .reverse() // newest first\n\n  const entries: EncryptedEnvelope[] = []\n\n  for (const id of matchingIds) {\n    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n    if (!envelope) continue\n\n    // Apply time filters\n    if (options?.from && envelope._ts < options.from) continue\n    if (options?.to && envelope._ts > options.to) continue\n\n    entries.push(envelope)\n\n    if (options?.limit && entries.length >= options.limit) break\n  }\n\n  return entries\n}\n\n/** Get a specific version's envelope from history. */\nexport async function getVersionEnvelope(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  version: number,\n): Promise<EncryptedEnvelope | null> {\n  const id = historyId(collection, recordId, version)\n  return adapter.get(vault, HISTORY_COLLECTION, id)\n}\n\n/** Prune history entries. Returns the number of entries deleted. */\nexport async function pruneHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string | undefined,\n  options: PruneOptions,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection))\n    .sort()\n\n  let toDelete: string[] = []\n\n  if (options.keepVersions !== undefined) {\n    // Keep only the N most recent, delete the rest\n    const keep = options.keepVersions\n    if (matchingIds.length > keep) {\n      toDelete = matchingIds.slice(0, matchingIds.length - keep)\n    }\n  }\n\n  if (options.beforeDate) {\n    // Delete entries older than the specified date\n    for (const id of matchingIds) {\n      if (toDelete.includes(id)) continue\n      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n      if (envelope && envelope._ts < options.beforeDate) {\n        toDelete.push(id)\n      }\n    }\n  }\n\n  // Deduplicate\n  const uniqueDeletes = [...new Set(toDelete)]\n\n  for (const id of uniqueDeletes) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return uniqueDeletes.length\n}\n\n/** Clear all history for a vault, optionally scoped to a collection or record. */\nexport async function clearHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection?: string,\n  recordId?: string,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  let toDelete: string[]\n\n  if (collection && recordId) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection, recordId))\n  } else if (collection) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection))\n  } else {\n    toDelete = allIds\n  }\n\n  for (const id of toDelete) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return toDelete.length\n}\n","/**\n * Time-machine queries — point-in-time reads reconstructed from the\n * existing history + ledger infrastructure.\n *\n * ## Usage\n *\n * ```ts\n * const vault = await db.openVault('acme', { passphrase })\n * const q1End = vault.at('2026-03-31T23:59:59Z')\n * const invoice = await q1End.collection<Invoice>('invoices').get('inv-001')\n * // → the record as it stood at the close of Q1 2026\n * ```\n *\n * ## How it works\n *\n * Every write path already fans out into two persistence lanes:\n *\n * 1. `saveHistory(...)` persists a **full encrypted envelope snapshot**\n *    per version under the `_history` collection (one envelope per\n *    version, keyed by `{collection}:{id}:{paddedVersion}`). Each\n *    envelope carries its own `_ts` (the write timestamp).\n * 2. `ledger.append(...)` appends a hash-chained audit entry that\n *    records the `op` (put / delete), `version`, and `ts`.\n *\n * Reconstruction at a target timestamp T is therefore:\n *\n * - Find the newest history envelope for `(collection, id)` whose\n *   `_ts ≤ T` — that's the state the record was in at T.\n * - Check the ledger for any `op: 'delete'` entry for the same\n *   `(collection, id)` with `entry.ts` in `(latestEnvelope._ts, T]` —\n *   if present, the record was deleted before T, so return `null`.\n * - Decrypt the surviving envelope with the current collection DEK\n *   (DEKs are per-collection but stable across versions — the same\n *   key encrypts v1 and v15 of a record).\n *\n * No delta replay. The existing `history.ts` module already stores\n * complete snapshots; we just pick the right one.\n *\n * ## Read-only contract\n *\n * Every write method on `CollectionInstant` throws\n * {@link ReadOnlyAtInstantError}. A historical view is a *read*\n * surface — mutating the past would require either a branch/shadow\n * mechanism (tracked under shadow vaults) or a rewrite of\n * history, which breaks the ledger's tamper-evidence guarantee.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport type { LedgerStore } from './ledger/store.js'\nimport { getHistory } from './history.js'\nimport { decrypt } from '../crypto.js'\nimport { ReadOnlyAtInstantError } from '../errors.js'\n\n/**\n * Narrow view of a {@link Vault}'s internals that\n * {@link VaultInstant} needs. Passed in by `Vault.at()` rather than\n * constructed here so all crypto + adapter access stays inside the\n * Vault class.\n *\n * Not exported from the public barrel — consumers should get a\n * `VaultInstant` via `vault.at(ts)`, never by constructing one\n * directly.\n */\nexport interface VaultEngine {\n  readonly adapter: NoydbStore\n  /** Vault name (the compartment). */\n  readonly name: string\n  /**\n   * `true` when the vault was opened with a passphrase (the normal\n   * case). `false` in plaintext-mode vaults (`encrypt: false`) — in\n   * that case `envelope._data` is raw JSON and we skip the DEK lookup.\n   */\n  readonly encrypted: boolean\n  /**\n   * Resolves the DEK used to decrypt a given collection's envelopes.\n   * Not called when `encrypted` is false.\n   */\n  getDEK(collection: string): Promise<CryptoKey>\n  /**\n   * Lazily-initialised ledger. We consult it to detect deletes that\n   * happened between the latest history snapshot and the target\n   * timestamp. `null` when history is disabled for this vault — in\n   * that case time-machine reads fall back to history-only\n   * reconstruction (which may miss deletes).\n   */\n  getLedger(): LedgerStore | null\n}\n\n/**\n * A vault at a fixed instant. Produced by `vault.at(timestamp)`.\n * Carries no session state of its own — every read is a fresh\n * lookup through the vault's adapter.\n *\n * Cheap to construct; safe to throw away. Create one per query.\n */\nexport class VaultInstant {\n  constructor(\n    private readonly engine: VaultEngine,\n    /** Fully-resolved target timestamp (ISO-8601 UTC). */\n    public readonly timestamp: string,\n  ) {}\n\n  /** Get a point-in-time view of a collection. */\n  collection<T = unknown>(name: string): CollectionInstant<T> {\n    return new CollectionInstant<T>(this.engine, this.timestamp, name)\n  }\n}\n\n/**\n * A read-only collection view anchored to a past instant.\n *\n * Every write method throws {@link ReadOnlyAtInstantError} — see the\n * module docstring for why. The read surface is intentionally smaller\n * than the live {@link Collection}: `get` and `list` cover the\n * \"what did the books look like on date X\" use case without pulling\n * in the full query DSL / joins / aggregates at this stage. Follow-up\n * work tracked under.\n */\nexport class CollectionInstant<T = unknown> {\n  constructor(\n    private readonly engine: VaultEngine,\n    private readonly targetTs: string,\n    public readonly name: string,\n  ) {}\n\n  /**\n   * Return the record as it existed at the target timestamp, or\n   * `null` if the record had not been created yet or had already been\n   * deleted by then.\n   */\n  async get(id: string): Promise<T | null> {\n    const envelope = await this.resolveEnvelope(id)\n    if (!envelope) return null\n    const plaintext = this.engine.encrypted\n      ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name))\n      : envelope._data\n    return JSON.parse(plaintext) as T\n  }\n\n  /**\n   * IDs of records that existed (had at least one `put` and were not\n   * subsequently deleted) at the target timestamp.\n   *\n   * Implemented as a linear scan over history + ledger. Performance\n   * is bounded by total history size (not live-vault size), so the\n   * memory-first vault-scale cap (1K–50K records × average history\n   * depth) still applies.\n   */\n  async list(): Promise<string[]> {\n    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name)\n    const liveIds = await this.engine.adapter.list(this.engine.name, this.name)\n    const candidateIds = new Set<string>([...historyIds, ...liveIds])\n    const alive: string[] = []\n    for (const id of candidateIds) {\n      const env = await this.resolveEnvelope(id)\n      if (env) alive.push(id)\n    }\n    return alive.sort()\n  }\n\n  // ── write guards ───────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyAtInstantError('put', this.targetTs)\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyAtInstantError('delete', this.targetTs)\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyAtInstantError('update', this.targetTs)\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  /**\n   * Return the envelope that represents the record's state at\n   * `targetTs`, accounting for deletes. `null` if the record didn't\n   * exist at that instant.\n   *\n   * ## Why we use the ledger as the authoritative timeline\n   *\n   * The per-version history snapshots saved by `saveHistory()` do\n   * carry a `_ts` field, but that timestamp is the moment the\n   * snapshot was *captured* (i.e. the instant right before the\n   * subsequent overwrite), not the original write time. The ledger,\n   * by contrast, records `ts` at the moment of each `put` / `delete`\n   * — it's the only source that tracks the real timeline. So:\n   *\n   *   1. Walk the ledger; find the latest entry for `(collection, id)`\n   *      with `ts ≤ targetTs`.\n   *   2. If that entry is a `delete`, the record was gone at the\n   *      target instant — return null.\n   *   3. Otherwise it's a `put` with a specific `version`. Load the\n   *      envelope for that version from history, falling back to the\n   *      live collection for the most recent version.\n   *\n   * ## Fallback when the ledger is disabled\n   *\n   * If the vault has history disabled, `getLedger()` returns null and\n   * we fall back to comparing envelope `_ts` fields. This is\n   * approximate and gets the *last write* right but may confuse the\n   * intermediate versions; adopters needing accurate time-machine\n   * reads should leave history enabled.\n   */\n  private async resolveEnvelope(id: string): Promise<EncryptedEnvelope | null> {\n    const ledger = this.engine.getLedger()\n    if (ledger) {\n      return this.resolveViaLedger(id, ledger)\n    }\n    return this.resolveViaEnvelopeTs(id)\n  }\n\n  private async resolveViaLedger(id: string, ledger: LedgerStore): Promise<EncryptedEnvelope | null> {\n    const entries = await ledger.entries()\n    // Entries are already ordered by index which is the mutation order.\n    let latest: { op: 'put' | 'delete'; version: number } | null = null\n    for (const e of entries) {\n      if (e.collection !== this.name || e.id !== id) continue\n      if (e.ts > this.targetTs) break   // entries are time-ordered by index\n      // `amendment` entries are audit-only summaries — they carry no\n      // (collection, id) tuple of their own and would never match the\n      // filter above. The narrow here is a type guard, not a runtime\n      // skip.\n      if (e.op === 'amendment') continue\n      latest = { op: e.op, version: e.version }\n    }\n    if (!latest) return null\n    if (latest.op === 'delete') return null\n    return this.loadVersion(id, latest.version)\n  }\n\n  private async resolveViaEnvelopeTs(id: string): Promise<EncryptedEnvelope | null> {\n    const history = await getHistory(\n      this.engine.adapter, this.engine.name, this.name, id,\n    )\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    const byVersion = new Map<number, EncryptedEnvelope>()\n    for (const e of history) byVersion.set(e._v, e)\n    if (live) byVersion.set(live._v, live)\n    const sorted = [...byVersion.values()].sort((a, b) =>\n      a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0,\n    )\n    return sorted.find((e) => e._ts <= this.targetTs) ?? null\n  }\n\n  /**\n   * Fetch the envelope for a specific version. The live record (most\n   * recent put) lives in the main collection; prior versions live in\n   * `_history`. We check live first because the common case after a\n   * delete is that we're trying to load the last-live version from\n   * history, and skipping live for the current-version case avoids a\n   * redundant lookup.\n   */\n  private async loadVersion(id: string, version: number): Promise<EncryptedEnvelope | null> {\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    if (live && live._v === version) return live\n\n    // Direct lookup by (collection, id, version) — avoids scanning all history.\n    const historyId = `${this.name}:${id}:${String(version).padStart(10, '0')}`\n    return await this.engine.adapter.get(this.engine.name, '_history', historyId)\n  }\n}\n\n/**\n * Scan the `_history` collection once and collect every distinct\n * `recordId` for the given collection. History keys follow the\n * shape `<collection>:<recordId>:<paddedVersion>`; we split on the\n * last two colons (delimiter-safe because `paddedVersion` is\n * exactly 10 digits).\n */\nasync function collectHistoryIds(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n): Promise<string[]> {\n  const all = await adapter.list(vault, '_history')\n  const prefix = `${collection}:`\n  const seen = new Set<string>()\n  for (const key of all) {\n    if (!key.startsWith(prefix)) continue\n    const lastColon = key.lastIndexOf(':')\n    if (lastColon <= prefix.length) continue\n    const middle = key.slice(prefix.length, lastColon)\n    seen.add(middle)\n  }\n  return [...seen]\n}\n","/**\n * Zero-dependency JSON diff.\n * Produces a flat list of changes between two plain objects.\n */\n\nexport type ChangeType = 'added' | 'removed' | 'changed'\n\nexport interface DiffEntry {\n  /** Dot-separated path to the changed field (e.g. \"address.city\"). */\n  readonly path: string\n  /** Type of change. */\n  readonly type: ChangeType\n  /** Previous value (undefined for 'added'). */\n  readonly from?: unknown\n  /** New value (undefined for 'removed'). */\n  readonly to?: unknown\n}\n\n/**\n * Compute differences between two objects.\n * Returns an array of DiffEntry describing each changed field.\n * Returns empty array if objects are identical.\n */\nexport function diff(oldObj: unknown, newObj: unknown, basePath = ''): DiffEntry[] {\n  const changes: DiffEntry[] = []\n\n  // Both primitives or nulls\n  if (oldObj === newObj) return changes\n\n  // One is null/undefined\n  if (oldObj == null && newObj != null) {\n    return [{ path: basePath || '(root)', type: 'added', to: newObj }]\n  }\n  if (oldObj != null && newObj == null) {\n    return [{ path: basePath || '(root)', type: 'removed', from: oldObj }]\n  }\n\n  // Different types\n  if (typeof oldObj !== typeof newObj) {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both primitives (and not equal — checked above)\n  if (typeof oldObj !== 'object') {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both arrays\n  if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n    const maxLen = Math.max(oldObj.length, newObj.length)\n    for (let i = 0; i < maxLen; i++) {\n      const p = basePath ? `${basePath}[${i}]` : `[${i}]`\n      if (i >= oldObj.length) {\n        changes.push({ path: p, type: 'added', to: newObj[i] })\n      } else if (i >= newObj.length) {\n        changes.push({ path: p, type: 'removed', from: oldObj[i] })\n      } else {\n        changes.push(...diff(oldObj[i], newObj[i], p))\n      }\n    }\n    return changes\n  }\n\n  // Both objects\n  const oldRecord = oldObj as Record<string, unknown>\n  const newRecord = newObj as Record<string, unknown>\n  const allKeys = new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)])\n\n  for (const key of allKeys) {\n    const p = basePath ? `${basePath}.${key}` : key\n    if (!(key in oldRecord)) {\n      changes.push({ path: p, type: 'added', to: newRecord[key] })\n    } else if (!(key in newRecord)) {\n      changes.push({ path: p, type: 'removed', from: oldRecord[key] })\n    } else {\n      changes.push(...diff(oldRecord[key], newRecord[key], p))\n    }\n  }\n\n  return changes\n}\n\n/** Format a diff as a human-readable string. */\nexport function formatDiff(changes: DiffEntry[]): string {\n  if (changes.length === 0) return '(no changes)'\n  return changes.map(c => {\n    switch (c.type) {\n      case 'added':\n        return `+ ${c.path}: ${JSON.stringify(c.to)}`\n      case 'removed':\n        return `- ${c.path}: ${JSON.stringify(c.from)}`\n      case 'changed':\n        return `~ ${c.path}: ${JSON.stringify(c.from)} → ${JSON.stringify(c.to)}`\n    }\n  }).join('\\n')\n}\n"],"mappings":";;;;;;;;AASA,IAAM,qBAAqB;AAC3B,IAAM,cAAc;AAEpB,SAAS,UAAU,YAAoB,UAAkB,SAAyB;AAChF,SAAO,GAAG,UAAU,IAAI,QAAQ,IAAI,OAAO,OAAO,EAAE,SAAS,aAAa,GAAG,CAAC;AAChF;AAkBA,SAAS,cAAc,IAAY,YAAoB,UAA4B;AACjF,MAAI,UAAU;AACZ,WAAO,GAAG,WAAW,GAAG,UAAU,IAAI,QAAQ,GAAG;AAAA,EACnD;AACA,SAAO,GAAG,WAAW,GAAG,UAAU,GAAG;AACvC;AAGA,eAAsB,YACpB,SACA,OACA,YACA,UACA,UACe;AACf,QAAM,KAAK,UAAU,YAAY,UAAU,SAAS,EAAE;AACtD,QAAM,QAAQ,IAAI,OAAO,oBAAoB,IAAI,QAAQ;AAC3D;AAGA,eAAsB,WACpB,SACA,OACA,YACA,UACA,SAC8B;AAC9B,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC,EACpD,KAAK,EACL,QAAQ;AAEX,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,aAAa;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,QAAI,CAAC,SAAU;AAGf,QAAI,SAAS,QAAQ,SAAS,MAAM,QAAQ,KAAM;AAClD,QAAI,SAAS,MAAM,SAAS,MAAM,QAAQ,GAAI;AAE9C,YAAQ,KAAK,QAAQ;AAErB,QAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,MAAO;AAAA,EACzD;AAEA,SAAO;AACT;AAGA,eAAsB,mBACpB,SACA,OACA,YACA,UACA,SACmC;AACnC,QAAM,KAAK,UAAU,YAAY,UAAU,OAAO;AAClD,SAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAClD;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACA,SACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,WAAW,cAAc,IAAI,YAAY,QAAQ,IAAI,cAAc,IAAI,UAAU,CAAC,EAC/F,KAAK;AAER,MAAI,WAAqB,CAAC;AAE1B,MAAI,QAAQ,iBAAiB,QAAW;AAEtC,UAAM,OAAO,QAAQ;AACrB,QAAI,YAAY,SAAS,MAAM;AAC7B,iBAAW,YAAY,MAAM,GAAG,YAAY,SAAS,IAAI;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AAEtB,eAAW,MAAM,aAAa;AAC5B,UAAI,SAAS,SAAS,EAAE,EAAG;AAC3B,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,UAAI,YAAY,SAAS,MAAM,QAAQ,YAAY;AACjD,iBAAS,KAAK,EAAE;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC;AAE3C,aAAW,MAAM,eAAe;AAC9B,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,cAAc;AACvB;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,MAAI;AAEJ,MAAI,cAAc,UAAU;AAC1B,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC;AAAA,EACxE,WAAW,YAAY;AACrB,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,UAAU,CAAC;AAAA,EAC9D,OAAO;AACL,eAAW;AAAA,EACb;AAEA,aAAW,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,SAAS;AAClB;;;AClEO,IAAM,eAAN,MAAmB;AAAA,EACxB,YACmB,QAED,WAChB;AAHiB;AAED;AAAA,EACf;AAAA,EAHgB;AAAA,EAED;AAAA;AAAA,EAIlB,WAAwB,MAAoC;AAC1D,WAAO,IAAI,kBAAqB,KAAK,QAAQ,KAAK,WAAW,IAAI;AAAA,EACnE;AACF;AAYO,IAAM,oBAAN,MAAqC;AAAA,EAC1C,YACmB,QACA,UACD,MAChB;AAHiB;AACA;AACD;AAAA,EACf;AAAA,EAHgB;AAAA,EACA;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlB,MAAM,IAAI,IAA+B;AACvC,UAAM,WAAW,MAAM,KAAK,gBAAgB,EAAE;AAC9C,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,YAAY,KAAK,OAAO,YAC1B,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,CAAC,IAC/E,SAAS;AACb,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAA0B;AAC9B,UAAM,aAAa,MAAM,kBAAkB,KAAK,OAAO,SAAS,KAAK,OAAO,MAAM,KAAK,IAAI;AAC3F,UAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,KAAK,KAAK,OAAO,MAAM,KAAK,IAAI;AAC1E,UAAM,eAAe,oBAAI,IAAY,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC;AAChE,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,cAAc;AAC7B,YAAM,MAAM,MAAM,KAAK,gBAAgB,EAAE;AACzC,UAAI,IAAK,OAAM,KAAK,EAAE;AAAA,IACxB;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,uBAAuB,OAAO,KAAK,QAAQ;AAAA,EACvD;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCA,MAAc,gBAAgB,IAA+C;AAC3E,UAAM,SAAS,KAAK,OAAO,UAAU;AACrC,QAAI,QAAQ;AACV,aAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,IACzC;AACA,WAAO,KAAK,qBAAqB,EAAE;AAAA,EACrC;AAAA,EAEA,MAAc,iBAAiB,IAAY,QAAwD;AACjG,UAAM,UAAU,MAAM,OAAO,QAAQ;AAErC,QAAI,SAA2D;AAC/D,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,eAAe,KAAK,QAAQ,EAAE,OAAO,GAAI;AAC/C,UAAI,EAAE,KAAK,KAAK,SAAU;AAK1B,UAAI,EAAE,OAAO,YAAa;AAC1B,eAAS,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,QAAQ;AAAA,IAC1C;AACA,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,OAAO,SAAU,QAAO;AACnC,WAAO,KAAK,YAAY,IAAI,OAAO,OAAO;AAAA,EAC5C;AAAA,EAEA,MAAc,qBAAqB,IAA+C;AAChF,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK,OAAO;AAAA,MAAS,KAAK,OAAO;AAAA,MAAM,KAAK;AAAA,MAAM;AAAA,IACpD;AACA,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,UAAM,YAAY,oBAAI,IAA+B;AACrD,eAAW,KAAK,QAAS,WAAU,IAAI,EAAE,IAAI,CAAC;AAC9C,QAAI,KAAM,WAAU,IAAI,KAAK,IAAI,IAAI;AACrC,UAAM,SAAS,CAAC,GAAG,UAAU,OAAO,CAAC,EAAE;AAAA,MAAK,CAAC,GAAG,MAC9C,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK;AAAA,IAC3C;AACA,WAAO,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,KAAK,QAAQ,KAAK;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,YAAY,IAAY,SAAoD;AACxF,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,QAAI,QAAQ,KAAK,OAAO,QAAS,QAAO;AAGxC,UAAMA,aAAY,GAAG,KAAK,IAAI,IAAI,EAAE,IAAI,OAAO,OAAO,EAAE,SAAS,IAAI,GAAG,CAAC;AACzE,WAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,YAAYA,UAAS;AAAA,EAC9E;AACF;AASA,eAAe,kBACb,SACA,OACA,YACmB;AACnB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,QAAM,SAAS,GAAG,UAAU;AAC5B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,YAAY,IAAI,YAAY,GAAG;AACrC,QAAI,aAAa,OAAO,OAAQ;AAChC,UAAM,SAAS,IAAI,MAAM,OAAO,QAAQ,SAAS;AACjD,SAAK,IAAI,MAAM;AAAA,EACjB;AACA,SAAO,CAAC,GAAG,IAAI;AACjB;;;ACxQO,SAAS,KAAK,QAAiB,QAAiB,WAAW,IAAiB;AACjF,QAAM,UAAuB,CAAC;AAG9B,MAAI,WAAW,OAAQ,QAAO;AAG9B,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,SAAS,IAAI,OAAO,CAAC;AAAA,EACnE;AACA,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,OAAO,CAAC;AAAA,EACvE;AAGA,MAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,MAAM,QAAQ,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAG;AAClD,UAAM,SAAS,KAAK,IAAI,OAAO,QAAQ,OAAO,MAAM;AACpD,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,YAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC;AAChD,UAAI,KAAK,OAAO,QAAQ;AACtB,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,EAAE,CAAC;AAAA,MACxD,WAAW,KAAK,OAAO,QAAQ;AAC7B,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,OAAO,CAAC,EAAE,CAAC;AAAA,MAC5D,OAAO;AACL,gBAAQ,KAAK,GAAG,KAAK,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAAA,MAC/C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY;AAClB,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,SAAS,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC;AAE9E,aAAW,OAAO,SAAS;AACzB,UAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,GAAG,KAAK;AAC5C,QAAI,EAAE,OAAO,YAAY;AACvB,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,UAAU,GAAG,EAAE,CAAC;AAAA,IAC7D,WAAW,EAAE,OAAO,YAAY;AAC9B,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,UAAU,GAAG,EAAE,CAAC;AAAA,IACjE,OAAO;AACL,cAAQ,KAAK,GAAG,KAAK,UAAU,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AACT;AAGO,SAAS,WAAW,SAA8B;AACvD,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,SAAO,QAAQ,IAAI,OAAK;AACtB,YAAQ,EAAE,MAAM;AAAA,MACd,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,MAC7C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,MAC/C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC,WAAM,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,IAC3E;AAAA,EACF,CAAC,EAAE,KAAK,IAAI;AACd;","names":["historyId"]}

package/dist/chunk-MKSA2V7A.js

@@ -0,0 +1,19 @@
+import {
+  ValidationError
+} from "./chunk-ADQ5MQ54.js";
+
+// src/guards/with-guard.ts
+function withGuard(strategy) {
+  if (!strategy.collection || strategy.collection.length === 0) {
+    throw new ValidationError("withGuard: collection name is required");
+  }
+  return {
+    __noydb_strategy: "guard",
+    spec: strategy
+  };
+}
+
+export {
+  withGuard
+};
+//# sourceMappingURL=chunk-MKSA2V7A.js.map

package/dist/chunk-MKSA2V7A.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/with-guard.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { GuardStrategy, GuardStrategyHandle } from './types.js'\n\n/**\n * Register a guard for a collection. Guards run on every `put()` /\n * `delete()` for the named collection (after permissions, before\n * encryption) and may:\n *\n *   - `check` — block writes by throwing (typically `RecordLockedError`)\n *   - `frozenFields` — freeze specific fields once a condition is true\n *   - `amendment` — declare an authorized-override path with invariant\n *\n * Pass the returned handle to `createNoydb({ strategies: [...] })`.\n *\n * @see docs/superpowers/specs/2026-05-18-guards-design.md\n */\nexport function withGuard<T extends Record<string, unknown>>(\n  strategy: GuardStrategy<T>,\n): GuardStrategyHandle<T> {\n  if (!strategy.collection || strategy.collection.length === 0) {\n    throw new ValidationError('withGuard: collection name is required')\n  }\n  return {\n    __noydb_strategy: 'guard',\n    spec: strategy,\n  }\n}\n"],"mappings":";;;;;AAgBO,SAAS,UACd,UACwB;AACxB,MAAI,CAAC,SAAS,cAAc,SAAS,WAAW,WAAW,GAAG;AAC5D,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB,MAAM;AAAA,EACR;AACF;","names":[]}

package/dist/{chunk-M5INGEFC.js → chunk-MRIBLZL3.js}

@@ -61,6 +61,8 @@ function evaluateClause(record, clause) {
       return evaluateFieldClause(record, clause);
     case "filter":
       return clause.fn(record);
+    case "wherePredicate":
+      return clause.fn(record, clause.ctx);
     case "group":
       if (clause.op === "and") {
         for (const child of clause.clauses) {
@@ -81,4 +83,4 @@ export {
   evaluateFieldClause,
   evaluateClause
 };
-//# sourceMappingURL=chunk-M5INGEFC.js.map
+//# sourceMappingURL=chunk-MRIBLZL3.js.map

package/dist/chunk-MRIBLZL3.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/query/predicate.ts"],"sourcesContent":["/**\n * Operator implementations for the query DSL.\n *\n * All predicates run client-side, AFTER decryption — they never see ciphertext.\n * This file is dependency-free and tree-shakeable.\n */\n\n/** Comparison operators supported by the where() builder. */\nexport type Operator =\n  | '=='\n  | '!='\n  | '<'\n  | '<='\n  | '>'\n  | '>='\n  | 'in'\n  | 'contains'\n  | 'startsWith'\n  | 'between'\n\n/**\n * A single field comparison clause inside a query plan.\n * Plans are JSON-serializable, so this type uses primitives only.\n */\nexport interface FieldClause {\n  readonly type: 'field'\n  readonly field: string\n  readonly op: Operator\n  readonly value: unknown\n}\n\n/**\n * A user-supplied predicate function escape hatch. Not serializable.\n *\n * The predicate accepts `unknown` at the type level so the surrounding\n * Clause type can stay non-parametric — this keeps Collection<T> covariant\n * in T at the public API surface. Builder methods cast user predicates\n * (typed `(record: T) => boolean`) into this shape on the way in.\n */\nexport interface FilterClause {\n  readonly type: 'filter'\n  readonly fn: (record: unknown) => boolean\n}\n\n/**\n * A declared deterministic predicate reference (#153). The query\n * builder produces this via `.wherePredicate(name, ctx?)` when a\n * Query has been augmented with a predicates map (typically by the\n * materialized-view registry — see MV v2 spec § Function-based\n * source-row predicates).\n *\n * `predicateHash` is the consumer-supplied stable hash for the\n * function body; `ctxHash` is the canonical-JSON SHA-256 of `ctx`.\n * Both fold into the MV's `queryHash` so a function or ctx change\n * forces refresh on next visit.\n *\n * `fn` is resolved at builder time from the predicates map and\n * embedded directly — so `evaluateClause` can fire it without a\n * runtime lookup.\n */\nexport interface WherePredicateClause {\n  readonly type: 'wherePredicate'\n  readonly name: string\n  readonly ctx: unknown\n  readonly predicateHash: string\n  readonly ctxHash: string\n  readonly fn: (record: unknown, ctx?: unknown) => boolean\n}\n\n/** A logical group of clauses combined by AND or OR. */\nexport interface GroupClause {\n  readonly type: 'group'\n  readonly op: 'and' | 'or'\n  readonly clauses: readonly Clause[]\n}\n\nexport type Clause = FieldClause | FilterClause | WherePredicateClause | GroupClause\n\n/**\n * Read a possibly nested field path like \"address.city\" from a record.\n * Returns undefined if any segment is missing.\n */\nexport function readPath(record: unknown, path: string): unknown {\n  if (record === null || record === undefined) return undefined\n  if (!path.includes('.')) {\n    return (record as Record<string, unknown>)[path]\n  }\n  const segments = path.split('.')\n  let cursor: unknown = record\n  for (const segment of segments) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n\n/**\n * Evaluate a single field clause against a record.\n * Returns false on type mismatches rather than throwing — query results\n * exclude non-matching records by definition.\n */\nexport function evaluateFieldClause(record: unknown, clause: FieldClause): boolean {\n  const actual = readPath(record, clause.field)\n  const { op, value } = clause\n\n  switch (op) {\n    case '==':\n      return actual === value\n    case '!=':\n      return actual !== value\n    case '<':\n      return isComparable(actual, value) && (actual as number) < (value as number)\n    case '<=':\n      return isComparable(actual, value) && (actual as number) <= (value as number)\n    case '>':\n      return isComparable(actual, value) && (actual as number) > (value as number)\n    case '>=':\n      return isComparable(actual, value) && (actual as number) >= (value as number)\n    case 'in':\n      return Array.isArray(value) && value.includes(actual)\n    case 'contains':\n      if (typeof actual === 'string') return typeof value === 'string' && actual.includes(value)\n      if (Array.isArray(actual)) return actual.includes(value)\n      return false\n    case 'startsWith':\n      return typeof actual === 'string' && typeof value === 'string' && actual.startsWith(value)\n    case 'between': {\n      if (!Array.isArray(value) || value.length !== 2) return false\n      const [lo, hi] = value\n      if (!isComparable(actual, lo) || !isComparable(actual, hi)) return false\n      return (actual as number) >= (lo as number) && (actual as number) <= (hi as number)\n    }\n    default: {\n      // Exhaustiveness — TS will error if a new operator is added without a case.\n      const _exhaustive: never = op\n      void _exhaustive\n      return false\n    }\n  }\n}\n\n/**\n * Two values are \"comparable\" if they share an order-defined runtime type.\n * Strings compare lexicographically; numbers and Dates numerically; otherwise false.\n */\nfunction isComparable(a: unknown, b: unknown): boolean {\n  if (typeof a === 'number' && typeof b === 'number') return true\n  if (typeof a === 'string' && typeof b === 'string') return true\n  if (a instanceof Date && b instanceof Date) return true\n  return false\n}\n\n/**\n * Evaluate any clause (field / filter / group) against a record.\n * The recursion depth is bounded by the user's query expression — no risk of\n * blowing the stack on a 50K-record collection.\n */\nexport function evaluateClause(record: unknown, clause: Clause): boolean {\n  switch (clause.type) {\n    case 'field':\n      return evaluateFieldClause(record, clause)\n    case 'filter':\n      return clause.fn(record)\n    case 'wherePredicate':\n      return clause.fn(record, clause.ctx)\n    case 'group':\n      if (clause.op === 'and') {\n        for (const child of clause.clauses) {\n          if (!evaluateClause(record, child)) return false\n        }\n        return true\n      } else {\n        for (const child of clause.clauses) {\n          if (evaluateClause(record, child)) return true\n        }\n        return false\n      }\n  }\n}\n"],"mappings":";AAkFO,SAAS,SAAS,QAAiB,MAAuB;AAC/D,MAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,MAAI,CAAC,KAAK,SAAS,GAAG,GAAG;AACvB,WAAQ,OAAmC,IAAI;AAAA,EACjD;AACA,QAAM,WAAW,KAAK,MAAM,GAAG;AAC/B,MAAI,SAAkB;AACtB,aAAW,WAAW,UAAU;AAC9B,QAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,aAAU,OAAmC,OAAO;AAAA,EACtD;AACA,SAAO;AACT;AAOO,SAAS,oBAAoB,QAAiB,QAA8B;AACjF,QAAM,SAAS,SAAS,QAAQ,OAAO,KAAK;AAC5C,QAAM,EAAE,IAAI,MAAM,IAAI;AAEtB,UAAQ,IAAI;AAAA,IACV,KAAK;AACH,aAAO,WAAW;AAAA,IACpB,KAAK;AACH,aAAO,WAAW;AAAA,IACpB,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,SAAqB;AAAA,IAC9D,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,UAAsB;AAAA,IAC/D,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,SAAqB;AAAA,IAC9D,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,UAAsB;AAAA,IAC/D,KAAK;AACH,aAAO,MAAM,QAAQ,KAAK,KAAK,MAAM,SAAS,MAAM;AAAA,IACtD,KAAK;AACH,UAAI,OAAO,WAAW,SAAU,QAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK;AACzF,UAAI,MAAM,QAAQ,MAAM,EAAG,QAAO,OAAO,SAAS,KAAK;AACvD,aAAO;AAAA,IACT,KAAK;AACH,aAAO,OAAO,WAAW,YAAY,OAAO,UAAU,YAAY,OAAO,WAAW,KAAK;AAAA,IAC3F,KAAK,WAAW;AACd,UAAI,CAAC,MAAM,QAAQ,KAAK,KAAK,MAAM,WAAW,EAAG,QAAO;AACxD,YAAM,CAAC,IAAI,EAAE,IAAI;AACjB,UAAI,CAAC,aAAa,QAAQ,EAAE,KAAK,CAAC,aAAa,QAAQ,EAAE,EAAG,QAAO;AACnE,aAAQ,UAAsB,MAAkB,UAAsB;AAAA,IACxE;AAAA,IACA,SAAS;AAEP,YAAM,cAAqB;AAC3B,WAAK;AACL,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,aAAa,GAAY,GAAqB;AACrD,MAAI,OAAO,MAAM,YAAY,OAAO,MAAM,SAAU,QAAO;AAC3D,MAAI,OAAO,MAAM,YAAY,OAAO,MAAM,SAAU,QAAO;AAC3D,MAAI,aAAa,QAAQ,aAAa,KAAM,QAAO;AACnD,SAAO;AACT;AAOO,SAAS,eAAe,QAAiB,QAAyB;AACvE,UAAQ,OAAO,MAAM;AAAA,IACnB,KAAK;AACH,aAAO,oBAAoB,QAAQ,MAAM;AAAA,IAC3C,KAAK;AACH,aAAO,OAAO,GAAG,MAAM;AAAA,IACzB,KAAK;AACH,aAAO,OAAO,GAAG,QAAQ,OAAO,GAAG;AAAA,IACrC,KAAK;AACH,UAAI,OAAO,OAAO,OAAO;AACvB,mBAAW,SAAS,OAAO,SAAS;AAClC,cAAI,CAAC,eAAe,QAAQ,KAAK,EAAG,QAAO;AAAA,QAC7C;AACA,eAAO;AAAA,MACT,OAAO;AACL,mBAAW,SAAS,OAAO,SAAS;AAClC,cAAI,eAAe,QAAQ,KAAK,EAAG,QAAO;AAAA,QAC5C;AACA,eAAO;AAAA,MACT;AAAA,EACJ;AACF;","names":[]}

package/dist/{chunk-2WGMYBYS.js → chunk-NIOHFJPJ.js}

@@ -1,22 +1,22 @@
 import {
   ensureCollectionDEK
-} from "./chunk-YVFTBQHL.js";
+} from "./chunk-PA6R5ZCI.js";
 import {
   envelopePayloadHash
-} from "./chunk-CIMZBAZB.js";
+} from "./chunk-2AXFIYHT.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-PJK6IOBC.js";
+} from "./chunk-YS3POABP.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-MR4424N3.js";
+} from "./chunk-WCA2NROQ.js";
 import {
   DictKeyMissingError,
   LocaleNotSpecifiedError,
   MissingTranslationError,
   PermissionDeniedError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-ADQ5MQ54.js";
 
 // src/i18n/dictionary.ts
 var DICT_COLLECTION_PREFIX = "_dict_";
@@ -487,4 +487,4 @@ export {
   resolveI18nText,
   applyI18nLocale
 };
-//# sourceMappingURL=chunk-2WGMYBYS.js.map
+//# sourceMappingURL=chunk-NIOHFJPJ.js.map

package/dist/chunk-OMLIZL2P.js

@@ -0,0 +1,61 @@
+import {
+  OverlayBaseIsVirtualError,
+  OverlayCollectionUnavailableError,
+  OverlayNameCollisionError
+} from "./chunk-ADQ5MQ54.js";
+
+// src/overlay-views/registry.ts
+var OverlayedViewRegistry = class {
+  _byName = /* @__PURE__ */ new Map();
+  /**
+   * Register an overlay. Validates name uniqueness, base concreteness,
+   * and overlay availability AGAINST the MV registry — overlays
+   * declared without the MV registry context skip cross-registry
+   * checks but still validate self-consistency.
+   */
+  register(spec, options) {
+    const { isOverlayName, isMVOutput, isKnownCollection } = options;
+    if (isMVOutput?.(spec.name) || isOverlayName?.(spec.name)) {
+      throw new OverlayNameCollisionError(spec.name);
+    }
+    if (isOverlayName?.(spec.base)) {
+      throw new OverlayBaseIsVirtualError(spec.name, spec.base);
+    }
+    if (isMVOutput?.(spec.overlay)) {
+      throw new OverlayCollectionUnavailableError(spec.name, spec.overlay);
+    }
+    void isKnownCollection;
+    this._byName.set(spec.name, spec);
+  }
+  byName(name) {
+    return this._byName.get(name);
+  }
+  /** All overlay virtual names. */
+  names() {
+    return new Set(this._byName.keys());
+  }
+  isOverlay(name) {
+    return this._byName.has(name);
+  }
+  /**
+   * Resolve the `rowKey` function for an overlay's base MV. Returns
+   * `undefined` if the base isn't an MV (raw source collection) or
+   * if the MV registry isn't supplied. Used by the virtual-collection
+   * proxy to derive ids from `put(record)` calls.
+   */
+  resolveBaseRowKey(name, mvRegistry) {
+    const spec = this._byName.get(name);
+    if (!spec || !mvRegistry) return void 0;
+    for (const reg of mvRegistry.all()) {
+      if (reg.outputCollection === spec.base || reg.spec.name === spec.base) {
+        return (row) => reg.spec.rowKey(row);
+      }
+    }
+    return void 0;
+  }
+};
+
+export {
+  OverlayedViewRegistry
+};
+//# sourceMappingURL=chunk-OMLIZL2P.js.map

package/dist/chunk-OMLIZL2P.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/overlay-views/registry.ts"],"sourcesContent":["import {\n  OverlayBaseIsVirtualError,\n  OverlayCollectionUnavailableError,\n  OverlayNameCollisionError,\n} from '../errors.js'\nimport type { MaterializedViewRegistry } from '../materialized-views/registry.js'\nimport type { OverlayedViewStrategy } from './types.js'\n\n/**\n * Vault-internal registry of overlay strategies. Resolves the base\n * MV's `rowKey` lazily so virtual-collection writes can derive ids\n * from the row.\n *\n * @internal\n */\nexport class OverlayedViewRegistry {\n  private readonly _byName = new Map<string, OverlayedViewStrategy>()\n\n  /**\n   * Register an overlay. Validates name uniqueness, base concreteness,\n   * and overlay availability AGAINST the MV registry — overlays\n   * declared without the MV registry context skip cross-registry\n   * checks but still validate self-consistency.\n   */\n  register(\n    spec: OverlayedViewStrategy,\n    options: {\n      isOverlayName?: (name: string) => boolean\n      isMVOutput?: (name: string) => boolean\n      isKnownCollection?: (name: string) => boolean\n    },\n  ): void {\n    const { isOverlayName, isMVOutput, isKnownCollection } = options\n\n    // 1. Virtual name must not collide with an MV output or a concrete\n    //    source collection. Concrete-source detection is best-effort:\n    //    if `isKnownCollection` is supplied, a hit there + no MV match\n    //    is treated as a collision.\n    if (isMVOutput?.(spec.name) || isOverlayName?.(spec.name)) {\n      throw new OverlayNameCollisionError(spec.name)\n    }\n    // (We don't check isKnownCollection for `name` collision because\n    // virtual names are typically NOT pre-existing — they're created\n    // by the overlay declaration itself. Future versions may tighten.)\n\n    // 2. base must be concrete: NOT another overlay's virtual name.\n    if (isOverlayName?.(spec.base)) {\n      throw new OverlayBaseIsVirtualError(spec.name, spec.base)\n    }\n\n    // 3. overlay must be available: a real, vault-known collection\n    //    that is NOT an MV output (since MVs own their outputs).\n    if (isMVOutput?.(spec.overlay)) {\n      throw new OverlayCollectionUnavailableError(spec.name, spec.overlay)\n    }\n    // Best-effort known-collection check — when the vault can answer\n    // it. Unknown collections aren't a hard failure (the overlay may\n    // be implicitly created on first write), so we only throw on the\n    // MV-output case above.\n    void isKnownCollection\n\n    this._byName.set(spec.name, spec)\n  }\n\n  byName(name: string): OverlayedViewStrategy | undefined {\n    return this._byName.get(name)\n  }\n\n  /** All overlay virtual names. */\n  names(): ReadonlySet<string> {\n    return new Set(this._byName.keys())\n  }\n\n  isOverlay(name: string): boolean {\n    return this._byName.has(name)\n  }\n\n  /**\n   * Resolve the `rowKey` function for an overlay's base MV. Returns\n   * `undefined` if the base isn't an MV (raw source collection) or\n   * if the MV registry isn't supplied. Used by the virtual-collection\n   * proxy to derive ids from `put(record)` calls.\n   */\n  resolveBaseRowKey(\n    name: string,\n    mvRegistry: MaterializedViewRegistry | null,\n  ): ((row: Record<string, unknown>) => string) | undefined {\n    const spec = this._byName.get(name)\n    if (!spec || !mvRegistry) return undefined\n    // The base might be an MV's `output.collection` OR the MV's `name`\n    // (when no output.collection is declared). Search by both.\n    for (const reg of mvRegistry.all()) {\n      if (reg.outputCollection === spec.base || reg.spec.name === spec.base) {\n        return (row) => reg.spec.rowKey(row)\n      }\n    }\n    return undefined\n  }\n}\n"],"mappings":";;;;;;;AAeO,IAAM,wBAAN,MAA4B;AAAA,EAChB,UAAU,oBAAI,IAAmC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlE,SACE,MACA,SAKM;AACN,UAAM,EAAE,eAAe,YAAY,kBAAkB,IAAI;AAMzD,QAAI,aAAa,KAAK,IAAI,KAAK,gBAAgB,KAAK,IAAI,GAAG;AACzD,YAAM,IAAI,0BAA0B,KAAK,IAAI;AAAA,IAC/C;AAMA,QAAI,gBAAgB,KAAK,IAAI,GAAG;AAC9B,YAAM,IAAI,0BAA0B,KAAK,MAAM,KAAK,IAAI;AAAA,IAC1D;AAIA,QAAI,aAAa,KAAK,OAAO,GAAG;AAC9B,YAAM,IAAI,kCAAkC,KAAK,MAAM,KAAK,OAAO;AAAA,IACrE;AAKA,SAAK;AAEL,SAAK,QAAQ,IAAI,KAAK,MAAM,IAAI;AAAA,EAClC;AAAA,EAEA,OAAO,MAAiD;AACtD,WAAO,KAAK,QAAQ,IAAI,IAAI;AAAA,EAC9B;AAAA;AAAA,EAGA,QAA6B;AAC3B,WAAO,IAAI,IAAI,KAAK,QAAQ,KAAK,CAAC;AAAA,EACpC;AAAA,EAEA,UAAU,MAAuB;AAC/B,WAAO,KAAK,QAAQ,IAAI,IAAI;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,kBACE,MACA,YACwD;AACxD,UAAM,OAAO,KAAK,QAAQ,IAAI,IAAI;AAClC,QAAI,CAAC,QAAQ,CAAC,WAAY,QAAO;AAGjC,eAAW,OAAO,WAAW,IAAI,GAAG;AAClC,UAAI,IAAI,qBAAqB,KAAK,QAAQ,IAAI,KAAK,SAAS,KAAK,MAAM;AACrE,eAAO,CAAC,QAAQ,IAAI,KAAK,OAAO,GAAG;AAAA,MACrC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/{chunk-USKYUS74.js → chunk-P7EQ2S5O.js}

@@ -1,7 +1,7 @@
 import {
   BundleVersionConflictError,
   ConflictError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-ADQ5MQ54.js";
 
 // src/store/bundle-store.ts
 var BUNDLE_STORE_VERSION = 1;
@@ -790,4 +790,4 @@ export {
   withCache,
   withHealthCheck
 };
-//# sourceMappingURL=chunk-USKYUS74.js.map
+//# sourceMappingURL=chunk-P7EQ2S5O.js.map