@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/chunk-TDR6T5CJ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/aggregate/reducers.ts","../src/aggregate/aggregation.ts","../src/aggregate/groupby.ts"],"sourcesContent":["/**\n * Aggregation reducers for the query DSL.\n *\n * the reducer protocol plus five built-in factories\n * (`count`, `sum`, `avg`, `min`, `max`) consumed by `Query.aggregate()`\n * and, in the future, `Scan.aggregate()`. Every factory accepts\n * an optional `{ seed }` parameter that is plumbed through the\n * protocol but unused by the executor — that's the load-bearing\n * half of  constraint #2. When partition-aware aggregation\n * lands, the seed carries the previous partition's running total into\n * the next partition without requiring a protocol change.\n *\n * Reducers are intentionally generic over their internal state type\n * `S` so compound reducers (avg keeps `{sum, count}`, min/max keep a\n * value bag) can model internal bookkeeping without leaking the\n * implementation through the accumulator's public shape. `finalize`\n * collapses `S` back into the user-visible `R`.\n *\n * Reducers are pure data — `init` / `step` / `finalize` / optional\n * `remove` are stateless functions that receive and return `S`. This\n * is the shape that admits O(1) incremental maintenance in a future\n * optimization (delta-aware `LiveAggregation` applies `step` or\n * `remove` per delta), without blocking the simpler \"full re-run on\n * source change\" that ships.\n */\n\nimport { readPath } from '../query/predicate.js'\n\n/**\n * A single reducer: factory-produced, ready to plug into an\n * `.aggregate()` spec.\n *\n * Type parameters:\n *   - `R` — user-visible result type (what the aggregation returns\n *     for this slot, e.g. `number` for `sum()`)\n *   - `S` — internal state type, defaults to `R` for simple reducers\n *     that don't need compound bookkeeping\n *\n * A reducer is stateless: every method is pure over `S`. `init()` is\n * called once per aggregation run to build the initial state; `step()`\n * folds a record into the state; `remove()` (optional) un-folds a\n * record, enabling incremental live maintenance; `finalize()` reads\n * the final answer out of the state at the end of the run.\n */\nexport interface Reducer<R, S = R> {\n  /** Build the initial state for a fresh aggregation run. */\n  init(): S\n  /** Fold a record into the state. Returns the new state. */\n  step(state: S, record: unknown): S\n  /**\n   * Un-fold a record from the state. Returns the new state.\n   *\n   * Optional — reducers without `remove` cannot be maintained\n   * incrementally and must be re-run from scratch when the underlying\n   * record set changes. `sum`, `count`, `avg` implement `remove` in\n   * O(1); `min` and `max` implement it in O(N) worst case (when the\n   * extremum itself is removed and the next extremum must be\n   * recomputed from the remaining contributing values).\n   */\n  remove?(state: S, record: unknown): S\n  /** Collapse the internal state into the user-visible result. */\n  finalize(state: S): R\n}\n\n/**\n * Common options accepted by every reducer factory.\n *\n * `seed` — optional initial value for the internal state. **Unused by\n * the executor**, plumbed through the protocol for  constraint\n * #2 (partition-aware aggregation seam). In, partitioned\n * aggregations will pass the previous partition's carry as `seed` so\n * a long time series can be rolled forward one partition at a time\n * without re-aggregating closed partitions.\n *\n * always uses `init()` with the factory's zero value, regardless\n * of whether `seed` was passed. Do not remove the parameter — that's\n * the whole point of having it exist now.\n */\nexport interface ReducerOptions<TSeed = unknown> {\n  /**  constraint #2 — seed is plumbed through but unused in. */\n  readonly seed?: TSeed\n}\n\n// ---------------------------------------------------------------------------\n// Factories\n// ---------------------------------------------------------------------------\n\n/**\n * Count the number of records that match the query. Ignores field\n * values entirely — the count is over the number of records, not over\n * the number of non-null field values in any column.\n */\nexport function count(opts?: ReducerOptions<number>): Reducer<number> {\n  // Seed captured on the closure but unused at execution time in\n  //. The reference in _seed keeps lint happy.\n  const _seed = opts?.seed\n  void _seed\n  return {\n    init: () => 0,\n    step: (state) => state + 1,\n    remove: (state) => state - 1,\n    finalize: (state) => state,\n  }\n}\n\n/**\n * Sum a numeric field across all matching records. Non-number values\n * at the field path are coerced to 0 — consumers who want a different\n * behavior (throw, skip, treat as NaN) should filter upstream via\n * `.where()` or write a custom reducer.\n */\nexport function sum(\n  field: string,\n  opts?: ReducerOptions<number>,\n): Reducer<number> {\n  const _seed = opts?.seed\n  void _seed\n  return {\n    init: () => 0,\n    step: (state, record) => state + readNumber(record, field),\n    remove: (state, record) => state - readNumber(record, field),\n    finalize: (state) => state,\n  }\n}\n\n/**\n * Arithmetic mean of a numeric field across all matching records.\n *\n * Returns `null` for an empty result set (zero records is not a\n * well-defined denominator — returning NaN would poison downstream\n * arithmetic, and throwing would force every consumer to wrap in\n * try/catch just to handle \"no matches\"). Consumers who want an\n * explicit zero should coalesce with `?? 0`.\n *\n * Internal state is `{sum, count}` so the running average can be\n * maintained incrementally — on each delta, both fields update in\n * O(1) and `finalize` divides. Directly storing `avg` as state would\n * not admit incremental removal without also tracking count.\n */\nexport function avg(\n  field: string,\n  opts?: ReducerOptions<{ sum: number; count: number }>,\n): Reducer<number | null, { sum: number; count: number }> {\n  const _seed = opts?.seed\n  void _seed\n  return {\n    init: () => ({ sum: 0, count: 0 }),\n    step: (state, record) => ({\n      sum: state.sum + readNumber(record, field),\n      count: state.count + 1,\n    }),\n    remove: (state, record) => ({\n      sum: state.sum - readNumber(record, field),\n      count: state.count - 1,\n    }),\n    finalize: (state) => (state.count === 0 ? null : state.sum / state.count),\n  }\n}\n\ninterface MinMaxState {\n  /**\n   * Multiset of contributing field values. Stored as a plain array\n   * because we need to support `remove` and a plain array gives us\n   * O(1) push + O(N) worst-case removal — which matches the\n   * documented min/max removal complexity. A sorted structure would\n   * let us drop the O(N) rescan but adds complexity that doesn't\n   * need; consumers hitting the O(N) ceiling should file an issue.\n   */\n  readonly values: number[]\n}\n\nfunction pushValue(state: MinMaxState, value: number): MinMaxState {\n  return { values: [...state.values, value] }\n}\n\nfunction removeValue(state: MinMaxState, value: number): MinMaxState {\n  // Remove the first matching value — duplicates are fine, we only\n  // need to drop one instance per `remove()` call so the multiset\n  // count stays consistent with the record count.\n  const idx = state.values.indexOf(value)\n  if (idx < 0) return state\n  const next = state.values.slice()\n  next.splice(idx, 1)\n  return { values: next }\n}\n\n/**\n * Smallest numeric value of a field across all matching records.\n * Returns `null` for an empty result set. See `avg()` for the\n * reasoning on `null` vs NaN vs throwing.\n *\n * Incremental complexity: O(1) for `step`, O(N) worst case for\n * `remove` when the current minimum is removed (the state holds the\n * full multiset of contributing values and `finalize` scans for the\n * new minimum). Consumers with very large result sets and frequent\n * removals of the current extremum should either accept the cost or\n * wait for a future optimization.\n */\nexport function min(\n  field: string,\n  opts?: ReducerOptions<number>,\n): Reducer<number | null, MinMaxState> {\n  const _seed = opts?.seed\n  void _seed\n  return {\n    init: () => ({ values: [] }),\n    step: (state, record) => pushValue(state, readNumber(record, field)),\n    remove: (state, record) => removeValue(state, readNumber(record, field)),\n    finalize: (state) => {\n      if (state.values.length === 0) return null\n      let out = state.values[0]!\n      for (let i = 1; i < state.values.length; i++) {\n        const v = state.values[i]!\n        if (v < out) out = v\n      }\n      return out\n    },\n  }\n}\n\n/**\n * Largest numeric value of a field across all matching records.\n * Mirror of `min()` — see that doc for semantics, null-on-empty\n * behavior, and the O(N) removal caveat.\n */\nexport function max(\n  field: string,\n  opts?: ReducerOptions<number>,\n): Reducer<number | null, MinMaxState> {\n  const _seed = opts?.seed\n  void _seed\n  return {\n    init: () => ({ values: [] }),\n    step: (state, record) => pushValue(state, readNumber(record, field)),\n    remove: (state, record) => removeValue(state, readNumber(record, field)),\n    finalize: (state) => {\n      if (state.values.length === 0) return null\n      let out = state.values[0]!\n      for (let i = 1; i < state.values.length; i++) {\n        const v = state.values[i]!\n        if (v > out) out = v\n      }\n      return out\n    },\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Read a numeric field from a record. Non-number values (null,\n * undefined, strings, objects) coerce to 0 so sum/avg/min/max don't\n * produce NaN on one bad row. Consumers who want strict typing should\n * validate upstream with Standard Schema, which NOYDB already runs on\n * every `put()`.\n */\nfunction readNumber(record: unknown, field: string): number {\n  const value = readPath(record, field)\n  return typeof value === 'number' && Number.isFinite(value) ? value : 0\n}\n","/**\n * Aggregate execution — the runtime behind `Query.aggregate()`.\n *\n * takes an `AggregateSpec` (a record of named reducers\n * built from `reducers.ts`) and runs every reducer over the records\n * produced by the underlying query. Two terminal surfaces:\n *\n *   - `.run(): R` — synchronous one-shot reduction. Matches the\n *     existing `Query.toArray()` / `.first()` / `.count()` style.\n *   - `.live(): LiveAggregation<R>` — reactive primitive that\n *     re-runs the reduction whenever the query's source notifies of\n *     a change. uses naive full re-run; incremental delta\n *     maintenance is admitted by the reducer protocol (`remove()`)\n *     but not wired to the executor yet — a follow-up optimization\n *     can switch from full re-run to delta-based without breaking\n *     the public API. Consumers get correct, reactive values today.\n *\n * The `Aggregation<R>` wrapper is deliberately tiny — it exists so\n * `.aggregate(spec)` can be chained with either `.run()` or `.live()`\n * without the builder needing two separate terminal methods. It\n * holds the closure over the query execution (produces the current\n * matching record set) and the spec, and stitches them together in\n * either mode.\n *\n * This file depends ONLY on `reducers.ts` — it has no knowledge of\n * the `Query` class. Tests can therefore exercise the reduction\n * surface with plain record arrays, without spinning up a Collection.\n */\n\nimport type { Reducer } from './reducers.js'\n\n/**\n * A named set of reducers, keyed by output field name. Each key\n * becomes a field on the aggregated result.\n *\n * ```ts\n * const spec = {\n *   total: sum('amount'),\n *   n:     count(),\n *   avgAmount: avg('amount'),\n * }\n * ```\n */\nexport type AggregateSpec = Readonly<Record<string, Reducer<unknown, unknown>>>\n\n/**\n * Map an `AggregateSpec` to its reduced result shape — each key\n * carries the finalized result type from its reducer. A spec built\n * from `{ total: sum('amount'), n: count() }` yields a result of\n * `{ total: number, n: number }`.\n *\n * This uses a mapped type with a conditional to extract `R` from\n * each `Reducer<R, _>`. The `infer` captures the user-visible result\n * type, discarding the internal state type `S`.\n */\nexport type AggregateResult<Spec extends AggregateSpec> = {\n  [K in keyof Spec]: Spec[K] extends Reducer<infer R, unknown> ? R : never\n}\n\n/**\n * Pure reduction over a record array. Runs every reducer's\n * `init → step* → finalize` pipeline exactly once over the records.\n *\n * Called by `Aggregation.run()` and by the live-mode refresh path.\n * Exported for tests and for future `scan().aggregate()` reuse\n * — the streaming path will call the same reducer protocol with a\n * per-page loop instead of a single array.\n */\nexport function reduceRecords<Spec extends AggregateSpec>(\n  records: readonly unknown[],\n  spec: Spec,\n): AggregateResult<Spec> {\n  // Per-slot state, keyed by the spec's output field name.\n  const state: Record<string, unknown> = {}\n  for (const key of Object.keys(spec)) {\n    state[key] = spec[key]!.init()\n  }\n  for (const record of records) {\n    for (const key of Object.keys(spec)) {\n      state[key] = spec[key]!.step(state[key], record)\n    }\n  }\n  const result: Record<string, unknown> = {}\n  for (const key of Object.keys(spec)) {\n    result[key] = spec[key]!.finalize(state[key])\n  }\n  return result as AggregateResult<Spec>\n}\n\n/**\n * A minimal reactive primitive for aggregation results.\n *\n * Same spirit as the `LiveQuery` in : frame-agnostic, a plain\n * object with `value` / `error` fields and a `subscribe(cb)`\n * notification channel that Vue / React / Solid adapters wrap in\n * their own primitive. Intentionally NOT a Promise — aggregations\n * have a well-defined \"current value\" at every instant, and the\n * reactive consumer wants to read that value synchronously.\n *\n * Error semantics mirror `LiveQuery`: if a re-run throws, the\n * previous successful `value` is preserved and the error is stored\n * in `error` so consumers can render an error state without losing\n * the last-known-good result. The throw does NOT propagate out of\n * the source's change handler (which would tear down the upstream\n * emitter).\n *\n * `stop()` tears down the upstream subscription. It is idempotent —\n * calling it multiple times is safe — and subscribe calls after\n * stop are no-ops (they immediately return a no-op unsubscribe).\n * Always call `stop()` when done; Vue's `onUnmounted` is the\n * canonical place. Raw consumers must do it themselves.\n */\nexport interface LiveAggregation<R> {\n  /** Current reduced value. Undefined only if the first compute threw. */\n  readonly value: R | undefined\n  /** Last execution error, if any. Cleared on the next successful run. */\n  readonly error: unknown\n  /** Notify on every recomputation (success or error). Returns unsubscribe. */\n  subscribe(cb: () => void): () => void\n  /** Tear down the upstream subscription. Idempotent. */\n  stop(): void\n}\n\n/**\n * Upstream change-notification hook for live aggregation.\n *\n * Matches the shape that `QuerySource.subscribe` already uses — a\n * single method that accepts a callback and returns an unsubscribe\n * function. The `Aggregation` wrapper collects upstreams from the\n * query's source and wires them into a single re-run trigger.\n */\nexport interface AggregationUpstream {\n  subscribe(cb: () => void): () => void\n}\n\n/**\n * Internal implementation of `LiveAggregation`. Not exported —\n * consumers get the interface only. The class wraps a `recompute`\n * closure (which runs the full reduction and returns the new value)\n * and a list of upstreams (sources whose changes should trigger a\n * re-run).\n *\n * Error isolation: if an individual listener callback throws, the\n * other listeners still fire and the error is logged to the warn\n * channel. This matches `LiveQuery` from  and keeps one misbehaving\n * consumer from tearing down the whole live aggregation.\n */\nclass LiveAggregationImpl<R> implements LiveAggregation<R> {\n  public value: R | undefined\n  public error: unknown\n  private readonly listeners = new Set<() => void>()\n  private readonly unsubscribes: Array<() => void> = []\n  private stopped = false\n\n  constructor(\n    private readonly recompute: () => R,\n    upstreams: readonly AggregationUpstream[],\n  ) {\n    // Initial computation — surface any error through the `error`\n    // field rather than letting the constructor throw, so consumers\n    // can always construct a LiveAggregation and check its state\n    // afterwards. Throwing from a constructor would force every\n    // caller to wrap in try/catch, which is the opposite of the\n    // \"reactive value with error state\" ergonomics we want.\n    try {\n      this.value = recompute()\n      this.error = undefined\n    } catch (err) {\n      this.value = undefined\n      this.error = err\n    }\n\n    // Wire up upstream subscriptions. Each one triggers a full\n    // recomputation; we don't attempt incremental updates in.\n    for (const upstream of upstreams) {\n      const unsub = upstream.subscribe(() => this.refresh())\n      this.unsubscribes.push(unsub)\n    }\n  }\n\n  private refresh(): void {\n    if (this.stopped) return\n    try {\n      this.value = this.recompute()\n      this.error = undefined\n    } catch (err) {\n      // Preserve the previous successful value — consumers render an\n      // error state using `error` without losing the last-known-good\n      // number. This matches LiveQuery's error-preservation contract.\n      this.error = err\n    }\n    for (const listener of this.listeners) {\n      try {\n        listener()\n      } catch (err) {\n        // Isolate listener errors so one bad consumer can't tear\n        // down every other subscriber on the same aggregation.\n        console.warn('[noy-db] LiveAggregation listener threw:', err)\n      }\n    }\n  }\n\n  subscribe(cb: () => void): () => void {\n    if (this.stopped) {\n      // No-op after stop. Returning a harmless unsubscribe lets\n      // consumers use the same teardown pattern unconditionally.\n      return () => {}\n    }\n    this.listeners.add(cb)\n    return () => {\n      this.listeners.delete(cb)\n    }\n  }\n\n  stop(): void {\n    if (this.stopped) return\n    this.stopped = true\n    for (const unsub of this.unsubscribes) {\n      try {\n        unsub()\n      } catch (err) {\n        console.warn('[noy-db] LiveAggregation upstream unsubscribe threw:', err)\n      }\n    }\n    this.unsubscribes.length = 0\n    this.listeners.clear()\n  }\n}\n\n/**\n * Chainable wrapper returned by `Query.aggregate(spec)`. Holds the\n * execute-records closure and the spec; terminal methods (`run`,\n * `live`) stitch them together in either mode.\n *\n * Why a wrapper instead of two terminal methods on `Query` directly?\n *\n * The `.aggregate(spec)` call is where the spec is bound — both\n * `.run()` and `.live()` need the same spec, and the consumer's\n * fluent style is `query.where(...).aggregate(spec).run()` or\n * `.aggregate(spec).live()`. Wrapping lets the spec be named once\n * and reused for either terminal, and keeps the `Query` class\n * from growing a pair of near-duplicate method overloads\n * (`aggregateRun` / `aggregateLive`) that would be harder to\n * discover.\n */\nexport class Aggregation<R> {\n  constructor(\n    private readonly executeRecords: () => readonly unknown[],\n    private readonly spec: AggregateSpec,\n    private readonly upstreams: readonly AggregationUpstream[],\n  ) {}\n\n  /**\n   * Execute the query and reduce the results synchronously.\n   * Returns the reduced shape matching the spec — e.g. a spec of\n   * `{ total: sum('amount'), n: count() }` returns\n   * `{ total: number, n: number }`.\n   */\n  run(): R {\n    return reduceRecords(this.executeRecords(), this.spec) as unknown as R\n  }\n\n  /**\n   * Build a reactive `LiveAggregation<R>` that re-runs the reduction\n   * whenever any upstream source notifies of a change. The initial\n   * value is computed eagerly in the constructor, so consumers can\n   * read `live.value` immediately after calling `.live()`.\n   *\n   * Always call `live.stop()` when finished — it tears down the\n   * upstream subscriptions. Vue's `onUnmounted` is the canonical\n   * place.\n   *\n   * **Implementation note:** every upstream change triggers a full\n   * re-reduction. Incremental maintenance (O(1) per delta for\n   * sum/count/avg via the reducer protocol's `remove()` method) is a\n   * planned follow-up optimization — the protocol already supports\n   * it, but the executor doesn't drive it yet. Consumers get\n   * correct, reactive values today; future PRs can switch to\n   * delta-based maintenance without changing this API.\n   */\n  live(): LiveAggregation<R> {\n    const recompute = (): R =>\n      reduceRecords(this.executeRecords(), this.spec) as unknown as R\n    return new LiveAggregationImpl<R>(recompute, this.upstreams)\n  }\n}\n\n/**\n * Build a `LiveAggregation<V>` from a recompute closure and a list\n * of upstreams. Exposed so sibling files in the query DSL\n * (currently `groupby.ts`) can reuse the reactive primitive\n * without reaching into `LiveAggregationImpl` directly. This keeps\n * the implementation class private while still allowing planned\n * composition with `.groupBy().aggregate().live()`.\n */\nexport function buildLiveAggregation<V>(\n  recompute: () => V,\n  upstreams: readonly AggregationUpstream[],\n): LiveAggregation<V> {\n  return new LiveAggregationImpl<V>(recompute, upstreams)\n}\n","/**\n * Query DSL `.groupBy()` —.\n *\n * Chains after `.where()` / `.filter()` / `.or()` / `.and()` on a\n * Query and before a reducer spec, so consumers can compute\n * per-bucket aggregates without folding in userland:\n *\n * ```ts\n * const byClient = invoices.query()\n *   .where('status', '==', 'open')\n *   .groupBy('clientId')\n *   .aggregate({ total: sum('amount'), n: count() })\n *   .run()\n * // → [ { clientId: 'c1', total: 5250, n: 3 }, … ]\n * ```\n *\n * Execution pipeline:\n *\n *   1. Run the query's where/filter clauses (same candidate /\n *      filter pipeline as `.aggregate()` directly on Query).\n *   2. Partition the matching records into buckets keyed by\n *      `readPath(record, field)`. JS `Map` preserves insertion\n *      order, so the first-seen key for a bucket determines its\n *      position in the result array — consumers who want a\n *      specific ordering should `.sort()` downstream.\n *   3. Enforce cardinality: warn once per field at 10% of the cap\n *      (10_000 buckets), throw `GroupCardinalityError` at 100% of\n *      the cap (100_000 buckets).\n *   4. For each bucket, build a per-group reducer state and\n *      step every record in the bucket through it.\n *   5. Emit one result row per bucket, shaped as\n *      `{ [field]: key, ...reduced }`.\n *\n * **Null / undefined keys:** `Map` distinguishes `null` from\n * `undefined`, so records with a missing group field get their own\n * bucket, and records with an explicit `null` value get a separate\n * bucket from that. Consumers who want them merged can coalesce\n * upstream with `.filter()`.\n *\n * **Live mode:** `.groupBy().aggregate().live()` re-runs the full\n * grouping pipeline on every source change. Per-bucket incremental\n * delta maintenance is a future optimization — the reducer\n * protocol's `remove()` hook admits it, but ships naive\n * re-grouping for simplicity.\n *\n * **Type-level stable-key narrowing:** when\n * `dictKey` lands, `groupBy<DictField>()` will narrow the group key\n * type to the stable dictionary key rather than the resolved locale\n * label. That prevents grouping by the locale-resolved label,\n * which would produce different buckets per reader. types the\n * key as `unknown` at the result shape; the dictKey narrowing\n * layers on top without an API break.\n *\n * Partition-awareness seam: when partitioned collections land,\n * per-partition grouping will need to merge sub-results across\n * partitions. The reducer protocol's `{ seed }` parameter\n * (already plumbed through in `reducers.ts`) is the mechanism —\n * groupBy doesn't need its own seam for the moment, because it\n * delegates to the reducer protocol for all per-bucket state.\n */\n\nimport { readPath } from '../query/predicate.js'\nimport type {\n  AggregateSpec,\n  AggregateResult,\n  AggregationUpstream,\n  LiveAggregation,\n} from './aggregation.js'\nimport { buildLiveAggregation } from './aggregation.js'\nimport { GroupCardinalityError } from '../errors.js'\n\n/**\n * Cardinality thresholds for `.groupBy()`. The warn threshold gives\n * consumers a heads-up before the hard error; the cap is a fixed\n * constant in (not overridable). A `{ maxGroups }` override\n * can be added later without a break if a real consumer asks.\n */\nexport const GROUPBY_WARN_CARDINALITY = 10_000\nexport const GROUPBY_MAX_CARDINALITY = 100_000\n\n/**\n * One-shot warning dedup per-field — reactive dashboards\n * re-executing the same grouped query should produce the warning\n * once, not once per re-fire. Keyed on the grouping field name\n * because \"this field has high cardinality on your current data\"\n * is a field-level property, not a per-query one.\n */\nconst warnedCardinalityFields = new Set<string>()\nfunction warnCardinalityApproaching(field: string, observed: number): void {\n  if (warnedCardinalityFields.has(field)) return\n  warnedCardinalityFields.add(field)\n  console.warn(\n    `[noy-db] .groupBy(\"${field}\") produced ${observed} distinct groups, ` +\n      `${Math.round((observed / GROUPBY_MAX_CARDINALITY) * 100)}% of the ` +\n      `${GROUPBY_MAX_CARDINALITY}-group ceiling. Narrow the query with ` +\n      `.where() before grouping, or switch to a lower-cardinality field.`,\n  )\n}\n\n/**\n * Test-only: clear the per-field cardinality warning dedup between\n * tests. Production code never calls this — matching the\n * `resetJoinWarnings` pattern in `join.ts`.\n */\nexport function resetGroupByWarnings(): void {\n  warnedCardinalityFields.clear()\n}\n\n/**\n * Result row shape for a grouped aggregation. Each row carries the\n * group key value under the grouping field name plus every reducer\n * output from the spec.\n *\n * types the group key as `unknown` at the result shape — the\n * runtime read via `readPath` can return any value, and narrowing\n * to a specific type would require the caller to assert at the\n * call site. `dictKey` narrowing layers on top of this by\n * adding an overload that constrains `F` when the grouping field\n * is a `dictKey`.\n */\nexport type GroupedRow<F extends string, R> = { [K in F]: unknown } & R\n\n/**\n * Chainable wrapper returned by `Query.groupBy(field)`. Terminates\n * with `.aggregate(spec)` which returns a `GroupedAggregation`.\n *\n * Kept minimal — the only operation on a grouped query is\n * aggregation. Ordering, limiting, and further filtering belong on\n * the underlying `Query` before `.groupBy()` is called; applying\n * them post-group would be a different operation (`having` /\n * `groupOrderBy`), out of scope for.\n */\nexport class GroupedQuery<T, F extends string> {\n  constructor(\n    private readonly executeRecords: () => readonly unknown[],\n    private readonly field: F,\n    private readonly upstreams: readonly AggregationUpstream[],\n    /**\n     * Optional dict label resolver attached by the query builder when\n     * the grouping field is a dictKey.\n     */\n    private readonly dictLabelResolver?: (\n      key: string,\n      locale: string,\n      fallback?: string | readonly string[],\n    ) => Promise<string | undefined>,\n  ) {\n    // T is phantom on the wrapper so consumers can still see the\n    // source row type on hover. Reference it to keep lint quiet.\n    void undefined as T | undefined\n  }\n\n  /**\n   * Build a grouped aggregation. Returns a `GroupedAggregation`\n   * with `.run()`, `.runAsync()`, and `.live()` terminals — same shape\n   * as the non-grouped `.aggregate()` wrapper, just with an array\n   * result (one row per bucket) instead of a single reduced object.\n   */\n  aggregate<Spec extends AggregateSpec>(\n    spec: Spec,\n  ): GroupedAggregation<GroupedRow<F, AggregateResult<Spec>>> {\n    return new GroupedAggregation<GroupedRow<F, AggregateResult<Spec>>>(\n      this.executeRecords,\n      this.field,\n      spec,\n      this.upstreams,\n      this.dictLabelResolver,\n    )\n  }\n}\n\n/**\n * Execute the group-and-reduce pipeline. Pure function over a\n * record array and a spec — shared by `GroupedAggregation.run()`\n * and the live-mode refresh path. Exported for tests and for any\n * future `scan().groupBy().aggregate()` reuse.\n *\n * Enforces the cardinality cap incrementally during the partition\n * loop, so a runaway grouping throws at the moment the 100_001st\n * bucket would be created — the consumer doesn't have to wait for\n * the full partition to materialize before the error fires.\n */\nexport function groupAndReduce<R>(\n  records: readonly unknown[],\n  field: string,\n  spec: AggregateSpec,\n): R[] {\n  // Map preserves insertion order natively (ES2015), so first-seen\n  // keys determine output ordering without a parallel order array.\n  const buckets = new Map<unknown, unknown[]>()\n  for (const record of records) {\n    const key = readPath(record, field)\n    let bucket = buckets.get(key)\n    if (bucket === undefined) {\n      if (buckets.size >= GROUPBY_MAX_CARDINALITY) {\n        throw new GroupCardinalityError(\n          field,\n          buckets.size + 1,\n          GROUPBY_MAX_CARDINALITY,\n        )\n      }\n      bucket = []\n      buckets.set(key, bucket)\n    }\n    bucket.push(record)\n  }\n\n  if (buckets.size >= GROUPBY_WARN_CARDINALITY) {\n    warnCardinalityApproaching(field, buckets.size)\n  }\n\n  // Reduce each bucket through the spec. Same init/step/finalize\n  // pipeline as `reduceRecords` in aggregate.ts, but one state per\n  // bucket. Inlining the loop here keeps the per-bucket path tight\n  // — calling `reduceRecords` per bucket would recompute\n  // `Object.keys(spec)` once per bucket unnecessarily.\n  const keys = Object.keys(spec)\n  const out: R[] = []\n  for (const [groupKey, bucketRecords] of buckets) {\n    const state: Record<string, unknown> = {}\n    for (const key of keys) {\n      state[key] = spec[key]!.init()\n    }\n    for (const record of bucketRecords) {\n      for (const key of keys) {\n        state[key] = spec[key]!.step(state[key], record)\n      }\n    }\n    const row: Record<string, unknown> = { [field]: groupKey }\n    for (const key of keys) {\n      row[key] = spec[key]!.finalize(state[key])\n    }\n    out.push(row as unknown as R)\n  }\n  return out\n}\n\n/**\n * Grouped aggregation wrapper — the `.groupBy(field).aggregate(spec)`\n * terminal. Shape mirrors `Aggregation<R>` from aggregate.ts: two\n * terminals (`.run()` and `.live()`), spec bound at construction\n * time, upstreams collected for live mode.\n *\n * The generic `R` is the per-row result shape (i.e. a single\n * grouped row), and the terminals return `R[]` — one row per\n * bucket.\n */\nexport class GroupedAggregation<R> {\n  constructor(\n    private readonly executeRecords: () => readonly unknown[],\n    private readonly field: string,\n    private readonly spec: AggregateSpec,\n    private readonly upstreams: readonly AggregationUpstream[],\n    /**\n     * Optional dict label resolver for `<field>Label` projection\n     *. Present when the grouping field is a dictKey.\n     */\n    private readonly dictLabelResolver?: (\n      key: string,\n      locale: string,\n      fallback?: string | readonly string[],\n    ) => Promise<string | undefined>,\n  ) {}\n\n  /** Execute the query, group, reduce, and return an array of rows. */\n  run(): R[] {\n    return groupAndReduce<R>(this.executeRecords(), this.field, this.spec)\n  }\n\n  /**\n   * Execute the query, group, reduce, and resolve `<field>Label` for\n   * each result row when the grouping field is a `dictKey` and a\n   * `locale` is provided. Returns `R[]` synchronously when\n   * no locale is specified (identical to `.run()`).\n   *\n   * The `<field>Label` field is appended to each row. Rows whose group\n   * key has no dictionary entry get `<field>Label: undefined`.\n   */\n  async runAsync(opts?: {\n    locale?: string\n    fallback?: string | readonly string[]\n  }): Promise<R[]> {\n    const rows = groupAndReduce<R>(this.executeRecords(), this.field, this.spec)\n    if (!opts?.locale || !this.dictLabelResolver) return rows\n\n    const resolve = this.dictLabelResolver\n    const locale = opts.locale\n    const fallback = opts.fallback\n    const labelKey = `${this.field}Label`\n\n    return Promise.all(\n      rows.map(async (row) => {\n        const key = (row as Record<string, unknown>)[this.field]\n        if (typeof key !== 'string') return row\n        const label = await resolve(key, locale, fallback)\n        return { ...(row as Record<string, unknown>), [labelKey]: label } as unknown as R\n      }),\n    )\n  }\n\n  /**\n   * Build a reactive `LiveAggregation<R[]>` that re-runs the full\n   * group-and-reduce pipeline whenever any upstream source notifies\n   * of a change. Same error-isolation and idempotent-stop contract\n   * as `Aggregation.live()` — the implementation delegates to the\n   * same `LiveAggregationImpl` class by threading a fresh\n   * recompute closure through the existing constructor.\n   *\n   * uses naive full re-run on every change. Incremental\n   * per-bucket maintenance (apply `step` on inserted records,\n   * `remove` on deleted records, route by bucket key) is a future\n   * optimization — the reducer protocol admits it, but wiring\n   * delta-aware source subscriptions is a separate PR.\n   *\n   * Always call `live.stop()` when finished.\n   */\n  live(): LiveAggregation<R[]> {\n    const recompute = (): R[] =>\n      groupAndReduce<R>(this.executeRecords(), this.field, this.spec)\n    return buildLiveAggregation<R[]>(recompute, this.upstreams)\n  }\n}\n"],"mappings":";;;;;;;;AA4FO,SAAS,MAAM,MAAgD;AAGpE,QAAM,QAAQ,MAAM;AACpB,OAAK;AACL,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ,MAAM,CAAC,UAAU,QAAQ;AAAA,IACzB,QAAQ,CAAC,UAAU,QAAQ;AAAA,IAC3B,UAAU,CAAC,UAAU;AAAA,EACvB;AACF;AAQO,SAAS,IACd,OACA,MACiB;AACjB,QAAM,QAAQ,MAAM;AACpB,OAAK;AACL,SAAO;AAAA,IACL,MAAM,MAAM;AAAA,IACZ,MAAM,CAAC,OAAO,WAAW,QAAQ,WAAW,QAAQ,KAAK;AAAA,IACzD,QAAQ,CAAC,OAAO,WAAW,QAAQ,WAAW,QAAQ,KAAK;AAAA,IAC3D,UAAU,CAAC,UAAU;AAAA,EACvB;AACF;AAgBO,SAAS,IACd,OACA,MACwD;AACxD,QAAM,QAAQ,MAAM;AACpB,OAAK;AACL,SAAO;AAAA,IACL,MAAM,OAAO,EAAE,KAAK,GAAG,OAAO,EAAE;AAAA,IAChC,MAAM,CAAC,OAAO,YAAY;AAAA,MACxB,KAAK,MAAM,MAAM,WAAW,QAAQ,KAAK;AAAA,MACzC,OAAO,MAAM,QAAQ;AAAA,IACvB;AAAA,IACA,QAAQ,CAAC,OAAO,YAAY;AAAA,MAC1B,KAAK,MAAM,MAAM,WAAW,QAAQ,KAAK;AAAA,MACzC,OAAO,MAAM,QAAQ;AAAA,IACvB;AAAA,IACA,UAAU,CAAC,UAAW,MAAM,UAAU,IAAI,OAAO,MAAM,MAAM,MAAM;AAAA,EACrE;AACF;AAcA,SAAS,UAAU,OAAoB,OAA4B;AACjE,SAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,QAAQ,KAAK,EAAE;AAC5C;AAEA,SAAS,YAAY,OAAoB,OAA4B;AAInE,QAAM,MAAM,MAAM,OAAO,QAAQ,KAAK;AACtC,MAAI,MAAM,EAAG,QAAO;AACpB,QAAM,OAAO,MAAM,OAAO,MAAM;AAChC,OAAK,OAAO,KAAK,CAAC;AAClB,SAAO,EAAE,QAAQ,KAAK;AACxB;AAcO,SAAS,IACd,OACA,MACqC;AACrC,QAAM,QAAQ,MAAM;AACpB,OAAK;AACL,SAAO;AAAA,IACL,MAAM,OAAO,EAAE,QAAQ,CAAC,EAAE;AAAA,IAC1B,MAAM,CAAC,OAAO,WAAW,UAAU,OAAO,WAAW,QAAQ,KAAK,CAAC;AAAA,IACnE,QAAQ,CAAC,OAAO,WAAW,YAAY,OAAO,WAAW,QAAQ,KAAK,CAAC;AAAA,IACvE,UAAU,CAAC,UAAU;AACnB,UAAI,MAAM,OAAO,WAAW,EAAG,QAAO;AACtC,UAAI,MAAM,MAAM,OAAO,CAAC;AACxB,eAAS,IAAI,GAAG,IAAI,MAAM,OAAO,QAAQ,KAAK;AAC5C,cAAM,IAAI,MAAM,OAAO,CAAC;AACxB,YAAI,IAAI,IAAK,OAAM;AAAA,MACrB;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAOO,SAAS,IACd,OACA,MACqC;AACrC,QAAM,QAAQ,MAAM;AACpB,OAAK;AACL,SAAO;AAAA,IACL,MAAM,OAAO,EAAE,QAAQ,CAAC,EAAE;AAAA,IAC1B,MAAM,CAAC,OAAO,WAAW,UAAU,OAAO,WAAW,QAAQ,KAAK,CAAC;AAAA,IACnE,QAAQ,CAAC,OAAO,WAAW,YAAY,OAAO,WAAW,QAAQ,KAAK,CAAC;AAAA,IACvE,UAAU,CAAC,UAAU;AACnB,UAAI,MAAM,OAAO,WAAW,EAAG,QAAO;AACtC,UAAI,MAAM,MAAM,OAAO,CAAC;AACxB,eAAS,IAAI,GAAG,IAAI,MAAM,OAAO,QAAQ,KAAK;AAC5C,cAAM,IAAI,MAAM,OAAO,CAAC;AACxB,YAAI,IAAI,IAAK,OAAM;AAAA,MACrB;AACA,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAaA,SAAS,WAAW,QAAiB,OAAuB;AAC1D,QAAM,QAAQ,SAAS,QAAQ,KAAK;AACpC,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;;;ACjMO,SAAS,cACd,SACA,MACuB;AAEvB,QAAM,QAAiC,CAAC;AACxC,aAAW,OAAO,OAAO,KAAK,IAAI,GAAG;AACnC,UAAM,GAAG,IAAI,KAAK,GAAG,EAAG,KAAK;AAAA,EAC/B;AACA,aAAW,UAAU,SAAS;AAC5B,eAAW,OAAO,OAAO,KAAK,IAAI,GAAG;AACnC,YAAM,GAAG,IAAI,KAAK,GAAG,EAAG,KAAK,MAAM,GAAG,GAAG,MAAM;AAAA,IACjD;AAAA,EACF;AACA,QAAM,SAAkC,CAAC;AACzC,aAAW,OAAO,OAAO,KAAK,IAAI,GAAG;AACnC,WAAO,GAAG,IAAI,KAAK,GAAG,EAAG,SAAS,MAAM,GAAG,CAAC;AAAA,EAC9C;AACA,SAAO;AACT;AA4DA,IAAM,sBAAN,MAA2D;AAAA,EAOzD,YACmB,WACjB,WACA;AAFiB;AASjB,QAAI;AACF,WAAK,QAAQ,UAAU;AACvB,WAAK,QAAQ;AAAA,IACf,SAAS,KAAK;AACZ,WAAK,QAAQ;AACb,WAAK,QAAQ;AAAA,IACf;AAIA,eAAW,YAAY,WAAW;AAChC,YAAM,QAAQ,SAAS,UAAU,MAAM,KAAK,QAAQ,CAAC;AACrD,WAAK,aAAa,KAAK,KAAK;AAAA,IAC9B;AAAA,EACF;AAAA,EAvBmB;AAAA,EAPZ;AAAA,EACA;AAAA,EACU,YAAY,oBAAI,IAAgB;AAAA,EAChC,eAAkC,CAAC;AAAA,EAC5C,UAAU;AAAA,EA4BV,UAAgB;AACtB,QAAI,KAAK,QAAS;AAClB,QAAI;AACF,WAAK,QAAQ,KAAK,UAAU;AAC5B,WAAK,QAAQ;AAAA,IACf,SAAS,KAAK;AAIZ,WAAK,QAAQ;AAAA,IACf;AACA,eAAW,YAAY,KAAK,WAAW;AACrC,UAAI;AACF,iBAAS;AAAA,MACX,SAAS,KAAK;AAGZ,gBAAQ,KAAK,4CAA4C,GAAG;AAAA,MAC9D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,UAAU,IAA4B;AACpC,QAAI,KAAK,SAAS;AAGhB,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,SAAK,UAAU,IAAI,EAAE;AACrB,WAAO,MAAM;AACX,WAAK,UAAU,OAAO,EAAE;AAAA,IAC1B;AAAA,EACF;AAAA,EAEA,OAAa;AACX,QAAI,KAAK,QAAS;AAClB,SAAK,UAAU;AACf,eAAW,SAAS,KAAK,cAAc;AACrC,UAAI;AACF,cAAM;AAAA,MACR,SAAS,KAAK;AACZ,gBAAQ,KAAK,wDAAwD,GAAG;AAAA,MAC1E;AAAA,IACF;AACA,SAAK,aAAa,SAAS;AAC3B,SAAK,UAAU,MAAM;AAAA,EACvB;AACF;AAkBO,IAAM,cAAN,MAAqB;AAAA,EAC1B,YACmB,gBACA,MACA,WACjB;AAHiB;AACA;AACA;AAAA,EAChB;AAAA,EAHgB;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnB,MAAS;AACP,WAAO,cAAc,KAAK,eAAe,GAAG,KAAK,IAAI;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,OAA2B;AACzB,UAAM,YAAY,MAChB,cAAc,KAAK,eAAe,GAAG,KAAK,IAAI;AAChD,WAAO,IAAI,oBAAuB,WAAW,KAAK,SAAS;AAAA,EAC7D;AACF;AAUO,SAAS,qBACd,WACA,WACoB;AACpB,SAAO,IAAI,oBAAuB,WAAW,SAAS;AACxD;;;AC/NO,IAAM,2BAA2B;AACjC,IAAM,0BAA0B;AASvC,IAAM,0BAA0B,oBAAI,IAAY;AAChD,SAAS,2BAA2B,OAAe,UAAwB;AACzE,MAAI,wBAAwB,IAAI,KAAK,EAAG;AACxC,0BAAwB,IAAI,KAAK;AACjC,UAAQ;AAAA,IACN,sBAAsB,KAAK,eAAe,QAAQ,qBAC7C,KAAK,MAAO,WAAW,0BAA2B,GAAG,CAAC,YACtD,uBAAuB;AAAA,EAE9B;AACF;AAOO,SAAS,uBAA6B;AAC3C,0BAAwB,MAAM;AAChC;AA0BO,IAAM,eAAN,MAAwC;AAAA,EAC7C,YACmB,gBACA,OACA,WAKA,mBAKjB;AAZiB;AACA;AACA;AAKA;AAAA,EASnB;AAAA,EAhBmB;AAAA,EACA;AAAA,EACA;AAAA,EAKA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBnB,UACE,MAC0D;AAC1D,WAAO,IAAI;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AACF;AAaO,SAAS,eACd,SACA,OACA,MACK;AAGL,QAAM,UAAU,oBAAI,IAAwB;AAC5C,aAAW,UAAU,SAAS;AAC5B,UAAM,MAAM,SAAS,QAAQ,KAAK;AAClC,QAAI,SAAS,QAAQ,IAAI,GAAG;AAC5B,QAAI,WAAW,QAAW;AACxB,UAAI,QAAQ,QAAQ,yBAAyB;AAC3C,cAAM,IAAI;AAAA,UACR;AAAA,UACA,QAAQ,OAAO;AAAA,UACf;AAAA,QACF;AAAA,MACF;AACA,eAAS,CAAC;AACV,cAAQ,IAAI,KAAK,MAAM;AAAA,IACzB;AACA,WAAO,KAAK,MAAM;AAAA,EACpB;AAEA,MAAI,QAAQ,QAAQ,0BAA0B;AAC5C,+BAA2B,OAAO,QAAQ,IAAI;AAAA,EAChD;AAOA,QAAM,OAAO,OAAO,KAAK,IAAI;AAC7B,QAAM,MAAW,CAAC;AAClB,aAAW,CAAC,UAAU,aAAa,KAAK,SAAS;AAC/C,UAAM,QAAiC,CAAC;AACxC,eAAW,OAAO,MAAM;AACtB,YAAM,GAAG,IAAI,KAAK,GAAG,EAAG,KAAK;AAAA,IAC/B;AACA,eAAW,UAAU,eAAe;AAClC,iBAAW,OAAO,MAAM;AACtB,cAAM,GAAG,IAAI,KAAK,GAAG,EAAG,KAAK,MAAM,GAAG,GAAG,MAAM;AAAA,MACjD;AAAA,IACF;AACA,UAAM,MAA+B,EAAE,CAAC,KAAK,GAAG,SAAS;AACzD,eAAW,OAAO,MAAM;AACtB,UAAI,GAAG,IAAI,KAAK,GAAG,EAAG,SAAS,MAAM,GAAG,CAAC;AAAA,IAC3C;AACA,QAAI,KAAK,GAAmB;AAAA,EAC9B;AACA,SAAO;AACT;AAYO,IAAM,qBAAN,MAA4B;AAAA,EACjC,YACmB,gBACA,OACA,MACA,WAKA,mBAKjB;AAbiB;AACA;AACA;AACA;AAKA;AAAA,EAKhB;AAAA,EAbgB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAKA;AAAA;AAAA,EAQnB,MAAW;AACT,WAAO,eAAkB,KAAK,eAAe,GAAG,KAAK,OAAO,KAAK,IAAI;AAAA,EACvE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,SAAS,MAGE;AACf,UAAM,OAAO,eAAkB,KAAK,eAAe,GAAG,KAAK,OAAO,KAAK,IAAI;AAC3E,QAAI,CAAC,MAAM,UAAU,CAAC,KAAK,kBAAmB,QAAO;AAErD,UAAM,UAAU,KAAK;AACrB,UAAM,SAAS,KAAK;AACpB,UAAM,WAAW,KAAK;AACtB,UAAM,WAAW,GAAG,KAAK,KAAK;AAE9B,WAAO,QAAQ;AAAA,MACb,KAAK,IAAI,OAAO,QAAQ;AACtB,cAAM,MAAO,IAAgC,KAAK,KAAK;AACvD,YAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,cAAM,QAAQ,MAAM,QAAQ,KAAK,QAAQ,QAAQ;AACjD,eAAO,EAAE,GAAI,KAAiC,CAAC,QAAQ,GAAG,MAAM;AAAA,MAClE,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,OAA6B;AAC3B,UAAM,YAAY,MAChB,eAAkB,KAAK,eAAe,GAAG,KAAK,OAAO,KAAK,IAAI;AAChE,WAAO,qBAA0B,WAAW,KAAK,SAAS;AAAA,EAC5D;AACF;","names":[]}

package/dist/chunk-TOQK4KAN.js

@@ -1,79 +0,0 @@
-import {
-  ensureCollectionDEK
-} from "./chunk-YVFTBQHL.js";
-import {
-  NOYDB_FORMAT_VERSION
-} from "./chunk-PJK6IOBC.js";
-import {
-  decrypt,
-  encrypt
-} from "./chunk-MR4424N3.js";
-import {
-  PermissionDeniedError
-} from "./chunk-ACLDOTNQ.js";
-
-// src/team/sync-credentials.ts
-var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
-function requireAdminAccess(keyring) {
-  if (keyring.role !== "owner" && keyring.role !== "admin") {
-    throw new PermissionDeniedError(
-      `Sync credentials require owner or admin role. Current role: "${keyring.role}"`
-    );
-  }
-}
-async function putCredential(adapter, vault, keyring, credential) {
-  requireAdminAccess(keyring);
-  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
-  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
-  const { iv, data } = await encrypt(JSON.stringify(credential), dek);
-  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId);
-  const version = existing ? existing._v + 1 : 1;
-  const envelope = {
-    _noydb: NOYDB_FORMAT_VERSION,
-    _v: version,
-    _ts: (/* @__PURE__ */ new Date()).toISOString(),
-    _iv: iv,
-    _data: data,
-    _by: keyring.userId
-  };
-  await adapter.put(
-    vault,
-    SYNC_CREDENTIALS_COLLECTION,
-    credential.adapterId,
-    envelope,
-    existing ? existing._v : void 0
-  );
-}
-async function getCredential(adapter, vault, keyring, adapterId) {
-  requireAdminAccess(keyring);
-  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
-  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
-  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
-  if (!envelope) return null;
-  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
-  return JSON.parse(plaintext);
-}
-async function deleteCredential(adapter, vault, keyring, adapterId) {
-  requireAdminAccess(keyring);
-  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
-}
-async function listCredentials(adapter, vault, keyring) {
-  requireAdminAccess(keyring);
-  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION);
-}
-async function credentialStatus(adapter, vault, keyring, adapterId) {
-  const credential = await getCredential(adapter, vault, keyring, adapterId);
-  if (!credential) return { exists: false };
-  const expired = credential.expiresAt ? Date.now() > new Date(credential.expiresAt).getTime() : false;
-  return { exists: true, expired };
-}
-
-export {
-  SYNC_CREDENTIALS_COLLECTION,
-  putCredential,
-  getCredential,
-  deleteCredential,
-  listCredentials,
-  credentialStatus
-};
-//# sourceMappingURL=chunk-TOQK4KAN.js.map

package/dist/chunk-TOQK4KAN.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/team/sync-credentials.ts"],"sourcesContent":["/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../errors.js'\n\n/** The reserved collection name. Never collides with user collections. */\nexport const SYNC_CREDENTIALS_COLLECTION = '_sync_credentials'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n  /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n  readonly adapterId: string\n  /** OAuth token type, usually 'Bearer'. */\n  readonly tokenType: string\n  /** The access token. Expires at `expiresAt` if set. */\n  readonly accessToken: string\n  /** Long-lived refresh token for renewing the access token. */\n  readonly refreshToken?: string\n  /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n  readonly expiresAt?: string\n  /** Space-separated OAuth scopes. */\n  readonly scopes?: string\n  /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n  readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n  if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n    throw new PermissionDeniedError(\n      `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n    )\n  }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  credential: SyncCredential,\n): Promise<void> {\n  requireAdminAccess(keyring)\n\n  const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n  const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n  const version = existing ? existing._v + 1 : 1\n\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: version,\n    _ts: new Date().toISOString(),\n    _iv: iv,\n    _data: data,\n    _by: keyring.userId,\n  }\n\n  await adapter.put(\n    vault,\n    SYNC_CREDENTIALS_COLLECTION,\n    credential.adapterId,\n    envelope,\n    existing ? existing._v : undefined,\n  )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<SyncCredential | null> {\n  requireAdminAccess(keyring)\n\n  const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n  if (!envelope) return null\n\n  const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n  return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<void> {\n  requireAdminAccess(keyring)\n  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<string[]> {\n  requireAdminAccess(keyring)\n  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n  const credential = await getCredential(adapter, vault, keyring, adapterId)\n  if (!credential) return { exists: false }\n\n  const expired = credential.expiresAt\n    ? Date.now() > new Date(credential.expiresAt).getTime()\n    : false\n\n  return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+CO,IAAM,8BAA8B;AA8B3C,SAAS,mBAAmB,SAAgC;AAC1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}

package/dist/chunk-WN6UK7PM.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/bundle/format.ts","../src/bundle/bundle.ts"],"sourcesContent":["/**\n * `.noydb` container format — byte layout, header schema, validators.\n *\n *. Wraps a `vault.dump()` JSON string in a thin\n * binary container with a magic-byte prefix, a minimum-disclosure\n * unencrypted header, and a compressed body.\n *\n * **Byte layout** (read in order from offset 0):\n *\n * ```\n * +--------+--------+--------+--------+\n * |  N=78  |  D=68  |  B=66  |  1=49  |  Magic 'NDB1' (4 bytes)\n * +--------+--------+--------+--------+\n * | flags  | compr  |  header_length (uint32 BE)            |\n * +--------+--------+--------+--------+--------+--------+--------+\n * | header_length bytes of UTF-8 JSON header                       ...\n * +--------+--------+\n * | compressed body bytes                                            ...\n * ```\n *\n * Total fixed prefix before the header JSON is **10 bytes**:\n *   - 4 bytes magic\n *   - 1 byte flags\n *   - 1 byte compression algorithm\n *   - 4 bytes header length (uint32 big-endian)\n *\n * **Why a binary container** at all? `vault.dump()` already\n * produces a JSON string with encrypted records inside. Wrapping it\n * again seems redundant — but the wrap is what makes the file safe\n * to drop into cloud storage (Drive, Dropbox, iCloud) without\n * leaking the vault name and exporter identity through the\n * cloud's metadata API. The minimum-disclosure header is the only\n * thing visible without downloading and decompressing the body.\n * The dump JSON inside the body still contains the original\n * metadata, but that's only readable by someone who already has the\n * file bytes — the same person who could read the encrypted records\n * with the right passphrase.\n *\n * **Why minimum disclosure** in the header? Because consumers will\n * inevitably store these in services where the filename, file size,\n * and any unencrypted metadata are indexed for search. A field like\n * `vault: \"Acme Corp\"` would let an attacker (or a curious\n * cloud admin) enumerate which compartments exist and who exported\n * them, even with zero access to the encrypted body. The header\n * carries only what's needed to identify the file as a NOYDB\n * bundle and verify its integrity — nothing about the contents.\n */\n\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\n\n/** Magic bytes 'NDB1' (ASCII), identifying a NOYDB bundle. */\nexport const NOYDB_BUNDLE_MAGIC = new Uint8Array([0x4e, 0x44, 0x42, 0x31])\n\n/** Total fixed prefix before the header JSON: 4+1+1+4 bytes. */\nexport const NOYDB_BUNDLE_PREFIX_BYTES = 10\n\n/** Current bundle format version. Bumped on layout changes. */\nexport const NOYDB_BUNDLE_FORMAT_VERSION = 1\n\n/**\n * Bitfield interpretation of the flags byte.\n *\n * Bit 0 — body is compressed (0 = raw, 1 = compressed)\n * Bit 1 — header carries an integrity hash over the body bytes\n * Bits 2-7 — reserved, must be 0 in\n */\nexport const FLAG_COMPRESSED = 0b0000_0001\nexport const FLAG_HAS_INTEGRITY_HASH = 0b0000_0010\n\n/**\n * Compression algorithm encoding for the byte at offset 5.\n *\n * `none` is admitted for round-trip testing and for callers that\n * want to bundle without compression (e.g. when piping into a\n * separately compressed transport). `gzip` is the universally\n * available baseline (Node 18+, all modern browsers). `brotli` is\n * preferred when the runtime supports it — typically 30-50% smaller\n * for JSON payloads — but Node 22+ / Chrome 124+ / Firefox 122+\n * are required, so the writer feature-detects at runtime and falls\n * back to gzip. The reader must handle all three.\n */\nexport const COMPRESSION_NONE = 0\nexport const COMPRESSION_GZIP = 1\nexport const COMPRESSION_BROTLI = 2\n\nexport type CompressionAlgo = 0 | 1 | 2\n\n/**\n * The unencrypted header carried in every `.noydb` bundle.\n *\n * **Minimum-disclosure rules:** these are the ONLY allowed keys.\n * Any other key in a parsed header causes\n * `validateBundleHeader` to throw. The set is kept short to\n * minimize attack surface from cloud-storage metadata indexing —\n * see the file-level doc comment for the rationale.\n *\n * Forbidden in particular:\n *   - `vault` / `_compartment` — would leak the tenant name\n *   - `exporter` / `_exported_by` — would leak user identity\n *   - `timestamp` / `_exported_at` — would leak activity timing\n *   - `kdfParams` / salt fields — would leak crypto config that\n *     could narrow brute-force search space\n *   - any field starting with `_` (reserved by the dump format)\n */\nexport interface NoydbBundleHeader {\n  /** Bundle format version — bumped on layout changes. */\n  readonly formatVersion: number\n  /**\n   * Opaque ULID identifier — generated once per vault and\n   * stable across re-exports of the same vault. Does not\n   * leak any information about contents (the timestamp prefix is\n   * just monotonicity for sortability, not exporter activity —\n   * see `bundle/ulid.ts` for the design notes).\n   */\n  readonly handle: string\n  /** Compressed body length in bytes. Lets readers verify completeness without decompressing. */\n  readonly bodyBytes: number\n  /** SHA-256 of the compressed body bytes (lowercase hex). Lets readers verify integrity without decompressing. */\n  readonly bodySha256: string\n  /**\n   * Owner-curated public envelope (`docs/subsystems/public-envelope.md`).\n   * Optional — present only when the source vault has a\n   * `_meta/public-envelope` document AND the writer's hub is opted\n   * into the feature. Treat as **untrusted hint**; the body's\n   * encrypted contents remain the source of truth.\n   *\n   * The envelope deliberately widens the minimum-disclosure rule\n   * for explicit, owner-curated label fields (name, icon, …). Every\n   * other unknown header key still rejects at parse time.\n   */\n  readonly publicEnvelope?: PublicEnvelope\n}\n\n/**\n * Allowlist of header keys. Any key not in this set is forbidden\n * and causes `validateBundleHeader` to throw. Kept as a Set for\n * O(1) lookup; the validator iterates over the parsed header and\n * checks each key against this set.\n */\nconst ALLOWED_HEADER_KEYS: ReadonlySet<string> = new Set([\n  'formatVersion',\n  'handle',\n  'bodyBytes',\n  'bodySha256',\n  'publicEnvelope',\n])\n\n/**\n * Validate a parsed bundle header. Throws on any deviation from\n * the minimum-disclosure schema:\n *\n *   - Missing required field\n *   - Wrong type for any field\n *   - Any extra key not in `ALLOWED_HEADER_KEYS`\n *   - Unsupported `formatVersion`\n *   - Negative or non-integer `bodyBytes`\n *   - Malformed `handle` (must be 26-char Crockford base32)\n *   - Malformed `bodySha256` (must be 64-char lowercase hex)\n *\n * The error messages name the offending field so consumers can\n * fix the producer rather than the reader.\n */\nexport function validateBundleHeader(\n  parsed: unknown,\n): asserts parsed is NoydbBundleHeader {\n  if (parsed === null || typeof parsed !== 'object') {\n    throw new Error(\n      `.noydb bundle header must be a JSON object, got ${parsed === null ? 'null' : typeof parsed}`,\n    )\n  }\n  // Disallow any unknown key — minimum disclosure means we reject\n  // forward-compat extension keys at the format layer; new fields\n  // require a format version bump and a new validator.\n  for (const key of Object.keys(parsed)) {\n    if (!ALLOWED_HEADER_KEYS.has(key)) {\n      throw new Error(\n        `.noydb bundle header contains forbidden key \"${key}\". ` +\n          `Only minimum-disclosure fields are allowed: ` +\n          `${[...ALLOWED_HEADER_KEYS].join(', ')}.`,\n      )\n    }\n  }\n  const h = parsed as Record<string, unknown>\n  if (typeof h['formatVersion'] !== 'number' || h['formatVersion'] !== NOYDB_BUNDLE_FORMAT_VERSION) {\n    throw new Error(\n      `.noydb bundle header.formatVersion must be ${NOYDB_BUNDLE_FORMAT_VERSION}, ` +\n        `got ${String(h['formatVersion'])}. The reader does not support ` +\n        `forward-compat versions; upgrade the reader to handle newer bundles.`,\n    )\n  }\n  if (typeof h['handle'] !== 'string' || !/^[0-9A-HJKMNP-TV-Z]{26}$/.test(h['handle'])) {\n    throw new Error(\n      `.noydb bundle header.handle must be a 26-character Crockford base32 ULID, ` +\n        `got ${typeof h['handle'] === 'string' ? `\"${h['handle']}\"` : String(h['handle'])}.`,\n    )\n  }\n  if (typeof h['bodyBytes'] !== 'number' || !Number.isInteger(h['bodyBytes']) || h['bodyBytes'] < 0) {\n    throw new Error(\n      `.noydb bundle header.bodyBytes must be a non-negative integer, ` +\n        `got ${String(h['bodyBytes'])}.`,\n    )\n  }\n  if (typeof h['bodySha256'] !== 'string' || !/^[0-9a-f]{64}$/.test(h['bodySha256'])) {\n    throw new Error(\n      `.noydb bundle header.bodySha256 must be a 64-character lowercase hex string, ` +\n        `got ${typeof h['bodySha256'] === 'string' ? `\"${h['bodySha256']}\"` : String(h['bodySha256'])}.`,\n    )\n  }\n  if (h['publicEnvelope'] !== undefined) {\n    const env = h['publicEnvelope']\n    if (env === null || typeof env !== 'object' || Array.isArray(env)) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope must be a JSON object when present, got ${typeof env}.`,\n      )\n    }\n    const e = env as Record<string, unknown>\n    if (e['_noydb_public'] !== 1) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope._noydb_public must be 1, got ${String(e['_noydb_public'])}.`,\n      )\n    }\n    if (typeof e['version'] !== 'number' || !Number.isInteger(e['version']) || e['version'] < 1) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope.version must be a positive integer, got ${String(e['version'])}.`,\n      )\n    }\n  }\n}\n\n/**\n * Encode a header object to UTF-8 JSON bytes after validating\n * minimum disclosure. Used by the writer to serialize the header\n * region of the container.\n */\nexport function encodeBundleHeader(header: NoydbBundleHeader): Uint8Array {\n  validateBundleHeader(header)\n  // Stable key ordering — JSON.stringify with no replacer uses\n  // insertion order, which is fine here because we control the\n  // object construction. Stable ordering means two bundles with\n  // identical contents produce byte-identical headers.\n  const json = JSON.stringify({\n    formatVersion: header.formatVersion,\n    handle: header.handle,\n    bodyBytes: header.bodyBytes,\n    bodySha256: header.bodySha256,\n    ...(header.publicEnvelope !== undefined ? { publicEnvelope: header.publicEnvelope } : {}),\n  })\n  return new TextEncoder().encode(json)\n}\n\n/**\n * Parse a bundle header from its UTF-8 JSON bytes. Throws on\n * invalid JSON or any minimum-disclosure violation.\n */\nexport function decodeBundleHeader(bytes: Uint8Array): NoydbBundleHeader {\n  const json = new TextDecoder('utf-8', { fatal: true }).decode(bytes)\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(json)\n  } catch (err) {\n    throw new Error(\n      `.noydb bundle header is not valid JSON: ${(err as Error).message}`,\n    )\n  }\n  validateBundleHeader(parsed)\n  return parsed\n}\n\n/**\n * Read a uint32 from `bytes` at `offset` in big-endian byte order.\n * No bounds check — callers must guarantee `offset + 4 <= bytes.length`.\n * Used to decode the header length field; kept inline so the parser\n * doesn't depend on DataView allocation per call.\n */\nexport function readUint32BE(bytes: Uint8Array, offset: number): number {\n  return (\n    (bytes[offset]! << 24 >>> 0) +\n    (bytes[offset + 1]! << 16) +\n    (bytes[offset + 2]! << 8) +\n    bytes[offset + 3]!\n  )\n}\n\n/**\n * Write a uint32 to `bytes` at `offset` in big-endian byte order.\n * No bounds check — callers must guarantee `offset + 4 <= bytes.length`.\n */\nexport function writeUint32BE(bytes: Uint8Array, offset: number, value: number): void {\n  bytes[offset] = (value >>> 24) & 0xff\n  bytes[offset + 1] = (value >>> 16) & 0xff\n  bytes[offset + 2] = (value >>> 8) & 0xff\n  bytes[offset + 3] = value & 0xff\n}\n\n/**\n * Verify the magic prefix of a bundle. Returns true if the first\n * 4 bytes match `NDB1`. Used by readers as a fast file-type check\n * before any further parsing.\n */\nexport function hasNoydbBundleMagic(bytes: Uint8Array): boolean {\n  if (bytes.length < NOYDB_BUNDLE_MAGIC.length) return false\n  for (let i = 0; i < NOYDB_BUNDLE_MAGIC.length; i++) {\n    if (bytes[i] !== NOYDB_BUNDLE_MAGIC[i]) return false\n  }\n  return true\n}\n","/**\n * `.noydb` container primitives — write, read, header-only read.\n *\n *. Wraps a `vault.dump()` JSON string in the\n * binary container described in `format.ts`.\n *\n * **Three primitives:**\n *\n *   - `writeNoydbBundle(vault, opts?)` — produces the\n *     full container bytes ready to write to disk or upload\n *   - `readNoydbBundleHeader(bytes)` — parses just the header\n *     without decompressing the body, fast file-type and\n *     metadata read for cloud listing UIs\n *   - `readNoydbBundle(bytes)` — full read: validates magic,\n *     header, integrity hash, and decompresses the body to\n *     return the original `dump()` JSON string for use with\n *     `vault.load()`\n *\n * **Compression strategy:** brotli when available (Node 22+,\n * Chrome 124+, Firefox 122+), gzip fallback elsewhere. The\n * algorithm choice is encoded in the format byte at offset 5,\n * so readers handle either transparently. Brotli wins ~30-50%\n * on JSON payloads with repeated keys (which vault dumps\n * are).\n *\n * **Why split read/load?** `readNoydbBundle` returns the\n * *unwrapped JSON string*, not a Vault object. The caller\n * is responsible for piping that JSON into\n * `vault.load(json, passphrase)`. Splitting the layers\n * keeps the bundle module free of any crypto/passphrase\n * concerns — it's purely a format layer. The same `readNoydbBundle`\n * call can also feed verification tools, format inspectors, or\n * archive utilities that don't care about decryption.\n */\n\nimport {\n  COMPRESSION_BROTLI,\n  COMPRESSION_GZIP,\n  COMPRESSION_NONE,\n  FLAG_COMPRESSED,\n  FLAG_HAS_INTEGRITY_HASH,\n  NOYDB_BUNDLE_FORMAT_VERSION,\n  NOYDB_BUNDLE_MAGIC,\n  NOYDB_BUNDLE_PREFIX_BYTES,\n  decodeBundleHeader,\n  encodeBundleHeader,\n  hasNoydbBundleMagic,\n  readUint32BE,\n  writeUint32BE,\n  type CompressionAlgo,\n  type NoydbBundleHeader,\n} from './format.js'\nimport { BundleIntegrityError } from '../errors.js'\nimport type { Vault } from '../vault.js'\nimport type { BundleRecipient } from '../team/keyring.js'\nimport { pickLocale } from '../meta/public-envelope/storage.js'\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\n\n/**\n * Options accepted by `writeNoydbBundle`.\n *\n * - `compression: 'auto'` (default) — try brotli, fall back to gzip\n * - `compression: 'brotli'` — force brotli, throw if unsupported\n * - `compression: 'gzip'` — force gzip\n * - `compression: 'none'` — no compression (round-trip testing only)\n *\n * **Slice filtering** (added in ):\n * - `collections` — allowlist of collection names to include. Internal\n *   collections (keyrings, ledger) and excluded user collections are\n *   dropped from the bundle. Records inside included collections are\n *   carried through verbatim.\n * - `since` — only records whose envelope `_ts` is on/after the given\n *   instant survive. Operates on the unencrypted envelope timestamp,\n *   so plaintext access to records is not required.\n *\n * Both filters intersect (AND). When neither is provided the bundle is\n * a whole-vault snapshot, identical to today's behaviour.\n */\nexport interface WriteNoydbBundleOptions {\n  readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none'\n  /** Allowlist of user-collection names to include. */\n  readonly collections?: readonly string[]\n  /**\n   * Drop records whose envelope `_ts` is strictly older than this\n   * instant. Accepts a `Date` or any ISO-8601 string parseable by\n   * `new Date()`.\n   */\n  readonly since?: Date | string\n  /**\n   * Plaintext-pipeline record predicate. Decrypts each record\n   * with the vault's per-collection DEK, runs the predicate, and\n   * keeps the original ciphertext for survivors (no re-encrypt —\n   * preserves zero-knowledge cleanly). Records the predicate returns\n   * `false` for are dropped from the bundle.\n   *\n   * Async predicates are supported. Mutating the record from inside\n   * the predicate is undefined behaviour.\n   */\n  readonly where?: (\n    record: unknown,\n    ctx: { collection: string; id: string },\n  ) => boolean | Promise<boolean>\n  /**\n   * Hierarchical-tier ceiling. Records whose envelope `_tier`\n   * is strictly greater than this number are dropped. Operates on the\n   * envelope `_tier` (no decryption needed) — vault.exportStream is\n   * referenced in the issue body for symmetry, but the tier value\n   * lives on the unencrypted envelope. Vault without tiers is a no-op.\n   */\n  readonly tierAtMost?: number\n  /**\n   * Single-recipient re-keying shorthand. When set, the\n   * bundle's keyring is replaced with one freshly-derived entry sealed\n   * with this passphrase. The recipient inherits the source keyring's\n   * userId, role, and permissions. Mutually exclusive with `recipients`.\n   */\n  readonly exportPassphrase?: string\n  /**\n   * Multi-recipient re-keying. Replaces the bundle's keyring\n   * map with one slot per recipient, each sealed with its own\n   * passphrase. DEKs are unwrapped from the source keyring once and\n   * re-wrapped per recipient — record ciphertext is unchanged.\n   *\n   * Mutually exclusive with `exportPassphrase`. When neither is set,\n   * the bundle inherits the source keyring as-is (today's behaviour,\n   * suited to personal backup-and-restore).\n   */\n  readonly recipients?: readonly BundleRecipient[]\n}\n\n/**\n * Result returned by `readNoydbBundle`. The caller is expected to\n * pass `dumpJson` into `vault.load(json, passphrase)` to\n * actually restore a vault. Splitting the layers keeps the\n * bundle module free of crypto concerns — see file-level docs.\n */\nexport interface NoydbBundleReadResult {\n  readonly header: NoydbBundleHeader\n  readonly dumpJson: string\n}\n\n/**\n * Detect whether the runtime's `CompressionStream` supports brotli.\n *\n * Brotli requires Node 22+ / Chrome 124+ / Firefox 122+. The\n * detection runs the `CompressionStream` constructor in a\n * try/catch — unsupported formats throw `TypeError` synchronously,\n * making this a safe one-shot check that we cache for the\n * lifetime of the process.\n */\nlet cachedBrotliSupport: boolean | null = null\nfunction supportsBrotliCompression(): boolean {\n  if (cachedBrotliSupport !== null) return cachedBrotliSupport\n  try {\n    new CompressionStream('br' as CompressionFormat)\n    cachedBrotliSupport = true\n  } catch {\n    cachedBrotliSupport = false\n  }\n  return cachedBrotliSupport\n}\n\n/** Test-only: reset the brotli detection cache between tests. */\nexport function resetBrotliSupportCache(): void {\n  cachedBrotliSupport = null\n}\n\n/**\n * Pick the compression algorithm and the corresponding format byte\n * from a user option. Throws if the user explicitly requests brotli\n * on a runtime that doesn't support it — a silent fallback would\n * make the produced bundle smaller-than-expected and confuse\n * size-bound tests.\n */\nfunction selectCompression(option: WriteNoydbBundleOptions['compression']): {\n  format: CompressionAlgo\n  streamFormat: CompressionFormat | null\n} {\n  const choice = option ?? 'auto'\n  if (choice === 'none') return { format: COMPRESSION_NONE, streamFormat: null }\n  if (choice === 'gzip') return { format: COMPRESSION_GZIP, streamFormat: 'gzip' }\n  if (choice === 'brotli') {\n    if (!supportsBrotliCompression()) {\n      throw new Error(\n        `writeNoydbBundle({ compression: 'brotli' }) is not supported on this ` +\n          `runtime. Brotli requires Node 22+, Chrome 124+, or Firefox 122+. ` +\n          `Use { compression: 'auto' } to fall back to gzip silently, or ` +\n          `{ compression: 'gzip' } to be explicit.`,\n      )\n    }\n    return { format: COMPRESSION_BROTLI, streamFormat: 'br' as CompressionFormat }\n  }\n  // 'auto' — prefer brotli, fall back to gzip\n  if (supportsBrotliCompression()) {\n    return { format: COMPRESSION_BROTLI, streamFormat: 'br' as CompressionFormat }\n  }\n  return { format: COMPRESSION_GZIP, streamFormat: 'gzip' }\n}\n\n/**\n * Pump a Uint8Array through a CompressionStream / DecompressionStream\n * and collect the output. Both APIs are universally available in\n * Node 18+ and modern browsers; the only variance is which\n * formats they support, handled by `selectCompression` above.\n *\n * Implementation: build a single-chunk ReadableStream from the\n * input, pipe through the transform, then drain the resulting\n * ReadableStream into a single concatenated Uint8Array. This is\n * O(N) memory in the input + output sizes, which is fine for the\n * dump-sized payloads (typically <50MB) targets.\n */\nasync function pumpThroughStream(\n  input: Uint8Array,\n  stream: CompressionStream | DecompressionStream,\n): Promise<Uint8Array> {\n  const readable = new Blob([input as BlobPart]).stream().pipeThrough(stream)\n  const reader = readable.getReader()\n  const chunks: Uint8Array[] = []\n  let total = 0\n  for (;;) {\n    const { value, done } = await reader.read()\n    if (done) break\n    if (value) {\n      chunks.push(value as Uint8Array)\n      total += value.length\n    }\n  }\n  const out = new Uint8Array(total)\n  let offset = 0\n  for (const chunk of chunks) {\n    out.set(chunk, offset)\n    offset += chunk.length\n  }\n  return out\n}\n\n/**\n * SHA-256 hex digest of `bytes`. Used for the bundle integrity\n * hash carried in the header. Web Crypto API only — no Node\n * crypto module, no third-party hash library.\n *\n * The output format is lowercase hex (64 chars for SHA-256). The\n * format validator pins this — uppercase or mixed-case digests\n * are rejected, so the writer and reader agree on canonicalization.\n */\nasync function sha256Hex(bytes: Uint8Array): Promise<string> {\n  // Copy into a fresh ArrayBuffer-backed Uint8Array. The\n  // underlying buffer of `bytes` may be SharedArrayBuffer (e.g.\n  // from a worker), which `subtle.digest` rejects via TypeScript's\n  // BufferSource type. Allocating a fresh ArrayBuffer-backed view\n  // sidesteps the type narrowing and is portable across all\n  // runtimes — the copy cost is O(N) but bundle bodies are\n  // typically <50MB, well below the threshold where the copy\n  // matters.\n  const copy = new Uint8Array(bytes.length)\n  copy.set(bytes)\n  const digest = await crypto.subtle.digest('SHA-256', copy)\n  const view = new Uint8Array(digest)\n  let hex = ''\n  for (let i = 0; i < view.length; i++) {\n    hex += view[i]!.toString(16).padStart(2, '0')\n  }\n  return hex\n}\n\n/**\n * Concatenate any number of Uint8Arrays into a single new buffer.\n * Used to assemble the final bundle from its prefix + header +\n * body parts.\n */\nfunction concatBytes(parts: readonly Uint8Array[]): Uint8Array {\n  let total = 0\n  for (const p of parts) total += p.length\n  const out = new Uint8Array(total)\n  let offset = 0\n  for (const p of parts) {\n    out.set(p, offset)\n    offset += p.length\n  }\n  return out\n}\n\n/**\n * Replace the bundle's keyrings with freshly built recipient slots,\n * one per supplied recipient. No-op when neither `exportPassphrase`\n * nor `recipients` is set — the source keyring is inherited as-is.\n *\n * The single-passphrase shorthand creates a one-recipient list whose\n * id, role, and permissions inherit from the source vault — useful\n * for \"back up to a different passphrase\" without changing role\n * semantics. The multi-recipient form wraps each slot independently\n * with its declared role + permissions.\n *\n * @internal\n */\nasync function applyRecipientRewrap(\n  vault: Vault,\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): Promise<string> {\n  if (opts.exportPassphrase === undefined && opts.recipients === undefined) {\n    return dumpJson\n  }\n\n  const recipients: readonly BundleRecipient[] =\n    opts.recipients ?? [\n      {\n        id: vault.userId,\n        passphrase: opts.exportPassphrase as string,\n        role: vault.role,\n      },\n    ]\n\n  const recipientKeyrings = await vault.buildBundleRecipientKeyrings(recipients)\n\n  const backup = JSON.parse(dumpJson) as { keyrings: unknown; [k: string]: unknown }\n  backup.keyrings = recipientKeyrings\n  return JSON.stringify(backup)\n}\n\n/**\n * Apply opt-in slice filters to a vault dump JSON string. Filters that\n * narrow the bundle without crossing the encryption boundary — both\n * operate on metadata (collection name, envelope `_ts`) and never need\n * to decrypt records. When neither filter is set, the dump is returned\n * unchanged so the no-arg path stays a pure passthrough.\n *\n * Internal-collection filtering: when a `collections` allowlist is\n * provided, the bundle still carries `_internal` (ledger entries) and\n * the keyrings — they're necessary for the receiver to verify and\n * unlock the bundle. The allowlist applies to the user-collection\n * map only.\n *\n * @internal\n */\nfunction applySliceFilters(\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): string {\n  const collectionsFilter = opts.collections\n    ? new Set(opts.collections)\n    : null\n  const sinceMs =\n    opts.since !== undefined ? new Date(opts.since).getTime() : null\n  if (collectionsFilter === null && sinceMs === null) return dumpJson\n\n  // Parse, prune, re-serialize. The dump shape is stable\n  // (VaultBackup) so this is a one-off allocation; for vaults beyond\n  // the documented 1K–50K target a streaming variant would be a\n  // follow-up, but the simple parse path keeps the slice path\n  // type-safe and trivially auditable.\n  const backup = JSON.parse(dumpJson) as {\n    collections?: Record<string, Record<string, { _ts?: string }>>\n    [k: string]: unknown\n  }\n\n  if (backup.collections && typeof backup.collections === 'object') {\n    const next: Record<string, Record<string, unknown>> = {}\n    for (const [name, records] of Object.entries(backup.collections)) {\n      if (collectionsFilter && !collectionsFilter.has(name)) continue\n      if (sinceMs === null) {\n        next[name] = records\n        continue\n      }\n      const kept: Record<string, unknown> = {}\n      for (const [id, env] of Object.entries(records)) {\n        const envTs = env._ts ? new Date(env._ts).getTime() : NaN\n        if (Number.isFinite(envTs) && envTs >= sinceMs) {\n          kept[id] = env\n        }\n      }\n      next[name] = kept\n    }\n    backup.collections = next as typeof backup.collections\n  }\n\n  return JSON.stringify(backup)\n}\n\n/**\n * Apply opt-in plaintext-tier filters\n * to a vault dump. Operates BEFORE `applySliceFilters` so the metadata\n * pass sees the trimmed record set.\n *\n * The filter never re-encrypts: surviving records carry their original\n * envelope unchanged. Failing records are dropped from the\n * `collections` map. Internal collections (ledger, deltas) and the\n * keyrings map are untouched.\n *\n * @internal\n */\nasync function applyPlaintextFilters(\n  vault: Vault,\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): Promise<string> {\n  if (opts.where === undefined && opts.tierAtMost === undefined) {\n    return dumpJson\n  }\n\n  type Env = { _ts?: string; _tier?: number; _iv: string; _data: string }\n  const backup = JSON.parse(dumpJson) as {\n    collections?: Record<string, Record<string, Env>>\n    [k: string]: unknown\n  }\n  if (!backup.collections || typeof backup.collections !== 'object') {\n    return dumpJson\n  }\n\n  const tierCeiling = opts.tierAtMost\n  const where = opts.where\n\n  const next: Record<string, Record<string, Env>> = {}\n  for (const [collName, records] of Object.entries(backup.collections)) {\n    const kept: Record<string, Env> = {}\n    for (const [id, env] of Object.entries(records)) {\n      // Tier ceiling — runs FIRST so we don't waste a decrypt on\n      // records about to be dropped anyway. Envelope tier defaults to\n      // 0 when absent (matches Vault's tier-0 conventions).\n      if (tierCeiling !== undefined) {\n        const tier = env._tier ?? 0\n        if (tier > tierCeiling) continue\n      }\n      // Plaintext predicate — decrypt, run, keep on truthy. Errors\n      // from inside the predicate propagate (callers want to see why\n      // their filter blew up rather than getting a silent passthrough).\n      if (where !== undefined) {\n        const record = await vault._decryptEnvelopeForBundleFilter(\n          env as never,\n          collName,\n        )\n        const ok = await where(record, { collection: collName, id })\n        if (!ok) continue\n      }\n      kept[id] = env\n    }\n    next[collName] = kept\n  }\n  backup.collections = next\n  return JSON.stringify(backup)\n}\n\n/**\n * Write a `.noydb` bundle for the given vault.\n *\n * Pipeline:\n *   1. Resolve or create the compartment's stable bundle handle\n *      via `vault.getBundleHandle()` — same handle on\n *      every export from the same vault instance, so cloud\n *      adapters can use it as a primary key.\n *   2. `vault.dump()` → JSON string with encrypted records\n *      inside.\n *   3. UTF-8 encode the dump string.\n *   4. Compress (brotli if available, gzip fallback by default).\n *   5. Compute SHA-256 of the compressed body for integrity.\n *   6. Build the minimum-disclosure header from format version,\n *      handle, body length, body sha.\n *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)\n *      + header JSON (N) + compressed body (M).\n *\n * The output is a single `Uint8Array`. Consumers writing to disk\n * pass it to `fs.writeFile`; consumers uploading to cloud storage\n * pass it as the request body. The `@noy-db/file` adapter wraps\n * this with a `saveBundle(path, vault)` helper.\n */\nexport async function writeNoydbBundle(\n  vault: Vault,\n  opts: WriteNoydbBundleOptions = {},\n): Promise<Uint8Array> {\n  if (opts.exportPassphrase !== undefined && opts.recipients !== undefined) {\n    throw new Error(\n      'writeNoydbBundle: pass either exportPassphrase or recipients, not both',\n    )\n  }\n\n  const handle = await vault.getBundleHandle()\n  const dumpJson = await vault.dump()\n\n  // Re-keying: when caller supplied recipients (or the single-recipient\n  // shorthand), substitute the bundle's `keyrings` map with freshly\n  // built recipient slots before slice filters run.\n  const rekeyed = await applyRecipientRewrap(vault, dumpJson, opts)\n  // Plaintext-tier filters run BEFORE\n  // the metadata-only slice — that way the metadata pass sees the\n  // already-trimmed record set and the two filter chains compose\n  // cleanly.\n  const plainFiltered = await applyPlaintextFilters(vault, rekeyed, opts)\n  const filtered = applySliceFilters(plainFiltered, opts)\n  const dumpBytes = new TextEncoder().encode(filtered)\n\n  const { format, streamFormat } = selectCompression(opts.compression)\n  const body = streamFormat === null\n    ? dumpBytes\n    : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat))\n\n  const bodySha256 = await sha256Hex(body)\n\n  // Snapshot the source vault's public envelope into the header\n  // when one is persisted. `Vault.getPublicEnvelope` tolerates a\n  // missing document and returns undefined, which we propagate as\n  // \"no envelope in the header.\" Vaults without a\n  // `_meta/public-envelope` document produce minimum-disclosure\n  // headers exactly like before, preserving back-compat.\n  const publicEnvelope = await vault.getPublicEnvelope()\n\n  const header: NoydbBundleHeader = {\n    formatVersion: NOYDB_BUNDLE_FORMAT_VERSION,\n    handle,\n    bodyBytes: body.length,\n    bodySha256,\n    ...(publicEnvelope !== undefined ? { publicEnvelope } : {}),\n  }\n  const headerBytes = encodeBundleHeader(header)\n\n  // Assemble the fixed prefix in a 10-byte buffer.\n  const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES)\n  prefix.set(NOYDB_BUNDLE_MAGIC, 0)\n  prefix[4] =\n    (streamFormat === null ? 0 : FLAG_COMPRESSED) | FLAG_HAS_INTEGRITY_HASH\n  prefix[5] = format\n  writeUint32BE(prefix, 6, headerBytes.length)\n\n  return concatBytes([prefix, headerBytes, body])\n}\n\n/**\n * Internal helper shared by both readers — parses just the prefix\n * + header region of a bundle without touching the body. Returns\n * the parsed header plus the offset where the body starts and the\n * compression algorithm needed to decompress it.\n *\n * Throws on any format violation: missing/invalid magic, truncated\n * prefix, header length larger than the file, or unknown\n * compression algorithm.\n */\nfunction parsePrefixAndHeader(bytes: Uint8Array): {\n  header: NoydbBundleHeader\n  bodyOffset: number\n  algo: CompressionAlgo\n  flags: number\n} {\n  if (!hasNoydbBundleMagic(bytes)) {\n    throw new Error(\n      `Not a .noydb bundle: missing 'NDB1' magic prefix. The first 4 bytes ` +\n        `are ${[...bytes.slice(0, 4)].map((b) => b.toString(16).padStart(2, '0')).join(' ')}.`,\n    )\n  }\n  if (bytes.length < NOYDB_BUNDLE_PREFIX_BYTES) {\n    throw new Error(\n      `Truncated .noydb bundle: file is only ${bytes.length} bytes, ` +\n        `which is less than the ${NOYDB_BUNDLE_PREFIX_BYTES}-byte fixed prefix.`,\n    )\n  }\n  const flags = bytes[4]!\n  const algo = bytes[5]!\n  if (algo !== COMPRESSION_NONE && algo !== COMPRESSION_GZIP && algo !== COMPRESSION_BROTLI) {\n    throw new Error(\n      `.noydb bundle declares unknown compression algorithm ${algo}. ` +\n        `Known values: 0 (none), 1 (gzip), 2 (brotli).`,\n    )\n  }\n  const headerLength = readUint32BE(bytes, 6)\n  const bodyOffset = NOYDB_BUNDLE_PREFIX_BYTES + headerLength\n  if (bodyOffset > bytes.length) {\n    throw new Error(\n      `Truncated .noydb bundle: declared header length ${headerLength} ` +\n        `would extend past end of file (${bytes.length} bytes).`,\n    )\n  }\n  const headerBytes = bytes.slice(NOYDB_BUNDLE_PREFIX_BYTES, bodyOffset)\n  const header = decodeBundleHeader(headerBytes)\n  return { header, bodyOffset, algo: algo as CompressionAlgo, flags }\n}\n\n/**\n * Read just the bundle header — no body decompression, no\n * integrity verification. Intended for cloud-listing UIs that want\n * to show the handle and size before downloading the full body.\n *\n * Returns the same `NoydbBundleHeader` shape as the writer, with\n * minimum-disclosure validation already applied.\n *\n * **Cost** — O(prefix + header bytes). The header is normally well\n * under 1 KB, but may grow to roughly 256 KB when a `publicEnvelope`\n * with an inline icon is present. Cloud-listing UIs that previously\n * assumed sub-KB header reads should account for this when sizing\n * range requests against bundles that may carry icons.\n */\nexport function readNoydbBundleHeader(bytes: Uint8Array): NoydbBundleHeader {\n  return parsePrefixAndHeader(bytes).header\n}\n\n/**\n * Read just the bundle's public envelope (`docs/subsystems/public-envelope.md`)\n * — without verifying the body or even parsing the dump JSON. Pass\n * the raw bundle bytes; receive the owner-curated metadata or\n * `undefined` if the bundle was written without one.\n *\n * Locale-resolves any `name` / `description` map fields when `locale`\n * is supplied. Omitting `locale` returns the raw envelope.\n *\n * Same security caveat as the on-vault read path — the public\n * envelope is **untrusted hint** in v1; the encrypted body remains\n * the source of truth for vault contents.\n */\nexport function readNoydbBundlePublicEnvelope(\n  bytes: Uint8Array,\n  opts: { readonly locale?: string } = {},\n): PublicEnvelope | undefined {\n  const header = parsePrefixAndHeader(bytes).header\n  const env = header.publicEnvelope\n  if (!env) return undefined\n  if (opts.locale === undefined) return env\n  return {\n    ...env,\n    ...(env.name !== undefined ? { name: pickLocale(env.name, opts.locale, env.defaultLocale) } : {}),\n    ...(env.description !== undefined ? { description: pickLocale(env.description, opts.locale, env.defaultLocale) } : {}),\n  }\n}\n\n/**\n * Read a full `.noydb` bundle: validate magic + header, verify\n * integrity hash over the body bytes, decompress, and return the\n * original `vault.dump()` JSON string ready to pass to\n * `vault.load()`.\n *\n * Throws `BundleIntegrityError` if the body's actual SHA-256 does\n * not match the value declared in the header. Distinct from a\n * format error so consumers can pattern-match in catch blocks\n * (corrupted-in-transit vs malformed-by-producer).\n *\n * Note: this function does NOT take a passphrase. The dump JSON\n * inside the body still contains encrypted records — restoring\n * the vault requires `vault.load(dumpJson, passphrase)`\n * after this call. Splitting the layers keeps the bundle module\n * free of crypto concerns and lets the same code feed format\n * inspectors that never decrypt anything.\n */\nexport async function readNoydbBundle(\n  bytes: Uint8Array,\n): Promise<NoydbBundleReadResult> {\n  const { header, bodyOffset, algo } = parsePrefixAndHeader(bytes)\n  const body = bytes.slice(bodyOffset)\n\n  // Length check before hash check — a length mismatch is the\n  // cheapest tamper signal and produces a more actionable error.\n  if (body.length !== header.bodyBytes) {\n    throw new BundleIntegrityError(\n      `body length ${body.length} does not match header.bodyBytes ` +\n        `${header.bodyBytes}. The bundle was truncated or padded ` +\n        `between write and read.`,\n    )\n  }\n\n  const actualSha = await sha256Hex(body)\n  if (actualSha !== header.bodySha256) {\n    throw new BundleIntegrityError(\n      `body sha256 ${actualSha} does not match header.bodySha256 ` +\n        `${header.bodySha256}. The bundle bytes were modified between ` +\n        `write and read — refuse to decompress.`,\n    )\n  }\n\n  let dumpBytes: Uint8Array\n  if (algo === COMPRESSION_NONE) {\n    dumpBytes = body\n  } else {\n    const streamFormat: CompressionFormat =\n      algo === COMPRESSION_BROTLI ? ('br' as CompressionFormat) : 'gzip'\n    try {\n      dumpBytes = await pumpThroughStream(body, new DecompressionStream(streamFormat))\n    } catch (err) {\n      throw new BundleIntegrityError(\n        `decompression failed: ${(err as Error).message}. The bundle ` +\n          `passed the integrity hash but the body is not valid ` +\n          `${streamFormat} data — likely a producer bug.`,\n      )\n    }\n  }\n\n  const dumpJson = new TextDecoder('utf-8', { fatal: true }).decode(dumpBytes)\n  return { header, dumpJson }\n}\n"],"mappings":";;;;;;;;AAmDO,IAAM,qBAAqB,IAAI,WAAW,CAAC,IAAM,IAAM,IAAM,EAAI,CAAC;AAGlE,IAAM,4BAA4B;AAGlC,IAAM,8BAA8B;AASpC,IAAM,kBAAkB;AACxB,IAAM,0BAA0B;AAchC,IAAM,mBAAmB;AACzB,IAAM,mBAAmB;AACzB,IAAM,qBAAqB;AAwDlC,IAAM,sBAA2C,oBAAI,IAAI;AAAA,EACvD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAiBM,SAAS,qBACd,QACqC;AACrC,MAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,UAAM,IAAI;AAAA,MACR,mDAAmD,WAAW,OAAO,SAAS,OAAO,MAAM;AAAA,IAC7F;AAAA,EACF;AAIA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACrC,QAAI,CAAC,oBAAoB,IAAI,GAAG,GAAG;AACjC,YAAM,IAAI;AAAA,QACR,gDAAgD,GAAG,kDAE9C,CAAC,GAAG,mBAAmB,EAAE,KAAK,IAAI,CAAC;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,eAAe,MAAM,YAAY,EAAE,eAAe,MAAM,6BAA6B;AAChG,UAAM,IAAI;AAAA,MACR,8CAA8C,2BAA2B,SAChE,OAAO,EAAE,eAAe,CAAC,CAAC;AAAA,IAErC;AAAA,EACF;AACA,MAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,CAAC,2BAA2B,KAAK,EAAE,QAAQ,CAAC,GAAG;AACpF,UAAM,IAAI;AAAA,MACR,iFACS,OAAO,EAAE,QAAQ,MAAM,WAAW,IAAI,EAAE,QAAQ,CAAC,MAAM,OAAO,EAAE,QAAQ,CAAC,CAAC;AAAA,IACrF;AAAA,EACF;AACA,MAAI,OAAO,EAAE,WAAW,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,IAAI,GAAG;AACjG,UAAM,IAAI;AAAA,MACR,sEACS,OAAO,EAAE,WAAW,CAAC,CAAC;AAAA,IACjC;AAAA,EACF;AACA,MAAI,OAAO,EAAE,YAAY,MAAM,YAAY,CAAC,iBAAiB,KAAK,EAAE,YAAY,CAAC,GAAG;AAClF,UAAM,IAAI;AAAA,MACR,oFACS,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY,CAAC,CAAC;AAAA,IACjG;AAAA,EACF;AACA,MAAI,EAAE,gBAAgB,MAAM,QAAW;AACrC,UAAM,MAAM,EAAE,gBAAgB;AAC9B,QAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,MAAM,QAAQ,GAAG,GAAG;AACjE,YAAM,IAAI;AAAA,QACR,+EAA+E,OAAO,GAAG;AAAA,MAC3F;AAAA,IACF;AACA,UAAM,IAAI;AACV,QAAI,EAAE,eAAe,MAAM,GAAG;AAC5B,YAAM,IAAI;AAAA,QACR,oEAAoE,OAAO,EAAE,eAAe,CAAC,CAAC;AAAA,MAChG;AAAA,IACF;AACA,QAAI,OAAO,EAAE,SAAS,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,IAAI,GAAG;AAC3F,YAAM,IAAI;AAAA,QACR,+EAA+E,OAAO,EAAE,SAAS,CAAC,CAAC;AAAA,MACrG;AAAA,IACF;AAAA,EACF;AACF;AAOO,SAAS,mBAAmB,QAAuC;AACxE,uBAAqB,MAAM;AAK3B,QAAM,OAAO,KAAK,UAAU;AAAA,IAC1B,eAAe,OAAO;AAAA,IACtB,QAAQ,OAAO;AAAA,IACf,WAAW,OAAO;AAAA,IAClB,YAAY,OAAO;AAAA,IACnB,GAAI,OAAO,mBAAmB,SAAY,EAAE,gBAAgB,OAAO,eAAe,IAAI,CAAC;AAAA,EACzF,CAAC;AACD,SAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AACtC;AAMO,SAAS,mBAAmB,OAAsC;AACvE,QAAM,OAAO,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,KAAK;AACnE,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,2CAA4C,IAAc,OAAO;AAAA,IACnE;AAAA,EACF;AACA,uBAAqB,MAAM;AAC3B,SAAO;AACT;AAQO,SAAS,aAAa,OAAmB,QAAwB;AACtE,UACG,MAAM,MAAM,KAAM,OAAO,MACzB,MAAM,SAAS,CAAC,KAAM,OACtB,MAAM,SAAS,CAAC,KAAM,KACvB,MAAM,SAAS,CAAC;AAEpB;AAMO,SAAS,cAAc,OAAmB,QAAgB,OAAqB;AACpF,QAAM,MAAM,IAAK,UAAU,KAAM;AACjC,QAAM,SAAS,CAAC,IAAK,UAAU,KAAM;AACrC,QAAM,SAAS,CAAC,IAAK,UAAU,IAAK;AACpC,QAAM,SAAS,CAAC,IAAI,QAAQ;AAC9B;AAOO,SAAS,oBAAoB,OAA4B;AAC9D,MAAI,MAAM,SAAS,mBAAmB,OAAQ,QAAO;AACrD,WAAS,IAAI,GAAG,IAAI,mBAAmB,QAAQ,KAAK;AAClD,QAAI,MAAM,CAAC,MAAM,mBAAmB,CAAC,EAAG,QAAO;AAAA,EACjD;AACA,SAAO;AACT;;;AC3JA,IAAI,sBAAsC;AAC1C,SAAS,4BAAqC;AAC5C,MAAI,wBAAwB,KAAM,QAAO;AACzC,MAAI;AACF,QAAI,kBAAkB,IAAyB;AAC/C,0BAAsB;AAAA,EACxB,QAAQ;AACN,0BAAsB;AAAA,EACxB;AACA,SAAO;AACT;AAGO,SAAS,0BAAgC;AAC9C,wBAAsB;AACxB;AASA,SAAS,kBAAkB,QAGzB;AACA,QAAM,SAAS,UAAU;AACzB,MAAI,WAAW,OAAQ,QAAO,EAAE,QAAQ,kBAAkB,cAAc,KAAK;AAC7E,MAAI,WAAW,OAAQ,QAAO,EAAE,QAAQ,kBAAkB,cAAc,OAAO;AAC/E,MAAI,WAAW,UAAU;AACvB,QAAI,CAAC,0BAA0B,GAAG;AAChC,YAAM,IAAI;AAAA,QACR;AAAA,MAIF;AAAA,IACF;AACA,WAAO,EAAE,QAAQ,oBAAoB,cAAc,KAA0B;AAAA,EAC/E;AAEA,MAAI,0BAA0B,GAAG;AAC/B,WAAO,EAAE,QAAQ,oBAAoB,cAAc,KAA0B;AAAA,EAC/E;AACA,SAAO,EAAE,QAAQ,kBAAkB,cAAc,OAAO;AAC1D;AAcA,eAAe,kBACb,OACA,QACqB;AACrB,QAAM,WAAW,IAAI,KAAK,CAAC,KAAiB,CAAC,EAAE,OAAO,EAAE,YAAY,MAAM;AAC1E,QAAM,SAAS,SAAS,UAAU;AAClC,QAAM,SAAuB,CAAC;AAC9B,MAAI,QAAQ;AACZ,aAAS;AACP,UAAM,EAAE,OAAO,KAAK,IAAI,MAAM,OAAO,KAAK;AAC1C,QAAI,KAAM;AACV,QAAI,OAAO;AACT,aAAO,KAAK,KAAmB;AAC/B,eAAS,MAAM;AAAA,IACjB;AAAA,EACF;AACA,QAAM,MAAM,IAAI,WAAW,KAAK;AAChC,MAAI,SAAS;AACb,aAAW,SAAS,QAAQ;AAC1B,QAAI,IAAI,OAAO,MAAM;AACrB,cAAU,MAAM;AAAA,EAClB;AACA,SAAO;AACT;AAWA,eAAe,UAAU,OAAoC;AAS3D,QAAM,OAAO,IAAI,WAAW,MAAM,MAAM;AACxC,OAAK,IAAI,KAAK;AACd,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,QAAM,OAAO,IAAI,WAAW,MAAM;AAClC,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,WAAO,KAAK,CAAC,EAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAOA,SAAS,YAAY,OAA0C;AAC7D,MAAI,QAAQ;AACZ,aAAW,KAAK,MAAO,UAAS,EAAE;AAClC,QAAM,MAAM,IAAI,WAAW,KAAK;AAChC,MAAI,SAAS;AACb,aAAW,KAAK,OAAO;AACrB,QAAI,IAAI,GAAG,MAAM;AACjB,cAAU,EAAE;AAAA,EACd;AACA,SAAO;AACT;AAeA,eAAe,qBACb,OACA,UACA,MACiB;AACjB,MAAI,KAAK,qBAAqB,UAAa,KAAK,eAAe,QAAW;AACxE,WAAO;AAAA,EACT;AAEA,QAAM,aACJ,KAAK,cAAc;AAAA,IACjB;AAAA,MACE,IAAI,MAAM;AAAA,MACV,YAAY,KAAK;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AAAA,EACF;AAEF,QAAM,oBAAoB,MAAM,MAAM,6BAA6B,UAAU;AAE7E,QAAM,SAAS,KAAK,MAAM,QAAQ;AAClC,SAAO,WAAW;AAClB,SAAO,KAAK,UAAU,MAAM;AAC9B;AAiBA,SAAS,kBACP,UACA,MACQ;AACR,QAAM,oBAAoB,KAAK,cAC3B,IAAI,IAAI,KAAK,WAAW,IACxB;AACJ,QAAM,UACJ,KAAK,UAAU,SAAY,IAAI,KAAK,KAAK,KAAK,EAAE,QAAQ,IAAI;AAC9D,MAAI,sBAAsB,QAAQ,YAAY,KAAM,QAAO;AAO3D,QAAM,SAAS,KAAK,MAAM,QAAQ;AAKlC,MAAI,OAAO,eAAe,OAAO,OAAO,gBAAgB,UAAU;AAChE,UAAM,OAAgD,CAAC;AACvD,eAAW,CAAC,MAAM,OAAO,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AAChE,UAAI,qBAAqB,CAAC,kBAAkB,IAAI,IAAI,EAAG;AACvD,UAAI,YAAY,MAAM;AACpB,aAAK,IAAI,IAAI;AACb;AAAA,MACF;AACA,YAAM,OAAgC,CAAC;AACvC,iBAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC/C,cAAM,QAAQ,IAAI,MAAM,IAAI,KAAK,IAAI,GAAG,EAAE,QAAQ,IAAI;AACtD,YAAI,OAAO,SAAS,KAAK,KAAK,SAAS,SAAS;AAC9C,eAAK,EAAE,IAAI;AAAA,QACb;AAAA,MACF;AACA,WAAK,IAAI,IAAI;AAAA,IACf;AACA,WAAO,cAAc;AAAA,EACvB;AAEA,SAAO,KAAK,UAAU,MAAM;AAC9B;AAcA,eAAe,sBACb,OACA,UACA,MACiB;AACjB,MAAI,KAAK,UAAU,UAAa,KAAK,eAAe,QAAW;AAC7D,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,KAAK,MAAM,QAAQ;AAIlC,MAAI,CAAC,OAAO,eAAe,OAAO,OAAO,gBAAgB,UAAU;AACjE,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,KAAK;AACzB,QAAM,QAAQ,KAAK;AAEnB,QAAM,OAA4C,CAAC;AACnD,aAAW,CAAC,UAAU,OAAO,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACpE,UAAM,OAA4B,CAAC;AACnC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,OAAO,GAAG;AAI/C,UAAI,gBAAgB,QAAW;AAC7B,cAAM,OAAO,IAAI,SAAS;AAC1B,YAAI,OAAO,YAAa;AAAA,MAC1B;AAIA,UAAI,UAAU,QAAW;AACvB,cAAM,SAAS,MAAM,MAAM;AAAA,UACzB;AAAA,UACA;AAAA,QACF;AACA,cAAM,KAAK,MAAM,MAAM,QAAQ,EAAE,YAAY,UAAU,GAAG,CAAC;AAC3D,YAAI,CAAC,GAAI;AAAA,MACX;AACA,WAAK,EAAE,IAAI;AAAA,IACb;AACA,SAAK,QAAQ,IAAI;AAAA,EACnB;AACA,SAAO,cAAc;AACrB,SAAO,KAAK,UAAU,MAAM;AAC9B;AAyBA,eAAsB,iBACpB,OACA,OAAgC,CAAC,GACZ;AACrB,MAAI,KAAK,qBAAqB,UAAa,KAAK,eAAe,QAAW;AACxE,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,MAAM,gBAAgB;AAC3C,QAAM,WAAW,MAAM,MAAM,KAAK;AAKlC,QAAM,UAAU,MAAM,qBAAqB,OAAO,UAAU,IAAI;AAKhE,QAAM,gBAAgB,MAAM,sBAAsB,OAAO,SAAS,IAAI;AACtE,QAAM,WAAW,kBAAkB,eAAe,IAAI;AACtD,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,QAAQ;AAEnD,QAAM,EAAE,QAAQ,aAAa,IAAI,kBAAkB,KAAK,WAAW;AACnE,QAAM,OAAO,iBAAiB,OAC1B,YACA,MAAM,kBAAkB,WAAW,IAAI,kBAAkB,YAAY,CAAC;AAE1E,QAAM,aAAa,MAAM,UAAU,IAAI;AAQvC,QAAM,iBAAiB,MAAM,MAAM,kBAAkB;AAErD,QAAM,SAA4B;AAAA,IAChC,eAAe;AAAA,IACf;AAAA,IACA,WAAW,KAAK;AAAA,IAChB;AAAA,IACA,GAAI,mBAAmB,SAAY,EAAE,eAAe,IAAI,CAAC;AAAA,EAC3D;AACA,QAAM,cAAc,mBAAmB,MAAM;AAG7C,QAAM,SAAS,IAAI,WAAW,yBAAyB;AACvD,SAAO,IAAI,oBAAoB,CAAC;AAChC,SAAO,CAAC,KACL,iBAAiB,OAAO,IAAI,mBAAmB;AAClD,SAAO,CAAC,IAAI;AACZ,gBAAc,QAAQ,GAAG,YAAY,MAAM;AAE3C,SAAO,YAAY,CAAC,QAAQ,aAAa,IAAI,CAAC;AAChD;AAYA,SAAS,qBAAqB,OAK5B;AACA,MAAI,CAAC,oBAAoB,KAAK,GAAG;AAC/B,UAAM,IAAI;AAAA,MACR,2EACS,CAAC,GAAG,MAAM,MAAM,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,IACvF;AAAA,EACF;AACA,MAAI,MAAM,SAAS,2BAA2B;AAC5C,UAAM,IAAI;AAAA,MACR,yCAAyC,MAAM,MAAM,kCACzB,yBAAyB;AAAA,IACvD;AAAA,EACF;AACA,QAAM,QAAQ,MAAM,CAAC;AACrB,QAAM,OAAO,MAAM,CAAC;AACpB,MAAI,SAAS,oBAAoB,SAAS,oBAAoB,SAAS,oBAAoB;AACzF,UAAM,IAAI;AAAA,MACR,wDAAwD,IAAI;AAAA,IAE9D;AAAA,EACF;AACA,QAAM,eAAe,aAAa,OAAO,CAAC;AAC1C,QAAM,aAAa,4BAA4B;AAC/C,MAAI,aAAa,MAAM,QAAQ;AAC7B,UAAM,IAAI;AAAA,MACR,mDAAmD,YAAY,mCAC3B,MAAM,MAAM;AAAA,IAClD;AAAA,EACF;AACA,QAAM,cAAc,MAAM,MAAM,2BAA2B,UAAU;AACrE,QAAM,SAAS,mBAAmB,WAAW;AAC7C,SAAO,EAAE,QAAQ,YAAY,MAA+B,MAAM;AACpE;AAgBO,SAAS,sBAAsB,OAAsC;AAC1E,SAAO,qBAAqB,KAAK,EAAE;AACrC;AAeO,SAAS,8BACd,OACA,OAAqC,CAAC,GACV;AAC5B,QAAM,SAAS,qBAAqB,KAAK,EAAE;AAC3C,QAAM,MAAM,OAAO;AACnB,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI,KAAK,WAAW,OAAW,QAAO;AACtC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAI,IAAI,SAAS,SAAY,EAAE,MAAM,WAAW,IAAI,MAAM,KAAK,QAAQ,IAAI,aAAa,EAAE,IAAI,CAAC;AAAA,IAC/F,GAAI,IAAI,gBAAgB,SAAY,EAAE,aAAa,WAAW,IAAI,aAAa,KAAK,QAAQ,IAAI,aAAa,EAAE,IAAI,CAAC;AAAA,EACtH;AACF;AAoBA,eAAsB,gBACpB,OACgC;AAChC,QAAM,EAAE,QAAQ,YAAY,KAAK,IAAI,qBAAqB,KAAK;AAC/D,QAAM,OAAO,MAAM,MAAM,UAAU;AAInC,MAAI,KAAK,WAAW,OAAO,WAAW;AACpC,UAAM,IAAI;AAAA,MACR,eAAe,KAAK,MAAM,oCACrB,OAAO,SAAS;AAAA,IAEvB;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,UAAU,IAAI;AACtC,MAAI,cAAc,OAAO,YAAY;AACnC,UAAM,IAAI;AAAA,MACR,eAAe,SAAS,qCACnB,OAAO,UAAU;AAAA,IAExB;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,SAAS,kBAAkB;AAC7B,gBAAY;AAAA,EACd,OAAO;AACL,UAAM,eACJ,SAAS,qBAAsB,OAA6B;AAC9D,QAAI;AACF,kBAAY,MAAM,kBAAkB,MAAM,IAAI,oBAAoB,YAAY,CAAC;AAAA,IACjF,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR,yBAA0B,IAAc,OAAO,oEAE1C,YAAY;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,WAAW,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,SAAS;AAC3E,SAAO,EAAE,QAAQ,SAAS;AAC5B;","names":[]}

package/dist/chunk-Y4CMTMUW.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/history/ledger/patch.ts","../src/history/ledger/constants.ts","../src/history/ledger/store.ts"],"sourcesContent":["/**\n * RFC 6902 JSON Patch — compute + apply.\n *\n * This module is the \"delta history\" primitive: instead of\n * snapshotting the full record on every put (the behavior),\n * `Collection.put` computes a JSON Patch from the previous version to\n * the new version and stores only the patch in the ledger. To\n * reconstruct version N, we walk from the genesis snapshot forward\n * applying patches. Storage scales with **edit size**, not record\n * size — a 10 KB record edited 1000 times costs ~10 KB of deltas\n * instead of ~10 MB of snapshots.\n *\n * ## Why hand-roll instead of using a library?\n *\n * RFC 6902 has good libraries (`fast-json-patch`, `rfc6902`) but every\n * single one of them adds a runtime dependency to `@noy-db/core`. The\n * \"zero runtime dependencies\" promise is one of the core's load-bearing\n * features, and the patch surface we actually need is small enough\n * (~150 LoC) that vendoring is the right call.\n *\n * What we implement:\n *   - `add`     — insert a value at a path\n *   - `remove`  — delete the value at a path\n *   - `replace` — overwrite the value at a path\n *\n * What we deliberately skip (out of scope for the ledger use):\n *   - `move` and `copy` — optimizations; the diff algorithm doesn't\n *     emit them, so the apply path doesn't need them\n *   - `test` — used for transactional patches; we already have\n *     optimistic concurrency via `_v` at the envelope layer\n *   - Sophisticated array diffing (LCS, edit distance) — we treat\n *     arrays as atomic values and emit a single `replace` op when\n *     they differ. The accounting domain has small arrays where this\n *     is fine; if we ever need patch-level array diffing we can add\n *     it without changing the storage format.\n *\n * ## Path encoding (RFC 6902 §3)\n *\n * Paths look like `/foo/bar/0`. Each path segment is either an object\n * key or a numeric array index. Two characters need escaping inside\n * keys: `~` becomes `~0` and `/` becomes `~1`. We implement both.\n *\n * Empty path (`\"\"`) refers to the root document. Only `replace` makes\n * sense at the root, and our diff function emits it as a top-level\n * `replace` when `prev` and `next` differ in shape (object vs array,\n * primitive vs object, etc.).\n */\n\n/** A single JSON Patch operation. Subset of RFC 6902 — see file docstring. */\nexport type JsonPatchOp =\n  | { readonly op: 'add'; readonly path: string; readonly value: unknown }\n  | { readonly op: 'remove'; readonly path: string }\n  | { readonly op: 'replace'; readonly path: string; readonly value: unknown }\n\n/** A complete JSON Patch document — an array of operations. */\nexport type JsonPatch = readonly JsonPatchOp[]\n\n// ─── Compute (diff) ──────────────────────────────────────────────────\n\n/**\n * Compute a JSON Patch that, when applied to `prev`, produces `next`.\n *\n * The algorithm is a straightforward recursive object walk:\n *\n *   1. If both inputs are plain objects (and not arrays/null):\n *      - For each key in `prev`, recurse if `next` has it, else emit `remove`\n *      - For each key in `next` not in `prev`, emit `add`\n *   2. If both inputs are arrays AND structurally equal, no-op.\n *      Otherwise emit a single `replace` for the whole array.\n *   3. If both inputs are deeply equal primitives, no-op.\n *   4. Otherwise emit a `replace` at the current path.\n *\n * We do not minimize patches across move-like rearrangements — every\n * generated patch is straightforward enough to apply by hand if you\n * had to debug it.\n */\nexport function computePatch(prev: unknown, next: unknown): JsonPatch {\n  const ops: JsonPatchOp[] = []\n  diff(prev, next, '', ops)\n  return ops\n}\n\nfunction diff(\n  prev: unknown,\n  next: unknown,\n  path: string,\n  out: JsonPatchOp[],\n): void {\n  // Both null / both undefined → no-op (we don't differentiate them\n  // in JSON terms; canonicalJson would reject undefined anyway).\n  if (prev === next) return\n\n  // One side null, the other not → straight replace.\n  if (prev === null || next === null) {\n    out.push({ op: 'replace', path, value: next })\n    return\n  }\n\n  const prevIsArray = Array.isArray(prev)\n  const nextIsArray = Array.isArray(next)\n  const prevIsObject = typeof prev === 'object' && !prevIsArray\n  const nextIsObject = typeof next === 'object' && !nextIsArray\n\n  // Type changed (e.g., object → primitive, array → object). Replace.\n  if (prevIsArray !== nextIsArray || prevIsObject !== nextIsObject) {\n    out.push({ op: 'replace', path, value: next })\n    return\n  }\n\n  // Both arrays. We don't do clever LCS-based diffing — emit a single\n  // replace for the whole array if they differ. See file docstring for\n  // the rationale.\n  if (prevIsArray && nextIsArray) {\n    if (!arrayDeepEqual(prev as unknown[], next as unknown[])) {\n      out.push({ op: 'replace', path, value: next })\n    }\n    return\n  }\n\n  // Both plain objects. Recurse key by key.\n  if (prevIsObject && nextIsObject) {\n    const prevObj = prev as Record<string, unknown>\n    const nextObj = next as Record<string, unknown>\n    const prevKeys = Object.keys(prevObj)\n    const nextKeys = Object.keys(nextObj)\n\n    // Handle removes and overlapping recursions in one pass over prev.\n    for (const key of prevKeys) {\n      const childPath = path + '/' + escapePathSegment(key)\n      if (!(key in nextObj)) {\n        out.push({ op: 'remove', path: childPath })\n      } else {\n        diff(prevObj[key], nextObj[key], childPath, out)\n      }\n    }\n    // Handle adds.\n    for (const key of nextKeys) {\n      if (!(key in prevObj)) {\n        out.push({\n          op: 'add',\n          path: path + '/' + escapePathSegment(key),\n          value: nextObj[key],\n        })\n      }\n    }\n    return\n  }\n\n  // Two primitives that aren't strictly equal — replace.\n  out.push({ op: 'replace', path, value: next })\n}\n\nfunction arrayDeepEqual(a: unknown[], b: unknown[]): boolean {\n  if (a.length !== b.length) return false\n  for (let i = 0; i < a.length; i++) {\n    if (!deepEqual(a[i], b[i])) return false\n  }\n  return true\n}\n\nfunction deepEqual(a: unknown, b: unknown): boolean {\n  if (a === b) return true\n  if (a === null || b === null) return false\n  if (typeof a !== typeof b) return false\n  if (typeof a !== 'object') return false\n  const aArray = Array.isArray(a)\n  const bArray = Array.isArray(b)\n  if (aArray !== bArray) return false\n  if (aArray && bArray) return arrayDeepEqual(a, b as unknown[])\n  const aObj = a as Record<string, unknown>\n  const bObj = b as Record<string, unknown>\n  const aKeys = Object.keys(aObj)\n  const bKeys = Object.keys(bObj)\n  if (aKeys.length !== bKeys.length) return false\n  for (const key of aKeys) {\n    if (!(key in bObj)) return false\n    if (!deepEqual(aObj[key], bObj[key])) return false\n  }\n  return true\n}\n\n// ─── Apply ──────────────────────────────────────────────────────────\n\n/**\n * Apply a JSON Patch to a base document and return the result.\n *\n * The base document is **not mutated** — every op clones the parent\n * container before writing to it, so the caller's reference to `base`\n * stays untouched. This costs an extra allocation per op but makes\n * the apply pipeline reorderable and safe to interrupt.\n *\n * Throws on:\n *   - Removing a path that doesn't exist\n *   - Adding to a path whose parent doesn't exist\n *   - A path component that doesn't match the document shape (e.g.,\n *     trying to step into a primitive)\n *\n * Throwing is the right behavior for the ledger use case: a failed\n * apply means the chain is corrupted, which should be loud rather\n * than silently producing a wrong reconstruction.\n */\nexport function applyPatch<T = unknown>(base: T, patch: JsonPatch): T {\n  let result: unknown = clone(base)\n  for (const op of patch) {\n    result = applyOp(result, op)\n  }\n  return result as T\n}\n\nfunction applyOp(doc: unknown, op: JsonPatchOp): unknown {\n  // Empty path → operation targets the root. Only `replace` and `add`\n  // make sense at the root, but we handle `remove` for completeness\n  // (root removal returns null).\n  if (op.path === '') {\n    if (op.op === 'remove') return null\n    return clone(op.value)\n  }\n\n  const segments = parsePath(op.path)\n  return walkAndApply(doc, segments, op)\n}\n\nfunction walkAndApply(\n  doc: unknown,\n  segments: string[],\n  op: JsonPatchOp,\n): unknown {\n  if (segments.length === 0) {\n    // Should never happen — empty path is handled in applyOp().\n    throw new Error('walkAndApply: empty segments (internal error)')\n  }\n\n  const [head, ...rest] = segments\n  if (head === undefined) throw new Error('walkAndApply: undefined segment')\n\n  if (rest.length === 0) {\n    return applyAtTerminal(doc, head, op)\n  }\n\n  // Recurse into the child container, then rebuild the parent with\n  // the modified child.\n  if (Array.isArray(doc)) {\n    const idx = parseArrayIndex(head, doc.length)\n    const child = doc[idx]\n    const newChild = walkAndApply(child, rest, op)\n    const next = doc.slice()\n    next[idx] = newChild\n    return next\n  }\n  if (doc !== null && typeof doc === 'object') {\n    const obj = doc as Record<string, unknown>\n    if (!(head in obj)) {\n      throw new Error(`applyPatch: path segment \"${head}\" not found in object`)\n    }\n    const newChild = walkAndApply(obj[head], rest, op)\n    return { ...obj, [head]: newChild }\n  }\n  throw new Error(\n    `applyPatch: cannot step into ${typeof doc} at segment \"${head}\"`,\n  )\n}\n\nfunction applyAtTerminal(\n  doc: unknown,\n  segment: string,\n  op: JsonPatchOp,\n): unknown {\n  if (Array.isArray(doc)) {\n    const idx =\n      segment === '-' ? doc.length : parseArrayIndex(segment, doc.length + 1)\n    const next = doc.slice()\n    if (op.op === 'remove') {\n      next.splice(idx, 1)\n      return next\n    }\n    if (op.op === 'add') {\n      next.splice(idx, 0, clone(op.value))\n      return next\n    }\n    if (op.op === 'replace') {\n      if (idx >= doc.length) {\n        throw new Error(\n          `applyPatch: replace at out-of-bounds array index ${idx}`,\n        )\n      }\n      next[idx] = clone(op.value)\n      return next\n    }\n  }\n  if (doc !== null && typeof doc === 'object') {\n    const obj = doc as Record<string, unknown>\n    if (op.op === 'remove') {\n      if (!(segment in obj)) {\n        throw new Error(\n          `applyPatch: remove on missing key \"${segment}\"`,\n        )\n      }\n      const next = { ...obj }\n      delete next[segment]\n      return next\n    }\n    if (op.op === 'add') {\n      // RFC 6902: `add` on an existing key replaces it.\n      return { ...obj, [segment]: clone(op.value) }\n    }\n    if (op.op === 'replace') {\n      if (!(segment in obj)) {\n        throw new Error(\n          `applyPatch: replace on missing key \"${segment}\"`,\n        )\n      }\n      return { ...obj, [segment]: clone(op.value) }\n    }\n  }\n  throw new Error(\n    `applyPatch: cannot apply ${op.op} at terminal segment \"${segment}\"`,\n  )\n}\n\n// ─── Path encoding (RFC 6902 §3) ─────────────────────────────────────\n\n/**\n * Escape a single path segment per RFC 6902 §3:\n *   `~` → `~0`\n *   `/` → `~1`\n *\n * Order matters: `~` must be escaped first, otherwise the `~1` we\n * just emitted would be re-escaped to `~01`.\n */\nfunction escapePathSegment(segment: string): string {\n  return segment.replace(/~/g, '~0').replace(/\\//g, '~1')\n}\n\nfunction unescapePathSegment(segment: string): string {\n  return segment.replace(/~1/g, '/').replace(/~0/g, '~')\n}\n\nfunction parsePath(path: string): string[] {\n  if (!path.startsWith('/')) {\n    throw new Error(`applyPatch: path must start with '/', got \"${path}\"`)\n  }\n  return path\n    .slice(1)\n    .split('/')\n    .map(unescapePathSegment)\n}\n\nfunction parseArrayIndex(segment: string, max: number): number {\n  if (!/^\\d+$/.test(segment)) {\n    throw new Error(\n      `applyPatch: array index must be a non-negative integer, got \"${segment}\"`,\n    )\n  }\n  const idx = Number.parseInt(segment, 10)\n  if (idx < 0 || idx > max) {\n    throw new Error(\n      `applyPatch: array index ${idx} out of range [0, ${max}]`,\n    )\n  }\n  return idx\n}\n\n// ─── Cheap structural clone ─────────────────────────────────────────\n\n/**\n * Plain-JSON clone via JSON.parse(JSON.stringify(value)).\n *\n * Faster than `structuredClone` for our use because (a) we know our\n * inputs are JSON-compatible (no Dates, Maps, or BigInts — anything\n * else gets rejected by canonicalJson upstream), and (b) `structuredClone`\n * has overhead for handling arbitrary structured data we don't need.\n *\n * For tiny ledger entries (< 1 KB), the JSON round-trip is in the\n * single-digit microsecond range.\n */\nfunction clone<T>(value: T): T {\n  if (value === null || value === undefined) return value\n  if (typeof value !== 'object') return value\n  return JSON.parse(JSON.stringify(value)) as T\n}\n","/**\n * Ledger storage constants — pinned in their own leaf module so\n * always-on core code (vault.ts, dictionary.ts) can import them\n * without dragging the `LedgerStore` class into the bundle.\n *\n * `splitting: true` in tsup is not enough on its own: when a\n * source file exports both pure constants and a heavyweight class,\n * the bundler keeps the entire chunk reachable from any importer.\n * Extracting the constants lets the floor scenario import them\n * without paying for the class.\n *\n * @internal\n */\n\n/** The internal collection name used for ledger entry storage. */\nexport const LEDGER_COLLECTION = '_ledger'\n\n/**\n * The internal collection name used for delta payload storage.\n *\n * Deltas live in a sibling collection (not inside `_ledger`) for two\n * reasons:\n *\n *   1. **Listing efficiency.** `ledger.loadAllEntries()` calls\n *      `adapter.list(_ledger)` which would otherwise return every\n *      delta key alongside every entry key. Splitting them keeps the\n *      list small (one key per ledger entry) and the delta reads\n *      keyed by the entry's index.\n *\n *   2. **Prune-friendliness.** A future `pruneHistory()` will delete\n *      old deltas while keeping the ledger chain intact (folding old\n *      deltas into a base snapshot). Separating the storage makes\n *      that deletion a targeted operation on one collection instead\n *      of a filter across a mixed list.\n *\n * Both collections share the same ledger DEK — one DEK, two\n * internal collections, same zero-knowledge guarantees.\n */\nexport const LEDGER_DELTAS_COLLECTION = '_ledger_deltas'\n","/**\n * `LedgerStore` — read/write access to a compartment's hash-chained\n * audit log.\n *\n * The store is a thin wrapper around the adapter's `_ledger/` internal\n * collection. Every append:\n *\n *   1. Loads the current head (or treats an empty ledger as head = -1)\n *   2. Computes `prevHash` = sha256(canonicalJson(head))\n *   3. Builds the new entry with `index = head.index + 1`\n *   4. Encrypts the entry with the compartment's ledger DEK\n *   5. Writes the encrypted envelope to `_ledger/<paddedIndex>`\n *\n * `verify()` walks the chain from genesis forward and returns\n * `{ ok: true, head }` on success or `{ ok: false, divergedAt }` on the\n * first broken link.\n *\n * ## Thread / concurrency model\n *\n * For we assume a **single writer per vault**. Two\n * concurrent `append()` calls would race on the \"read head, write\n * head+1\" cycle and could produce a broken chain. The sync engine\n * is the primary concurrent-writer scenario, and it uses\n * optimistic-concurrency via `expectedVersion` on the adapter — but\n * the ledger path has no such guard today. Multi-writer hardening is a\n * follow-up.\n *\n * Single-writer usage IS safe, including across process restarts:\n * `head()` reads the adapter fresh each call, so a crash between the\n * adapter.put of a data record and the ledger append just means the\n * ledger is missing an entry for that record. `verify()` still\n * succeeds; a future `verifyIntegrity()` helper can cross-check the\n * ledger against the data collections to catch the gap.\n *\n * ## Why hide the ledger from `vault.collection()`?\n *\n * The `_ledger` name starts with `_`, matching the existing prefix\n * convention for internal collections (`_keyring`, `_sync`,\n * `_history`). The Vault's public `collection()` method already\n * returns entries for any name, but `loadAll()` filters out\n * underscore-prefixed collections so backups and exports don't leak\n * ledger metadata. We keep the ledger accessible ONLY via\n * `vault.ledger()` to enforce the hash-chain invariants — direct\n * puts via `collection('_ledger')` would bypass the `append()` logic.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../types.js'\nimport { encrypt, decrypt } from '../../crypto.js'\nimport { ConflictError, LedgerContentionError } from '../../errors.js'\nimport {\n  canonicalJson,\n  hashEntry,\n  paddedIndex,\n  sha256Hex,\n  type LedgerEntry,\n} from './entry.js'\nimport type { JsonPatch } from './patch.js'\nimport { applyPatch } from './patch.js'\nimport { LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION } from './constants.js'\nimport { envelopePayloadHash } from './hash.js'\n\n/**\n * Maximum optimistic-CAS retries on the ledger head. Each failed\n * attempt invalidates the head cache, re-reads, and retries with a\n * fresh next-index. After N failures we surface\n * `LedgerContentionError` so the caller can decide whether to retry,\n * queue, or alert.\n */\nconst MAX_APPEND_ATTEMPTS = 8\n\n//  — re-export the constants + helper so any existing\n// `import { LEDGER_COLLECTION } from '...store.js'` paths keep\n// working. Internal core paths (vault.ts) import from the leaf\n// modules directly to avoid pulling this file's class into the\n// floor bundle.\nexport { LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION, envelopePayloadHash }\n\n/**\n * Input shape for `LedgerStore.append()`. The caller supplies the\n * operation metadata; the store fills in `index` and `prevHash`.\n */\nexport interface AppendInput {\n  op: LedgerEntry['op']\n  collection: string\n  id: string\n  version: number\n  actor: string\n  payloadHash: string\n  /**\n   * Optional JSON Patch representing the delta from the previous\n   * version to the new version. Present only for `put` operations\n   * that had a previous version; omitted for genesis puts and for\n   * deletes. When present, `LedgerStore.append` persists the patch\n   * in `_ledger_deltas/<paddedIndex>` and records its sha256 hash\n   * as the entry's `deltaHash` field.\n   */\n  delta?: JsonPatch\n}\n\n/**\n * Result of `LedgerStore.verify()`. On success, `head` is the hash of\n * the last entry — the same value that should be published to any\n * external anchoring service (blockchain, OpenTimestamps, etc.). On\n * failure, `divergedAt` is the 0-based index of the first entry whose\n * recorded `prevHash` does not match the recomputed hash of its\n * predecessor. Entries at `divergedAt` and later are untrustworthy;\n * entries before that index are still valid.\n */\nexport type VerifyResult =\n  | { readonly ok: true; readonly head: string; readonly length: number }\n  | {\n      readonly ok: false\n      readonly divergedAt: number\n      readonly expected: string\n      readonly actual: string\n    }\n\n/**\n * A LedgerStore is bound to a single vault. Callers obtain one\n * via `vault.ledger()` — there is no public constructor to keep\n * the hash-chain invariants in one place.\n *\n * The class holds no mutable state beyond its dependencies (adapter,\n * vault name, DEK resolver, actor id). Every method reads the\n * adapter fresh so multiple instances against the same vault\n * see each other's writes immediately (at the cost of re-parsing the\n * ledger on every head() / verify() call; acceptable at scale).\n */\nexport class LedgerStore {\n  private readonly adapter: NoydbStore\n  private readonly vault: string\n  private readonly encrypted: boolean\n  private readonly getDEK: (collectionName: string) => Promise<CryptoKey>\n  private readonly actor: string\n\n  /**\n   * In-memory cache of the chain head — the most recently appended\n   * entry along with its precomputed hash. Without this, every\n   * `append()` would re-load every prior entry to recompute the\n   * prevHash, making N puts O(N²) — a 1K-record stress test goes from\n   * < 100ms to a multi-second timeout.\n   *\n   * The cache is populated on first read (`append`, `head`, `verify`)\n   * and updated in-place on every successful `append`. Single-writer\n   * usage (the assumption) keeps it consistent. A second\n   * LedgerStore instance writing to the same vault would not\n   * see the first instance's appends in its cached state — that's the\n   * concurrency caveat documented at the class level.\n   *\n   * Sentinel `undefined` means \"not yet loaded\"; an explicit `null`\n   * value means \"loaded and confirmed empty\" — distinguishing these\n   * matters because an empty ledger is a valid state (genesis prevHash\n   * is the empty string), and we don't want to re-scan the adapter\n   * just because the chain is freshly initialized.\n   */\n  private headCache: { entry: LedgerEntry; hash: string } | null | undefined = undefined\n\n  constructor(opts: {\n    adapter: NoydbStore\n    vault: string\n    encrypted: boolean\n    getDEK: (collectionName: string) => Promise<CryptoKey>\n    actor: string\n  }) {\n    this.adapter = opts.adapter\n    this.vault = opts.vault\n    this.encrypted = opts.encrypted\n    this.getDEK = opts.getDEK\n    this.actor = opts.actor\n  }\n\n  /**\n   * Lazily load (or return cached) the current chain head. The cache\n   * sentinel is `undefined` until first access; after the first call,\n   * the cache holds either a `{ entry, hash }` for non-empty ledgers\n   * or `null` for empty ones.\n   */\n  private async getCachedHead(): Promise<{ entry: LedgerEntry; hash: string } | null> {\n    if (this.headCache !== undefined) return this.headCache\n    const entries = await this.loadAllEntries()\n    const last = entries[entries.length - 1]\n    if (!last) {\n      this.headCache = null\n      return null\n    }\n    this.headCache = { entry: last, hash: await hashEntry(last) }\n    return this.headCache\n  }\n\n  /**\n   * Append a new entry to the ledger. Returns the full entry that was\n   * written (with its assigned index and computed prevHash) so the\n   * caller can use the hash for downstream purposes (e.g., embedding\n   * in a verifiable backup).\n   *\n   * This is the **only** way to add entries. Direct adapter writes to\n   * `_ledger/` would bypass the chain math and would be caught by the\n   * next `verify()` call as a divergence.\n   *\n   * ## Multi-writer correctness\n   *\n   * Append is implemented as an optimistic-CAS retry loop. On every\n   * attempt:\n   *\n   *   1. Read fresh head (cache invalidated on retry).\n   *   2. Compute `nextIndex = head.index + 1`, `prevHash = hash(head)`.\n   *   3. Encrypt delta payload IN MEMORY (no adapter write yet) so we\n   *      can compute `deltaHash` before claiming the chain slot.\n   *   4. Build + encrypt the entry envelope.\n   *   5. `adapter.put(_ledger, paddedIndex, envelope, expectedVersion: 0)`\n   *      — the `expectedVersion: 0` asserts \"this slot must not exist.\"\n   *      Stores with `casAtomic: true` honor the CAS check; under\n   *      contention the second writer's put throws `ConflictError`.\n   *   6. On `ConflictError`: invalidate the head cache, sleep with\n   *      bounded backoff + jitter, retry. After `MAX_APPEND_ATTEMPTS`\n   *      retries throw {@link LedgerContentionError}.\n   *   7. On success: write the delta envelope (if any) at the same\n   *      index. Update the head cache.\n   *\n   * Entry-first ordering matters: writing the delta first under\n   * contention would orphan delta records at indices the writer never\n   * actually claimed. The deltaHash is computed off the encrypted\n   * envelope's `_data` field, which doesn't require the envelope to\n   * be persisted.\n   *\n   * Stores with `casAtomic: false` (file, s3, r2 by default) silently\n   * accept the `expectedVersion: 0` argument and proceed without a\n   * CAS check. Concurrent appends against those stores remain\n   * best-effort — pair them with an advisory lock or with sync\n   * single-writer discipline.\n   */\n  async append(input: AppendInput): Promise<LedgerEntry> {\n    let lastConflict: ConflictError | undefined\n    for (let attempt = 0; attempt < MAX_APPEND_ATTEMPTS; attempt++) {\n      // Force a fresh head read on every retry. The first attempt may\n      // hit the cache; subsequent attempts must re-scan the adapter\n      // because the prior conflict means our cached state is stale.\n      if (attempt > 0) {\n        this.headCache = undefined\n      }\n      try {\n        return await this.appendOnce(input)\n      } catch (err) {\n        if (err instanceof ConflictError) {\n          lastConflict = err\n          if (attempt < MAX_APPEND_ATTEMPTS - 1) {\n            await sleepBackoff(attempt)\n          }\n          continue\n        }\n        throw err\n      }\n    }\n    void lastConflict\n    throw new LedgerContentionError(MAX_APPEND_ATTEMPTS)\n  }\n\n  /**\n   * One attempt at the append cycle. Throws `ConflictError` when the\n   * CAS check on the entry put fails — `append()` catches that and\n   * retries. Any other error propagates to the caller.\n   */\n  private async appendOnce(input: AppendInput): Promise<LedgerEntry> {\n    const cached = await this.getCachedHead()\n    const lastEntry = cached?.entry\n    const prevHash = cached?.hash ?? ''\n    const nextIndex = lastEntry ? lastEntry.index + 1 : 0\n\n    // Encrypt the delta in memory so we can compute deltaHash WITHOUT\n    // claiming the deltas slot yet — entry-put is the chain claim.\n    let deltaEnvelope: EncryptedEnvelope | undefined\n    let deltaHash: string | undefined\n    if (input.delta !== undefined) {\n      deltaEnvelope = await this.encryptDelta(input.delta)\n      deltaHash = await sha256Hex(deltaEnvelope._data)\n    }\n\n    // Build the entry. Conditionally include `deltaHash` so\n    // canonicalJson (which rejects undefined) never sees it when\n    // there's no delta.\n    const entryBase = {\n      index: nextIndex,\n      prevHash,\n      op: input.op,\n      collection: input.collection,\n      id: input.id,\n      version: input.version,\n      ts: new Date().toISOString(),\n      actor: input.actor === '' ? this.actor : input.actor,\n      payloadHash: input.payloadHash,\n    } as const\n    const entry: LedgerEntry =\n      deltaHash !== undefined\n        ? { ...entryBase, deltaHash }\n        : entryBase\n\n    const envelope = await this.encryptEntry(entry)\n    // expectedVersion: 0 ≡ \"the slot must not yet exist.\" Honored by\n    // casAtomic stores; silently passed through by non-CAS stores.\n    await this.adapter.put(\n      this.vault,\n      LEDGER_COLLECTION,\n      paddedIndex(entry.index),\n      envelope,\n      0,\n    )\n\n    // Chain slot claimed. Now write the delta record (if any).\n    if (deltaEnvelope) {\n      await this.adapter.put(\n        this.vault,\n        LEDGER_DELTAS_COLLECTION,\n        paddedIndex(entry.index),\n        deltaEnvelope,\n        0,\n      )\n    }\n\n    // Update the head cache so the next append() doesn't re-scan the\n    // adapter.\n    this.headCache = { entry, hash: await hashEntry(entry) }\n    return entry\n  }\n\n  /**\n   * Load a delta payload by its entry index. Returns `null` if the\n   * entry at that index doesn't reference a delta (genesis puts and\n   * deletes leave the slot empty) or if the delta row is missing\n   * (possible after a `pruneHistory` fold).\n   *\n   * The caller is responsible for deciding what to do with a missing\n   * delta — `ledger.reconstruct()` uses it as a \"stop walking\n   * backward\" signal and falls back to the on-disk current value.\n   */\n  async loadDelta(index: number): Promise<JsonPatch | null> {\n    const envelope = await this.adapter.get(\n      this.vault,\n      LEDGER_DELTAS_COLLECTION,\n      paddedIndex(index),\n    )\n    if (!envelope) return null\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as JsonPatch\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as JsonPatch\n  }\n\n  /** Encrypt a JSON Patch into an envelope for storage. Mirrors encryptEntry. */\n  private async encryptDelta(patch: JsonPatch): Promise<EncryptedEnvelope> {\n    const json = JSON.stringify(patch)\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: 1,\n        _ts: new Date().toISOString(),\n        _iv: '',\n        _data: json,\n        _by: this.actor,\n      }\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: new Date().toISOString(),\n      _iv: iv,\n      _data: data,\n      _by: this.actor,\n    }\n  }\n\n  /**\n   * Read all entries in ascending-index order. Used internally by\n   * `append()`, `head()`, `verify()`, and `entries()`. Decryption is\n   * serial because the entries are tiny and the overhead of a Promise\n   * pool would dominate at realistic chain lengths (< 100K entries).\n   */\n  async loadAllEntries(): Promise<LedgerEntry[]> {\n    const keys = await this.adapter.list(this.vault, LEDGER_COLLECTION)\n    // Sort lexicographically, which matches numeric order because\n    // keys are zero-padded to 10 digits.\n    keys.sort()\n    const entries: LedgerEntry[] = []\n    for (const key of keys) {\n      const envelope = await this.adapter.get(\n        this.vault,\n        LEDGER_COLLECTION,\n        key,\n      )\n      if (!envelope) continue\n      entries.push(await this.decryptEntry(envelope))\n    }\n    return entries\n  }\n\n  /**\n   * Return the current head of the ledger: the last entry, its hash,\n   * and the total chain length. `null` on an empty ledger so callers\n   * can distinguish \"no history yet\" from \"empty history\".\n   */\n  async head(): Promise<\n    | { readonly entry: LedgerEntry; readonly hash: string; readonly length: number }\n    | null\n  > {\n    const cached = await this.getCachedHead()\n    if (!cached) return null\n    // `length` is `entry.index + 1` because indices are zero-based and\n    // contiguous. We don't need to re-scan the adapter to compute it.\n    return {\n      entry: cached.entry,\n      hash: cached.hash,\n      length: cached.entry.index + 1,\n    }\n  }\n\n  /**\n   * Return entries in the requested half-open range `[from, to)`.\n   * Defaults: `from = 0`, `to = length`. The indices are clipped to\n   * the valid range; no error is thrown for out-of-range queries.\n   */\n  async entries(opts: { from?: number; to?: number } = {}): Promise<LedgerEntry[]> {\n    const all = await this.loadAllEntries()\n    const from = Math.max(0, opts.from ?? 0)\n    const to = Math.min(all.length, opts.to ?? all.length)\n    return all.slice(from, to)\n  }\n\n  /**\n   * Reconstruct a record's state at a given historical version by\n   * walking the ledger's delta chain backward from the current state.\n   *\n   * ## Algorithm\n   *\n   * Ledger deltas are stored in **reverse** form — each entry's\n   * patch describes how to undo that put, transforming the new\n   * record back into the previous one. `reconstruct` exploits this\n   * by:\n   *\n   *   1. Finding every ledger entry for `(collection, id)` in the\n   *      chain, sorted by index ascending.\n   *   2. Starting from `current` (the present value of the record,\n   *      as held by the caller — typically fetched via\n   *      `Collection.get()`).\n   *   3. Walking entries in **descending** index order and applying\n   *      each entry's reverse patch, stopping when we reach the\n   *      entry whose version equals `atVersion`.\n   *\n   * The result is the record as it existed immediately AFTER the\n   * put at `atVersion`. To get the state at the genesis put\n   * (version 1), the walk runs all the way back through every put\n   * after the first.\n   *\n   * ## Caveats\n   *\n   * - **Delete entries** break the walk: once we see a delete, the\n   *   record didn't exist before that point, so there's nothing to\n   *   reconstruct. We return `null` in that case.\n   * - **Missing deltas** (e.g., after `pruneHistory` folds old\n   *   entries into a base snapshot) also stop the walk. does\n   *   not ship pruneHistory, so today this only happens if an entry\n   *   was deleted out-of-band.\n   * - The caller MUST pass the correct current value. Passing a\n   *   mutated object would corrupt the reconstruction — the patch\n   *   chain is only valid against the exact state that was in\n   *   effect when the most recent put happened.\n   *\n   * For, `reconstruct` is the only way to read a historical\n   * version via deltas. The legacy `_history` collection still\n   * holds full snapshots and `Collection.getVersion()` still reads\n   * from there — the two paths coexist until pruneHistory lands in\n   * a follow-up and delta becomes the default.\n   */\n  async reconstruct<T>(\n    collection: string,\n    id: string,\n    current: T,\n    atVersion: number,\n  ): Promise<T | null> {\n    const all = await this.loadAllEntries()\n    // Filter to entries for this (collection, id), in ascending index.\n    const matching = all.filter(\n      (e) => e.collection === collection && e.id === id,\n    )\n    if (matching.length === 0) {\n      // No ledger history at all; the current state IS version 1\n      // (or there's nothing), so the only valid atVersion is the\n      // current record's version. We can't verify that here, so\n      // return current if atVersion is plausible, null otherwise.\n      return null\n    }\n\n    // Walk entries in descending index order, applying each reverse\n    // delta until we reach the target version.\n    let state: T | null = current\n    for (let i = matching.length - 1; i >= 0; i--) {\n      const entry = matching[i]\n      if (!entry) continue\n\n      // Match check FIRST — before applying this entry's reverse\n      // patch. `state` at this point is the record state immediately\n      // after this entry's put (or before this entry's delete), so\n      // if the caller asked for this exact version, we're done.\n      if (entry.version === atVersion && entry.op !== 'delete') {\n        return state\n      }\n\n      if (entry.op === 'delete') {\n        // A delete erases the live state. If the caller asks for a\n        // version older than the delete we should continue walking\n        // (state becomes null and the next put resets it). But we\n        // can't reconstruct that pre-delete state from the current\n        // in-memory `state` — the delete has no reverse patch. So\n        // anything past this point is unreachable; return null.\n        return null\n      }\n\n      if (entry.deltaHash === undefined) {\n        // Genesis put — the earliest state for this lifecycle. We\n        // can't walk further back. If the caller asked for exactly\n        // this version, return the current state (we already failed\n        // the match check above because a fresh genesis after a\n        // delete can have version === atVersion). Otherwise the\n        // target is unreachable from here.\n        if (entry.version === atVersion) return state\n        return null\n      }\n\n      const patch = await this.loadDelta(entry.index)\n      if (!patch) {\n        // Delta row is missing (probably pruned). Stop walking.\n        return null\n      }\n\n      if (state === null) {\n        // We're trying to walk back across a delete range and there's\n        // nothing to apply a reverse patch to. Bail.\n        return null\n      }\n\n      state = applyPatch(state, patch)\n    }\n\n    // Ran off the end of the walk without matching. The target\n    // version doesn't exist in this record's chain.\n    return null\n  }\n\n  /**\n   * Walk the chain from genesis forward and verify every link.\n   *\n   * Returns `{ ok: true, head, length }` if every entry's `prevHash`\n   * matches the recomputed hash of its predecessor (and the genesis\n   * entry's `prevHash` is the empty string).\n   *\n   * Returns `{ ok: false, divergedAt, expected, actual }` on the first\n   * mismatch. `divergedAt` is the 0-based index of the BROKEN entry\n   * — entries before that index still verify cleanly; entries at and\n   * after `divergedAt` are untrustworthy.\n   *\n   * This method detects:\n   *   - Mutated entry content (fields changed)\n   *   - Reordered entries (if any adjacent pair swaps, the prevHash\n   *     of the second no longer matches)\n   *   - Inserted entries (the inserted entry's prevHash likely fails,\n   *     and the following entry's prevHash definitely fails)\n   *   - Deleted entries (the entry after the deletion sees a wrong\n   *     prevHash)\n   *\n   * It does NOT detect:\n   *   - Tampering with the DATA collections that bypassed the ledger\n   *     entirely (e.g., an attacker who modifies records without\n   *     appending matching ledger entries — this is why we also\n   *     plan a `verifyIntegrity()` helper in a follow-up)\n   *   - Truncation of the chain at the tail (dropping the last N\n   *     entries leaves a shorter but still consistent chain). External\n   *     anchoring of `head.hash` to a trusted service is the defense\n   *     against this.\n   */\n  async verify(): Promise<VerifyResult> {\n    const entries = await this.loadAllEntries()\n    let expectedPrevHash = ''\n    for (let i = 0; i < entries.length; i++) {\n      const entry = entries[i]\n      if (!entry) continue\n      if (entry.prevHash !== expectedPrevHash) {\n        return {\n          ok: false,\n          divergedAt: i,\n          expected: expectedPrevHash,\n          actual: entry.prevHash,\n        }\n      }\n      if (entry.index !== i) {\n        // An entry whose stored index doesn't match its position in\n        // the sorted list means someone rewrote the adapter keys.\n        // Treat as divergence.\n        return {\n          ok: false,\n          divergedAt: i,\n          expected: `index=${i}`,\n          actual: `index=${entry.index}`,\n        }\n      }\n      expectedPrevHash = await hashEntry(entry)\n    }\n    return {\n      ok: true,\n      head: expectedPrevHash,\n      length: entries.length,\n    }\n  }\n\n  // ─── Encryption plumbing ─────────────────────────────────────────\n\n  /**\n   * Serialize + encrypt a ledger entry into an EncryptedEnvelope. The\n   * envelope's `_v` field is set to `entry.index + 1` so the usual\n   * optimistic-concurrency machinery has a reasonable version number\n   * to compare against (the ledger is append-only, so concurrent\n   * writes should always bump the index).\n   */\n  private async encryptEntry(entry: LedgerEntry): Promise<EncryptedEnvelope> {\n    const json = canonicalJson(entry)\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: entry.index + 1,\n        _ts: entry.ts,\n        _iv: '',\n        _data: json,\n        _by: entry.actor,\n      }\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: entry.index + 1,\n      _ts: entry.ts,\n      _iv: iv,\n      _data: data,\n      _by: entry.actor,\n    }\n  }\n\n  /** Decrypt an envelope into a LedgerEntry. Throws on bad key / tamper. */\n  private async decryptEntry(envelope: EncryptedEnvelope): Promise<LedgerEntry> {\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as LedgerEntry\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as LedgerEntry\n  }\n}\n\n// `envelopePayloadHash` was moved to `./hash.ts` so it can be\n// imported by core code without dragging this file's `LedgerStore`\n// class into the floor bundle. The re-export at the top of this\n// file keeps the original `import { envelopePayloadHash } from '.../store.js'`\n// path working.\n\n/**\n * Exponential backoff with jitter for the append CAS retry loop.\n * Attempt 0 → ~5–10 ms, attempt 7 → ~640–1280 ms. Jitter avoids the\n * thundering-herd problem when multiple writers collide repeatedly.\n */\nfunction sleepBackoff(attempt: number): Promise<void> {\n  const base = 5 * Math.pow(2, attempt)\n  const jitter = Math.random() * base\n  return new Promise((resolve) => setTimeout(resolve, base + jitter))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AA4EO,SAAS,aAAa,MAAe,MAA0B;AACpE,QAAM,MAAqB,CAAC;AAC5B,OAAK,MAAM,MAAM,IAAI,GAAG;AACxB,SAAO;AACT;AAEA,SAAS,KACP,MACA,MACA,MACA,KACM;AAGN,MAAI,SAAS,KAAM;AAGnB,MAAI,SAAS,QAAQ,SAAS,MAAM;AAClC,QAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC7C;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,QAAQ,IAAI;AACtC,QAAM,cAAc,MAAM,QAAQ,IAAI;AACtC,QAAM,eAAe,OAAO,SAAS,YAAY,CAAC;AAClD,QAAM,eAAe,OAAO,SAAS,YAAY,CAAC;AAGlD,MAAI,gBAAgB,eAAe,iBAAiB,cAAc;AAChE,QAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC7C;AAAA,EACF;AAKA,MAAI,eAAe,aAAa;AAC9B,QAAI,CAAC,eAAe,MAAmB,IAAiB,GAAG;AACzD,UAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,IAC/C;AACA;AAAA,EACF;AAGA,MAAI,gBAAgB,cAAc;AAChC,UAAM,UAAU;AAChB,UAAM,UAAU;AAChB,UAAM,WAAW,OAAO,KAAK,OAAO;AACpC,UAAM,WAAW,OAAO,KAAK,OAAO;AAGpC,eAAW,OAAO,UAAU;AAC1B,YAAM,YAAY,OAAO,MAAM,kBAAkB,GAAG;AACpD,UAAI,EAAE,OAAO,UAAU;AACrB,YAAI,KAAK,EAAE,IAAI,UAAU,MAAM,UAAU,CAAC;AAAA,MAC5C,OAAO;AACL,aAAK,QAAQ,GAAG,GAAG,QAAQ,GAAG,GAAG,WAAW,GAAG;AAAA,MACjD;AAAA,IACF;AAEA,eAAW,OAAO,UAAU;AAC1B,UAAI,EAAE,OAAO,UAAU;AACrB,YAAI,KAAK;AAAA,UACP,IAAI;AAAA,UACJ,MAAM,OAAO,MAAM,kBAAkB,GAAG;AAAA,UACxC,OAAO,QAAQ,GAAG;AAAA,QACpB,CAAC;AAAA,MACH;AAAA,IACF;AACA;AAAA,EACF;AAGA,MAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC/C;AAEA,SAAS,eAAe,GAAc,GAAuB;AAC3D,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,QAAI,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAG,QAAO;AAAA,EACrC;AACA,SAAO;AACT;AAEA,SAAS,UAAU,GAAY,GAAqB;AAClD,MAAI,MAAM,EAAG,QAAO;AACpB,MAAI,MAAM,QAAQ,MAAM,KAAM,QAAO;AACrC,MAAI,OAAO,MAAM,OAAO,EAAG,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,SAAS,MAAM,QAAQ,CAAC;AAC9B,QAAM,SAAS,MAAM,QAAQ,CAAC;AAC9B,MAAI,WAAW,OAAQ,QAAO;AAC9B,MAAI,UAAU,OAAQ,QAAO,eAAe,GAAG,CAAc;AAC7D,QAAM,OAAO;AACb,QAAM,OAAO;AACb,QAAM,QAAQ,OAAO,KAAK,IAAI;AAC9B,QAAM,QAAQ,OAAO,KAAK,IAAI;AAC9B,MAAI,MAAM,WAAW,MAAM,OAAQ,QAAO;AAC1C,aAAW,OAAO,OAAO;AACvB,QAAI,EAAE,OAAO,MAAO,QAAO;AAC3B,QAAI,CAAC,UAAU,KAAK,GAAG,GAAG,KAAK,GAAG,CAAC,EAAG,QAAO;AAAA,EAC/C;AACA,SAAO;AACT;AAsBO,SAAS,WAAwB,MAAS,OAAqB;AACpE,MAAI,SAAkB,MAAM,IAAI;AAChC,aAAW,MAAM,OAAO;AACtB,aAAS,QAAQ,QAAQ,EAAE;AAAA,EAC7B;AACA,SAAO;AACT;AAEA,SAAS,QAAQ,KAAc,IAA0B;AAIvD,MAAI,GAAG,SAAS,IAAI;AAClB,QAAI,GAAG,OAAO,SAAU,QAAO;AAC/B,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB;AAEA,QAAM,WAAW,UAAU,GAAG,IAAI;AAClC,SAAO,aAAa,KAAK,UAAU,EAAE;AACvC;AAEA,SAAS,aACP,KACA,UACA,IACS;AACT,MAAI,SAAS,WAAW,GAAG;AAEzB,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,QAAM,CAAC,MAAM,GAAG,IAAI,IAAI;AACxB,MAAI,SAAS,OAAW,OAAM,IAAI,MAAM,iCAAiC;AAEzE,MAAI,KAAK,WAAW,GAAG;AACrB,WAAO,gBAAgB,KAAK,MAAM,EAAE;AAAA,EACtC;AAIA,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,UAAM,MAAM,gBAAgB,MAAM,IAAI,MAAM;AAC5C,UAAM,QAAQ,IAAI,GAAG;AACrB,UAAM,WAAW,aAAa,OAAO,MAAM,EAAE;AAC7C,UAAM,OAAO,IAAI,MAAM;AACvB,SAAK,GAAG,IAAI;AACZ,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,MAAM;AACZ,QAAI,EAAE,QAAQ,MAAM;AAClB,YAAM,IAAI,MAAM,6BAA6B,IAAI,uBAAuB;AAAA,IAC1E;AACA,UAAM,WAAW,aAAa,IAAI,IAAI,GAAG,MAAM,EAAE;AACjD,WAAO,EAAE,GAAG,KAAK,CAAC,IAAI,GAAG,SAAS;AAAA,EACpC;AACA,QAAM,IAAI;AAAA,IACR,gCAAgC,OAAO,GAAG,gBAAgB,IAAI;AAAA,EAChE;AACF;AAEA,SAAS,gBACP,KACA,SACA,IACS;AACT,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,UAAM,MACJ,YAAY,MAAM,IAAI,SAAS,gBAAgB,SAAS,IAAI,SAAS,CAAC;AACxE,UAAM,OAAO,IAAI,MAAM;AACvB,QAAI,GAAG,OAAO,UAAU;AACtB,WAAK,OAAO,KAAK,CAAC;AAClB,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,OAAO;AACnB,WAAK,OAAO,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;AACnC,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,WAAW;AACvB,UAAI,OAAO,IAAI,QAAQ;AACrB,cAAM,IAAI;AAAA,UACR,oDAAoD,GAAG;AAAA,QACzD;AAAA,MACF;AACA,WAAK,GAAG,IAAI,MAAM,GAAG,KAAK;AAC1B,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,MAAM;AACZ,QAAI,GAAG,OAAO,UAAU;AACtB,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,sCAAsC,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,YAAM,OAAO,EAAE,GAAG,IAAI;AACtB,aAAO,KAAK,OAAO;AACnB,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,OAAO;AAEnB,aAAO,EAAE,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE;AAAA,IAC9C;AACA,QAAI,GAAG,OAAO,WAAW;AACvB,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,uCAAuC,OAAO;AAAA,QAChD;AAAA,MACF;AACA,aAAO,EAAE,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE;AAAA,IAC9C;AAAA,EACF;AACA,QAAM,IAAI;AAAA,IACR,4BAA4B,GAAG,EAAE,yBAAyB,OAAO;AAAA,EACnE;AACF;AAYA,SAAS,kBAAkB,SAAyB;AAClD,SAAO,QAAQ,QAAQ,MAAM,IAAI,EAAE,QAAQ,OAAO,IAAI;AACxD;AAEA,SAAS,oBAAoB,SAAyB;AACpD,SAAO,QAAQ,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;AACvD;AAEA,SAAS,UAAU,MAAwB;AACzC,MAAI,CAAC,KAAK,WAAW,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,8CAA8C,IAAI,GAAG;AAAA,EACvE;AACA,SAAO,KACJ,MAAM,CAAC,EACP,MAAM,GAAG,EACT,IAAI,mBAAmB;AAC5B;AAEA,SAAS,gBAAgB,SAAiB,KAAqB;AAC7D,MAAI,CAAC,QAAQ,KAAK,OAAO,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,gEAAgE,OAAO;AAAA,IACzE;AAAA,EACF;AACA,QAAM,MAAM,OAAO,SAAS,SAAS,EAAE;AACvC,MAAI,MAAM,KAAK,MAAM,KAAK;AACxB,UAAM,IAAI;AAAA,MACR,2BAA2B,GAAG,qBAAqB,GAAG;AAAA,IACxD;AAAA,EACF;AACA,SAAO;AACT;AAeA,SAAS,MAAS,OAAa;AAC7B,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,SAAO,KAAK,MAAM,KAAK,UAAU,KAAK,CAAC;AACzC;;;AC5WO,IAAM,oBAAoB;AAuB1B,IAAM,2BAA2B;;;AC+BxC,IAAM,sBAAsB;AA4DrB,IAAM,cAAN,MAAkB;AAAA,EACN;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBT,YAAqE;AAAA,EAE7E,YAAY,MAMT;AACD,SAAK,UAAU,KAAK;AACpB,SAAK,QAAQ,KAAK;AAClB,SAAK,YAAY,KAAK;AACtB,SAAK,SAAS,KAAK;AACnB,SAAK,QAAQ,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,gBAAsE;AAClF,QAAI,KAAK,cAAc,OAAW,QAAO,KAAK;AAC9C,UAAM,UAAU,MAAM,KAAK,eAAe;AAC1C,UAAM,OAAO,QAAQ,QAAQ,SAAS,CAAC;AACvC,QAAI,CAAC,MAAM;AACT,WAAK,YAAY;AACjB,aAAO;AAAA,IACT;AACA,SAAK,YAAY,EAAE,OAAO,MAAM,MAAM,MAAM,UAAU,IAAI,EAAE;AAC5D,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4CA,MAAM,OAAO,OAA0C;AACrD,QAAI;AACJ,aAAS,UAAU,GAAG,UAAU,qBAAqB,WAAW;AAI9D,UAAI,UAAU,GAAG;AACf,aAAK,YAAY;AAAA,MACnB;AACA,UAAI;AACF,eAAO,MAAM,KAAK,WAAW,KAAK;AAAA,MACpC,SAAS,KAAK;AACZ,YAAI,eAAe,eAAe;AAChC,yBAAe;AACf,cAAI,UAAU,sBAAsB,GAAG;AACrC,kBAAM,aAAa,OAAO;AAAA,UAC5B;AACA;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AACA,SAAK;AACL,UAAM,IAAI,sBAAsB,mBAAmB;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAAW,OAA0C;AACjE,UAAM,SAAS,MAAM,KAAK,cAAc;AACxC,UAAM,YAAY,QAAQ;AAC1B,UAAM,WAAW,QAAQ,QAAQ;AACjC,UAAM,YAAY,YAAY,UAAU,QAAQ,IAAI;AAIpD,QAAI;AACJ,QAAI;AACJ,QAAI,MAAM,UAAU,QAAW;AAC7B,sBAAgB,MAAM,KAAK,aAAa,MAAM,KAAK;AACnD,kBAAY,MAAM,UAAU,cAAc,KAAK;AAAA,IACjD;AAKA,UAAM,YAAY;AAAA,MAChB,OAAO;AAAA,MACP;AAAA,MACA,IAAI,MAAM;AAAA,MACV,YAAY,MAAM;AAAA,MAClB,IAAI,MAAM;AAAA,MACV,SAAS,MAAM;AAAA,MACf,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,OAAO,MAAM,UAAU,KAAK,KAAK,QAAQ,MAAM;AAAA,MAC/C,aAAa,MAAM;AAAA,IACrB;AACA,UAAM,QACJ,cAAc,SACV,EAAE,GAAG,WAAW,UAAU,IAC1B;AAEN,UAAM,WAAW,MAAM,KAAK,aAAa,KAAK;AAG9C,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA,YAAY,MAAM,KAAK;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAGA,QAAI,eAAe;AACjB,YAAM,KAAK,QAAQ;AAAA,QACjB,KAAK;AAAA,QACL;AAAA,QACA,YAAY,MAAM,KAAK;AAAA,QACvB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAIA,SAAK,YAAY,EAAE,OAAO,MAAM,MAAM,UAAU,KAAK,EAAE;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAU,OAA0C;AACxD,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL;AAAA,MACA,YAAY,KAAK;AAAA,IACnB;AACA,QAAI,CAAC,SAAU,QAAO;AACtB,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AAAA;AAAA,EAGA,MAAc,aAAa,OAA8C;AACvE,UAAM,OAAO,KAAK,UAAU,KAAK;AACjC,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI;AAAA,QACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO;AAAA,QACP,KAAK,KAAK;AAAA,MACZ;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC5B,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,KAAK;AAAA,IACZ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAyC;AAC7C,UAAM,OAAO,MAAM,KAAK,QAAQ,KAAK,KAAK,OAAO,iBAAiB;AAGlE,SAAK,KAAK;AACV,UAAM,UAAyB,CAAC;AAChC,eAAW,OAAO,MAAM;AACtB,YAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,QAClC,KAAK;AAAA,QACL;AAAA,QACA;AAAA,MACF;AACA,UAAI,CAAC,SAAU;AACf,cAAQ,KAAK,MAAM,KAAK,aAAa,QAAQ,CAAC;AAAA,IAChD;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAGJ;AACA,UAAM,SAAS,MAAM,KAAK,cAAc;AACxC,QAAI,CAAC,OAAQ,QAAO;AAGpB,WAAO;AAAA,MACL,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,QAAQ,OAAO,MAAM,QAAQ;AAAA,IAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,QAAQ,OAAuC,CAAC,GAA2B;AAC/E,UAAM,MAAM,MAAM,KAAK,eAAe;AACtC,UAAM,OAAO,KAAK,IAAI,GAAG,KAAK,QAAQ,CAAC;AACvC,UAAM,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,IAAI,MAAM;AACrD,WAAO,IAAI,MAAM,MAAM,EAAE;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+CA,MAAM,YACJ,YACA,IACA,SACA,WACmB;AACnB,UAAM,MAAM,MAAM,KAAK,eAAe;AAEtC,UAAM,WAAW,IAAI;AAAA,MACnB,CAAC,MAAM,EAAE,eAAe,cAAc,EAAE,OAAO;AAAA,IACjD;AACA,QAAI,SAAS,WAAW,GAAG;AAKzB,aAAO;AAAA,IACT;AAIA,QAAI,QAAkB;AACtB,aAAS,IAAI,SAAS,SAAS,GAAG,KAAK,GAAG,KAAK;AAC7C,YAAM,QAAQ,SAAS,CAAC;AACxB,UAAI,CAAC,MAAO;AAMZ,UAAI,MAAM,YAAY,aAAa,MAAM,OAAO,UAAU;AACxD,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,OAAO,UAAU;AAOzB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,cAAc,QAAW;AAOjC,YAAI,MAAM,YAAY,UAAW,QAAO;AACxC,eAAO;AAAA,MACT;AAEA,YAAM,QAAQ,MAAM,KAAK,UAAU,MAAM,KAAK;AAC9C,UAAI,CAAC,OAAO;AAEV,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,MAAM;AAGlB,eAAO;AAAA,MACT;AAEA,cAAQ,WAAW,OAAO,KAAK;AAAA,IACjC;AAIA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiCA,MAAM,SAAgC;AACpC,UAAM,UAAU,MAAM,KAAK,eAAe;AAC1C,QAAI,mBAAmB;AACvB,aAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,YAAM,QAAQ,QAAQ,CAAC;AACvB,UAAI,CAAC,MAAO;AACZ,UAAI,MAAM,aAAa,kBAAkB;AACvC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AACA,UAAI,MAAM,UAAU,GAAG;AAIrB,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,YAAY;AAAA,UACZ,UAAU,SAAS,CAAC;AAAA,UACpB,QAAQ,SAAS,MAAM,KAAK;AAAA,QAC9B;AAAA,MACF;AACA,yBAAmB,MAAM,UAAU,KAAK;AAAA,IAC1C;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,QAAQ,QAAQ;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,aAAa,OAAgD;AACzE,UAAM,OAAO,cAAc,KAAK;AAChC,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI,MAAM,QAAQ;AAAA,QAClB,KAAK,MAAM;AAAA,QACX,KAAK;AAAA,QACL,OAAO;AAAA,QACP,KAAK,MAAM;AAAA,MACb;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI,MAAM,QAAQ;AAAA,MAClB,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF;AAAA;AAAA,EAGA,MAAc,aAAa,UAAmD;AAC5E,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AACF;AAaA,SAAS,aAAa,SAAgC;AACpD,QAAM,OAAO,IAAI,KAAK,IAAI,GAAG,OAAO;AACpC,QAAM,SAAS,KAAK,OAAO,IAAI;AAC/B,SAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,OAAO,MAAM,CAAC;AACpE;","names":[]}