@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/{chunk-VQBTTTUN.js.map → chunk-7Q5PLD5C.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/session/session.ts","../src/session/session-policy.ts","../src/session/dev-unlock.ts"],"sourcesContent":["/**\n * Session tokens —\n *\n * After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-\n * link), the caller can call `createSession()` to get a session token that\n * allows re-establishing the KEK for the session lifetime without re-running\n * PBKDF2 or any interactive auth challenge.\n *\n * Security model\n * ──────────────\n * A session consists of two pieces that must both be present to recover the\n * KEK:\n *\n *   1. The **session key** — a non-extractable AES-256-GCM CryptoKey that\n *      exists only in memory. \"Non-extractable\" is enforced by the WebCrypto\n *      API: the key object cannot be serialized, exported, or sent over\n *      postMessage. When the JS context is GC'd (tab close, navigation away,\n *      worker termination) the key becomes unrecoverable.\n *\n *   2. The **session token** — a JSON object that carries the KEK wrapped\n *      with the session key (AES-256-GCM, fresh IV per session), plus\n *      unencrypted session metadata (sessionId, userId, vault, role,\n *      expiresAt). The token can be serialized to JSON and stored in\n *      sessionStorage or passed across callsites within the same tab, but\n *      it is useless without the session key.\n *\n * The session key is kept in a module-level Map indexed by sessionId. Callers\n * that need to re-use a session must hold on to the sessionId returned from\n * `createSession()`; the key is looked up automatically by `resolveSession()`.\n *\n * Revocation: `revokeSession()` removes the entry from the Map. Because the\n * key is non-extractable, removal is sufficient — no one holds a serializable\n * copy of the key.\n *\n * Tab-scoped lifetime: the module-level Map lives only as long as the JS\n * module. Tab close → module unloaded → Map GC'd → all session keys gone.\n * This is the zero-effort logout: closing the tab is always a secure logout.\n *\n * Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`\n * checks `expiresAt` and throws `SessionExpiredError` if the token is stale,\n * even if the session key is still in the Map.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { Role } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { SessionExpiredError, SessionNotFoundError } from '../errors.js'\n\nconst subtle = globalThis.crypto.subtle\n\n// Default session TTL: 60 minutes\nconst DEFAULT_TTL_MS = 60 * 60 * 1000\n\n// Module-level session key store. Tab-scoped by construction.\nconst sessionKeyStore = new Map<string, CryptoKey>()\n\n// ─── Public types ──────────────────────────────────────────────────────\n\n/** The serializable part of a session token. Safe to store in sessionStorage. */\nexport interface SessionToken {\n  readonly _noydb_session: 1\n  /** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */\n  readonly sessionId: string\n  readonly userId: string\n  readonly vault: string\n  readonly role: Role\n  /** ISO timestamp — resolveSession() rejects this token after this time. */\n  readonly expiresAt: string\n  /** KEK wrapped with the session key (AES-256-GCM). Base64. */\n  readonly wrappedKek: string\n  /** IV used for the wrapping operation. Base64. */\n  readonly kekIv: string\n}\n\n/** Result returned from `createSession()`. */\nexport interface CreateSessionResult {\n  /** Serializable token — store in sessionStorage or pass to `resolveSession()`. */\n  token: SessionToken\n  /** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */\n  sessionId: string\n}\n\n/** Options for `createSession()`. */\nexport interface CreateSessionOptions {\n  /**\n   * Session lifetime in milliseconds. Defaults to 60 minutes.\n   * After this duration, `resolveSession()` throws `SessionExpiredError`.\n   */\n  ttlMs?: number\n}\n\n// ─── Core session operations ───────────────────────────────────────────\n\n/**\n * Create a session for an already-unlocked keyring.\n *\n * Call this after any successful unlock (passphrase, WebAuthn, OIDC,\n * magic-link). The returned `sessionId` is the handle for later\n * `resolveSession()` and `revokeSession()` calls.\n *\n * The session key is generated fresh (non-extractable) and stored in the\n * module-level Map. The KEK from `keyring.kek` is exported (it must be\n * extractable — it was derived by `deriveKey()` which sets extractable: false,\n * but it's unwrapped from the keyring which sets extractable: true) and then\n * re-wrapped with the session key.\n *\n * @param keyring - An already-unlocked keyring whose `kek` is available.\n * @param vault - The vault name this session is scoped to.\n * @param options - Optional session configuration.\n */\nexport async function createSession(\n  keyring: UnlockedKeyring,\n  vault: string,\n  options: CreateSessionOptions = {},\n): Promise<CreateSessionResult> {\n  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS\n  const sessionId = generateULID()\n  const expiresAt = new Date(Date.now() + ttlMs).toISOString()\n\n  // Generate a fresh non-extractable session key.\n  // AES-256-GCM is used here (rather than AES-KW) because the session key\n  // wraps raw key bytes (the exported KEK) rather than a CryptoKey object.\n  const sessionKey = await subtle.generateKey(\n    { name: 'AES-GCM', length: 256 },\n    false, // non-extractable — this is the tab-scope security invariant\n    ['encrypt', 'decrypt'],\n  )\n\n  // Export the KEK as raw bytes so we can wrap it.\n  // The KEK is AES-256-KW, which must have been importable (extractable: true)\n  // to allow wrapKey — it is, because unwrapKey sets extractable: true for\n  // DEKs, but the KEK itself is derived with extractable: false (see\n  // crypto.ts deriveKey). We use a separate raw export + encrypt path.\n  //\n  // Wait — the KEK is AES-KW with extractable:false. We cannot export it.\n  // Instead, we wrap the DEKs (which ARE extractable) and the salt+role+userId\n  // metadata together. This means resolveSession() reconstructs an\n  // UnlockedKeyring by re-wrapping the DEKs list from the token.\n  //\n  // Simpler approach: export each DEK (they're extractable) and encrypt\n  // the serialized DEK map with the session key. The keyring is reconstructed\n  // from the session token without the original KEK — only DEKs matter for\n  // record operations.\n  //\n  // This is the right design: sessions don't need the KEK (no re-grant,\n  // no re-derive during session lifetime). They need the DEK set.\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n  const encrypted = await subtle.encrypt(\n    { name: 'AES-GCM', iv },\n    sessionKey,\n    new TextEncoder().encode(payload),\n  )\n\n  const token: SessionToken = {\n    _noydb_session: 1,\n    sessionId,\n    userId: keyring.userId,\n    vault,\n    role: keyring.role,\n    expiresAt,\n    wrappedKek: bufferToBase64(encrypted),\n    kekIv: bufferToBase64(iv),\n  }\n\n  sessionKeyStore.set(sessionId, sessionKey)\n  return { token, sessionId }\n}\n\n/**\n * Resolve a session token back into an UnlockedKeyring.\n *\n * Looks up the session key by `sessionId`, checks the token is not expired,\n * then decrypts the payload to reconstruct the keyring's DEK set.\n *\n * Throws `SessionExpiredError` if the token's `expiresAt` is in the past.\n * Throws `SessionNotFoundError` if the session key is not in the store\n * (tab was reloaded, session was revoked, or the sessionId is wrong).\n *\n * @param token - The SessionToken from `createSession()`.\n */\nexport async function resolveSession(token: SessionToken): Promise<UnlockedKeyring> {\n  // Expiry check first — fast path without touching crypto\n  if (Date.now() > new Date(token.expiresAt).getTime()) {\n    sessionKeyStore.delete(token.sessionId)\n    throw new SessionExpiredError(token.sessionId)\n  }\n\n  const sessionKey = sessionKeyStore.get(token.sessionId)\n  if (!sessionKey) {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const iv = base64ToBuffer(token.kekIv)\n  const ciphertext = base64ToBuffer(token.wrappedKek)\n\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      sessionKey,\n      ciphertext,\n    )\n  } catch {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const payload = JSON.parse(new TextDecoder().decode(plaintext)) as {\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(payload.deks)) {\n    const dek = await subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: payload.userId,\n    displayName: payload.displayName,\n    role: payload.role,\n    permissions: payload.permissions,\n    deks,\n    kek: null, // KEK not available in session context\n    salt: base64ToBuffer(payload.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Revoke a session by removing its key from the store.\n *\n * After revocation, `resolveSession()` will throw `SessionNotFoundError`\n * for this sessionId. The session token (if held by the caller) becomes\n * permanently useless. This is the explicit logout path.\n *\n * No-op if the session was already expired or does not exist.\n */\nexport function revokeSession(sessionId: string): void {\n  sessionKeyStore.delete(sessionId)\n}\n\n/**\n * Check if a session is still alive (key in store + not expired).\n * Does not decrypt anything — purely a metadata check.\n */\nexport function isSessionAlive(token: SessionToken): boolean {\n  if (Date.now() > new Date(token.expiresAt).getTime()) return false\n  return sessionKeyStore.has(token.sessionId)\n}\n\n/**\n * Revoke all active sessions. Used by `Noydb.close()` to ensure that\n * closing the instance destroys all session state, not just the keyring\n * cache.\n */\nexport function revokeAllSessions(): void {\n  sessionKeyStore.clear()\n}\n\n/**\n * Return the number of active sessions currently in the store.\n * Useful for diagnostics and tests.\n */\nexport function activeSessionCount(): number {\n  return sessionKeyStore.size\n}\n","/**\n * Session policies —\n *\n * A `SessionPolicy` is a small declarative object that controls how long a\n * session lives and which operations require re-authentication. It is\n * evaluated by the `PolicyEnforcer` class, which the Noydb instance\n * integrates to replace the bare `sessionTimeout` timer from.\n *\n * Design decisions\n * ────────────────\n * Policies are stateless value objects — no timers, no event listeners.\n * The Noydb instance is the stateful coordinator: it holds the enforcer,\n * calls `enforcer.touch()` on every operation, and calls\n * `enforcer.checkOperation()` before high-risk operations.\n *\n * This keeps the policy module easy to unit-test (no global timers to mock)\n * and avoids the \"who owns cleanup\" problem that comes with timer-based\n * callbacks embedded in a value object.\n *\n * `lockOnBackground` registers a `visibilitychange` listener on the document\n * at enforcer creation time and removes it on `destroy()`. It is a no-op in\n * non-browser environments (no `document`).\n */\n\nimport type { SessionPolicy, ReAuthOperation } from '../types.js'\nimport { SessionExpiredError, SessionPolicyError } from '../errors.js'\nimport { revokeSession } from './session.js'\n\n// ─── PolicyEnforcer ────────────────────────────────────────────────────\n\nexport interface PolicyEnforcerOptions {\n  /** The policy to enforce. */\n  policy: SessionPolicy\n  /** The session ID to revoke when idle/absolute timeouts fire. */\n  sessionId: string\n  /**\n   * Called when the policy decides the session should end (idle timeout,\n   * absolute timeout, or lockOnBackground). Use this to trigger the\n   * same cleanup that `Noydb.close()` would perform.\n   */\n  onRevoke: (reason: 'idle' | 'absolute' | 'background') => void\n}\n\n/**\n * Stateful enforcer for a single session policy.\n *\n * Create one per open session, call `touch()` on every operation,\n * call `checkOperation(op)` before export/grant/revoke/rotate/changeSecret,\n * and call `destroy()` when the session ends.\n */\nexport class PolicyEnforcer {\n  private readonly policy: SessionPolicy\n  private readonly sessionId: string\n  private readonly onRevoke: PolicyEnforcerOptions['onRevoke']\n  private readonly createdAt: number\n  private lastActivityAt: number\n  private idleTimer: ReturnType<typeof setTimeout> | null = null\n  private absoluteTimer: ReturnType<typeof setTimeout> | null = null\n  private visibilityHandler: (() => void) | null = null\n\n  constructor(opts: PolicyEnforcerOptions) {\n    this.policy = opts.policy\n    this.sessionId = opts.sessionId\n    this.onRevoke = opts.onRevoke\n    this.createdAt = Date.now()\n    this.lastActivityAt = Date.now()\n\n    this.scheduleIdleTimer()\n    this.scheduleAbsoluteTimer()\n    this.registerBackgroundLock()\n  }\n\n  /**\n   * Record an activity timestamp and reset the idle timer.\n   * Call this at the top of every Noydb public method.\n   */\n  touch(): void {\n    this.lastActivityAt = Date.now()\n    this.scheduleIdleTimer()\n  }\n\n  /**\n   * Check whether the given operation is allowed under the active policy.\n   * Throws `SessionPolicyError` if the operation requires re-authentication.\n   * Throws `SessionExpiredError` if the absolute timeout has been exceeded\n   * (defensive check in case the timer fired before the call arrived).\n   *\n   * This is a synchronous check — callers don't await it.\n   */\n  checkOperation(op: ReAuthOperation): void {\n    // Defensive absolute-timeout check (timer may have fired late)\n    const { absoluteTimeoutMs } = this.policy\n    if (absoluteTimeoutMs !== undefined && Date.now() - this.createdAt >= absoluteTimeoutMs) {\n      this.expire('absolute')\n      throw new SessionExpiredError(this.sessionId)\n    }\n\n    const required = this.policy.requireReAuthFor ?? []\n    if (required.includes(op)) {\n      throw new SessionPolicyError(op)\n    }\n  }\n\n  /**\n   * Tear down timers and background-lock listener. Call from `Noydb.close()`\n   * and whenever the session is revoked externally.\n   */\n  destroy(): void {\n    if (this.idleTimer) {\n      clearTimeout(this.idleTimer)\n      this.idleTimer = null\n    }\n    if (this.absoluteTimer) {\n      clearTimeout(this.absoluteTimer)\n      this.absoluteTimer = null\n    }\n    if (this.visibilityHandler && typeof document !== 'undefined') {\n      document.removeEventListener('visibilitychange', this.visibilityHandler)\n      this.visibilityHandler = null\n    }\n  }\n\n  /** How long since the last activity, in ms. */\n  get idleMs(): number {\n    return Date.now() - this.lastActivityAt\n  }\n\n  /** How long since session creation, in ms. */\n  get ageMs(): number {\n    return Date.now() - this.createdAt\n  }\n\n  // ── Private ──────────────────────────────────────────────────────────\n\n  private scheduleIdleTimer(): void {\n    const { idleTimeoutMs } = this.policy\n    if (!idleTimeoutMs) return\n\n    if (this.idleTimer) clearTimeout(this.idleTimer)\n    this.idleTimer = setTimeout(() => {\n      this.expire('idle')\n    }, idleTimeoutMs)\n  }\n\n  private scheduleAbsoluteTimer(): void {\n    const { absoluteTimeoutMs } = this.policy\n    if (!absoluteTimeoutMs) return\n\n    if (this.absoluteTimer) clearTimeout(this.absoluteTimer)\n    this.absoluteTimer = setTimeout(() => {\n      this.expire('absolute')\n    }, absoluteTimeoutMs)\n  }\n\n  private registerBackgroundLock(): void {\n    if (!this.policy.lockOnBackground) return\n    if (typeof document === 'undefined') return\n\n    this.visibilityHandler = () => {\n      if (document.hidden) {\n        this.expire('background')\n      }\n    }\n    document.addEventListener('visibilitychange', this.visibilityHandler)\n  }\n\n  private expire(reason: 'idle' | 'absolute' | 'background'): void {\n    this.destroy()\n    revokeSession(this.sessionId)\n    this.onRevoke(reason)\n  }\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/**\n * Build a `PolicyEnforcer` from a policy + session token, and return it\n * alongside a cleanup function. Convenience wrapper for Noydb.\n */\nexport function createEnforcer(opts: PolicyEnforcerOptions): PolicyEnforcer {\n  return new PolicyEnforcer(opts)\n}\n\n/**\n * Validate that a `SessionPolicy` is well-formed.\n * Throws a plain `Error` (not `NoydbError`) because this is a developer\n * error — invalid policies passed at construction time, not at runtime.\n */\nexport function validateSessionPolicy(policy: SessionPolicy): void {\n  const { idleTimeoutMs, absoluteTimeoutMs } = policy\n  if (idleTimeoutMs !== undefined && (typeof idleTimeoutMs !== 'number' || idleTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`)\n  }\n  if (absoluteTimeoutMs !== undefined && (typeof absoluteTimeoutMs !== 'number' || absoluteTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`)\n  }\n  if (idleTimeoutMs !== undefined && absoluteTimeoutMs !== undefined && idleTimeoutMs >= absoluteTimeoutMs) {\n    throw new Error(\n      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`,\n    )\n  }\n}\n","/**\n * Dev-mode persistent unlock —\n *\n * Solves the developer inner-loop friction: hot-reload destroys the session\n * (page navigation semantics), forcing a passphrase re-entry every refresh.\n *\n * This module provides an opt-in, deliberately-named escape hatch that lets\n * developers store the keyring payload in sessionStorage or localStorage so\n * the vault auto-unlocks on every page load — without a passphrase,\n * without a biometric prompt, without any OIDC flow.\n *\n * ⚠️ WARNING — this is a loaded footgun ⚠️\n * ─────────────────────────────────────────\n * The keyring payload stored by this module contains the DEKs. Whoever has\n * access to sessionStorage/localStorage has access to the DEKs. On a shared\n * development machine, a compromised browser extension, or a mis-configured\n * origin, this is a complete key exposure.\n *\n * This module is ONLY safe for local development. It must NEVER be active\n * in production builds.\n *\n * Guardrails (all enforced by the module, not by the caller)\n * ──────────────────────────────────────────────────────────\n * 1. **Production guard:** `enableDevUnlock()` throws immediately if\n *    `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`\n *    (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.\n *\n * 2. **Explicit acknowledgement string:** the caller must pass\n *    `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call\n *    throws. This string appears in every grep for `devUnlock` in the codebase,\n *    making it impossible to enable this feature accidentally.\n *\n * 3. **Scope is vault + userId:** the storage key includes both the\n *    vault name and the userId, so dev-unlock for vault-A does\n *    NOT auto-unlock vault-B.\n *\n * 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).\n *    `localStorage` is opt-in and requires an additional\n *    `persistAcrossTabs: true` flag in the options.\n *\n * 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire\n *    this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.\n *\n * 6. **Console banner:** on first enable, a highly visible console warning\n *    fires. Cannot be suppressed.\n *\n * Usage\n * ─────\n * ```ts\n * // In your dev entry point only (guarded by import.meta.env.DEV):\n * if (import.meta.env.DEV) {\n *   const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')\n *   enableDevUnlock('my-compartment', 'alice', keyring, {\n *     acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',\n *   })\n * }\n *\n * // On page load:\n * if (import.meta.env.DEV) {\n *   const keyring = await loadDevUnlock('my-compartment', 'alice')\n *   if (keyring) {\n *     // Skip unlock prompt, use keyring directly\n *   }\n * }\n * ```\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { Role } from '../types.js'\n\n// The exact acknowledgement string callers must pass\nconst REQUIRED_ACKNOWLEDGE = 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'\n\nconst STORAGE_PREFIX = 'noydb:dev-unlock:'\n\n// ─── Options ──────────────────────────────────────────────────────────\n\nexport interface DevUnlockOptions {\n  /**\n   * Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.\n   * Any other value causes `enableDevUnlock()` to throw.\n   */\n  acknowledge: string\n  /**\n   * If `true`, stores in localStorage (persists across tabs and browser restarts).\n   * If `false` (default), stores in sessionStorage (cleared on tab close).\n   */\n  persistAcrossTabs?: boolean\n}\n\n// ─── Production guard ─────────────────────────────────────────────────\n\nfunction assertDevEnvironment(): void {\n  // Node.js: check NODE_ENV\n  if (\n    typeof process !== 'undefined' &&\n    process.env.NODE_ENV === 'production'\n  ) {\n    throw new ValidationError(\n      'devUnlock is not available in production builds. ' +\n      'process.env.NODE_ENV is \"production\".',\n    )\n  }\n\n  // Vite / build tool convention\n  if (\n    typeof globalThis !== 'undefined' &&\n    (globalThis as Record<string, unknown>).__vite_is_production__ === true\n  ) {\n    throw new ValidationError('devUnlock is not available in production builds.')\n  }\n\n  // Browser: only allow on localhost\n  if (\n    typeof window !== 'undefined' &&\n    typeof window.location !== 'undefined'\n  ) {\n    const host = window.location.hostname\n    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '::1' && !host.endsWith('.local')) {\n      throw new ValidationError(\n        `devUnlock is only available on localhost. Current hostname: \"${host}\". ` +\n        'Set NODE_ENV=development and run on localhost to use dev unlock.',\n      )\n    }\n  }\n}\n\n// ─── Storage key ──────────────────────────────────────────────────────\n\nfunction storageKey(vault: string, userId: string): string {\n  return `${STORAGE_PREFIX}${vault}:${userId}`\n}\n\nfunction resolveStorage(persistAcrossTabs?: boolean): Storage {\n  if (typeof window === 'undefined') {\n    throw new ValidationError('devUnlock requires a browser environment (window.sessionStorage / window.localStorage).')\n  }\n  return persistAcrossTabs ? window.localStorage : window.sessionStorage\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Serialize and store a keyring to browser storage for dev-mode auto-unlock.\n *\n * Throws immediately if:\n *   - The acknowledge string is wrong.\n *   - Running in a production environment (NODE_ENV=production).\n *   - Running on a non-localhost hostname.\n *\n * Emits a highly visible console warning that cannot be suppressed.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param keyring - The unlocked keyring to persist.\n * @param options - Options including the required acknowledge string.\n */\nexport async function enableDevUnlock(\n  vault: string,\n  userId: string,\n  keyring: UnlockedKeyring,\n  options: DevUnlockOptions,\n): Promise<void> {\n  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {\n    throw new ValidationError(\n      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. ` +\n      `Got: '${options.acknowledge}'. This is intentional — the full string must appear in your source.`,\n    )\n  }\n\n  assertDevEnvironment()\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    _noydb_dev_unlock: 1,\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  storage.setItem(storageKey(vault, userId), payload)\n\n  // Visible, unsuppressable warning\n  console.warn(\n    '%c⚠️ NOYDB DEV UNLOCK ACTIVE ⚠️',\n    'color: red; font-size: 16px; font-weight: bold',\n    `\\n\\nCompartment \"${vault}\" user \"${userId}\" is stored in ` +\n    `${options.persistAcrossTabs ? 'localStorage' : 'sessionStorage'} in PLAINTEXT DEKs.\\n` +\n    'This is ONLY safe for local development. Never use in production.\\n' +\n    'Call clearDevUnlock() to remove.',\n  )\n}\n\n/**\n * Load a dev-mode keyring from browser storage.\n *\n * Returns `null` if no dev-unlock state is stored for this vault + user,\n * or if the stored payload is malformed.\n *\n * Does NOT perform the production environment check — it's safe to CALL\n * `loadDevUnlock` in production (it will simply return `null` because no\n * dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param options - Optional storage override.\n */\nexport async function loadDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): Promise<UnlockedKeyring | null> {\n  if (typeof window === 'undefined') return null\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n  const raw = storage.getItem(storageKey(vault, userId))\n  if (!raw) return null\n\n  let parsed: {\n    _noydb_dev_unlock?: number\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n  try {\n    parsed = JSON.parse(raw)\n  } catch {\n    return null\n  }\n\n  if (parsed._noydb_dev_unlock !== 1) return null\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n    const dek = await globalThis.crypto.subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: parsed.userId,\n    displayName: parsed.displayName,\n    role: parsed.role,\n    permissions: parsed.permissions,\n    deks,\n    kek: null,\n    salt: base64ToBuffer(parsed.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Remove dev-unlock state from browser storage.\n *\n * Safe to call in production (no-op if no dev state exists).\n */\nexport function clearDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): void {\n  if (typeof window === 'undefined') return\n  const storage = resolveStorage(options.persistAcrossTabs)\n  storage.removeItem(storageKey(vault, userId))\n}\n\n/**\n * Check if dev-unlock state exists for this vault + user.\n *\n * Safe to call in production (returns false if nothing is stored).\n */\nexport function isDevUnlockActive(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): boolean {\n  if (typeof window === 'undefined') return false\n  const storage = resolveStorage(options.persistAcrossTabs)\n  return storage.getItem(storageKey(vault, userId)) !== null\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiDA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,iBAAiB,KAAK,KAAK;AAGjC,IAAM,kBAAkB,oBAAI,IAAuB;AAwDnD,eAAsB,cACpB,SACA,OACA,UAAgC,CAAC,GACH;AAC9B,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,YAAY,aAAa;AAC/B,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,EAAE,YAAY;AAK3D,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAqBA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,QAAM,QAAsB;AAAA,IAC1B,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,YAAY,eAAe,SAAS;AAAA,IACpC,OAAO,eAAe,EAAE;AAAA,EAC1B;AAEA,kBAAgB,IAAI,WAAW,UAAU;AACzC,SAAO,EAAE,OAAO,UAAU;AAC5B;AAcA,eAAsB,eAAe,OAA+C;AAElF,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,GAAG;AACpD,oBAAgB,OAAO,MAAM,SAAS;AACtC,UAAM,IAAI,oBAAoB,MAAM,SAAS;AAAA,EAC/C;AAEA,QAAM,aAAa,gBAAgB,IAAI,MAAM,SAAS;AACtD,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,KAAK,eAAe,MAAM,KAAK;AACrC,QAAM,aAAa,eAAe,MAAM,UAAU;AAElD,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO;AAAA,MACvB,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS9D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AAChE,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB;AAAA,IACA,KAAK;AAAA;AAAA,IACL,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAWO,SAAS,cAAc,WAAyB;AACrD,kBAAgB,OAAO,SAAS;AAClC;AAMO,SAAS,eAAe,OAA8B;AAC3D,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,EAAG,QAAO;AAC7D,SAAO,gBAAgB,IAAI,MAAM,SAAS;AAC5C;AAOO,SAAS,oBAA0B;AACxC,kBAAgB,MAAM;AACxB;AAMO,SAAS,qBAA6B;AAC3C,SAAO,gBAAgB;AACzB;;;ACnPO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAAkD;AAAA,EAClD,gBAAsD;AAAA,EACtD,oBAAyC;AAAA,EAEjD,YAAY,MAA6B;AACvC,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AACtB,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,iBAAiB,KAAK,IAAI;AAE/B,SAAK,kBAAkB;AACvB,SAAK,sBAAsB;AAC3B,SAAK,uBAAuB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,iBAAiB,KAAK,IAAI;AAC/B,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,IAA2B;AAExC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,sBAAsB,UAAa,KAAK,IAAI,IAAI,KAAK,aAAa,mBAAmB;AACvF,WAAK,OAAO,UAAU;AACtB,YAAM,IAAI,oBAAoB,KAAK,SAAS;AAAA,IAC9C;AAEA,UAAM,WAAW,KAAK,OAAO,oBAAoB,CAAC;AAClD,QAAI,SAAS,SAAS,EAAE,GAAG;AACzB,YAAM,IAAI,mBAAmB,EAAE;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AACd,QAAI,KAAK,WAAW;AAClB,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AACA,QAAI,KAAK,eAAe;AACtB,mBAAa,KAAK,aAAa;AAC/B,WAAK,gBAAgB;AAAA,IACvB;AACA,QAAI,KAAK,qBAAqB,OAAO,aAAa,aAAa;AAC7D,eAAS,oBAAoB,oBAAoB,KAAK,iBAAiB;AACvE,WAAK,oBAAoB;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,SAAiB;AACnB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAGA,IAAI,QAAgB;AAClB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAIQ,oBAA0B;AAChC,UAAM,EAAE,cAAc,IAAI,KAAK;AAC/B,QAAI,CAAC,cAAe;AAEpB,QAAI,KAAK,UAAW,cAAa,KAAK,SAAS;AAC/C,SAAK,YAAY,WAAW,MAAM;AAChC,WAAK,OAAO,MAAM;AAAA,IACpB,GAAG,aAAa;AAAA,EAClB;AAAA,EAEQ,wBAA8B;AACpC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,CAAC,kBAAmB;AAExB,QAAI,KAAK,cAAe,cAAa,KAAK,aAAa;AACvD,SAAK,gBAAgB,WAAW,MAAM;AACpC,WAAK,OAAO,UAAU;AAAA,IACxB,GAAG,iBAAiB;AAAA,EACtB;AAAA,EAEQ,yBAA+B;AACrC,QAAI,CAAC,KAAK,OAAO,iBAAkB;AACnC,QAAI,OAAO,aAAa,YAAa;AAErC,SAAK,oBAAoB,MAAM;AAC7B,UAAI,SAAS,QAAQ;AACnB,aAAK,OAAO,YAAY;AAAA,MAC1B;AAAA,IACF;AACA,aAAS,iBAAiB,oBAAoB,KAAK,iBAAiB;AAAA,EACtE;AAAA,EAEQ,OAAO,QAAkD;AAC/D,SAAK,QAAQ;AACb,kBAAc,KAAK,SAAS;AAC5B,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAQO,SAAS,eAAe,MAA6C;AAC1E,SAAO,IAAI,eAAe,IAAI;AAChC;AAOO,SAAS,sBAAsB,QAA6B;AACjE,QAAM,EAAE,eAAe,kBAAkB,IAAI;AAC7C,MAAI,kBAAkB,WAAc,OAAO,kBAAkB,YAAY,iBAAiB,IAAI;AAC5F,UAAM,IAAI,MAAM,8DAA8D,aAAa,EAAE;AAAA,EAC/F;AACA,MAAI,sBAAsB,WAAc,OAAO,sBAAsB,YAAY,qBAAqB,IAAI;AACxG,UAAM,IAAI,MAAM,kEAAkE,iBAAiB,EAAE;AAAA,EACvG;AACA,MAAI,kBAAkB,UAAa,sBAAsB,UAAa,iBAAiB,mBAAmB;AACxG,UAAM,IAAI;AAAA,MACR,gCAAgC,aAAa,4CAA4C,iBAAiB;AAAA,IAC5G;AAAA,EACF;AACF;;;AChIA,IAAM,uBAAuB;AAE7B,IAAM,iBAAiB;AAmBvB,SAAS,uBAA6B;AAEpC,MACE,OAAO,YAAY,eACnB,QAAQ,IAAI,aAAa,cACzB;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MACE,OAAO,eAAe,eACrB,WAAuC,2BAA2B,MACnE;AACA,UAAM,IAAI,gBAAgB,kDAAkD;AAAA,EAC9E;AAGA,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,aAAa,aAC3B;AACA,UAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,SAAS,eAAe,SAAS,eAAe,SAAS,SAAS,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,gEAAgE,IAAI;AAAA,MAEtE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,WAAW,OAAe,QAAwB;AACzD,SAAO,GAAG,cAAc,GAAG,KAAK,IAAI,MAAM;AAC5C;AAEA,SAAS,eAAe,mBAAsC;AAC5D,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,gBAAgB,yFAAyF;AAAA,EACrH;AACA,SAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D;AAmBA,eAAsB,gBACpB,OACA,QACA,SACA,SACe;AACf,MAAI,QAAQ,gBAAgB,sBAAsB;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,oBAAoB,YAC/C,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AAEA,uBAAqB;AAErB,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AAExD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,mBAAmB;AAAA,IACnB,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,UAAQ,QAAQ,WAAW,OAAO,MAAM,GAAG,OAAO;AAGlD,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA;AAAA,eAAoB,KAAK,WAAW,MAAM,kBACvC,QAAQ,oBAAoB,iBAAiB,gBAAgB;AAAA;AAAA;AAAA,EAGlE;AACF;AAgBA,eAAsB,cACpB,OACA,QACA,UAA2C,CAAC,GACX;AACjC,MAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,QAAM,MAAM,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC;AACrD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI;AASJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,sBAAsB,EAAG,QAAO;AAE3C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,IAChC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAOO,SAAS,eACd,OACA,QACA,UAA2C,CAAC,GACtC;AACN,MAAI,OAAO,WAAW,YAAa;AACnC,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,UAAQ,WAAW,WAAW,OAAO,MAAM,CAAC;AAC9C;AAOO,SAAS,kBACd,OACA,QACA,UAA2C,CAAC,GACnC;AACT,MAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,SAAO,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC,MAAM;AACxD;","names":[]}
+{"version":3,"sources":["../src/session/session.ts","../src/session/session-policy.ts","../src/session/dev-unlock.ts"],"sourcesContent":["/**\n * Session tokens —\n *\n * After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-\n * link), the caller can call `createSession()` to get a session token that\n * allows re-establishing the KEK for the session lifetime without re-running\n * PBKDF2 or any interactive auth challenge.\n *\n * Security model\n * ──────────────\n * A session consists of two pieces that must both be present to recover the\n * KEK:\n *\n *   1. The **session key** — a non-extractable AES-256-GCM CryptoKey that\n *      exists only in memory. \"Non-extractable\" is enforced by the WebCrypto\n *      API: the key object cannot be serialized, exported, or sent over\n *      postMessage. When the JS context is GC'd (tab close, navigation away,\n *      worker termination) the key becomes unrecoverable.\n *\n *   2. The **session token** — a JSON object that carries the KEK wrapped\n *      with the session key (AES-256-GCM, fresh IV per session), plus\n *      unencrypted session metadata (sessionId, userId, vault, role,\n *      expiresAt). The token can be serialized to JSON and stored in\n *      sessionStorage or passed across callsites within the same tab, but\n *      it is useless without the session key.\n *\n * The session key is kept in a module-level Map indexed by sessionId. Callers\n * that need to re-use a session must hold on to the sessionId returned from\n * `createSession()`; the key is looked up automatically by `resolveSession()`.\n *\n * Revocation: `revokeSession()` removes the entry from the Map. Because the\n * key is non-extractable, removal is sufficient — no one holds a serializable\n * copy of the key.\n *\n * Tab-scoped lifetime: the module-level Map lives only as long as the JS\n * module. Tab close → module unloaded → Map GC'd → all session keys gone.\n * This is the zero-effort logout: closing the tab is always a secure logout.\n *\n * Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`\n * checks `expiresAt` and throws `SessionExpiredError` if the token is stale,\n * even if the session key is still in the Map.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { Role } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { SessionExpiredError, SessionNotFoundError } from '../errors.js'\n\nconst subtle = globalThis.crypto.subtle\n\n// Default session TTL: 60 minutes\nconst DEFAULT_TTL_MS = 60 * 60 * 1000\n\n// Module-level session key store. Tab-scoped by construction.\nconst sessionKeyStore = new Map<string, CryptoKey>()\n\n// ─── Public types ──────────────────────────────────────────────────────\n\n/** The serializable part of a session token. Safe to store in sessionStorage. */\nexport interface SessionToken {\n  readonly _noydb_session: 1\n  /** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */\n  readonly sessionId: string\n  readonly userId: string\n  readonly vault: string\n  readonly role: Role\n  /** ISO timestamp — resolveSession() rejects this token after this time. */\n  readonly expiresAt: string\n  /** KEK wrapped with the session key (AES-256-GCM). Base64. */\n  readonly wrappedKek: string\n  /** IV used for the wrapping operation. Base64. */\n  readonly kekIv: string\n}\n\n/** Result returned from `createSession()`. */\nexport interface CreateSessionResult {\n  /** Serializable token — store in sessionStorage or pass to `resolveSession()`. */\n  token: SessionToken\n  /** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */\n  sessionId: string\n}\n\n/** Options for `createSession()`. */\nexport interface CreateSessionOptions {\n  /**\n   * Session lifetime in milliseconds. Defaults to 60 minutes.\n   * After this duration, `resolveSession()` throws `SessionExpiredError`.\n   */\n  ttlMs?: number\n}\n\n// ─── Core session operations ───────────────────────────────────────────\n\n/**\n * Create a session for an already-unlocked keyring.\n *\n * Call this after any successful unlock (passphrase, WebAuthn, OIDC,\n * magic-link). The returned `sessionId` is the handle for later\n * `resolveSession()` and `revokeSession()` calls.\n *\n * The session key is generated fresh (non-extractable) and stored in the\n * module-level Map. The KEK from `keyring.kek` is exported (it must be\n * extractable — it was derived by `deriveKey()` which sets extractable: false,\n * but it's unwrapped from the keyring which sets extractable: true) and then\n * re-wrapped with the session key.\n *\n * @param keyring - An already-unlocked keyring whose `kek` is available.\n * @param vault - The vault name this session is scoped to.\n * @param options - Optional session configuration.\n */\nexport async function createSession(\n  keyring: UnlockedKeyring,\n  vault: string,\n  options: CreateSessionOptions = {},\n): Promise<CreateSessionResult> {\n  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS\n  const sessionId = generateULID()\n  const expiresAt = new Date(Date.now() + ttlMs).toISOString()\n\n  // Generate a fresh non-extractable session key.\n  // AES-256-GCM is used here (rather than AES-KW) because the session key\n  // wraps raw key bytes (the exported KEK) rather than a CryptoKey object.\n  const sessionKey = await subtle.generateKey(\n    { name: 'AES-GCM', length: 256 },\n    false, // non-extractable — this is the tab-scope security invariant\n    ['encrypt', 'decrypt'],\n  )\n\n  // Export the KEK as raw bytes so we can wrap it.\n  // The KEK is AES-256-KW, which must have been importable (extractable: true)\n  // to allow wrapKey — it is, because unwrapKey sets extractable: true for\n  // DEKs, but the KEK itself is derived with extractable: false (see\n  // crypto.ts deriveKey). We use a separate raw export + encrypt path.\n  //\n  // Wait — the KEK is AES-KW with extractable:false. We cannot export it.\n  // Instead, we wrap the DEKs (which ARE extractable) and the salt+role+userId\n  // metadata together. This means resolveSession() reconstructs an\n  // UnlockedKeyring by re-wrapping the DEKs list from the token.\n  //\n  // Simpler approach: export each DEK (they're extractable) and encrypt\n  // the serialized DEK map with the session key. The keyring is reconstructed\n  // from the session token without the original KEK — only DEKs matter for\n  // record operations.\n  //\n  // This is the right design: sessions don't need the KEK (no re-grant,\n  // no re-derive during session lifetime). They need the DEK set.\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n  const encrypted = await subtle.encrypt(\n    { name: 'AES-GCM', iv },\n    sessionKey,\n    new TextEncoder().encode(payload),\n  )\n\n  const token: SessionToken = {\n    _noydb_session: 1,\n    sessionId,\n    userId: keyring.userId,\n    vault,\n    role: keyring.role,\n    expiresAt,\n    wrappedKek: bufferToBase64(encrypted),\n    kekIv: bufferToBase64(iv),\n  }\n\n  sessionKeyStore.set(sessionId, sessionKey)\n  return { token, sessionId }\n}\n\n/**\n * Resolve a session token back into an UnlockedKeyring.\n *\n * Looks up the session key by `sessionId`, checks the token is not expired,\n * then decrypts the payload to reconstruct the keyring's DEK set.\n *\n * Throws `SessionExpiredError` if the token's `expiresAt` is in the past.\n * Throws `SessionNotFoundError` if the session key is not in the store\n * (tab was reloaded, session was revoked, or the sessionId is wrong).\n *\n * @param token - The SessionToken from `createSession()`.\n */\nexport async function resolveSession(token: SessionToken): Promise<UnlockedKeyring> {\n  // Expiry check first — fast path without touching crypto\n  if (Date.now() > new Date(token.expiresAt).getTime()) {\n    sessionKeyStore.delete(token.sessionId)\n    throw new SessionExpiredError(token.sessionId)\n  }\n\n  const sessionKey = sessionKeyStore.get(token.sessionId)\n  if (!sessionKey) {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const iv = base64ToBuffer(token.kekIv)\n  const ciphertext = base64ToBuffer(token.wrappedKek)\n\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      sessionKey,\n      ciphertext,\n    )\n  } catch {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const payload = JSON.parse(new TextDecoder().decode(plaintext)) as {\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(payload.deks)) {\n    const dek = await subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: payload.userId,\n    displayName: payload.displayName,\n    role: payload.role,\n    permissions: payload.permissions,\n    deks,\n    kek: null, // KEK not available in session context\n    salt: base64ToBuffer(payload.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Revoke a session by removing its key from the store.\n *\n * After revocation, `resolveSession()` will throw `SessionNotFoundError`\n * for this sessionId. The session token (if held by the caller) becomes\n * permanently useless. This is the explicit logout path.\n *\n * No-op if the session was already expired or does not exist.\n */\nexport function revokeSession(sessionId: string): void {\n  sessionKeyStore.delete(sessionId)\n}\n\n/**\n * Check if a session is still alive (key in store + not expired).\n * Does not decrypt anything — purely a metadata check.\n */\nexport function isSessionAlive(token: SessionToken): boolean {\n  if (Date.now() > new Date(token.expiresAt).getTime()) return false\n  return sessionKeyStore.has(token.sessionId)\n}\n\n/**\n * Revoke all active sessions. Used by `Noydb.close()` to ensure that\n * closing the instance destroys all session state, not just the keyring\n * cache.\n */\nexport function revokeAllSessions(): void {\n  sessionKeyStore.clear()\n}\n\n/**\n * Return the number of active sessions currently in the store.\n * Useful for diagnostics and tests.\n */\nexport function activeSessionCount(): number {\n  return sessionKeyStore.size\n}\n","/**\n * Session policies —\n *\n * A `SessionPolicy` is a small declarative object that controls how long a\n * session lives and which operations require re-authentication. It is\n * evaluated by the `PolicyEnforcer` class, which the Noydb instance\n * integrates to replace the bare `sessionTimeout` timer from.\n *\n * Design decisions\n * ────────────────\n * Policies are stateless value objects — no timers, no event listeners.\n * The Noydb instance is the stateful coordinator: it holds the enforcer,\n * calls `enforcer.touch()` on every operation, and calls\n * `enforcer.checkOperation()` before high-risk operations.\n *\n * This keeps the policy module easy to unit-test (no global timers to mock)\n * and avoids the \"who owns cleanup\" problem that comes with timer-based\n * callbacks embedded in a value object.\n *\n * `lockOnBackground` registers a `visibilitychange` listener on the document\n * at enforcer creation time and removes it on `destroy()`. It is a no-op in\n * non-browser environments (no `document`).\n */\n\nimport type { SessionPolicy, ReAuthOperation } from '../types.js'\nimport { SessionExpiredError, SessionPolicyError } from '../errors.js'\nimport { revokeSession } from './session.js'\n\n// ─── PolicyEnforcer ────────────────────────────────────────────────────\n\nexport interface PolicyEnforcerOptions {\n  /** The policy to enforce. */\n  policy: SessionPolicy\n  /** The session ID to revoke when idle/absolute timeouts fire. */\n  sessionId: string\n  /**\n   * Called when the policy decides the session should end (idle timeout,\n   * absolute timeout, or lockOnBackground). Use this to trigger the\n   * same cleanup that `Noydb.close()` would perform.\n   */\n  onRevoke: (reason: 'idle' | 'absolute' | 'background') => void\n}\n\n/**\n * Stateful enforcer for a single session policy.\n *\n * Create one per open session, call `touch()` on every operation,\n * call `checkOperation(op)` before export/grant/revoke/rotate/changeSecret,\n * and call `destroy()` when the session ends.\n */\nexport class PolicyEnforcer {\n  private readonly policy: SessionPolicy\n  private readonly sessionId: string\n  private readonly onRevoke: PolicyEnforcerOptions['onRevoke']\n  private readonly createdAt: number\n  private lastActivityAt: number\n  private idleTimer: ReturnType<typeof setTimeout> | null = null\n  private absoluteTimer: ReturnType<typeof setTimeout> | null = null\n  private visibilityHandler: (() => void) | null = null\n\n  constructor(opts: PolicyEnforcerOptions) {\n    this.policy = opts.policy\n    this.sessionId = opts.sessionId\n    this.onRevoke = opts.onRevoke\n    this.createdAt = Date.now()\n    this.lastActivityAt = Date.now()\n\n    this.scheduleIdleTimer()\n    this.scheduleAbsoluteTimer()\n    this.registerBackgroundLock()\n  }\n\n  /**\n   * Record an activity timestamp and reset the idle timer.\n   * Call this at the top of every Noydb public method.\n   */\n  touch(): void {\n    this.lastActivityAt = Date.now()\n    this.scheduleIdleTimer()\n  }\n\n  /**\n   * Check whether the given operation is allowed under the active policy.\n   * Throws `SessionPolicyError` if the operation requires re-authentication.\n   * Throws `SessionExpiredError` if the absolute timeout has been exceeded\n   * (defensive check in case the timer fired before the call arrived).\n   *\n   * This is a synchronous check — callers don't await it.\n   */\n  checkOperation(op: ReAuthOperation): void {\n    // Defensive absolute-timeout check (timer may have fired late)\n    const { absoluteTimeoutMs } = this.policy\n    if (absoluteTimeoutMs !== undefined && Date.now() - this.createdAt >= absoluteTimeoutMs) {\n      this.expire('absolute')\n      throw new SessionExpiredError(this.sessionId)\n    }\n\n    const required = this.policy.requireReAuthFor ?? []\n    if (required.includes(op)) {\n      throw new SessionPolicyError(op)\n    }\n  }\n\n  /**\n   * Tear down timers and background-lock listener. Call from `Noydb.close()`\n   * and whenever the session is revoked externally.\n   */\n  destroy(): void {\n    if (this.idleTimer) {\n      clearTimeout(this.idleTimer)\n      this.idleTimer = null\n    }\n    if (this.absoluteTimer) {\n      clearTimeout(this.absoluteTimer)\n      this.absoluteTimer = null\n    }\n    if (this.visibilityHandler && typeof document !== 'undefined') {\n      document.removeEventListener('visibilitychange', this.visibilityHandler)\n      this.visibilityHandler = null\n    }\n  }\n\n  /** How long since the last activity, in ms. */\n  get idleMs(): number {\n    return Date.now() - this.lastActivityAt\n  }\n\n  /** How long since session creation, in ms. */\n  get ageMs(): number {\n    return Date.now() - this.createdAt\n  }\n\n  // ── Private ──────────────────────────────────────────────────────────\n\n  private scheduleIdleTimer(): void {\n    const { idleTimeoutMs } = this.policy\n    if (!idleTimeoutMs) return\n\n    if (this.idleTimer) clearTimeout(this.idleTimer)\n    this.idleTimer = setTimeout(() => {\n      this.expire('idle')\n    }, idleTimeoutMs)\n  }\n\n  private scheduleAbsoluteTimer(): void {\n    const { absoluteTimeoutMs } = this.policy\n    if (!absoluteTimeoutMs) return\n\n    if (this.absoluteTimer) clearTimeout(this.absoluteTimer)\n    this.absoluteTimer = setTimeout(() => {\n      this.expire('absolute')\n    }, absoluteTimeoutMs)\n  }\n\n  private registerBackgroundLock(): void {\n    if (!this.policy.lockOnBackground) return\n    if (typeof document === 'undefined') return\n\n    this.visibilityHandler = () => {\n      if (document.hidden) {\n        this.expire('background')\n      }\n    }\n    document.addEventListener('visibilitychange', this.visibilityHandler)\n  }\n\n  private expire(reason: 'idle' | 'absolute' | 'background'): void {\n    this.destroy()\n    revokeSession(this.sessionId)\n    this.onRevoke(reason)\n  }\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/**\n * Build a `PolicyEnforcer` from a policy + session token, and return it\n * alongside a cleanup function. Convenience wrapper for Noydb.\n */\nexport function createEnforcer(opts: PolicyEnforcerOptions): PolicyEnforcer {\n  return new PolicyEnforcer(opts)\n}\n\n/**\n * Validate that a `SessionPolicy` is well-formed.\n * Throws a plain `Error` (not `NoydbError`) because this is a developer\n * error — invalid policies passed at construction time, not at runtime.\n */\nexport function validateSessionPolicy(policy: SessionPolicy): void {\n  const { idleTimeoutMs, absoluteTimeoutMs } = policy\n  if (idleTimeoutMs !== undefined && (typeof idleTimeoutMs !== 'number' || idleTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`)\n  }\n  if (absoluteTimeoutMs !== undefined && (typeof absoluteTimeoutMs !== 'number' || absoluteTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`)\n  }\n  if (idleTimeoutMs !== undefined && absoluteTimeoutMs !== undefined && idleTimeoutMs >= absoluteTimeoutMs) {\n    throw new Error(\n      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`,\n    )\n  }\n}\n","/**\n * Dev-mode persistent unlock —\n *\n * Solves the developer inner-loop friction: hot-reload destroys the session\n * (page navigation semantics), forcing a passphrase re-entry every refresh.\n *\n * This module provides an opt-in, deliberately-named escape hatch that lets\n * developers store the keyring payload in sessionStorage or localStorage so\n * the vault auto-unlocks on every page load — without a passphrase,\n * without a biometric prompt, without any OIDC flow.\n *\n * ⚠️ WARNING — this is a loaded footgun ⚠️\n * ─────────────────────────────────────────\n * The keyring payload stored by this module contains the DEKs. Whoever has\n * access to sessionStorage/localStorage has access to the DEKs. On a shared\n * development machine, a compromised browser extension, or a mis-configured\n * origin, this is a complete key exposure.\n *\n * This module is ONLY safe for local development. It must NEVER be active\n * in production builds.\n *\n * Guardrails (all enforced by the module, not by the caller)\n * ──────────────────────────────────────────────────────────\n * 1. **Production guard:** `enableDevUnlock()` throws immediately if\n *    `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`\n *    (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.\n *\n * 2. **Explicit acknowledgement string:** the caller must pass\n *    `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call\n *    throws. This string appears in every grep for `devUnlock` in the codebase,\n *    making it impossible to enable this feature accidentally.\n *\n * 3. **Scope is vault + userId:** the storage key includes both the\n *    vault name and the userId, so dev-unlock for vault-A does\n *    NOT auto-unlock vault-B.\n *\n * 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).\n *    `localStorage` is opt-in and requires an additional\n *    `persistAcrossTabs: true` flag in the options.\n *\n * 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire\n *    this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.\n *\n * 6. **Console banner:** on first enable, a highly visible console warning\n *    fires. Cannot be suppressed.\n *\n * Usage\n * ─────\n * ```ts\n * // In your dev entry point only (guarded by import.meta.env.DEV):\n * if (import.meta.env.DEV) {\n *   const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')\n *   enableDevUnlock('my-compartment', 'alice', keyring, {\n *     acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',\n *   })\n * }\n *\n * // On page load:\n * if (import.meta.env.DEV) {\n *   const keyring = await loadDevUnlock('my-compartment', 'alice')\n *   if (keyring) {\n *     // Skip unlock prompt, use keyring directly\n *   }\n * }\n * ```\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { Role } from '../types.js'\n\n// The exact acknowledgement string callers must pass\nconst REQUIRED_ACKNOWLEDGE = 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'\n\nconst STORAGE_PREFIX = 'noydb:dev-unlock:'\n\n// ─── Options ──────────────────────────────────────────────────────────\n\nexport interface DevUnlockOptions {\n  /**\n   * Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.\n   * Any other value causes `enableDevUnlock()` to throw.\n   */\n  acknowledge: string\n  /**\n   * If `true`, stores in localStorage (persists across tabs and browser restarts).\n   * If `false` (default), stores in sessionStorage (cleared on tab close).\n   */\n  persistAcrossTabs?: boolean\n}\n\n// ─── Production guard ─────────────────────────────────────────────────\n\nfunction assertDevEnvironment(): void {\n  // Node.js: check NODE_ENV\n  if (\n    typeof process !== 'undefined' &&\n    process.env.NODE_ENV === 'production'\n  ) {\n    throw new ValidationError(\n      'devUnlock is not available in production builds. ' +\n      'process.env.NODE_ENV is \"production\".',\n    )\n  }\n\n  // Vite / build tool convention\n  if (\n    typeof globalThis !== 'undefined' &&\n    (globalThis as Record<string, unknown>).__vite_is_production__ === true\n  ) {\n    throw new ValidationError('devUnlock is not available in production builds.')\n  }\n\n  // Browser: only allow on localhost\n  if (\n    typeof window !== 'undefined' &&\n    typeof window.location !== 'undefined'\n  ) {\n    const host = window.location.hostname\n    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '::1' && !host.endsWith('.local')) {\n      throw new ValidationError(\n        `devUnlock is only available on localhost. Current hostname: \"${host}\". ` +\n        'Set NODE_ENV=development and run on localhost to use dev unlock.',\n      )\n    }\n  }\n}\n\n// ─── Storage key ──────────────────────────────────────────────────────\n\nfunction storageKey(vault: string, userId: string): string {\n  return `${STORAGE_PREFIX}${vault}:${userId}`\n}\n\nfunction resolveStorage(persistAcrossTabs?: boolean): Storage {\n  if (typeof window === 'undefined') {\n    throw new ValidationError('devUnlock requires a browser environment (window.sessionStorage / window.localStorage).')\n  }\n  return persistAcrossTabs ? window.localStorage : window.sessionStorage\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Serialize and store a keyring to browser storage for dev-mode auto-unlock.\n *\n * Throws immediately if:\n *   - The acknowledge string is wrong.\n *   - Running in a production environment (NODE_ENV=production).\n *   - Running on a non-localhost hostname.\n *\n * Emits a highly visible console warning that cannot be suppressed.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param keyring - The unlocked keyring to persist.\n * @param options - Options including the required acknowledge string.\n */\nexport async function enableDevUnlock(\n  vault: string,\n  userId: string,\n  keyring: UnlockedKeyring,\n  options: DevUnlockOptions,\n): Promise<void> {\n  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {\n    throw new ValidationError(\n      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. ` +\n      `Got: '${options.acknowledge}'. This is intentional — the full string must appear in your source.`,\n    )\n  }\n\n  assertDevEnvironment()\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    _noydb_dev_unlock: 1,\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  storage.setItem(storageKey(vault, userId), payload)\n\n  // Visible, unsuppressable warning\n  console.warn(\n    '%c⚠️ NOYDB DEV UNLOCK ACTIVE ⚠️',\n    'color: red; font-size: 16px; font-weight: bold',\n    `\\n\\nVault \"${vault}\" user \"${userId}\" is stored in ` +\n    `${options.persistAcrossTabs ? 'localStorage' : 'sessionStorage'} in PLAINTEXT DEKs.\\n` +\n    'This is ONLY safe for local development. Never use in production.\\n' +\n    'Call clearDevUnlock() to remove.',\n  )\n}\n\n/**\n * Load a dev-mode keyring from browser storage.\n *\n * Returns `null` if no dev-unlock state is stored for this vault + user,\n * or if the stored payload is malformed.\n *\n * Does NOT perform the production environment check — it's safe to CALL\n * `loadDevUnlock` in production (it will simply return `null` because no\n * dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param options - Optional storage override.\n */\nexport async function loadDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): Promise<UnlockedKeyring | null> {\n  if (typeof window === 'undefined') return null\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n  const raw = storage.getItem(storageKey(vault, userId))\n  if (!raw) return null\n\n  let parsed: {\n    _noydb_dev_unlock?: number\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n  try {\n    parsed = JSON.parse(raw)\n  } catch {\n    return null\n  }\n\n  if (parsed._noydb_dev_unlock !== 1) return null\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n    const dek = await globalThis.crypto.subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: parsed.userId,\n    displayName: parsed.displayName,\n    role: parsed.role,\n    permissions: parsed.permissions,\n    deks,\n    kek: null,\n    salt: base64ToBuffer(parsed.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Remove dev-unlock state from browser storage.\n *\n * Safe to call in production (no-op if no dev state exists).\n */\nexport function clearDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): void {\n  if (typeof window === 'undefined') return\n  const storage = resolveStorage(options.persistAcrossTabs)\n  storage.removeItem(storageKey(vault, userId))\n}\n\n/**\n * Check if dev-unlock state exists for this vault + user.\n *\n * Safe to call in production (returns false if nothing is stored).\n */\nexport function isDevUnlockActive(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): boolean {\n  if (typeof window === 'undefined') return false\n  const storage = resolveStorage(options.persistAcrossTabs)\n  return storage.getItem(storageKey(vault, userId)) !== null\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiDA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,iBAAiB,KAAK,KAAK;AAGjC,IAAM,kBAAkB,oBAAI,IAAuB;AAwDnD,eAAsB,cACpB,SACA,OACA,UAAgC,CAAC,GACH;AAC9B,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,YAAY,aAAa;AAC/B,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,EAAE,YAAY;AAK3D,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAqBA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,QAAM,QAAsB;AAAA,IAC1B,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,YAAY,eAAe,SAAS;AAAA,IACpC,OAAO,eAAe,EAAE;AAAA,EAC1B;AAEA,kBAAgB,IAAI,WAAW,UAAU;AACzC,SAAO,EAAE,OAAO,UAAU;AAC5B;AAcA,eAAsB,eAAe,OAA+C;AAElF,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,GAAG;AACpD,oBAAgB,OAAO,MAAM,SAAS;AACtC,UAAM,IAAI,oBAAoB,MAAM,SAAS;AAAA,EAC/C;AAEA,QAAM,aAAa,gBAAgB,IAAI,MAAM,SAAS;AACtD,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,KAAK,eAAe,MAAM,KAAK;AACrC,QAAM,aAAa,eAAe,MAAM,UAAU;AAElD,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO;AAAA,MACvB,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS9D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AAChE,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB;AAAA,IACA,KAAK;AAAA;AAAA,IACL,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAWO,SAAS,cAAc,WAAyB;AACrD,kBAAgB,OAAO,SAAS;AAClC;AAMO,SAAS,eAAe,OAA8B;AAC3D,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,EAAG,QAAO;AAC7D,SAAO,gBAAgB,IAAI,MAAM,SAAS;AAC5C;AAOO,SAAS,oBAA0B;AACxC,kBAAgB,MAAM;AACxB;AAMO,SAAS,qBAA6B;AAC3C,SAAO,gBAAgB;AACzB;;;ACnPO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAAkD;AAAA,EAClD,gBAAsD;AAAA,EACtD,oBAAyC;AAAA,EAEjD,YAAY,MAA6B;AACvC,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AACtB,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,iBAAiB,KAAK,IAAI;AAE/B,SAAK,kBAAkB;AACvB,SAAK,sBAAsB;AAC3B,SAAK,uBAAuB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,iBAAiB,KAAK,IAAI;AAC/B,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,IAA2B;AAExC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,sBAAsB,UAAa,KAAK,IAAI,IAAI,KAAK,aAAa,mBAAmB;AACvF,WAAK,OAAO,UAAU;AACtB,YAAM,IAAI,oBAAoB,KAAK,SAAS;AAAA,IAC9C;AAEA,UAAM,WAAW,KAAK,OAAO,oBAAoB,CAAC;AAClD,QAAI,SAAS,SAAS,EAAE,GAAG;AACzB,YAAM,IAAI,mBAAmB,EAAE;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AACd,QAAI,KAAK,WAAW;AAClB,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AACA,QAAI,KAAK,eAAe;AACtB,mBAAa,KAAK,aAAa;AAC/B,WAAK,gBAAgB;AAAA,IACvB;AACA,QAAI,KAAK,qBAAqB,OAAO,aAAa,aAAa;AAC7D,eAAS,oBAAoB,oBAAoB,KAAK,iBAAiB;AACvE,WAAK,oBAAoB;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,SAAiB;AACnB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAGA,IAAI,QAAgB;AAClB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAIQ,oBAA0B;AAChC,UAAM,EAAE,cAAc,IAAI,KAAK;AAC/B,QAAI,CAAC,cAAe;AAEpB,QAAI,KAAK,UAAW,cAAa,KAAK,SAAS;AAC/C,SAAK,YAAY,WAAW,MAAM;AAChC,WAAK,OAAO,MAAM;AAAA,IACpB,GAAG,aAAa;AAAA,EAClB;AAAA,EAEQ,wBAA8B;AACpC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,CAAC,kBAAmB;AAExB,QAAI,KAAK,cAAe,cAAa,KAAK,aAAa;AACvD,SAAK,gBAAgB,WAAW,MAAM;AACpC,WAAK,OAAO,UAAU;AAAA,IACxB,GAAG,iBAAiB;AAAA,EACtB;AAAA,EAEQ,yBAA+B;AACrC,QAAI,CAAC,KAAK,OAAO,iBAAkB;AACnC,QAAI,OAAO,aAAa,YAAa;AAErC,SAAK,oBAAoB,MAAM;AAC7B,UAAI,SAAS,QAAQ;AACnB,aAAK,OAAO,YAAY;AAAA,MAC1B;AAAA,IACF;AACA,aAAS,iBAAiB,oBAAoB,KAAK,iBAAiB;AAAA,EACtE;AAAA,EAEQ,OAAO,QAAkD;AAC/D,SAAK,QAAQ;AACb,kBAAc,KAAK,SAAS;AAC5B,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAQO,SAAS,eAAe,MAA6C;AAC1E,SAAO,IAAI,eAAe,IAAI;AAChC;AAOO,SAAS,sBAAsB,QAA6B;AACjE,QAAM,EAAE,eAAe,kBAAkB,IAAI;AAC7C,MAAI,kBAAkB,WAAc,OAAO,kBAAkB,YAAY,iBAAiB,IAAI;AAC5F,UAAM,IAAI,MAAM,8DAA8D,aAAa,EAAE;AAAA,EAC/F;AACA,MAAI,sBAAsB,WAAc,OAAO,sBAAsB,YAAY,qBAAqB,IAAI;AACxG,UAAM,IAAI,MAAM,kEAAkE,iBAAiB,EAAE;AAAA,EACvG;AACA,MAAI,kBAAkB,UAAa,sBAAsB,UAAa,iBAAiB,mBAAmB;AACxG,UAAM,IAAI;AAAA,MACR,gCAAgC,aAAa,4CAA4C,iBAAiB;AAAA,IAC5G;AAAA,EACF;AACF;;;AChIA,IAAM,uBAAuB;AAE7B,IAAM,iBAAiB;AAmBvB,SAAS,uBAA6B;AAEpC,MACE,OAAO,YAAY,eACnB,QAAQ,IAAI,aAAa,cACzB;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MACE,OAAO,eAAe,eACrB,WAAuC,2BAA2B,MACnE;AACA,UAAM,IAAI,gBAAgB,kDAAkD;AAAA,EAC9E;AAGA,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,aAAa,aAC3B;AACA,UAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,SAAS,eAAe,SAAS,eAAe,SAAS,SAAS,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,gEAAgE,IAAI;AAAA,MAEtE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,WAAW,OAAe,QAAwB;AACzD,SAAO,GAAG,cAAc,GAAG,KAAK,IAAI,MAAM;AAC5C;AAEA,SAAS,eAAe,mBAAsC;AAC5D,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,gBAAgB,yFAAyF;AAAA,EACrH;AACA,SAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D;AAmBA,eAAsB,gBACpB,OACA,QACA,SACA,SACe;AACf,MAAI,QAAQ,gBAAgB,sBAAsB;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,oBAAoB,YAC/C,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AAEA,uBAAqB;AAErB,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AAExD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,mBAAmB;AAAA,IACnB,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,UAAQ,QAAQ,WAAW,OAAO,MAAM,GAAG,OAAO;AAGlD,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA;AAAA,SAAc,KAAK,WAAW,MAAM,kBACjC,QAAQ,oBAAoB,iBAAiB,gBAAgB;AAAA;AAAA;AAAA,EAGlE;AACF;AAgBA,eAAsB,cACpB,OACA,QACA,UAA2C,CAAC,GACX;AACjC,MAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,QAAM,MAAM,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC;AACrD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI;AASJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,sBAAsB,EAAG,QAAO;AAE3C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,IAChC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAOO,SAAS,eACd,OACA,QACA,UAA2C,CAAC,GACtC;AACN,MAAI,OAAO,WAAW,YAAa;AACnC,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,UAAQ,WAAW,WAAW,OAAO,MAAM,CAAC;AAC9C;AAOO,SAAS,kBACd,OACA,QACA,UAA2C,CAAC,GACnC;AACT,MAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,SAAO,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC,MAAM;AACxD;","names":[]}

package/dist/{chunk-QAVUREFT.js → chunk-7Z23ZFLV.js}

@@ -3,18 +3,18 @@ import {
   hashEntry,
   paddedIndex,
   sha256Hex
-} from "./chunk-CIMZBAZB.js";
+} from "./chunk-XG3PTSCD.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-RKJ6OL7K.js";
+} from "./chunk-YS3POABP.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-MR4424N3.js";
+} from "./chunk-2PAQNPE3.js";
 import {
   ConflictError,
   LedgerContentionError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-W3XXT26A.js";
 
 // src/history/ledger/patch.ts
 function computePatch(prev, next) {
@@ -369,7 +369,12 @@ var LedgerStore = class {
       actor: input.actor === "" ? this.actor : input.actor,
       payloadHash: input.payloadHash
     };
-    const entry = deltaHash !== void 0 ? { ...entryBase, deltaHash } : entryBase;
+    const entry = {
+      ...entryBase,
+      ...deltaHash !== void 0 ? { deltaHash } : {},
+      ...input.amendment !== void 0 ? { amendment: input.amendment } : {},
+      ...input.reason !== void 0 ? { reason: input.reason } : {}
+    };
     const envelope = await this.encryptEntry(entry);
     await this.adapter.put(
       this.vault,
@@ -541,6 +546,7 @@ var LedgerStore = class {
     for (let i = matching.length - 1; i >= 0; i--) {
       const entry = matching[i];
       if (!entry) continue;
+      if (entry.op !== "put" && entry.op !== "delete") continue;
       if (entry.version === atVersion && entry.op !== "delete") {
         return state;
       }
@@ -677,4 +683,4 @@ export {
   LEDGER_DELTAS_COLLECTION,
   LedgerStore
 };
-//# sourceMappingURL=chunk-QAVUREFT.js.map
+//# sourceMappingURL=chunk-7Z23ZFLV.js.map

package/dist/chunk-7Z23ZFLV.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/history/ledger/patch.ts","../src/history/ledger/constants.ts","../src/history/ledger/store.ts"],"sourcesContent":["/**\n * RFC 6902 JSON Patch — compute + apply.\n *\n * This module is the \"delta history\" primitive: instead of\n * snapshotting the full record on every put (the behavior),\n * `Collection.put` computes a JSON Patch from the previous version to\n * the new version and stores only the patch in the ledger. To\n * reconstruct version N, we walk from the genesis snapshot forward\n * applying patches. Storage scales with **edit size**, not record\n * size — a 10 KB record edited 1000 times costs ~10 KB of deltas\n * instead of ~10 MB of snapshots.\n *\n * ## Why hand-roll instead of using a library?\n *\n * RFC 6902 has good libraries (`fast-json-patch`, `rfc6902`) but every\n * single one of them adds a runtime dependency to `@noy-db/core`. The\n * \"zero runtime dependencies\" promise is one of the core's load-bearing\n * features, and the patch surface we actually need is small enough\n * (~150 LoC) that vendoring is the right call.\n *\n * What we implement:\n *   - `add`     — insert a value at a path\n *   - `remove`  — delete the value at a path\n *   - `replace` — overwrite the value at a path\n *\n * What we deliberately skip (out of scope for the ledger use):\n *   - `move` and `copy` — optimizations; the diff algorithm doesn't\n *     emit them, so the apply path doesn't need them\n *   - `test` — used for transactional patches; we already have\n *     optimistic concurrency via `_v` at the envelope layer\n *   - Sophisticated array diffing (LCS, edit distance) — we treat\n *     arrays as atomic values and emit a single `replace` op when\n *     they differ. The accounting domain has small arrays where this\n *     is fine; if we ever need patch-level array diffing we can add\n *     it without changing the storage format.\n *\n * ## Path encoding (RFC 6902 §3)\n *\n * Paths look like `/foo/bar/0`. Each path segment is either an object\n * key or a numeric array index. Two characters need escaping inside\n * keys: `~` becomes `~0` and `/` becomes `~1`. We implement both.\n *\n * Empty path (`\"\"`) refers to the root document. Only `replace` makes\n * sense at the root, and our diff function emits it as a top-level\n * `replace` when `prev` and `next` differ in shape (object vs array,\n * primitive vs object, etc.).\n */\n\n/** A single JSON Patch operation. Subset of RFC 6902 — see file docstring. */\nexport type JsonPatchOp =\n  | { readonly op: 'add'; readonly path: string; readonly value: unknown }\n  | { readonly op: 'remove'; readonly path: string }\n  | { readonly op: 'replace'; readonly path: string; readonly value: unknown }\n\n/** A complete JSON Patch document — an array of operations. */\nexport type JsonPatch = readonly JsonPatchOp[]\n\n// ─── Compute (diff) ──────────────────────────────────────────────────\n\n/**\n * Compute a JSON Patch that, when applied to `prev`, produces `next`.\n *\n * The algorithm is a straightforward recursive object walk:\n *\n *   1. If both inputs are plain objects (and not arrays/null):\n *      - For each key in `prev`, recurse if `next` has it, else emit `remove`\n *      - For each key in `next` not in `prev`, emit `add`\n *   2. If both inputs are arrays AND structurally equal, no-op.\n *      Otherwise emit a single `replace` for the whole array.\n *   3. If both inputs are deeply equal primitives, no-op.\n *   4. Otherwise emit a `replace` at the current path.\n *\n * We do not minimize patches across move-like rearrangements — every\n * generated patch is straightforward enough to apply by hand if you\n * had to debug it.\n */\nexport function computePatch(prev: unknown, next: unknown): JsonPatch {\n  const ops: JsonPatchOp[] = []\n  diff(prev, next, '', ops)\n  return ops\n}\n\nfunction diff(\n  prev: unknown,\n  next: unknown,\n  path: string,\n  out: JsonPatchOp[],\n): void {\n  // Both null / both undefined → no-op (we don't differentiate them\n  // in JSON terms; canonicalJson would reject undefined anyway).\n  if (prev === next) return\n\n  // One side null, the other not → straight replace.\n  if (prev === null || next === null) {\n    out.push({ op: 'replace', path, value: next })\n    return\n  }\n\n  const prevIsArray = Array.isArray(prev)\n  const nextIsArray = Array.isArray(next)\n  const prevIsObject = typeof prev === 'object' && !prevIsArray\n  const nextIsObject = typeof next === 'object' && !nextIsArray\n\n  // Type changed (e.g., object → primitive, array → object). Replace.\n  if (prevIsArray !== nextIsArray || prevIsObject !== nextIsObject) {\n    out.push({ op: 'replace', path, value: next })\n    return\n  }\n\n  // Both arrays. We don't do clever LCS-based diffing — emit a single\n  // replace for the whole array if they differ. See file docstring for\n  // the rationale.\n  if (prevIsArray && nextIsArray) {\n    if (!arrayDeepEqual(prev as unknown[], next as unknown[])) {\n      out.push({ op: 'replace', path, value: next })\n    }\n    return\n  }\n\n  // Both plain objects. Recurse key by key.\n  if (prevIsObject && nextIsObject) {\n    const prevObj = prev as Record<string, unknown>\n    const nextObj = next as Record<string, unknown>\n    const prevKeys = Object.keys(prevObj)\n    const nextKeys = Object.keys(nextObj)\n\n    // Handle removes and overlapping recursions in one pass over prev.\n    for (const key of prevKeys) {\n      const childPath = path + '/' + escapePathSegment(key)\n      if (!(key in nextObj)) {\n        out.push({ op: 'remove', path: childPath })\n      } else {\n        diff(prevObj[key], nextObj[key], childPath, out)\n      }\n    }\n    // Handle adds.\n    for (const key of nextKeys) {\n      if (!(key in prevObj)) {\n        out.push({\n          op: 'add',\n          path: path + '/' + escapePathSegment(key),\n          value: nextObj[key],\n        })\n      }\n    }\n    return\n  }\n\n  // Two primitives that aren't strictly equal — replace.\n  out.push({ op: 'replace', path, value: next })\n}\n\nfunction arrayDeepEqual(a: unknown[], b: unknown[]): boolean {\n  if (a.length !== b.length) return false\n  for (let i = 0; i < a.length; i++) {\n    if (!deepEqual(a[i], b[i])) return false\n  }\n  return true\n}\n\nfunction deepEqual(a: unknown, b: unknown): boolean {\n  if (a === b) return true\n  if (a === null || b === null) return false\n  if (typeof a !== typeof b) return false\n  if (typeof a !== 'object') return false\n  const aArray = Array.isArray(a)\n  const bArray = Array.isArray(b)\n  if (aArray !== bArray) return false\n  if (aArray && bArray) return arrayDeepEqual(a, b as unknown[])\n  const aObj = a as Record<string, unknown>\n  const bObj = b as Record<string, unknown>\n  const aKeys = Object.keys(aObj)\n  const bKeys = Object.keys(bObj)\n  if (aKeys.length !== bKeys.length) return false\n  for (const key of aKeys) {\n    if (!(key in bObj)) return false\n    if (!deepEqual(aObj[key], bObj[key])) return false\n  }\n  return true\n}\n\n// ─── Apply ──────────────────────────────────────────────────────────\n\n/**\n * Apply a JSON Patch to a base document and return the result.\n *\n * The base document is **not mutated** — every op clones the parent\n * container before writing to it, so the caller's reference to `base`\n * stays untouched. This costs an extra allocation per op but makes\n * the apply pipeline reorderable and safe to interrupt.\n *\n * Throws on:\n *   - Removing a path that doesn't exist\n *   - Adding to a path whose parent doesn't exist\n *   - A path component that doesn't match the document shape (e.g.,\n *     trying to step into a primitive)\n *\n * Throwing is the right behavior for the ledger use case: a failed\n * apply means the chain is corrupted, which should be loud rather\n * than silently producing a wrong reconstruction.\n */\nexport function applyPatch<T = unknown>(base: T, patch: JsonPatch): T {\n  let result: unknown = clone(base)\n  for (const op of patch) {\n    result = applyOp(result, op)\n  }\n  return result as T\n}\n\nfunction applyOp(doc: unknown, op: JsonPatchOp): unknown {\n  // Empty path → operation targets the root. Only `replace` and `add`\n  // make sense at the root, but we handle `remove` for completeness\n  // (root removal returns null).\n  if (op.path === '') {\n    if (op.op === 'remove') return null\n    return clone(op.value)\n  }\n\n  const segments = parsePath(op.path)\n  return walkAndApply(doc, segments, op)\n}\n\nfunction walkAndApply(\n  doc: unknown,\n  segments: string[],\n  op: JsonPatchOp,\n): unknown {\n  if (segments.length === 0) {\n    // Should never happen — empty path is handled in applyOp().\n    throw new Error('walkAndApply: empty segments (internal error)')\n  }\n\n  const [head, ...rest] = segments\n  if (head === undefined) throw new Error('walkAndApply: undefined segment')\n\n  if (rest.length === 0) {\n    return applyAtTerminal(doc, head, op)\n  }\n\n  // Recurse into the child container, then rebuild the parent with\n  // the modified child.\n  if (Array.isArray(doc)) {\n    const idx = parseArrayIndex(head, doc.length)\n    const child = doc[idx]\n    const newChild = walkAndApply(child, rest, op)\n    const next = doc.slice()\n    next[idx] = newChild\n    return next\n  }\n  if (doc !== null && typeof doc === 'object') {\n    const obj = doc as Record<string, unknown>\n    if (!(head in obj)) {\n      throw new Error(`applyPatch: path segment \"${head}\" not found in object`)\n    }\n    const newChild = walkAndApply(obj[head], rest, op)\n    return { ...obj, [head]: newChild }\n  }\n  throw new Error(\n    `applyPatch: cannot step into ${typeof doc} at segment \"${head}\"`,\n  )\n}\n\nfunction applyAtTerminal(\n  doc: unknown,\n  segment: string,\n  op: JsonPatchOp,\n): unknown {\n  if (Array.isArray(doc)) {\n    const idx =\n      segment === '-' ? doc.length : parseArrayIndex(segment, doc.length + 1)\n    const next = doc.slice()\n    if (op.op === 'remove') {\n      next.splice(idx, 1)\n      return next\n    }\n    if (op.op === 'add') {\n      next.splice(idx, 0, clone(op.value))\n      return next\n    }\n    if (op.op === 'replace') {\n      if (idx >= doc.length) {\n        throw new Error(\n          `applyPatch: replace at out-of-bounds array index ${idx}`,\n        )\n      }\n      next[idx] = clone(op.value)\n      return next\n    }\n  }\n  if (doc !== null && typeof doc === 'object') {\n    const obj = doc as Record<string, unknown>\n    if (op.op === 'remove') {\n      if (!(segment in obj)) {\n        throw new Error(\n          `applyPatch: remove on missing key \"${segment}\"`,\n        )\n      }\n      const next = { ...obj }\n      delete next[segment]\n      return next\n    }\n    if (op.op === 'add') {\n      // RFC 6902: `add` on an existing key replaces it.\n      return { ...obj, [segment]: clone(op.value) }\n    }\n    if (op.op === 'replace') {\n      if (!(segment in obj)) {\n        throw new Error(\n          `applyPatch: replace on missing key \"${segment}\"`,\n        )\n      }\n      return { ...obj, [segment]: clone(op.value) }\n    }\n  }\n  throw new Error(\n    `applyPatch: cannot apply ${op.op} at terminal segment \"${segment}\"`,\n  )\n}\n\n// ─── Path encoding (RFC 6902 §3) ─────────────────────────────────────\n\n/**\n * Escape a single path segment per RFC 6902 §3:\n *   `~` → `~0`\n *   `/` → `~1`\n *\n * Order matters: `~` must be escaped first, otherwise the `~1` we\n * just emitted would be re-escaped to `~01`.\n */\nfunction escapePathSegment(segment: string): string {\n  return segment.replace(/~/g, '~0').replace(/\\//g, '~1')\n}\n\nfunction unescapePathSegment(segment: string): string {\n  return segment.replace(/~1/g, '/').replace(/~0/g, '~')\n}\n\nfunction parsePath(path: string): string[] {\n  if (!path.startsWith('/')) {\n    throw new Error(`applyPatch: path must start with '/', got \"${path}\"`)\n  }\n  return path\n    .slice(1)\n    .split('/')\n    .map(unescapePathSegment)\n}\n\nfunction parseArrayIndex(segment: string, max: number): number {\n  if (!/^\\d+$/.test(segment)) {\n    throw new Error(\n      `applyPatch: array index must be a non-negative integer, got \"${segment}\"`,\n    )\n  }\n  const idx = Number.parseInt(segment, 10)\n  if (idx < 0 || idx > max) {\n    throw new Error(\n      `applyPatch: array index ${idx} out of range [0, ${max}]`,\n    )\n  }\n  return idx\n}\n\n// ─── Cheap structural clone ─────────────────────────────────────────\n\n/**\n * Plain-JSON clone via JSON.parse(JSON.stringify(value)).\n *\n * Faster than `structuredClone` for our use because (a) we know our\n * inputs are JSON-compatible (no Dates, Maps, or BigInts — anything\n * else gets rejected by canonicalJson upstream), and (b) `structuredClone`\n * has overhead for handling arbitrary structured data we don't need.\n *\n * For tiny ledger entries (< 1 KB), the JSON round-trip is in the\n * single-digit microsecond range.\n */\nfunction clone<T>(value: T): T {\n  if (value === null || value === undefined) return value\n  if (typeof value !== 'object') return value\n  return JSON.parse(JSON.stringify(value)) as T\n}\n","/**\n * Ledger storage constants — pinned in their own leaf module so\n * always-on core code (vault.ts, dictionary.ts) can import them\n * without dragging the `LedgerStore` class into the bundle.\n *\n * `splitting: true` in tsup is not enough on its own: when a\n * source file exports both pure constants and a heavyweight class,\n * the bundler keeps the entire chunk reachable from any importer.\n * Extracting the constants lets the floor scenario import them\n * without paying for the class.\n *\n * @internal\n */\n\n/** The internal collection name used for ledger entry storage. */\nexport const LEDGER_COLLECTION = '_ledger'\n\n/**\n * The internal collection name used for delta payload storage.\n *\n * Deltas live in a sibling collection (not inside `_ledger`) for two\n * reasons:\n *\n *   1. **Listing efficiency.** `ledger.loadAllEntries()` calls\n *      `adapter.list(_ledger)` which would otherwise return every\n *      delta key alongside every entry key. Splitting them keeps the\n *      list small (one key per ledger entry) and the delta reads\n *      keyed by the entry's index.\n *\n *   2. **Prune-friendliness.** A future `pruneHistory()` will delete\n *      old deltas while keeping the ledger chain intact (folding old\n *      deltas into a base snapshot). Separating the storage makes\n *      that deletion a targeted operation on one collection instead\n *      of a filter across a mixed list.\n *\n * Both collections share the same ledger DEK — one DEK, two\n * internal collections, same zero-knowledge guarantees.\n */\nexport const LEDGER_DELTAS_COLLECTION = '_ledger_deltas'\n","/**\n * `LedgerStore` — read/write access to a compartment's hash-chained\n * audit log.\n *\n * The store is a thin wrapper around the adapter's `_ledger/` internal\n * collection. Every append:\n *\n *   1. Loads the current head (or treats an empty ledger as head = -1)\n *   2. Computes `prevHash` = sha256(canonicalJson(head))\n *   3. Builds the new entry with `index = head.index + 1`\n *   4. Encrypts the entry with the compartment's ledger DEK\n *   5. Writes the encrypted envelope to `_ledger/<paddedIndex>`\n *\n * `verify()` walks the chain from genesis forward and returns\n * `{ ok: true, head }` on success or `{ ok: false, divergedAt }` on the\n * first broken link.\n *\n * ## Thread / concurrency model\n *\n * For we assume a **single writer per vault**. Two\n * concurrent `append()` calls would race on the \"read head, write\n * head+1\" cycle and could produce a broken chain. The sync engine\n * is the primary concurrent-writer scenario, and it uses\n * optimistic-concurrency via `expectedVersion` on the adapter — but\n * the ledger path has no such guard today. Multi-writer hardening is a\n * follow-up.\n *\n * Single-writer usage IS safe, including across process restarts:\n * `head()` reads the adapter fresh each call, so a crash between the\n * adapter.put of a data record and the ledger append just means the\n * ledger is missing an entry for that record. `verify()` still\n * succeeds; a future `verifyIntegrity()` helper can cross-check the\n * ledger against the data collections to catch the gap.\n *\n * ## Why hide the ledger from `vault.collection()`?\n *\n * The `_ledger` name starts with `_`, matching the existing prefix\n * convention for internal collections (`_keyring`, `_sync`,\n * `_history`). The Vault's public `collection()` method already\n * returns entries for any name, but `loadAll()` filters out\n * underscore-prefixed collections so backups and exports don't leak\n * ledger metadata. We keep the ledger accessible ONLY via\n * `vault.ledger()` to enforce the hash-chain invariants — direct\n * puts via `collection('_ledger')` would bypass the `append()` logic.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../types.js'\nimport { encrypt, decrypt } from '../../crypto.js'\nimport { ConflictError, LedgerContentionError } from '../../errors.js'\nimport {\n  canonicalJson,\n  hashEntry,\n  paddedIndex,\n  sha256Hex,\n  type LedgerEntry,\n} from './entry.js'\nimport type { JsonPatch } from './patch.js'\nimport { applyPatch } from './patch.js'\nimport { LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION } from './constants.js'\nimport { envelopePayloadHash } from './hash.js'\n\n/**\n * Maximum optimistic-CAS retries on the ledger head. Each failed\n * attempt invalidates the head cache, re-reads, and retries with a\n * fresh next-index. After N failures we surface\n * `LedgerContentionError` so the caller can decide whether to retry,\n * queue, or alert.\n */\nconst MAX_APPEND_ATTEMPTS = 8\n\n//  — re-export the constants + helper so any existing\n// `import { LEDGER_COLLECTION } from '...store.js'` paths keep\n// working. Internal core paths (vault.ts) import from the leaf\n// modules directly to avoid pulling this file's class into the\n// floor bundle.\nexport { LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION, envelopePayloadHash }\n\n/**\n * Input shape for `LedgerStore.append()`. The caller supplies the\n * operation metadata; the store fills in `index` and `prevHash`.\n */\nexport interface AppendInput {\n  op: LedgerEntry['op']\n  collection: string\n  id: string\n  version: number\n  actor: string\n  payloadHash: string\n  /**\n   * Optional JSON Patch representing the delta from the previous\n   * version to the new version. Present only for `put` operations\n   * that had a previous version; omitted for genesis puts and for\n   * deletes. When present, `LedgerStore.append` persists the patch\n   * in `_ledger_deltas/<paddedIndex>` and records its sha256 hash\n   * as the entry's `deltaHash` field.\n   */\n  delta?: JsonPatch\n  /**\n   * Present only for `op === 'amendment'` — structured audit\n   * payload for multi-record repair operations performed via\n   * `withTransactions(...)`. Carried through verbatim to the\n   * resulting ledger entry.\n   */\n  amendment?: LedgerEntry['amendment']\n  /**\n   * Optional human-readable tag describing why this mutation happened\n   * (#1). Threaded from `collection.put(_, _, { reason })`.\n   * Carried verbatim onto the resulting ledger entry's `reason` field;\n   * omitted from canonical JSON when undefined.\n   */\n  reason?: string\n}\n\n/**\n * Result of `LedgerStore.verify()`. On success, `head` is the hash of\n * the last entry — the same value that should be published to any\n * external anchoring service (blockchain, OpenTimestamps, etc.). On\n * failure, `divergedAt` is the 0-based index of the first entry whose\n * recorded `prevHash` does not match the recomputed hash of its\n * predecessor. Entries at `divergedAt` and later are untrustworthy;\n * entries before that index are still valid.\n */\nexport type VerifyResult =\n  | { readonly ok: true; readonly head: string; readonly length: number }\n  | {\n      readonly ok: false\n      readonly divergedAt: number\n      readonly expected: string\n      readonly actual: string\n    }\n\n/**\n * A LedgerStore is bound to a single vault. Callers obtain one\n * via `vault.ledger()` — there is no public constructor to keep\n * the hash-chain invariants in one place.\n *\n * The class holds no mutable state beyond its dependencies (adapter,\n * vault name, DEK resolver, actor id). Every method reads the\n * adapter fresh so multiple instances against the same vault\n * see each other's writes immediately (at the cost of re-parsing the\n * ledger on every head() / verify() call; acceptable at scale).\n */\nexport class LedgerStore {\n  private readonly adapter: NoydbStore\n  private readonly vault: string\n  private readonly encrypted: boolean\n  private readonly getDEK: (collectionName: string) => Promise<CryptoKey>\n  private readonly actor: string\n\n  /**\n   * In-memory cache of the chain head — the most recently appended\n   * entry along with its precomputed hash. Without this, every\n   * `append()` would re-load every prior entry to recompute the\n   * prevHash, making N puts O(N²) — a 1K-record stress test goes from\n   * < 100ms to a multi-second timeout.\n   *\n   * The cache is populated on first read (`append`, `head`, `verify`)\n   * and updated in-place on every successful `append`. Single-writer\n   * usage (the assumption) keeps it consistent. A second\n   * LedgerStore instance writing to the same vault would not\n   * see the first instance's appends in its cached state — that's the\n   * concurrency caveat documented at the class level.\n   *\n   * Sentinel `undefined` means \"not yet loaded\"; an explicit `null`\n   * value means \"loaded and confirmed empty\" — distinguishing these\n   * matters because an empty ledger is a valid state (genesis prevHash\n   * is the empty string), and we don't want to re-scan the adapter\n   * just because the chain is freshly initialized.\n   */\n  private headCache: { entry: LedgerEntry; hash: string } | null | undefined = undefined\n\n  constructor(opts: {\n    adapter: NoydbStore\n    vault: string\n    encrypted: boolean\n    getDEK: (collectionName: string) => Promise<CryptoKey>\n    actor: string\n  }) {\n    this.adapter = opts.adapter\n    this.vault = opts.vault\n    this.encrypted = opts.encrypted\n    this.getDEK = opts.getDEK\n    this.actor = opts.actor\n  }\n\n  /**\n   * Lazily load (or return cached) the current chain head. The cache\n   * sentinel is `undefined` until first access; after the first call,\n   * the cache holds either a `{ entry, hash }` for non-empty ledgers\n   * or `null` for empty ones.\n   */\n  private async getCachedHead(): Promise<{ entry: LedgerEntry; hash: string } | null> {\n    if (this.headCache !== undefined) return this.headCache\n    const entries = await this.loadAllEntries()\n    const last = entries[entries.length - 1]\n    if (!last) {\n      this.headCache = null\n      return null\n    }\n    this.headCache = { entry: last, hash: await hashEntry(last) }\n    return this.headCache\n  }\n\n  /**\n   * Append a new entry to the ledger. Returns the full entry that was\n   * written (with its assigned index and computed prevHash) so the\n   * caller can use the hash for downstream purposes (e.g., embedding\n   * in a verifiable backup).\n   *\n   * This is the **only** way to add entries. Direct adapter writes to\n   * `_ledger/` would bypass the chain math and would be caught by the\n   * next `verify()` call as a divergence.\n   *\n   * ## Multi-writer correctness\n   *\n   * Append is implemented as an optimistic-CAS retry loop. On every\n   * attempt:\n   *\n   *   1. Read fresh head (cache invalidated on retry).\n   *   2. Compute `nextIndex = head.index + 1`, `prevHash = hash(head)`.\n   *   3. Encrypt delta payload IN MEMORY (no adapter write yet) so we\n   *      can compute `deltaHash` before claiming the chain slot.\n   *   4. Build + encrypt the entry envelope.\n   *   5. `adapter.put(_ledger, paddedIndex, envelope, expectedVersion: 0)`\n   *      — the `expectedVersion: 0` asserts \"this slot must not exist.\"\n   *      Stores with `casAtomic: true` honor the CAS check; under\n   *      contention the second writer's put throws `ConflictError`.\n   *   6. On `ConflictError`: invalidate the head cache, sleep with\n   *      bounded backoff + jitter, retry. After `MAX_APPEND_ATTEMPTS`\n   *      retries throw {@link LedgerContentionError}.\n   *   7. On success: write the delta envelope (if any) at the same\n   *      index. Update the head cache.\n   *\n   * Entry-first ordering matters: writing the delta first under\n   * contention would orphan delta records at indices the writer never\n   * actually claimed. The deltaHash is computed off the encrypted\n   * envelope's `_data` field, which doesn't require the envelope to\n   * be persisted.\n   *\n   * Stores with `casAtomic: false` (file, s3, r2 by default) silently\n   * accept the `expectedVersion: 0` argument and proceed without a\n   * CAS check. Concurrent appends against those stores remain\n   * best-effort — pair them with an advisory lock or with sync\n   * single-writer discipline.\n   */\n  async append(input: AppendInput): Promise<LedgerEntry> {\n    let lastConflict: ConflictError | undefined\n    for (let attempt = 0; attempt < MAX_APPEND_ATTEMPTS; attempt++) {\n      // Force a fresh head read on every retry. The first attempt may\n      // hit the cache; subsequent attempts must re-scan the adapter\n      // because the prior conflict means our cached state is stale.\n      if (attempt > 0) {\n        this.headCache = undefined\n      }\n      try {\n        return await this.appendOnce(input)\n      } catch (err) {\n        if (err instanceof ConflictError) {\n          lastConflict = err\n          if (attempt < MAX_APPEND_ATTEMPTS - 1) {\n            await sleepBackoff(attempt)\n          }\n          continue\n        }\n        throw err\n      }\n    }\n    void lastConflict\n    throw new LedgerContentionError(MAX_APPEND_ATTEMPTS)\n  }\n\n  /**\n   * One attempt at the append cycle. Throws `ConflictError` when the\n   * CAS check on the entry put fails — `append()` catches that and\n   * retries. Any other error propagates to the caller.\n   */\n  private async appendOnce(input: AppendInput): Promise<LedgerEntry> {\n    const cached = await this.getCachedHead()\n    const lastEntry = cached?.entry\n    const prevHash = cached?.hash ?? ''\n    const nextIndex = lastEntry ? lastEntry.index + 1 : 0\n\n    // Encrypt the delta in memory so we can compute deltaHash WITHOUT\n    // claiming the deltas slot yet — entry-put is the chain claim.\n    let deltaEnvelope: EncryptedEnvelope | undefined\n    let deltaHash: string | undefined\n    if (input.delta !== undefined) {\n      deltaEnvelope = await this.encryptDelta(input.delta)\n      deltaHash = await sha256Hex(deltaEnvelope._data)\n    }\n\n    // Build the entry. Conditionally include `deltaHash` so\n    // canonicalJson (which rejects undefined) never sees it when\n    // there's no delta.\n    const entryBase = {\n      index: nextIndex,\n      prevHash,\n      op: input.op,\n      collection: input.collection,\n      id: input.id,\n      version: input.version,\n      ts: new Date().toISOString(),\n      actor: input.actor === '' ? this.actor : input.actor,\n      payloadHash: input.payloadHash,\n    } as const\n    const entry: LedgerEntry = {\n      ...entryBase,\n      ...(deltaHash !== undefined ? { deltaHash } : {}),\n      ...(input.amendment !== undefined ? { amendment: input.amendment } : {}),\n      ...(input.reason !== undefined ? { reason: input.reason } : {}),\n    }\n\n    const envelope = await this.encryptEntry(entry)\n    // expectedVersion: 0 ≡ \"the slot must not yet exist.\" Honored by\n    // casAtomic stores; silently passed through by non-CAS stores.\n    await this.adapter.put(\n      this.vault,\n      LEDGER_COLLECTION,\n      paddedIndex(entry.index),\n      envelope,\n      0,\n    )\n\n    // Chain slot claimed. Now write the delta record (if any).\n    if (deltaEnvelope) {\n      await this.adapter.put(\n        this.vault,\n        LEDGER_DELTAS_COLLECTION,\n        paddedIndex(entry.index),\n        deltaEnvelope,\n        0,\n      )\n    }\n\n    // Update the head cache so the next append() doesn't re-scan the\n    // adapter.\n    this.headCache = { entry, hash: await hashEntry(entry) }\n    return entry\n  }\n\n  /**\n   * Load a delta payload by its entry index. Returns `null` if the\n   * entry at that index doesn't reference a delta (genesis puts and\n   * deletes leave the slot empty) or if the delta row is missing\n   * (possible after a `pruneHistory` fold).\n   *\n   * The caller is responsible for deciding what to do with a missing\n   * delta — `ledger.reconstruct()` uses it as a \"stop walking\n   * backward\" signal and falls back to the on-disk current value.\n   */\n  async loadDelta(index: number): Promise<JsonPatch | null> {\n    const envelope = await this.adapter.get(\n      this.vault,\n      LEDGER_DELTAS_COLLECTION,\n      paddedIndex(index),\n    )\n    if (!envelope) return null\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as JsonPatch\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as JsonPatch\n  }\n\n  /** Encrypt a JSON Patch into an envelope for storage. Mirrors encryptEntry. */\n  private async encryptDelta(patch: JsonPatch): Promise<EncryptedEnvelope> {\n    const json = JSON.stringify(patch)\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: 1,\n        _ts: new Date().toISOString(),\n        _iv: '',\n        _data: json,\n        _by: this.actor,\n      }\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: new Date().toISOString(),\n      _iv: iv,\n      _data: data,\n      _by: this.actor,\n    }\n  }\n\n  /**\n   * Read all entries in ascending-index order. Used internally by\n   * `append()`, `head()`, `verify()`, and `entries()`. Decryption is\n   * serial because the entries are tiny and the overhead of a Promise\n   * pool would dominate at realistic chain lengths (< 100K entries).\n   */\n  async loadAllEntries(): Promise<LedgerEntry[]> {\n    const keys = await this.adapter.list(this.vault, LEDGER_COLLECTION)\n    // Sort lexicographically, which matches numeric order because\n    // keys are zero-padded to 10 digits.\n    keys.sort()\n    const entries: LedgerEntry[] = []\n    for (const key of keys) {\n      const envelope = await this.adapter.get(\n        this.vault,\n        LEDGER_COLLECTION,\n        key,\n      )\n      if (!envelope) continue\n      entries.push(await this.decryptEntry(envelope))\n    }\n    return entries\n  }\n\n  /**\n   * Return the current head of the ledger: the last entry, its hash,\n   * and the total chain length. `null` on an empty ledger so callers\n   * can distinguish \"no history yet\" from \"empty history\".\n   */\n  async head(): Promise<\n    | { readonly entry: LedgerEntry; readonly hash: string; readonly length: number }\n    | null\n  > {\n    const cached = await this.getCachedHead()\n    if (!cached) return null\n    // `length` is `entry.index + 1` because indices are zero-based and\n    // contiguous. We don't need to re-scan the adapter to compute it.\n    return {\n      entry: cached.entry,\n      hash: cached.hash,\n      length: cached.entry.index + 1,\n    }\n  }\n\n  /**\n   * Return entries in the requested half-open range `[from, to)`.\n   * Defaults: `from = 0`, `to = length`. The indices are clipped to\n   * the valid range; no error is thrown for out-of-range queries.\n   */\n  async entries(opts: { from?: number; to?: number } = {}): Promise<LedgerEntry[]> {\n    const all = await this.loadAllEntries()\n    const from = Math.max(0, opts.from ?? 0)\n    const to = Math.min(all.length, opts.to ?? all.length)\n    return all.slice(from, to)\n  }\n\n  /**\n   * Reconstruct a record's state at a given historical version by\n   * walking the ledger's delta chain backward from the current state.\n   *\n   * ## Algorithm\n   *\n   * Ledger deltas are stored in **reverse** form — each entry's\n   * patch describes how to undo that put, transforming the new\n   * record back into the previous one. `reconstruct` exploits this\n   * by:\n   *\n   *   1. Finding every ledger entry for `(collection, id)` in the\n   *      chain, sorted by index ascending.\n   *   2. Starting from `current` (the present value of the record,\n   *      as held by the caller — typically fetched via\n   *      `Collection.get()`).\n   *   3. Walking entries in **descending** index order and applying\n   *      each entry's reverse patch, stopping when we reach the\n   *      entry whose version equals `atVersion`.\n   *\n   * The result is the record as it existed immediately AFTER the\n   * put at `atVersion`. To get the state at the genesis put\n   * (version 1), the walk runs all the way back through every put\n   * after the first.\n   *\n   * ## Caveats\n   *\n   * - **Delete entries** break the walk: once we see a delete, the\n   *   record didn't exist before that point, so there's nothing to\n   *   reconstruct. We return `null` in that case.\n   * - **Missing deltas** (e.g., after `pruneHistory` folds old\n   *   entries into a base snapshot) also stop the walk. does\n   *   not ship pruneHistory, so today this only happens if an entry\n   *   was deleted out-of-band.\n   * - The caller MUST pass the correct current value. Passing a\n   *   mutated object would corrupt the reconstruction — the patch\n   *   chain is only valid against the exact state that was in\n   *   effect when the most recent put happened.\n   *\n   * For, `reconstruct` is the only way to read a historical\n   * version via deltas. The legacy `_history` collection still\n   * holds full snapshots and `Collection.getVersion()` still reads\n   * from there — the two paths coexist until pruneHistory lands in\n   * a follow-up and delta becomes the default.\n   */\n  async reconstruct<T>(\n    collection: string,\n    id: string,\n    current: T,\n    atVersion: number,\n  ): Promise<T | null> {\n    const all = await this.loadAllEntries()\n    // Filter to entries for this (collection, id), in ascending index.\n    const matching = all.filter(\n      (e) => e.collection === collection && e.id === id,\n    )\n    if (matching.length === 0) {\n      // No ledger history at all; the current state IS version 1\n      // (or there's nothing), so the only valid atVersion is the\n      // current record's version. We can't verify that here, so\n      // return current if atVersion is plausible, null otherwise.\n      return null\n    }\n\n    // Walk entries in descending index order, applying each reverse\n    // delta until we reach the target version.\n    let state: T | null = current\n    for (let i = matching.length - 1; i >= 0; i--) {\n      const entry = matching[i]\n      if (!entry) continue\n\n      // Defensive: skip every non-put/non-delete op variant. The\n      // outer filter on `e.collection === collection && e.id === id`\n      // already excludes `amendment` entries (their collection/id are\n      // empty strings), but a top-of-loop guard keeps the walker\n      // robust if a future op variant slips through the filter.\n      if (entry.op !== 'put' && entry.op !== 'delete') continue\n\n      // Match check FIRST — before applying this entry's reverse\n      // patch. `state` at this point is the record state immediately\n      // after this entry's put (or before this entry's delete), so\n      // if the caller asked for this exact version, we're done.\n      if (entry.version === atVersion && entry.op !== 'delete') {\n        return state\n      }\n\n      if (entry.op === 'delete') {\n        // A delete erases the live state. If the caller asks for a\n        // version older than the delete we should continue walking\n        // (state becomes null and the next put resets it). But we\n        // can't reconstruct that pre-delete state from the current\n        // in-memory `state` — the delete has no reverse patch. So\n        // anything past this point is unreachable; return null.\n        return null\n      }\n\n      if (entry.deltaHash === undefined) {\n        // Genesis put — the earliest state for this lifecycle. We\n        // can't walk further back. If the caller asked for exactly\n        // this version, return the current state (we already failed\n        // the match check above because a fresh genesis after a\n        // delete can have version === atVersion). Otherwise the\n        // target is unreachable from here.\n        if (entry.version === atVersion) return state\n        return null\n      }\n\n      const patch = await this.loadDelta(entry.index)\n      if (!patch) {\n        // Delta row is missing (probably pruned). Stop walking.\n        return null\n      }\n\n      if (state === null) {\n        // We're trying to walk back across a delete range and there's\n        // nothing to apply a reverse patch to. Bail.\n        return null\n      }\n\n      state = applyPatch(state, patch)\n    }\n\n    // Ran off the end of the walk without matching. The target\n    // version doesn't exist in this record's chain.\n    return null\n  }\n\n  /**\n   * Walk the chain from genesis forward and verify every link.\n   *\n   * Returns `{ ok: true, head, length }` if every entry's `prevHash`\n   * matches the recomputed hash of its predecessor (and the genesis\n   * entry's `prevHash` is the empty string).\n   *\n   * Returns `{ ok: false, divergedAt, expected, actual }` on the first\n   * mismatch. `divergedAt` is the 0-based index of the BROKEN entry\n   * — entries before that index still verify cleanly; entries at and\n   * after `divergedAt` are untrustworthy.\n   *\n   * This method detects:\n   *   - Mutated entry content (fields changed)\n   *   - Reordered entries (if any adjacent pair swaps, the prevHash\n   *     of the second no longer matches)\n   *   - Inserted entries (the inserted entry's prevHash likely fails,\n   *     and the following entry's prevHash definitely fails)\n   *   - Deleted entries (the entry after the deletion sees a wrong\n   *     prevHash)\n   *\n   * It does NOT detect:\n   *   - Tampering with the DATA collections that bypassed the ledger\n   *     entirely (e.g., an attacker who modifies records without\n   *     appending matching ledger entries — this is why we also\n   *     plan a `verifyIntegrity()` helper in a follow-up)\n   *   - Truncation of the chain at the tail (dropping the last N\n   *     entries leaves a shorter but still consistent chain). External\n   *     anchoring of `head.hash` to a trusted service is the defense\n   *     against this.\n   */\n  async verify(): Promise<VerifyResult> {\n    const entries = await this.loadAllEntries()\n    let expectedPrevHash = ''\n    for (let i = 0; i < entries.length; i++) {\n      const entry = entries[i]\n      if (!entry) continue\n      if (entry.prevHash !== expectedPrevHash) {\n        return {\n          ok: false,\n          divergedAt: i,\n          expected: expectedPrevHash,\n          actual: entry.prevHash,\n        }\n      }\n      if (entry.index !== i) {\n        // An entry whose stored index doesn't match its position in\n        // the sorted list means someone rewrote the adapter keys.\n        // Treat as divergence.\n        return {\n          ok: false,\n          divergedAt: i,\n          expected: `index=${i}`,\n          actual: `index=${entry.index}`,\n        }\n      }\n      expectedPrevHash = await hashEntry(entry)\n    }\n    return {\n      ok: true,\n      head: expectedPrevHash,\n      length: entries.length,\n    }\n  }\n\n  // ─── Encryption plumbing ─────────────────────────────────────────\n\n  /**\n   * Serialize + encrypt a ledger entry into an EncryptedEnvelope. The\n   * envelope's `_v` field is set to `entry.index + 1` so the usual\n   * optimistic-concurrency machinery has a reasonable version number\n   * to compare against (the ledger is append-only, so concurrent\n   * writes should always bump the index).\n   */\n  private async encryptEntry(entry: LedgerEntry): Promise<EncryptedEnvelope> {\n    const json = canonicalJson(entry)\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: entry.index + 1,\n        _ts: entry.ts,\n        _iv: '',\n        _data: json,\n        _by: entry.actor,\n      }\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: entry.index + 1,\n      _ts: entry.ts,\n      _iv: iv,\n      _data: data,\n      _by: entry.actor,\n    }\n  }\n\n  /** Decrypt an envelope into a LedgerEntry. Throws on bad key / tamper. */\n  private async decryptEntry(envelope: EncryptedEnvelope): Promise<LedgerEntry> {\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as LedgerEntry\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as LedgerEntry\n  }\n}\n\n// `envelopePayloadHash` was moved to `./hash.ts` so it can be\n// imported by core code without dragging this file's `LedgerStore`\n// class into the floor bundle. The re-export at the top of this\n// file keeps the original `import { envelopePayloadHash } from '.../store.js'`\n// path working.\n\n/**\n * Exponential backoff with jitter for the append CAS retry loop.\n * Attempt 0 → ~5–10 ms, attempt 7 → ~640–1280 ms. Jitter avoids the\n * thundering-herd problem when multiple writers collide repeatedly.\n */\nfunction sleepBackoff(attempt: number): Promise<void> {\n  const base = 5 * Math.pow(2, attempt)\n  const jitter = Math.random() * base\n  return new Promise((resolve) => setTimeout(resolve, base + jitter))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AA4EO,SAAS,aAAa,MAAe,MAA0B;AACpE,QAAM,MAAqB,CAAC;AAC5B,OAAK,MAAM,MAAM,IAAI,GAAG;AACxB,SAAO;AACT;AAEA,SAAS,KACP,MACA,MACA,MACA,KACM;AAGN,MAAI,SAAS,KAAM;AAGnB,MAAI,SAAS,QAAQ,SAAS,MAAM;AAClC,QAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC7C;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,QAAQ,IAAI;AACtC,QAAM,cAAc,MAAM,QAAQ,IAAI;AACtC,QAAM,eAAe,OAAO,SAAS,YAAY,CAAC;AAClD,QAAM,eAAe,OAAO,SAAS,YAAY,CAAC;AAGlD,MAAI,gBAAgB,eAAe,iBAAiB,cAAc;AAChE,QAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC7C;AAAA,EACF;AAKA,MAAI,eAAe,aAAa;AAC9B,QAAI,CAAC,eAAe,MAAmB,IAAiB,GAAG;AACzD,UAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,IAC/C;AACA;AAAA,EACF;AAGA,MAAI,gBAAgB,cAAc;AAChC,UAAM,UAAU;AAChB,UAAM,UAAU;AAChB,UAAM,WAAW,OAAO,KAAK,OAAO;AACpC,UAAM,WAAW,OAAO,KAAK,OAAO;AAGpC,eAAW,OAAO,UAAU;AAC1B,YAAM,YAAY,OAAO,MAAM,kBAAkB,GAAG;AACpD,UAAI,EAAE,OAAO,UAAU;AACrB,YAAI,KAAK,EAAE,IAAI,UAAU,MAAM,UAAU,CAAC;AAAA,MAC5C,OAAO;AACL,aAAK,QAAQ,GAAG,GAAG,QAAQ,GAAG,GAAG,WAAW,GAAG;AAAA,MACjD;AAAA,IACF;AAEA,eAAW,OAAO,UAAU;AAC1B,UAAI,EAAE,OAAO,UAAU;AACrB,YAAI,KAAK;AAAA,UACP,IAAI;AAAA,UACJ,MAAM,OAAO,MAAM,kBAAkB,GAAG;AAAA,UACxC,OAAO,QAAQ,GAAG;AAAA,QACpB,CAAC;AAAA,MACH;AAAA,IACF;AACA;AAAA,EACF;AAGA,MAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC/C;AAEA,SAAS,eAAe,GAAc,GAAuB;AAC3D,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,QAAI,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAG,QAAO;AAAA,EACrC;AACA,SAAO;AACT;AAEA,SAAS,UAAU,GAAY,GAAqB;AAClD,MAAI,MAAM,EAAG,QAAO;AACpB,MAAI,MAAM,QAAQ,MAAM,KAAM,QAAO;AACrC,MAAI,OAAO,MAAM,OAAO,EAAG,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,SAAS,MAAM,QAAQ,CAAC;AAC9B,QAAM,SAAS,MAAM,QAAQ,CAAC;AAC9B,MAAI,WAAW,OAAQ,QAAO;AAC9B,MAAI,UAAU,OAAQ,QAAO,eAAe,GAAG,CAAc;AAC7D,QAAM,OAAO;AACb,QAAM,OAAO;AACb,QAAM,QAAQ,OAAO,KAAK,IAAI;AAC9B,QAAM,QAAQ,OAAO,KAAK,IAAI;AAC9B,MAAI,MAAM,WAAW,MAAM,OAAQ,QAAO;AAC1C,aAAW,OAAO,OAAO;AACvB,QAAI,EAAE,OAAO,MAAO,QAAO;AAC3B,QAAI,CAAC,UAAU,KAAK,GAAG,GAAG,KAAK,GAAG,CAAC,EAAG,QAAO;AAAA,EAC/C;AACA,SAAO;AACT;AAsBO,SAAS,WAAwB,MAAS,OAAqB;AACpE,MAAI,SAAkB,MAAM,IAAI;AAChC,aAAW,MAAM,OAAO;AACtB,aAAS,QAAQ,QAAQ,EAAE;AAAA,EAC7B;AACA,SAAO;AACT;AAEA,SAAS,QAAQ,KAAc,IAA0B;AAIvD,MAAI,GAAG,SAAS,IAAI;AAClB,QAAI,GAAG,OAAO,SAAU,QAAO;AAC/B,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB;AAEA,QAAM,WAAW,UAAU,GAAG,IAAI;AAClC,SAAO,aAAa,KAAK,UAAU,EAAE;AACvC;AAEA,SAAS,aACP,KACA,UACA,IACS;AACT,MAAI,SAAS,WAAW,GAAG;AAEzB,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,QAAM,CAAC,MAAM,GAAG,IAAI,IAAI;AACxB,MAAI,SAAS,OAAW,OAAM,IAAI,MAAM,iCAAiC;AAEzE,MAAI,KAAK,WAAW,GAAG;AACrB,WAAO,gBAAgB,KAAK,MAAM,EAAE;AAAA,EACtC;AAIA,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,UAAM,MAAM,gBAAgB,MAAM,IAAI,MAAM;AAC5C,UAAM,QAAQ,IAAI,GAAG;AACrB,UAAM,WAAW,aAAa,OAAO,MAAM,EAAE;AAC7C,UAAM,OAAO,IAAI,MAAM;AACvB,SAAK,GAAG,IAAI;AACZ,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,MAAM;AACZ,QAAI,EAAE,QAAQ,MAAM;AAClB,YAAM,IAAI,MAAM,6BAA6B,IAAI,uBAAuB;AAAA,IAC1E;AACA,UAAM,WAAW,aAAa,IAAI,IAAI,GAAG,MAAM,EAAE;AACjD,WAAO,EAAE,GAAG,KAAK,CAAC,IAAI,GAAG,SAAS;AAAA,EACpC;AACA,QAAM,IAAI;AAAA,IACR,gCAAgC,OAAO,GAAG,gBAAgB,IAAI;AAAA,EAChE;AACF;AAEA,SAAS,gBACP,KACA,SACA,IACS;AACT,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,UAAM,MACJ,YAAY,MAAM,IAAI,SAAS,gBAAgB,SAAS,IAAI,SAAS,CAAC;AACxE,UAAM,OAAO,IAAI,MAAM;AACvB,QAAI,GAAG,OAAO,UAAU;AACtB,WAAK,OAAO,KAAK,CAAC;AAClB,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,OAAO;AACnB,WAAK,OAAO,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;AACnC,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,WAAW;AACvB,UAAI,OAAO,IAAI,QAAQ;AACrB,cAAM,IAAI;AAAA,UACR,oDAAoD,GAAG;AAAA,QACzD;AAAA,MACF;AACA,WAAK,GAAG,IAAI,MAAM,GAAG,KAAK;AAC1B,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,MAAM;AACZ,QAAI,GAAG,OAAO,UAAU;AACtB,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,sCAAsC,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,YAAM,OAAO,EAAE,GAAG,IAAI;AACtB,aAAO,KAAK,OAAO;AACnB,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,OAAO;AAEnB,aAAO,EAAE,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE;AAAA,IAC9C;AACA,QAAI,GAAG,OAAO,WAAW;AACvB,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,uCAAuC,OAAO;AAAA,QAChD;AAAA,MACF;AACA,aAAO,EAAE,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE;AAAA,IAC9C;AAAA,EACF;AACA,QAAM,IAAI;AAAA,IACR,4BAA4B,GAAG,EAAE,yBAAyB,OAAO;AAAA,EACnE;AACF;AAYA,SAAS,kBAAkB,SAAyB;AAClD,SAAO,QAAQ,QAAQ,MAAM,IAAI,EAAE,QAAQ,OAAO,IAAI;AACxD;AAEA,SAAS,oBAAoB,SAAyB;AACpD,SAAO,QAAQ,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;AACvD;AAEA,SAAS,UAAU,MAAwB;AACzC,MAAI,CAAC,KAAK,WAAW,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,8CAA8C,IAAI,GAAG;AAAA,EACvE;AACA,SAAO,KACJ,MAAM,CAAC,EACP,MAAM,GAAG,EACT,IAAI,mBAAmB;AAC5B;AAEA,SAAS,gBAAgB,SAAiB,KAAqB;AAC7D,MAAI,CAAC,QAAQ,KAAK,OAAO,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,gEAAgE,OAAO;AAAA,IACzE;AAAA,EACF;AACA,QAAM,MAAM,OAAO,SAAS,SAAS,EAAE;AACvC,MAAI,MAAM,KAAK,MAAM,KAAK;AACxB,UAAM,IAAI;AAAA,MACR,2BAA2B,GAAG,qBAAqB,GAAG;AAAA,IACxD;AAAA,EACF;AACA,SAAO;AACT;AAeA,SAAS,MAAS,OAAa;AAC7B,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,SAAO,KAAK,MAAM,KAAK,UAAU,KAAK,CAAC;AACzC;;;AC5WO,IAAM,oBAAoB;AAuB1B,IAAM,2BAA2B;;;AC+BxC,IAAM,sBAAsB;AA0ErB,IAAM,cAAN,MAAkB;AAAA,EACN;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBT,YAAqE;AAAA,EAE7E,YAAY,MAMT;AACD,SAAK,UAAU,KAAK;AACpB,SAAK,QAAQ,KAAK;AAClB,SAAK,YAAY,KAAK;AACtB,SAAK,SAAS,KAAK;AACnB,SAAK,QAAQ,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,gBAAsE;AAClF,QAAI,KAAK,cAAc,OAAW,QAAO,KAAK;AAC9C,UAAM,UAAU,MAAM,KAAK,eAAe;AAC1C,UAAM,OAAO,QAAQ,QAAQ,SAAS,CAAC;AACvC,QAAI,CAAC,MAAM;AACT,WAAK,YAAY;AACjB,aAAO;AAAA,IACT;AACA,SAAK,YAAY,EAAE,OAAO,MAAM,MAAM,MAAM,UAAU,IAAI,EAAE;AAC5D,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4CA,MAAM,OAAO,OAA0C;AACrD,QAAI;AACJ,aAAS,UAAU,GAAG,UAAU,qBAAqB,WAAW;AAI9D,UAAI,UAAU,GAAG;AACf,aAAK,YAAY;AAAA,MACnB;AACA,UAAI;AACF,eAAO,MAAM,KAAK,WAAW,KAAK;AAAA,MACpC,SAAS,KAAK;AACZ,YAAI,eAAe,eAAe;AAChC,yBAAe;AACf,cAAI,UAAU,sBAAsB,GAAG;AACrC,kBAAM,aAAa,OAAO;AAAA,UAC5B;AACA;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AACA,SAAK;AACL,UAAM,IAAI,sBAAsB,mBAAmB;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAAW,OAA0C;AACjE,UAAM,SAAS,MAAM,KAAK,cAAc;AACxC,UAAM,YAAY,QAAQ;AAC1B,UAAM,WAAW,QAAQ,QAAQ;AACjC,UAAM,YAAY,YAAY,UAAU,QAAQ,IAAI;AAIpD,QAAI;AACJ,QAAI;AACJ,QAAI,MAAM,UAAU,QAAW;AAC7B,sBAAgB,MAAM,KAAK,aAAa,MAAM,KAAK;AACnD,kBAAY,MAAM,UAAU,cAAc,KAAK;AAAA,IACjD;AAKA,UAAM,YAAY;AAAA,MAChB,OAAO;AAAA,MACP;AAAA,MACA,IAAI,MAAM;AAAA,MACV,YAAY,MAAM;AAAA,MAClB,IAAI,MAAM;AAAA,MACV,SAAS,MAAM;AAAA,MACf,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,OAAO,MAAM,UAAU,KAAK,KAAK,QAAQ,MAAM;AAAA,MAC/C,aAAa,MAAM;AAAA,IACrB;AACA,UAAM,QAAqB;AAAA,MACzB,GAAG;AAAA,MACH,GAAI,cAAc,SAAY,EAAE,UAAU,IAAI,CAAC;AAAA,MAC/C,GAAI,MAAM,cAAc,SAAY,EAAE,WAAW,MAAM,UAAU,IAAI,CAAC;AAAA,MACtE,GAAI,MAAM,WAAW,SAAY,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;AAAA,IAC/D;AAEA,UAAM,WAAW,MAAM,KAAK,aAAa,KAAK;AAG9C,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA,YAAY,MAAM,KAAK;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAGA,QAAI,eAAe;AACjB,YAAM,KAAK,QAAQ;AAAA,QACjB,KAAK;AAAA,QACL;AAAA,QACA,YAAY,MAAM,KAAK;AAAA,QACvB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAIA,SAAK,YAAY,EAAE,OAAO,MAAM,MAAM,UAAU,KAAK,EAAE;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAU,OAA0C;AACxD,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL;AAAA,MACA,YAAY,KAAK;AAAA,IACnB;AACA,QAAI,CAAC,SAAU,QAAO;AACtB,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AAAA;AAAA,EAGA,MAAc,aAAa,OAA8C;AACvE,UAAM,OAAO,KAAK,UAAU,KAAK;AACjC,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI;AAAA,QACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO;AAAA,QACP,KAAK,KAAK;AAAA,MACZ;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC5B,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,KAAK;AAAA,IACZ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAyC;AAC7C,UAAM,OAAO,MAAM,KAAK,QAAQ,KAAK,KAAK,OAAO,iBAAiB;AAGlE,SAAK,KAAK;AACV,UAAM,UAAyB,CAAC;AAChC,eAAW,OAAO,MAAM;AACtB,YAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,QAClC,KAAK;AAAA,QACL;AAAA,QACA;AAAA,MACF;AACA,UAAI,CAAC,SAAU;AACf,cAAQ,KAAK,MAAM,KAAK,aAAa,QAAQ,CAAC;AAAA,IAChD;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAGJ;AACA,UAAM,SAAS,MAAM,KAAK,cAAc;AACxC,QAAI,CAAC,OAAQ,QAAO;AAGpB,WAAO;AAAA,MACL,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,QAAQ,OAAO,MAAM,QAAQ;AAAA,IAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,QAAQ,OAAuC,CAAC,GAA2B;AAC/E,UAAM,MAAM,MAAM,KAAK,eAAe;AACtC,UAAM,OAAO,KAAK,IAAI,GAAG,KAAK,QAAQ,CAAC;AACvC,UAAM,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,IAAI,MAAM;AACrD,WAAO,IAAI,MAAM,MAAM,EAAE;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+CA,MAAM,YACJ,YACA,IACA,SACA,WACmB;AACnB,UAAM,MAAM,MAAM,KAAK,eAAe;AAEtC,UAAM,WAAW,IAAI;AAAA,MACnB,CAAC,MAAM,EAAE,eAAe,cAAc,EAAE,OAAO;AAAA,IACjD;AACA,QAAI,SAAS,WAAW,GAAG;AAKzB,aAAO;AAAA,IACT;AAIA,QAAI,QAAkB;AACtB,aAAS,IAAI,SAAS,SAAS,GAAG,KAAK,GAAG,KAAK;AAC7C,YAAM,QAAQ,SAAS,CAAC;AACxB,UAAI,CAAC,MAAO;AAOZ,UAAI,MAAM,OAAO,SAAS,MAAM,OAAO,SAAU;AAMjD,UAAI,MAAM,YAAY,aAAa,MAAM,OAAO,UAAU;AACxD,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,OAAO,UAAU;AAOzB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,cAAc,QAAW;AAOjC,YAAI,MAAM,YAAY,UAAW,QAAO;AACxC,eAAO;AAAA,MACT;AAEA,YAAM,QAAQ,MAAM,KAAK,UAAU,MAAM,KAAK;AAC9C,UAAI,CAAC,OAAO;AAEV,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,MAAM;AAGlB,eAAO;AAAA,MACT;AAEA,cAAQ,WAAW,OAAO,KAAK;AAAA,IACjC;AAIA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiCA,MAAM,SAAgC;AACpC,UAAM,UAAU,MAAM,KAAK,eAAe;AAC1C,QAAI,mBAAmB;AACvB,aAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,YAAM,QAAQ,QAAQ,CAAC;AACvB,UAAI,CAAC,MAAO;AACZ,UAAI,MAAM,aAAa,kBAAkB;AACvC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AACA,UAAI,MAAM,UAAU,GAAG;AAIrB,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,YAAY;AAAA,UACZ,UAAU,SAAS,CAAC;AAAA,UACpB,QAAQ,SAAS,MAAM,KAAK;AAAA,QAC9B;AAAA,MACF;AACA,yBAAmB,MAAM,UAAU,KAAK;AAAA,IAC1C;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,QAAQ,QAAQ;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,aAAa,OAAgD;AACzE,UAAM,OAAO,cAAc,KAAK;AAChC,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI,MAAM,QAAQ;AAAA,QAClB,KAAK,MAAM;AAAA,QACX,KAAK;AAAA,QACL,OAAO;AAAA,QACP,KAAK,MAAM;AAAA,MACb;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI,MAAM,QAAQ;AAAA,MAClB,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF;AAAA;AAAA,EAGA,MAAc,aAAa,UAAmD;AAC5E,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AACF;AAaA,SAAS,aAAa,SAAgC;AACpD,QAAM,OAAO,IAAI,KAAK,IAAI,GAAG,OAAO;AACpC,QAAM,SAAS,KAAK,OAAO,IAAI;AAC/B,SAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,OAAO,MAAM,CAAC;AACpE;","names":[]}

package/dist/chunk-AHPFONIL.js

@@ -0,0 +1,59 @@
+import {
+  ATTESTATIONS_COLLECTION,
+  loadOrCreateSigner
+} from "./chunk-4HIL6AHQ.js";
+import {
+  generateULID
+} from "./chunk-FZU343FL.js";
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-YS3POABP.js";
+import {
+  encrypt
+} from "./chunk-2PAQNPE3.js";
+import {
+  AttestationError
+} from "./chunk-W3XXT26A.js";
+
+// src/attestation/issue.ts
+import {
+  computeFieldHashes,
+  signPayloadCore,
+  encodeQr,
+  bytesToB64url
+} from "@noy-db/attestation";
+async function issueAttestationCore(ctx, args) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`issueAttestation requires the 'owner' role; caller is '${ctx.role}'. Issuing a signed attestation is the firm's identity operation.`);
+  }
+  const src = await ctx.readRecord(args.collection, args.id);
+  if (!src) throw new AttestationError(`issueAttestation: source record '${args.collection}/${args.id}' not found.`);
+  const dek = await ctx.getDEK();
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => Promise.resolve(dek));
+  const saltB64 = bytesToB64url(crypto.getRandomValues(new Uint8Array(16)));
+  let fieldHashes;
+  try {
+    fieldHashes = await computeFieldHashes(saltB64, args.fieldSchema, src.record);
+  } catch (e) {
+    throw new AttestationError(`issueAttestation: ${e.message}`);
+  }
+  const docId = generateULID();
+  const sig = await signPayloadCore({ v: 1, docId, salt: saltB64, keyId: signer.keyId, fieldHashes }, signer.privateKeyPkcs8B64);
+  const payload = { v: 1, docId, salt: saltB64, alg: "ed25519", keyId: signer.keyId, fieldHashes, sig };
+  const index = {
+    docId,
+    issuedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    keyId: signer.keyId,
+    fieldPaths: args.fieldSchema.fields.map((f) => f.path),
+    sourceRefs: [{ collection: args.collection, id: args.id, version: src.version }]
+  };
+  const { iv, data } = await encrypt(JSON.stringify(index), dek);
+  const env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: index.issuedAt, _iv: iv, _data: data };
+  await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, docId, env);
+  return { docId, qr: encodeQr(payload), payload, keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 };
+}
+
+export {
+  issueAttestationCore
+};
+//# sourceMappingURL=chunk-AHPFONIL.js.map

package/dist/chunk-AHPFONIL.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/attestation/issue.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport { encrypt } from '../crypto.js'\nimport { AttestationError } from '../errors.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport { loadOrCreateSigner, ATTESTATIONS_COLLECTION } from './signer.js'\nimport {\n  computeFieldHashes, signPayloadCore, encodeQr, bytesToB64url,\n  type AttestationFieldSchema, type QrPayload,\n} from '@noy-db/attestation'\n\n/** Everything issueAttestationCore needs from the Vault, injected for testability. */\nexport interface IssueContext {\n  readonly store: NoydbStore\n  readonly vault: string\n  readonly role: string\n  /** The _attestations collection DEK (AES-KW-wrapped under KEK by the keyring). */\n  getDEK(): Promise<CryptoKey>\n  /** Decrypted source record + its envelope version, or null if absent. */\n  readRecord(collection: string, id: string): Promise<{ record: Record<string, unknown>; version: number } | null>\n}\n\nexport interface IssueArgs {\n  readonly collection: string\n  readonly id: string\n  readonly fieldSchema: AttestationFieldSchema\n}\nexport interface IssueResult {\n  readonly docId: string\n  readonly qr: string\n  readonly payload: QrPayload\n  readonly keyId: string\n  readonly publicKeyB64: string\n}\n\nexport async function issueAttestationCore(ctx: IssueContext, args: IssueArgs): Promise<IssueResult> {\n  if (ctx.role !== 'owner') {\n    throw new AttestationError(`issueAttestation requires the 'owner' role; caller is '${ctx.role}'. Issuing a signed attestation is the firm's identity operation.`)\n  }\n  const src = await ctx.readRecord(args.collection, args.id)\n  if (!src) throw new AttestationError(`issueAttestation: source record '${args.collection}/${args.id}' not found.`)\n\n  const dek = await ctx.getDEK()\n  // ONE signer implementation, from signer.ts. Lazily minted + persisted.\n  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => Promise.resolve(dek))\n\n  const saltB64 = bytesToB64url(crypto.getRandomValues(new Uint8Array(16)))\n  let fieldHashes: string[]\n  try {\n    fieldHashes = await computeFieldHashes(saltB64, args.fieldSchema, src.record)\n  } catch (e) {\n    throw new AttestationError(`issueAttestation: ${(e as Error).message}`)\n  }\n  const docId = generateULID()\n\n  const sig = await signPayloadCore({ v: 1, docId, salt: saltB64, keyId: signer.keyId, fieldHashes }, signer.privateKeyPkcs8B64)\n  const payload: QrPayload = { v: 1, docId, salt: saltB64, alg: 'ed25519', keyId: signer.keyId, fieldHashes, sig }\n\n  const index = {\n    docId, issuedAt: new Date().toISOString(), keyId: signer.keyId,\n    fieldPaths: args.fieldSchema.fields.map((f) => f.path),\n    sourceRefs: [{ collection: args.collection, id: args.id, version: src.version }],\n  }\n  const { iv, data } = await encrypt(JSON.stringify(index), dek)\n  const env: EncryptedEnvelope = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: index.issuedAt, _iv: iv, _data: data }\n  await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, docId, env)\n\n  return { docId, qr: encodeQr(payload), payload, keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAMA;AAAA,EACE;AAAA,EAAoB;AAAA,EAAiB;AAAA,EAAU;AAAA,OAE1C;AA0BP,eAAsB,qBAAqB,KAAmB,MAAuC;AACnG,MAAI,IAAI,SAAS,SAAS;AACxB,UAAM,IAAI,iBAAiB,0DAA0D,IAAI,IAAI,mEAAmE;AAAA,EAClK;AACA,QAAM,MAAM,MAAM,IAAI,WAAW,KAAK,YAAY,KAAK,EAAE;AACzD,MAAI,CAAC,IAAK,OAAM,IAAI,iBAAiB,oCAAoC,KAAK,UAAU,IAAI,KAAK,EAAE,cAAc;AAEjH,QAAM,MAAM,MAAM,IAAI,OAAO;AAE7B,QAAM,SAAS,MAAM,mBAAmB,IAAI,OAAO,IAAI,OAAO,MAAM,QAAQ,QAAQ,GAAG,CAAC;AAExF,QAAM,UAAU,cAAc,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACxE,MAAI;AACJ,MAAI;AACF,kBAAc,MAAM,mBAAmB,SAAS,KAAK,aAAa,IAAI,MAAM;AAAA,EAC9E,SAAS,GAAG;AACV,UAAM,IAAI,iBAAiB,qBAAsB,EAAY,OAAO,EAAE;AAAA,EACxE;AACA,QAAM,QAAQ,aAAa;AAE3B,QAAM,MAAM,MAAM,gBAAgB,EAAE,GAAG,GAAG,OAAO,MAAM,SAAS,OAAO,OAAO,OAAO,YAAY,GAAG,OAAO,kBAAkB;AAC7H,QAAM,UAAqB,EAAE,GAAG,GAAG,OAAO,MAAM,SAAS,KAAK,WAAW,OAAO,OAAO,OAAO,aAAa,IAAI;AAE/G,QAAM,QAAQ;AAAA,IACZ;AAAA,IAAO,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,IAAG,OAAO,OAAO;AAAA,IACzD,YAAY,KAAK,YAAY,OAAO,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,IACrD,YAAY,CAAC,EAAE,YAAY,KAAK,YAAY,IAAI,KAAK,IAAI,SAAS,IAAI,QAAQ,CAAC;AAAA,EACjF;AACA,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,KAAK,GAAG,GAAG;AAC7D,QAAM,MAAyB,EAAE,QAAQ,sBAAsB,IAAI,GAAG,KAAK,MAAM,UAAU,KAAK,IAAI,OAAO,KAAK;AAChH,QAAM,IAAI,MAAM,IAAI,IAAI,OAAO,yBAAyB,OAAO,GAAG;AAElE,SAAO,EAAE,OAAO,IAAI,SAAS,OAAO,GAAG,SAAS,OAAO,OAAO,OAAO,cAAc,OAAO,aAAa;AACzG;","names":[]}

package/dist/chunk-CXSCDO5T.js

@@ -0,0 +1,51 @@
+import {
+  ValidationError
+} from "./chunk-W3XXT26A.js";
+
+// src/derivations/with-derivation.ts
+function withDerivation(spec) {
+  if (!spec.source || spec.source.length === 0) {
+    throw new ValidationError("withDerivation: source collection name is required");
+  }
+  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {
+    throw new ValidationError("withDerivation: outputs map must declare at least one output");
+  }
+  if (spec.deterministic !== true) {
+    throw new ValidationError("withDerivation: v1 only supports deterministic derivations");
+  }
+  if (typeof spec.derive !== "function") {
+    throw new ValidationError("withDerivation: derive must be a function");
+  }
+  const lifecycleMode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
+  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {
+    if (outputSpec.shape === "array") {
+      if (lifecycleMode !== "eager") {
+        throw new ValidationError(
+          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release (#200 slice 1). Output "${outputKey}" declared lifecycle '${lifecycleMode}'. Switch to \`lifecycle: "eager"\` or use shape: "record".`
+        );
+      }
+      if (typeof outputSpec.key !== "function") {
+        throw new ValidationError(
+          `withDerivation: shape 'array' output "${outputKey}" requires \`key: (out) => string\`.`
+        );
+      }
+      if (outputSpec.maxFanout !== void 0) {
+        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {
+          throw new ValidationError(
+            `withDerivation: maxFanout for output "${outputKey}" must be a positive integer (got ${String(outputSpec.maxFanout)}).`
+          );
+        }
+      }
+    }
+  }
+  return {
+    __noydb_strategy: "derivation",
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    spec
+  };
+}
+
+export {
+  withDerivation
+};
+//# sourceMappingURL=chunk-CXSCDO5T.js.map

package/dist/chunk-CXSCDO5T.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/with-derivation.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { DerivationStrategy, DerivationStrategyHandle } from './types.js'\n\n/**\n * Register a deterministic derivation: one source collection → one or\n * more typed outputs, computed by the user's `derive` function on\n * plaintext after DEK unwrap. Outputs are encrypted with the same DEK\n * as the source and written via the standard `Collection.put` path.\n *\n * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.\n */\nexport function withDerivation<\n  TSource extends Record<string, unknown>,\n  TOutputs extends Record<string, Record<string, unknown>>,\n>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle {\n  if (!spec.source || spec.source.length === 0) {\n    throw new ValidationError('withDerivation: source collection name is required')\n  }\n  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {\n    throw new ValidationError('withDerivation: outputs map must declare at least one output')\n  }\n  if (spec.deterministic !== true) {\n    throw new ValidationError('withDerivation: v1 only supports deterministic derivations')\n  }\n  if (typeof spec.derive !== 'function') {\n    throw new ValidationError('withDerivation: derive must be a function')\n  }\n\n  // #200 slice 1 — validate array-shape outputs.\n  const lifecycleMode = typeof spec.lifecycle === 'string' ? spec.lifecycle : spec.lifecycle.mode\n  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {\n    if (outputSpec.shape === 'array') {\n      if (lifecycleMode !== 'eager') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release `\n          + `(#200 slice 1). Output \"${outputKey}\" declared lifecycle '${lifecycleMode}'. `\n          + 'Switch to `lifecycle: \"eager\"` or use shape: \"record\".',\n        )\n      }\n      if (typeof outputSpec.key !== 'function') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' output \"${outputKey}\" requires \\`key: (out) => string\\`.`,\n        )\n      }\n      if (outputSpec.maxFanout !== undefined) {\n        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {\n          throw new ValidationError(\n            `withDerivation: maxFanout for output \"${outputKey}\" must be a positive integer `\n            + `(got ${String(outputSpec.maxFanout)}).`,\n          )\n        }\n      }\n    }\n  }\n\n  return {\n    __noydb_strategy: 'derivation',\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    spec: spec as DerivationStrategy<any, any>,\n  }\n}\n"],"mappings":";;;;;AAWO,SAAS,eAGd,MAAuE;AACvE,MAAI,CAAC,KAAK,UAAU,KAAK,OAAO,WAAW,GAAG;AAC5C,UAAM,IAAI,gBAAgB,oDAAoD;AAAA,EAChF;AACA,MAAI,CAAC,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,WAAW,GAAG;AAC3D,UAAM,IAAI,gBAAgB,8DAA8D;AAAA,EAC1F;AACA,MAAI,KAAK,kBAAkB,MAAM;AAC/B,UAAM,IAAI,gBAAgB,4DAA4D;AAAA,EACxF;AACA,MAAI,OAAO,KAAK,WAAW,YAAY;AACrC,UAAM,IAAI,gBAAgB,2CAA2C;AAAA,EACvE;AAGA,QAAM,gBAAgB,OAAO,KAAK,cAAc,WAAW,KAAK,YAAY,KAAK,UAAU;AAC3F,aAAW,CAAC,WAAW,UAAU,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAClE,QAAI,WAAW,UAAU,SAAS;AAChC,UAAI,kBAAkB,SAAS;AAC7B,cAAM,IAAI;AAAA,UACR,yGAC6B,SAAS,yBAAyB,aAAa;AAAA,QAE9E;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,YAAY;AACxC,cAAM,IAAI;AAAA,UACR,yCAAyC,SAAS;AAAA,QACpD;AAAA,MACF;AACA,UAAI,WAAW,cAAc,QAAW;AACtC,YAAI,CAAC,OAAO,UAAU,WAAW,SAAS,KAAK,WAAW,YAAY,GAAG;AACvE,gBAAM,IAAI;AAAA,YACR,yCAAyC,SAAS,qCACxC,OAAO,WAAW,SAAS,CAAC;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,kBAAkB;AAAA;AAAA,IAElB;AAAA,EACF;AACF;","names":[]}