@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/chunk-PEULZC6M.js

@@ -0,0 +1,118 @@
+// src/guards/registry.ts
+var GuardRegistry = class {
+  _byCollection = /* @__PURE__ */ new Map();
+  _amendmentChanges = null;
+  _amendmentMeta = null;
+  /** Register a guard. Multiple guards per collection are allowed. */
+  register(spec) {
+    const existing = this._byCollection.get(spec.collection);
+    if (existing) existing.push(spec);
+    else this._byCollection.set(spec.collection, [spec]);
+  }
+  /** All guards registered against `collection` in registration order. */
+  guardsFor(collection) {
+    return this._byCollection.get(collection) ?? [];
+  }
+  /**
+   * Run every guard's `check` for this collection. First throw wins —
+   * remaining guards are not invoked. Guards without a `check` skip.
+   */
+  async runChecks(collection, incoming, ctx) {
+    const guards = this._byCollection.get(collection);
+    if (!guards) return;
+    for (const g of guards) {
+      if (g.check) {
+        await g.check(
+          incoming,
+          ctx
+        );
+      }
+    }
+  }
+  /**
+   * Run every guard's `onDelete` for this collection. First throw wins —
+   * remaining guards are not invoked. Guards without an `onDelete` skip.
+   * Mirrors {@link runChecks} but for the delete path.
+   */
+  async runOnDelete(collection, existing, ctx) {
+    const guards = this._byCollection.get(collection);
+    if (!guards) return;
+    for (const g of guards) {
+      if (g.onDelete) {
+        await g.onDelete(
+          existing,
+          ctx
+        );
+      }
+    }
+  }
+  /** True if any guard for `collection` declares an `amendment` block. */
+  hasAmendment(collection) {
+    const guards = this._byCollection.get(collection);
+    if (!guards) return false;
+    return guards.some((g) => g.amendment !== void 0);
+  }
+  /** Open a new amendment change-collection window. */
+  beginAmendment() {
+    this._amendmentChanges = /* @__PURE__ */ new Map();
+    this._amendmentMeta = /* @__PURE__ */ new Map();
+  }
+  /** True iff we're currently inside an amendment transaction. */
+  isAmendmentActive() {
+    return this._amendmentChanges !== null;
+  }
+  /**
+   * Record a {before, after} pair for the active amendment. `vBefore`
+   * and `vAfter` are stored in a parallel meta structure so the public
+   * {@link GuardChange} shape handed to invariant callbacks stays
+   * `{ before, after }` only — the audit ledger reads version metadata
+   * via {@link consumeMeta}.
+   */
+  collectChange(collection, id, before, after, vBefore = 0, vAfter = 0) {
+    if (this._amendmentChanges === null || this._amendmentMeta === null) {
+      throw new Error("GuardRegistry.collectChange called outside an amendment");
+    }
+    const list = this._amendmentChanges.get(collection);
+    const entry = { before, after };
+    if (list) list.push(entry);
+    else this._amendmentChanges.set(collection, [entry]);
+    const metaList = this._amendmentMeta.get(collection);
+    const metaEntry = { id, vBefore, vAfter };
+    if (metaList) metaList.push(metaEntry);
+    else this._amendmentMeta.set(collection, [metaEntry]);
+  }
+  /**
+   * Drain the change-set and close the amendment window. The caller
+   * (transaction commit) feeds these to each affected guard's invariant.
+   */
+  consumeChanges() {
+    const out = this._amendmentChanges ?? /* @__PURE__ */ new Map();
+    this._amendmentChanges = null;
+    return out;
+  }
+  /**
+   * Drain the parallel id/version metadata captured during the
+   * amendment. Returned as a flat list with `collection` denormalised
+   * so the audit ledger can emit one `{ collection, id, vBefore,
+   * vAfter }` tuple per record. Must be called AFTER
+   * {@link consumeChanges} (or independently) — calling it closes the
+   * meta window in the same way.
+   */
+  consumeMeta() {
+    const out = [];
+    if (this._amendmentMeta) {
+      for (const [collection, list] of this._amendmentMeta) {
+        for (const m of list) {
+          out.push({ collection, id: m.id, vBefore: m.vBefore, vAfter: m.vAfter });
+        }
+      }
+    }
+    this._amendmentMeta = null;
+    return out;
+  }
+};
+
+export {
+  GuardRegistry
+};
+//# sourceMappingURL=chunk-PEULZC6M.js.map

package/dist/chunk-PEULZC6M.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/registry.ts"],"sourcesContent":["import type { GuardStrategy, GuardContext, GuardChange } from './types.js'\n\n/**\n * Per-record metadata attached to every entry in an amendment's\n * change-set. Carried in a parallel map alongside `_amendmentChanges`\n * so the public {@link GuardChange} shape (`{ before, after }`) stays\n * clean for invariant authors — the audit ledger reads this side\n * structure to produce the `{ collection, id, vBefore, vAfter }`\n * tuples for the amendment entry.\n *\n * @internal\n */\nexport interface AmendmentChangeMeta {\n  readonly id: string\n  readonly vBefore: number\n  readonly vAfter: number\n}\n\n/**\n * Vault-internal singleton that holds the guard graph and dispatches\n * per-collection guard execution. Owned by `Vault`; not exported.\n *\n * @internal\n */\n// Internal storage alias — guards are heterogeneous in their record type T,\n// so the registry stores them at the upper bound of GuardStrategy's T constraint.\ntype AnyGuard = GuardStrategy<Record<string, unknown>>\ntype AnyChange = GuardChange<Record<string, unknown>>\n\nexport class GuardRegistry {\n  private readonly _byCollection = new Map<string, AnyGuard[]>()\n  private _amendmentChanges: Map<string, AnyChange[]> | null = null\n  private _amendmentMeta: Map<string, AmendmentChangeMeta[]> | null = null\n\n  /** Register a guard. Multiple guards per collection are allowed. */\n  register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void {\n    const existing = this._byCollection.get(spec.collection)\n    if (existing) existing.push(spec as unknown as AnyGuard)\n    else this._byCollection.set(spec.collection, [spec as unknown as AnyGuard])\n  }\n\n  /** All guards registered against `collection` in registration order. */\n  guardsFor(collection: string): ReadonlyArray<AnyGuard> {\n    return this._byCollection.get(collection) ?? []\n  }\n\n  /**\n   * Run every guard's `check` for this collection. First throw wins —\n   * remaining guards are not invoked. Guards without a `check` skip.\n   */\n  async runChecks<T>(\n    collection: string,\n    incoming: T,\n    ctx: GuardContext<T>,\n  ): Promise<void> {\n    const guards = this._byCollection.get(collection)\n    if (!guards) return\n    for (const g of guards) {\n      if (g.check) {\n        await g.check(\n          incoming as unknown as Record<string, unknown>,\n          ctx as unknown as GuardContext<Record<string, unknown>>,\n        )\n      }\n    }\n  }\n\n  /**\n   * Run every guard's `onDelete` for this collection. First throw wins —\n   * remaining guards are not invoked. Guards without an `onDelete` skip.\n   * Mirrors {@link runChecks} but for the delete path.\n   */\n  async runOnDelete<T>(\n    collection: string,\n    existing: T,\n    ctx: GuardContext<T>,\n  ): Promise<void> {\n    const guards = this._byCollection.get(collection)\n    if (!guards) return\n    for (const g of guards) {\n      if (g.onDelete) {\n        await g.onDelete(\n          existing as unknown as Record<string, unknown>,\n          ctx as unknown as GuardContext<Record<string, unknown>>,\n        )\n      }\n    }\n  }\n\n  /** True if any guard for `collection` declares an `amendment` block. */\n  hasAmendment(collection: string): boolean {\n    const guards = this._byCollection.get(collection)\n    if (!guards) return false\n    return guards.some(g => g.amendment !== undefined)\n  }\n\n  /** Open a new amendment change-collection window. */\n  beginAmendment(): void {\n    this._amendmentChanges = new Map()\n    this._amendmentMeta = new Map()\n  }\n\n  /** True iff we're currently inside an amendment transaction. */\n  isAmendmentActive(): boolean {\n    return this._amendmentChanges !== null\n  }\n\n  /**\n   * Record a {before, after} pair for the active amendment. `vBefore`\n   * and `vAfter` are stored in a parallel meta structure so the public\n   * {@link GuardChange} shape handed to invariant callbacks stays\n   * `{ before, after }` only — the audit ledger reads version metadata\n   * via {@link consumeMeta}.\n   */\n  collectChange<T>(\n    collection: string,\n    id: string,\n    before: T | null,\n    after: T,\n    vBefore = 0,\n    vAfter = 0,\n  ): void {\n    if (this._amendmentChanges === null || this._amendmentMeta === null) {\n      throw new Error('GuardRegistry.collectChange called outside an amendment')\n    }\n    const list = this._amendmentChanges.get(collection)\n    const entry = { before, after } as unknown as AnyChange\n    if (list) list.push(entry)\n    else this._amendmentChanges.set(collection, [entry])\n\n    const metaList = this._amendmentMeta.get(collection)\n    const metaEntry: AmendmentChangeMeta = { id, vBefore, vAfter }\n    if (metaList) metaList.push(metaEntry)\n    else this._amendmentMeta.set(collection, [metaEntry])\n  }\n\n  /**\n   * Drain the change-set and close the amendment window. The caller\n   * (transaction commit) feeds these to each affected guard's invariant.\n   */\n  consumeChanges(): ReadonlyMap<string, ReadonlyArray<AnyChange>> {\n    const out = this._amendmentChanges ?? new Map()\n    this._amendmentChanges = null\n    return out\n  }\n\n  /**\n   * Drain the parallel id/version metadata captured during the\n   * amendment. Returned as a flat list with `collection` denormalised\n   * so the audit ledger can emit one `{ collection, id, vBefore,\n   * vAfter }` tuple per record. Must be called AFTER\n   * {@link consumeChanges} (or independently) — calling it closes the\n   * meta window in the same way.\n   */\n  consumeMeta(): ReadonlyArray<{ collection: string; id: string; vBefore: number; vAfter: number }> {\n    const out: { collection: string; id: string; vBefore: number; vAfter: number }[] = []\n    if (this._amendmentMeta) {\n      for (const [collection, list] of this._amendmentMeta) {\n        for (const m of list) {\n          out.push({ collection, id: m.id, vBefore: m.vBefore, vAfter: m.vAfter })\n        }\n      }\n    }\n    this._amendmentMeta = null\n    return out\n  }\n}\n"],"mappings":";AA6BO,IAAM,gBAAN,MAAoB;AAAA,EACR,gBAAgB,oBAAI,IAAwB;AAAA,EACrD,oBAAqD;AAAA,EACrD,iBAA4D;AAAA;AAAA,EAGpE,SAA4C,MAA8B;AACxE,UAAM,WAAW,KAAK,cAAc,IAAI,KAAK,UAAU;AACvD,QAAI,SAAU,UAAS,KAAK,IAA2B;AAAA,QAClD,MAAK,cAAc,IAAI,KAAK,YAAY,CAAC,IAA2B,CAAC;AAAA,EAC5E;AAAA;AAAA,EAGA,UAAU,YAA6C;AACrD,WAAO,KAAK,cAAc,IAAI,UAAU,KAAK,CAAC;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UACJ,YACA,UACA,KACe;AACf,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,CAAC,OAAQ;AACb,eAAW,KAAK,QAAQ;AACtB,UAAI,EAAE,OAAO;AACX,cAAM,EAAE;AAAA,UACN;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,YACJ,YACA,UACA,KACe;AACf,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,CAAC,OAAQ;AACb,eAAW,KAAK,QAAQ;AACtB,UAAI,EAAE,UAAU;AACd,cAAM,EAAE;AAAA,UACN;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,aAAa,YAA6B;AACxC,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,CAAC,OAAQ,QAAO;AACpB,WAAO,OAAO,KAAK,OAAK,EAAE,cAAc,MAAS;AAAA,EACnD;AAAA;AAAA,EAGA,iBAAuB;AACrB,SAAK,oBAAoB,oBAAI,IAAI;AACjC,SAAK,iBAAiB,oBAAI,IAAI;AAAA,EAChC;AAAA;AAAA,EAGA,oBAA6B;AAC3B,WAAO,KAAK,sBAAsB;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,cACE,YACA,IACA,QACA,OACA,UAAU,GACV,SAAS,GACH;AACN,QAAI,KAAK,sBAAsB,QAAQ,KAAK,mBAAmB,MAAM;AACnE,YAAM,IAAI,MAAM,yDAAyD;AAAA,IAC3E;AACA,UAAM,OAAO,KAAK,kBAAkB,IAAI,UAAU;AAClD,UAAM,QAAQ,EAAE,QAAQ,MAAM;AAC9B,QAAI,KAAM,MAAK,KAAK,KAAK;AAAA,QACpB,MAAK,kBAAkB,IAAI,YAAY,CAAC,KAAK,CAAC;AAEnD,UAAM,WAAW,KAAK,eAAe,IAAI,UAAU;AACnD,UAAM,YAAiC,EAAE,IAAI,SAAS,OAAO;AAC7D,QAAI,SAAU,UAAS,KAAK,SAAS;AAAA,QAChC,MAAK,eAAe,IAAI,YAAY,CAAC,SAAS,CAAC;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAgE;AAC9D,UAAM,MAAM,KAAK,qBAAqB,oBAAI,IAAI;AAC9C,SAAK,oBAAoB;AACzB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,cAAkG;AAChG,UAAM,MAA6E,CAAC;AACpF,QAAI,KAAK,gBAAgB;AACvB,iBAAW,CAAC,YAAY,IAAI,KAAK,KAAK,gBAAgB;AACpD,mBAAW,KAAK,MAAM;AACpB,cAAI,KAAK,EAAE,YAAY,IAAI,EAAE,IAAI,SAAS,EAAE,SAAS,QAAQ,EAAE,OAAO,CAAC;AAAA,QACzE;AAAA,MACF;AAAA,IACF;AACA,SAAK,iBAAiB;AACtB,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/chunk-PFSNOPBQ.js

@@ -0,0 +1,233 @@
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-YS3POABP.js";
+import {
+  encrypt
+} from "./chunk-2PAQNPE3.js";
+
+// src/blobs/export-blobs.ts
+var ExportBlobsAbortedError = class extends Error {
+  constructor(reason) {
+    super(`exportBlobs aborted: ${reason}`);
+    this.name = "ExportBlobsAbortedError";
+  }
+};
+var EXPORT_AUDIT_COLLECTION = "_export_audit";
+function createExportBlobsHandle(actor, listAccessibleCollections, getCollection, writeAudit, options) {
+  let aborted = false;
+  const abort = () => {
+    aborted = true;
+  };
+  if (options.signal) {
+    if (options.signal.aborted) aborted = true;
+    options.signal.addEventListener("abort", () => {
+      aborted = true;
+    });
+  }
+  function assertLive() {
+    if (aborted) throw new ExportBlobsAbortedError("aborted by caller");
+  }
+  const allowlist = options.collections ? new Set(options.collections) : null;
+  let auditPromise = null;
+  function writeAuditOnce() {
+    if (!auditPromise) {
+      auditPromise = writeAudit({
+        id: generateBatchId(),
+        mechanism: "exportBlobs",
+        actor,
+        startedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        collections: options.collections ?? null,
+        predicate: Boolean(options.where),
+        afterBlobId: options.afterBlobId ?? null
+      });
+    }
+    return auditPromise;
+  }
+  async function* generate() {
+    await writeAuditOnce();
+    assertLive();
+    const allCollections = await listAccessibleCollections();
+    const targets = allCollections.filter((name) => {
+      if (name.startsWith("_")) return false;
+      if (allowlist && !allowlist.has(name)) return false;
+      return true;
+    });
+    let resumeCursorHit = options.afterBlobId === void 0;
+    for (const collectionName of targets) {
+      if (aborted) return;
+      const coll = getCollection(collectionName);
+      const records = await coll.list().catch(() => []);
+      for (const record of records) {
+        if (aborted) return;
+        assertLive();
+        const idField = record.id;
+        if (typeof idField !== "string") continue;
+        if (options.where && !options.where(record, { collection: collectionName, id: idField })) continue;
+        const blobSet = coll.blob(idField);
+        const slots = await blobSet.list().catch(() => []);
+        for (const slot of slots) {
+          if (aborted) return;
+          if (!resumeCursorHit) {
+            if (slot.eTag === options.afterBlobId) {
+              resumeCursorHit = true;
+            }
+            continue;
+          }
+          const bytes = await blobSet.get(slot.name);
+          if (!bytes) continue;
+          const item = {
+            blobId: slot.eTag,
+            recordRef: { collection: collectionName, id: idField, slot: slot.name },
+            bytes,
+            meta: {
+              size: slot.size,
+              filename: slot.filename,
+              ...slot.mimeType !== void 0 && { mimeType: slot.mimeType },
+              ...slot.uploadedAt !== void 0 && { createdAt: slot.uploadedAt }
+            }
+          };
+          yield item;
+        }
+      }
+    }
+  }
+  const handle = {
+    abort,
+    get aborted() {
+      return aborted;
+    },
+    [Symbol.asyncIterator]: () => generate()
+  };
+  return handle;
+}
+function generateBatchId() {
+  const raw = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  let s = "";
+  for (const b of raw) s += b.toString(16).padStart(2, "0");
+  return `batch-${Date.now().toString(36)}-${s.slice(0, 12)}`;
+}
+
+// src/blobs/blob-compaction.ts
+var BLOB_EVICTION_AUDIT_COLLECTION = "_blob_eviction_audit";
+async function runCompaction(ctx, options = {}) {
+  const now = options.now ?? /* @__PURE__ */ new Date();
+  const maxEvictions = options.maxEvictions ?? Infinity;
+  const dryRun = options.dryRun === true;
+  const allCollections = await ctx.listCollections();
+  const byCollection = {};
+  let evicted = 0;
+  let records = 0;
+  let auditEntries = 0;
+  let collectionsWithPolicy = 0;
+  outer: for (const collectionName of allCollections) {
+    if (collectionName.startsWith("_")) continue;
+    const config = ctx.getBlobFields(collectionName);
+    if (!config) continue;
+    const configuredSlots = Object.keys(config);
+    if (configuredSlots.length === 0) continue;
+    collectionsWithPolicy += 1;
+    byCollection[collectionName] = { records: 0, evicted: 0 };
+    const ids = await ctx.listRecords(collectionName);
+    for (const recordId of ids) {
+      if (evicted >= maxEvictions) break outer;
+      const record = await ctx.getRecord(collectionName, recordId).catch(() => null);
+      if (record === null) continue;
+      records += 1;
+      byCollection[collectionName].records += 1;
+      const slots = await ctx.listSlots(collectionName, recordId).catch(() => []);
+      for (const slot of slots) {
+        if (evicted >= maxEvictions) break outer;
+        const policy = config[slot.name];
+        if (!policy) continue;
+        const reason = evaluatePolicy(policy, record, slot, now);
+        if (!reason) continue;
+        if (!dryRun) {
+          await ctx.deleteSlot(collectionName, recordId, slot.name);
+          await writeAuditEntry(ctx, {
+            id: generateEvictionId(collectionName, recordId, slot.name),
+            collection: collectionName,
+            recordId,
+            slotName: slot.name,
+            blobHash: slot.eTag,
+            reason,
+            evictedAt: now.toISOString(),
+            actor: ctx.actor
+          });
+          auditEntries += 1;
+        }
+        evicted += 1;
+        byCollection[collectionName].evicted += 1;
+      }
+    }
+  }
+  return {
+    evicted,
+    records,
+    collections: collectionsWithPolicy,
+    auditEntries,
+    byCollection
+  };
+}
+function evaluatePolicy(policy, record, slot, now) {
+  let ttlTriggered = false;
+  let predicateTriggered = false;
+  if (policy.retainDays !== void 0 && policy.retainDays > 0) {
+    const uploadedAt = Date.parse(slot.uploadedAt);
+    if (Number.isFinite(uploadedAt)) {
+      const ageMs = now.getTime() - uploadedAt;
+      const limitMs = policy.retainDays * 864e5;
+      if (ageMs > limitMs) ttlTriggered = true;
+    }
+  }
+  if (policy.evictWhen) {
+    try {
+      if (policy.evictWhen(record)) predicateTriggered = true;
+    } catch {
+    }
+  }
+  if (ttlTriggered && predicateTriggered) return "both";
+  if (ttlTriggered) return "ttl";
+  if (predicateTriggered) return "predicate";
+  return null;
+}
+function generateEvictionId(collection, recordId, slotName) {
+  const rand = globalThis.crypto.getRandomValues(new Uint8Array(8));
+  let suffix = "";
+  for (const b of rand) suffix += b.toString(16).padStart(2, "0");
+  return `${collection}__${recordId}__${slotName}__${suffix}`;
+}
+async function writeAuditEntry(ctx, entry) {
+  const json = JSON.stringify(entry);
+  let envelope;
+  if (ctx.encrypted) {
+    const dek = await ctx.getDEK(BLOB_EVICTION_AUDIT_COLLECTION);
+    const { iv, data } = await encrypt(json, dek);
+    envelope = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: 1,
+      _ts: entry.evictedAt,
+      _iv: iv,
+      _data: data,
+      _by: entry.actor
+    };
+  } else {
+    envelope = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: 1,
+      _ts: entry.evictedAt,
+      _iv: "",
+      _data: json,
+      _by: entry.actor
+    };
+  }
+  await ctx.adapter.put(ctx.vault, BLOB_EVICTION_AUDIT_COLLECTION, entry.id, envelope);
+}
+
+export {
+  ExportBlobsAbortedError,
+  EXPORT_AUDIT_COLLECTION,
+  createExportBlobsHandle,
+  BLOB_EVICTION_AUDIT_COLLECTION,
+  runCompaction
+};
+//# sourceMappingURL=chunk-PFSNOPBQ.js.map

package/dist/chunk-PFSNOPBQ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/blobs/export-blobs.ts","../src/blobs/blob-compaction.ts"],"sourcesContent":["/**\n * `vault.exportBlobs()` — bulk blob extraction primitive.\n *\n * Async-iterable handle over every blob attached to records in a\n * vault, optionally filtered by collection allowlist and per-record\n * predicate. Emits tuples of `{ blobId, recordRef, bytes, meta }` so\n * the consumer can pipe into any sink (zip stream, S3 multipart, USB\n * copy, cold-storage tape) without pulling the whole export into\n * memory.\n *\n * ## Auth + audit\n *\n * - Capability check runs **once** at handle creation via\n *   `Vault.assertCanExport('plaintext', 'blob')`. An operator whose\n *   keyring lacks that bit fails before a single byte of ciphertext\n *   is decrypted.\n * - Audit entry lands in `_export_audit` at handle creation: the\n *   actor, start timestamp, target collections, predicate presence,\n *   and batch mechanism. **No content hashes** — per the spec\n *   non-correlation invariant.\n *\n * ## Abort + resume\n *\n * - `handle.abort()` flips the internal signal; the next iteration\n *   boundary throws `AbortError`. Consumers already in `for await`\n *   can catch and exit cleanly.\n * - Restart after a partial failure with `{ afterBlobId }` — the\n *   iterator skips tuples up to (and including) that blob id before\n *   yielding again. Combined with a blob-count ceiling it supports\n *   idempotent batch re-runs.\n *\n * @module\n */\n\nimport type { Collection } from '../collection.js'\nimport type { SlotInfo } from '../types.js'\n\n// ─── Types ──────────────────────────────────────────────────────────────\n\nexport interface ExportBlobsOptions {\n  /**\n   * Collection allowlist. Omit to export blobs from every collection\n   * the caller has read access to.\n   */\n  readonly collections?: readonly string[]\n  /**\n   * Per-record predicate. Called on the decrypted record BEFORE any\n   * blob bytes are read for that record — returning false skips the\n   * record and all its slots without touching their chunks.\n   */\n  readonly where?: (record: unknown, context: { collection: string; id: string }) => boolean\n  /**\n   * Resume after a specific blob id. The iterator skips tuples up to\n   * and including this id, then yields. Format of the id is the same\n   * as `ExportedBlob.blobId` (the HMAC-keyed eTag).\n   */\n  readonly afterBlobId?: string\n  /**\n   * External abort signal. When fired, the next iterator tick throws\n   * `ExportBlobsAbortedError`. Honored alongside `handle.abort()`.\n   */\n  readonly signal?: AbortSignal\n}\n\nexport interface ExportedBlob {\n  /** Opaque blob identifier — HMAC-keyed eTag, stable across vaults. */\n  readonly blobId: string\n  /** Where this blob came from in the vault. */\n  readonly recordRef: {\n    readonly collection: string\n    readonly id: string\n    readonly slot: string\n  }\n  /** Decrypted plaintext bytes. */\n  readonly bytes: Uint8Array\n  /** Best-effort metadata (from the blob slot record). */\n  readonly meta: {\n    readonly size: number\n    /**\n     * User-visible filename stored on the slot. Often equal to the\n     * slot name; differs when the caller supplied an explicit\n     * `filename` to `BlobSet.put()`.\n     */\n    readonly filename: string\n    readonly mimeType?: string\n    readonly createdAt?: string\n  }\n}\n\nexport interface ExportBlobsHandle extends AsyncIterable<ExportedBlob> {\n  /** Abort the export. Safe to call multiple times. */\n  abort(): void\n  /** True once `abort()` has fired or the external signal aborted. */\n  readonly aborted: boolean\n}\n\nexport class ExportBlobsAbortedError extends Error {\n  constructor(reason: string) {\n    super(`exportBlobs aborted: ${reason}`)\n    this.name = 'ExportBlobsAbortedError'\n  }\n}\n\n// ─── Audit ──────────────────────────────────────────────────────────────\n\nexport const EXPORT_AUDIT_COLLECTION = '_export_audit'\n\nexport interface ExportBlobsAuditEntry {\n  readonly id: string\n  readonly mechanism: 'exportBlobs'\n  readonly actor: string\n  readonly startedAt: string\n  readonly collections: readonly string[] | null\n  readonly predicate: boolean\n  readonly afterBlobId: string | null\n}\n\n// ─── Implementation ─────────────────────────────────────────────────────\n\n/**\n * Build the handle. Factored out of `Vault.exportBlobs` so the\n * implementation can be unit-tested without going through the\n * compartment lifecycle.\n */\nexport function createExportBlobsHandle(\n  actor: string,\n  listAccessibleCollections: () => Promise<string[]>,\n  getCollection: <T>(name: string) => Collection<T>,\n  writeAudit: (entry: ExportBlobsAuditEntry) => Promise<void>,\n  options: ExportBlobsOptions,\n): ExportBlobsHandle {\n  let aborted = false\n\n  const abort = (): void => {\n    aborted = true\n  }\n\n  if (options.signal) {\n    if (options.signal.aborted) aborted = true\n    options.signal.addEventListener('abort', () => { aborted = true })\n  }\n\n  function assertLive(): void {\n    if (aborted) throw new ExportBlobsAbortedError('aborted by caller')\n  }\n\n  const allowlist = options.collections ? new Set(options.collections) : null\n\n  // Write the audit entry BEFORE the first yield so a blocked\n  // iteration still leaves an audit trail that the export started.\n  let auditPromise: Promise<void> | null = null\n  function writeAuditOnce(): Promise<void> {\n    if (!auditPromise) {\n      auditPromise = writeAudit({\n        id: generateBatchId(),\n        mechanism: 'exportBlobs',\n        actor,\n        startedAt: new Date().toISOString(),\n        collections: options.collections ?? null,\n        predicate: Boolean(options.where),\n        afterBlobId: options.afterBlobId ?? null,\n      })\n    }\n    return auditPromise\n  }\n\n  async function* generate(): AsyncGenerator<ExportedBlob> {\n    await writeAuditOnce()\n    assertLive()\n\n    // Resolve target collections lazily — also keeps the call async.\n    const allCollections = await listAccessibleCollections()\n    const targets = allCollections.filter(name => {\n      if (name.startsWith('_')) return false\n      if (allowlist && !allowlist.has(name)) return false\n      return true\n    })\n\n    let resumeCursorHit = options.afterBlobId === undefined\n\n    for (const collectionName of targets) {\n      if (aborted) return\n\n      const coll = getCollection<Record<string, unknown>>(collectionName)\n      const records = await coll.list().catch(() => [])\n      for (const record of records) {\n        if (aborted) return\n        assertLive()\n\n        const idField = (record as { id?: unknown }).id\n        if (typeof idField !== 'string') continue\n\n        if (options.where && !options.where(record, { collection: collectionName, id: idField })) continue\n\n        const blobSet = coll.blob(idField)\n        const slots = await blobSet.list().catch(() => [] as SlotInfo[])\n        for (const slot of slots) {\n          if (aborted) return\n\n          if (!resumeCursorHit) {\n            if (slot.eTag === options.afterBlobId) {\n              resumeCursorHit = true\n            }\n            continue\n          }\n\n          const bytes = await blobSet.get(slot.name)\n          if (!bytes) continue\n\n          const item: ExportedBlob = {\n            blobId: slot.eTag,\n            recordRef: { collection: collectionName, id: idField, slot: slot.name },\n            bytes,\n            meta: {\n              size: slot.size,\n              filename: slot.filename,\n              ...(slot.mimeType !== undefined && { mimeType: slot.mimeType }),\n              ...(slot.uploadedAt !== undefined && { createdAt: slot.uploadedAt }),\n            },\n          }\n          yield item\n        }\n      }\n    }\n  }\n\n  const handle: ExportBlobsHandle = {\n    abort,\n    get aborted() { return aborted },\n    [Symbol.asyncIterator]: () => generate(),\n  }\n  return handle\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\nfunction generateBatchId(): string {\n  // 16 bytes of crypto randomness, URL-safe base64, no padding.\n  const raw = globalThis.crypto.getRandomValues(new Uint8Array(16))\n  let s = ''\n  for (const b of raw) s += b.toString(16).padStart(2, '0')\n  return `batch-${Date.now().toString(36)}-${s.slice(0, 12)}`\n}\n","/**\n * Blob retention + compaction.\n *\n * Declarative per-collection / per-slot eviction policy. Two\n * triggers:\n *\n *   - **`retainDays`** — age-based TTL. A slot uploaded more than N\n *     days ago is evicted.\n *   - **`evictWhen(record)`** — predicate over the **decrypted**\n *     record. Lets consumers express \"the image is safe to drop once\n *     the structured invoice has been reviewed and confirmed.\"\n *\n * Either trigger (or both) causes the slot to evict. Eviction removes\n * the slot entry from `_blob_slots_{collection}`, decrements the\n * blob's refCount (so unreferenced chunks can be GC'd by the next\n * sweep), and writes one entry to the `_blob_eviction_audit`\n * collection for tamper-evident record-keeping.\n *\n * The audit entry carries the eTag of the evicted blob (opaque HMAC\n * of plaintext under the vault's `_blob` DEK) — no plaintext leakage,\n * per the SPEC non-correlation invariant. Consumers reconstructing\n * \"what used to be attached\" can look up the audit entry by record\n * id.\n *\n * Compaction is **consumer-scheduled** — noy-db never runs a\n * background daemon. Call `vault.compact()` whenever your workflow\n * allows (cron, manual \"tidy\" button, cold-storage export prep, …).\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope, SlotInfo } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport { encrypt } from '../crypto.js'\n\n// ─── Config types ───────────────────────────────────────────────────────\n\nexport interface BlobFieldPolicy<T = unknown> {\n  /**\n   * Age-based TTL in days. A slot whose `uploadedAt` is older than\n   * `now - retainDays × 86400s` evicts on the next `vault.compact()`.\n   * Omit to disable age-based eviction.\n   */\n  readonly retainDays?: number\n  /**\n   * Predicate evaluated against the decrypted record. When it returns\n   * `true`, every matching slot on that record evicts. Omit to\n   * disable predicate-based eviction.\n   */\n  readonly evictWhen?: (record: T) => boolean\n}\n\nexport type BlobFieldsConfig<T = unknown> = Record<string, BlobFieldPolicy<T>>\n\n// ─── Audit collection ──────────────────────────────────────────────────\n\nexport const BLOB_EVICTION_AUDIT_COLLECTION = '_blob_eviction_audit'\n\nexport interface BlobEvictionEntry {\n  readonly id: string\n  readonly collection: string\n  readonly recordId: string\n  readonly slotName: string\n  readonly blobHash: string\n  readonly reason: 'ttl' | 'predicate' | 'both'\n  readonly evictedAt: string\n  readonly actor: string\n}\n\n// ─── Compaction result ──────────────────────────────────────────────────\n\nexport interface CompactionResult {\n  /** Number of blob slots evicted across all collections. */\n  readonly evicted: number\n  /** Number of records touched (iterated + policy checked). */\n  readonly records: number\n  /** Number of collections with `blobFields` configured. */\n  readonly collections: number\n  /** Number of audit entries written. Equal to `evicted`. */\n  readonly auditEntries: number\n  /** Per-collection breakdown for diagnostics. */\n  readonly byCollection: Record<string, { records: number; evicted: number }>\n}\n\n// ─── Core ──────────────────────────────────────────────────────────────\n\nexport interface CompactRunOptions {\n  /** Override \"now\" for deterministic testing. */\n  readonly now?: Date\n  /**\n   * Stop after this many evictions. Useful for capped batches / cron\n   * jobs that need to fit in a time window. `undefined` = unbounded.\n   */\n  readonly maxEvictions?: number\n  /**\n   * Dry-run — evaluate policies and return the counts, but do NOT\n   * delete slots or write audit entries. Lets a consumer preview\n   * what would happen.\n   */\n  readonly dryRun?: boolean\n}\n\nexport interface CompactionContext {\n  readonly adapter: NoydbStore\n  readonly vault: string\n  readonly actor: string\n  readonly encrypted: boolean\n  readonly getDEK: (collection: string) => Promise<CryptoKey>\n  /**\n   * Resolve a collection's declared `blobFields` config. Returns an\n   * empty map for collections without the config — the walk skips\n   * those.\n   */\n  readonly getBlobFields: <T>(collection: string) => BlobFieldsConfig<T> | null\n  /** List collection names in the vault. */\n  readonly listCollections: () => Promise<string[]>\n  /** List record ids in a collection. */\n  readonly listRecords: (collection: string) => Promise<string[]>\n  /** Decrypt and return the record. Null when absent. */\n  readonly getRecord: <T>(collection: string, id: string) => Promise<T | null>\n  /** Return the BlobSet-like handle for a record's slots. */\n  readonly listSlots: (collection: string, id: string) => Promise<SlotInfo[]>\n  /** Delete a slot and decrement its blob's refCount. */\n  readonly deleteSlot: (collection: string, id: string, slotName: string) => Promise<void>\n}\n\nexport async function runCompaction(\n  ctx: CompactionContext,\n  options: CompactRunOptions = {},\n): Promise<CompactionResult> {\n  const now = options.now ?? new Date()\n  const maxEvictions = options.maxEvictions ?? Infinity\n  const dryRun = options.dryRun === true\n\n  const allCollections = await ctx.listCollections()\n  const byCollection: Record<string, { records: number; evicted: number }> = {}\n  let evicted = 0\n  let records = 0\n  let auditEntries = 0\n  let collectionsWithPolicy = 0\n\n  outer: for (const collectionName of allCollections) {\n    if (collectionName.startsWith('_')) continue\n    const config = ctx.getBlobFields(collectionName)\n    if (!config) continue\n    const configuredSlots = Object.keys(config)\n    if (configuredSlots.length === 0) continue\n    collectionsWithPolicy += 1\n    byCollection[collectionName] = { records: 0, evicted: 0 }\n\n    const ids = await ctx.listRecords(collectionName)\n    for (const recordId of ids) {\n      if (evicted >= maxEvictions) break outer\n\n      const record = await ctx.getRecord(collectionName, recordId).catch(() => null)\n      if (record === null) continue\n      records += 1\n      byCollection[collectionName].records += 1\n\n      const slots = await ctx.listSlots(collectionName, recordId).catch(() => [])\n      for (const slot of slots) {\n        if (evicted >= maxEvictions) break outer\n        const policy = config[slot.name]\n        if (!policy) continue\n\n        const reason = evaluatePolicy(policy, record, slot, now)\n        if (!reason) continue\n\n        if (!dryRun) {\n          await ctx.deleteSlot(collectionName, recordId, slot.name)\n          await writeAuditEntry(ctx, {\n            id: generateEvictionId(collectionName, recordId, slot.name),\n            collection: collectionName,\n            recordId,\n            slotName: slot.name,\n            blobHash: slot.eTag,\n            reason,\n            evictedAt: now.toISOString(),\n            actor: ctx.actor,\n          })\n          auditEntries += 1\n        }\n        evicted += 1\n        byCollection[collectionName].evicted += 1\n      }\n    }\n  }\n\n  return {\n    evicted,\n    records,\n    collections: collectionsWithPolicy,\n    auditEntries,\n    byCollection,\n  }\n}\n\nfunction evaluatePolicy<T>(\n  policy: BlobFieldPolicy<T>,\n  record: T,\n  slot: SlotInfo,\n  now: Date,\n): 'ttl' | 'predicate' | 'both' | null {\n  let ttlTriggered = false\n  let predicateTriggered = false\n\n  if (policy.retainDays !== undefined && policy.retainDays > 0) {\n    const uploadedAt = Date.parse(slot.uploadedAt)\n    if (Number.isFinite(uploadedAt)) {\n      const ageMs = now.getTime() - uploadedAt\n      const limitMs = policy.retainDays * 86_400_000\n      if (ageMs > limitMs) ttlTriggered = true\n    }\n  }\n\n  if (policy.evictWhen) {\n    try {\n      if (policy.evictWhen(record)) predicateTriggered = true\n    } catch {\n      // Predicate error → do NOT evict. Fail closed.\n    }\n  }\n\n  if (ttlTriggered && predicateTriggered) return 'both'\n  if (ttlTriggered) return 'ttl'\n  if (predicateTriggered) return 'predicate'\n  return null\n}\n\nfunction generateEvictionId(collection: string, recordId: string, slotName: string): string {\n  const rand = globalThis.crypto.getRandomValues(new Uint8Array(8))\n  let suffix = ''\n  for (const b of rand) suffix += b.toString(16).padStart(2, '0')\n  return `${collection}__${recordId}__${slotName}__${suffix}`\n}\n\nasync function writeAuditEntry(ctx: CompactionContext, entry: BlobEvictionEntry): Promise<void> {\n  const json = JSON.stringify(entry)\n  let envelope: EncryptedEnvelope\n  if (ctx.encrypted) {\n    const dek = await ctx.getDEK(BLOB_EVICTION_AUDIT_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    envelope = {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: entry.evictedAt,\n      _iv: iv,\n      _data: data,\n      _by: entry.actor,\n    }\n  } else {\n    envelope = {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: entry.evictedAt,\n      _iv: '',\n      _data: json,\n      _by: entry.actor,\n    }\n  }\n  await ctx.adapter.put(ctx.vault, BLOB_EVICTION_AUDIT_COLLECTION, entry.id, envelope)\n}\n"],"mappings":";;;;;;;;AAgGO,IAAM,0BAAN,cAAsC,MAAM;AAAA,EACjD,YAAY,QAAgB;AAC1B,UAAM,wBAAwB,MAAM,EAAE;AACtC,SAAK,OAAO;AAAA,EACd;AACF;AAIO,IAAM,0BAA0B;AAmBhC,SAAS,wBACd,OACA,2BACA,eACA,YACA,SACmB;AACnB,MAAI,UAAU;AAEd,QAAM,QAAQ,MAAY;AACxB,cAAU;AAAA,EACZ;AAEA,MAAI,QAAQ,QAAQ;AAClB,QAAI,QAAQ,OAAO,QAAS,WAAU;AACtC,YAAQ,OAAO,iBAAiB,SAAS,MAAM;AAAE,gBAAU;AAAA,IAAK,CAAC;AAAA,EACnE;AAEA,WAAS,aAAmB;AAC1B,QAAI,QAAS,OAAM,IAAI,wBAAwB,mBAAmB;AAAA,EACpE;AAEA,QAAM,YAAY,QAAQ,cAAc,IAAI,IAAI,QAAQ,WAAW,IAAI;AAIvE,MAAI,eAAqC;AACzC,WAAS,iBAAgC;AACvC,QAAI,CAAC,cAAc;AACjB,qBAAe,WAAW;AAAA,QACxB,IAAI,gBAAgB;AAAA,QACpB,WAAW;AAAA,QACX;AAAA,QACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QAClC,aAAa,QAAQ,eAAe;AAAA,QACpC,WAAW,QAAQ,QAAQ,KAAK;AAAA,QAChC,aAAa,QAAQ,eAAe;AAAA,MACtC,CAAC;AAAA,IACH;AACA,WAAO;AAAA,EACT;AAEA,kBAAgB,WAAyC;AACvD,UAAM,eAAe;AACrB,eAAW;AAGX,UAAM,iBAAiB,MAAM,0BAA0B;AACvD,UAAM,UAAU,eAAe,OAAO,UAAQ;AAC5C,UAAI,KAAK,WAAW,GAAG,EAAG,QAAO;AACjC,UAAI,aAAa,CAAC,UAAU,IAAI,IAAI,EAAG,QAAO;AAC9C,aAAO;AAAA,IACT,CAAC;AAED,QAAI,kBAAkB,QAAQ,gBAAgB;AAE9C,eAAW,kBAAkB,SAAS;AACpC,UAAI,QAAS;AAEb,YAAM,OAAO,cAAuC,cAAc;AAClE,YAAM,UAAU,MAAM,KAAK,KAAK,EAAE,MAAM,MAAM,CAAC,CAAC;AAChD,iBAAW,UAAU,SAAS;AAC5B,YAAI,QAAS;AACb,mBAAW;AAEX,cAAM,UAAW,OAA4B;AAC7C,YAAI,OAAO,YAAY,SAAU;AAEjC,YAAI,QAAQ,SAAS,CAAC,QAAQ,MAAM,QAAQ,EAAE,YAAY,gBAAgB,IAAI,QAAQ,CAAC,EAAG;AAE1F,cAAM,UAAU,KAAK,KAAK,OAAO;AACjC,cAAM,QAAQ,MAAM,QAAQ,KAAK,EAAE,MAAM,MAAM,CAAC,CAAe;AAC/D,mBAAW,QAAQ,OAAO;AACxB,cAAI,QAAS;AAEb,cAAI,CAAC,iBAAiB;AACpB,gBAAI,KAAK,SAAS,QAAQ,aAAa;AACrC,gCAAkB;AAAA,YACpB;AACA;AAAA,UACF;AAEA,gBAAM,QAAQ,MAAM,QAAQ,IAAI,KAAK,IAAI;AACzC,cAAI,CAAC,MAAO;AAEZ,gBAAM,OAAqB;AAAA,YACzB,QAAQ,KAAK;AAAA,YACb,WAAW,EAAE,YAAY,gBAAgB,IAAI,SAAS,MAAM,KAAK,KAAK;AAAA,YACtE;AAAA,YACA,MAAM;AAAA,cACJ,MAAM,KAAK;AAAA,cACX,UAAU,KAAK;AAAA,cACf,GAAI,KAAK,aAAa,UAAa,EAAE,UAAU,KAAK,SAAS;AAAA,cAC7D,GAAI,KAAK,eAAe,UAAa,EAAE,WAAW,KAAK,WAAW;AAAA,YACpE;AAAA,UACF;AACA,gBAAM;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAA4B;AAAA,IAChC;AAAA,IACA,IAAI,UAAU;AAAE,aAAO;AAAA,IAAQ;AAAA,IAC/B,CAAC,OAAO,aAAa,GAAG,MAAM,SAAS;AAAA,EACzC;AACA,SAAO;AACT;AAIA,SAAS,kBAA0B;AAEjC,QAAM,MAAM,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAChE,MAAI,IAAI;AACR,aAAW,KAAK,IAAK,MAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AACxD,SAAO,SAAS,KAAK,IAAI,EAAE,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,GAAG,EAAE,CAAC;AAC3D;;;AC1LO,IAAM,iCAAiC;AAsE9C,eAAsB,cACpB,KACA,UAA6B,CAAC,GACH;AAC3B,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,eAAe,QAAQ,gBAAgB;AAC7C,QAAM,SAAS,QAAQ,WAAW;AAElC,QAAM,iBAAiB,MAAM,IAAI,gBAAgB;AACjD,QAAM,eAAqE,CAAC;AAC5E,MAAI,UAAU;AACd,MAAI,UAAU;AACd,MAAI,eAAe;AACnB,MAAI,wBAAwB;AAE5B,QAAO,YAAW,kBAAkB,gBAAgB;AAClD,QAAI,eAAe,WAAW,GAAG,EAAG;AACpC,UAAM,SAAS,IAAI,cAAc,cAAc;AAC/C,QAAI,CAAC,OAAQ;AACb,UAAM,kBAAkB,OAAO,KAAK,MAAM;AAC1C,QAAI,gBAAgB,WAAW,EAAG;AAClC,6BAAyB;AACzB,iBAAa,cAAc,IAAI,EAAE,SAAS,GAAG,SAAS,EAAE;AAExD,UAAM,MAAM,MAAM,IAAI,YAAY,cAAc;AAChD,eAAW,YAAY,KAAK;AAC1B,UAAI,WAAW,aAAc,OAAM;AAEnC,YAAM,SAAS,MAAM,IAAI,UAAU,gBAAgB,QAAQ,EAAE,MAAM,MAAM,IAAI;AAC7E,UAAI,WAAW,KAAM;AACrB,iBAAW;AACX,mBAAa,cAAc,EAAE,WAAW;AAExC,YAAM,QAAQ,MAAM,IAAI,UAAU,gBAAgB,QAAQ,EAAE,MAAM,MAAM,CAAC,CAAC;AAC1E,iBAAW,QAAQ,OAAO;AACxB,YAAI,WAAW,aAAc,OAAM;AACnC,cAAM,SAAS,OAAO,KAAK,IAAI;AAC/B,YAAI,CAAC,OAAQ;AAEb,cAAM,SAAS,eAAe,QAAQ,QAAQ,MAAM,GAAG;AACvD,YAAI,CAAC,OAAQ;AAEb,YAAI,CAAC,QAAQ;AACX,gBAAM,IAAI,WAAW,gBAAgB,UAAU,KAAK,IAAI;AACxD,gBAAM,gBAAgB,KAAK;AAAA,YACzB,IAAI,mBAAmB,gBAAgB,UAAU,KAAK,IAAI;AAAA,YAC1D,YAAY;AAAA,YACZ;AAAA,YACA,UAAU,KAAK;AAAA,YACf,UAAU,KAAK;AAAA,YACf;AAAA,YACA,WAAW,IAAI,YAAY;AAAA,YAC3B,OAAO,IAAI;AAAA,UACb,CAAC;AACD,0BAAgB;AAAA,QAClB;AACA,mBAAW;AACX,qBAAa,cAAc,EAAE,WAAW;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,eACP,QACA,QACA,MACA,KACqC;AACrC,MAAI,eAAe;AACnB,MAAI,qBAAqB;AAEzB,MAAI,OAAO,eAAe,UAAa,OAAO,aAAa,GAAG;AAC5D,UAAM,aAAa,KAAK,MAAM,KAAK,UAAU;AAC7C,QAAI,OAAO,SAAS,UAAU,GAAG;AAC/B,YAAM,QAAQ,IAAI,QAAQ,IAAI;AAC9B,YAAM,UAAU,OAAO,aAAa;AACpC,UAAI,QAAQ,QAAS,gBAAe;AAAA,IACtC;AAAA,EACF;AAEA,MAAI,OAAO,WAAW;AACpB,QAAI;AACF,UAAI,OAAO,UAAU,MAAM,EAAG,sBAAqB;AAAA,IACrD,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,MAAI,gBAAgB,mBAAoB,QAAO;AAC/C,MAAI,aAAc,QAAO;AACzB,MAAI,mBAAoB,QAAO;AAC/B,SAAO;AACT;AAEA,SAAS,mBAAmB,YAAoB,UAAkB,UAA0B;AAC1F,QAAM,OAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,CAAC,CAAC;AAChE,MAAI,SAAS;AACb,aAAW,KAAK,KAAM,WAAU,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAC9D,SAAO,GAAG,UAAU,KAAK,QAAQ,KAAK,QAAQ,KAAK,MAAM;AAC3D;AAEA,eAAe,gBAAgB,KAAwB,OAAyC;AAC9F,QAAM,OAAO,KAAK,UAAU,KAAK;AACjC,MAAI;AACJ,MAAI,IAAI,WAAW;AACjB,UAAM,MAAM,MAAM,IAAI,OAAO,8BAA8B;AAC3D,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF,OAAO;AACL,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,gCAAgC,MAAM,IAAI,QAAQ;AACrF;","names":[]}

package/dist/chunk-PLI5TV7N.js

@@ -0,0 +1,53 @@
+// src/materialized-views/stale.ts
+var _staleByRegistry = /* @__PURE__ */ new WeakMap();
+function markMVStale(registry, mvName) {
+  let set = _staleByRegistry.get(registry);
+  if (!set) {
+    set = /* @__PURE__ */ new Set();
+    _staleByRegistry.set(registry, set);
+  }
+  set.add(mvName);
+}
+function isMVStale(registry, mvName) {
+  return _staleByRegistry.get(registry)?.has(mvName) ?? false;
+}
+async function resolveStaleMVOnRead(accessor, outputCollection) {
+  const registry = accessor.registry();
+  const pending = _staleByRegistry.get(registry);
+  if (!pending || pending.size === 0) return;
+  const candidates = [];
+  for (const mv of registry.all()) {
+    if (mv.outputCollection !== outputCollection) continue;
+    if (!pending.has(mv.spec.name)) continue;
+    candidates.push(mv.spec.name);
+  }
+  if (candidates.length === 0) return;
+  let executor = null;
+  for (const name of candidates) {
+    const reg = registry.byName(name);
+    if (!reg) {
+      pending.delete(name);
+      continue;
+    }
+    if (executor === null) {
+      ({ MaterializedViewExecutor: executor } = await import("./executor-AS2IDHKZ.js"));
+    }
+    await executor.refresh(reg, {
+      getCollection: (n) => accessor.getCollection(n),
+      getActiveTxContext: () => accessor.getActiveTxContext(),
+      getQueryContext: () => accessor.getQueryContext()
+    });
+    pending.delete(name);
+  }
+}
+function clearMVStale(registry, mvName) {
+  _staleByRegistry.get(registry)?.delete(mvName);
+}
+
+export {
+  markMVStale,
+  isMVStale,
+  resolveStaleMVOnRead,
+  clearMVStale
+};
+//# sourceMappingURL=chunk-PLI5TV7N.js.map

package/dist/chunk-PLI5TV7N.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/materialized-views/stale.ts"],"sourcesContent":["import type { Collection } from '../collection.js'\nimport type { TxContext } from '../tx/transaction.js'\nimport type { MaterializedViewRegistry } from './registry.js'\n// Type-only — runtime class loaded via dynamic import in\n// `resolveStaleMVOnRead` only when a stale flag actually fires.\n// Keeps the executor chunk out of the floor bundle (mirrors v1 #130).\nimport type { MaterializedViewExecutor as MVExecutorType } from './executor.js'\nimport type { MVQueryContext } from './types.js'\n\n/**\n * Accessor shape passed in from the owning Vault. Provides the\n * registry (used as a stable WeakMap key + to look up MVs by output\n * collection) and the runtime context the lazy refresh needs.\n * Mirrors v1's `DerivationStaleAccessor`.\n */\nexport interface MVStaleAccessor {\n  registry(): MaterializedViewRegistry\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  getCollection(name: string): Collection<any>\n  getActiveTxContext(): TxContext | null\n  getQueryContext(): MVQueryContext\n}\n\n/**\n * In-memory stale map keyed by `MaterializedViewRegistry` instance\n * (stable per vault). Each registry maps to a set of MV names that\n * have at least one pending source-change requiring a re-materialize.\n *\n * Persistence across vault close is NOT implemented in this iteration\n * (concern flagged in the v2 spec, mirrors v1 derivation behavior).\n * On vault re-open, the unset stale flag is interpreted as \"fresh\" —\n * `vault.refreshView(name)` is the explicit recompute escape hatch.\n *\n * @internal\n */\nconst _staleByRegistry = new WeakMap<MaterializedViewRegistry, Set<string>>()\n\n/**\n * Mark an MV as stale. Called from `Collection.dispatchMaterializedViews`\n * when a source-write fires for a `refresh: 'lazy'` MV.\n *\n * @internal\n */\nexport function markMVStale(registry: MaterializedViewRegistry, mvName: string): void {\n  let set = _staleByRegistry.get(registry)\n  if (!set) {\n    set = new Set()\n    _staleByRegistry.set(registry, set)\n  }\n  set.add(mvName)\n}\n\n/**\n * Test-only: check whether a given MV name is currently flagged stale\n * against a registry. Exported so the regression suite can pin the\n * stale-bit lifecycle without touching the internal `WeakMap`.\n *\n * @internal\n */\nexport function isMVStale(registry: MaterializedViewRegistry, mvName: string): boolean {\n  return _staleByRegistry.get(registry)?.has(mvName) ?? false\n}\n\n/**\n * Called from `Collection.get` (and any reader that materializes the\n * MV's output collection). If any MV producing `outputCollection` is\n * flagged stale, runs the executor against the live source state\n * before returning. No-op when there is no pending work — keeps the\n * read fast path negligible.\n *\n * Dynamic-imports the executor only when a stale flag actually fires\n * (the floor-bundle isolation pattern v1 derivations established in\n * #130).\n */\nexport async function resolveStaleMVOnRead(\n  accessor: MVStaleAccessor,\n  outputCollection: string,\n): Promise<void> {\n  const registry = accessor.registry()\n  const pending = _staleByRegistry.get(registry)\n  if (!pending || pending.size === 0) return\n\n  // Find every MV that writes to this output collection AND is\n  // currently flagged stale. Multiple MVs CAN share an output\n  // collection in theory; in practice the registration validation +\n  // cycle detection make this unusual.\n  const candidates: string[] = []\n  for (const mv of registry.all()) {\n    if (mv.outputCollection !== outputCollection) continue\n    if (!pending.has(mv.spec.name)) continue\n    candidates.push(mv.spec.name)\n  }\n  if (candidates.length === 0) return\n\n  let executor: typeof MVExecutorType | null = null\n  for (const name of candidates) {\n    const reg = registry.byName(name)\n    if (!reg) {\n      pending.delete(name)\n      continue\n    }\n    if (executor === null) {\n      ({ MaterializedViewExecutor: executor } = (await import('./executor.js')) as {\n        MaterializedViewExecutor: typeof MVExecutorType\n      })\n    }\n    await executor.refresh(reg, {\n      getCollection: (n) => accessor.getCollection(n),\n      getActiveTxContext: () => accessor.getActiveTxContext(),\n      getQueryContext: () => accessor.getQueryContext(),\n    })\n    pending.delete(name)\n  }\n}\n\n/**\n * Drop every stale flag for a registry. Used after a manual\n * `vault.refreshView(name)` runs the executor explicitly — the\n * post-refresh state matches the registered strategies, so\n * lingering stale bits would force a redundant refresh on the next\n * read.\n *\n * @internal\n */\nexport function clearMVStale(registry: MaterializedViewRegistry, mvName: string): void {\n  _staleByRegistry.get(registry)?.delete(mvName)\n}\n"],"mappings":";AAmCA,IAAM,mBAAmB,oBAAI,QAA+C;AAQrE,SAAS,YAAY,UAAoC,QAAsB;AACpF,MAAI,MAAM,iBAAiB,IAAI,QAAQ;AACvC,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,qBAAiB,IAAI,UAAU,GAAG;AAAA,EACpC;AACA,MAAI,IAAI,MAAM;AAChB;AASO,SAAS,UAAU,UAAoC,QAAyB;AACrF,SAAO,iBAAiB,IAAI,QAAQ,GAAG,IAAI,MAAM,KAAK;AACxD;AAaA,eAAsB,qBACpB,UACA,kBACe;AACf,QAAM,WAAW,SAAS,SAAS;AACnC,QAAM,UAAU,iBAAiB,IAAI,QAAQ;AAC7C,MAAI,CAAC,WAAW,QAAQ,SAAS,EAAG;AAMpC,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,SAAS,IAAI,GAAG;AAC/B,QAAI,GAAG,qBAAqB,iBAAkB;AAC9C,QAAI,CAAC,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAG;AAChC,eAAW,KAAK,GAAG,KAAK,IAAI;AAAA,EAC9B;AACA,MAAI,WAAW,WAAW,EAAG;AAE7B,MAAI,WAAyC;AAC7C,aAAW,QAAQ,YAAY;AAC7B,UAAM,MAAM,SAAS,OAAO,IAAI;AAChC,QAAI,CAAC,KAAK;AACR,cAAQ,OAAO,IAAI;AACnB;AAAA,IACF;AACA,QAAI,aAAa,MAAM;AACrB,OAAC,EAAE,0BAA0B,SAAS,IAAK,MAAM,OAAO,wBAAe;AAAA,IAGzE;AACA,UAAM,SAAS,QAAQ,KAAK;AAAA,MAC1B,eAAe,CAAC,MAAM,SAAS,cAAc,CAAC;AAAA,MAC9C,oBAAoB,MAAM,SAAS,mBAAmB;AAAA,MACtD,iBAAiB,MAAM,SAAS,gBAAgB;AAAA,IAClD,CAAC;AACD,YAAQ,OAAO,IAAI;AAAA,EACrB;AACF;AAWO,SAAS,aAAa,UAAoC,QAAsB;AACrF,mBAAiB,IAAI,QAAQ,GAAG,OAAO,MAAM;AAC/C;","names":[]}