@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/chunk-VCGTOS2A.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/bundle/format.ts","../src/bundle/bundle.ts"],"sourcesContent":["/**\n * `.noydb` container format — byte layout, header schema, validators.\n *\n *. Wraps a `vault.dump()` JSON string in a thin\n * binary container with a magic-byte prefix, a minimum-disclosure\n * unencrypted header, and a compressed body.\n *\n * **Byte layout** (read in order from offset 0):\n *\n * ```\n * +--------+--------+--------+--------+\n * |  N=78  |  D=68  |  B=66  |  1=49  |  Magic 'NDB1' (4 bytes)\n * +--------+--------+--------+--------+\n * | flags  | compr  |  header_length (uint32 BE)            |\n * +--------+--------+--------+--------+--------+--------+--------+\n * | header_length bytes of UTF-8 JSON header                       ...\n * +--------+--------+\n * | compressed body bytes                                            ...\n * ```\n *\n * Total fixed prefix before the header JSON is **10 bytes**:\n *   - 4 bytes magic\n *   - 1 byte flags\n *   - 1 byte compression algorithm\n *   - 4 bytes header length (uint32 big-endian)\n *\n * **Why a binary container** at all? `vault.dump()` already\n * produces a JSON string with encrypted records inside. Wrapping it\n * again seems redundant — but the wrap is what makes the file safe\n * to drop into cloud storage (Drive, Dropbox, iCloud) without\n * leaking the vault name and exporter identity through the\n * cloud's metadata API. The minimum-disclosure header is the only\n * thing visible without downloading and decompressing the body.\n * The dump JSON inside the body still contains the original\n * metadata, but that's only readable by someone who already has the\n * file bytes — the same person who could read the encrypted records\n * with the right passphrase.\n *\n * **Why minimum disclosure** in the header? Because consumers will\n * inevitably store these in services where the filename, file size,\n * and any unencrypted metadata are indexed for search. A field like\n * `vault: \"Acme Corp\"` would let an attacker (or a curious\n * cloud admin) enumerate which compartments exist and who exported\n * them, even with zero access to the encrypted body. The header\n * carries only what's needed to identify the file as a NOYDB\n * bundle and verify its integrity — nothing about the contents.\n */\n\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\n\n/** Magic bytes 'NDB1' (ASCII), identifying a NOYDB bundle. */\nexport const NOYDB_BUNDLE_MAGIC = new Uint8Array([0x4e, 0x44, 0x42, 0x31])\n\n/** Total fixed prefix before the header JSON: 4+1+1+4 bytes. */\nexport const NOYDB_BUNDLE_PREFIX_BYTES = 10\n\n/** Current bundle format version. Bumped on layout changes. */\nexport const NOYDB_BUNDLE_FORMAT_VERSION = 1\n\n/**\n * Bitfield interpretation of the flags byte.\n *\n * Bit 0 — body is compressed (0 = raw, 1 = compressed)\n * Bit 1 — header carries an integrity hash over the body bytes\n * Bits 2-7 — reserved, must be 0 in\n */\nexport const FLAG_COMPRESSED = 0b0000_0001\nexport const FLAG_HAS_INTEGRITY_HASH = 0b0000_0010\n\n/**\n * Compression algorithm encoding for the byte at offset 5.\n *\n * `none` is admitted for round-trip testing and for callers that\n * want to bundle without compression (e.g. when piping into a\n * separately compressed transport). `gzip` is the universally\n * available baseline (Node 18+, all modern browsers). `brotli` is\n * preferred when the runtime supports it — typically 30-50% smaller\n * for JSON payloads — but Node 22+ / Chrome 124+ / Firefox 122+\n * are required, so the writer feature-detects at runtime and falls\n * back to gzip. The reader must handle all three.\n */\nexport const COMPRESSION_NONE = 0\nexport const COMPRESSION_GZIP = 1\nexport const COMPRESSION_BROTLI = 2\n\nexport type CompressionAlgo = 0 | 1 | 2\n\n/**\n * The unencrypted header carried in every `.noydb` bundle.\n *\n * **Minimum-disclosure rules:** these are the ONLY allowed keys.\n * Any other key in a parsed header causes\n * `validateBundleHeader` to throw. The set is kept short to\n * minimize attack surface from cloud-storage metadata indexing —\n * see the file-level doc comment for the rationale.\n *\n * Forbidden in particular:\n *   - `vault` / `_compartment` — would leak the tenant name\n *   - `exporter` / `_exported_by` — would leak user identity\n *   - `timestamp` / `_exported_at` — would leak activity timing\n *   - `kdfParams` / salt fields — would leak crypto config that\n *     could narrow brute-force search space\n *   - any field starting with `_` (reserved by the dump format)\n */\nexport interface NoydbBundleHeader {\n  /** Bundle format version — bumped on layout changes. */\n  readonly formatVersion: number\n  /**\n   * Opaque ULID identifier — generated once per vault and\n   * stable across re-exports of the same vault. Does not\n   * leak any information about contents (the timestamp prefix is\n   * just monotonicity for sortability, not exporter activity —\n   * see `bundle/ulid.ts` for the design notes).\n   */\n  readonly handle: string\n  /** Compressed body length in bytes. Lets readers verify completeness without decompressing. */\n  readonly bodyBytes: number\n  /** SHA-256 of the compressed body bytes (lowercase hex). Lets readers verify integrity without decompressing. */\n  readonly bodySha256: string\n  /**\n   * Owner-curated public envelope (`docs/subsystems/public-envelope.md`).\n   * Optional — present only when the source vault has a\n   * `_meta/public-envelope` document AND the writer's hub is opted\n   * into the feature. Treat as **untrusted hint**; the body's\n   * encrypted contents remain the source of truth.\n   *\n   * The envelope deliberately widens the minimum-disclosure rule\n   * for explicit, owner-curated label fields (name, icon, …). Every\n   * other unknown header key still rejects at parse time.\n   */\n  readonly publicEnvelope?: PublicEnvelope\n  /**\n   * Auto-unlock material indicator (#197). When present, the bundle\n   * body wraps the dump JSON in a structure carrying per-user\n   * passphrases — either plaintext (`'unsealed'`, public-by-design)\n   * or sealed under a `SealingKeyProvider` (`'sealed'`, requires\n   * matching provider on the recipient side).\n   *\n   * Visible pre-decompression so cloud listing UIs can warn before\n   * download: \"this bundle opens itself for anyone holding the file\"\n   * (unsealed) or \"this bundle is sealed for a specific provider\"\n   * (sealed).\n   *\n   * Absent → the body is a raw `vault.dump()` JSON string (the\n   * pre-#197 shape; back-compatible).\n   */\n  readonly autoUnlock?: 'unsealed' | 'sealed'\n  /**\n   * Bundle's role in the source → destination lifecycle (#203).\n   *   - omitted / 'snapshot' (default): backup/copy of an existing vault.\n   *   - 'extracted-partition': re-keyed projection awaiting adoption.\n   */\n  readonly bundleKind?: 'snapshot' | 'extracted-partition'\n  /**\n   * Transfer-seal INDICATOR (#206) — metadata only, no payload (the\n   * sealed DEKs live in the body). Present iff\n   * bundleKind === 'extracted-partition'.\n   */\n  readonly transferSeal?: {\n    readonly v: 1\n    readonly alg: 'aes-256-gcm-pre-shared'\n    readonly sealId: string\n  }\n}\n\n/**\n * Allowlist of header keys. Any key not in this set is forbidden\n * and causes `validateBundleHeader` to throw. Kept as a Set for\n * O(1) lookup; the validator iterates over the parsed header and\n * checks each key against this set.\n */\nconst ALLOWED_HEADER_KEYS: ReadonlySet<string> = new Set([\n  'formatVersion',\n  'handle',\n  'bodyBytes',\n  'bodySha256',\n  'publicEnvelope',\n  'autoUnlock',\n  'bundleKind',\n  'transferSeal',\n])\n\n/**\n * Validate a parsed bundle header. Throws on any deviation from\n * the minimum-disclosure schema:\n *\n *   - Missing required field\n *   - Wrong type for any field\n *   - Any extra key not in `ALLOWED_HEADER_KEYS`\n *   - Unsupported `formatVersion`\n *   - Negative or non-integer `bodyBytes`\n *   - Malformed `handle` (must be 26-char Crockford base32)\n *   - Malformed `bodySha256` (must be 64-char lowercase hex)\n *\n * The error messages name the offending field so consumers can\n * fix the producer rather than the reader.\n */\nexport function validateBundleHeader(\n  parsed: unknown,\n): asserts parsed is NoydbBundleHeader {\n  if (parsed === null || typeof parsed !== 'object') {\n    throw new Error(\n      `.noydb bundle header must be a JSON object, got ${parsed === null ? 'null' : typeof parsed}`,\n    )\n  }\n  // Disallow any unknown key — minimum disclosure means we reject\n  // forward-compat extension keys at the format layer; new fields\n  // require a format version bump and a new validator.\n  for (const key of Object.keys(parsed)) {\n    if (!ALLOWED_HEADER_KEYS.has(key)) {\n      throw new Error(\n        `.noydb bundle header contains forbidden key \"${key}\". ` +\n          `Only minimum-disclosure fields are allowed: ` +\n          `${[...ALLOWED_HEADER_KEYS].join(', ')}.`,\n      )\n    }\n  }\n  const h = parsed as Record<string, unknown>\n  if (typeof h['formatVersion'] !== 'number' || h['formatVersion'] !== NOYDB_BUNDLE_FORMAT_VERSION) {\n    throw new Error(\n      `.noydb bundle header.formatVersion must be ${NOYDB_BUNDLE_FORMAT_VERSION}, ` +\n        `got ${String(h['formatVersion'])}. The reader does not support ` +\n        `forward-compat versions; upgrade the reader to handle newer bundles.`,\n    )\n  }\n  if (typeof h['handle'] !== 'string' || !/^[0-9A-HJKMNP-TV-Z]{26}$/.test(h['handle'])) {\n    throw new Error(\n      `.noydb bundle header.handle must be a 26-character Crockford base32 ULID, ` +\n        `got ${typeof h['handle'] === 'string' ? `\"${h['handle']}\"` : String(h['handle'])}.`,\n    )\n  }\n  if (typeof h['bodyBytes'] !== 'number' || !Number.isInteger(h['bodyBytes']) || h['bodyBytes'] < 0) {\n    throw new Error(\n      `.noydb bundle header.bodyBytes must be a non-negative integer, ` +\n        `got ${String(h['bodyBytes'])}.`,\n    )\n  }\n  if (typeof h['bodySha256'] !== 'string' || !/^[0-9a-f]{64}$/.test(h['bodySha256'])) {\n    throw new Error(\n      `.noydb bundle header.bodySha256 must be a 64-character lowercase hex string, ` +\n        `got ${typeof h['bodySha256'] === 'string' ? `\"${h['bodySha256']}\"` : String(h['bodySha256'])}.`,\n    )\n  }\n  if (h['publicEnvelope'] !== undefined) {\n    const env = h['publicEnvelope']\n    if (env === null || typeof env !== 'object' || Array.isArray(env)) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope must be a JSON object when present, got ${typeof env}.`,\n      )\n    }\n    const e = env as Record<string, unknown>\n    if (e['_noydb_public'] !== 1) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope._noydb_public must be 1, got ${String(e['_noydb_public'])}.`,\n      )\n    }\n    if (typeof e['version'] !== 'number' || !Number.isInteger(e['version']) || e['version'] < 1) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope.version must be a positive integer, got ${String(e['version'])}.`,\n      )\n    }\n  }\n  if (h['autoUnlock'] !== undefined) {\n    if (h['autoUnlock'] !== 'unsealed' && h['autoUnlock'] !== 'sealed') {\n      const got = typeof h['autoUnlock'] === 'string' ? `\"${h['autoUnlock']}\"` : typeof h['autoUnlock']\n      throw new Error(\n        `.noydb bundle header.autoUnlock must be 'unsealed' or 'sealed' when present, got ${got}.`,\n      )\n    }\n  }\n  if (h['bundleKind'] !== undefined) {\n    if (h['bundleKind'] !== 'snapshot' && h['bundleKind'] !== 'extracted-partition') {\n      const got = typeof h['bundleKind'] === 'string' ? `\"${h['bundleKind']}\"` : typeof h['bundleKind']\n      throw new Error(\n        `.noydb bundle header.bundleKind must be 'snapshot' or 'extracted-partition' when present, got ${got}.`,\n      )\n    }\n  }\n  if (h['transferSeal'] !== undefined) {\n    const ts = h['transferSeal']\n    if (ts === null || typeof ts !== 'object' || Array.isArray(ts)) {\n      throw new Error(`.noydb bundle header.transferSeal must be a JSON object when present, got ${typeof ts}.`)\n    }\n    const t = ts as Record<string, unknown>\n    if (t['v'] !== 1) {\n      throw new Error(`.noydb bundle header.transferSeal.v must be 1, got ${String(t['v'])}.`)\n    }\n    if (t['alg'] !== 'aes-256-gcm-pre-shared') {\n      throw new Error(`.noydb bundle header.transferSeal.alg must be 'aes-256-gcm-pre-shared', got ${String(t['alg'])}.`)\n    }\n    if (typeof t['sealId'] !== 'string' || t['sealId'].length === 0) {\n      throw new Error(`.noydb bundle header.transferSeal.sealId must be a non-empty string, got ${String(t['sealId'])}.`)\n    }\n  }\n  // Cross-field invariant: the seal indicator and the extracted-partition\n  // kind imply each other. An extracted partition is unlocked via its\n  // transfer seal; a seal without the kind is a malformed header.\n  const isExtracted = h['bundleKind'] === 'extracted-partition'\n  const hasSeal = h['transferSeal'] !== undefined\n  if (hasSeal && !isExtracted) {\n    throw new Error(\n      `.noydb bundle header.transferSeal requires bundleKind === 'extracted-partition'.`,\n    )\n  }\n  if (isExtracted && !hasSeal) {\n    throw new Error(\n      `.noydb bundle header with bundleKind === 'extracted-partition' must carry a transferSeal indicator.`,\n    )\n  }\n  // An extracted partition's unlock path IS the transfer seal. A parallel\n  // autoUnlock credential would create two unlock paths and weaken the\n  // one-time-seal guarantee (spec §12.3). Reject the combination.\n  if (isExtracted && h['autoUnlock'] !== undefined) {\n    throw new Error(\n      `.noydb bundle header cannot carry both autoUnlock and bundleKind === 'extracted-partition' — `\n      + `an extracted partition is unlocked via its transfer seal, not an auto-credential.`,\n    )\n  }\n}\n\n/**\n * Encode a header object to UTF-8 JSON bytes after validating\n * minimum disclosure. Used by the writer to serialize the header\n * region of the container.\n */\nexport function encodeBundleHeader(header: NoydbBundleHeader): Uint8Array {\n  validateBundleHeader(header)\n  // Stable key ordering — JSON.stringify with no replacer uses\n  // insertion order, which is fine here because we control the\n  // object construction. Stable ordering means two bundles with\n  // identical contents produce byte-identical headers.\n  const json = JSON.stringify({\n    formatVersion: header.formatVersion,\n    handle: header.handle,\n    bodyBytes: header.bodyBytes,\n    bodySha256: header.bodySha256,\n    ...(header.publicEnvelope !== undefined ? { publicEnvelope: header.publicEnvelope } : {}),\n    ...(header.autoUnlock !== undefined ? { autoUnlock: header.autoUnlock } : {}),\n    ...(header.bundleKind !== undefined ? { bundleKind: header.bundleKind } : {}),\n    ...(header.transferSeal !== undefined ? { transferSeal: header.transferSeal } : {}),\n  })\n  return new TextEncoder().encode(json)\n}\n\n/**\n * Parse a bundle header from its UTF-8 JSON bytes. Throws on\n * invalid JSON or any minimum-disclosure violation.\n */\nexport function decodeBundleHeader(bytes: Uint8Array): NoydbBundleHeader {\n  const json = new TextDecoder('utf-8', { fatal: true }).decode(bytes)\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(json)\n  } catch (err) {\n    throw new Error(\n      `.noydb bundle header is not valid JSON: ${(err as Error).message}`,\n    )\n  }\n  validateBundleHeader(parsed)\n  return parsed\n}\n\n/**\n * Read a uint32 from `bytes` at `offset` in big-endian byte order.\n * No bounds check — callers must guarantee `offset + 4 <= bytes.length`.\n * Used to decode the header length field; kept inline so the parser\n * doesn't depend on DataView allocation per call.\n */\nexport function readUint32BE(bytes: Uint8Array, offset: number): number {\n  return (\n    (bytes[offset]! << 24 >>> 0) +\n    (bytes[offset + 1]! << 16) +\n    (bytes[offset + 2]! << 8) +\n    bytes[offset + 3]!\n  )\n}\n\n/**\n * Write a uint32 to `bytes` at `offset` in big-endian byte order.\n * No bounds check — callers must guarantee `offset + 4 <= bytes.length`.\n */\nexport function writeUint32BE(bytes: Uint8Array, offset: number, value: number): void {\n  bytes[offset] = (value >>> 24) & 0xff\n  bytes[offset + 1] = (value >>> 16) & 0xff\n  bytes[offset + 2] = (value >>> 8) & 0xff\n  bytes[offset + 3] = value & 0xff\n}\n\n/**\n * Verify the magic prefix of a bundle. Returns true if the first\n * 4 bytes match `NDB1`. Used by readers as a fast file-type check\n * before any further parsing.\n */\nexport function hasNoydbBundleMagic(bytes: Uint8Array): boolean {\n  if (bytes.length < NOYDB_BUNDLE_MAGIC.length) return false\n  for (let i = 0; i < NOYDB_BUNDLE_MAGIC.length; i++) {\n    if (bytes[i] !== NOYDB_BUNDLE_MAGIC[i]) return false\n  }\n  return true\n}\n","/**\n * `.noydb` container primitives — write, read, header-only read.\n *\n *. Wraps a `vault.dump()` JSON string in the\n * binary container described in `format.ts`.\n *\n * **Three primitives:**\n *\n *   - `writeNoydbBundle(vault, opts?)` — produces the\n *     full container bytes ready to write to disk or upload\n *   - `readNoydbBundleHeader(bytes)` — parses just the header\n *     without decompressing the body, fast file-type and\n *     metadata read for cloud listing UIs\n *   - `readNoydbBundle(bytes)` — full read: validates magic,\n *     header, integrity hash, and decompresses the body to\n *     return the original `dump()` JSON string for use with\n *     `vault.load()`\n *\n * **Compression strategy:** brotli when available (Node 22+,\n * Chrome 124+, Firefox 122+), gzip fallback elsewhere. The\n * algorithm choice is encoded in the format byte at offset 5,\n * so readers handle either transparently. Brotli wins ~30-50%\n * on JSON payloads with repeated keys (which vault dumps\n * are).\n *\n * **Why split read/load?** `readNoydbBundle` returns the\n * *unwrapped JSON string*, not a Vault object. The caller\n * is responsible for piping that JSON into\n * `vault.load(json, passphrase)`. Splitting the layers\n * keeps the bundle module free of any crypto/passphrase\n * concerns — it's purely a format layer. The same `readNoydbBundle`\n * call can also feed verification tools, format inspectors, or\n * archive utilities that don't care about decryption.\n */\n\nimport {\n  COMPRESSION_BROTLI,\n  COMPRESSION_GZIP,\n  COMPRESSION_NONE,\n  FLAG_COMPRESSED,\n  FLAG_HAS_INTEGRITY_HASH,\n  NOYDB_BUNDLE_FORMAT_VERSION,\n  NOYDB_BUNDLE_MAGIC,\n  NOYDB_BUNDLE_PREFIX_BYTES,\n  decodeBundleHeader,\n  encodeBundleHeader,\n  hasNoydbBundleMagic,\n  readUint32BE,\n  writeUint32BE,\n  type CompressionAlgo,\n  type NoydbBundleHeader,\n} from './format.js'\nimport { BundleIntegrityError, BundleSealMismatchError, ValidationError } from '../errors.js'\nimport type { Vault } from '../vault.js'\nimport type { BundleRecipient } from '../team/keyring.js'\nimport { pickLocale } from '../meta/public-envelope/storage.js'\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\nimport type { SealingKeyProvider, RecipientSealer, RecipientHint } from '../team/managed-passphrase.js'\n\n// ─── #215 auto-credential types ───────────────────────────────────────────────\n\n/**\n * The credential kinds that can be bundled for auto-unlock.\n * WebAuthn is intentionally excluded — it is hardware-bound and\n * cannot be embedded as a portable credential.\n */\nexport type AutoCredentialKind = 'passphrase' | 'password' | 'pin'\n\n/**\n * A typed credential for auto-unlock. Carries the credential `kind`\n * alongside the plaintext `value`, so consumers can dispatch the\n * correct login/prefill path rather than treating all credentials\n * as passphrases.\n *\n * `bundle.ts` is a pure format layer — it carries the credential\n * without interpreting it. The consumer is responsible for\n * dispatching on `kind`.\n */\nexport interface AutoCredential {\n  readonly kind: AutoCredentialKind\n  readonly value: string\n}\n\n/**\n * Options accepted by `writeNoydbBundle`.\n *\n * - `compression: 'auto'` (default) — try brotli, fall back to gzip\n * - `compression: 'brotli'` — force brotli, throw if unsupported\n * - `compression: 'gzip'` — force gzip\n * - `compression: 'none'` — no compression (round-trip testing only)\n *\n * **Slice filtering** (added in ):\n * - `collections` — allowlist of collection names to include. Internal\n *   collections (keyrings, ledger) and excluded user collections are\n *   dropped from the bundle. Records inside included collections are\n *   carried through verbatim.\n * - `since` — only records whose envelope `_ts` is on/after the given\n *   instant survive. Operates on the unencrypted envelope timestamp,\n *   so plaintext access to records is not required.\n *\n * Both filters intersect (AND). When neither is provided the bundle is\n * a whole-vault snapshot, identical to today's behaviour.\n */\nexport interface WriteNoydbBundleOptions {\n  readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none'\n  /** Allowlist of user-collection names to include. */\n  readonly collections?: readonly string[]\n  /**\n   * Drop records whose envelope `_ts` is strictly older than this\n   * instant. Accepts a `Date` or any ISO-8601 string parseable by\n   * `new Date()`.\n   */\n  readonly since?: Date | string\n  /**\n   * Plaintext-pipeline record predicate. Decrypts each record\n   * with the vault's per-collection DEK, runs the predicate, and\n   * keeps the original ciphertext for survivors (no re-encrypt —\n   * preserves zero-knowledge cleanly). Records the predicate returns\n   * `false` for are dropped from the bundle.\n   *\n   * Async predicates are supported. Mutating the record from inside\n   * the predicate is undefined behaviour.\n   */\n  readonly where?: (\n    record: unknown,\n    ctx: { collection: string; id: string },\n  ) => boolean | Promise<boolean>\n  /**\n   * Hierarchical-tier ceiling. Records whose envelope `_tier`\n   * is strictly greater than this number are dropped. Operates on the\n   * envelope `_tier` (no decryption needed) — vault.exportStream is\n   * referenced in the issue body for symmetry, but the tier value\n   * lives on the unencrypted envelope. Vault without tiers is a no-op.\n   */\n  readonly tierAtMost?: number\n  /**\n   * Single-recipient re-keying shorthand. When set, the\n   * bundle's keyring is replaced with one freshly-derived entry sealed\n   * with this passphrase. The recipient inherits the source keyring's\n   * userId, role, and permissions. Mutually exclusive with `recipients`.\n   */\n  readonly exportPassphrase?: string\n  /**\n   * Multi-recipient re-keying. Replaces the bundle's keyring\n   * map with one slot per recipient, each sealed with its own\n   * passphrase. DEKs are unwrapped from the source keyring once and\n   * re-wrapped per recipient — record ciphertext is unchanged.\n   *\n   * Mutually exclusive with `exportPassphrase`. When neither is set,\n   * the bundle inherits the source keyring as-is (today's behaviour,\n   * suited to personal backup-and-restore).\n   */\n  readonly recipients?: readonly BundleRecipient[]\n  /**\n   * Auto-unlock — unsealed per-user credentials (#215).\n   *\n   * Generalises `autoPassphrases` to support any bundleable credential\n   * kind (`passphrase` | `password` | `pin`).\n   *\n   * Public-by-design: anyone holding the bundle bytes can read these\n   * plaintext credentials. Use for demo data, sample vaults,\n   * prospect onboarding.\n   *\n   * The `policy: 'public-by-design'` discriminant is mandatory. A\n   * bare `{ perUser }` without it is rejected at write time — the\n   * safety net against a careless call against a production vault.\n   *\n   * Mutually exclusive with `sealedCredentials`, `autoPassphrases`,\n   * and `sealedPassphrases`.\n   */\n  readonly autoCredentials?: {\n    readonly policy: 'public-by-design'\n    readonly perUser: Record<string, AutoCredential>\n  }\n  /**\n   * Auto-unlock — per-user credentials sealed under a\n   * {@link SealingKeyProvider} (#215).\n   *\n   * Generalises `sealedPassphrases` to support any bundleable\n   * credential kind (`passphrase` | `password` | `pin`).\n   *\n   * The hub seals each user's plaintext credential under `provider`\n   * and embeds the resulting sealed envelopes in the bundle. The\n   * recipient must hold a provider with a matching `pid` (i.e.,\n   * `provider.id`) to auto-unseal on import.\n   *\n   * `mode: 'self-target'` — sender and recipient share the same\n   * provider identity (same iCloud Keychain entry, same\n   * MDM-provisioned bundle id, same KMS account, etc.).\n   *\n   * `mode: 'recipient-target'` — asymmetric sealing via a\n   * {@link RecipientSealer}. Each user entry carries a\n   * `credential` and a `hint` (the recipient's public material).\n   * The bundle can only be unsealed by the holder of the matching\n   * private key.\n   *\n   * Mutually exclusive with `autoCredentials`, `autoPassphrases`,\n   * and `sealedPassphrases`.\n   */\n  readonly sealedCredentials?:\n    | {\n        readonly mode: 'self-target'\n        readonly provider: SealingKeyProvider\n        readonly perUser: Record<string, AutoCredential>\n      }\n    | {\n        readonly mode: 'recipient-target'\n        readonly provider: RecipientSealer\n        readonly perUser: Record<string, { readonly credential: AutoCredential; readonly hint: RecipientHint }>\n      }\n  /**\n   * @deprecated Use `autoCredentials` instead (#215).\n   *\n   * Auto-unlock — unsealed per-user passphrases (#197 slice 1).\n   *\n   * Public-by-design: anyone holding the bundle bytes can read these\n   * plaintext credentials. Use for demo data, sample vaults,\n   * prospect onboarding.\n   *\n   * The `policy: 'public-by-design'` discriminant is mandatory. A\n   * bare `{ perUser }` without it is rejected at write time — the\n   * safety net against a careless call against a production vault.\n   *\n   * Mutually exclusive with `autoCredentials`, `sealedCredentials`,\n   * and `sealedPassphrases`.\n   */\n  readonly autoPassphrases?: {\n    readonly policy: 'public-by-design'\n    readonly perUser: Record<string, string>\n  }\n  /**\n   * @deprecated Use `sealedCredentials` instead (#215).\n   *\n   * Auto-unlock — per-user passphrases sealed under a\n   * {@link SealingKeyProvider} (#197 slice 1, self-target only).\n   *\n   * The hub seals each user's plaintext passphrase under `provider`\n   * and embeds the resulting sealed envelopes in the bundle. The\n   * recipient must hold a provider with a matching `pid` (i.e.,\n   * `provider.id`) to auto-unseal on import.\n   *\n   * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender\n   * and recipient share the same provider identity (same iCloud Keychain\n   * entry, same MDM-provisioned bundle id, same KMS account, etc.).\n   * For recipient-target sealing via the `RecipientSealer` interface,\n   * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).\n   *\n   * Mutually exclusive with `autoCredentials`, `sealedCredentials`,\n   * and `autoPassphrases`.\n   */\n  readonly sealedPassphrases?: {\n    readonly mode: 'self-target'\n    readonly provider: SealingKeyProvider\n    readonly perUser: Record<string, string>\n  }\n}\n\n/**\n * Result returned by `readNoydbBundle`. The caller is expected to\n * pass `dumpJson` into `vault.load(json, passphrase)` to\n * actually restore a vault. Splitting the layers keeps the\n * bundle module free of crypto concerns — see file-level docs.\n */\nexport interface NoydbBundleReadResult {\n  readonly header: NoydbBundleHeader\n  readonly dumpJson: string\n  /**\n   * Auto-unlock material (#197, widened in #215). Present only when\n   * the header's `autoUnlock` flag is set AND the body's wrapped\n   * structure survived parsing. Values are typed credentials — either\n   * delivered plain (`kind: 'unsealed'`) or unsealed at read time\n   * using one of the supplied `sealingProviders` (`kind: 'sealed'`).\n   *\n   * Consumers dispatch on `cred.kind` to choose the correct login /\n   * prefill path. Pre-0.2 bundles (bare string entries) are coerced\n   * to `{ kind: 'passphrase', value }` on read for back-compat.\n   *\n   * For `kind: 'sealed'` bundles read without `sealingProviders`, the\n   * `value` field is the raw base64 sealed bytes — opaque to the\n   * consumer until unsealed elsewhere.\n   */\n  readonly autoUnlock?: {\n    readonly kind: 'unsealed' | 'sealed'\n    readonly perUser: Record<string, AutoCredential>\n  }\n}\n\n/**\n * Sealed credential entry as it appears in the bundle body's\n * `_autoUnlock.perUser` map when the bundle was written with\n * `sealedCredentials` (or the deprecated `sealedPassphrases`).\n * Provider's sealed output is base64-encoded; the `pid` is the\n * dispatch key matched against recipient-supplied\n * `SealingKeyProvider.id`. The `kind` carries the plaintext-tier\n * metadata so the consumer can dispatch on credential type without\n * unsealing first.\n *\n * Back-compat: `kind` is absent in pre-0.2 bundles — readers must\n * default to `'passphrase'` when not present.\n */\ninterface SealedAutoUnlockEntry {\n  readonly pid: string\n  readonly sealed: string\n  readonly alg: 'aes-256-gcm'\n  readonly kind?: AutoCredentialKind\n  /**\n   * Recipient-target only: the RecipientHint the sender used to seal.\n   * Carried for recipient verifiability (\"yes this was sealed against\n   * my published hint\"). Self-target entries omit it. Pre-0.2 readers\n   * ignore unknown fields, so this is back-compatible.\n   */\n  readonly hint?: RecipientHint\n}\n\n/**\n * Discriminated wrapper carried in the bundle body when the header's\n * `autoUnlock` flag is set. Without the flag, the body is the raw\n * `vault.dump()` JSON string (the pre-#197 shape).\n *\n * Back-compat: pre-0.2 bundles carry bare `string` values in the\n * unsealed `perUser` map. Readers must coerce those to\n * `{ kind: 'passphrase', value }`.\n */\ninterface AutoUnlockBody {\n  readonly _noydb_bundle_body: 1\n  readonly dump: string\n  readonly _autoUnlock:\n    | { readonly kind: 'unsealed'; readonly perUser: Record<string, AutoCredential | string> }\n    | { readonly kind: 'sealed'; readonly perUser: Record<string, SealedAutoUnlockEntry> }\n}\n\n/**\n * Options accepted by {@link readNoydbBundle} for the #197\n * auto-unlock paths. Without these the reader behaves exactly as\n * pre-#197 (header parsed; body returned as `dumpJson`).\n */\nexport interface ReadNoydbBundleOptions {\n  /**\n   * Recipient-side sealing providers used to unseal entries from\n   * `sealedPassphrases`. The reader picks the one whose `.id`\n   * matches each entry's `pid`. Multiple providers may be supplied\n   * (different users may seal under different identities).\n   *\n   * When unset and the bundle carries sealed envelopes, the\n   * `autoUnlock.perUser` map remains the SEALED entries unmodified\n   * — callers can inspect them or unseal elsewhere.\n   */\n  readonly sealingProviders?: readonly SealingKeyProvider[]\n  /**\n   * Opt-in trial mode for unsealing — when an entry's `pid` doesn't\n   * match a registered provider, try each provider whose alg\n   * matches. Default `false` (strict-pid dispatch per foundation\n   * §11.9.2). Surfaces extra credential prompts; use deliberately.\n   */\n  readonly attemptUnsealAcrossProviders?: boolean\n}\n\n// ─── #197/#215 auto-unlock helpers ────────────────────────────────────────────\n\n/**\n * Internal normalized form of the auto-unlock options, computed once\n * from the four public-facing fields (autoCredentials, sealedCredentials,\n * autoPassphrases, sealedPassphrases). Callers work against this shape\n * so the build + validate paths share a single normalizer.\n */\ninterface NormalizedAutoUnlock {\n  readonly mode: 'unsealed' | 'sealed-self' | 'sealed-recipient'\n  readonly provider?: SealingKeyProvider | RecipientSealer\n  readonly perUser: Record<string, AutoCredential>\n  /** Present only for `sealed-recipient`. Same key set as `perUser`. */\n  readonly hints?: Record<string, RecipientHint>\n}\n\n/**\n * Coerce a `Record<string, string>` (legacy passphrase-only map) into\n * a `Record<string, AutoCredential>` by tagging each entry as\n * `kind: 'passphrase'`. Used by the normalizer to promote the deprecated\n * `autoPassphrases`/`sealedPassphrases` sugar.\n */\nfunction toAutoCredentials(m: Record<string, string>): Record<string, AutoCredential> {\n  return Object.fromEntries(\n    Object.entries(m).map(([u, value]) => [u, { kind: 'passphrase' as const, value }]),\n  )\n}\n\n/**\n * Normalize the four auto-unlock option fields into a single\n * `NormalizedAutoUnlock` (or `null` when none is set). Enforces mutual\n * exclusion — exactly one of the four may be present. Promotes the\n * deprecated sugar fields to `AutoCredential` shape.\n *\n * Does NOT validate field-level constraints (policy marker, perUser\n * length, mode, provider presence, kind allowlist) — those are checked\n * in `validateAutoUnlockOptions` after normalization.\n */\nfunction normalizeAutoUnlock(opts: WriteNoydbBundleOptions): NormalizedAutoUnlock | null {\n  const set = [\n    opts.autoCredentials,\n    opts.sealedCredentials,\n    opts.autoPassphrases,\n    opts.sealedPassphrases,\n  ].filter(v => v !== undefined).length\n  if (set === 0) return null\n  if (set > 1) {\n    throw new ValidationError(\n      'writeNoydbBundle: only one of autoCredentials / sealedCredentials / '\n      + 'autoPassphrases / sealedPassphrases may be set.',\n    )\n  }\n  if (opts.autoCredentials !== undefined) {\n    return { mode: 'unsealed', perUser: opts.autoCredentials.perUser }\n  }\n  if (opts.autoPassphrases !== undefined) {\n    return { mode: 'unsealed', perUser: toAutoCredentials(opts.autoPassphrases.perUser) }\n  }\n  if (opts.sealedCredentials !== undefined) {\n    if (opts.sealedCredentials.mode === 'recipient-target') {\n      const perUser: Record<string, AutoCredential> = {}\n      const hints: Record<string, RecipientHint> = {}\n      for (const [userId, entry] of Object.entries(opts.sealedCredentials.perUser)) {\n        perUser[userId] = entry.credential\n        hints[userId] = entry.hint\n      }\n      return { mode: 'sealed-recipient', provider: opts.sealedCredentials.provider, perUser, hints }\n    }\n    return { mode: 'sealed-self', provider: opts.sealedCredentials.provider, perUser: opts.sealedCredentials.perUser }\n  }\n  // sealedPassphrases — only remaining option\n  return {\n    mode: 'sealed-self',\n    provider: opts.sealedPassphrases!.provider,\n    perUser: toAutoCredentials(opts.sealedPassphrases!.perUser),\n  }\n}\n\n/**\n * Validate the auto-unlock options and return the resulting header\n * `autoUnlock` value (or null when no auto-unlock requested).\n *\n * Takes the pre-computed `NormalizedAutoUnlock` so the caller (i.e.\n * `writeNoydbBundle`) can pass the same object to `buildAutoUnlockWrapper`\n * without a second `normalizeAutoUnlock` call.\n *\n * Validation per spec (#197 + #215 §3):\n *   - (mutual exclusion already enforced by normalizeAutoUnlock)\n *   - unsealed path: `policy: 'public-by-design'` marker required\n *   - non-empty `perUser` maps\n *   - sealed path: provider present; both `mode: 'self-target'` and `mode: 'recipient-target'` accepted; recipient-target requires a `RecipientSealer` provider and per-user `hint` (§11.4)\n *   - every AutoCredential.kind ∈ {passphrase, password, pin}\n *     (WebAuthn is hardware-bound and cannot be bundled)\n *\n * Throws {@link ValidationError} on any violation.\n */\nfunction validateAutoUnlockOptions(\n  opts: WriteNoydbBundleOptions,\n  normalized: NormalizedAutoUnlock | null,\n): 'unsealed' | 'sealed' | null {\n  if (normalized === null) return null\n\n  const VALID_KINDS: ReadonlySet<string> = new Set(['passphrase', 'password', 'pin'])\n\n  // Validate every credential kind before any further checks.\n  for (const [userId, cred] of Object.entries(normalized.perUser)) {\n    if (!VALID_KINDS.has(cred.kind)) {\n      throw new ValidationError(\n        `writeNoydbBundle: credential for user '${userId}' has unsupported kind '${cred.kind}'. `\n        + 'auto-unlock supports passphrase/password/pin only; WebAuthn is hardware-bound '\n        + 'and cannot be bundled.',\n      )\n    }\n  }\n\n  if (normalized.mode === 'unsealed') {\n    // Read the policy marker from whichever active option carries it.\n    const policy = opts.autoCredentials?.policy ?? opts.autoPassphrases?.policy\n    if (policy !== 'public-by-design') {\n      throw new ValidationError(\n        'writeNoydbBundle: `autoCredentials` (or `autoPassphrases`) requires '\n        + '`policy: \"public-by-design\"`. '\n        + 'This is an explicit opt-in marker — bundling plaintext credentials is '\n        + 'safe only when those credentials are intended to be public (demo data, '\n        + 'sample vaults). For production credentials, use `sealedCredentials` instead.',\n      )\n    }\n    const userCount = Object.keys(normalized.perUser).length\n    if (userCount === 0) {\n      throw new ValidationError(\n        'writeNoydbBundle: `autoCredentials.perUser` (or `autoPassphrases.perUser`) '\n        + 'must have at least one entry.',\n      )\n    }\n    return 'unsealed'\n  }\n\n  // Sealed path — branch on mode.\n  if (normalized.mode === 'sealed-recipient') {\n    const provider = normalized.provider\n    if (provider === undefined || typeof (provider as RecipientSealer).publishRecipientHint !== 'function'\n        || typeof (provider as RecipientSealer).sealForRecipient !== 'function') {\n      throw new ValidationError(\n        'writeNoydbBundle: `sealedCredentials.provider` for mode \\'recipient-target\\' must be a '\n        + 'RecipientSealer (publishRecipientHint + sealForRecipient). Self-only providers '\n        + '(MemorySealingKeyProvider, at-macos-keychain, etc.) do not satisfy this contract.',\n      )\n    }\n    const hints = normalized.hints\n    if (hints === undefined) {\n      throw new Error('unreachable — sealed-recipient normalization must populate hints')\n    }\n    for (const userId of Object.keys(normalized.perUser)) {\n      const hint = hints[userId]\n      if (hint === undefined) {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}']\\` missing required \\`hint\\` for mode 'recipient-target'.`,\n        )\n      }\n      if (hint.v !== 1) {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}'].hint.v\\` must be 1 (got ${String(hint.v)}).`,\n        )\n      }\n      if (typeof hint.pid !== 'string' || hint.pid.length === 0) {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}'].hint.pid\\` must be a non-empty string identifying the recipient.`,\n        )\n      }\n      if (hint.alg !== 'rsa-oaep-sha256') {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}'].hint.alg\\` must be 'rsa-oaep-sha256' in slice 1 (got '${String(hint.alg)}').`,\n        )\n      }\n      // Note: hint.pid identifies the recipient, not the sender — no pid===sender.id check here.\n      // The sender holds a RecipientSealer that calls sealForRecipient(plaintext, hint);\n      // the hint's pid is the dispatch key on the reader side (matched against recipient providers).\n    }\n    const userCount = Object.keys(normalized.perUser).length\n    if (userCount === 0) {\n      throw new ValidationError(\n        'writeNoydbBundle: `sealedCredentials.perUser` must have at least one entry.',\n      )\n    }\n    return 'sealed'\n  }\n\n  // mode === 'sealed-self'\n  const selfTargetMode = opts.sealedCredentials?.mode ?? opts.sealedPassphrases?.mode\n  if (selfTargetMode !== 'self-target') {\n    throw new ValidationError(\n      `writeNoydbBundle: \\`sealedCredentials.mode\\` (or \\`sealedPassphrases.mode\\`) must be `\n      + `'self-target' or 'recipient-target' (got '${String(selfTargetMode)}').`,\n    )\n  }\n  if (normalized.provider === undefined) {\n    throw new ValidationError(\n      'writeNoydbBundle: `sealedCredentials.provider` (or `sealedPassphrases.provider`) '\n      + 'is required (a `SealingKeyProvider`).',\n    )\n  }\n  const userCount = Object.keys(normalized.perUser).length\n  if (userCount === 0) {\n    throw new ValidationError(\n      'writeNoydbBundle: `sealedCredentials.perUser` (or `sealedPassphrases.perUser`) '\n      + 'must have at least one entry.',\n    )\n  }\n  return 'sealed'\n}\n\n/**\n * Build the body wrapper carrying the dump + `_autoUnlock` blob.\n * Takes the pre-computed `NormalizedAutoUnlock` so both validate and\n * build work off the same normalized form (no double-normalize).\n */\nasync function buildAutoUnlockWrapper(\n  dumpJson: string,\n  normalized: NormalizedAutoUnlock,\n): Promise<AutoUnlockBody> {\n  if (normalized.mode === 'unsealed') {\n    return {\n      _noydb_bundle_body: 1,\n      dump: dumpJson,\n      _autoUnlock: {\n        kind: 'unsealed',\n        perUser: { ...normalized.perUser },\n      },\n    }\n  }\n  // Sealed path — branch on mode.\n  const provider = normalized.provider\n  if (provider === undefined) {\n    throw new Error('unreachable — validation should have caught this')\n  }\n  const sealedPerUser: Record<string, SealedAutoUnlockEntry> = {}\n  const encoder = new TextEncoder()\n\n  if (normalized.mode === 'sealed-recipient') {\n    const recipientSealer = provider as RecipientSealer\n    const hints = normalized.hints\n    if (hints === undefined) {\n      throw new Error('unreachable — sealed-recipient normalization must populate hints')\n    }\n    for (const [userId, cred] of Object.entries(normalized.perUser)) {\n      const hint = hints[userId]!\n      const sealed = await recipientSealer.sealForRecipient(encoder.encode(cred.value), hint)\n      sealedPerUser[userId] = {\n        pid: hint.pid,                  // use the recipient's pid, not the sender's\n        sealed: bytesToBase64(sealed),\n        alg: 'aes-256-gcm',\n        kind: cred.kind,\n        hint,\n      }\n    }\n  } else {\n    // mode === 'sealed-self'\n    const selfSealer = provider as SealingKeyProvider\n    for (const [userId, cred] of Object.entries(normalized.perUser)) {\n      const sealed = await selfSealer.seal(encoder.encode(cred.value))\n      sealedPerUser[userId] = {\n        pid: selfSealer.id,\n        sealed: bytesToBase64(sealed),\n        alg: 'aes-256-gcm',\n        kind: cred.kind,\n      }\n    }\n  }\n\n  return {\n    _noydb_bundle_body: 1,\n    dump: dumpJson,\n    _autoUnlock: { kind: 'sealed', perUser: sealedPerUser },\n  }\n}\n\n/**\n * Parse the body bytes when the header signaled an auto-unlock.\n * Returns the inner `dump` JSON string + the `_autoUnlock` blob;\n * throws if the wrapper structure is malformed.\n */\nfunction parseAutoUnlockBody(bodyString: string): { dump: string; blob: AutoUnlockBody['_autoUnlock'] } {\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(bodyString)\n  } catch (err) {\n    throw new BundleIntegrityError(\n      'header declared autoUnlock but body could not be parsed as JSON wrapper: '\n      + (err instanceof Error ? err.message : String(err)),\n    )\n  }\n  if (typeof parsed !== 'object' || parsed === null) {\n    throw new BundleIntegrityError('autoUnlock body is not a JSON object')\n  }\n  const obj = parsed as Record<string, unknown>\n  if (obj['_noydb_bundle_body'] !== 1) {\n    throw new BundleIntegrityError(\n      'autoUnlock body missing `_noydb_bundle_body: 1` discriminator',\n    )\n  }\n  if (typeof obj['dump'] !== 'string') {\n    throw new BundleIntegrityError('autoUnlock body must carry a string `dump` field')\n  }\n  const blob = obj['_autoUnlock']\n  if (typeof blob !== 'object' || blob === null) {\n    throw new BundleIntegrityError('autoUnlock body missing `_autoUnlock` blob')\n  }\n  const blobObj = blob as Record<string, unknown>\n  const kind = blobObj['kind']\n  if (kind !== 'unsealed' && kind !== 'sealed') {\n    throw new BundleIntegrityError(\n      `autoUnlock blob has invalid kind ${String(kind)}; expected 'unsealed' or 'sealed'`,\n    )\n  }\n  return {\n    dump: obj['dump'],\n    blob: blob as AutoUnlockBody['_autoUnlock'],\n  }\n}\n\n/**\n * Transfer-seal payload (#206). The destination DEKs, exported to raw\n * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer\n * key. `adoptPartition` (#207) unseals this; `createOwnerOnAdoptedPartition`\n * (#208) re-wraps the raw DEKs under the recipient's KEK.\n */\nexport interface TransferSealPayload {\n  readonly v: 1\n  readonly alg: 'aes-256-gcm-pre-shared'\n  readonly sealId: string\n  /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */\n  readonly payload: string\n}\n\n/**\n * Body wrapper for an extracted, transfer-sealed partition (#203/#206).\n * Sibling to {@link AutoUnlockBody}; selected by `header.bundleKind ===\n * 'extracted-partition'`. The inner `dump` is a re-keyed projection with\n * an empty `keyrings` map.\n */\nexport interface ExtractedPartitionBody {\n  readonly _noydb_bundle_body: 1\n  readonly dump: string\n  readonly _transferSeal: TransferSealPayload\n}\n\nexport function buildExtractedPartitionWrapper(\n  dumpJson: string,\n  seal: TransferSealPayload,\n): ExtractedPartitionBody {\n  return { _noydb_bundle_body: 1, dump: dumpJson, _transferSeal: seal }\n}\n\nexport function parseExtractedPartitionBody(\n  bodyString: string,\n): { dump: string; seal: TransferSealPayload } {\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(bodyString)\n  } catch (err) {\n    throw new BundleIntegrityError(\n      'header declared extracted-partition but body could not be parsed as JSON wrapper: '\n      + (err instanceof Error ? err.message : String(err)),\n    )\n  }\n  if (typeof parsed !== 'object' || parsed === null) {\n    throw new BundleIntegrityError('extracted-partition body is not a JSON object')\n  }\n  const obj = parsed as Record<string, unknown>\n  if (obj['_noydb_bundle_body'] !== 1) {\n    throw new BundleIntegrityError(\n      'extracted-partition body missing `_noydb_bundle_body: 1` discriminator',\n    )\n  }\n  if (typeof obj['dump'] !== 'string') {\n    throw new BundleIntegrityError('extracted-partition body must carry a string `dump` field')\n  }\n  const seal = obj['_transferSeal']\n  if (typeof seal !== 'object' || seal === null) {\n    throw new BundleIntegrityError('extracted-partition body missing `_transferSeal` blob')\n  }\n  const s = seal as Record<string, unknown>\n  if (s['v'] !== 1 || s['alg'] !== 'aes-256-gcm-pre-shared'\n      || typeof s['sealId'] !== 'string' || typeof s['payload'] !== 'string') {\n    throw new BundleIntegrityError('extracted-partition `_transferSeal` blob is malformed')\n  }\n  return { dump: obj['dump'], seal: seal as TransferSealPayload }\n}\n\n/**\n * Coerce an unsealed perUser entry to `AutoCredential`. Pre-0.2 bundles\n * store bare strings; 0.2+ bundles store `{ kind, value }` objects.\n */\nfunction coerceUnsealed(entry: AutoCredential | string): AutoCredential {\n  if (typeof entry === 'string') return { kind: 'passphrase', value: entry }\n  return entry\n}\n\n/**\n * Resolve the `_autoUnlock` blob into a typed per-user credential map.\n *\n * - For `kind: 'unsealed'`: pass through, coercing pre-0.2 bare strings\n *   to `{ kind: 'passphrase', value }`.\n * - For `kind: 'sealed'`: pick a `SealingKeyProvider` from\n *   `opts.sealingProviders` whose `.id` matches each entry's `pid`;\n *   unseal to `AutoCredential`. When no provider matches AND strict mode\n *   (default), throw `BundleSealMismatchError`. With\n *   `attemptUnsealAcrossProviders: true`, try each provider whose\n *   `alg` matches the envelope.\n *   Exception: if an unmatched entry carries a `hint` field (recipient-target\n *   entries), it passes through as `{ kind, value: base64sealed }` rather than\n *   throwing — multi-recipient bundles have N-1 unmatched entries from each\n *   recipient's perspective, and the consumer is expected to ignore entries\n *   not addressed to them.\n * - When `sealingProviders` is unset entirely on a `'sealed'` bundle,\n *   pass through the SEALED entries as `{ kind, value: base64sealed }` —\n *   the caller can inspect or unseal elsewhere.\n *\n * Pre-0.2 sealed entries missing `kind` default to `'passphrase'`.\n */\nasync function resolveAutoUnlock(\n  blob: AutoUnlockBody['_autoUnlock'],\n  opts: ReadNoydbBundleOptions,\n): Promise<{ kind: 'unsealed' | 'sealed'; perUser: Record<string, AutoCredential> }> {\n  if (blob.kind === 'unsealed') {\n    const resolved: Record<string, AutoCredential> = {}\n    for (const [userId, entry] of Object.entries(blob.perUser)) {\n      resolved[userId] = coerceUnsealed(entry)\n    }\n    return { kind: 'unsealed', perUser: resolved }\n  }\n  // Sealed path.\n  if (opts.sealingProviders === undefined || opts.sealingProviders.length === 0) {\n    // Inspection mode — pass the sealed payload through as a typed\n    // credential whose `value` is the opaque base64 sealed bytes.\n    // The caller is signalled by `kind: 'sealed'` on the outer result.\n    const passthrough: Record<string, AutoCredential> = {}\n    for (const [userId, entry] of Object.entries(blob.perUser)) {\n      passthrough[userId] = { kind: entry.kind ?? 'passphrase', value: entry.sealed }\n    }\n    return { kind: 'sealed', perUser: passthrough }\n  }\n  const providersByPid = new Map<string, SealingKeyProvider>()\n  for (const p of opts.sealingProviders) providersByPid.set(p.id, p)\n\n  const decoder = new TextDecoder()\n  const unsealedMap: Record<string, AutoCredential> = {}\n\n  for (const [userId, entry] of Object.entries(blob.perUser)) {\n    const credKind: AutoCredentialKind = entry.kind ?? 'passphrase'\n    const provider = providersByPid.get(entry.pid)\n    if (provider === undefined) {\n      if (opts.attemptUnsealAcrossProviders === true) {\n        // Try each provider; first that succeeds wins.\n        let opened: string | null = null\n        for (const candidate of opts.sealingProviders) {\n          try {\n            const plaintextBytes = await candidate.unseal(base64ToBytes(entry.sealed))\n            opened = decoder.decode(plaintextBytes)\n            break\n          } catch {\n            // try next\n          }\n        }\n        if (opened === null) {\n          if (entry.hint !== undefined) {\n            // Recipient-target entry not addressed to any held key — pass through sealed.\n            // Other recipients' entries in a multi-recipient bundle are opaque to us.\n            unsealedMap[userId] = { kind: credKind, value: entry.sealed }\n            continue\n          }\n          throw new BundleSealMismatchError(userId, entry.pid)\n        }\n        unsealedMap[userId] = { kind: credKind, value: opened }\n        continue\n      }\n      if (entry.hint !== undefined) {\n        // Recipient-target entry not addressed to any held key — pass through sealed.\n        // Multi-recipient bundles deliberately seal each user's entry under their own\n        // public key; a reader holding only alice's key will not match bob's pid.\n        unsealedMap[userId] = { kind: credKind, value: entry.sealed }\n        continue\n      }\n      throw new BundleSealMismatchError(userId, entry.pid)\n    }\n    const plaintextBytes = await provider.unseal(base64ToBytes(entry.sealed))\n    unsealedMap[userId] = { kind: credKind, value: decoder.decode(plaintextBytes) }\n  }\n  return { kind: 'sealed', perUser: unsealedMap }\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n  let binary = ''\n  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]!)\n  return btoa(binary)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  const binary = atob(b64)\n  const out = new Uint8Array(binary.length)\n  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i)\n  return out\n}\n\n/**\n * Detect whether the runtime's `CompressionStream` supports brotli.\n *\n * Brotli requires Node 22+ / Chrome 124+ / Firefox 122+. The\n * detection runs the `CompressionStream` constructor in a\n * try/catch — unsupported formats throw `TypeError` synchronously,\n * making this a safe one-shot check that we cache for the\n * lifetime of the process.\n */\nlet cachedBrotliSupport: boolean | null = null\nfunction supportsBrotliCompression(): boolean {\n  if (cachedBrotliSupport !== null) return cachedBrotliSupport\n  try {\n    new CompressionStream('br' as CompressionFormat)\n    cachedBrotliSupport = true\n  } catch {\n    cachedBrotliSupport = false\n  }\n  return cachedBrotliSupport\n}\n\n/** Test-only: reset the brotli detection cache between tests. */\nexport function resetBrotliSupportCache(): void {\n  cachedBrotliSupport = null\n}\n\n/**\n * Pick the compression algorithm and the corresponding format byte\n * from a user option. Throws if the user explicitly requests brotli\n * on a runtime that doesn't support it — a silent fallback would\n * make the produced bundle smaller-than-expected and confuse\n * size-bound tests.\n */\nfunction selectCompression(option: WriteNoydbBundleOptions['compression']): {\n  format: CompressionAlgo\n  streamFormat: CompressionFormat | null\n} {\n  const choice = option ?? 'auto'\n  if (choice === 'none') return { format: COMPRESSION_NONE, streamFormat: null }\n  if (choice === 'gzip') return { format: COMPRESSION_GZIP, streamFormat: 'gzip' }\n  if (choice === 'brotli') {\n    if (!supportsBrotliCompression()) {\n      throw new Error(\n        `writeNoydbBundle({ compression: 'brotli' }) is not supported on this ` +\n          `runtime. Brotli requires Node 22+, Chrome 124+, or Firefox 122+. ` +\n          `Use { compression: 'auto' } to fall back to gzip silently, or ` +\n          `{ compression: 'gzip' } to be explicit.`,\n      )\n    }\n    return { format: COMPRESSION_BROTLI, streamFormat: 'br' as CompressionFormat }\n  }\n  // 'auto' — prefer brotli, fall back to gzip\n  if (supportsBrotliCompression()) {\n    return { format: COMPRESSION_BROTLI, streamFormat: 'br' as CompressionFormat }\n  }\n  return { format: COMPRESSION_GZIP, streamFormat: 'gzip' }\n}\n\n/**\n * Pump a Uint8Array through a CompressionStream / DecompressionStream\n * and collect the output. Both APIs are universally available in\n * Node 18+ and modern browsers; the only variance is which\n * formats they support, handled by `selectCompression` above.\n *\n * Implementation: build a single-chunk ReadableStream from the\n * input, pipe through the transform, then drain the resulting\n * ReadableStream into a single concatenated Uint8Array. This is\n * O(N) memory in the input + output sizes, which is fine for the\n * dump-sized payloads (typically <50MB) targets.\n */\nasync function pumpThroughStream(\n  input: Uint8Array,\n  stream: CompressionStream | DecompressionStream,\n): Promise<Uint8Array> {\n  const readable = new Blob([input as BlobPart]).stream().pipeThrough(stream)\n  const reader = readable.getReader()\n  const chunks: Uint8Array[] = []\n  let total = 0\n  for (;;) {\n    const { value, done } = await reader.read()\n    if (done) break\n    if (value) {\n      chunks.push(value as Uint8Array)\n      total += value.length\n    }\n  }\n  const out = new Uint8Array(total)\n  let offset = 0\n  for (const chunk of chunks) {\n    out.set(chunk, offset)\n    offset += chunk.length\n  }\n  return out\n}\n\n/**\n * SHA-256 hex digest of `bytes`. Used for the bundle integrity\n * hash carried in the header. Web Crypto API only — no Node\n * crypto module, no third-party hash library.\n *\n * The output format is lowercase hex (64 chars for SHA-256). The\n * format validator pins this — uppercase or mixed-case digests\n * are rejected, so the writer and reader agree on canonicalization.\n */\nasync function sha256Hex(bytes: Uint8Array): Promise<string> {\n  // Copy into a fresh ArrayBuffer-backed Uint8Array. The\n  // underlying buffer of `bytes` may be SharedArrayBuffer (e.g.\n  // from a worker), which `subtle.digest` rejects via TypeScript's\n  // BufferSource type. Allocating a fresh ArrayBuffer-backed view\n  // sidesteps the type narrowing and is portable across all\n  // runtimes — the copy cost is O(N) but bundle bodies are\n  // typically <50MB, well below the threshold where the copy\n  // matters.\n  const copy = new Uint8Array(bytes.length)\n  copy.set(bytes)\n  const digest = await crypto.subtle.digest('SHA-256', copy)\n  const view = new Uint8Array(digest)\n  let hex = ''\n  for (let i = 0; i < view.length; i++) {\n    hex += view[i]!.toString(16).padStart(2, '0')\n  }\n  return hex\n}\n\n/**\n * Concatenate any number of Uint8Arrays into a single new buffer.\n * Used to assemble the final bundle from its prefix + header +\n * body parts.\n */\nfunction concatBytes(parts: readonly Uint8Array[]): Uint8Array {\n  let total = 0\n  for (const p of parts) total += p.length\n  const out = new Uint8Array(total)\n  let offset = 0\n  for (const p of parts) {\n    out.set(p, offset)\n    offset += p.length\n  }\n  return out\n}\n\n/**\n * Replace the bundle's keyrings with freshly built recipient slots,\n * one per supplied recipient. No-op when neither `exportPassphrase`\n * nor `recipients` is set — the source keyring is inherited as-is.\n *\n * The single-passphrase shorthand creates a one-recipient list whose\n * id, role, and permissions inherit from the source vault — useful\n * for \"back up to a different passphrase\" without changing role\n * semantics. The multi-recipient form wraps each slot independently\n * with its declared role + permissions.\n *\n * @internal\n */\nasync function applyRecipientRewrap(\n  vault: Vault,\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): Promise<string> {\n  if (opts.exportPassphrase === undefined && opts.recipients === undefined) {\n    return dumpJson\n  }\n\n  const recipients: readonly BundleRecipient[] =\n    opts.recipients ?? [\n      {\n        id: vault.userId,\n        passphrase: opts.exportPassphrase as string,\n        role: vault.role,\n      },\n    ]\n\n  const recipientKeyrings = await vault.buildBundleRecipientKeyrings(recipients)\n\n  const backup = JSON.parse(dumpJson) as { keyrings: unknown; [k: string]: unknown }\n  backup.keyrings = recipientKeyrings\n  return JSON.stringify(backup)\n}\n\n/**\n * Apply opt-in slice filters to a vault dump JSON string. Filters that\n * narrow the bundle without crossing the encryption boundary — both\n * operate on metadata (collection name, envelope `_ts`) and never need\n * to decrypt records. When neither filter is set, the dump is returned\n * unchanged so the no-arg path stays a pure passthrough.\n *\n * Internal-collection filtering: when a `collections` allowlist is\n * provided, the bundle still carries `_internal` (ledger entries) and\n * the keyrings — they're necessary for the receiver to verify and\n * unlock the bundle. The allowlist applies to the user-collection\n * map only.\n *\n * @internal\n */\nfunction applySliceFilters(\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): string {\n  const collectionsFilter = opts.collections\n    ? new Set(opts.collections)\n    : null\n  const sinceMs =\n    opts.since !== undefined ? new Date(opts.since).getTime() : null\n  if (collectionsFilter === null && sinceMs === null) return dumpJson\n\n  // Parse, prune, re-serialize. The dump shape is stable\n  // (VaultBackup) so this is a one-off allocation; for vaults beyond\n  // the documented 1K–50K target a streaming variant would be a\n  // follow-up, but the simple parse path keeps the slice path\n  // type-safe and trivially auditable.\n  const backup = JSON.parse(dumpJson) as {\n    collections?: Record<string, Record<string, { _ts?: string }>>\n    [k: string]: unknown\n  }\n\n  if (backup.collections && typeof backup.collections === 'object') {\n    const next: Record<string, Record<string, unknown>> = {}\n    for (const [name, records] of Object.entries(backup.collections)) {\n      if (collectionsFilter && !collectionsFilter.has(name)) continue\n      if (sinceMs === null) {\n        next[name] = records\n        continue\n      }\n      const kept: Record<string, unknown> = {}\n      for (const [id, env] of Object.entries(records)) {\n        const envTs = env._ts ? new Date(env._ts).getTime() : NaN\n        if (Number.isFinite(envTs) && envTs >= sinceMs) {\n          kept[id] = env\n        }\n      }\n      next[name] = kept\n    }\n    backup.collections = next as typeof backup.collections\n  }\n\n  return JSON.stringify(backup)\n}\n\n/**\n * Apply opt-in plaintext-tier filters\n * to a vault dump. Operates BEFORE `applySliceFilters` so the metadata\n * pass sees the trimmed record set.\n *\n * The filter never re-encrypts: surviving records carry their original\n * envelope unchanged. Failing records are dropped from the\n * `collections` map. Internal collections (ledger, deltas) and the\n * keyrings map are untouched.\n *\n * @internal\n */\nasync function applyPlaintextFilters(\n  vault: Vault,\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): Promise<string> {\n  if (opts.where === undefined && opts.tierAtMost === undefined) {\n    return dumpJson\n  }\n\n  type Env = { _ts?: string; _tier?: number; _iv: string; _data: string }\n  const backup = JSON.parse(dumpJson) as {\n    collections?: Record<string, Record<string, Env>>\n    [k: string]: unknown\n  }\n  if (!backup.collections || typeof backup.collections !== 'object') {\n    return dumpJson\n  }\n\n  const tierCeiling = opts.tierAtMost\n  const where = opts.where\n\n  const next: Record<string, Record<string, Env>> = {}\n  for (const [collName, records] of Object.entries(backup.collections)) {\n    const kept: Record<string, Env> = {}\n    for (const [id, env] of Object.entries(records)) {\n      // Tier ceiling — runs FIRST so we don't waste a decrypt on\n      // records about to be dropped anyway. Envelope tier defaults to\n      // 0 when absent (matches Vault's tier-0 conventions).\n      if (tierCeiling !== undefined) {\n        const tier = env._tier ?? 0\n        if (tier > tierCeiling) continue\n      }\n      // Plaintext predicate — decrypt, run, keep on truthy. Errors\n      // from inside the predicate propagate (callers want to see why\n      // their filter blew up rather than getting a silent passthrough).\n      if (where !== undefined) {\n        const record = await vault._decryptEnvelopeForBundleFilter(\n          env as never,\n          collName,\n        )\n        const ok = await where(record, { collection: collName, id })\n        if (!ok) continue\n      }\n      kept[id] = env\n    }\n    next[collName] = kept\n  }\n  backup.collections = next\n  return JSON.stringify(backup)\n}\n\n/**\n * Write a `.noydb` bundle for the given vault.\n *\n * Pipeline:\n *   1. Resolve or create the compartment's stable bundle handle\n *      via `vault.getBundleHandle()` — same handle on\n *      every export from the same vault instance, so cloud\n *      adapters can use it as a primary key.\n *   2. `vault.dump()` → JSON string with encrypted records\n *      inside.\n *   3. UTF-8 encode the dump string.\n *   4. Compress (brotli if available, gzip fallback by default).\n *   5. Compute SHA-256 of the compressed body for integrity.\n *   6. Build the minimum-disclosure header from format version,\n *      handle, body length, body sha.\n *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)\n *      + header JSON (N) + compressed body (M).\n *\n * The output is a single `Uint8Array`. Consumers writing to disk\n * pass it to `fs.writeFile`; consumers uploading to cloud storage\n * pass it as the request body. The `@noy-db/file` adapter wraps\n * this with a `saveBundle(path, vault)` helper.\n */\n/**\n * Assemble the final `.noydb` container bytes from a body JSON string +\n * header extras. Shared by `writeNoydbBundle` and `extractPartition`\n * so both producers go through one compress/hash/prefix path.\n *\n * @internal\n */\nexport async function assembleBundleContainer(opts: {\n  handle: string\n  bodyJsonStr: string\n  compression: WriteNoydbBundleOptions['compression']\n  /** Header fields beyond the always-present four. */\n  headerExtras?: Partial<Pick<NoydbBundleHeader, 'publicEnvelope' | 'autoUnlock' | 'bundleKind' | 'transferSeal'>>\n}): Promise<Uint8Array> {\n  const dumpBytes = new TextEncoder().encode(opts.bodyJsonStr)\n  const { format, streamFormat } = selectCompression(opts.compression)\n  const body = streamFormat === null\n    ? dumpBytes\n    : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat))\n  const bodySha256 = await sha256Hex(body)\n\n  const header: NoydbBundleHeader = {\n    formatVersion: NOYDB_BUNDLE_FORMAT_VERSION,\n    handle: opts.handle,\n    bodyBytes: body.length,\n    bodySha256,\n    ...(opts.headerExtras?.publicEnvelope !== undefined ? { publicEnvelope: opts.headerExtras.publicEnvelope } : {}),\n    ...(opts.headerExtras?.autoUnlock !== undefined ? { autoUnlock: opts.headerExtras.autoUnlock } : {}),\n    ...(opts.headerExtras?.bundleKind !== undefined ? { bundleKind: opts.headerExtras.bundleKind } : {}),\n    ...(opts.headerExtras?.transferSeal !== undefined ? { transferSeal: opts.headerExtras.transferSeal } : {}),\n  }\n  const headerBytes = encodeBundleHeader(header)\n\n  const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES)\n  prefix.set(NOYDB_BUNDLE_MAGIC, 0)\n  prefix[4] = (streamFormat === null ? 0 : FLAG_COMPRESSED) | FLAG_HAS_INTEGRITY_HASH\n  prefix[5] = format\n  writeUint32BE(prefix, 6, headerBytes.length)\n\n  return concatBytes([prefix, headerBytes, body])\n}\n\nexport async function writeNoydbBundle(\n  vault: Vault,\n  opts: WriteNoydbBundleOptions = {},\n): Promise<Uint8Array> {\n  if (opts.exportPassphrase !== undefined && opts.recipients !== undefined) {\n    throw new Error(\n      'writeNoydbBundle: pass either exportPassphrase or recipients, not both',\n    )\n  }\n\n  // #197/#215 — auto-unlock: normalize once, validate + build from the\n  // same NormalizedAutoUnlock object so there's no double-normalize call.\n  const normalizedAutoUnlock = normalizeAutoUnlock(opts)\n  const autoUnlockMode = validateAutoUnlockOptions(opts, normalizedAutoUnlock)\n\n  const handle = await vault.getBundleHandle()\n  const dumpJson = await vault.dump()\n\n  // Re-keying: when caller supplied recipients (or the single-recipient\n  // shorthand), substitute the bundle's `keyrings` map with freshly\n  // built recipient slots before slice filters run.\n  const rekeyed = await applyRecipientRewrap(vault, dumpJson, opts)\n  // Plaintext-tier filters run BEFORE\n  // the metadata-only slice — that way the metadata pass sees the\n  // already-trimmed record set and the two filter chains compose\n  // cleanly.\n  const plainFiltered = await applyPlaintextFilters(vault, rekeyed, opts)\n  const filtered = applySliceFilters(plainFiltered, opts)\n\n  // If no auto-unlock requested, body remains the raw dump JSON\n  // (pre-#197 shape). Otherwise build the wrapped body containing the\n  // dump + `_autoUnlock` blob and serialize.\n  const bodyJsonStr = normalizedAutoUnlock === null\n    ? filtered\n    : JSON.stringify(await buildAutoUnlockWrapper(filtered, normalizedAutoUnlock))\n  // Snapshot the source vault's public envelope into the header\n  // when one is persisted. `Vault.getPublicEnvelope` tolerates a\n  // missing document and returns undefined, which we propagate as\n  // \"no envelope in the header.\" Vaults without a\n  // `_meta/public-envelope` document produce minimum-disclosure\n  // headers exactly like before, preserving back-compat.\n  const publicEnvelope = await vault.getPublicEnvelope()\n\n  return assembleBundleContainer({\n    handle,\n    bodyJsonStr,\n    compression: opts.compression,\n    headerExtras: {\n      ...(publicEnvelope !== undefined ? { publicEnvelope } : {}),\n      ...(autoUnlockMode !== null ? { autoUnlock: autoUnlockMode } : {}),\n    },\n  })\n}\n\n/**\n * Internal helper shared by both readers — parses just the prefix\n * + header region of a bundle without touching the body. Returns\n * the parsed header plus the offset where the body starts and the\n * compression algorithm needed to decompress it.\n *\n * Throws on any format violation: missing/invalid magic, truncated\n * prefix, header length larger than the file, or unknown\n * compression algorithm.\n */\nfunction parsePrefixAndHeader(bytes: Uint8Array): {\n  header: NoydbBundleHeader\n  bodyOffset: number\n  algo: CompressionAlgo\n  flags: number\n} {\n  if (!hasNoydbBundleMagic(bytes)) {\n    throw new Error(\n      `Not a .noydb bundle: missing 'NDB1' magic prefix. The first 4 bytes ` +\n        `are ${[...bytes.slice(0, 4)].map((b) => b.toString(16).padStart(2, '0')).join(' ')}.`,\n    )\n  }\n  if (bytes.length < NOYDB_BUNDLE_PREFIX_BYTES) {\n    throw new Error(\n      `Truncated .noydb bundle: file is only ${bytes.length} bytes, ` +\n        `which is less than the ${NOYDB_BUNDLE_PREFIX_BYTES}-byte fixed prefix.`,\n    )\n  }\n  const flags = bytes[4]!\n  const algo = bytes[5]!\n  if (algo !== COMPRESSION_NONE && algo !== COMPRESSION_GZIP && algo !== COMPRESSION_BROTLI) {\n    throw new Error(\n      `.noydb bundle declares unknown compression algorithm ${algo}. ` +\n        `Known values: 0 (none), 1 (gzip), 2 (brotli).`,\n    )\n  }\n  const headerLength = readUint32BE(bytes, 6)\n  const bodyOffset = NOYDB_BUNDLE_PREFIX_BYTES + headerLength\n  if (bodyOffset > bytes.length) {\n    throw new Error(\n      `Truncated .noydb bundle: declared header length ${headerLength} ` +\n        `would extend past end of file (${bytes.length} bytes).`,\n    )\n  }\n  const headerBytes = bytes.slice(NOYDB_BUNDLE_PREFIX_BYTES, bodyOffset)\n  const header = decodeBundleHeader(headerBytes)\n  return { header, bodyOffset, algo: algo as CompressionAlgo, flags }\n}\n\n/**\n * Read just the bundle header — no body decompression, no\n * integrity verification. Intended for cloud-listing UIs that want\n * to show the handle and size before downloading the full body.\n *\n * Returns the same `NoydbBundleHeader` shape as the writer, with\n * minimum-disclosure validation already applied.\n *\n * **Cost** — O(prefix + header bytes). The header is normally well\n * under 1 KB, but may grow to roughly 256 KB when a `publicEnvelope`\n * with an inline icon is present. Cloud-listing UIs that previously\n * assumed sub-KB header reads should account for this when sizing\n * range requests against bundles that may carry icons.\n */\nexport function readNoydbBundleHeader(bytes: Uint8Array): NoydbBundleHeader {\n  return parsePrefixAndHeader(bytes).header\n}\n\n/**\n * Read just the bundle's public envelope (`docs/subsystems/public-envelope.md`)\n * — without verifying the body or even parsing the dump JSON. Pass\n * the raw bundle bytes; receive the owner-curated metadata or\n * `undefined` if the bundle was written without one.\n *\n * Locale-resolves any `name` / `description` map fields when `locale`\n * is supplied. Omitting `locale` returns the raw envelope.\n *\n * Same security caveat as the on-vault read path — the public\n * envelope is **untrusted hint** in v1; the encrypted body remains\n * the source of truth for vault contents.\n */\nexport function readNoydbBundlePublicEnvelope(\n  bytes: Uint8Array,\n  opts: { readonly locale?: string } = {},\n): PublicEnvelope | undefined {\n  const header = parsePrefixAndHeader(bytes).header\n  const env = header.publicEnvelope\n  if (!env) return undefined\n  if (opts.locale === undefined) return env\n  return {\n    ...env,\n    ...(env.name !== undefined ? { name: pickLocale(env.name, opts.locale, env.defaultLocale) } : {}),\n    ...(env.description !== undefined ? { description: pickLocale(env.description, opts.locale, env.defaultLocale) } : {}),\n  }\n}\n\n/**\n * Read a full `.noydb` bundle: validate magic + header, verify\n * integrity hash over the body bytes, decompress, and return the\n * original `vault.dump()` JSON string ready to pass to\n * `vault.load()`.\n *\n * Throws `BundleIntegrityError` if the body's actual SHA-256 does\n * not match the value declared in the header. Distinct from a\n * format error so consumers can pattern-match in catch blocks\n * (corrupted-in-transit vs malformed-by-producer).\n *\n * Note: this function does NOT take a passphrase. The dump JSON\n * inside the body still contains encrypted records — restoring\n * the vault requires `vault.load(dumpJson, passphrase)`\n * after this call. Splitting the layers keeps the bundle module\n * free of crypto concerns and lets the same code feed format\n * inspectors that never decrypt anything.\n */\nexport async function readNoydbBundle(\n  bytes: Uint8Array,\n  opts: ReadNoydbBundleOptions = {},\n): Promise<NoydbBundleReadResult> {\n  const { header, bodyOffset, algo } = parsePrefixAndHeader(bytes)\n  const body = bytes.slice(bodyOffset)\n\n  // Length check before hash check — a length mismatch is the\n  // cheapest tamper signal and produces a more actionable error.\n  if (body.length !== header.bodyBytes) {\n    throw new BundleIntegrityError(\n      `body length ${body.length} does not match header.bodyBytes ` +\n        `${header.bodyBytes}. The bundle was truncated or padded ` +\n        `between write and read.`,\n    )\n  }\n\n  const actualSha = await sha256Hex(body)\n  if (actualSha !== header.bodySha256) {\n    throw new BundleIntegrityError(\n      `body sha256 ${actualSha} does not match header.bodySha256 ` +\n        `${header.bodySha256}. The bundle bytes were modified between ` +\n        `write and read — refuse to decompress.`,\n    )\n  }\n\n  let dumpBytes: Uint8Array\n  if (algo === COMPRESSION_NONE) {\n    dumpBytes = body\n  } else {\n    const streamFormat: CompressionFormat =\n      algo === COMPRESSION_BROTLI ? ('br' as CompressionFormat) : 'gzip'\n    try {\n      dumpBytes = await pumpThroughStream(body, new DecompressionStream(streamFormat))\n    } catch (err) {\n      throw new BundleIntegrityError(\n        `decompression failed: ${(err as Error).message}. The bundle ` +\n          `passed the integrity hash but the body is not valid ` +\n          `${streamFormat} data — likely a producer bug.`,\n      )\n    }\n  }\n\n  const bodyString = new TextDecoder('utf-8', { fatal: true }).decode(dumpBytes)\n\n  // #197 — when the header signaled an auto-unlock, the body is a\n  // JSON wrapper carrying the dump string + the auto-unlock blob.\n  // When absent, the body IS the raw dump JSON (pre-#197 shape).\n  if (header.autoUnlock === undefined) {\n    return { header, dumpJson: bodyString }\n  }\n  const { dump, blob } = parseAutoUnlockBody(bodyString)\n  const autoUnlock = await resolveAutoUnlock(blob, opts)\n  return { header, dumpJson: dump, autoUnlock }\n}\n"],"mappings":";;;;;;;;;;AAmDO,IAAM,qBAAqB,IAAI,WAAW,CAAC,IAAM,IAAM,IAAM,EAAI,CAAC;AAGlE,IAAM,4BAA4B;AAGlC,IAAM,8BAA8B;AASpC,IAAM,kBAAkB;AACxB,IAAM,0BAA0B;AAchC,IAAM,mBAAmB;AACzB,IAAM,mBAAmB;AACzB,IAAM,qBAAqB;AAwFlC,IAAM,sBAA2C,oBAAI,IAAI;AAAA,EACvD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAiBM,SAAS,qBACd,QACqC;AACrC,MAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,UAAM,IAAI;AAAA,MACR,mDAAmD,WAAW,OAAO,SAAS,OAAO,MAAM;AAAA,IAC7F;AAAA,EACF;AAIA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACrC,QAAI,CAAC,oBAAoB,IAAI,GAAG,GAAG;AACjC,YAAM,IAAI;AAAA,QACR,gDAAgD,GAAG,kDAE9C,CAAC,GAAG,mBAAmB,EAAE,KAAK,IAAI,CAAC;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,eAAe,MAAM,YAAY,EAAE,eAAe,MAAM,6BAA6B;AAChG,UAAM,IAAI;AAAA,MACR,8CAA8C,2BAA2B,SAChE,OAAO,EAAE,eAAe,CAAC,CAAC;AAAA,IAErC;AAAA,EACF;AACA,MAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,CAAC,2BAA2B,KAAK,EAAE,QAAQ,CAAC,GAAG;AACpF,UAAM,IAAI;AAAA,MACR,iFACS,OAAO,EAAE,QAAQ,MAAM,WAAW,IAAI,EAAE,QAAQ,CAAC,MAAM,OAAO,EAAE,QAAQ,CAAC,CAAC;AAAA,IACrF;AAAA,EACF;AACA,MAAI,OAAO,EAAE,WAAW,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,IAAI,GAAG;AACjG,UAAM,IAAI;AAAA,MACR,sEACS,OAAO,EAAE,WAAW,CAAC,CAAC;AAAA,IACjC;AAAA,EACF;AACA,MAAI,OAAO,EAAE,YAAY,MAAM,YAAY,CAAC,iBAAiB,KAAK,EAAE,YAAY,CAAC,GAAG;AAClF,UAAM,IAAI;AAAA,MACR,oFACS,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY,CAAC,CAAC;AAAA,IACjG;AAAA,EACF;AACA,MAAI,EAAE,gBAAgB,MAAM,QAAW;AACrC,UAAM,MAAM,EAAE,gBAAgB;AAC9B,QAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,MAAM,QAAQ,GAAG,GAAG;AACjE,YAAM,IAAI;AAAA,QACR,+EAA+E,OAAO,GAAG;AAAA,MAC3F;AAAA,IACF;AACA,UAAM,IAAI;AACV,QAAI,EAAE,eAAe,MAAM,GAAG;AAC5B,YAAM,IAAI;AAAA,QACR,oEAAoE,OAAO,EAAE,eAAe,CAAC,CAAC;AAAA,MAChG;AAAA,IACF;AACA,QAAI,OAAO,EAAE,SAAS,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,IAAI,GAAG;AAC3F,YAAM,IAAI;AAAA,QACR,+EAA+E,OAAO,EAAE,SAAS,CAAC,CAAC;AAAA,MACrG;AAAA,IACF;AAAA,EACF;AACA,MAAI,EAAE,YAAY,MAAM,QAAW;AACjC,QAAI,EAAE,YAAY,MAAM,cAAc,EAAE,YAAY,MAAM,UAAU;AAClE,YAAM,MAAM,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY;AAChG,YAAM,IAAI;AAAA,QACR,oFAAoF,GAAG;AAAA,MACzF;AAAA,IACF;AAAA,EACF;AACA,MAAI,EAAE,YAAY,MAAM,QAAW;AACjC,QAAI,EAAE,YAAY,MAAM,cAAc,EAAE,YAAY,MAAM,uBAAuB;AAC/E,YAAM,MAAM,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY;AAChG,YAAM,IAAI;AAAA,QACR,iGAAiG,GAAG;AAAA,MACtG;AAAA,IACF;AAAA,EACF;AACA,MAAI,EAAE,cAAc,MAAM,QAAW;AACnC,UAAM,KAAK,EAAE,cAAc;AAC3B,QAAI,OAAO,QAAQ,OAAO,OAAO,YAAY,MAAM,QAAQ,EAAE,GAAG;AAC9D,YAAM,IAAI,MAAM,6EAA6E,OAAO,EAAE,GAAG;AAAA,IAC3G;AACA,UAAM,IAAI;AACV,QAAI,EAAE,GAAG,MAAM,GAAG;AAChB,YAAM,IAAI,MAAM,sDAAsD,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG;AAAA,IACzF;AACA,QAAI,EAAE,KAAK,MAAM,0BAA0B;AACzC,YAAM,IAAI,MAAM,+EAA+E,OAAO,EAAE,KAAK,CAAC,CAAC,GAAG;AAAA,IACpH;AACA,QAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,EAAE,QAAQ,EAAE,WAAW,GAAG;AAC/D,YAAM,IAAI,MAAM,4EAA4E,OAAO,EAAE,QAAQ,CAAC,CAAC,GAAG;AAAA,IACpH;AAAA,EACF;AAIA,QAAM,cAAc,EAAE,YAAY,MAAM;AACxC,QAAM,UAAU,EAAE,cAAc,MAAM;AACtC,MAAI,WAAW,CAAC,aAAa;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,eAAe,CAAC,SAAS;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAIA,MAAI,eAAe,EAAE,YAAY,MAAM,QAAW;AAChD,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACF;AAOO,SAAS,mBAAmB,QAAuC;AACxE,uBAAqB,MAAM;AAK3B,QAAM,OAAO,KAAK,UAAU;AAAA,IAC1B,eAAe,OAAO;AAAA,IACtB,QAAQ,OAAO;AAAA,IACf,WAAW,OAAO;AAAA,IAClB,YAAY,OAAO;AAAA,IACnB,GAAI,OAAO,mBAAmB,SAAY,EAAE,gBAAgB,OAAO,eAAe,IAAI,CAAC;AAAA,IACvF,GAAI,OAAO,eAAe,SAAY,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC;AAAA,IAC3E,GAAI,OAAO,eAAe,SAAY,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC;AAAA,IAC3E,GAAI,OAAO,iBAAiB,SAAY,EAAE,cAAc,OAAO,aAAa,IAAI,CAAC;AAAA,EACnF,CAAC;AACD,SAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AACtC;AAMO,SAAS,mBAAmB,OAAsC;AACvE,QAAM,OAAO,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,KAAK;AACnE,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,2CAA4C,IAAc,OAAO;AAAA,IACnE;AAAA,EACF;AACA,uBAAqB,MAAM;AAC3B,SAAO;AACT;AAQO,SAAS,aAAa,OAAmB,QAAwB;AACtE,UACG,MAAM,MAAM,KAAM,OAAO,MACzB,MAAM,SAAS,CAAC,KAAM,OACtB,MAAM,SAAS,CAAC,KAAM,KACvB,MAAM,SAAS,CAAC;AAEpB;AAMO,SAAS,cAAc,OAAmB,QAAgB,OAAqB;AACpF,QAAM,MAAM,IAAK,UAAU,KAAM;AACjC,QAAM,SAAS,CAAC,IAAK,UAAU,KAAM;AACrC,QAAM,SAAS,CAAC,IAAK,UAAU,IAAK;AACpC,QAAM,SAAS,CAAC,IAAI,QAAQ;AAC9B;AAOO,SAAS,oBAAoB,OAA4B;AAC9D,MAAI,MAAM,SAAS,mBAAmB,OAAQ,QAAO;AACrD,WAAS,IAAI,GAAG,IAAI,mBAAmB,QAAQ,KAAK;AAClD,QAAI,MAAM,CAAC,MAAM,mBAAmB,CAAC,EAAG,QAAO;AAAA,EACjD;AACA,SAAO;AACT;;;ACpBA,SAAS,kBAAkB,GAA2D;AACpF,SAAO,OAAO;AAAA,IACZ,OAAO,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,cAAuB,MAAM,CAAC,CAAC;AAAA,EACnF;AACF;AAYA,SAAS,oBAAoB,MAA4D;AACvF,QAAM,MAAM;AAAA,IACV,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EACP,EAAE,OAAO,OAAK,MAAM,MAAS,EAAE;AAC/B,MAAI,QAAQ,EAAG,QAAO;AACtB,MAAI,MAAM,GAAG;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,MAAI,KAAK,oBAAoB,QAAW;AACtC,WAAO,EAAE,MAAM,YAAY,SAAS,KAAK,gBAAgB,QAAQ;AAAA,EACnE;AACA,MAAI,KAAK,oBAAoB,QAAW;AACtC,WAAO,EAAE,MAAM,YAAY,SAAS,kBAAkB,KAAK,gBAAgB,OAAO,EAAE;AAAA,EACtF;AACA,MAAI,KAAK,sBAAsB,QAAW;AACxC,QAAI,KAAK,kBAAkB,SAAS,oBAAoB;AACtD,YAAM,UAA0C,CAAC;AACjD,YAAM,QAAuC,CAAC;AAC9C,iBAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,kBAAkB,OAAO,GAAG;AAC5E,gBAAQ,MAAM,IAAI,MAAM;AACxB,cAAM,MAAM,IAAI,MAAM;AAAA,MACxB;AACA,aAAO,EAAE,MAAM,oBAAoB,UAAU,KAAK,kBAAkB,UAAU,SAAS,MAAM;AAAA,IAC/F;AACA,WAAO,EAAE,MAAM,eAAe,UAAU,KAAK,kBAAkB,UAAU,SAAS,KAAK,kBAAkB,QAAQ;AAAA,EACnH;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU,KAAK,kBAAmB;AAAA,IAClC,SAAS,kBAAkB,KAAK,kBAAmB,OAAO;AAAA,EAC5D;AACF;AAoBA,SAAS,0BACP,MACA,YAC8B;AAC9B,MAAI,eAAe,KAAM,QAAO;AAEhC,QAAM,cAAmC,oBAAI,IAAI,CAAC,cAAc,YAAY,KAAK,CAAC;AAGlF,aAAW,CAAC,QAAQ,IAAI,KAAK,OAAO,QAAQ,WAAW,OAAO,GAAG;AAC/D,QAAI,CAAC,YAAY,IAAI,KAAK,IAAI,GAAG;AAC/B,YAAM,IAAI;AAAA,QACR,0CAA0C,MAAM,2BAA2B,KAAK,IAAI;AAAA,MAGtF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,WAAW,SAAS,YAAY;AAElC,UAAM,SAAS,KAAK,iBAAiB,UAAU,KAAK,iBAAiB;AACrE,QAAI,WAAW,oBAAoB;AACjC,YAAM,IAAI;AAAA,QACR;AAAA,MAKF;AAAA,IACF;AACA,UAAMA,aAAY,OAAO,KAAK,WAAW,OAAO,EAAE;AAClD,QAAIA,eAAc,GAAG;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,MAAI,WAAW,SAAS,oBAAoB;AAC1C,UAAM,WAAW,WAAW;AAC5B,QAAI,aAAa,UAAa,OAAQ,SAA6B,yBAAyB,cACrF,OAAQ,SAA6B,qBAAqB,YAAY;AAC3E,YAAM,IAAI;AAAA,QACR;AAAA,MAGF;AAAA,IACF;AACA,UAAM,QAAQ,WAAW;AACzB,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,MAAM,uEAAkE;AAAA,IACpF;AACA,eAAW,UAAU,OAAO,KAAK,WAAW,OAAO,GAAG;AACpD,YAAM,OAAO,MAAM,MAAM;AACzB,UAAI,SAAS,QAAW;AACtB,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM;AAAA,QAC1D;AAAA,MACF;AACA,UAAI,KAAK,MAAM,GAAG;AAChB,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM,8BAA8B,OAAO,KAAK,CAAC,CAAC;AAAA,QACtG;AAAA,MACF;AACA,UAAI,OAAO,KAAK,QAAQ,YAAY,KAAK,IAAI,WAAW,GAAG;AACzD,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM;AAAA,QAC1D;AAAA,MACF;AACA,UAAI,KAAK,QAAQ,mBAAmB;AAClC,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM,4DAA4D,OAAO,KAAK,GAAG,CAAC;AAAA,QACtI;AAAA,MACF;AAAA,IAIF;AACA,UAAMA,aAAY,OAAO,KAAK,WAAW,OAAO,EAAE;AAClD,QAAIA,eAAc,GAAG;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,iBAAiB,KAAK,mBAAmB,QAAQ,KAAK,mBAAmB;AAC/E,MAAI,mBAAmB,eAAe;AACpC,UAAM,IAAI;AAAA,MACR,kIAC+C,OAAO,cAAc,CAAC;AAAA,IACvE;AAAA,EACF;AACA,MAAI,WAAW,aAAa,QAAW;AACrC,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,QAAM,YAAY,OAAO,KAAK,WAAW,OAAO,EAAE;AAClD,MAAI,cAAc,GAAG;AACnB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAOA,eAAe,uBACb,UACA,YACyB;AACzB,MAAI,WAAW,SAAS,YAAY;AAClC,WAAO;AAAA,MACL,oBAAoB;AAAA,MACpB,MAAM;AAAA,MACN,aAAa;AAAA,QACX,MAAM;AAAA,QACN,SAAS,EAAE,GAAG,WAAW,QAAQ;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAEA,QAAM,WAAW,WAAW;AAC5B,MAAI,aAAa,QAAW;AAC1B,UAAM,IAAI,MAAM,uDAAkD;AAAA,EACpE;AACA,QAAM,gBAAuD,CAAC;AAC9D,QAAM,UAAU,IAAI,YAAY;AAEhC,MAAI,WAAW,SAAS,oBAAoB;AAC1C,UAAM,kBAAkB;AACxB,UAAM,QAAQ,WAAW;AACzB,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,MAAM,uEAAkE;AAAA,IACpF;AACA,eAAW,CAAC,QAAQ,IAAI,KAAK,OAAO,QAAQ,WAAW,OAAO,GAAG;AAC/D,YAAM,OAAO,MAAM,MAAM;AACzB,YAAM,SAAS,MAAM,gBAAgB,iBAAiB,QAAQ,OAAO,KAAK,KAAK,GAAG,IAAI;AACtF,oBAAc,MAAM,IAAI;AAAA,QACtB,KAAK,KAAK;AAAA;AAAA,QACV,QAAQ,cAAc,MAAM;AAAA,QAC5B,KAAK;AAAA,QACL,MAAM,KAAK;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAAA,EACF,OAAO;AAEL,UAAM,aAAa;AACnB,eAAW,CAAC,QAAQ,IAAI,KAAK,OAAO,QAAQ,WAAW,OAAO,GAAG;AAC/D,YAAM,SAAS,MAAM,WAAW,KAAK,QAAQ,OAAO,KAAK,KAAK,CAAC;AAC/D,oBAAc,MAAM,IAAI;AAAA,QACtB,KAAK,WAAW;AAAA,QAChB,QAAQ,cAAc,MAAM;AAAA,QAC5B,KAAK;AAAA,QACL,MAAM,KAAK;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,oBAAoB;AAAA,IACpB,MAAM;AAAA,IACN,aAAa,EAAE,MAAM,UAAU,SAAS,cAAc;AAAA,EACxD;AACF;AAOA,SAAS,oBAAoB,YAA2E;AACtG,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,UAAU;AAAA,EAChC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,+EACG,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,IACpD;AAAA,EACF;AACA,MAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AACjD,UAAM,IAAI,qBAAqB,sCAAsC;AAAA,EACvE;AACA,QAAM,MAAM;AACZ,MAAI,IAAI,oBAAoB,MAAM,GAAG;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,IAAI,MAAM,MAAM,UAAU;AACnC,UAAM,IAAI,qBAAqB,kDAAkD;AAAA,EACnF;AACA,QAAM,OAAO,IAAI,aAAa;AAC9B,MAAI,OAAO,SAAS,YAAY,SAAS,MAAM;AAC7C,UAAM,IAAI,qBAAqB,4CAA4C;AAAA,EAC7E;AACA,QAAM,UAAU;AAChB,QAAM,OAAO,QAAQ,MAAM;AAC3B,MAAI,SAAS,cAAc,SAAS,UAAU;AAC5C,UAAM,IAAI;AAAA,MACR,oCAAoC,OAAO,IAAI,CAAC;AAAA,IAClD;AAAA,EACF;AACA,SAAO;AAAA,IACL,MAAM,IAAI,MAAM;AAAA,IAChB;AAAA,EACF;AACF;AA4BO,SAAS,+BACd,UACA,MACwB;AACxB,SAAO,EAAE,oBAAoB,GAAG,MAAM,UAAU,eAAe,KAAK;AACtE;AAEO,SAAS,4BACd,YAC6C;AAC7C,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,UAAU;AAAA,EAChC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,wFACG,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,IACpD;AAAA,EACF;AACA,MAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AACjD,UAAM,IAAI,qBAAqB,+CAA+C;AAAA,EAChF;AACA,QAAM,MAAM;AACZ,MAAI,IAAI,oBAAoB,MAAM,GAAG;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,IAAI,MAAM,MAAM,UAAU;AACnC,UAAM,IAAI,qBAAqB,2DAA2D;AAAA,EAC5F;AACA,QAAM,OAAO,IAAI,eAAe;AAChC,MAAI,OAAO,SAAS,YAAY,SAAS,MAAM;AAC7C,UAAM,IAAI,qBAAqB,uDAAuD;AAAA,EACxF;AACA,QAAM,IAAI;AACV,MAAI,EAAE,GAAG,MAAM,KAAK,EAAE,KAAK,MAAM,4BAC1B,OAAO,EAAE,QAAQ,MAAM,YAAY,OAAO,EAAE,SAAS,MAAM,UAAU;AAC1E,UAAM,IAAI,qBAAqB,uDAAuD;AAAA,EACxF;AACA,SAAO,EAAE,MAAM,IAAI,MAAM,GAAG,KAAkC;AAChE;AAMA,SAAS,eAAe,OAAgD;AACtE,MAAI,OAAO,UAAU,SAAU,QAAO,EAAE,MAAM,cAAc,OAAO,MAAM;AACzE,SAAO;AACT;AAwBA,eAAe,kBACb,MACA,MACmF;AACnF,MAAI,KAAK,SAAS,YAAY;AAC5B,UAAM,WAA2C,CAAC;AAClD,eAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAC1D,eAAS,MAAM,IAAI,eAAe,KAAK;AAAA,IACzC;AACA,WAAO,EAAE,MAAM,YAAY,SAAS,SAAS;AAAA,EAC/C;AAEA,MAAI,KAAK,qBAAqB,UAAa,KAAK,iBAAiB,WAAW,GAAG;AAI7E,UAAM,cAA8C,CAAC;AACrD,eAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAC1D,kBAAY,MAAM,IAAI,EAAE,MAAM,MAAM,QAAQ,cAAc,OAAO,MAAM,OAAO;AAAA,IAChF;AACA,WAAO,EAAE,MAAM,UAAU,SAAS,YAAY;AAAA,EAChD;AACA,QAAM,iBAAiB,oBAAI,IAAgC;AAC3D,aAAW,KAAK,KAAK,iBAAkB,gBAAe,IAAI,EAAE,IAAI,CAAC;AAEjE,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,cAA8C,CAAC;AAErD,aAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAC1D,UAAM,WAA+B,MAAM,QAAQ;AACnD,UAAM,WAAW,eAAe,IAAI,MAAM,GAAG;AAC7C,QAAI,aAAa,QAAW;AAC1B,UAAI,KAAK,iCAAiC,MAAM;AAE9C,YAAI,SAAwB;AAC5B,mBAAW,aAAa,KAAK,kBAAkB;AAC7C,cAAI;AACF,kBAAMC,kBAAiB,MAAM,UAAU,OAAO,cAAc,MAAM,MAAM,CAAC;AACzE,qBAAS,QAAQ,OAAOA,eAAc;AACtC;AAAA,UACF,QAAQ;AAAA,UAER;AAAA,QACF;AACA,YAAI,WAAW,MAAM;AACnB,cAAI,MAAM,SAAS,QAAW;AAG5B,wBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,MAAM,OAAO;AAC5D;AAAA,UACF;AACA,gBAAM,IAAI,wBAAwB,QAAQ,MAAM,GAAG;AAAA,QACrD;AACA,oBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,OAAO;AACtD;AAAA,MACF;AACA,UAAI,MAAM,SAAS,QAAW;AAI5B,oBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,MAAM,OAAO;AAC5D;AAAA,MACF;AACA,YAAM,IAAI,wBAAwB,QAAQ,MAAM,GAAG;AAAA,IACrD;AACA,UAAM,iBAAiB,MAAM,SAAS,OAAO,cAAc,MAAM,MAAM,CAAC;AACxE,gBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,QAAQ,OAAO,cAAc,EAAE;AAAA,EAChF;AACA,SAAO,EAAE,MAAM,UAAU,SAAS,YAAY;AAChD;AAEA,SAAS,cAAc,OAA2B;AAChD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,IAAK,WAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAC9E,SAAO,KAAK,MAAM;AACpB;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,SAAS,KAAK,GAAG;AACvB,QAAM,MAAM,IAAI,WAAW,OAAO,MAAM;AACxC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,IAAK,KAAI,CAAC,IAAI,OAAO,WAAW,CAAC;AACpE,SAAO;AACT;AAWA,IAAI,sBAAsC;AAC1C,SAAS,4BAAqC;AAC5C,MAAI,wBAAwB,KAAM,QAAO;AACzC,MAAI;AACF,QAAI,kBAAkB,IAAyB;AAC/C,0BAAsB;AAAA,EACxB,QAAQ;AACN,0BAAsB;AAAA,EACxB;AACA,SAAO;AACT;AAGO,SAAS,0BAAgC;AAC9C,wBAAsB;AACxB;AASA,SAAS,kBAAkB,QAGzB;AACA,QAAM,SAAS,UAAU;AACzB,MAAI,WAAW,OAAQ,QAAO,EAAE,QAAQ,kBAAkB,cAAc,KAAK;AAC7E,MAAI,WAAW,OAAQ,QAAO,EAAE,QAAQ,kBAAkB,cAAc,OAAO;AAC/E,MAAI,WAAW,UAAU;AACvB,QAAI,CAAC,0BAA0B,GAAG;AAChC,YAAM,IAAI;AAAA,QACR;AAAA,MAIF;AAAA,IACF;AACA,WAAO,EAAE,QAAQ,oBAAoB,cAAc,KAA0B;AAAA,EAC/E;AAEA,MAAI,0BAA0B,GAAG;AAC/B,WAAO,EAAE,QAAQ,oBAAoB,cAAc,KAA0B;AAAA,EAC/E;AACA,SAAO,EAAE,QAAQ,kBAAkB,cAAc,OAAO;AAC1D;AAcA,eAAe,kBACb,OACA,QACqB;AACrB,QAAM,WAAW,IAAI,KAAK,CAAC,KAAiB,CAAC,EAAE,OAAO,EAAE,YAAY,MAAM;AAC1E,QAAM,SAAS,SAAS,UAAU;AAClC,QAAM,SAAuB,CAAC;AAC9B,MAAI,QAAQ;AACZ,aAAS;AACP,UAAM,EAAE,OAAO,KAAK,IAAI,MAAM,OAAO,KAAK;AAC1C,QAAI,KAAM;AACV,QAAI,OAAO;AACT,aAAO,KAAK,KAAmB;AAC/B,eAAS,MAAM;AAAA,IACjB;AAAA,EACF;AACA,QAAM,MAAM,IAAI,WAAW,KAAK;AAChC,MAAI,SAAS;AACb,aAAW,SAAS,QAAQ;AAC1B,QAAI,IAAI,OAAO,MAAM;AACrB,cAAU,MAAM;AAAA,EAClB;AACA,SAAO;AACT;AAWA,eAAe,UAAU,OAAoC;AAS3D,QAAM,OAAO,IAAI,WAAW,MAAM,MAAM;AACxC,OAAK,IAAI,KAAK;AACd,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,QAAM,OAAO,IAAI,WAAW,MAAM;AAClC,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,WAAO,KAAK,CAAC,EAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAOA,SAAS,YAAY,OAA0C;AAC7D,MAAI,QAAQ;AACZ,aAAW,KAAK,MAAO,UAAS,EAAE;AAClC,QAAM,MAAM,IAAI,WAAW,KAAK;AAChC,MAAI,SAAS;AACb,aAAW,KAAK,OAAO;AACrB,QAAI,IAAI,GAAG,MAAM;AACjB,cAAU,EAAE;AAAA,EACd;AACA,SAAO;AACT;AAeA,eAAe,qBACb,OACA,UACA,MACiB;AACjB,MAAI,KAAK,qBAAqB,UAAa,KAAK,eAAe,QAAW;AACxE,WAAO;AAAA,EACT;AAEA,QAAM,aACJ,KAAK,cAAc;AAAA,IACjB;AAAA,MACE,IAAI,MAAM;AAAA,MACV,YAAY,KAAK;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AAAA,EACF;AAEF,QAAM,oBAAoB,MAAM,MAAM,6BAA6B,UAAU;AAE7E,QAAM,SAAS,KAAK,MAAM,QAAQ;AAClC,SAAO,WAAW;AAClB,SAAO,KAAK,UAAU,MAAM;AAC9B;AAiBA,SAAS,kBACP,UACA,MACQ;AACR,QAAM,oBAAoB,KAAK,cAC3B,IAAI,IAAI,KAAK,WAAW,IACxB;AACJ,QAAM,UACJ,KAAK,UAAU,SAAY,IAAI,KAAK,KAAK,KAAK,EAAE,QAAQ,IAAI;AAC9D,MAAI,sBAAsB,QAAQ,YAAY,KAAM,QAAO;AAO3D,QAAM,SAAS,KAAK,MAAM,QAAQ;AAKlC,MAAI,OAAO,eAAe,OAAO,OAAO,gBAAgB,UAAU;AAChE,UAAM,OAAgD,CAAC;AACvD,eAAW,CAAC,MAAM,OAAO,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AAChE,UAAI,qBAAqB,CAAC,kBAAkB,IAAI,IAAI,EAAG;AACvD,UAAI,YAAY,MAAM;AACpB,aAAK,IAAI,IAAI;AACb;AAAA,MACF;AACA,YAAM,OAAgC,CAAC;AACvC,iBAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC/C,cAAM,QAAQ,IAAI,MAAM,IAAI,KAAK,IAAI,GAAG,EAAE,QAAQ,IAAI;AACtD,YAAI,OAAO,SAAS,KAAK,KAAK,SAAS,SAAS;AAC9C,eAAK,EAAE,IAAI;AAAA,QACb;AAAA,MACF;AACA,WAAK,IAAI,IAAI;AAAA,IACf;AACA,WAAO,cAAc;AAAA,EACvB;AAEA,SAAO,KAAK,UAAU,MAAM;AAC9B;AAcA,eAAe,sBACb,OACA,UACA,MACiB;AACjB,MAAI,KAAK,UAAU,UAAa,KAAK,eAAe,QAAW;AAC7D,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,KAAK,MAAM,QAAQ;AAIlC,MAAI,CAAC,OAAO,eAAe,OAAO,OAAO,gBAAgB,UAAU;AACjE,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,KAAK;AACzB,QAAM,QAAQ,KAAK;AAEnB,QAAM,OAA4C,CAAC;AACnD,aAAW,CAAC,UAAU,OAAO,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACpE,UAAM,OAA4B,CAAC;AACnC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,OAAO,GAAG;AAI/C,UAAI,gBAAgB,QAAW;AAC7B,cAAM,OAAO,IAAI,SAAS;AAC1B,YAAI,OAAO,YAAa;AAAA,MAC1B;AAIA,UAAI,UAAU,QAAW;AACvB,cAAM,SAAS,MAAM,MAAM;AAAA,UACzB;AAAA,UACA;AAAA,QACF;AACA,cAAM,KAAK,MAAM,MAAM,QAAQ,EAAE,YAAY,UAAU,GAAG,CAAC;AAC3D,YAAI,CAAC,GAAI;AAAA,MACX;AACA,WAAK,EAAE,IAAI;AAAA,IACb;AACA,SAAK,QAAQ,IAAI;AAAA,EACnB;AACA,SAAO,cAAc;AACrB,SAAO,KAAK,UAAU,MAAM;AAC9B;AAgCA,eAAsB,wBAAwB,MAMtB;AACtB,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,WAAW;AAC3D,QAAM,EAAE,QAAQ,aAAa,IAAI,kBAAkB,KAAK,WAAW;AACnE,QAAM,OAAO,iBAAiB,OAC1B,YACA,MAAM,kBAAkB,WAAW,IAAI,kBAAkB,YAAY,CAAC;AAC1E,QAAM,aAAa,MAAM,UAAU,IAAI;AAEvC,QAAM,SAA4B;AAAA,IAChC,eAAe;AAAA,IACf,QAAQ,KAAK;AAAA,IACb,WAAW,KAAK;AAAA,IAChB;AAAA,IACA,GAAI,KAAK,cAAc,mBAAmB,SAAY,EAAE,gBAAgB,KAAK,aAAa,eAAe,IAAI,CAAC;AAAA,IAC9G,GAAI,KAAK,cAAc,eAAe,SAAY,EAAE,YAAY,KAAK,aAAa,WAAW,IAAI,CAAC;AAAA,IAClG,GAAI,KAAK,cAAc,eAAe,SAAY,EAAE,YAAY,KAAK,aAAa,WAAW,IAAI,CAAC;AAAA,IAClG,GAAI,KAAK,cAAc,iBAAiB,SAAY,EAAE,cAAc,KAAK,aAAa,aAAa,IAAI,CAAC;AAAA,EAC1G;AACA,QAAM,cAAc,mBAAmB,MAAM;AAE7C,QAAM,SAAS,IAAI,WAAW,yBAAyB;AACvD,SAAO,IAAI,oBAAoB,CAAC;AAChC,SAAO,CAAC,KAAK,iBAAiB,OAAO,IAAI,mBAAmB;AAC5D,SAAO,CAAC,IAAI;AACZ,gBAAc,QAAQ,GAAG,YAAY,MAAM;AAE3C,SAAO,YAAY,CAAC,QAAQ,aAAa,IAAI,CAAC;AAChD;AAEA,eAAsB,iBACpB,OACA,OAAgC,CAAC,GACZ;AACrB,MAAI,KAAK,qBAAqB,UAAa,KAAK,eAAe,QAAW;AACxE,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAIA,QAAM,uBAAuB,oBAAoB,IAAI;AACrD,QAAM,iBAAiB,0BAA0B,MAAM,oBAAoB;AAE3E,QAAM,SAAS,MAAM,MAAM,gBAAgB;AAC3C,QAAM,WAAW,MAAM,MAAM,KAAK;AAKlC,QAAM,UAAU,MAAM,qBAAqB,OAAO,UAAU,IAAI;AAKhE,QAAM,gBAAgB,MAAM,sBAAsB,OAAO,SAAS,IAAI;AACtE,QAAM,WAAW,kBAAkB,eAAe,IAAI;AAKtD,QAAM,cAAc,yBAAyB,OACzC,WACA,KAAK,UAAU,MAAM,uBAAuB,UAAU,oBAAoB,CAAC;AAO/E,QAAM,iBAAiB,MAAM,MAAM,kBAAkB;AAErD,SAAO,wBAAwB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc;AAAA,MACZ,GAAI,mBAAmB,SAAY,EAAE,eAAe,IAAI,CAAC;AAAA,MACzD,GAAI,mBAAmB,OAAO,EAAE,YAAY,eAAe,IAAI,CAAC;AAAA,IAClE;AAAA,EACF,CAAC;AACH;AAYA,SAAS,qBAAqB,OAK5B;AACA,MAAI,CAAC,oBAAoB,KAAK,GAAG;AAC/B,UAAM,IAAI;AAAA,MACR,2EACS,CAAC,GAAG,MAAM,MAAM,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,IACvF;AAAA,EACF;AACA,MAAI,MAAM,SAAS,2BAA2B;AAC5C,UAAM,IAAI;AAAA,MACR,yCAAyC,MAAM,MAAM,kCACzB,yBAAyB;AAAA,IACvD;AAAA,EACF;AACA,QAAM,QAAQ,MAAM,CAAC;AACrB,QAAM,OAAO,MAAM,CAAC;AACpB,MAAI,SAAS,oBAAoB,SAAS,oBAAoB,SAAS,oBAAoB;AACzF,UAAM,IAAI;AAAA,MACR,wDAAwD,IAAI;AAAA,IAE9D;AAAA,EACF;AACA,QAAM,eAAe,aAAa,OAAO,CAAC;AAC1C,QAAM,aAAa,4BAA4B;AAC/C,MAAI,aAAa,MAAM,QAAQ;AAC7B,UAAM,IAAI;AAAA,MACR,mDAAmD,YAAY,mCAC3B,MAAM,MAAM;AAAA,IAClD;AAAA,EACF;AACA,QAAM,cAAc,MAAM,MAAM,2BAA2B,UAAU;AACrE,QAAM,SAAS,mBAAmB,WAAW;AAC7C,SAAO,EAAE,QAAQ,YAAY,MAA+B,MAAM;AACpE;AAgBO,SAAS,sBAAsB,OAAsC;AAC1E,SAAO,qBAAqB,KAAK,EAAE;AACrC;AAeO,SAAS,8BACd,OACA,OAAqC,CAAC,GACV;AAC5B,QAAM,SAAS,qBAAqB,KAAK,EAAE;AAC3C,QAAM,MAAM,OAAO;AACnB,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI,KAAK,WAAW,OAAW,QAAO;AACtC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAI,IAAI,SAAS,SAAY,EAAE,MAAM,WAAW,IAAI,MAAM,KAAK,QAAQ,IAAI,aAAa,EAAE,IAAI,CAAC;AAAA,IAC/F,GAAI,IAAI,gBAAgB,SAAY,EAAE,aAAa,WAAW,IAAI,aAAa,KAAK,QAAQ,IAAI,aAAa,EAAE,IAAI,CAAC;AAAA,EACtH;AACF;AAoBA,eAAsB,gBACpB,OACA,OAA+B,CAAC,GACA;AAChC,QAAM,EAAE,QAAQ,YAAY,KAAK,IAAI,qBAAqB,KAAK;AAC/D,QAAM,OAAO,MAAM,MAAM,UAAU;AAInC,MAAI,KAAK,WAAW,OAAO,WAAW;AACpC,UAAM,IAAI;AAAA,MACR,eAAe,KAAK,MAAM,oCACrB,OAAO,SAAS;AAAA,IAEvB;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,UAAU,IAAI;AACtC,MAAI,cAAc,OAAO,YAAY;AACnC,UAAM,IAAI;AAAA,MACR,eAAe,SAAS,qCACnB,OAAO,UAAU;AAAA,IAExB;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,SAAS,kBAAkB;AAC7B,gBAAY;AAAA,EACd,OAAO;AACL,UAAM,eACJ,SAAS,qBAAsB,OAA6B;AAC9D,QAAI;AACF,kBAAY,MAAM,kBAAkB,MAAM,IAAI,oBAAoB,YAAY,CAAC;AAAA,IACjF,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR,yBAA0B,IAAc,OAAO,oEAE1C,YAAY;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAa,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,SAAS;AAK7E,MAAI,OAAO,eAAe,QAAW;AACnC,WAAO,EAAE,QAAQ,UAAU,WAAW;AAAA,EACxC;AACA,QAAM,EAAE,MAAM,KAAK,IAAI,oBAAoB,UAAU;AACrD,QAAM,aAAa,MAAM,kBAAkB,MAAM,IAAI;AACrD,SAAO,EAAE,QAAQ,UAAU,MAAM,WAAW;AAC9C;","names":["userCount","plaintextBytes"]}

package/dist/chunk-VE6YVP32.js

@@ -0,0 +1,19 @@
+import {
+  ValidationError
+} from "./chunk-W3XXT26A.js";
+
+// src/guards/with-guard.ts
+function withGuard(strategy) {
+  if (!strategy.collection || strategy.collection.length === 0) {
+    throw new ValidationError("withGuard: collection name is required");
+  }
+  return {
+    __noydb_strategy: "guard",
+    spec: strategy
+  };
+}
+
+export {
+  withGuard
+};
+//# sourceMappingURL=chunk-VE6YVP32.js.map

package/dist/chunk-VE6YVP32.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/with-guard.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { GuardStrategy, GuardStrategyHandle } from './types.js'\n\n/**\n * Register a guard for a collection. Guards run on every `put()` /\n * `delete()` for the named collection (after permissions, before\n * encryption) and may:\n *\n *   - `check` — block writes by throwing (typically `RecordLockedError`)\n *   - `frozenFields` — freeze specific fields once a condition is true\n *   - `amendment` — declare an authorized-override path with invariant\n *\n * Pass the returned handle to `createNoydb({ strategies: [...] })`.\n *\n * @see docs/superpowers/specs/2026-05-18-guards-design.md\n */\nexport function withGuard<T extends Record<string, unknown>>(\n  strategy: GuardStrategy<T>,\n): GuardStrategyHandle<T> {\n  if (!strategy.collection || strategy.collection.length === 0) {\n    throw new ValidationError('withGuard: collection name is required')\n  }\n  return {\n    __noydb_strategy: 'guard',\n    spec: strategy,\n  }\n}\n"],"mappings":";;;;;AAgBO,SAAS,UACd,UACwB;AACxB,MAAI,CAAC,SAAS,cAAc,SAAS,WAAW,WAAW,GAAG;AAC5D,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB,MAAM;AAAA,EACR;AACF;","names":[]}

package/dist/{chunk-M62XNWRA.js → chunk-VK5EER6C.js}

@@ -4,7 +4,7 @@ import {
 import {
   decrypt,
   encrypt
-} from "./chunk-MR4424N3.js";
+} from "./chunk-2PAQNPE3.js";
 
 // src/consent/consent.ts
 var CONSENT_AUDIT_COLLECTION = "_consent_audit";
@@ -69,4 +69,4 @@ export {
   writeConsentEntry,
   loadConsentEntries
 };
-//# sourceMappingURL=chunk-M62XNWRA.js.map
+//# sourceMappingURL=chunk-VK5EER6C.js.map

package/dist/{chunk-NXFEYLVG.js → chunk-VPSUZLOJ.js}

@@ -1,9 +1,9 @@
 import {
   decrypt
-} from "./chunk-MR4424N3.js";
+} from "./chunk-2PAQNPE3.js";
 import {
   ReadOnlyAtInstantError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-W3XXT26A.js";
 
 // src/history/history.ts
 var HISTORY_COLLECTION = "_history";
@@ -187,6 +187,7 @@ var CollectionInstant = class {
     for (const e of entries) {
       if (e.collection !== this.name || e.id !== id) continue;
       if (e.ts > this.targetTs) break;
+      if (e.op === "amendment" || e.op === "lifecycle") continue;
       latest = { op: e.op, version: e.version };
     }
     if (!latest) return null;
@@ -308,4 +309,4 @@ export {
   diff,
   formatDiff
 };
-//# sourceMappingURL=chunk-NXFEYLVG.js.map
+//# sourceMappingURL=chunk-VPSUZLOJ.js.map

package/dist/{chunk-NXFEYLVG.js.map → chunk-VPSUZLOJ.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/history/history.ts","../src/history/time-machine.ts","../src/history/diff.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope, HistoryOptions, PruneOptions } from '../types.js'\n\n/**\n * History storage convention:\n * Collection: `_history`\n * ID format: `{collection}:{recordId}:{paddedVersion}`\n * Version is zero-padded to 10 digits for lexicographic sorting.\n */\n\nconst HISTORY_COLLECTION = '_history'\nconst VERSION_PAD = 10\n\nfunction historyId(collection: string, recordId: string, version: number): string {\n  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, '0')}`\n}\n\n// Unused today, kept for future history-id parsing utilities.\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nfunction parseHistoryId(id: string): { collection: string; recordId: string; version: number } | null {\n  const lastColon = id.lastIndexOf(':')\n  if (lastColon < 0) return null\n  const versionStr = id.slice(lastColon + 1)\n  const rest = id.slice(0, lastColon)\n  const firstColon = rest.indexOf(':')\n  if (firstColon < 0) return null\n  return {\n    collection: rest.slice(0, firstColon),\n    recordId: rest.slice(firstColon + 1),\n    version: parseInt(versionStr, 10),\n  }\n}\n\nfunction matchesPrefix(id: string, collection: string, recordId?: string): boolean {\n  if (recordId) {\n    return id.startsWith(`${collection}:${recordId}:`)\n  }\n  return id.startsWith(`${collection}:`)\n}\n\n/** Save a history entry (a complete encrypted envelope snapshot). */\nexport async function saveHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  envelope: EncryptedEnvelope,\n): Promise<void> {\n  const id = historyId(collection, recordId, envelope._v)\n  await adapter.put(vault, HISTORY_COLLECTION, id, envelope)\n}\n\n/** Get history entries for a record, sorted newest-first. */\nexport async function getHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  options?: HistoryOptions,\n): Promise<EncryptedEnvelope[]> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => matchesPrefix(id, collection, recordId))\n    .sort()\n    .reverse() // newest first\n\n  const entries: EncryptedEnvelope[] = []\n\n  for (const id of matchingIds) {\n    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n    if (!envelope) continue\n\n    // Apply time filters\n    if (options?.from && envelope._ts < options.from) continue\n    if (options?.to && envelope._ts > options.to) continue\n\n    entries.push(envelope)\n\n    if (options?.limit && entries.length >= options.limit) break\n  }\n\n  return entries\n}\n\n/** Get a specific version's envelope from history. */\nexport async function getVersionEnvelope(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  version: number,\n): Promise<EncryptedEnvelope | null> {\n  const id = historyId(collection, recordId, version)\n  return adapter.get(vault, HISTORY_COLLECTION, id)\n}\n\n/** Prune history entries. Returns the number of entries deleted. */\nexport async function pruneHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string | undefined,\n  options: PruneOptions,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection))\n    .sort()\n\n  let toDelete: string[] = []\n\n  if (options.keepVersions !== undefined) {\n    // Keep only the N most recent, delete the rest\n    const keep = options.keepVersions\n    if (matchingIds.length > keep) {\n      toDelete = matchingIds.slice(0, matchingIds.length - keep)\n    }\n  }\n\n  if (options.beforeDate) {\n    // Delete entries older than the specified date\n    for (const id of matchingIds) {\n      if (toDelete.includes(id)) continue\n      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n      if (envelope && envelope._ts < options.beforeDate) {\n        toDelete.push(id)\n      }\n    }\n  }\n\n  // Deduplicate\n  const uniqueDeletes = [...new Set(toDelete)]\n\n  for (const id of uniqueDeletes) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return uniqueDeletes.length\n}\n\n/** Clear all history for a vault, optionally scoped to a collection or record. */\nexport async function clearHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection?: string,\n  recordId?: string,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  let toDelete: string[]\n\n  if (collection && recordId) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection, recordId))\n  } else if (collection) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection))\n  } else {\n    toDelete = allIds\n  }\n\n  for (const id of toDelete) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return toDelete.length\n}\n","/**\n * Time-machine queries — point-in-time reads reconstructed from the\n * existing history + ledger infrastructure.\n *\n * ## Usage\n *\n * ```ts\n * const vault = await db.openVault('acme', { passphrase })\n * const q1End = vault.at('2026-03-31T23:59:59Z')\n * const invoice = await q1End.collection<Invoice>('invoices').get('inv-001')\n * // → the record as it stood at the close of Q1 2026\n * ```\n *\n * ## How it works\n *\n * Every write path already fans out into two persistence lanes:\n *\n * 1. `saveHistory(...)` persists a **full encrypted envelope snapshot**\n *    per version under the `_history` collection (one envelope per\n *    version, keyed by `{collection}:{id}:{paddedVersion}`). Each\n *    envelope carries its own `_ts` (the write timestamp).\n * 2. `ledger.append(...)` appends a hash-chained audit entry that\n *    records the `op` (put / delete), `version`, and `ts`.\n *\n * Reconstruction at a target timestamp T is therefore:\n *\n * - Find the newest history envelope for `(collection, id)` whose\n *   `_ts ≤ T` — that's the state the record was in at T.\n * - Check the ledger for any `op: 'delete'` entry for the same\n *   `(collection, id)` with `entry.ts` in `(latestEnvelope._ts, T]` —\n *   if present, the record was deleted before T, so return `null`.\n * - Decrypt the surviving envelope with the current collection DEK\n *   (DEKs are per-collection but stable across versions — the same\n *   key encrypts v1 and v15 of a record).\n *\n * No delta replay. The existing `history.ts` module already stores\n * complete snapshots; we just pick the right one.\n *\n * ## Read-only contract\n *\n * Every write method on `CollectionInstant` throws\n * {@link ReadOnlyAtInstantError}. A historical view is a *read*\n * surface — mutating the past would require either a branch/shadow\n * mechanism (tracked under shadow vaults) or a rewrite of\n * history, which breaks the ledger's tamper-evidence guarantee.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport type { LedgerStore } from './ledger/store.js'\nimport { getHistory } from './history.js'\nimport { decrypt } from '../crypto.js'\nimport { ReadOnlyAtInstantError } from '../errors.js'\n\n/**\n * Narrow view of a {@link Vault}'s internals that\n * {@link VaultInstant} needs. Passed in by `Vault.at()` rather than\n * constructed here so all crypto + adapter access stays inside the\n * Vault class.\n *\n * Not exported from the public barrel — consumers should get a\n * `VaultInstant` via `vault.at(ts)`, never by constructing one\n * directly.\n */\nexport interface VaultEngine {\n  readonly adapter: NoydbStore\n  /** Vault name (the compartment). */\n  readonly name: string\n  /**\n   * `true` when the vault was opened with a passphrase (the normal\n   * case). `false` in plaintext-mode vaults (`encrypt: false`) — in\n   * that case `envelope._data` is raw JSON and we skip the DEK lookup.\n   */\n  readonly encrypted: boolean\n  /**\n   * Resolves the DEK used to decrypt a given collection's envelopes.\n   * Not called when `encrypted` is false.\n   */\n  getDEK(collection: string): Promise<CryptoKey>\n  /**\n   * Lazily-initialised ledger. We consult it to detect deletes that\n   * happened between the latest history snapshot and the target\n   * timestamp. `null` when history is disabled for this vault — in\n   * that case time-machine reads fall back to history-only\n   * reconstruction (which may miss deletes).\n   */\n  getLedger(): LedgerStore | null\n}\n\n/**\n * A vault at a fixed instant. Produced by `vault.at(timestamp)`.\n * Carries no session state of its own — every read is a fresh\n * lookup through the vault's adapter.\n *\n * Cheap to construct; safe to throw away. Create one per query.\n */\nexport class VaultInstant {\n  constructor(\n    private readonly engine: VaultEngine,\n    /** Fully-resolved target timestamp (ISO-8601 UTC). */\n    public readonly timestamp: string,\n  ) {}\n\n  /** Get a point-in-time view of a collection. */\n  collection<T = unknown>(name: string): CollectionInstant<T> {\n    return new CollectionInstant<T>(this.engine, this.timestamp, name)\n  }\n}\n\n/**\n * A read-only collection view anchored to a past instant.\n *\n * Every write method throws {@link ReadOnlyAtInstantError} — see the\n * module docstring for why. The read surface is intentionally smaller\n * than the live {@link Collection}: `get` and `list` cover the\n * \"what did the books look like on date X\" use case without pulling\n * in the full query DSL / joins / aggregates at this stage. Follow-up\n * work tracked under.\n */\nexport class CollectionInstant<T = unknown> {\n  constructor(\n    private readonly engine: VaultEngine,\n    private readonly targetTs: string,\n    public readonly name: string,\n  ) {}\n\n  /**\n   * Return the record as it existed at the target timestamp, or\n   * `null` if the record had not been created yet or had already been\n   * deleted by then.\n   */\n  async get(id: string): Promise<T | null> {\n    const envelope = await this.resolveEnvelope(id)\n    if (!envelope) return null\n    const plaintext = this.engine.encrypted\n      ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name))\n      : envelope._data\n    return JSON.parse(plaintext) as T\n  }\n\n  /**\n   * IDs of records that existed (had at least one `put` and were not\n   * subsequently deleted) at the target timestamp.\n   *\n   * Implemented as a linear scan over history + ledger. Performance\n   * is bounded by total history size (not live-vault size), so the\n   * memory-first vault-scale cap (1K–50K records × average history\n   * depth) still applies.\n   */\n  async list(): Promise<string[]> {\n    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name)\n    const liveIds = await this.engine.adapter.list(this.engine.name, this.name)\n    const candidateIds = new Set<string>([...historyIds, ...liveIds])\n    const alive: string[] = []\n    for (const id of candidateIds) {\n      const env = await this.resolveEnvelope(id)\n      if (env) alive.push(id)\n    }\n    return alive.sort()\n  }\n\n  // ── write guards ───────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyAtInstantError('put', this.targetTs)\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyAtInstantError('delete', this.targetTs)\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyAtInstantError('update', this.targetTs)\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  /**\n   * Return the envelope that represents the record's state at\n   * `targetTs`, accounting for deletes. `null` if the record didn't\n   * exist at that instant.\n   *\n   * ## Why we use the ledger as the authoritative timeline\n   *\n   * The per-version history snapshots saved by `saveHistory()` do\n   * carry a `_ts` field, but that timestamp is the moment the\n   * snapshot was *captured* (i.e. the instant right before the\n   * subsequent overwrite), not the original write time. The ledger,\n   * by contrast, records `ts` at the moment of each `put` / `delete`\n   * — it's the only source that tracks the real timeline. So:\n   *\n   *   1. Walk the ledger; find the latest entry for `(collection, id)`\n   *      with `ts ≤ targetTs`.\n   *   2. If that entry is a `delete`, the record was gone at the\n   *      target instant — return null.\n   *   3. Otherwise it's a `put` with a specific `version`. Load the\n   *      envelope for that version from history, falling back to the\n   *      live collection for the most recent version.\n   *\n   * ## Fallback when the ledger is disabled\n   *\n   * If the vault has history disabled, `getLedger()` returns null and\n   * we fall back to comparing envelope `_ts` fields. This is\n   * approximate and gets the *last write* right but may confuse the\n   * intermediate versions; adopters needing accurate time-machine\n   * reads should leave history enabled.\n   */\n  private async resolveEnvelope(id: string): Promise<EncryptedEnvelope | null> {\n    const ledger = this.engine.getLedger()\n    if (ledger) {\n      return this.resolveViaLedger(id, ledger)\n    }\n    return this.resolveViaEnvelopeTs(id)\n  }\n\n  private async resolveViaLedger(id: string, ledger: LedgerStore): Promise<EncryptedEnvelope | null> {\n    const entries = await ledger.entries()\n    // Entries are already ordered by index which is the mutation order.\n    let latest: { op: 'put' | 'delete'; version: number } | null = null\n    for (const e of entries) {\n      if (e.collection !== this.name || e.id !== id) continue\n      if (e.ts > this.targetTs) break   // entries are time-ordered by index\n      latest = { op: e.op, version: e.version }\n    }\n    if (!latest) return null\n    if (latest.op === 'delete') return null\n    return this.loadVersion(id, latest.version)\n  }\n\n  private async resolveViaEnvelopeTs(id: string): Promise<EncryptedEnvelope | null> {\n    const history = await getHistory(\n      this.engine.adapter, this.engine.name, this.name, id,\n    )\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    const byVersion = new Map<number, EncryptedEnvelope>()\n    for (const e of history) byVersion.set(e._v, e)\n    if (live) byVersion.set(live._v, live)\n    const sorted = [...byVersion.values()].sort((a, b) =>\n      a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0,\n    )\n    return sorted.find((e) => e._ts <= this.targetTs) ?? null\n  }\n\n  /**\n   * Fetch the envelope for a specific version. The live record (most\n   * recent put) lives in the main collection; prior versions live in\n   * `_history`. We check live first because the common case after a\n   * delete is that we're trying to load the last-live version from\n   * history, and skipping live for the current-version case avoids a\n   * redundant lookup.\n   */\n  private async loadVersion(id: string, version: number): Promise<EncryptedEnvelope | null> {\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    if (live && live._v === version) return live\n\n    // Direct lookup by (collection, id, version) — avoids scanning all history.\n    const historyId = `${this.name}:${id}:${String(version).padStart(10, '0')}`\n    return await this.engine.adapter.get(this.engine.name, '_history', historyId)\n  }\n}\n\n/**\n * Scan the `_history` collection once and collect every distinct\n * `recordId` for the given collection. History keys follow the\n * shape `<collection>:<recordId>:<paddedVersion>`; we split on the\n * last two colons (delimiter-safe because `paddedVersion` is\n * exactly 10 digits).\n */\nasync function collectHistoryIds(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n): Promise<string[]> {\n  const all = await adapter.list(vault, '_history')\n  const prefix = `${collection}:`\n  const seen = new Set<string>()\n  for (const key of all) {\n    if (!key.startsWith(prefix)) continue\n    const lastColon = key.lastIndexOf(':')\n    if (lastColon <= prefix.length) continue\n    const middle = key.slice(prefix.length, lastColon)\n    seen.add(middle)\n  }\n  return [...seen]\n}\n","/**\n * Zero-dependency JSON diff.\n * Produces a flat list of changes between two plain objects.\n */\n\nexport type ChangeType = 'added' | 'removed' | 'changed'\n\nexport interface DiffEntry {\n  /** Dot-separated path to the changed field (e.g. \"address.city\"). */\n  readonly path: string\n  /** Type of change. */\n  readonly type: ChangeType\n  /** Previous value (undefined for 'added'). */\n  readonly from?: unknown\n  /** New value (undefined for 'removed'). */\n  readonly to?: unknown\n}\n\n/**\n * Compute differences between two objects.\n * Returns an array of DiffEntry describing each changed field.\n * Returns empty array if objects are identical.\n */\nexport function diff(oldObj: unknown, newObj: unknown, basePath = ''): DiffEntry[] {\n  const changes: DiffEntry[] = []\n\n  // Both primitives or nulls\n  if (oldObj === newObj) return changes\n\n  // One is null/undefined\n  if (oldObj == null && newObj != null) {\n    return [{ path: basePath || '(root)', type: 'added', to: newObj }]\n  }\n  if (oldObj != null && newObj == null) {\n    return [{ path: basePath || '(root)', type: 'removed', from: oldObj }]\n  }\n\n  // Different types\n  if (typeof oldObj !== typeof newObj) {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both primitives (and not equal — checked above)\n  if (typeof oldObj !== 'object') {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both arrays\n  if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n    const maxLen = Math.max(oldObj.length, newObj.length)\n    for (let i = 0; i < maxLen; i++) {\n      const p = basePath ? `${basePath}[${i}]` : `[${i}]`\n      if (i >= oldObj.length) {\n        changes.push({ path: p, type: 'added', to: newObj[i] })\n      } else if (i >= newObj.length) {\n        changes.push({ path: p, type: 'removed', from: oldObj[i] })\n      } else {\n        changes.push(...diff(oldObj[i], newObj[i], p))\n      }\n    }\n    return changes\n  }\n\n  // Both objects\n  const oldRecord = oldObj as Record<string, unknown>\n  const newRecord = newObj as Record<string, unknown>\n  const allKeys = new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)])\n\n  for (const key of allKeys) {\n    const p = basePath ? `${basePath}.${key}` : key\n    if (!(key in oldRecord)) {\n      changes.push({ path: p, type: 'added', to: newRecord[key] })\n    } else if (!(key in newRecord)) {\n      changes.push({ path: p, type: 'removed', from: oldRecord[key] })\n    } else {\n      changes.push(...diff(oldRecord[key], newRecord[key], p))\n    }\n  }\n\n  return changes\n}\n\n/** Format a diff as a human-readable string. */\nexport function formatDiff(changes: DiffEntry[]): string {\n  if (changes.length === 0) return '(no changes)'\n  return changes.map(c => {\n    switch (c.type) {\n      case 'added':\n        return `+ ${c.path}: ${JSON.stringify(c.to)}`\n      case 'removed':\n        return `- ${c.path}: ${JSON.stringify(c.from)}`\n      case 'changed':\n        return `~ ${c.path}: ${JSON.stringify(c.from)} → ${JSON.stringify(c.to)}`\n    }\n  }).join('\\n')\n}\n"],"mappings":";;;;;;;;AASA,IAAM,qBAAqB;AAC3B,IAAM,cAAc;AAEpB,SAAS,UAAU,YAAoB,UAAkB,SAAyB;AAChF,SAAO,GAAG,UAAU,IAAI,QAAQ,IAAI,OAAO,OAAO,EAAE,SAAS,aAAa,GAAG,CAAC;AAChF;AAkBA,SAAS,cAAc,IAAY,YAAoB,UAA4B;AACjF,MAAI,UAAU;AACZ,WAAO,GAAG,WAAW,GAAG,UAAU,IAAI,QAAQ,GAAG;AAAA,EACnD;AACA,SAAO,GAAG,WAAW,GAAG,UAAU,GAAG;AACvC;AAGA,eAAsB,YACpB,SACA,OACA,YACA,UACA,UACe;AACf,QAAM,KAAK,UAAU,YAAY,UAAU,SAAS,EAAE;AACtD,QAAM,QAAQ,IAAI,OAAO,oBAAoB,IAAI,QAAQ;AAC3D;AAGA,eAAsB,WACpB,SACA,OACA,YACA,UACA,SAC8B;AAC9B,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC,EACpD,KAAK,EACL,QAAQ;AAEX,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,aAAa;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,QAAI,CAAC,SAAU;AAGf,QAAI,SAAS,QAAQ,SAAS,MAAM,QAAQ,KAAM;AAClD,QAAI,SAAS,MAAM,SAAS,MAAM,QAAQ,GAAI;AAE9C,YAAQ,KAAK,QAAQ;AAErB,QAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,MAAO;AAAA,EACzD;AAEA,SAAO;AACT;AAGA,eAAsB,mBACpB,SACA,OACA,YACA,UACA,SACmC;AACnC,QAAM,KAAK,UAAU,YAAY,UAAU,OAAO;AAClD,SAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAClD;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACA,SACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,WAAW,cAAc,IAAI,YAAY,QAAQ,IAAI,cAAc,IAAI,UAAU,CAAC,EAC/F,KAAK;AAER,MAAI,WAAqB,CAAC;AAE1B,MAAI,QAAQ,iBAAiB,QAAW;AAEtC,UAAM,OAAO,QAAQ;AACrB,QAAI,YAAY,SAAS,MAAM;AAC7B,iBAAW,YAAY,MAAM,GAAG,YAAY,SAAS,IAAI;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AAEtB,eAAW,MAAM,aAAa;AAC5B,UAAI,SAAS,SAAS,EAAE,EAAG;AAC3B,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,UAAI,YAAY,SAAS,MAAM,QAAQ,YAAY;AACjD,iBAAS,KAAK,EAAE;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC;AAE3C,aAAW,MAAM,eAAe;AAC9B,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,cAAc;AACvB;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,MAAI;AAEJ,MAAI,cAAc,UAAU;AAC1B,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC;AAAA,EACxE,WAAW,YAAY;AACrB,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,UAAU,CAAC;AAAA,EAC9D,OAAO;AACL,eAAW;AAAA,EACb;AAEA,aAAW,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,SAAS;AAClB;;;AClEO,IAAM,eAAN,MAAmB;AAAA,EACxB,YACmB,QAED,WAChB;AAHiB;AAED;AAAA,EACf;AAAA,EAHgB;AAAA,EAED;AAAA;AAAA,EAIlB,WAAwB,MAAoC;AAC1D,WAAO,IAAI,kBAAqB,KAAK,QAAQ,KAAK,WAAW,IAAI;AAAA,EACnE;AACF;AAYO,IAAM,oBAAN,MAAqC;AAAA,EAC1C,YACmB,QACA,UACD,MAChB;AAHiB;AACA;AACD;AAAA,EACf;AAAA,EAHgB;AAAA,EACA;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlB,MAAM,IAAI,IAA+B;AACvC,UAAM,WAAW,MAAM,KAAK,gBAAgB,EAAE;AAC9C,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,YAAY,KAAK,OAAO,YAC1B,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,CAAC,IAC/E,SAAS;AACb,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAA0B;AAC9B,UAAM,aAAa,MAAM,kBAAkB,KAAK,OAAO,SAAS,KAAK,OAAO,MAAM,KAAK,IAAI;AAC3F,UAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,KAAK,KAAK,OAAO,MAAM,KAAK,IAAI;AAC1E,UAAM,eAAe,oBAAI,IAAY,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC;AAChE,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,cAAc;AAC7B,YAAM,MAAM,MAAM,KAAK,gBAAgB,EAAE;AACzC,UAAI,IAAK,OAAM,KAAK,EAAE;AAAA,IACxB;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,uBAAuB,OAAO,KAAK,QAAQ;AAAA,EACvD;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCA,MAAc,gBAAgB,IAA+C;AAC3E,UAAM,SAAS,KAAK,OAAO,UAAU;AACrC,QAAI,QAAQ;AACV,aAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,IACzC;AACA,WAAO,KAAK,qBAAqB,EAAE;AAAA,EACrC;AAAA,EAEA,MAAc,iBAAiB,IAAY,QAAwD;AACjG,UAAM,UAAU,MAAM,OAAO,QAAQ;AAErC,QAAI,SAA2D;AAC/D,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,eAAe,KAAK,QAAQ,EAAE,OAAO,GAAI;AAC/C,UAAI,EAAE,KAAK,KAAK,SAAU;AAC1B,eAAS,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,QAAQ;AAAA,IAC1C;AACA,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,OAAO,SAAU,QAAO;AACnC,WAAO,KAAK,YAAY,IAAI,OAAO,OAAO;AAAA,EAC5C;AAAA,EAEA,MAAc,qBAAqB,IAA+C;AAChF,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK,OAAO;AAAA,MAAS,KAAK,OAAO;AAAA,MAAM,KAAK;AAAA,MAAM;AAAA,IACpD;AACA,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,UAAM,YAAY,oBAAI,IAA+B;AACrD,eAAW,KAAK,QAAS,WAAU,IAAI,EAAE,IAAI,CAAC;AAC9C,QAAI,KAAM,WAAU,IAAI,KAAK,IAAI,IAAI;AACrC,UAAM,SAAS,CAAC,GAAG,UAAU,OAAO,CAAC,EAAE;AAAA,MAAK,CAAC,GAAG,MAC9C,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK;AAAA,IAC3C;AACA,WAAO,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,KAAK,QAAQ,KAAK;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,YAAY,IAAY,SAAoD;AACxF,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,QAAI,QAAQ,KAAK,OAAO,QAAS,QAAO;AAGxC,UAAMA,aAAY,GAAG,KAAK,IAAI,IAAI,EAAE,IAAI,OAAO,OAAO,EAAE,SAAS,IAAI,GAAG,CAAC;AACzE,WAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,YAAYA,UAAS;AAAA,EAC9E;AACF;AASA,eAAe,kBACb,SACA,OACA,YACmB;AACnB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,QAAM,SAAS,GAAG,UAAU;AAC5B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,YAAY,IAAI,YAAY,GAAG;AACrC,QAAI,aAAa,OAAO,OAAQ;AAChC,UAAM,SAAS,IAAI,MAAM,OAAO,QAAQ,SAAS;AACjD,SAAK,IAAI,MAAM;AAAA,EACjB;AACA,SAAO,CAAC,GAAG,IAAI;AACjB;;;ACnQO,SAAS,KAAK,QAAiB,QAAiB,WAAW,IAAiB;AACjF,QAAM,UAAuB,CAAC;AAG9B,MAAI,WAAW,OAAQ,QAAO;AAG9B,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,SAAS,IAAI,OAAO,CAAC;AAAA,EACnE;AACA,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,OAAO,CAAC;AAAA,EACvE;AAGA,MAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,MAAM,QAAQ,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAG;AAClD,UAAM,SAAS,KAAK,IAAI,OAAO,QAAQ,OAAO,MAAM;AACpD,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,YAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC;AAChD,UAAI,KAAK,OAAO,QAAQ;AACtB,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,EAAE,CAAC;AAAA,MACxD,WAAW,KAAK,OAAO,QAAQ;AAC7B,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,OAAO,CAAC,EAAE,CAAC;AAAA,MAC5D,OAAO;AACL,gBAAQ,KAAK,GAAG,KAAK,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAAA,MAC/C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY;AAClB,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,SAAS,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC;AAE9E,aAAW,OAAO,SAAS;AACzB,UAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,GAAG,KAAK;AAC5C,QAAI,EAAE,OAAO,YAAY;AACvB,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,UAAU,GAAG,EAAE,CAAC;AAAA,IAC7D,WAAW,EAAE,OAAO,YAAY;AAC9B,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,UAAU,GAAG,EAAE,CAAC;AAAA,IACjE,OAAO;AACL,cAAQ,KAAK,GAAG,KAAK,UAAU,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AACT;AAGO,SAAS,WAAW,SAA8B;AACvD,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,SAAO,QAAQ,IAAI,OAAK;AACtB,YAAQ,EAAE,MAAM;AAAA,MACd,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,MAC7C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,MAC/C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC,WAAM,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,IAC3E;AAAA,EACF,CAAC,EAAE,KAAK,IAAI;AACd;","names":["historyId"]}
+{"version":3,"sources":["../src/history/history.ts","../src/history/time-machine.ts","../src/history/diff.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope, HistoryOptions, PruneOptions } from '../types.js'\n\n/**\n * History storage convention:\n * Collection: `_history`\n * ID format: `{collection}:{recordId}:{paddedVersion}`\n * Version is zero-padded to 10 digits for lexicographic sorting.\n */\n\nconst HISTORY_COLLECTION = '_history'\nconst VERSION_PAD = 10\n\nfunction historyId(collection: string, recordId: string, version: number): string {\n  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, '0')}`\n}\n\n// Unused today, kept for future history-id parsing utilities.\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nfunction parseHistoryId(id: string): { collection: string; recordId: string; version: number } | null {\n  const lastColon = id.lastIndexOf(':')\n  if (lastColon < 0) return null\n  const versionStr = id.slice(lastColon + 1)\n  const rest = id.slice(0, lastColon)\n  const firstColon = rest.indexOf(':')\n  if (firstColon < 0) return null\n  return {\n    collection: rest.slice(0, firstColon),\n    recordId: rest.slice(firstColon + 1),\n    version: parseInt(versionStr, 10),\n  }\n}\n\nfunction matchesPrefix(id: string, collection: string, recordId?: string): boolean {\n  if (recordId) {\n    return id.startsWith(`${collection}:${recordId}:`)\n  }\n  return id.startsWith(`${collection}:`)\n}\n\n/** Save a history entry (a complete encrypted envelope snapshot). */\nexport async function saveHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  envelope: EncryptedEnvelope,\n): Promise<void> {\n  const id = historyId(collection, recordId, envelope._v)\n  await adapter.put(vault, HISTORY_COLLECTION, id, envelope)\n}\n\n/** Get history entries for a record, sorted newest-first. */\nexport async function getHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  options?: HistoryOptions,\n): Promise<EncryptedEnvelope[]> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => matchesPrefix(id, collection, recordId))\n    .sort()\n    .reverse() // newest first\n\n  const entries: EncryptedEnvelope[] = []\n\n  for (const id of matchingIds) {\n    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n    if (!envelope) continue\n\n    // Apply time filters\n    if (options?.from && envelope._ts < options.from) continue\n    if (options?.to && envelope._ts > options.to) continue\n\n    entries.push(envelope)\n\n    if (options?.limit && entries.length >= options.limit) break\n  }\n\n  return entries\n}\n\n/** Get a specific version's envelope from history. */\nexport async function getVersionEnvelope(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  version: number,\n): Promise<EncryptedEnvelope | null> {\n  const id = historyId(collection, recordId, version)\n  return adapter.get(vault, HISTORY_COLLECTION, id)\n}\n\n/** Prune history entries. Returns the number of entries deleted. */\nexport async function pruneHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string | undefined,\n  options: PruneOptions,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection))\n    .sort()\n\n  let toDelete: string[] = []\n\n  if (options.keepVersions !== undefined) {\n    // Keep only the N most recent, delete the rest\n    const keep = options.keepVersions\n    if (matchingIds.length > keep) {\n      toDelete = matchingIds.slice(0, matchingIds.length - keep)\n    }\n  }\n\n  if (options.beforeDate) {\n    // Delete entries older than the specified date\n    for (const id of matchingIds) {\n      if (toDelete.includes(id)) continue\n      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n      if (envelope && envelope._ts < options.beforeDate) {\n        toDelete.push(id)\n      }\n    }\n  }\n\n  // Deduplicate\n  const uniqueDeletes = [...new Set(toDelete)]\n\n  for (const id of uniqueDeletes) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return uniqueDeletes.length\n}\n\n/** Clear all history for a vault, optionally scoped to a collection or record. */\nexport async function clearHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection?: string,\n  recordId?: string,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  let toDelete: string[]\n\n  if (collection && recordId) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection, recordId))\n  } else if (collection) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection))\n  } else {\n    toDelete = allIds\n  }\n\n  for (const id of toDelete) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return toDelete.length\n}\n","/**\n * Time-machine queries — point-in-time reads reconstructed from the\n * existing history + ledger infrastructure.\n *\n * ## Usage\n *\n * ```ts\n * const vault = await db.openVault('acme', { passphrase })\n * const q1End = vault.at('2026-03-31T23:59:59Z')\n * const invoice = await q1End.collection<Invoice>('invoices').get('inv-001')\n * // → the record as it stood at the close of Q1 2026\n * ```\n *\n * ## How it works\n *\n * Every write path already fans out into two persistence lanes:\n *\n * 1. `saveHistory(...)` persists a **full encrypted envelope snapshot**\n *    per version under the `_history` collection (one envelope per\n *    version, keyed by `{collection}:{id}:{paddedVersion}`). Each\n *    envelope carries its own `_ts` (the write timestamp).\n * 2. `ledger.append(...)` appends a hash-chained audit entry that\n *    records the `op` (put / delete), `version`, and `ts`.\n *\n * Reconstruction at a target timestamp T is therefore:\n *\n * - Find the newest history envelope for `(collection, id)` whose\n *   `_ts ≤ T` — that's the state the record was in at T.\n * - Check the ledger for any `op: 'delete'` entry for the same\n *   `(collection, id)` with `entry.ts` in `(latestEnvelope._ts, T]` —\n *   if present, the record was deleted before T, so return `null`.\n * - Decrypt the surviving envelope with the current collection DEK\n *   (DEKs are per-collection but stable across versions — the same\n *   key encrypts v1 and v15 of a record).\n *\n * No delta replay. The existing `history.ts` module already stores\n * complete snapshots; we just pick the right one.\n *\n * ## Read-only contract\n *\n * Every write method on `CollectionInstant` throws\n * {@link ReadOnlyAtInstantError}. A historical view is a *read*\n * surface — mutating the past would require either a branch/shadow\n * mechanism (tracked under shadow vaults) or a rewrite of\n * history, which breaks the ledger's tamper-evidence guarantee.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport type { LedgerStore } from './ledger/store.js'\nimport { getHistory } from './history.js'\nimport { decrypt } from '../crypto.js'\nimport { ReadOnlyAtInstantError } from '../errors.js'\n\n/**\n * Narrow view of a {@link Vault}'s internals that\n * {@link VaultInstant} needs. Passed in by `Vault.at()` rather than\n * constructed here so all crypto + adapter access stays inside the\n * Vault class.\n *\n * Not exported from the public barrel — consumers should get a\n * `VaultInstant` via `vault.at(ts)`, never by constructing one\n * directly.\n */\nexport interface VaultEngine {\n  readonly adapter: NoydbStore\n  /** Vault name (the compartment). */\n  readonly name: string\n  /**\n   * `true` when the vault was opened with a passphrase (the normal\n   * case). `false` in plaintext-mode vaults (`encrypt: false`) — in\n   * that case `envelope._data` is raw JSON and we skip the DEK lookup.\n   */\n  readonly encrypted: boolean\n  /**\n   * Resolves the DEK used to decrypt a given collection's envelopes.\n   * Not called when `encrypted` is false.\n   */\n  getDEK(collection: string): Promise<CryptoKey>\n  /**\n   * Lazily-initialised ledger. We consult it to detect deletes that\n   * happened between the latest history snapshot and the target\n   * timestamp. `null` when history is disabled for this vault — in\n   * that case time-machine reads fall back to history-only\n   * reconstruction (which may miss deletes).\n   */\n  getLedger(): LedgerStore | null\n}\n\n/**\n * A vault at a fixed instant. Produced by `vault.at(timestamp)`.\n * Carries no session state of its own — every read is a fresh\n * lookup through the vault's adapter.\n *\n * Cheap to construct; safe to throw away. Create one per query.\n */\nexport class VaultInstant {\n  constructor(\n    private readonly engine: VaultEngine,\n    /** Fully-resolved target timestamp (ISO-8601 UTC). */\n    public readonly timestamp: string,\n  ) {}\n\n  /** Get a point-in-time view of a collection. */\n  collection<T = unknown>(name: string): CollectionInstant<T> {\n    return new CollectionInstant<T>(this.engine, this.timestamp, name)\n  }\n}\n\n/**\n * A read-only collection view anchored to a past instant.\n *\n * Every write method throws {@link ReadOnlyAtInstantError} — see the\n * module docstring for why. The read surface is intentionally smaller\n * than the live {@link Collection}: `get` and `list` cover the\n * \"what did the books look like on date X\" use case without pulling\n * in the full query DSL / joins / aggregates at this stage. Follow-up\n * work tracked under.\n */\nexport class CollectionInstant<T = unknown> {\n  constructor(\n    private readonly engine: VaultEngine,\n    private readonly targetTs: string,\n    public readonly name: string,\n  ) {}\n\n  /**\n   * Return the record as it existed at the target timestamp, or\n   * `null` if the record had not been created yet or had already been\n   * deleted by then.\n   */\n  async get(id: string): Promise<T | null> {\n    const envelope = await this.resolveEnvelope(id)\n    if (!envelope) return null\n    const plaintext = this.engine.encrypted\n      ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name))\n      : envelope._data\n    return JSON.parse(plaintext) as T\n  }\n\n  /**\n   * IDs of records that existed (had at least one `put` and were not\n   * subsequently deleted) at the target timestamp.\n   *\n   * Implemented as a linear scan over history + ledger. Performance\n   * is bounded by total history size (not live-vault size), so the\n   * memory-first vault-scale cap (1K–50K records × average history\n   * depth) still applies.\n   */\n  async list(): Promise<string[]> {\n    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name)\n    const liveIds = await this.engine.adapter.list(this.engine.name, this.name)\n    const candidateIds = new Set<string>([...historyIds, ...liveIds])\n    const alive: string[] = []\n    for (const id of candidateIds) {\n      const env = await this.resolveEnvelope(id)\n      if (env) alive.push(id)\n    }\n    return alive.sort()\n  }\n\n  // ── write guards ───────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyAtInstantError('put', this.targetTs)\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyAtInstantError('delete', this.targetTs)\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyAtInstantError('update', this.targetTs)\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  /**\n   * Return the envelope that represents the record's state at\n   * `targetTs`, accounting for deletes. `null` if the record didn't\n   * exist at that instant.\n   *\n   * ## Why we use the ledger as the authoritative timeline\n   *\n   * The per-version history snapshots saved by `saveHistory()` do\n   * carry a `_ts` field, but that timestamp is the moment the\n   * snapshot was *captured* (i.e. the instant right before the\n   * subsequent overwrite), not the original write time. The ledger,\n   * by contrast, records `ts` at the moment of each `put` / `delete`\n   * — it's the only source that tracks the real timeline. So:\n   *\n   *   1. Walk the ledger; find the latest entry for `(collection, id)`\n   *      with `ts ≤ targetTs`.\n   *   2. If that entry is a `delete`, the record was gone at the\n   *      target instant — return null.\n   *   3. Otherwise it's a `put` with a specific `version`. Load the\n   *      envelope for that version from history, falling back to the\n   *      live collection for the most recent version.\n   *\n   * ## Fallback when the ledger is disabled\n   *\n   * If the vault has history disabled, `getLedger()` returns null and\n   * we fall back to comparing envelope `_ts` fields. This is\n   * approximate and gets the *last write* right but may confuse the\n   * intermediate versions; adopters needing accurate time-machine\n   * reads should leave history enabled.\n   */\n  private async resolveEnvelope(id: string): Promise<EncryptedEnvelope | null> {\n    const ledger = this.engine.getLedger()\n    if (ledger) {\n      return this.resolveViaLedger(id, ledger)\n    }\n    return this.resolveViaEnvelopeTs(id)\n  }\n\n  private async resolveViaLedger(id: string, ledger: LedgerStore): Promise<EncryptedEnvelope | null> {\n    const entries = await ledger.entries()\n    // Entries are already ordered by index which is the mutation order.\n    let latest: { op: 'put' | 'delete'; version: number } | null = null\n    for (const e of entries) {\n      if (e.collection !== this.name || e.id !== id) continue\n      if (e.ts > this.targetTs) break   // entries are time-ordered by index\n      // `amendment` + `lifecycle` entries are audit-only summaries — they\n      // carry no (collection, id) tuple of their own and would never match\n      // the filter above. The narrow here is a type guard, not a runtime\n      // skip.\n      if (e.op === 'amendment' || e.op === 'lifecycle') continue\n      latest = { op: e.op, version: e.version }\n    }\n    if (!latest) return null\n    if (latest.op === 'delete') return null\n    return this.loadVersion(id, latest.version)\n  }\n\n  private async resolveViaEnvelopeTs(id: string): Promise<EncryptedEnvelope | null> {\n    const history = await getHistory(\n      this.engine.adapter, this.engine.name, this.name, id,\n    )\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    const byVersion = new Map<number, EncryptedEnvelope>()\n    for (const e of history) byVersion.set(e._v, e)\n    if (live) byVersion.set(live._v, live)\n    const sorted = [...byVersion.values()].sort((a, b) =>\n      a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0,\n    )\n    return sorted.find((e) => e._ts <= this.targetTs) ?? null\n  }\n\n  /**\n   * Fetch the envelope for a specific version. The live record (most\n   * recent put) lives in the main collection; prior versions live in\n   * `_history`. We check live first because the common case after a\n   * delete is that we're trying to load the last-live version from\n   * history, and skipping live for the current-version case avoids a\n   * redundant lookup.\n   */\n  private async loadVersion(id: string, version: number): Promise<EncryptedEnvelope | null> {\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    if (live && live._v === version) return live\n\n    // Direct lookup by (collection, id, version) — avoids scanning all history.\n    const historyId = `${this.name}:${id}:${String(version).padStart(10, '0')}`\n    return await this.engine.adapter.get(this.engine.name, '_history', historyId)\n  }\n}\n\n/**\n * Scan the `_history` collection once and collect every distinct\n * `recordId` for the given collection. History keys follow the\n * shape `<collection>:<recordId>:<paddedVersion>`; we split on the\n * last two colons (delimiter-safe because `paddedVersion` is\n * exactly 10 digits).\n */\nasync function collectHistoryIds(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n): Promise<string[]> {\n  const all = await adapter.list(vault, '_history')\n  const prefix = `${collection}:`\n  const seen = new Set<string>()\n  for (const key of all) {\n    if (!key.startsWith(prefix)) continue\n    const lastColon = key.lastIndexOf(':')\n    if (lastColon <= prefix.length) continue\n    const middle = key.slice(prefix.length, lastColon)\n    seen.add(middle)\n  }\n  return [...seen]\n}\n","/**\n * Zero-dependency JSON diff.\n * Produces a flat list of changes between two plain objects.\n */\n\nexport type ChangeType = 'added' | 'removed' | 'changed'\n\nexport interface DiffEntry {\n  /** Dot-separated path to the changed field (e.g. \"address.city\"). */\n  readonly path: string\n  /** Type of change. */\n  readonly type: ChangeType\n  /** Previous value (undefined for 'added'). */\n  readonly from?: unknown\n  /** New value (undefined for 'removed'). */\n  readonly to?: unknown\n}\n\n/**\n * Compute differences between two objects.\n * Returns an array of DiffEntry describing each changed field.\n * Returns empty array if objects are identical.\n */\nexport function diff(oldObj: unknown, newObj: unknown, basePath = ''): DiffEntry[] {\n  const changes: DiffEntry[] = []\n\n  // Both primitives or nulls\n  if (oldObj === newObj) return changes\n\n  // One is null/undefined\n  if (oldObj == null && newObj != null) {\n    return [{ path: basePath || '(root)', type: 'added', to: newObj }]\n  }\n  if (oldObj != null && newObj == null) {\n    return [{ path: basePath || '(root)', type: 'removed', from: oldObj }]\n  }\n\n  // Different types\n  if (typeof oldObj !== typeof newObj) {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both primitives (and not equal — checked above)\n  if (typeof oldObj !== 'object') {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both arrays\n  if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n    const maxLen = Math.max(oldObj.length, newObj.length)\n    for (let i = 0; i < maxLen; i++) {\n      const p = basePath ? `${basePath}[${i}]` : `[${i}]`\n      if (i >= oldObj.length) {\n        changes.push({ path: p, type: 'added', to: newObj[i] })\n      } else if (i >= newObj.length) {\n        changes.push({ path: p, type: 'removed', from: oldObj[i] })\n      } else {\n        changes.push(...diff(oldObj[i], newObj[i], p))\n      }\n    }\n    return changes\n  }\n\n  // Both objects\n  const oldRecord = oldObj as Record<string, unknown>\n  const newRecord = newObj as Record<string, unknown>\n  const allKeys = new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)])\n\n  for (const key of allKeys) {\n    const p = basePath ? `${basePath}.${key}` : key\n    if (!(key in oldRecord)) {\n      changes.push({ path: p, type: 'added', to: newRecord[key] })\n    } else if (!(key in newRecord)) {\n      changes.push({ path: p, type: 'removed', from: oldRecord[key] })\n    } else {\n      changes.push(...diff(oldRecord[key], newRecord[key], p))\n    }\n  }\n\n  return changes\n}\n\n/** Format a diff as a human-readable string. */\nexport function formatDiff(changes: DiffEntry[]): string {\n  if (changes.length === 0) return '(no changes)'\n  return changes.map(c => {\n    switch (c.type) {\n      case 'added':\n        return `+ ${c.path}: ${JSON.stringify(c.to)}`\n      case 'removed':\n        return `- ${c.path}: ${JSON.stringify(c.from)}`\n      case 'changed':\n        return `~ ${c.path}: ${JSON.stringify(c.from)} → ${JSON.stringify(c.to)}`\n    }\n  }).join('\\n')\n}\n"],"mappings":";;;;;;;;AASA,IAAM,qBAAqB;AAC3B,IAAM,cAAc;AAEpB,SAAS,UAAU,YAAoB,UAAkB,SAAyB;AAChF,SAAO,GAAG,UAAU,IAAI,QAAQ,IAAI,OAAO,OAAO,EAAE,SAAS,aAAa,GAAG,CAAC;AAChF;AAkBA,SAAS,cAAc,IAAY,YAAoB,UAA4B;AACjF,MAAI,UAAU;AACZ,WAAO,GAAG,WAAW,GAAG,UAAU,IAAI,QAAQ,GAAG;AAAA,EACnD;AACA,SAAO,GAAG,WAAW,GAAG,UAAU,GAAG;AACvC;AAGA,eAAsB,YACpB,SACA,OACA,YACA,UACA,UACe;AACf,QAAM,KAAK,UAAU,YAAY,UAAU,SAAS,EAAE;AACtD,QAAM,QAAQ,IAAI,OAAO,oBAAoB,IAAI,QAAQ;AAC3D;AAGA,eAAsB,WACpB,SACA,OACA,YACA,UACA,SAC8B;AAC9B,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC,EACpD,KAAK,EACL,QAAQ;AAEX,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,aAAa;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,QAAI,CAAC,SAAU;AAGf,QAAI,SAAS,QAAQ,SAAS,MAAM,QAAQ,KAAM;AAClD,QAAI,SAAS,MAAM,SAAS,MAAM,QAAQ,GAAI;AAE9C,YAAQ,KAAK,QAAQ;AAErB,QAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,MAAO;AAAA,EACzD;AAEA,SAAO;AACT;AAGA,eAAsB,mBACpB,SACA,OACA,YACA,UACA,SACmC;AACnC,QAAM,KAAK,UAAU,YAAY,UAAU,OAAO;AAClD,SAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAClD;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACA,SACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,WAAW,cAAc,IAAI,YAAY,QAAQ,IAAI,cAAc,IAAI,UAAU,CAAC,EAC/F,KAAK;AAER,MAAI,WAAqB,CAAC;AAE1B,MAAI,QAAQ,iBAAiB,QAAW;AAEtC,UAAM,OAAO,QAAQ;AACrB,QAAI,YAAY,SAAS,MAAM;AAC7B,iBAAW,YAAY,MAAM,GAAG,YAAY,SAAS,IAAI;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AAEtB,eAAW,MAAM,aAAa;AAC5B,UAAI,SAAS,SAAS,EAAE,EAAG;AAC3B,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,UAAI,YAAY,SAAS,MAAM,QAAQ,YAAY;AACjD,iBAAS,KAAK,EAAE;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC;AAE3C,aAAW,MAAM,eAAe;AAC9B,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,cAAc;AACvB;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,MAAI;AAEJ,MAAI,cAAc,UAAU;AAC1B,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC;AAAA,EACxE,WAAW,YAAY;AACrB,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,UAAU,CAAC;AAAA,EAC9D,OAAO;AACL,eAAW;AAAA,EACb;AAEA,aAAW,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,SAAS;AAClB;;;AClEO,IAAM,eAAN,MAAmB;AAAA,EACxB,YACmB,QAED,WAChB;AAHiB;AAED;AAAA,EACf;AAAA,EAHgB;AAAA,EAED;AAAA;AAAA,EAIlB,WAAwB,MAAoC;AAC1D,WAAO,IAAI,kBAAqB,KAAK,QAAQ,KAAK,WAAW,IAAI;AAAA,EACnE;AACF;AAYO,IAAM,oBAAN,MAAqC;AAAA,EAC1C,YACmB,QACA,UACD,MAChB;AAHiB;AACA;AACD;AAAA,EACf;AAAA,EAHgB;AAAA,EACA;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlB,MAAM,IAAI,IAA+B;AACvC,UAAM,WAAW,MAAM,KAAK,gBAAgB,EAAE;AAC9C,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,YAAY,KAAK,OAAO,YAC1B,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,CAAC,IAC/E,SAAS;AACb,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAA0B;AAC9B,UAAM,aAAa,MAAM,kBAAkB,KAAK,OAAO,SAAS,KAAK,OAAO,MAAM,KAAK,IAAI;AAC3F,UAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,KAAK,KAAK,OAAO,MAAM,KAAK,IAAI;AAC1E,UAAM,eAAe,oBAAI,IAAY,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC;AAChE,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,cAAc;AAC7B,YAAM,MAAM,MAAM,KAAK,gBAAgB,EAAE;AACzC,UAAI,IAAK,OAAM,KAAK,EAAE;AAAA,IACxB;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,uBAAuB,OAAO,KAAK,QAAQ;AAAA,EACvD;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCA,MAAc,gBAAgB,IAA+C;AAC3E,UAAM,SAAS,KAAK,OAAO,UAAU;AACrC,QAAI,QAAQ;AACV,aAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,IACzC;AACA,WAAO,KAAK,qBAAqB,EAAE;AAAA,EACrC;AAAA,EAEA,MAAc,iBAAiB,IAAY,QAAwD;AACjG,UAAM,UAAU,MAAM,OAAO,QAAQ;AAErC,QAAI,SAA2D;AAC/D,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,eAAe,KAAK,QAAQ,EAAE,OAAO,GAAI;AAC/C,UAAI,EAAE,KAAK,KAAK,SAAU;AAK1B,UAAI,EAAE,OAAO,eAAe,EAAE,OAAO,YAAa;AAClD,eAAS,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,QAAQ;AAAA,IAC1C;AACA,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,OAAO,SAAU,QAAO;AACnC,WAAO,KAAK,YAAY,IAAI,OAAO,OAAO;AAAA,EAC5C;AAAA,EAEA,MAAc,qBAAqB,IAA+C;AAChF,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK,OAAO;AAAA,MAAS,KAAK,OAAO;AAAA,MAAM,KAAK;AAAA,MAAM;AAAA,IACpD;AACA,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,UAAM,YAAY,oBAAI,IAA+B;AACrD,eAAW,KAAK,QAAS,WAAU,IAAI,EAAE,IAAI,CAAC;AAC9C,QAAI,KAAM,WAAU,IAAI,KAAK,IAAI,IAAI;AACrC,UAAM,SAAS,CAAC,GAAG,UAAU,OAAO,CAAC,EAAE;AAAA,MAAK,CAAC,GAAG,MAC9C,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK;AAAA,IAC3C;AACA,WAAO,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,KAAK,QAAQ,KAAK;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,YAAY,IAAY,SAAoD;AACxF,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,QAAI,QAAQ,KAAK,OAAO,QAAS,QAAO;AAGxC,UAAMA,aAAY,GAAG,KAAK,IAAI,IAAI,EAAE,IAAI,OAAO,OAAO,EAAE,SAAS,IAAI,GAAG,CAAC;AACzE,WAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,YAAYA,UAAS;AAAA,EAC9E;AACF;AASA,eAAe,kBACb,SACA,OACA,YACmB;AACnB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,QAAM,SAAS,GAAG,UAAU;AAC5B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,YAAY,IAAI,YAAY,GAAG;AACrC,QAAI,aAAa,OAAO,OAAQ;AAChC,UAAM,SAAS,IAAI,MAAM,OAAO,QAAQ,SAAS;AACjD,SAAK,IAAI,MAAM;AAAA,EACjB;AACA,SAAO,CAAC,GAAG,IAAI;AACjB;;;ACxQO,SAAS,KAAK,QAAiB,QAAiB,WAAW,IAAiB;AACjF,QAAM,UAAuB,CAAC;AAG9B,MAAI,WAAW,OAAQ,QAAO;AAG9B,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,SAAS,IAAI,OAAO,CAAC;AAAA,EACnE;AACA,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,OAAO,CAAC;AAAA,EACvE;AAGA,MAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,MAAM,QAAQ,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAG;AAClD,UAAM,SAAS,KAAK,IAAI,OAAO,QAAQ,OAAO,MAAM;AACpD,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,YAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC;AAChD,UAAI,KAAK,OAAO,QAAQ;AACtB,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,EAAE,CAAC;AAAA,MACxD,WAAW,KAAK,OAAO,QAAQ;AAC7B,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,OAAO,CAAC,EAAE,CAAC;AAAA,MAC5D,OAAO;AACL,gBAAQ,KAAK,GAAG,KAAK,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAAA,MAC/C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY;AAClB,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,SAAS,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC;AAE9E,aAAW,OAAO,SAAS;AACzB,UAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,GAAG,KAAK;AAC5C,QAAI,EAAE,OAAO,YAAY;AACvB,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,UAAU,GAAG,EAAE,CAAC;AAAA,IAC7D,WAAW,EAAE,OAAO,YAAY;AAC9B,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,UAAU,GAAG,EAAE,CAAC;AAAA,IACjE,OAAO;AACL,cAAQ,KAAK,GAAG,KAAK,UAAU,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AACT;AAGO,SAAS,WAAW,SAA8B;AACvD,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,SAAO,QAAQ,IAAI,OAAK;AACtB,YAAQ,EAAE,MAAM;AAAA,MACd,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,MAC7C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,MAC/C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC,WAAM,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,IAC3E;AAAA,EACF,CAAC,EAAE,KAAK,IAAI;AACd;","names":["historyId"]}