@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.10

package/dist/chunk-5IXJGFF2.js

@@ -0,0 +1,83 @@
+import {
+  ATTESTATIONS_COLLECTION,
+  REVOKED_RECORD_ID,
+  loadOrCreateSigner
+} from "./chunk-HHOO7HGH.js";
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-WIRRPTFH.js";
+import {
+  decrypt,
+  encrypt
+} from "./chunk-R233SLY3.js";
+import {
+  AttestationError,
+  ConflictError
+} from "./chunk-O6EJ6WTI.js";
+
+// src/attestation/revoke.ts
+import { signRevocationList } from "@noy-db/attestation";
+function requireOwner(ctx, op) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`${op} requires the 'owner' role; caller is '${ctx.role}'. Revocation is the firm's identity operation.`);
+  }
+}
+async function readSet(store, vault, dek) {
+  const env = await store.get(vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID);
+  if (!env) return { docIds: /* @__PURE__ */ new Set(), version: void 0 };
+  const set = JSON.parse(await decrypt(env._iv, env._data, dek));
+  return { docIds: new Set(set.docIds), version: env._v };
+}
+async function mutateSet(ctx, mutate) {
+  const dek = await ctx.getDEK();
+  for (let attempt = 0; attempt < 2; attempt++) {
+    const { docIds, version } = await readSet(ctx.store, ctx.vault, dek);
+    mutate(docIds);
+    const payload = { docIds: [...docIds].sort(), updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+    const { iv, data } = await encrypt(JSON.stringify(payload), dek);
+    const expectedVersion = version ?? 0;
+    const env = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: expectedVersion + 1,
+      _ts: payload.updatedAt,
+      _iv: iv,
+      _data: data
+    };
+    try {
+      await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID, env, expectedVersion);
+      return;
+    } catch (e) {
+      if (e instanceof ConflictError && attempt === 0) continue;
+      throw e;
+    }
+  }
+}
+async function revokeDocCore(ctx, docId) {
+  requireOwner(ctx, "revokeAttestation");
+  const issued = await ctx.store.get(ctx.vault, ATTESTATIONS_COLLECTION, docId);
+  if (!issued) throw new AttestationError(`revokeAttestation: attestation '${docId}' not found (was it issued by this vault?).`);
+  await mutateSet(ctx, (ids) => ids.add(docId));
+}
+async function unrevokeDocCore(ctx, docId) {
+  requireOwner(ctx, "unrevokeAttestation");
+  await mutateSet(ctx, (ids) => ids.delete(docId));
+}
+async function getRevokedDocIdsCore(ctx) {
+  const dek = await ctx.getDEK();
+  const { docIds } = await readSet(ctx.store, ctx.vault, dek);
+  return [...docIds].sort();
+}
+async function publishRevocationListCore(ctx) {
+  requireOwner(ctx, "publishRevocationList");
+  const docIds = await getRevokedDocIdsCore(ctx);
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => ctx.getDEK());
+  return signRevocationList(docIds, (/* @__PURE__ */ new Date()).toISOString(), signer.keyId, signer.privateKeyPkcs8B64);
+}
+
+export {
+  revokeDocCore,
+  unrevokeDocCore,
+  getRevokedDocIdsCore,
+  publishRevocationListCore
+};
+//# sourceMappingURL=chunk-5IXJGFF2.js.map

package/dist/chunk-5IXJGFF2.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/attestation/revoke.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { AttestationError, ConflictError } from '../errors.js'\nimport { loadOrCreateSigner, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID } from './signer.js'\nimport { signRevocationList, type RevocationList } from '@noy-db/attestation'\n\n/** Everything the revoke core needs from the Vault, injected for testability. */\nexport interface RevokeContext {\n  readonly store: NoydbStore\n  readonly vault: string\n  readonly role: string\n  /** The _attestations collection DEK. */\n  getDEK(): Promise<CryptoKey>\n}\n\ninterface RevokedSet {\n  docIds: string[]\n  updatedAt: string\n}\n\nfunction requireOwner(ctx: RevokeContext, op: string): void {\n  if (ctx.role !== 'owner') {\n    throw new AttestationError(`${op} requires the 'owner' role; caller is '${ctx.role}'. Revocation is the firm's identity operation.`)\n  }\n}\n\nasync function readSet(store: NoydbStore, vault: string, dek: CryptoKey): Promise<{ docIds: Set<string>; version: number | undefined }> {\n  const env = await store.get(vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID)\n  if (!env) return { docIds: new Set<string>(), version: undefined }\n  const set = JSON.parse(await decrypt(env._iv, env._data, dek)) as RevokedSet\n  return { docIds: new Set(set.docIds), version: env._v }\n}\n\n/** Read-modify-write the _revoked set with optimistic concurrency + one retry. */\nasync function mutateSet(ctx: RevokeContext, mutate: (ids: Set<string>) => void): Promise<void> {\n  const dek = await ctx.getDEK()\n  for (let attempt = 0; attempt < 2; attempt++) {\n    const { docIds, version } = await readSet(ctx.store, ctx.vault, dek)\n    mutate(docIds)\n    const payload: RevokedSet = { docIds: [...docIds].sort(), updatedAt: new Date().toISOString() }\n    const { iv, data } = await encrypt(JSON.stringify(payload), dek)\n    const expectedVersion = version ?? 0\n    const env: EncryptedEnvelope = {\n      _noydb: NOYDB_FORMAT_VERSION, _v: expectedVersion + 1, _ts: payload.updatedAt, _iv: iv, _data: data,\n    }\n    try {\n      await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID, env, expectedVersion)\n      return\n    } catch (e) {\n      if (e instanceof ConflictError && attempt === 0) continue\n      throw e\n    }\n  }\n}\n\nexport async function revokeDocCore(ctx: RevokeContext, docId: string): Promise<void> {\n  requireOwner(ctx, 'revokeAttestation')\n  const issued = await ctx.store.get(ctx.vault, ATTESTATIONS_COLLECTION, docId)\n  if (!issued) throw new AttestationError(`revokeAttestation: attestation '${docId}' not found (was it issued by this vault?).`)\n  await mutateSet(ctx, (ids) => ids.add(docId))\n}\n\nexport async function unrevokeDocCore(ctx: RevokeContext, docId: string): Promise<void> {\n  requireOwner(ctx, 'unrevokeAttestation')\n  await mutateSet(ctx, (ids) => ids.delete(docId))\n}\n\nexport async function getRevokedDocIdsCore(ctx: RevokeContext): Promise<string[]> {\n  const dek = await ctx.getDEK()\n  const { docIds } = await readSet(ctx.store, ctx.vault, dek)\n  return [...docIds].sort()\n}\n\nexport async function publishRevocationListCore(ctx: RevokeContext): Promise<RevocationList> {\n  requireOwner(ctx, 'publishRevocationList')\n  const docIds = await getRevokedDocIdsCore(ctx)\n  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => ctx.getDEK())\n  return signRevocationList(docIds, new Date().toISOString(), signer.keyId, signer.privateKeyPkcs8B64)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAKA,SAAS,0BAA+C;AAgBxD,SAAS,aAAa,KAAoB,IAAkB;AAC1D,MAAI,IAAI,SAAS,SAAS;AACxB,UAAM,IAAI,iBAAiB,GAAG,EAAE,0CAA0C,IAAI,IAAI,iDAAiD;AAAA,EACrI;AACF;AAEA,eAAe,QAAQ,OAAmB,OAAe,KAA+E;AACtI,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,yBAAyB,iBAAiB;AAC7E,MAAI,CAAC,IAAK,QAAO,EAAE,QAAQ,oBAAI,IAAY,GAAG,SAAS,OAAU;AACjE,QAAM,MAAM,KAAK,MAAM,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,GAAG,CAAC;AAC7D,SAAO,EAAE,QAAQ,IAAI,IAAI,IAAI,MAAM,GAAG,SAAS,IAAI,GAAG;AACxD;AAGA,eAAe,UAAU,KAAoB,QAAmD;AAC9F,QAAM,MAAM,MAAM,IAAI,OAAO;AAC7B,WAAS,UAAU,GAAG,UAAU,GAAG,WAAW;AAC5C,UAAM,EAAE,QAAQ,QAAQ,IAAI,MAAM,QAAQ,IAAI,OAAO,IAAI,OAAO,GAAG;AACnE,WAAO,MAAM;AACb,UAAM,UAAsB,EAAE,QAAQ,CAAC,GAAG,MAAM,EAAE,KAAK,GAAG,YAAW,oBAAI,KAAK,GAAE,YAAY,EAAE;AAC9F,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,OAAO,GAAG,GAAG;AAC/D,UAAM,kBAAkB,WAAW;AACnC,UAAM,MAAyB;AAAA,MAC7B,QAAQ;AAAA,MAAsB,IAAI,kBAAkB;AAAA,MAAG,KAAK,QAAQ;AAAA,MAAW,KAAK;AAAA,MAAI,OAAO;AAAA,IACjG;AACA,QAAI;AACF,YAAM,IAAI,MAAM,IAAI,IAAI,OAAO,yBAAyB,mBAAmB,KAAK,eAAe;AAC/F;AAAA,IACF,SAAS,GAAG;AACV,UAAI,aAAa,iBAAiB,YAAY,EAAG;AACjD,YAAM;AAAA,IACR;AAAA,EACF;AACF;AAEA,eAAsB,cAAc,KAAoB,OAA8B;AACpF,eAAa,KAAK,mBAAmB;AACrC,QAAM,SAAS,MAAM,IAAI,MAAM,IAAI,IAAI,OAAO,yBAAyB,KAAK;AAC5E,MAAI,CAAC,OAAQ,OAAM,IAAI,iBAAiB,mCAAmC,KAAK,6CAA6C;AAC7H,QAAM,UAAU,KAAK,CAAC,QAAQ,IAAI,IAAI,KAAK,CAAC;AAC9C;AAEA,eAAsB,gBAAgB,KAAoB,OAA8B;AACtF,eAAa,KAAK,qBAAqB;AACvC,QAAM,UAAU,KAAK,CAAC,QAAQ,IAAI,OAAO,KAAK,CAAC;AACjD;AAEA,eAAsB,qBAAqB,KAAuC;AAChF,QAAM,MAAM,MAAM,IAAI,OAAO;AAC7B,QAAM,EAAE,OAAO,IAAI,MAAM,QAAQ,IAAI,OAAO,IAAI,OAAO,GAAG;AAC1D,SAAO,CAAC,GAAG,MAAM,EAAE,KAAK;AAC1B;AAEA,eAAsB,0BAA0B,KAA6C;AAC3F,eAAa,KAAK,uBAAuB;AACzC,QAAM,SAAS,MAAM,qBAAqB,GAAG;AAC7C,QAAM,SAAS,MAAM,mBAAmB,IAAI,OAAO,IAAI,OAAO,MAAM,IAAI,OAAO,CAAC;AAChF,SAAO,mBAAmB,SAAQ,oBAAI,KAAK,GAAE,YAAY,GAAG,OAAO,OAAO,OAAO,kBAAkB;AACrG;","names":[]}

package/dist/{chunk-HB3Z2GCR.js → chunk-5OEJ6GOT.js}

@@ -1,7 +1,7 @@
 import {
   DerivationCapExceededError,
   DerivationOutputShapeError
-} from "./chunk-ADQ5MQ54.js";
+} from "./chunk-O6EJ6WTI.js";
 
 // src/derivations/executor.ts
 var DerivationExecutor = {
@@ -121,4 +121,4 @@ var DerivationExecutor = {
 export {
   DerivationExecutor
 };
-//# sourceMappingURL=chunk-HB3Z2GCR.js.map
+//# sourceMappingURL=chunk-5OEJ6GOT.js.map

package/dist/chunk-5OEJ6GOT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/executor.ts"],"sourcesContent":["import { DerivationCapExceededError, DerivationOutputShapeError } from '../errors.js'\nimport type { DerivationContext, DerivationStrategy, DerivedFromMeta } from './types.js'\n\nexport interface RunResult {\n  outputs: Record<string, OutputResult>\n  failed: boolean\n}\n\n/**\n * Per-output result of a strategy invocation. Discriminated by\n * `kind`:\n *\n * - `record` — the existing v1 shape: one value (or a \"skipped\"\n *   marker if the output was optional and `derive` returned null).\n * - `array` — a list of `(key, value)` entries.\n *   The caller diffs these against the previously-emitted key set\n *   (loaded from the fanout sidecar) to compute deletes + upserts.\n */\nexport type OutputResult =\n  | RecordOutputResult\n  | ArrayOutputResult\n  | FailedOutputResult\n\nexport interface RecordOutputResult {\n  kind: 'record'\n  value: Record<string, unknown>\n  ok: true\n  /**\n   * `true` when an optional output returned `null` /\n   * `undefined`. The caller deletes any previously-emitted output at\n   * the same id (mirrors \"tombstone for derived data\"); a never-emitted\n   * output is a silent no-op. `ok: true` because skipping is a\n   * successful outcome, not a failure.\n   */\n  skipped?: boolean\n}\n\nexport interface ArrayOutputResult {\n  kind: 'array'\n  ok: true\n  /** One `(key, value)` per derived row. Empty array means \"all prior outputs for this source go.\" */\n  entries: ReadonlyArray<{ readonly key: string; readonly value: Record<string, unknown> }>\n}\n\nexport interface FailedOutputResult {\n  kind: 'failed'\n  ok: false\n  error: Error\n  /** Always empty on failure; present so consumers don't have to narrow. */\n  value: Record<string, unknown>\n}\n\n/**\n * Stateless functions that execute a derivation strategy. Persistence\n * (encrypt + store.put) is the caller's job — typically\n * `DerivationRegistry.onSourceWrite` which iterates run() results and\n * writes each output via `Collection.put`.\n */\nexport const DerivationExecutor = {\n  /**\n   * Run `derive` once, validate output shape against the spec, stamp\n   * `_derivedFrom` onto every output. Returns per-output success or\n   * failure; throws only for shape mismatches (a contract violation).\n   */\n  async run<\n    TSource extends Record<string, unknown>,\n    TOutputs extends Record<string, Record<string, unknown>>,\n  >(\n    strategy: DerivationStrategy<TSource, TOutputs>,\n    source: TSource & { id: string },\n    sourceVersion: number,\n    strategyHash: string,\n    ctx: DerivationContext,\n  ): Promise<RunResult> {\n    const outputs: Record<string, OutputResult> = {}\n    let derived: Partial<TOutputs>\n\n    try {\n      derived = await Promise.resolve(strategy.derive(source as TSource, ctx))\n    } catch (err) {\n      for (const key of Object.keys(strategy.outputs)) {\n        outputs[key] = {\n          kind: 'failed',\n          value: {},\n          ok: false,\n          error: err instanceof Error ? err : new Error(String(err)),\n        }\n      }\n      return { outputs, failed: true }\n    }\n\n    const meta: DerivedFromMeta = {\n      source: strategy.source,\n      sourceId: source.id,\n      sourceVersion,\n      derivedAt: new Date().toISOString(),\n      strategyHash,\n    }\n\n    for (const key of Object.keys(strategy.outputs)) {\n      const outSpec = strategy.outputs[key]\n      if (!outSpec) continue\n      const value = (derived as Record<string, unknown>)[key]\n\n      // ── Array-shape branch ─────────────────────────────────────\n      if (outSpec.shape === 'array') {\n        if (value === undefined || value === null) {\n          // Treat null/undefined as \"empty array\" — clears all prior\n          // outputs for this (source, output) pair. The caller's\n          // diff turns that into deletes.\n          outputs[key] = { kind: 'array', ok: true, entries: [] }\n          continue\n        }\n        if (!Array.isArray(value)) {\n          throw new DerivationOutputShapeError(\n            key,\n            `shape 'array' expects an array, got ${typeof value}`,\n          )\n        }\n        const maxFanout = outSpec.maxFanout ?? 64\n        if (value.length > maxFanout) {\n          throw new DerivationCapExceededError(key, value.length, maxFanout)\n        }\n        const entries: Array<{ key: string; value: Record<string, unknown> }> = []\n        const seenKeys = new Set<string>()\n        for (let i = 0; i < value.length; i++) {\n          const row = value[i] as unknown\n          if (row === null || typeof row !== 'object') {\n            throw new DerivationOutputShapeError(\n              key,\n              `array member at index ${i} must be a non-null object (got ${row === null ? 'null' : typeof row})`,\n            )\n          }\n          let derivedKey: string\n          try {\n            derivedKey = outSpec.key(row as Record<string, unknown>)\n          } catch (err) {\n            throw new DerivationOutputShapeError(\n              key,\n              `key extractor threw on array member at index ${i}: `\n              + (err instanceof Error ? err.message : String(err)),\n            )\n          }\n          if (typeof derivedKey !== 'string' || derivedKey.length === 0) {\n            throw new DerivationOutputShapeError(\n              key,\n              `key extractor returned ${typeof derivedKey === 'string' ? 'empty string' : typeof derivedKey} at index ${i}; expected non-empty string`,\n            )\n          }\n          if (seenKeys.has(derivedKey)) {\n            throw new DerivationOutputShapeError(\n              key,\n              `duplicate key \"${derivedKey}\" in array output (index ${i}); each derived row must have a unique key within a single derive() invocation`,\n            )\n          }\n          seenKeys.add(derivedKey)\n          entries.push({\n            key: derivedKey,\n            value: { ...(row as Record<string, unknown>), _derivedFrom: meta },\n          })\n        }\n        outputs[key] = { kind: 'array', ok: true, entries }\n        continue\n      }\n\n      // ── Record-shape branch (existing v1 behavior) ─────────────\n      if (value === undefined || value === null) {\n        if (outSpec.optional === true) {\n          // Optional output explicitly skipped. Mark for caller\n          // so any prior-emitted output at this id can be deleted.\n          outputs[key] = { kind: 'record', value: {}, ok: true, skipped: true }\n          continue\n        }\n        throw new DerivationOutputShapeError(\n          key,\n          `expected object, got ${value === undefined ? 'undefined' : 'null'}`,\n        )\n      }\n      if (typeof value !== 'object') {\n        throw new DerivationOutputShapeError(\n          key,\n          `expected object, got ${typeof value}`,\n        )\n      }\n      outputs[key] = {\n        kind: 'record',\n        value: { ...(value as Record<string, unknown>), _derivedFrom: meta },\n        ok: true,\n      }\n    }\n    return { outputs, failed: false }\n  },\n}\n"],"mappings":";;;;;;AA0DO,IAAM,qBAAqB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMhC,MAAM,IAIJ,UACA,QACA,eACA,cACA,KACoB;AACpB,UAAM,UAAwC,CAAC;AAC/C,QAAI;AAEJ,QAAI;AACF,gBAAU,MAAM,QAAQ,QAAQ,SAAS,OAAO,QAAmB,GAAG,CAAC;AAAA,IACzE,SAAS,KAAK;AACZ,iBAAW,OAAO,OAAO,KAAK,SAAS,OAAO,GAAG;AAC/C,gBAAQ,GAAG,IAAI;AAAA,UACb,MAAM;AAAA,UACN,OAAO,CAAC;AAAA,UACR,IAAI;AAAA,UACJ,OAAO,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,QAC3D;AAAA,MACF;AACA,aAAO,EAAE,SAAS,QAAQ,KAAK;AAAA,IACjC;AAEA,UAAM,OAAwB;AAAA,MAC5B,QAAQ,SAAS;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,IACF;AAEA,eAAW,OAAO,OAAO,KAAK,SAAS,OAAO,GAAG;AAC/C,YAAM,UAAU,SAAS,QAAQ,GAAG;AACpC,UAAI,CAAC,QAAS;AACd,YAAM,QAAS,QAAoC,GAAG;AAGtD,UAAI,QAAQ,UAAU,SAAS;AAC7B,YAAI,UAAU,UAAa,UAAU,MAAM;AAIzC,kBAAQ,GAAG,IAAI,EAAE,MAAM,SAAS,IAAI,MAAM,SAAS,CAAC,EAAE;AACtD;AAAA,QACF;AACA,YAAI,CAAC,MAAM,QAAQ,KAAK,GAAG;AACzB,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,uCAAuC,OAAO,KAAK;AAAA,UACrD;AAAA,QACF;AACA,cAAM,YAAY,QAAQ,aAAa;AACvC,YAAI,MAAM,SAAS,WAAW;AAC5B,gBAAM,IAAI,2BAA2B,KAAK,MAAM,QAAQ,SAAS;AAAA,QACnE;AACA,cAAM,UAAkE,CAAC;AACzE,cAAM,WAAW,oBAAI,IAAY;AACjC,iBAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,gBAAM,MAAM,MAAM,CAAC;AACnB,cAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,yBAAyB,CAAC,mCAAmC,QAAQ,OAAO,SAAS,OAAO,GAAG;AAAA,YACjG;AAAA,UACF;AACA,cAAI;AACJ,cAAI;AACF,yBAAa,QAAQ,IAAI,GAA8B;AAAA,UACzD,SAAS,KAAK;AACZ,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,gDAAgD,CAAC,QAC9C,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,YACpD;AAAA,UACF;AACA,cAAI,OAAO,eAAe,YAAY,WAAW,WAAW,GAAG;AAC7D,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,0BAA0B,OAAO,eAAe,WAAW,iBAAiB,OAAO,UAAU,aAAa,CAAC;AAAA,YAC7G;AAAA,UACF;AACA,cAAI,SAAS,IAAI,UAAU,GAAG;AAC5B,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,kBAAkB,UAAU,4BAA4B,CAAC;AAAA,YAC3D;AAAA,UACF;AACA,mBAAS,IAAI,UAAU;AACvB,kBAAQ,KAAK;AAAA,YACX,KAAK;AAAA,YACL,OAAO,EAAE,GAAI,KAAiC,cAAc,KAAK;AAAA,UACnE,CAAC;AAAA,QACH;AACA,gBAAQ,GAAG,IAAI,EAAE,MAAM,SAAS,IAAI,MAAM,QAAQ;AAClD;AAAA,MACF;AAGA,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,YAAI,QAAQ,aAAa,MAAM;AAG7B,kBAAQ,GAAG,IAAI,EAAE,MAAM,UAAU,OAAO,CAAC,GAAG,IAAI,MAAM,SAAS,KAAK;AACpE;AAAA,QACF;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,wBAAwB,UAAU,SAAY,cAAc,MAAM;AAAA,QACpE;AAAA,MACF;AACA,UAAI,OAAO,UAAU,UAAU;AAC7B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,wBAAwB,OAAO,KAAK;AAAA,QACtC;AAAA,MACF;AACA,cAAQ,GAAG,IAAI;AAAA,QACb,MAAM;AAAA,QACN,OAAO,EAAE,GAAI,OAAmC,cAAc,KAAK;AAAA,QACnE,IAAI;AAAA,MACN;AAAA,IACF;AACA,WAAO,EAAE,SAAS,QAAQ,MAAM;AAAA,EAClC;AACF;","names":[]}

package/dist/chunk-5OX6XVNS.js

@@ -0,0 +1,79 @@
+import {
+  ensureCollectionDEK
+} from "./chunk-HQSQC2XL.js";
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-WIRRPTFH.js";
+import {
+  decrypt,
+  encrypt
+} from "./chunk-R233SLY3.js";
+import {
+  PermissionDeniedError
+} from "./chunk-O6EJ6WTI.js";
+
+// src/team/sync-credentials.ts
+var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
+function requireAdminAccess(keyring) {
+  if (keyring.role !== "owner" && keyring.role !== "admin") {
+    throw new PermissionDeniedError(
+      `Sync credentials require owner or admin role. Current role: "${keyring.role}"`
+    );
+  }
+}
+async function putCredential(adapter, vault, keyring, credential) {
+  requireAdminAccess(keyring);
+  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
+  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
+  const { iv, data } = await encrypt(JSON.stringify(credential), dek);
+  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId);
+  const version = existing ? existing._v + 1 : 1;
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: version,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data,
+    _by: keyring.userId
+  };
+  await adapter.put(
+    vault,
+    SYNC_CREDENTIALS_COLLECTION,
+    credential.adapterId,
+    envelope,
+    existing ? existing._v : void 0
+  );
+}
+async function getCredential(adapter, vault, keyring, adapterId) {
+  requireAdminAccess(keyring);
+  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
+  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
+  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
+  if (!envelope) return null;
+  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+  return JSON.parse(plaintext);
+}
+async function deleteCredential(adapter, vault, keyring, adapterId) {
+  requireAdminAccess(keyring);
+  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
+}
+async function listCredentials(adapter, vault, keyring) {
+  requireAdminAccess(keyring);
+  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION);
+}
+async function credentialStatus(adapter, vault, keyring, adapterId) {
+  const credential = await getCredential(adapter, vault, keyring, adapterId);
+  if (!credential) return { exists: false };
+  const expired = credential.expiresAt ? Date.now() > new Date(credential.expiresAt).getTime() : false;
+  return { exists: true, expired };
+}
+
+export {
+  SYNC_CREDENTIALS_COLLECTION,
+  putCredential,
+  getCredential,
+  deleteCredential,
+  listCredentials,
+  credentialStatus
+};
+//# sourceMappingURL=chunk-5OX6XVNS.js.map

package/dist/chunk-5OX6XVNS.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/sync-credentials.ts"],"sourcesContent":["/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../errors.js'\n\n/** The reserved collection name. Never collides with user collections. */\nexport const SYNC_CREDENTIALS_COLLECTION = '_sync_credentials'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n  /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n  readonly adapterId: string\n  /** OAuth token type, usually 'Bearer'. */\n  readonly tokenType: string\n  /** The access token. Expires at `expiresAt` if set. */\n  readonly accessToken: string\n  /** Long-lived refresh token for renewing the access token. */\n  readonly refreshToken?: string\n  /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n  readonly expiresAt?: string\n  /** Space-separated OAuth scopes. */\n  readonly scopes?: string\n  /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n  readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n  if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n    throw new PermissionDeniedError(\n      `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n    )\n  }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  credential: SyncCredential,\n): Promise<void> {\n  requireAdminAccess(keyring)\n\n  const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n  const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n  const version = existing ? existing._v + 1 : 1\n\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: version,\n    _ts: new Date().toISOString(),\n    _iv: iv,\n    _data: data,\n    _by: keyring.userId,\n  }\n\n  await adapter.put(\n    vault,\n    SYNC_CREDENTIALS_COLLECTION,\n    credential.adapterId,\n    envelope,\n    existing ? existing._v : undefined,\n  )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<SyncCredential | null> {\n  requireAdminAccess(keyring)\n\n  const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n  if (!envelope) return null\n\n  const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n  return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<void> {\n  requireAdminAccess(keyring)\n  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<string[]> {\n  requireAdminAccess(keyring)\n  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n  const credential = await getCredential(adapter, vault, keyring, adapterId)\n  if (!credential) return { exists: false }\n\n  const expired = credential.expiresAt\n    ? Date.now() > new Date(credential.expiresAt).getTime()\n    : false\n\n  return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+CO,IAAM,8BAA8B;AA8B3C,SAAS,mBAAmB,SAAgC;AAC1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}

package/dist/{chunk-VMIO4IXG.js → chunk-6EOXTJS2.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-WIRRPTFH.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -10,11 +10,11 @@ import {
   encryptBytesWithAAD,
   hmacSha256Hex,
   sha256Hex
-} from "./chunk-WCA2NROQ.js";
+} from "./chunk-R233SLY3.js";
 import {
   ConflictError,
   NotFoundError
-} from "./chunk-ADQ5MQ54.js";
+} from "./chunk-O6EJ6WTI.js";
 
 // src/blobs/mime-magic.ts
 function hex(s) {
@@ -820,7 +820,7 @@ var BlobSet = class {
       return this.buildResponse(slot, result.blob, { inline: true });
     }
     const aad = chunkAAD(slot.eTag, 0, result.blob.chunkCount);
-    const { decryptBytesWithAAD: decryptAAD } = await import("./crypto-A7FRXYHC.js");
+    const { decryptBytesWithAAD: decryptAAD } = await import("./crypto-2CRLG4F4.js");
     const decrypted = await decryptAAD(envelope._iv, envelope._data, blobDEK, aad);
     const plaintext = result.blob.compression === "gzip" ? await decompressBytes(decrypted) : decrypted;
     const body = new ReadableStream({
@@ -871,224 +871,6 @@ async function plainSha256Hex(data) {
   return sha256Hex(data);
 }
 
-// src/blobs/export-blobs.ts
-var ExportBlobsAbortedError = class extends Error {
-  constructor(reason) {
-    super(`exportBlobs aborted: ${reason}`);
-    this.name = "ExportBlobsAbortedError";
-  }
-};
-var EXPORT_AUDIT_COLLECTION = "_export_audit";
-function createExportBlobsHandle(actor, listAccessibleCollections, getCollection, writeAudit, options) {
-  let aborted = false;
-  const abort = () => {
-    aborted = true;
-  };
-  if (options.signal) {
-    if (options.signal.aborted) aborted = true;
-    options.signal.addEventListener("abort", () => {
-      aborted = true;
-    });
-  }
-  function assertLive() {
-    if (aborted) throw new ExportBlobsAbortedError("aborted by caller");
-  }
-  const allowlist = options.collections ? new Set(options.collections) : null;
-  let auditPromise = null;
-  function writeAuditOnce() {
-    if (!auditPromise) {
-      auditPromise = writeAudit({
-        id: generateBatchId(),
-        mechanism: "exportBlobs",
-        actor,
-        startedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        collections: options.collections ?? null,
-        predicate: Boolean(options.where),
-        afterBlobId: options.afterBlobId ?? null
-      });
-    }
-    return auditPromise;
-  }
-  async function* generate() {
-    await writeAuditOnce();
-    assertLive();
-    const allCollections = await listAccessibleCollections();
-    const targets = allCollections.filter((name) => {
-      if (name.startsWith("_")) return false;
-      if (allowlist && !allowlist.has(name)) return false;
-      return true;
-    });
-    let resumeCursorHit = options.afterBlobId === void 0;
-    for (const collectionName of targets) {
-      if (aborted) return;
-      const coll = getCollection(collectionName);
-      const records = await coll.list().catch(() => []);
-      for (const record of records) {
-        if (aborted) return;
-        assertLive();
-        const idField = record.id;
-        if (typeof idField !== "string") continue;
-        if (options.where && !options.where(record, { collection: collectionName, id: idField })) continue;
-        const blobSet = coll.blob(idField);
-        const slots = await blobSet.list().catch(() => []);
-        for (const slot of slots) {
-          if (aborted) return;
-          if (!resumeCursorHit) {
-            if (slot.eTag === options.afterBlobId) {
-              resumeCursorHit = true;
-            }
-            continue;
-          }
-          const bytes = await blobSet.get(slot.name);
-          if (!bytes) continue;
-          const item = {
-            blobId: slot.eTag,
-            recordRef: { collection: collectionName, id: idField, slot: slot.name },
-            bytes,
-            meta: {
-              size: slot.size,
-              filename: slot.filename,
-              ...slot.mimeType !== void 0 && { mimeType: slot.mimeType },
-              ...slot.uploadedAt !== void 0 && { createdAt: slot.uploadedAt }
-            }
-          };
-          yield item;
-        }
-      }
-    }
-  }
-  const handle = {
-    abort,
-    get aborted() {
-      return aborted;
-    },
-    [Symbol.asyncIterator]: () => generate()
-  };
-  return handle;
-}
-function generateBatchId() {
-  const raw = globalThis.crypto.getRandomValues(new Uint8Array(16));
-  let s = "";
-  for (const b of raw) s += b.toString(16).padStart(2, "0");
-  return `batch-${Date.now().toString(36)}-${s.slice(0, 12)}`;
-}
-
-// src/blobs/blob-compaction.ts
-var BLOB_EVICTION_AUDIT_COLLECTION = "_blob_eviction_audit";
-async function runCompaction(ctx, options = {}) {
-  const now = options.now ?? /* @__PURE__ */ new Date();
-  const maxEvictions = options.maxEvictions ?? Infinity;
-  const dryRun = options.dryRun === true;
-  const allCollections = await ctx.listCollections();
-  const byCollection = {};
-  let evicted = 0;
-  let records = 0;
-  let auditEntries = 0;
-  let collectionsWithPolicy = 0;
-  outer: for (const collectionName of allCollections) {
-    if (collectionName.startsWith("_")) continue;
-    const config = ctx.getBlobFields(collectionName);
-    if (!config) continue;
-    const configuredSlots = Object.keys(config);
-    if (configuredSlots.length === 0) continue;
-    collectionsWithPolicy += 1;
-    byCollection[collectionName] = { records: 0, evicted: 0 };
-    const ids = await ctx.listRecords(collectionName);
-    for (const recordId of ids) {
-      if (evicted >= maxEvictions) break outer;
-      const record = await ctx.getRecord(collectionName, recordId).catch(() => null);
-      if (record === null) continue;
-      records += 1;
-      byCollection[collectionName].records += 1;
-      const slots = await ctx.listSlots(collectionName, recordId).catch(() => []);
-      for (const slot of slots) {
-        if (evicted >= maxEvictions) break outer;
-        const policy = config[slot.name];
-        if (!policy) continue;
-        const reason = evaluatePolicy(policy, record, slot, now);
-        if (!reason) continue;
-        if (!dryRun) {
-          await ctx.deleteSlot(collectionName, recordId, slot.name);
-          await writeAuditEntry(ctx, {
-            id: generateEvictionId(collectionName, recordId, slot.name),
-            collection: collectionName,
-            recordId,
-            slotName: slot.name,
-            blobHash: slot.eTag,
-            reason,
-            evictedAt: now.toISOString(),
-            actor: ctx.actor
-          });
-          auditEntries += 1;
-        }
-        evicted += 1;
-        byCollection[collectionName].evicted += 1;
-      }
-    }
-  }
-  return {
-    evicted,
-    records,
-    collections: collectionsWithPolicy,
-    auditEntries,
-    byCollection
-  };
-}
-function evaluatePolicy(policy, record, slot, now) {
-  let ttlTriggered = false;
-  let predicateTriggered = false;
-  if (policy.retainDays !== void 0 && policy.retainDays > 0) {
-    const uploadedAt = Date.parse(slot.uploadedAt);
-    if (Number.isFinite(uploadedAt)) {
-      const ageMs = now.getTime() - uploadedAt;
-      const limitMs = policy.retainDays * 864e5;
-      if (ageMs > limitMs) ttlTriggered = true;
-    }
-  }
-  if (policy.evictWhen) {
-    try {
-      if (policy.evictWhen(record)) predicateTriggered = true;
-    } catch {
-    }
-  }
-  if (ttlTriggered && predicateTriggered) return "both";
-  if (ttlTriggered) return "ttl";
-  if (predicateTriggered) return "predicate";
-  return null;
-}
-function generateEvictionId(collection, recordId, slotName) {
-  const rand = globalThis.crypto.getRandomValues(new Uint8Array(8));
-  let suffix = "";
-  for (const b of rand) suffix += b.toString(16).padStart(2, "0");
-  return `${collection}__${recordId}__${slotName}__${suffix}`;
-}
-async function writeAuditEntry(ctx, entry) {
-  const json = JSON.stringify(entry);
-  let envelope;
-  if (ctx.encrypted) {
-    const dek = await ctx.getDEK(BLOB_EVICTION_AUDIT_COLLECTION);
-    const { iv, data } = await encrypt(json, dek);
-    envelope = {
-      _noydb: NOYDB_FORMAT_VERSION,
-      _v: 1,
-      _ts: entry.evictedAt,
-      _iv: iv,
-      _data: data,
-      _by: entry.actor
-    };
-  } else {
-    envelope = {
-      _noydb: NOYDB_FORMAT_VERSION,
-      _v: 1,
-      _ts: entry.evictedAt,
-      _iv: "",
-      _data: json,
-      _by: entry.actor
-    };
-  }
-  await ctx.adapter.put(ctx.vault, BLOB_EVICTION_AUDIT_COLLECTION, entry.id, envelope);
-}
-
 export {
   detectMimeType,
   detectMagic,
@@ -1099,11 +881,6 @@ export {
   BLOB_SLOTS_PREFIX,
   BLOB_VERSIONS_PREFIX,
   DEFAULT_CHUNK_SIZE,
-  BlobSet,
-  ExportBlobsAbortedError,
-  EXPORT_AUDIT_COLLECTION,
-  createExportBlobsHandle,
-  BLOB_EVICTION_AUDIT_COLLECTION,
-  runCompaction
+  BlobSet
 };
-//# sourceMappingURL=chunk-VMIO4IXG.js.map
+//# sourceMappingURL=chunk-6EOXTJS2.js.map