@noy-db/hub 0.2.0-pre.15 → 0.2.0-pre.17

package/dist/{chunk-TS26M2SB.js → chunk-M476FOQ7.js}

@@ -2,7 +2,7 @@ import {
   OverlayBaseIsVirtualError,
   OverlayCollectionUnavailableError,
   OverlayNameCollisionError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/overlay-views/registry.ts
 var OverlayedViewRegistry = class {
@@ -68,4 +68,4 @@ var OverlayedViewRegistry = class {
 export {
   OverlayedViewRegistry
 };
-//# sourceMappingURL=chunk-TS26M2SB.js.map
+//# sourceMappingURL=chunk-M476FOQ7.js.map

package/dist/{chunk-F4OJZIWQ.js → chunk-NBBMMJ2H.js}

@@ -1,6 +1,6 @@
 import {
   dekKey
-} from "./chunk-4TBBMHVC.js";
+} from "./chunk-5LIROIDM.js";
 import {
   generateULID
 } from "./chunk-FZU343FL.js";
@@ -9,10 +9,10 @@ import {
   encrypt,
   unwrapKey,
   wrapKey
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   DelegationTargetMissingError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/team/delegation.ts
 var DELEGATIONS_COLLECTION = "_delegations";
@@ -94,4 +94,4 @@ export {
   loadActiveDelegations,
   revokeDelegation
 };
-//# sourceMappingURL=chunk-F4OJZIWQ.js.map
+//# sourceMappingURL=chunk-NBBMMJ2H.js.map

package/dist/{chunk-CZI2A4MQ.js → chunk-NYSYPFXJ.js}

@@ -1,10 +1,10 @@
 import {
   evaluateClause,
   readPath
-} from "./chunk-CJORTUJ2.js";
+} from "./chunk-J7RWBXFY.js";
 import {
   IndexRequiredError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/indexing/persisted-indexes.ts
 var IDX_PREFIX = "_idx/";
@@ -427,4 +427,4 @@ export {
   PersistedCollectionIndex,
   LazyQuery
 };
-//# sourceMappingURL=chunk-CZI2A4MQ.js.map
+//# sourceMappingURL=chunk-NYSYPFXJ.js.map

package/dist/{chunk-EGD5DXFT.js → chunk-PDULVIBY.js}

@@ -1,6 +1,6 @@
 import {
   ValidationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/derivations/with-derivation.ts
 function withDerivation(spec) {
@@ -16,6 +16,18 @@ function withDerivation(spec) {
   if (typeof spec.derive !== "function") {
     throw new ValidationError("withDerivation: derive must be a function");
   }
+  if (spec.sources !== void 0) {
+    for (const extra of spec.sources) {
+      if (typeof extra !== "string" || extra.length === 0) {
+        throw new ValidationError("withDerivation: each entry in sources[] must be a non-empty string");
+      }
+      if (extra === spec.source) {
+        throw new ValidationError(
+          `withDerivation: sources[] must not contain the primary source "${spec.source}"`
+        );
+      }
+    }
+  }
   const lifecycleMode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
   for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {
     if (outputSpec.shape === "array") {
@@ -48,4 +60,4 @@ function withDerivation(spec) {
 export {
   withDerivation
 };
-//# sourceMappingURL=chunk-EGD5DXFT.js.map
+//# sourceMappingURL=chunk-PDULVIBY.js.map

package/dist/chunk-PDULVIBY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/with-derivation.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { DerivationStrategy, DerivationStrategyHandle } from './types.js'\n\n/**\n * Register a deterministic derivation: one source collection → one or\n * more typed outputs, computed by the user's `derive` function on\n * plaintext after DEK unwrap. Outputs are encrypted with the same DEK\n * as the source and written via the standard `Collection.put` path.\n *\n * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.\n */\nexport function withDerivation<\n  TSource extends Record<string, unknown>,\n  TOutputs extends Record<string, Record<string, unknown>>,\n>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle {\n  if (!spec.source || spec.source.length === 0) {\n    throw new ValidationError('withDerivation: source collection name is required')\n  }\n  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {\n    throw new ValidationError('withDerivation: outputs map must declare at least one output')\n  }\n  if (spec.deterministic !== true) {\n    throw new ValidationError('withDerivation: v1 only supports deterministic derivations')\n  }\n  if (typeof spec.derive !== 'function') {\n    throw new ValidationError('withDerivation: derive must be a function')\n  }\n\n  // Validate declared sibling sources (#344). Each must be a non-empty\n  // string and must differ from the primary source — a self-reference\n  // would double-register the strategy under the same `_bySource` key.\n  if (spec.sources !== undefined) {\n    for (const extra of spec.sources) {\n      if (typeof extra !== 'string' || extra.length === 0) {\n        throw new ValidationError('withDerivation: each entry in sources[] must be a non-empty string')\n      }\n      if (extra === spec.source) {\n        throw new ValidationError(\n          `withDerivation: sources[] must not contain the primary source \"${spec.source}\"`,\n        )\n      }\n    }\n  }\n\n  // Validate array-shape outputs.\n  const lifecycleMode = typeof spec.lifecycle === 'string' ? spec.lifecycle : spec.lifecycle.mode\n  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {\n    if (outputSpec.shape === 'array') {\n      if (lifecycleMode !== 'eager') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release `\n          + `Output \"${outputKey}\" declared lifecycle '${lifecycleMode}'. `\n          + 'Switch to `lifecycle: \"eager\"` or use shape: \"record\".',\n        )\n      }\n      if (typeof outputSpec.key !== 'function') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' output \"${outputKey}\" requires \\`key: (out) => string\\`.`,\n        )\n      }\n      if (outputSpec.maxFanout !== undefined) {\n        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {\n          throw new ValidationError(\n            `withDerivation: maxFanout for output \"${outputKey}\" must be a positive integer `\n            + `(got ${String(outputSpec.maxFanout)}).`,\n          )\n        }\n      }\n    }\n  }\n\n  return {\n    __noydb_strategy: 'derivation',\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    spec: spec as DerivationStrategy<any, any>,\n  }\n}\n"],"mappings":";;;;;AAWO,SAAS,eAGd,MAAuE;AACvE,MAAI,CAAC,KAAK,UAAU,KAAK,OAAO,WAAW,GAAG;AAC5C,UAAM,IAAI,gBAAgB,oDAAoD;AAAA,EAChF;AACA,MAAI,CAAC,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,WAAW,GAAG;AAC3D,UAAM,IAAI,gBAAgB,8DAA8D;AAAA,EAC1F;AACA,MAAI,KAAK,kBAAkB,MAAM;AAC/B,UAAM,IAAI,gBAAgB,4DAA4D;AAAA,EACxF;AACA,MAAI,OAAO,KAAK,WAAW,YAAY;AACrC,UAAM,IAAI,gBAAgB,2CAA2C;AAAA,EACvE;AAKA,MAAI,KAAK,YAAY,QAAW;AAC9B,eAAW,SAAS,KAAK,SAAS;AAChC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG;AACnD,cAAM,IAAI,gBAAgB,oEAAoE;AAAA,MAChG;AACA,UAAI,UAAU,KAAK,QAAQ;AACzB,cAAM,IAAI;AAAA,UACR,kEAAkE,KAAK,MAAM;AAAA,QAC/E;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,OAAO,KAAK,cAAc,WAAW,KAAK,YAAY,KAAK,UAAU;AAC3F,aAAW,CAAC,WAAW,UAAU,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAClE,QAAI,WAAW,UAAU,SAAS;AAChC,UAAI,kBAAkB,SAAS;AAC7B,cAAM,IAAI;AAAA,UACR,yFACa,SAAS,yBAAyB,aAAa;AAAA,QAE9D;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,YAAY;AACxC,cAAM,IAAI;AAAA,UACR,yCAAyC,SAAS;AAAA,QACpD;AAAA,MACF;AACA,UAAI,WAAW,cAAc,QAAW;AACtC,YAAI,CAAC,OAAO,UAAU,WAAW,SAAS,KAAK,WAAW,YAAY,GAAG;AACvE,gBAAM,IAAI;AAAA,YACR,yCAAyC,SAAS,qCACxC,OAAO,WAAW,SAAS,CAAC;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,kBAAkB;AAAA;AAAA,IAElB;AAAA,EACF;AACF;","names":[]}

package/dist/{chunk-Z6FNBOTC.js → chunk-PDVP3C2I.js}

@@ -69,4 +69,4 @@ export {
   parseIndex,
   envelopePayloadHash
 };
-//# sourceMappingURL=chunk-Z6FNBOTC.js.map
+//# sourceMappingURL=chunk-PDVP3C2I.js.map

package/dist/{chunk-Z6FNBOTC.js.map → chunk-PDVP3C2I.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/history/ledger/entry.ts","../src/history/ledger/hash.ts"],"sourcesContent":["/**\n * Ledger entry shape + canonical JSON + sha256 helpers.\n *\n * This file holds the PURE primitives used by the hash-chained ledger:\n * the entry type, the deterministic (sort-stable) JSON encoder, and\n * the sha256 hasher that produces `prevHash` and `ledger.head()`.\n *\n * Everything here is validator-free and side-effect free — the only\n * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,\n * which we already use for every other hashing operation in the core.\n *\n * The hash chain property works like this:\n *\n *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))\n *   entry[i+1].prevHash  = hash(entry[i])\n *\n * Any modification to `entry[i]` (field values, field order, whitespace)\n * produces a different `hash(entry[i])`, which means `entry[i+1]`'s\n * stored `prevHash` no longer matches the recomputed hash, which means\n * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is\n * append-only and tamper-evident without external anchoring.\n */\n\n/**\n * A single ledger entry in its plaintext form — what gets serialized,\n * hashed, and then encrypted with the ledger DEK before being written\n * to the `_ledger/` adapter collection.\n *\n * ## Why hash the ciphertext, not the plaintext?\n *\n * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,\n * not its plaintext. This matters:\n *\n *   1. **Zero-knowledge preserved.** A user (or a third party) can\n *      verify the ledger against the stored envelopes without any\n *      decryption keys. The adapter layer already holds only\n *      ciphertext, so hashing the ciphertext keeps the ledger at the\n *      same privacy level as the adapter.\n *\n *   2. **Determinism.** Plaintext → ciphertext is randomized by the\n *      fresh per-write IV, so `hash(plaintext)` would need extra\n *      normalization. `hash(ciphertext)` is already deterministic and\n *      unique per write.\n *\n *   3. **Detection property.** If an attacker modifies even one byte of\n *      the stored ciphertext (trying to flip a record), the hash\n *      changes, the ledger's recorded `payloadHash` no longer matches,\n *      and a data-integrity check fails. We don't do that check in\n *      `verify()` today, but the\n *      hook is there for a future `verifyIntegrity()` follow-up.\n *\n * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are\n * plaintext METADATA about the operation — NOT the record itself. The\n * entry is still encrypted at rest via the ledger DEK, but adapters\n * could theoretically infer operation patterns from the sizes and\n * timestamps. This is an accepted trade-off for the tamper-evidence\n * property; full ORAM-level privacy is out of scope for noy-db.\n */\nexport interface LedgerEntry {\n  /**\n   * Zero-based sequential position of this entry in the chain. The\n   * canonical adapter key is this number zero-padded to 10 digits\n   * (`\"0000000001\"`) so lexicographic ordering matches numeric order.\n   */\n  readonly index: number\n\n  /**\n   * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.\n   * The genesis entry (index 0) has `prevHash === ''` — the first\n   * entry in a fresh vault has nothing to point back to.\n   */\n  readonly prevHash: string\n\n  /**\n   * Which kind of mutation this entry records. only supports\n   * data operations (`put`, `delete`, `amendment`). Access-control\n   * operations (`grant`, `revoke`, `rotate`) will be added in a\n   * follow-up once the keyring write path is instrumented — that's\n   * tracked in the epic issue.\n   *\n   * `'amendment'` is the multi-record audit entry written by the\n   * guards subsystem when an admin/owner uses `withTransactions(...)`\n   * to repair a constraint-violating state. See `amendment` field\n   * below for the structured payload.\n   *\n   * `'lifecycle'` records a non-data audit event (e.g. partition\n   * handover) — `collection`/`id` are empty and the event detail\n   * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like\n   * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`\n   * skips it in the data cross-check (it still participates in the\n   * tamper-evident chain).\n   */\n  readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration'\n\n  /** The collection the mutation targeted. */\n  readonly collection: string\n\n  /** The record id the mutation targeted. */\n  readonly id: string\n\n  /**\n   * The record version AFTER this mutation. For `put` this is the\n   * newly assigned version; for `delete` this is the version that\n   * was deleted (the last version visible to reads).\n   */\n  readonly version: number\n\n  /** ISO timestamp of the mutation. */\n  readonly ts: string\n\n  /** User id of the actor who performed the mutation. */\n  readonly actor: string\n\n  /**\n   * Hex-encoded sha256 of the encrypted envelope's `_data` field.\n   * For `put`, this is the hash of the new ciphertext. For `delete`,\n   * it's the hash of the last visible ciphertext at deletion time,\n   * or the empty string if nothing was there to delete. Hashing the\n   * ciphertext (not the plaintext) preserves zero-knowledge — see\n   * the file docstring.\n   */\n  readonly payloadHash: string\n\n  /**\n   * Optional human-readable tag describing why this mutation happened.\n   * Threaded through `collection.put(_, _, { reason })`. Common\n   * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from\n   * `as-*` ImportPlan.apply(), but consumers can use any string for\n   * domain-specific audit filtering. Auto-strip via `canonicalJson` —\n   * absent on the wire, never serialized as `null`.\n   *\n   * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.\n   */\n  readonly reason?: string\n\n  /**\n   * Optional hex-encoded sha256 of the encrypted JSON Patch delta\n   * blob stored alongside this entry in `_ledger_deltas/`. Present\n   * only for `put` operations that had a previous version — the\n   * genesis put of a new record, and every `delete`, leave this\n   * field undefined.\n   *\n   * The delta payload itself lives in a sibling internal collection\n   * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the\n   * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and\n   * deserialize it when reconstructing a historical version.\n   *\n   * Why optional instead of always-present: the first put of a\n   * record has no previous version to diff against, so storing an\n   * empty patch would be noise. For deletes there's no \"next\" state\n   * to describe with a delta. Both cases set this field to undefined.\n   *\n   * Note: the canonical-JSON hasher treats `undefined` as invalid\n   * (it's one of the guard rails), so on the wire this field is\n   * either `{ deltaHash: '<hex>' }` or absent from the JSON\n   * entirely — never `{ deltaHash: undefined }`.\n   */\n  readonly deltaHash?: string\n\n  /**\n   * Present only when `op === 'amendment'`. Records the human reason,\n   * the role of the actor, the (collection, id, vBefore, vAfter) tuple\n   * for every record touched, and which guard invariants passed.\n   *\n   * See docs/superpowers/specs/2026-05-18-guards-design.md.\n   */\n  readonly amendment?: {\n    readonly reason: string\n    readonly role: 'admin' | 'owner'\n    readonly changes: ReadonlyArray<{\n      readonly collection: string\n      readonly id: string\n      readonly vBefore: number\n      readonly vAfter: number\n    }>\n    readonly invariantsPassed: ReadonlyArray<string>\n  }\n}\n\n/**\n * Canonical (sort-stable) JSON encoder.\n *\n * This function is the load-bearing primitive of the hash chain:\n * `sha256(canonicalJSON(entry))` must produce the same hex string\n * every time, on every machine, for the same logical entry — otherwise\n * `verify()` would return `{ ok: false }` on cross-platform reads.\n *\n * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:\n * it preserves the insertion order of object keys, which means\n * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by\n * recursively walking objects and sorting their keys before\n * concatenation.\n *\n * Arrays keep their original order (reordering them would change\n * semantics). Numbers, strings, booleans, and `null` use the default\n * JSON encoding. `undefined` and functions are rejected — ledger\n * entries are plain data, and silently dropping `undefined` would\n * break the \"same input → same hash\" property if a caller forgot to\n * omit a field.\n *\n * Performance: one pass per nesting level; O(n log n) for key sorting\n * at each object. Entries are small (< 1 KB) so this is negligible\n * compared to the sha256 call.\n */\nexport function canonicalJson(value: unknown): string {\n  if (value === null) return 'null'\n  if (typeof value === 'boolean') return value ? 'true' : 'false'\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(\n        `canonicalJson: refusing to encode non-finite number ${String(value)}`,\n      )\n    }\n    return JSON.stringify(value)\n  }\n  if (typeof value === 'string') return JSON.stringify(value)\n  if (typeof value === 'bigint') {\n    throw new Error('canonicalJson: BigInt is not JSON-serializable')\n  }\n  if (typeof value === 'undefined' || typeof value === 'function') {\n    throw new Error(\n      `canonicalJson: refusing to encode ${typeof value} — include all fields explicitly`,\n    )\n  }\n  if (Array.isArray(value)) {\n    return '[' + value.map((v) => canonicalJson(v)).join(',') + ']'\n  }\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>\n    const keys = Object.keys(obj).sort()\n    const parts: string[] = []\n    for (const key of keys) {\n      parts.push(JSON.stringify(key) + ':' + canonicalJson(obj[key]))\n    }\n    return '{' + parts.join(',') + '}'\n  }\n  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`)\n}\n\n/**\n * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.\n *\n * We use hex (not base64) for hashes because hex is case-insensitive,\n * fixed-length (64 chars), and easier to compare visually in debug\n * output. Base64 would save a few bytes in storage but every encrypted\n * ledger entry is already much larger than the hash itself.\n */\nexport async function sha256Hex(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return bytesToHex(new Uint8Array(digest))\n}\n\n/**\n * Compute the canonical hash of a ledger entry. Short wrapper around\n * `canonicalJson` + `sha256Hex`; callers use this instead of composing\n * the two functions every time, so any future change to the hashing\n * pipeline (e.g., adding a domain-separation prefix) lives in one place.\n */\nexport async function hashEntry(entry: LedgerEntry): Promise<string> {\n  return sha256Hex(canonicalJson(entry))\n}\n\n/** Convert a Uint8Array to a lowercase hex string. */\nfunction bytesToHex(bytes: Uint8Array): string {\n  const hex = new Array<string>(bytes.length)\n  for (let i = 0; i < bytes.length; i++) {\n    // Non-null assertion: indexing a Uint8Array within bounds always\n    // returns a number, but the compiler's noUncheckedIndexedAccess\n    // flag widens it to `number | undefined`. Safe here by construction.\n    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, '0')\n  }\n  return hex.join('')\n}\n\n/**\n * Pad an index to the canonical 10-digit form used as the adapter key.\n * Ten digits is enough for ~10 billion ledger entries per vault\n * — far beyond any realistic use case, but cheap enough that the extra\n * digits don't hurt storage.\n */\nexport function paddedIndex(index: number): string {\n  return String(index).padStart(10, '0')\n}\n\n/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */\nexport function parseIndex(key: string): number {\n  return Number.parseInt(key, 10)\n}\n","/**\n * Envelope payload hash — pinned in its own leaf module so consumers\n * (DictionaryHandle, the active history strategy) can import it\n * without dragging in the `LedgerStore` class.\n *\n * see `constants.ts` for the broader rationale.\n *\n * @internal\n */\n\nimport type { EncryptedEnvelope } from '../../types.js'\nimport { sha256Hex } from './entry.js'\n\n/**\n * Compute the `payloadHash` value for an encrypted envelope. Used by\n * `LedgerStore.append` for both put (hash the new envelope) and\n * delete (hash the previous envelope) paths, and by\n * `DictionaryHandle` so its ledger entries match the same contract.\n *\n * Returns the empty string when there is no envelope (delete of a\n * never-existed record). The empty string tolerated by the ledger\n * entry's `payloadHash` field as the canonical \"nothing here\" value.\n */\nexport async function envelopePayloadHash(\n  envelope: EncryptedEnvelope | null,\n): Promise<string> {\n  if (!envelope) return ''\n  // `_data` is a base64 string for encrypted envelopes and the raw\n  // JSON for plaintext ones. Both are strings, so a single sha256Hex\n  // call works for both modes — the hash value differs between\n  // encrypted/plaintext compartments because the bytes on disk\n  // differ.\n  return sha256Hex(envelope._data)\n}\n"],"mappings":";AA4MO,SAAS,cAAc,OAAwB;AACpD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,uDAAuD,OAAO,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,UAAU,eAAe,OAAO,UAAU,YAAY;AAC/D,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,KAAK;AAAA,IACnD;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAAA,EAC9D;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,QAAkB,CAAC;AACzB,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,UAAU,GAAG,IAAI,MAAM,cAAc,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE;AACA,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AACA,QAAM,IAAI,MAAM,yCAAyC,OAAO,KAAK,EAAE;AACzE;AAUA,eAAsB,UAAU,OAAgC;AAC9D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,WAAW,IAAI,WAAW,MAAM,CAAC;AAC1C;AAQA,eAAsB,UAAU,OAAqC;AACnE,SAAO,UAAU,cAAc,KAAK,CAAC;AACvC;AAGA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,IAAI,MAAc,MAAM,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AAIrC,QAAI,CAAC,KAAK,MAAM,CAAC,KAAK,GAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACvD;AACA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQO,SAAS,YAAY,OAAuB;AACjD,SAAO,OAAO,KAAK,EAAE,SAAS,IAAI,GAAG;AACvC;AAGO,SAAS,WAAW,KAAqB;AAC9C,SAAO,OAAO,SAAS,KAAK,EAAE;AAChC;;;ACzQA,eAAsB,oBACpB,UACiB;AACjB,MAAI,CAAC,SAAU,QAAO;AAMtB,SAAO,UAAU,SAAS,KAAK;AACjC;","names":[]}
+{"version":3,"sources":["../src/history/ledger/entry.ts","../src/history/ledger/hash.ts"],"sourcesContent":["/**\n * Ledger entry shape + canonical JSON + sha256 helpers.\n *\n * This file holds the PURE primitives used by the hash-chained ledger:\n * the entry type, the deterministic (sort-stable) JSON encoder, and\n * the sha256 hasher that produces `prevHash` and `ledger.head()`.\n *\n * Everything here is validator-free and side-effect free — the only\n * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,\n * which we already use for every other hashing operation in the core.\n *\n * The hash chain property works like this:\n *\n *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))\n *   entry[i+1].prevHash  = hash(entry[i])\n *\n * Any modification to `entry[i]` (field values, field order, whitespace)\n * produces a different `hash(entry[i])`, which means `entry[i+1]`'s\n * stored `prevHash` no longer matches the recomputed hash, which means\n * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is\n * append-only and tamper-evident without external anchoring.\n */\n\n/**\n * A single ledger entry in its plaintext form — what gets serialized,\n * hashed, and then encrypted with the ledger DEK before being written\n * to the `_ledger/` adapter collection.\n *\n * ## Why hash the ciphertext, not the plaintext?\n *\n * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,\n * not its plaintext. This matters:\n *\n *   1. **Zero-knowledge preserved.** A user (or a third party) can\n *      verify the ledger against the stored envelopes without any\n *      decryption keys. The adapter layer already holds only\n *      ciphertext, so hashing the ciphertext keeps the ledger at the\n *      same privacy level as the adapter.\n *\n *   2. **Determinism.** Plaintext → ciphertext is randomized by the\n *      fresh per-write IV, so `hash(plaintext)` would need extra\n *      normalization. `hash(ciphertext)` is already deterministic and\n *      unique per write.\n *\n *   3. **Detection property.** If an attacker modifies even one byte of\n *      the stored ciphertext (trying to flip a record), the hash\n *      changes, the ledger's recorded `payloadHash` no longer matches,\n *      and a data-integrity check fails. We don't do that check in\n *      `verify()` today, but the\n *      hook is there for a future `verifyIntegrity()` follow-up.\n *\n * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are\n * plaintext METADATA about the operation — NOT the record itself. The\n * entry is still encrypted at rest via the ledger DEK, but adapters\n * could theoretically infer operation patterns from the sizes and\n * timestamps. This is an accepted trade-off for the tamper-evidence\n * property; full ORAM-level privacy is out of scope for noy-db.\n */\nexport interface LedgerEntry {\n  /**\n   * Zero-based sequential position of this entry in the chain. The\n   * canonical adapter key is this number zero-padded to 10 digits\n   * (`\"0000000001\"`) so lexicographic ordering matches numeric order.\n   */\n  readonly index: number\n\n  /**\n   * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.\n   * The genesis entry (index 0) has `prevHash === ''` — the first\n   * entry in a fresh vault has nothing to point back to.\n   */\n  readonly prevHash: string\n\n  /**\n   * Which kind of mutation this entry records. only supports\n   * data operations (`put`, `delete`, `amendment`). Access-control\n   * operations (`grant`, `revoke`, `rotate`) will be added in a\n   * follow-up once the keyring write path is instrumented — that's\n   * tracked in the epic issue.\n   *\n   * `'amendment'` is the multi-record audit entry written by the\n   * guards subsystem when an admin/owner uses `withTransactions(...)`\n   * to repair a constraint-violating state. See `amendment` field\n   * below for the structured payload.\n   *\n   * `'lifecycle'` records a non-data audit event (e.g. partition\n   * handover) — `collection`/`id` are empty and the event detail\n   * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like\n   * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`\n   * skips it in the data cross-check (it still participates in the\n   * tamper-evident chain).\n   *\n   * `'forget'` is the single summary entry written by `vault.forget()`\n   * (#304 GDPR crypto-shred). `collection`/`id` are empty and `version`\n   * is 0 — a forget is not scoped to one record. `payloadHash` carries\n   * `sha256Hex(subjectId)` so the ledger PROVES \"subject X existed and\n   * was erased on date D\" without retaining the subject id or any\n   * plaintext; `reason` holds a JSON summary of the shred counts. Like\n   * `amendment`/`lifecycle` it carries no data envelope and is skipped\n   * by the reconstruct walker (it still participates in the chain, so\n   * `verify()` passes after a shred).\n   */\n  readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration' | 'forget'\n\n  /** The collection the mutation targeted. */\n  readonly collection: string\n\n  /** The record id the mutation targeted. */\n  readonly id: string\n\n  /**\n   * The record version AFTER this mutation. For `put` this is the\n   * newly assigned version; for `delete` this is the version that\n   * was deleted (the last version visible to reads).\n   */\n  readonly version: number\n\n  /** ISO timestamp of the mutation. */\n  readonly ts: string\n\n  /** User id of the actor who performed the mutation. */\n  readonly actor: string\n\n  /**\n   * Hex-encoded sha256 of the encrypted envelope's `_data` field.\n   * For `put`, this is the hash of the new ciphertext. For `delete`,\n   * it's the hash of the last visible ciphertext at deletion time,\n   * or the empty string if nothing was there to delete. Hashing the\n   * ciphertext (not the plaintext) preserves zero-knowledge — see\n   * the file docstring.\n   */\n  readonly payloadHash: string\n\n  /**\n   * Optional human-readable tag describing why this mutation happened.\n   * Threaded through `collection.put(_, _, { reason })`. Common\n   * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from\n   * `as-*` ImportPlan.apply(), but consumers can use any string for\n   * domain-specific audit filtering. Auto-strip via `canonicalJson` —\n   * absent on the wire, never serialized as `null`.\n   *\n   * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.\n   */\n  readonly reason?: string\n\n  /**\n   * Optional hex-encoded sha256 of the encrypted JSON Patch delta\n   * blob stored alongside this entry in `_ledger_deltas/`. Present\n   * only for `put` operations that had a previous version — the\n   * genesis put of a new record, and every `delete`, leave this\n   * field undefined.\n   *\n   * The delta payload itself lives in a sibling internal collection\n   * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the\n   * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and\n   * deserialize it when reconstructing a historical version.\n   *\n   * Why optional instead of always-present: the first put of a\n   * record has no previous version to diff against, so storing an\n   * empty patch would be noise. For deletes there's no \"next\" state\n   * to describe with a delta. Both cases set this field to undefined.\n   *\n   * Note: the canonical-JSON hasher treats `undefined` as invalid\n   * (it's one of the guard rails), so on the wire this field is\n   * either `{ deltaHash: '<hex>' }` or absent from the JSON\n   * entirely — never `{ deltaHash: undefined }`.\n   */\n  readonly deltaHash?: string\n\n  /**\n   * Present only when `op === 'amendment'`. Records the human reason,\n   * the role of the actor, the (collection, id, vBefore, vAfter) tuple\n   * for every record touched, and which guard invariants passed.\n   *\n   * See docs/superpowers/specs/2026-05-18-guards-design.md.\n   */\n  readonly amendment?: {\n    readonly reason: string\n    readonly role: 'admin' | 'owner'\n    readonly changes: ReadonlyArray<{\n      readonly collection: string\n      readonly id: string\n      readonly vBefore: number\n      readonly vAfter: number\n    }>\n    readonly invariantsPassed: ReadonlyArray<string>\n  }\n}\n\n/**\n * Canonical (sort-stable) JSON encoder.\n *\n * This function is the load-bearing primitive of the hash chain:\n * `sha256(canonicalJSON(entry))` must produce the same hex string\n * every time, on every machine, for the same logical entry — otherwise\n * `verify()` would return `{ ok: false }` on cross-platform reads.\n *\n * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:\n * it preserves the insertion order of object keys, which means\n * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by\n * recursively walking objects and sorting their keys before\n * concatenation.\n *\n * Arrays keep their original order (reordering them would change\n * semantics). Numbers, strings, booleans, and `null` use the default\n * JSON encoding. `undefined` and functions are rejected — ledger\n * entries are plain data, and silently dropping `undefined` would\n * break the \"same input → same hash\" property if a caller forgot to\n * omit a field.\n *\n * Performance: one pass per nesting level; O(n log n) for key sorting\n * at each object. Entries are small (< 1 KB) so this is negligible\n * compared to the sha256 call.\n */\nexport function canonicalJson(value: unknown): string {\n  if (value === null) return 'null'\n  if (typeof value === 'boolean') return value ? 'true' : 'false'\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(\n        `canonicalJson: refusing to encode non-finite number ${String(value)}`,\n      )\n    }\n    return JSON.stringify(value)\n  }\n  if (typeof value === 'string') return JSON.stringify(value)\n  if (typeof value === 'bigint') {\n    throw new Error('canonicalJson: BigInt is not JSON-serializable')\n  }\n  if (typeof value === 'undefined' || typeof value === 'function') {\n    throw new Error(\n      `canonicalJson: refusing to encode ${typeof value} — include all fields explicitly`,\n    )\n  }\n  if (Array.isArray(value)) {\n    return '[' + value.map((v) => canonicalJson(v)).join(',') + ']'\n  }\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>\n    const keys = Object.keys(obj).sort()\n    const parts: string[] = []\n    for (const key of keys) {\n      parts.push(JSON.stringify(key) + ':' + canonicalJson(obj[key]))\n    }\n    return '{' + parts.join(',') + '}'\n  }\n  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`)\n}\n\n/**\n * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.\n *\n * We use hex (not base64) for hashes because hex is case-insensitive,\n * fixed-length (64 chars), and easier to compare visually in debug\n * output. Base64 would save a few bytes in storage but every encrypted\n * ledger entry is already much larger than the hash itself.\n */\nexport async function sha256Hex(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return bytesToHex(new Uint8Array(digest))\n}\n\n/**\n * Compute the canonical hash of a ledger entry. Short wrapper around\n * `canonicalJson` + `sha256Hex`; callers use this instead of composing\n * the two functions every time, so any future change to the hashing\n * pipeline (e.g., adding a domain-separation prefix) lives in one place.\n */\nexport async function hashEntry(entry: LedgerEntry): Promise<string> {\n  return sha256Hex(canonicalJson(entry))\n}\n\n/** Convert a Uint8Array to a lowercase hex string. */\nfunction bytesToHex(bytes: Uint8Array): string {\n  const hex = new Array<string>(bytes.length)\n  for (let i = 0; i < bytes.length; i++) {\n    // Non-null assertion: indexing a Uint8Array within bounds always\n    // returns a number, but the compiler's noUncheckedIndexedAccess\n    // flag widens it to `number | undefined`. Safe here by construction.\n    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, '0')\n  }\n  return hex.join('')\n}\n\n/**\n * Pad an index to the canonical 10-digit form used as the adapter key.\n * Ten digits is enough for ~10 billion ledger entries per vault\n * — far beyond any realistic use case, but cheap enough that the extra\n * digits don't hurt storage.\n */\nexport function paddedIndex(index: number): string {\n  return String(index).padStart(10, '0')\n}\n\n/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */\nexport function parseIndex(key: string): number {\n  return Number.parseInt(key, 10)\n}\n","/**\n * Envelope payload hash — pinned in its own leaf module so consumers\n * (DictionaryHandle, the active history strategy) can import it\n * without dragging in the `LedgerStore` class.\n *\n * see `constants.ts` for the broader rationale.\n *\n * @internal\n */\n\nimport type { EncryptedEnvelope } from '../../types.js'\nimport { sha256Hex } from './entry.js'\n\n/**\n * Compute the `payloadHash` value for an encrypted envelope. Used by\n * `LedgerStore.append` for both put (hash the new envelope) and\n * delete (hash the previous envelope) paths, and by\n * `DictionaryHandle` so its ledger entries match the same contract.\n *\n * Returns the empty string when there is no envelope (delete of a\n * never-existed record). The empty string tolerated by the ledger\n * entry's `payloadHash` field as the canonical \"nothing here\" value.\n */\nexport async function envelopePayloadHash(\n  envelope: EncryptedEnvelope | null,\n): Promise<string> {\n  if (!envelope) return ''\n  // `_data` is a base64 string for encrypted envelopes and the raw\n  // JSON for plaintext ones. Both are strings, so a single sha256Hex\n  // call works for both modes — the hash value differs between\n  // encrypted/plaintext compartments because the bytes on disk\n  // differ.\n  return sha256Hex(envelope._data)\n}\n"],"mappings":";AAsNO,SAAS,cAAc,OAAwB;AACpD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,uDAAuD,OAAO,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,UAAU,eAAe,OAAO,UAAU,YAAY;AAC/D,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,KAAK;AAAA,IACnD;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAAA,EAC9D;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,QAAkB,CAAC;AACzB,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,UAAU,GAAG,IAAI,MAAM,cAAc,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE;AACA,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AACA,QAAM,IAAI,MAAM,yCAAyC,OAAO,KAAK,EAAE;AACzE;AAUA,eAAsB,UAAU,OAAgC;AAC9D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,WAAW,IAAI,WAAW,MAAM,CAAC;AAC1C;AAQA,eAAsB,UAAU,OAAqC;AACnE,SAAO,UAAU,cAAc,KAAK,CAAC;AACvC;AAGA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,IAAI,MAAc,MAAM,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AAIrC,QAAI,CAAC,KAAK,MAAM,CAAC,KAAK,GAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACvD;AACA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQO,SAAS,YAAY,OAAuB;AACjD,SAAO,OAAO,KAAK,EAAE,SAAS,IAAI,GAAG;AACvC;AAGO,SAAS,WAAW,KAAqB;AAC9C,SAAO,OAAO,SAAS,KAAK,EAAE;AAChC;;;ACnRA,eAAsB,oBACpB,UACiB;AACjB,MAAI,CAAC,SAAU,QAAO;AAMtB,SAAO,UAAU,SAAS,KAAK;AACjC;","names":[]}

package/dist/{chunk-COFPAMX6.js → chunk-QHM6XEAH.js}

@@ -1,15 +1,15 @@
 import {
   dekKey
-} from "./chunk-4TBBMHVC.js";
+} from "./chunk-5LIROIDM.js";
 import {
   assertStrongPassphrase,
   mintKeyringCanary,
   persistKeyring
-} from "./chunk-A5ZOOZFB.js";
+} from "./chunk-BSZOCSDZ.js";
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-GC4V7RU7.js";
+} from "./chunk-SISBMAPO.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -19,7 +19,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   DelegationTargetMissingError,
   InvalidKeyError,
@@ -28,7 +28,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/team/authenticators.ts
 async function enrollAuthenticator(store, vault, keyring, options) {
@@ -827,4 +827,4 @@ export {
   magicLinkGrantRecordId,
   isMagicLinkGrantExpired
 };
-//# sourceMappingURL=chunk-COFPAMX6.js.map
+//# sourceMappingURL=chunk-QHM6XEAH.js.map

package/dist/{chunk-C5T5AFWN.js → chunk-QO6RGLLD.js}

@@ -1,13 +1,13 @@
 import {
   wrapDbWithPredicates
-} from "./chunk-5LQG6ZO2.js";
+} from "./chunk-2FU2FTXD.js";
 import {
   canonicalGroupKey,
   groupAndReduce
-} from "./chunk-3EWXMOK3.js";
+} from "./chunk-7H2GEJ3O.js";
 import {
   MaterializedViewTooLargeError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/materialized-views/executor.ts
 var DEFAULT_MAX_ROWS = 1e5;
@@ -30,7 +30,13 @@ async function materializeUnionResult(spec, db) {
   const unified = [];
   for (const arm of spec.unionSources) {
     const coll = db.collection(arm.collection);
-    const sourceRows = coll.query().toArray();
+    let q = coll.query();
+    if (arm.join?.length) {
+      for (const leg of arm.join) {
+        q = q.join(leg.field, { as: leg.as, maxRows: leg.maxRows, strategy: leg.strategy });
+      }
+    }
+    const sourceRows = q.toArray();
     for (const r of sourceRows) {
       const mapped = arm.map(r);
       if (mapped == null) continue;
@@ -47,7 +53,7 @@ async function materializeUnionResult(spec, db) {
     }
     return [...seen.values()];
   }
-  return groupAndReduce(unified, groupFields, spec.aggregate);
+  return groupAndReduce(unified, groupFields, spec.aggregate, spec.moneyFields);
 }
 var MaterializedViewExecutor = {
   async refresh(reg, accessor) {
@@ -144,4 +150,4 @@ async function listOutputIds(outputColl) {
 export {
   MaterializedViewExecutor
 };
-//# sourceMappingURL=chunk-C5T5AFWN.js.map
+//# sourceMappingURL=chunk-QO6RGLLD.js.map

package/dist/chunk-QO6RGLLD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/materialized-views/executor.ts"],"sourcesContent":["import type { Collection } from '../collection.js'\nimport type { TxContext } from '../tx/transaction.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport { MaterializedViewTooLargeError } from '../errors.js'\nimport type { MaterializedFromMeta, MVQueryContext, MaterializedViewStrategy } from './types.js'\nimport type { RegisteredMV } from './registry.js'\nimport { wrapDbWithPredicates } from './registry.js'\nimport { groupAndReduce } from '../aggregate/groupby.js'\nimport { canonicalGroupKey } from '../aggregate/canonical-key.js'\n\n/**\n * Accessor shape passed in from the owning Vault. Mirrors v1's\n * `DerivationStaleAccessor` — provides the per-collection resolver\n * and the active TxContext so refresh writes/tombstones register on\n * `_executed` for rollback symmetry.\n */\nexport interface MVExecutorAccessor {\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  getCollection(name: string): Collection<any>\n  getActiveTxContext(): TxContext | null\n  /**\n   * Vault-shaped accessor passed to the MV's `query()` callback at\n   * each refresh. Same instance the registry used at registration\n   * time; threading through the executor lets the refresh path\n   * re-evaluate the closure against the live vault state.\n   */\n  getQueryContext(): MVQueryContext\n}\n\nexport interface RefreshResult {\n  /** Rows newly written / overwritten. */\n  written: number\n  /** Rows tombstoned via `_internalDelete` (only when `onEmpty: 'delete'`). */\n  deleted: number\n  /** Failed row writes (non-strict mode). */\n  failed: number\n}\n\n/** Default cost ceiling — overridable per-MV via `spec.maxRows`. */\nconst DEFAULT_MAX_ROWS = 100_000\n\n/**\n * Materialize a query terminal that may be a `Query<T>` (call\n * `.toArray()`), an `Aggregation<R>` (call `.run()` returning a\n * single object — wrap as a one-row array), or a `GroupedAggregation<R>`\n * (call `.run()` returning an array of grouped rows). Branches on\n * available terminal at runtime — no type-discrimination at registration.\n */\nasync function materializeQueryResult(\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  q: any,\n  mvName: string,\n): Promise<ReadonlyArray<Record<string, unknown>>> {\n  if (typeof q?.toArray === 'function') {\n    // Query<T> — non-aggregate path. `.toArray()` returns Promise<T[]>.\n    return await q.toArray()\n  }\n  if (typeof q?.run === 'function') {\n    // Aggregation<R> or GroupedAggregation<R>. `.run()` is synchronous\n    // and returns either a single object (Aggregation) or an array of\n    // rows (GroupedAggregation). Promise.resolve() normalizes both\n    // sync and async (future) variants.\n    const result: unknown = await Promise.resolve(q.run())\n    if (Array.isArray(result)) {\n      return result as ReadonlyArray<Record<string, unknown>>\n    }\n    // Single-aggregate result — wrap as one-row array. The consumer's\n    // `rowKey()` should return a stable identity (often a literal\n    // constant like `'total'`) since there's only one row.\n    return [result as Record<string, unknown>]\n  }\n  throw new Error(\n    `MV \"${mvName}\": query() must return a Query<T>, Aggregation, or GroupedAggregation. ` +\n      `Got something without a .toArray() or .run() terminal.`,\n  )\n}\n\n/**\n * Materialize a UNION-form MV: read every arm's source\n * collection, apply each arm's `map` to project rows into the unified\n * MV row shape, concatenate the mapped streams, then optionally run\n * `groupBy` + `aggregate` over the result.\n *\n * Modes (driven by `spec.groupBy` / `spec.aggregate`):\n *\n *   - No `groupBy` → return the concatenated mapped rows unchanged.\n *   - `groupBy` without `aggregate` → dedupe by composite group key,\n *     keep the first row seen per key (later arms don't overwrite\n *     earlier arms — Map insertion order rules).\n *   - `groupBy` + `aggregate` → delegate to the shared `groupAndReduce`\n *     pipeline used by `Query.groupBy().aggregate()`.\n *\n * Per-arm `map` is the schema-unification boundary; the strategy's\n * `TRow` type parameter enforces that every arm projects into the\n * same shape at compile time.\n *\n * @internal\n */\nasync function materializeUnionResult<TRow extends Record<string, unknown>>(\n  spec: MaterializedViewStrategy<TRow>,\n  db: MVQueryContext,\n): Promise<ReadonlyArray<Record<string, unknown>>> {\n  const unified: TRow[] = []\n  for (const arm of spec.unionSources!) {\n    const coll = db.collection<Record<string, unknown>>(arm.collection)\n    // Optional per-arm FK joins: chain `.join(field, { as, ... })` for\n    // each declared leg before terminating. The aliased right-side\n    // record lands at `sourceRow[leg.as]`, where the arm's `map` reads\n    // it. Cast to `any` because the chained join widens the row type but\n    // the executor treats every row as `Record<string, unknown>` — same\n    // pattern the query-form join path uses.\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    let q: any = coll.query()\n    if (arm.join?.length) {\n      for (const leg of arm.join) {\n        q = q.join(leg.field, { as: leg.as, maxRows: leg.maxRows, strategy: leg.strategy })\n      }\n    }\n    const sourceRows = q.toArray() as ReadonlyArray<Record<string, unknown>>\n    for (const r of sourceRows) {\n      const mapped = arm.map(r)\n      // null / undefined means \"omit this source row\" — skip without\n      // pushing so groupBy/aggregate never see a null entry (#297).\n      if (mapped == null) continue\n      unified.push(mapped)\n    }\n  }\n\n  if (!spec.groupBy) return unified\n\n  const groupFields: readonly string[] =\n    typeof spec.groupBy === 'string' ? [spec.groupBy] : spec.groupBy\n\n  // groupBy without aggregate — dedupe by composite key, keep first\n  // seen row per key. Useful for cross-arm uniqueness (e.g. unify two\n  // sibling collections, keeping one row per natural key).\n  if (!spec.aggregate) {\n    const seen = new Map<string, TRow>()\n    for (const row of unified) {\n      const k = canonicalGroupKey(groupFields, row as Record<string, unknown>)\n      if (!seen.has(k)) seen.set(k, row)\n    }\n    return [...seen.values()]\n  }\n\n  // groupBy + aggregate — delegate to the shared pipeline used by\n  // `Query.groupBy().aggregate()`. Result rows carry each grouped\n  // field in declaration order followed by the spec's reducer outputs.\n  return groupAndReduce<Record<string, unknown>>(unified, groupFields, spec.aggregate, spec.moneyFields)\n}\n\n/**\n * Run an MV's `query()` and write the result rows to the output\n * collection. Same-DEK encryption: routes through the standard\n * `Collection.put` pipeline, so the output collection's DEK is what\n * gets used (matches the v2 spec's \"same DEK as the left-most source\"\n * invariant — `Collection.put` looks up the DEK by collection name,\n * and the output collection IS the MV's owned collection).\n *\n * Stamps `_materializedFrom` onto every emitted row.\n *\n * **Tombstoning:** when `spec.onEmpty: 'delete'` (default), rows\n * that existed in a prior refresh but no longer appear in the new\n * materialized result are deleted via `Collection._internalDelete` —\n * the housekeeping bypass primitive prevents user\n * `onDelete` guards on the output collection from firing on these\n * system-internal deletes. `onEmpty: 'keep'` opts out (rows from\n * prior refreshes linger even when the new result lacks them).\n *\n * **Cost ceiling:** if the materialized row count exceeds\n * `spec.maxRows` (default 100k), throws `MaterializedViewTooLargeError`\n * before any writes hit the store — so strict-mode rollback is\n * clean.\n *\n * **Strict mode:** `spec.strict === true` re-throws on any\n * row-write failure; the active TxContext registration means the\n * source-write rolls back atomically via `revertExecuted`.\n *\n * @internal\n */\nexport const MaterializedViewExecutor = {\n  async refresh(\n    reg: RegisteredMV,\n    accessor: MVExecutorAccessor,\n  ): Promise<RefreshResult> {\n    const spec = reg.spec\n    const outputColl = accessor.getCollection(reg.outputCollection)\n    const maxRows = spec.maxRows ?? DEFAULT_MAX_ROWS\n    const onEmpty = spec.onEmpty ?? 'delete'\n    const strict = spec.strict ?? false\n\n    // 1. Materialize the query (branches on terminal shape). If the\n    //    MV declared predicates, wrap the query context the same way\n    //    the registry did at registration time so `.wherePredicate()`\n    //    calls resolve to the registered functions.\n    const baseCtx = accessor.getQueryContext()\n    const ctxForQuery: MVQueryContext = spec.predicates\n      ? wrapDbWithPredicates(baseCtx, spec.predicates)\n      : baseCtx\n    // UNION-form strategies: read every arm, map to the unified\n    // row shape, concatenate, then optionally groupBy + aggregate. The\n    // single-source `query()` path is untouched.\n    let rows: ReadonlyArray<Record<string, unknown>>\n    if (spec.unionSources) {\n      rows = await materializeUnionResult(spec, ctxForQuery)\n    } else {\n      const q = spec.query!(ctxForQuery)\n      rows = await materializeQueryResult(q, spec.name)\n    }\n\n    // 2. Cost ceiling check BEFORE any writes — keeps the rollback\n    //    clean if the source-write is wrapped in a transaction.\n    if (rows.length > maxRows) {\n      throw new MaterializedViewTooLargeError(spec.name, rows.length, maxRows)\n    }\n\n    const txCtx = accessor.getActiveTxContext()\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    const adapter = (outputColl as any).adapter as {\n      get(v: string, c: string, i: string): Promise<EncryptedEnvelope | null>\n    }\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    const vaultName = (outputColl as any).vault as string\n\n    // 3. Compute the post-refresh id set so we can diff against the\n    //    prior-emitted id set for tombstoning (when onEmpty === 'delete').\n    const newIds = new Set<string>()\n    const enrichedRows: Array<{ id: string; record: Record<string, unknown> }> = []\n    for (const row of rows) {\n      const id = spec.rowKey(row)\n      newIds.add(id)\n      const meta: MaterializedFromMeta = {\n        mvName: spec.name,\n        queryHash: reg.queryHash,\n        sourceVersions: {},\n        materializedAt: new Date().toISOString(),\n      }\n      enrichedRows.push({ id, record: { ...row, _materializedFrom: meta } })\n    }\n\n    // 4. Write the new rows.\n    let written = 0\n    let failed = 0\n    for (const { id, record } of enrichedRows) {\n      try {\n        if (txCtx !== null) {\n          const prior = await adapter.get(vaultName, reg.outputCollection, id)\n          txCtx._executed.push({\n            op: { type: 'put', vaultName, collectionName: reg.outputCollection, id },\n            priorEnvelope: prior,\n          })\n        }\n        await outputColl.put(id, record)\n        written++\n      } catch (err) {\n        failed++\n        if (strict) throw err\n         \n        console.warn(`[mv] \"${spec.name}\" row write failed:`, err)\n      }\n    }\n\n    // 5. Tombstone rows that existed before but don't appear now.\n    //    `onEmpty: 'keep'` skips this pass entirely. Uses\n    //    `_internalDelete` so a user-registered `onDelete` on the\n    //    output collection does NOT fire on housekeeping (composition fix).\n    let deleted = 0\n    if (onEmpty === 'delete') {\n      const priorIds = await listOutputIds(outputColl)\n      for (const priorId of priorIds) {\n        if (newIds.has(priorId)) continue\n        try {\n          // eslint-disable-next-line @typescript-eslint/no-explicit-any\n          const outAny = outputColl as any\n          if (typeof outAny._internalDelete === 'function') {\n            await outAny._internalDelete(priorId, txCtx)\n            deleted++\n          } else {\n            // Defensive fallback — should never hit in real flow since\n            // every Collection has `_internalDelete`.\n            await outputColl.delete(priorId)\n            deleted++\n          }\n        } catch (err) {\n          failed++\n          if (strict) throw err\n           \n          console.warn(`[mv] \"${spec.name}\" tombstone failed for id=\"${priorId}\":`, err)\n        }\n      }\n    }\n\n    return { written, deleted, failed }\n  },\n}\n\n/**\n * List ids currently present in the MV's output collection via the\n * adapter directly (avoids triggering the lazy resolve-on-read path\n * we're INSIDE). Returns an empty array if the collection doesn't\n * exist or the adapter doesn't surface a list method.\n *\n * @internal\n */\nasync function listOutputIds(\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  outputColl: Collection<any>,\n): Promise<string[]> {\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  const cAny = outputColl as any\n  const adapter = cAny.adapter as { list?: (v: string, c: string) => Promise<readonly string[]> }\n  const vault = cAny.vault as string\n  const name = cAny.name as string\n  if (typeof adapter?.list !== 'function') return []\n  try {\n    const ids = await adapter.list(vault, name)\n    return [...ids]\n  } catch {\n    return []\n  }\n}\n"],"mappings":";;;;;;;;;;;;AAuCA,IAAM,mBAAmB;AASzB,eAAe,uBAEb,GACA,QACiD;AACjD,MAAI,OAAO,GAAG,YAAY,YAAY;AAEpC,WAAO,MAAM,EAAE,QAAQ;AAAA,EACzB;AACA,MAAI,OAAO,GAAG,QAAQ,YAAY;AAKhC,UAAM,SAAkB,MAAM,QAAQ,QAAQ,EAAE,IAAI,CAAC;AACrD,QAAI,MAAM,QAAQ,MAAM,GAAG;AACzB,aAAO;AAAA,IACT;AAIA,WAAO,CAAC,MAAiC;AAAA,EAC3C;AACA,QAAM,IAAI;AAAA,IACR,OAAO,MAAM;AAAA,EAEf;AACF;AAuBA,eAAe,uBACb,MACA,IACiD;AACjD,QAAM,UAAkB,CAAC;AACzB,aAAW,OAAO,KAAK,cAAe;AACpC,UAAM,OAAO,GAAG,WAAoC,IAAI,UAAU;AAQlE,QAAI,IAAS,KAAK,MAAM;AACxB,QAAI,IAAI,MAAM,QAAQ;AACpB,iBAAW,OAAO,IAAI,MAAM;AAC1B,YAAI,EAAE,KAAK,IAAI,OAAO,EAAE,IAAI,IAAI,IAAI,SAAS,IAAI,SAAS,UAAU,IAAI,SAAS,CAAC;AAAA,MACpF;AAAA,IACF;AACA,UAAM,aAAa,EAAE,QAAQ;AAC7B,eAAW,KAAK,YAAY;AAC1B,YAAM,SAAS,IAAI,IAAI,CAAC;AAGxB,UAAI,UAAU,KAAM;AACpB,cAAQ,KAAK,MAAM;AAAA,IACrB;AAAA,EACF;AAEA,MAAI,CAAC,KAAK,QAAS,QAAO;AAE1B,QAAM,cACJ,OAAO,KAAK,YAAY,WAAW,CAAC,KAAK,OAAO,IAAI,KAAK;AAK3D,MAAI,CAAC,KAAK,WAAW;AACnB,UAAM,OAAO,oBAAI,IAAkB;AACnC,eAAW,OAAO,SAAS;AACzB,YAAM,IAAI,kBAAkB,aAAa,GAA8B;AACvE,UAAI,CAAC,KAAK,IAAI,CAAC,EAAG,MAAK,IAAI,GAAG,GAAG;AAAA,IACnC;AACA,WAAO,CAAC,GAAG,KAAK,OAAO,CAAC;AAAA,EAC1B;AAKA,SAAO,eAAwC,SAAS,aAAa,KAAK,WAAW,KAAK,WAAW;AACvG;AA+BO,IAAM,2BAA2B;AAAA,EACtC,MAAM,QACJ,KACA,UACwB;AACxB,UAAM,OAAO,IAAI;AACjB,UAAM,aAAa,SAAS,cAAc,IAAI,gBAAgB;AAC9D,UAAM,UAAU,KAAK,WAAW;AAChC,UAAM,UAAU,KAAK,WAAW;AAChC,UAAM,SAAS,KAAK,UAAU;AAM9B,UAAM,UAAU,SAAS,gBAAgB;AACzC,UAAM,cAA8B,KAAK,aACrC,qBAAqB,SAAS,KAAK,UAAU,IAC7C;AAIJ,QAAI;AACJ,QAAI,KAAK,cAAc;AACrB,aAAO,MAAM,uBAAuB,MAAM,WAAW;AAAA,IACvD,OAAO;AACL,YAAM,IAAI,KAAK,MAAO,WAAW;AACjC,aAAO,MAAM,uBAAuB,GAAG,KAAK,IAAI;AAAA,IAClD;AAIA,QAAI,KAAK,SAAS,SAAS;AACzB,YAAM,IAAI,8BAA8B,KAAK,MAAM,KAAK,QAAQ,OAAO;AAAA,IACzE;AAEA,UAAM,QAAQ,SAAS,mBAAmB;AAE1C,UAAM,UAAW,WAAmB;AAIpC,UAAM,YAAa,WAAmB;AAItC,UAAM,SAAS,oBAAI,IAAY;AAC/B,UAAM,eAAuE,CAAC;AAC9E,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,OAAO,GAAG;AAC1B,aAAO,IAAI,EAAE;AACb,YAAM,OAA6B;AAAA,QACjC,QAAQ,KAAK;AAAA,QACb,WAAW,IAAI;AAAA,QACf,gBAAgB,CAAC;AAAA,QACjB,iBAAgB,oBAAI,KAAK,GAAE,YAAY;AAAA,MACzC;AACA,mBAAa,KAAK,EAAE,IAAI,QAAQ,EAAE,GAAG,KAAK,mBAAmB,KAAK,EAAE,CAAC;AAAA,IACvE;AAGA,QAAI,UAAU;AACd,QAAI,SAAS;AACb,eAAW,EAAE,IAAI,OAAO,KAAK,cAAc;AACzC,UAAI;AACF,YAAI,UAAU,MAAM;AAClB,gBAAM,QAAQ,MAAM,QAAQ,IAAI,WAAW,IAAI,kBAAkB,EAAE;AACnE,gBAAM,UAAU,KAAK;AAAA,YACnB,IAAI,EAAE,MAAM,OAAO,WAAW,gBAAgB,IAAI,kBAAkB,GAAG;AAAA,YACvE,eAAe;AAAA,UACjB,CAAC;AAAA,QACH;AACA,cAAM,WAAW,IAAI,IAAI,MAAM;AAC/B;AAAA,MACF,SAAS,KAAK;AACZ;AACA,YAAI,OAAQ,OAAM;AAElB,gBAAQ,KAAK,SAAS,KAAK,IAAI,uBAAuB,GAAG;AAAA,MAC3D;AAAA,IACF;AAMA,QAAI,UAAU;AACd,QAAI,YAAY,UAAU;AACxB,YAAM,WAAW,MAAM,cAAc,UAAU;AAC/C,iBAAW,WAAW,UAAU;AAC9B,YAAI,OAAO,IAAI,OAAO,EAAG;AACzB,YAAI;AAEF,gBAAM,SAAS;AACf,cAAI,OAAO,OAAO,oBAAoB,YAAY;AAChD,kBAAM,OAAO,gBAAgB,SAAS,KAAK;AAC3C;AAAA,UACF,OAAO;AAGL,kBAAM,WAAW,OAAO,OAAO;AAC/B;AAAA,UACF;AAAA,QACF,SAAS,KAAK;AACZ;AACA,cAAI,OAAQ,OAAM;AAElB,kBAAQ,KAAK,SAAS,KAAK,IAAI,8BAA8B,OAAO,MAAM,GAAG;AAAA,QAC/E;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,SAAS,SAAS,OAAO;AAAA,EACpC;AACF;AAUA,eAAe,cAEb,YACmB;AAEnB,QAAM,OAAO;AACb,QAAM,UAAU,KAAK;AACrB,QAAM,QAAQ,KAAK;AACnB,QAAM,OAAO,KAAK;AAClB,MAAI,OAAO,SAAS,SAAS,WAAY,QAAO,CAAC;AACjD,MAAI;AACF,UAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,IAAI;AAC1C,WAAO,CAAC,GAAG,GAAG;AAAA,EAChB,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}

package/dist/{chunk-7HT2MEZ5.js → chunk-ROPJVUG3.js}

@@ -1,22 +1,22 @@
 import {
   ensureCollectionDEK
-} from "./chunk-A5ZOOZFB.js";
+} from "./chunk-BSZOCSDZ.js";
 import {
   envelopePayloadHash
-} from "./chunk-Z6FNBOTC.js";
+} from "./chunk-PDVP3C2I.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-GC4V7RU7.js";
+} from "./chunk-SISBMAPO.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   DictKeyMissingError,
   LocaleNotSpecifiedError,
   MissingTranslationError,
   PermissionDeniedError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/i18n/policy.ts
 function resolvePolicy(onMissing, layer) {
@@ -233,6 +233,21 @@ function dictKey(name, keys, opts) {
 function isDictKeyDescriptor(x) {
   return typeof x === "object" && x !== null && x._noydbDictKey === true;
 }
+function staticDict(name, table, opts) {
+  return {
+    _noydbStaticDict: true,
+    name,
+    table,
+    keys: Object.keys(table),
+    ...opts?.displayLocale !== void 0 ? { displayLocale: opts.displayLocale } : {},
+    ...opts?.onMissing !== void 0 ? { onMissing: opts.onMissing } : {},
+    ...opts?.substitute !== void 0 ? { substitute: opts.substitute } : {},
+    ...opts?.validateCodes !== void 0 ? { validateCodes: opts.validateCodes } : {}
+  };
+}
+function isStaticDictDescriptor(x) {
+  return typeof x === "object" && x !== null && x._noydbStaticDict === true;
+}
 var DictionaryHandle = class {
   constructor(adapter, compartmentName, dictionaryName, keyring, getDEK, encrypted, ledger, options, findAndUpdateReferences, emitter) {
     this.adapter = adapter;
@@ -584,6 +599,8 @@ export {
   isDictCollectionName,
   dictKey,
   isDictKeyDescriptor,
+  staticDict,
+  isStaticDictDescriptor,
   DictionaryHandle
 };
-//# sourceMappingURL=chunk-7HT2MEZ5.js.map
+//# sourceMappingURL=chunk-ROPJVUG3.js.map

package/dist/chunk-ROPJVUG3.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/i18n/policy.ts","../src/i18n/core.ts","../src/i18n/dictionary.ts"],"sourcesContent":["/**\n * Per-layer i18n resolution policy.\n *\n * `onMissing` governs what happens when a multilingual field is resolved\n * to a target locale that is absent. It may be a single scalar policy or\n * a per-layer map, so a field can be lenient at the app read boundary but\n * strict inside a materialized view.\n *\n * Effective policy for layer `λ`:\n *\n * ```\n * explicit(λ) = typeof onMissing === 'object' ? onMissing[λ] : undefined\n * scalar      = typeof onMissing === 'string' ? onMissing : undefined\n * policy(λ)   = explicit(λ) ?? layerDefault(λ) ?? scalar ?? 'throw'\n * ```\n *\n * - `layerDefault('guard') = 'substitute'` — guards are lenient unless\n *   EXPLICITLY overridden; they never inherit a scalar policy (a guard\n *   reading a display value must not hard-fail on a missing locale).\n * - every other layer has no default, so it inherits the scalar, else\n *   falls back to `'throw'` (today's behavior — zero breaking change).\n *\n * @public\n */\nexport type OnMissing = 'substitute' | 'null' | 'throw'\n\n/**\n * The contexts in which a multilingual field is resolved. Each can carry\n * its own `onMissing` policy.\n *\n * - `read`       — ordinary app reads (`get`/`list`/query projection).\n * - `guard`      — a guard callback reading a value.\n * - `join`       — a joined record expanded onto a row.\n * - `mv`         — materialized-view input.\n * - `derivation` — derivation input.\n * - `export`     — bundle/public-envelope export.\n */\nexport type Layer = 'read' | 'guard' | 'join' | 'mv' | 'derivation' | 'export'\n\n/** Field-level policy: a single scalar, or a per-layer map. */\nexport type OnMissingPolicy = OnMissing | Partial<Record<Layer, OnMissing>>\n\n/**\n * Resolve the effective `OnMissing` for a layer from a field's declared\n * policy. See module docs for the resolution rule.\n */\nexport function resolvePolicy(\n  onMissing: OnMissingPolicy | undefined,\n  layer: Layer,\n): OnMissing {\n  const explicit =\n    onMissing && typeof onMissing === 'object' ? onMissing[layer] : undefined\n  const scalar = typeof onMissing === 'string' ? onMissing : undefined\n  const layerDefault: OnMissing | undefined =\n    layer === 'guard' ? 'substitute' : undefined\n  return explicit ?? layerDefault ?? scalar ?? 'throw'\n}\n","/**\n * i18nText schema type —\n *\n * `i18nText({ languages, required })` creates a descriptor for a\n * multi-language content field whose value is stored as a\n * `{ [locale]: string }` map (e.g. `{ en: 'Consulting', th: 'ที่ปรึกษา' }`).\n *\n * On put, the descriptor validates that required languages are present.\n * On read (when a `locale` option is passed), the map is collapsed to the\n * caller's locale string via the fallback chain.\n *\n * Design decisions\n * ────────────────\n *\n * **Descriptor pattern (not a Zod type).**\n * `i18nText()` returns a plain descriptor object used in the collection's\n * `i18nFields` option — same pattern as `ref()` / `dictKey()`. This keeps\n * `@noy-db/core` at zero runtime dependencies and avoids Zod v3 field-type\n * constraints. TypeScript inference is handled via the descriptor's type.\n *\n * **Enforcement at the collection boundary.**\n * The `required` option is checked by `Collection.put()` via the compartment's\n * registered `i18nFields`. Failed validation throws `MissingTranslationError`\n * — a distinct class from `SchemaValidationError` so callers can tell\n * \"wrong shape\" from \"missing translations\".\n *\n * **Resolution is post-decryption.**\n * Locale resolution happens AFTER `decryptRecord()`, as a pure in-memory\n * transform. No additional crypto work is needed. The resolved record is\n * returned in place of the stored one, with i18nText fields replaced by\n * their locale-resolved strings.\n *\n * **`locale: 'raw'`.**\n * Passing `{ locale: 'raw' }` skips resolution and returns the full\n * `{ [locale]: string }` map — useful for bilingual exports, admin UIs,\n * and any context where all translations must be visible at once.\n *\n * **Out of scope.**\n * Pluralization, RTL rendering, date/number formatting, per-locale CRDT\n * merging.\n */\n\nimport { MissingTranslationError, LocaleNotSpecifiedError } from '../errors.js'\nimport type { OnMissing, OnMissingPolicy, Layer } from './policy.js'\nimport { resolvePolicy } from './policy.js'\n\n// ─── I18nMap type helper ───────────────────────────────────────────────\n\n/** Flatten an intersection into a single object literal for nicer hovers. */\ntype Prettify<T> = { [K in keyof T]: T[K] } & {}\n\n/**\n * The stored shape of a multilingual field, inferred from its `required`\n * mode — so the compiler forces you to handle an absent optional locale\n * (`string | undefined`) instead of silently yielding `undefined`.\n *\n * Mirrors `i18nText({ languages, required })`:\n * - `'all'` (default) — every locale required: `{ th: string; en: string }`\n * - `'any'`           — every locale optional: `{ th?: string; en?: string }`\n *   (the \"at least one present\" guarantee is runtime-only — not expressible\n *   in TypeScript — so each key is optional)\n * - `readonly L[]`    — listed locales required, the rest optional:\n *   `I18nMap<'th'|'en', ['th']>` → `{ th: string; en?: string }`\n *\n * @example\n * ```ts\n * type Lang = 'th' | 'en'\n * interface Contact {\n *   name: I18nMap<Lang, 'any'>      // { th?: string; en?: string }\n *   legalName: I18nMap<Lang, ['th']> // { th: string; en?: string }\n *   slug: I18nMap<Lang>             // { th: string; en: string }\n * }\n * ```\n *\n * @public\n */\nexport type I18nMap<\n  Langs extends string,\n  Required extends 'all' | 'any' | readonly Langs[] = 'all',\n> = Required extends 'all'\n  ? Record<Langs, string>\n  : Required extends 'any'\n    ? Partial<Record<Langs, string>>\n    : Required extends readonly (infer R extends Langs)[]\n      ? Prettify<Record<R, string> & Partial<Record<Exclude<Langs, R>, string>>>\n      : never\n\n// ─── i18nText descriptor ───────────────────────────────────────────────\n\n/**\n * Options for `i18nText()`.\n *\n * `languages` declares the full set of supported locales. `required`\n * controls which must be present on every `put()`.\n *\n * `autoTranslate` is the per-field opt-in for the `plaintextTranslator`\n * hook. When `true` and a `plaintextTranslator` is configured\n * on `createNoydb()`, missing translations are generated before `put()`.\n * Default: `false`.\n */\nexport interface I18nTextOptions {\n  /** All supported locale codes (BCP 47). */\n  readonly languages: readonly string[]\n  /**\n   * Which locales must be present on every `put()`.\n   *\n   * - `'all'`       — every declared language must be present.\n   * - `'any'`       — at least one declared language must be present.\n   * - `string[]`    — listed locales are required; others are optional.\n   */\n  readonly required: 'all' | 'any' | readonly string[]\n  /**\n   * Per-field opt-in for the `plaintextTranslator` hook.\n   * When `true`, missing required translations are auto-generated\n   * before `put()` if a translator is configured. Default: `false`.\n   */\n  readonly autoTranslate?: boolean\n  /**\n   * What to do when this field is resolved to a locale that is absent.\n   * A single policy, or a per-layer map (read/guard/join/mv/derivation/\n   * export). Default `'throw'` — today's behavior, zero breaking change.\n   * See {@link OnMissingPolicy}.\n   *\n   * NOTE (current wiring): the `read` layer (`get`/`list`) is enforced.\n   * Guard, derivation, mv, join and export reads currently resolve\n   * through the same read path and so observe the `read`/scalar policy;\n   * dedicated per-layer enforcement for those contexts is a tracked\n   * follow-up (mv/join additionally require resolution to be injected\n   * into the query/aggregate pipeline, which today reads raw maps).\n   */\n  readonly onMissing?: OnMissingPolicy\n  /**\n   * Ordered preferred-substitute locales used when `onMissing` resolves\n   * to `'substitute'` and the target locale is absent. `'any'` as an\n   * element means \"first non-empty value\". A caller-supplied `fallback`\n   * at read time takes precedence over this declared list.\n   */\n  readonly substitute?: readonly string[]\n  /**\n   * Per-locale script enforcement (write-time). `'auto'` infers the\n   * allowed Unicode scripts per locale (asymmetric Latin tolerance); an\n   * object overrides per slot. Absent ⇒ no check. See `./script.ts`.\n   */\n  readonly script?: 'auto' | Partial<Record<string, readonly string[]>>\n  /**\n   * What to do when a slot's value contains characters outside its\n   * allowed script set. Default `'reject'`.\n   */\n  readonly onScriptViolation?: 'reject' | 'filter' | 'warn'\n}\n\n/**\n * Descriptor returned by `i18nText()`. Attach to the collection's\n * `i18nFields` option:\n *\n * ```ts\n * const lineItems = company.collection<LineItem>('line-items', {\n *   i18nFields: {\n *     description: i18nText({ languages: ['en', 'th'], required: 'all' }),\n *   },\n * })\n * ```\n */\nexport interface I18nTextDescriptor {\n  readonly _noydbI18nText: true\n  readonly options: I18nTextOptions\n}\n\n/**\n * Create an `I18nTextDescriptor` for a multi-language content field.\n *\n * @param options  Language list + enforcement mode.\n *\n * @example\n * ```ts\n * i18nText({ languages: ['en', 'th'], required: 'all' })\n * i18nText({ languages: ['en', 'th'], required: ['th'], autoTranslate: true })\n * ```\n */\nexport function i18nText(options: I18nTextOptions): I18nTextDescriptor {\n  return { _noydbI18nText: true, options }\n}\n\n/** Runtime predicate for detecting an `I18nTextDescriptor`. */\nexport function isI18nTextDescriptor(x: unknown): x is I18nTextDescriptor {\n  return (\n    typeof x === 'object' &&\n    x !== null &&\n    (x as { _noydbI18nText?: unknown })._noydbI18nText === true\n  )\n}\n\n// ─── Validation helpers ────────────────────────────────────────────────\n\n/**\n * Validate that a value is a valid `{ [locale]: string }` map and that\n * all required locales are present. Throws `MissingTranslationError`\n * when the required constraint is violated.\n *\n * Called by `Collection.put()` for each registered `i18nField`.\n *\n * @param value       The raw field value from the record being put.\n * @param field       The field name (used in the thrown error message).\n * @param descriptor  The `i18nText()` descriptor for this field.\n */\nexport function validateI18nTextValue(\n  value: unknown,\n  field: string,\n  descriptor: I18nTextDescriptor,\n): void {\n  const { options } = descriptor\n\n  // Must be a non-null object\n  if (typeof value !== 'object' || value === null || Array.isArray(value)) {\n    throw new MissingTranslationError(\n      field,\n      options.languages,\n      `Field \"${field}\" must be a { [locale]: string } map, got ${typeof value}.`,\n    )\n  }\n\n  const map = value as Record<string, unknown>\n\n  // All values must be strings\n  for (const [locale, v] of Object.entries(map)) {\n    if (typeof v !== 'string') {\n      throw new MissingTranslationError(\n        field,\n        [locale],\n        `Field \"${field}\": locale \"${locale}\" must be a string, got ${typeof v}.`,\n      )\n    }\n  }\n\n  // Check required constraint\n  const { required } = options\n  if (required === 'all') {\n    const missing = options.languages.filter(\n      (lang) => !(lang in map) || map[lang] === '',\n    )\n    if (missing.length > 0) {\n      throw new MissingTranslationError(\n        field,\n        missing,\n        `Field \"${field}\" requires all declared languages. Missing: ${missing.join(', ')}.`,\n      )\n    }\n  } else if (required === 'any') {\n    const present = options.languages.some(\n      (lang) => lang in map && map[lang] !== '',\n    )\n    if (!present) {\n      throw new MissingTranslationError(\n        field,\n        options.languages,\n        `Field \"${field}\" requires at least one declared language. None present.`,\n      )\n    }\n  } else {\n    // string[] — named required locales; TypeScript narrows required to readonly string[]\n    const requiredList = required\n    const missing = requiredList.filter(\n      (lang) => !(lang in map) || map[lang] === '',\n    )\n    if (missing.length > 0) {\n      throw new MissingTranslationError(\n        field,\n        missing,\n        `Field \"${field}\" requires: ${requiredList.join(', ')}. Missing: ${missing.join(', ')}.`,\n      )\n    }\n  }\n}\n\n// ─── Locale resolution ─────────────────────────────────────────────────\n\n/**\n * Resolve an i18nText value (`{ [locale]: string }` map) to a string\n * for the given locale.\n *\n * @param value    The stored locale map.\n * @param locale   The requested locale code, or `'raw'` to return the map.\n * @param fallback Single locale or ordered list; use `'any'` as the last\n *                 element to fall back to any available translation.\n * @param field    Field name used in `LocaleNotSpecifiedError` messages.\n * @returns The resolved string, OR the original map when `locale === 'raw'`.\n */\n/** Options for the policy-aware form of {@link resolveI18nText}. */\nexport interface ResolveI18nOptions {\n  /** Effective policy for the resolution layer. Default `'throw'`. */\n  readonly policy?: OnMissing\n  /** Declared substitute chain; applied only under policy `'substitute'`. */\n  readonly substitute?: readonly string[]\n}\n\n/** Normalize a single-or-list fallback into an array. */\nfunction toChain(fallback: string | readonly string[] | undefined): readonly string[] {\n  return Array.isArray(fallback) ? fallback : fallback ? [fallback as string] : []\n}\n\n/** Walk a chain, returning the first non-empty value (or `'any'` match). */\nfunction pickFromChain(\n  value: Record<string, string>,\n  chain: readonly string[],\n): string | undefined {\n  for (const fb of chain) {\n    if (fb === 'any') {\n      const any = Object.values(value).find((v) => v !== '')\n      if (any !== undefined) return any\n    } else if (value[fb] !== undefined && value[fb] !== '') {\n      return value[fb]\n    }\n  }\n  return undefined\n}\n\n// Legacy 4-arg form: can only throw or return — never null. Keeps every\n// existing call site's type unchanged (default policy is 'throw').\nexport function resolveI18nText(\n  value: Record<string, string>,\n  locale: string,\n  fallback?: string | readonly string[],\n  field?: string,\n): string | Record<string, string>\n// Policy-aware form: may return null under 'null'/'substitute' policies.\nexport function resolveI18nText(\n  value: Record<string, string>,\n  locale: string,\n  fallback: string | readonly string[] | undefined,\n  field: string | undefined,\n  opts: ResolveI18nOptions,\n): string | Record<string, string> | null\nexport function resolveI18nText(\n  value: Record<string, string>,\n  locale: string,\n  fallback?: string | readonly string[],\n  field?: string,\n  opts?: ResolveI18nOptions,\n): string | Record<string, string> | null {\n  if (locale === 'raw') {\n    return value\n  }\n\n  if (!locale) {\n    throw new LocaleNotSpecifiedError(field ?? '<unknown>')\n  }\n\n  // Primary locale\n  if (value[locale] !== undefined && value[locale] !== '') {\n    return value[locale]\n  }\n\n  const policy: OnMissing = opts?.policy ?? 'throw'\n\n  // Caller-supplied fallback ALWAYS applies first (backward compat +\n  // explicit read-time override), regardless of policy.\n  const callerChain = toChain(fallback)\n  const callerHit = pickFromChain(value, callerChain)\n  if (callerHit !== undefined) return callerHit\n\n  // Declared substitute applies ONLY under policy 'substitute'.\n  if (policy === 'substitute') {\n    const subHit = pickFromChain(value, toChain(opts?.substitute))\n    if (subHit !== undefined) return subHit\n  }\n\n  // Exhausted.\n  if (policy === 'throw') {\n    throw new LocaleNotSpecifiedError(\n      field ?? '<unknown>',\n      `No translation available for locale \"${locale}\"` +\n        (callerChain.length > 0 ? ` or fallback chain [${callerChain.join(', ')}]` : '') +\n        '.',\n    )\n  }\n  return null\n}\n\n// ─── Path helpers (nested i18nFields like 'address.lineOne') ──────────\n\n/**\n * Return all leaf values at `path`, expanding `[].` array wildcards.\n *\n * - `'name'`              → `[obj.name]`\n * - `'address.lineOne'`   → `[obj.address.lineOne]`\n * - `'contacts[].title'`  → `[obj.contacts[0].title, obj.contacts[1].title, …]`\n *\n * Returns an empty array when the path does not resolve (missing key,\n * wrong type, etc.). Used by `enforceI18nOnPut` to validate nested fields.\n */\nexport function getAtPath(obj: Record<string, unknown>, path: string): unknown[] {\n  const arrayIdx = path.indexOf('[].')\n  if (arrayIdx !== -1) {\n    const arrayKey = path.slice(0, arrayIdx)\n    const restPath = path.slice(arrayIdx + 3)\n    const arr = obj[arrayKey]\n    if (!Array.isArray(arr)) return []\n    return arr.flatMap(item => {\n      if (!item || typeof item !== 'object' || Array.isArray(item)) return []\n      return getAtPath(item as Record<string, unknown>, restPath)\n    })\n  }\n  const dotIdx = path.indexOf('.')\n  if (dotIdx !== -1) {\n    const head = path.slice(0, dotIdx)\n    const rest = path.slice(dotIdx + 1)\n    const nested = obj[head]\n    if (!nested || typeof nested !== 'object' || Array.isArray(nested)) return []\n    return getAtPath(nested as Record<string, unknown>, rest)\n  }\n  const val = obj[path]\n  return val !== undefined ? [val] : []\n}\n\n/**\n * Mutate `obj` in-place, setting `value` at the nested `path`.\n * Supports dot notation (`'address.lineOne'`) but not array wildcards —\n * auto-translate on `contacts[].title` style paths is not supported.\n */\nexport function setAtPathInPlace(\n  obj: Record<string, unknown>,\n  path: string,\n  value: unknown,\n): void {\n  const dotIdx = path.indexOf('.')\n  if (dotIdx !== -1) {\n    const head = path.slice(0, dotIdx)\n    const rest = path.slice(dotIdx + 1)\n    const nested = obj[head]\n    if (!nested || typeof nested !== 'object' || Array.isArray(nested)) return\n    setAtPathInPlace(nested as Record<string, unknown>, rest, value)\n    return\n  }\n  obj[path] = value\n}\n\n/** Recursively resolve i18nText at a single path within a record copy. */\nfunction applyAtPath(\n  obj: Record<string, unknown>,\n  path: string,\n  locale: string,\n  fallback: string | readonly string[] | undefined,\n  opts: ResolveI18nOptions,\n): Record<string, unknown> {\n  const arrayIdx = path.indexOf('[].')\n  if (arrayIdx !== -1) {\n    const arrayKey = path.slice(0, arrayIdx)\n    const restPath = path.slice(arrayIdx + 3)\n    const arr = obj[arrayKey]\n    if (!Array.isArray(arr)) return obj\n    return {\n      ...obj,\n      [arrayKey]: arr.map(item => {\n        if (!item || typeof item !== 'object' || Array.isArray(item)) return item\n        return applyAtPath(item as Record<string, unknown>, restPath, locale, fallback, opts)\n      }),\n    }\n  }\n  const dotIdx = path.indexOf('.')\n  if (dotIdx !== -1) {\n    const head = path.slice(0, dotIdx)\n    const rest = path.slice(dotIdx + 1)\n    const nested = obj[head]\n    if (!nested || typeof nested !== 'object' || Array.isArray(nested)) return obj\n    return {\n      ...obj,\n      [head]: applyAtPath(nested as Record<string, unknown>, rest, locale, fallback, opts),\n    }\n  }\n  const raw = obj[path]\n  if (raw === undefined || raw === null) return obj\n  if (typeof raw !== 'object' || Array.isArray(raw)) return obj\n  return {\n    ...obj,\n    [path]: resolveI18nText(raw as Record<string, string>, locale, fallback, path, opts),\n  }\n}\n\n/**\n * Apply locale resolution to a single record, returning a new copy.\n *\n * For each field registered as an `i18nText` descriptor:\n * - If `locale === 'raw'`, the field value is left as the stored map.\n * - Otherwise, the field value is replaced with the resolved string.\n *\n * Field paths support dot notation (`'address.lineOne'`) and array\n * wildcards (`'contacts[].title'`). Top-level fields work as before.\n *\n * @param record      The decrypted record.\n * @param i18nFields  Map of field path → `I18nTextDescriptor`.\n * @param locale      The requested locale (or `'raw'`).\n * @param fallback    Fallback chain (optional).\n * @param layer       Resolution layer (default `'read'`). Each field's\n *                    `onMissing` policy is resolved for this layer, so the\n *                    same record resolves leniently on a get but strictly\n *                    inside an mv/derivation.\n */\nexport function applyI18nLocale(\n  record: Record<string, unknown>,\n  i18nFields: Record<string, I18nTextDescriptor>,\n  locale: string,\n  fallback?: string | readonly string[],\n  layer: Layer = 'read',\n): Record<string, unknown> {\n  const fieldNames = Object.keys(i18nFields)\n  if (fieldNames.length === 0) return record\n\n  let result = record\n\n  for (const [field, descriptor] of Object.entries(i18nFields)) {\n    const { onMissing, substitute } = descriptor.options\n    const opts: ResolveI18nOptions = {\n      policy: resolvePolicy(onMissing, layer),\n      ...(substitute !== undefined ? { substitute } : {}),\n    }\n    result = applyAtPath(result, field, locale, fallback, opts)\n  }\n\n  return result\n}\n","/**\n * _dict_* reserved collections + dictKey schema descriptor —\n *\n * Stores bounded enum-like field dictionaries as reserved encrypted\n * collections (`_dict_<name>/`) within a vault. Each dictionary\n * entry maps a stable key (e.g. `'paid'`) to a locale → label record\n * (e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`).\n *\n * Design decisions\n * ────────────────\n *\n * **Why reserved collections, not a separate store?**\n * Same answer as `_sync_credentials`: the compartment's existing\n * encryption stack is exactly right. Dictionaries are encrypted under the\n * same vault DEK, inherit ACL, ledger, and backup/restore for free.\n *\n * **One collection per dictionary, not one collection with namespaces.**\n * Each `_dict_<name>/` collection holds entries `{ id: key, labels: {...} }`.\n * This composes with `ref()` naturally (a dictKey IS a ref to the dict\n * collection), and means the query DSL works over dictionary entries\n * without any special-casing.\n *\n * **dictKey() is a descriptor, not a Zod type.**\n * The descriptor pattern matches `ref()`: declare NOYDB-specific metadata\n * in the collection options alongside `refs`. TypeScript inference comes\n * from the descriptor's generic parameter, not from Zod internals.\n *\n * API:\n *   `dictKey(name, keys?)` — returns a DictKeyDescriptor\n *   `vault.dictionary(name)` — returns a DictionaryHandle\n *   `DictionaryHandle.put/putAll/get/delete/rename/list` — CRUD\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { NoydbEventEmitter } from '../events.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { ensureCollectionDEK } from '../team/keyring.js'\nimport type { LedgerStore } from '../history/ledger/store.js'\nimport type { OnMissingPolicy } from './policy.js'\nimport { envelopePayloadHash } from '../history/ledger/hash.js'\nimport {\n  PermissionDeniedError,\n  DictKeyMissingError,\n} from '../errors.js'\n\n/** Reserved collection name prefix. Never collides with user collections. */\nexport const DICT_COLLECTION_PREFIX = '_dict_'\n\n/** Return the adapter collection name for a named dictionary. */\nexport function dictCollectionName(dictionaryName: string): string {\n  return `${DICT_COLLECTION_PREFIX}${dictionaryName}`\n}\n\n/** Return true when a collection name is a reserved dictionary collection. */\nexport function isDictCollectionName(name: string): boolean {\n  return name.startsWith(DICT_COLLECTION_PREFIX)\n}\n\n// ─── DictKey descriptor ────────────────────────────────────────────────\n\n/**\n * Descriptor returned by `dictKey()`. Attach to the collection's\n * `dictKeyFields` option to declare which fields are dictionary-backed:\n *\n * ```ts\n * const invoices = company.collection<Invoice>('invoices', {\n *   dictKeyFields: {\n *     status: dictKey('status', ['draft', 'open', 'paid'] as const),\n *   },\n * })\n * ```\n *\n * The generic parameter `Keys` narrows the TypeScript type of the field\n * to a literal union; the runtime value of `keys` is used by `put()`\n * validation to reject unknown keys when a key set is declared.\n */\nexport interface DictKeyDescriptor<Keys extends string = string> {\n  readonly _noydbDictKey: true\n  /** Which dictionary this field references. */\n  readonly name: string\n  /** Declared valid keys. When set, `put()` rejects keys not in this set. */\n  readonly keys: readonly Keys[] | undefined\n  /**\n   * What to do when a label is missing for the resolved locale. Mirrors\n   * `i18nText`'s `onMissing`. Default behavior (when unset) preserves the\n   * legacy contract: a missing label is omitted (scalar) or `null`\n   * (array element) — i.e. `'null'`. Set `'substitute'` to walk the\n   * declared `substitute` chain, or `'throw'` to raise.\n   */\n  readonly onMissing?: OnMissingPolicy\n  /** Ordered preferred-substitute locales for label resolution. */\n  readonly substitute?: readonly string[]\n}\n\n/**\n * Create a `DictKeyDescriptor` for a dictionary-backed enum field.\n *\n * @param name   The dictionary name (corresponds to `_dict_<name>` collection).\n * @param keys   Optional `as const` array of valid key literals — narrows the\n *               TypeScript type to a literal union and enables put-time\n *               validation.\n *\n * @example\n * ```ts\n * const invoices = company.collection<Invoice>('invoices', {\n *   dictKeyFields: {\n *     status: dictKey('status', ['draft', 'open', 'paid'] as const),\n *   },\n * })\n * ```\n */\nexport function dictKey<Keys extends string>(\n  name: string,\n  keys?: readonly Keys[],\n  opts?: { onMissing?: OnMissingPolicy; substitute?: readonly string[] },\n): DictKeyDescriptor<Keys> {\n  return {\n    _noydbDictKey: true,\n    name,\n    keys,\n    ...(opts?.onMissing !== undefined ? { onMissing: opts.onMissing } : {}),\n    ...(opts?.substitute !== undefined ? { substitute: opts.substitute } : {}),\n  }\n}\n\n/** Runtime predicate for detecting a DictKeyDescriptor. */\nexport function isDictKeyDescriptor(x: unknown): x is DictKeyDescriptor {\n  return (\n    typeof x === 'object' &&\n    x !== null &&\n    (x as { _noydbDictKey?: unknown })._noydbDictKey === true\n  )\n}\n\n// ─── StaticDict descriptor (code-provided dictionary) ──────────────────\n\n/**\n * Descriptor returned by `staticDict()`. A sibling to {@link DictKeyDescriptor}\n * for **closed, defined-in-code, identical-across-vaults** enums (honorific,\n * civil-status, gender, religion, ContactTitle, status…).\n *\n * Unlike `dictKey`, the labels are supplied **at registration in code** and\n * resolved through the *same* label machinery, but with **no `_dict_*`\n * per-vault encrypted copy** and **no `rename()`**. The record stores only\n * the **code**; a static dict has no mutation surface.\n *\n * **Hybrid resolution.** Because a static dict is pure code with no\n * vault-locale dependency, it can — via a configured `displayLocale` — emit a\n * `<field>Label` even under a **locale-less read** (the property a locale-less\n * consumer needs and `dictKey` cannot provide). When a locale *is* active it\n * behaves exactly like `dictKey` (honoring `onMissing`/`substitute`).\n *\n * ```ts\n * const workers = vault.collection<Worker>('workers', {\n *   dictKeyFields: {\n *     civilStatus: staticDict('civilStatus', {\n *       adultMale:   { th: 'นาย',    en: 'Mr'  },\n *       adultFemale: { th: 'นาง',    en: 'Mrs' },\n *     }, { displayLocale: 'th' }),\n *   },\n * })\n * ```\n */\nexport interface StaticDictDescriptor<Keys extends string = string> {\n  readonly _noydbStaticDict: true\n  /** Which dictionary this field references (the registry name). */\n  readonly name: string\n  /** The in-code label table: key → { locale → label }. */\n  readonly table: Readonly<Record<Keys, Readonly<Record<string, string>>>>\n  /** Declared valid keys — derived from `Object.keys(table)`. */\n  readonly keys: readonly Keys[]\n  /**\n   * Locale used to emit `<field>Label` under a **locale-less** read — the\n   * hybrid hinge. When unset, a static dict behaves like `dictKey` under a\n   * locale-less read (no label); a locale-less consumer almost always wants\n   * it set.\n   */\n  readonly displayLocale?: string\n  /** Same `onMissing` policy engine as `dictKey`. Default `'null'`. */\n  readonly onMissing?: OnMissingPolicy\n  /** Ordered preferred-substitute locales for label resolution. */\n  readonly substitute?: readonly string[]\n  /**\n   * Validate the stored code against `keys` on every `put()`. Default `true`\n   * — codes are closed by construction, so an unknown code is a bug. Set\n   * `false` to allow open codes (skips the `UnknownDictCodeError` guard).\n   */\n  readonly validateCodes?: boolean\n}\n\n/**\n * Create a `StaticDictDescriptor` for a code-provided enum field — a sibling\n * to {@link dictKey} for closed, code-defined, identical-across-vaults enums.\n *\n * The labels live in `table` (no `_dict_*` collection, no `rename()`); the\n * record stores only the stable code. Pass `displayLocale` so `<field>Label`\n * resolves even under a locale-less read.\n *\n * @param name   The dictionary name (used for the readonly-guard registry and\n *               the query label seam — never creates a `_dict_<name>` key).\n * @param table  `{ key: { locale: label } }` map.\n * @param opts   `displayLocale` (locale-less label), `onMissing`, `substitute`.\n *\n * @example\n * ```ts\n * staticDict('civilStatus', {\n *   adultMale:   { th: 'นาย',    en: 'Mr'  },\n *   adultFemale: { th: 'นาง',    en: 'Mrs' },\n * }, { displayLocale: 'th' })\n * ```\n */\nexport function staticDict<const T extends Record<string, Record<string, string>>>(\n  name: string,\n  table: T,\n  opts?: {\n    displayLocale?: string\n    onMissing?: OnMissingPolicy\n    substitute?: readonly string[]\n    validateCodes?: boolean\n  },\n): StaticDictDescriptor<Extract<keyof T, string>> {\n  return {\n    _noydbStaticDict: true,\n    name,\n    table: table as Readonly<Record<Extract<keyof T, string>, Readonly<Record<string, string>>>>,\n    keys: Object.keys(table) as Extract<keyof T, string>[],\n    ...(opts?.displayLocale !== undefined ? { displayLocale: opts.displayLocale } : {}),\n    ...(opts?.onMissing !== undefined ? { onMissing: opts.onMissing } : {}),\n    ...(opts?.substitute !== undefined ? { substitute: opts.substitute } : {}),\n    ...(opts?.validateCodes !== undefined ? { validateCodes: opts.validateCodes } : {}),\n  }\n}\n\n/** Runtime predicate for detecting a StaticDictDescriptor. */\nexport function isStaticDictDescriptor(x: unknown): x is StaticDictDescriptor {\n  return (\n    typeof x === 'object' &&\n    x !== null &&\n    (x as { _noydbStaticDict?: unknown })._noydbStaticDict === true\n  )\n}\n\n// ─── Dictionary entry shape ────────────────────────────────────────────\n\n/**\n * One entry in a `_dict_*` collection. The record `id` (adapter-side\n * key) IS the stable dictionary key (e.g. `'paid'`). The `labels`\n * record maps locale codes to display strings.\n */\nexport interface DictEntry {\n  /** Stable key — same as the record id in the adapter. */\n  readonly key: string\n  /** Locale → label map, e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`. */\n  readonly labels: Record<string, string>\n}\n\n// ─── Per-dictionary options ────────────────────────────────────────────\n\n/**\n * Options for `vault.dictionary(name, options?)`.\n *\n * `writableBy` controls the minimum role for write operations (put,\n * putAll, delete, rename). Defaults to `'admin'` to match the standard\n * \"dictionary contents are owned by admins\" convention; set to\n * `'operator'` for user-editable dictionaries like custom tags.\n */\nexport interface DictionaryOptions {\n  /** Minimum role allowed to write dictionary entries. Default: `'admin'`. */\n  readonly writableBy?: 'owner' | 'admin' | 'operator'\n}\n\n// ─── DictionaryHandle ──────────────────────────────────────────────────\n\n/**\n * Handle to a named dictionary within a vault.\n *\n * Obtained via `vault.dictionary(name)`. Provides strongly-typed\n * CRUD for dictionary entries, plus the `rename()` operation that is the\n * only sanctioned mass-mutation path for dictKey fields.\n *\n * All writes are encrypted under the compartment's DEK for the\n * `_dict_<name>` collection. Adapters never see plaintext.\n */\nexport class DictionaryHandle<Keys extends string = string> {\n  private readonly collName: string\n\n  /**\n   * Synchronous write-through cache for dict-join support.\n   * Populated on every `put()`, `delete()`, and `rename()`. The snapshot\n   * is built from this cache by `snapshotEntries()` — the query executor\n   * calls this synchronously inside `.toArray()`.\n   *\n   * `null` means \"not yet initialized\" — callers should use `list()`\n   * to warm the cache before using dict joins on pre-existing data.\n   */\n  private readonly _syncCache = new Map<string, DictEntry>()\n\n  /**\n   * Return all cached entries as `{ key, labels, ...labels }` records —\n   * usable synchronously by the join executor's `snapshot()` call.\n   * Returns an empty array when the cache has never been populated.\n   */\n  snapshotEntries(): readonly Record<string, unknown>[] {\n    return Array.from(this._syncCache.values()).map((e) => ({\n      key: e.key,\n      labels: e.labels,\n      ...e.labels,\n    }))\n  }\n\n  constructor(\n    private readonly adapter: NoydbStore,\n    private readonly compartmentName: string,\n    private readonly dictionaryName: string,\n    private readonly keyring: UnlockedKeyring,\n    private readonly getDEK: (collectionName: string) => Promise<CryptoKey>,\n    private readonly encrypted: boolean,\n    private readonly ledger: LedgerStore | undefined,\n    private readonly options: DictionaryOptions,\n    /**\n     * Callback provided by the Vault to find and rewrite records\n     * in any registered collection that has a dictKeyField pointing at\n     * this dictionary, used by `rename()`.\n     */\n    private readonly findAndUpdateReferences:\n      | ((\n          dictionaryName: string,\n          oldKey: string,\n          newKey: string,\n        ) => Promise<void>)\n      | undefined,\n    private readonly emitter: NoydbEventEmitter,\n  ) {\n    this.collName = dictCollectionName(dictionaryName)\n  }\n\n  // ─── Access checks ────────────────────────────────────────────────\n\n  private requireWriteAccess(): void {\n    const minRole = this.options.writableBy ?? 'admin'\n    const roleRank: Record<string, number> = {\n      client: 1,\n      viewer: 2,\n      operator: 3,\n      admin: 4,\n      owner: 5,\n    }\n    const callerRank = roleRank[this.keyring.role] ?? 0\n    const requiredRank = roleRank[minRole] ?? 4\n    if (callerRank < requiredRank) {\n      throw new PermissionDeniedError(\n        `Dictionary \"${this.dictionaryName}\" writes require \"${minRole}\" role or above. ` +\n          `Current role: \"${this.keyring.role}\".`,\n      )\n    }\n  }\n\n  // ─── Internal helpers ─────────────────────────────────────────────\n\n  private async getDekForDict(): Promise<CryptoKey> {\n    const resolve = await ensureCollectionDEK(\n      this.adapter,\n      this.compartmentName,\n      this.keyring,\n    )\n    return resolve(this.collName)\n  }\n\n  private async encryptEntry(entry: DictEntry, version: number): Promise<EncryptedEnvelope> {\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: version,\n        _ts: new Date().toISOString(),\n        _iv: '',\n        _data: JSON.stringify(entry),\n        _by: this.keyring.userId,\n      }\n    }\n    const dek = await this.getDekForDict()\n    const { iv, data } = await encrypt(JSON.stringify(entry), dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: version,\n      _ts: new Date().toISOString(),\n      _iv: iv,\n      _data: data,\n      _by: this.keyring.userId,\n    }\n  }\n\n  private async decryptEntry(envelope: EncryptedEnvelope): Promise<DictEntry> {\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as DictEntry\n    }\n    const dek = await this.getDekForDict()\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as DictEntry\n  }\n\n  // ─── Public API ───────────────────────────────────────────────────\n\n  /**\n   * Add or overwrite a single dictionary entry.\n   *\n   * @param key    The stable key to store (e.g. `'paid'`).\n   * @param labels Locale → label map (e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`).\n   */\n  async put(key: Keys, labels: Record<string, string>): Promise<void> {\n    this.requireWriteAccess()\n\n    const entry: DictEntry = { key, labels }\n    const existing = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      key,\n    )\n    const version = existing ? existing._v + 1 : 1\n    const envelope = await this.encryptEntry(entry, version)\n\n    await this.adapter.put(\n      this.compartmentName,\n      this.collName,\n      key,\n      envelope,\n      existing ? existing._v : undefined,\n    )\n\n    // Maintain synchronous cache for dict-join snapshot\n    this._syncCache.set(key, entry)\n\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: key,\n      action: 'put',\n    })\n\n    if (this.ledger) {\n      await this.ledger.append({\n        op: 'put',\n        collection: this.collName,\n        id: key,\n        version,\n        actor: this.keyring.userId,\n        //  — must be the real envelope hash so\n        // vault.verifyBackupIntegrity()'s data-cross-check matches.\n        payloadHash: await envelopePayloadHash(envelope),\n      })\n    }\n  }\n\n  /**\n   * Batch-add or overwrite multiple dictionary entries in one call.\n   *\n   * @param entries  `{ key: { locale: label } }` map.\n   */\n  async putAll(entries: Record<Keys, Record<string, string>>): Promise<void> {\n    this.requireWriteAccess()\n    for (const [key, labels] of Object.entries(entries) as [Keys, Record<string, string>][]) {\n      await this.put(key, labels)\n    }\n  }\n\n  /**\n   * Load the label map for a single key.\n   *\n   * @returns The label map, or `null` if the key doesn't exist.\n   */\n  async get(key: Keys): Promise<Record<string, string> | null> {\n    const envelope = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      key,\n    )\n    if (!envelope) return null\n    const entry = await this.decryptEntry(envelope)\n    return entry.labels\n  }\n\n  /**\n   * Delete a dictionary key.\n   *\n   * Default mode is `'strict'` — throws `DictKeyInUseError` if any\n   * registered collection has a record referencing this key. Pass\n   * `{ mode: 'warn' }` to skip the check (dev-mode cleanup only).\n   */\n  async delete(key: Keys, opts: { mode?: 'strict' | 'warn' } = {}): Promise<void> {\n    this.requireWriteAccess()\n\n    const existing = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      key,\n    )\n    if (!existing) {\n      throw new DictKeyMissingError(this.dictionaryName, key)\n    }\n\n    const mode = opts.mode ?? 'strict'\n    if (mode === 'strict' && this.findAndUpdateReferences) {\n      // Check for references by attempting a rename to a sentinel that\n      // doesn't exist — we reuse the reference-finding machinery but\n      // abort before applying changes. Simpler: the vault\n      // exposes a separate checkReferences() callback. For now we rely\n      // on the caller to confirm no references exist, or use warn mode.\n      // A dedicated findReferences API is tracked as a follow-up.\n    }\n\n    await this.adapter.delete(this.compartmentName, this.collName, key)\n\n    // Maintain synchronous cache for dict-join snapshot\n    this._syncCache.delete(key)\n\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: key,\n      action: 'delete',\n    })\n\n    if (this.ledger) {\n      await this.ledger.append({\n        op: 'delete',\n        collection: this.collName,\n        id: key,\n        version: existing._v,\n        actor: this.keyring.userId,\n        //  — for delete the prior envelope is what was just\n        // removed; we hash it so the chain captures intent. The\n        // verifyBackupIntegrity data-cross-check skips delete\n        // entries entirely (the live record is gone), but the\n        // chain still benefits from a stable non-empty hash.\n        payloadHash: await envelopePayloadHash(existing),\n      })\n    }\n  }\n\n  /**\n   * Rename a dictionary key — the only sanctioned mass-mutation path.\n   *\n   * Atomically:\n   * 1. Adds the new key with the same labels as the old key.\n   * 2. Updates every registered record that stores the old key to\n   *    store the new key instead.\n   * 3. Deletes the old key.\n   * 4. Appends a single ledger entry recording the rename.\n   *\n   * Respects ACL: throws `PermissionDeniedError` before any mutation\n   * if the caller can't write. The cascade is best-effort atomic\n   * within this call — no two-phase commit across adapter calls.\n   *\n   * Cascade-on-delete is NOT supported. Use `rename()` when you need\n   * to change a key that records reference.\n   */\n  async rename(oldKey: Keys, newKey: string): Promise<void> {\n    this.requireWriteAccess()\n\n    // 1. Load old entry\n    const existing = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      oldKey,\n    )\n    if (!existing) {\n      throw new DictKeyMissingError(this.dictionaryName, oldKey)\n    }\n    const oldEntry = await this.decryptEntry(existing)\n\n    // 2. Write new key\n    const newEntry: DictEntry = { key: newKey, labels: oldEntry.labels }\n    const newEnvelope = await this.encryptEntry(newEntry, 1)\n    await this.adapter.put(\n      this.compartmentName,\n      this.collName,\n      newKey,\n      newEnvelope,\n    )\n\n    // 3. Update all referencing records in registered collections\n    if (this.findAndUpdateReferences) {\n      await this.findAndUpdateReferences(this.dictionaryName, oldKey, newKey)\n    }\n\n    // 4. Delete old key\n    await this.adapter.delete(this.compartmentName, this.collName, oldKey)\n\n    // Maintain synchronous cache for dict-join snapshot\n    this._syncCache.delete(oldKey)\n    this._syncCache.set(newKey, newEntry)\n\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: oldKey,\n      action: 'delete',\n    })\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: newKey,\n      action: 'put',\n    })\n\n    // 5. Ledger — record the rename as delete(oldKey) + put(newKey)\n    // so verifyBackupIntegrity()'s data-cross-check matches reality\n    // (the oldKey envelope is gone; the newKey envelope is what was\n    // just written). Two entries instead of one — the chain still\n    // captures the rename intent via the matching ts + actor.\n    if (this.ledger) {\n      await this.ledger.append({\n        op: 'delete',\n        collection: this.collName,\n        id: oldKey,\n        version: existing._v,\n        actor: this.keyring.userId,\n        payloadHash: await envelopePayloadHash(existing),\n      })\n      await this.ledger.append({\n        op: 'put',\n        collection: this.collName,\n        id: newKey,\n        version: 1,\n        actor: this.keyring.userId,\n        payloadHash: await envelopePayloadHash(newEnvelope),\n      })\n    }\n  }\n\n  /**\n   * List all entries in this dictionary.\n   *\n   * @returns Array of `{ key, labels }` objects.\n   */\n  async list(): Promise<DictEntry[]> {\n    const keys = await this.adapter.list(this.compartmentName, this.collName)\n    const entries: DictEntry[] = []\n    for (const key of keys) {\n      const envelope = await this.adapter.get(\n        this.compartmentName,\n        this.collName,\n        key,\n      )\n      if (!envelope) continue\n      const entry = await this.decryptEntry(envelope)\n      entries.push(entry)\n      // Warm the synchronous cache\n      this._syncCache.set(key, entry)\n    }\n    return entries\n  }\n\n  /**\n   * Resolve a key to its label for the given locale.\n   *\n   * Used by the collection's locale-aware read path to populate\n   * `<field>Label` virtual fields. Returns `undefined` when the\n   * key doesn't exist or has no label for the requested locale\n   * (after exhausting the fallback chain).\n   */\n  async resolveLabel(\n    key: string,\n    locale: string,\n    fallback?: string | readonly string[],\n  ): Promise<string | undefined> {\n    const labels = await this.get(key as Keys)\n    if (!labels) return undefined\n\n    // Try primary locale\n    if (labels[locale] !== undefined) return labels[locale]\n\n    // Try fallback chain\n    const chain = Array.isArray(fallback) ? (fallback as readonly string[]) : fallback ? [fallback as string] : []\n    for (const fb of chain) {\n      if (fb === 'any') {\n        // Return any available label\n        const any = Object.values(labels)[0]\n        if (any !== undefined) return any\n      } else if (labels[fb] !== undefined) {\n        return labels[fb]\n      }\n    }\n\n    return undefined\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA8CO,SAAS,cACd,WACA,OACW;AACX,QAAM,WACJ,aAAa,OAAO,cAAc,WAAW,UAAU,KAAK,IAAI;AAClE,QAAM,SAAS,OAAO,cAAc,WAAW,YAAY;AAC3D,QAAM,eACJ,UAAU,UAAU,eAAe;AACrC,SAAO,YAAY,gBAAgB,UAAU;AAC/C;;;AC2HO,SAAS,SAAS,SAA8C;AACrE,SAAO,EAAE,gBAAgB,MAAM,QAAQ;AACzC;AAGO,SAAS,qBAAqB,GAAqC;AACxE,SACE,OAAO,MAAM,YACb,MAAM,QACL,EAAmC,mBAAmB;AAE3D;AAeO,SAAS,sBACd,OACA,OACA,YACM;AACN,QAAM,EAAE,QAAQ,IAAI;AAGpB,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,MAAM,QAAQ,KAAK,GAAG;AACvE,UAAM,IAAI;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,UAAU,KAAK,6CAA6C,OAAO,KAAK;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,MAAM;AAGZ,aAAW,CAAC,QAAQ,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AAC7C,QAAI,OAAO,MAAM,UAAU;AACzB,YAAM,IAAI;AAAA,QACR;AAAA,QACA,CAAC,MAAM;AAAA,QACP,UAAU,KAAK,cAAc,MAAM,2BAA2B,OAAO,CAAC;AAAA,MACxE;AAAA,IACF;AAAA,EACF;AAGA,QAAM,EAAE,SAAS,IAAI;AACrB,MAAI,aAAa,OAAO;AACtB,UAAM,UAAU,QAAQ,UAAU;AAAA,MAChC,CAAC,SAAS,EAAE,QAAQ,QAAQ,IAAI,IAAI,MAAM;AAAA,IAC5C;AACA,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,UAAU,KAAK,+CAA+C,QAAQ,KAAK,IAAI,CAAC;AAAA,MAClF;AAAA,IACF;AAAA,EACF,WAAW,aAAa,OAAO;AAC7B,UAAM,UAAU,QAAQ,UAAU;AAAA,MAChC,CAAC,SAAS,QAAQ,OAAO,IAAI,IAAI,MAAM;AAAA,IACzC;AACA,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,QACA,QAAQ;AAAA,QACR,UAAU,KAAK;AAAA,MACjB;AAAA,IACF;AAAA,EACF,OAAO;AAEL,UAAM,eAAe;AACrB,UAAM,UAAU,aAAa;AAAA,MAC3B,CAAC,SAAS,EAAE,QAAQ,QAAQ,IAAI,IAAI,MAAM;AAAA,IAC5C;AACA,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,UAAU,KAAK,eAAe,aAAa,KAAK,IAAI,CAAC,cAAc,QAAQ,KAAK,IAAI,CAAC;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AACF;AAwBA,SAAS,QAAQ,UAAqE;AACpF,SAAO,MAAM,QAAQ,QAAQ,IAAI,WAAW,WAAW,CAAC,QAAkB,IAAI,CAAC;AACjF;AAGA,SAAS,cACP,OACA,OACoB;AACpB,aAAW,MAAM,OAAO;AACtB,QAAI,OAAO,OAAO;AAChB,YAAM,MAAM,OAAO,OAAO,KAAK,EAAE,KAAK,CAAC,MAAM,MAAM,EAAE;AACrD,UAAI,QAAQ,OAAW,QAAO;AAAA,IAChC,WAAW,MAAM,EAAE,MAAM,UAAa,MAAM,EAAE,MAAM,IAAI;AACtD,aAAO,MAAM,EAAE;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAkBO,SAAS,gBACd,OACA,QACA,UACA,OACA,MACwC;AACxC,MAAI,WAAW,OAAO;AACpB,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,wBAAwB,SAAS,WAAW;AAAA,EACxD;AAGA,MAAI,MAAM,MAAM,MAAM,UAAa,MAAM,MAAM,MAAM,IAAI;AACvD,WAAO,MAAM,MAAM;AAAA,EACrB;AAEA,QAAM,SAAoB,MAAM,UAAU;AAI1C,QAAM,cAAc,QAAQ,QAAQ;AACpC,QAAM,YAAY,cAAc,OAAO,WAAW;AAClD,MAAI,cAAc,OAAW,QAAO;AAGpC,MAAI,WAAW,cAAc;AAC3B,UAAM,SAAS,cAAc,OAAO,QAAQ,MAAM,UAAU,CAAC;AAC7D,QAAI,WAAW,OAAW,QAAO;AAAA,EACnC;AAGA,MAAI,WAAW,SAAS;AACtB,UAAM,IAAI;AAAA,MACR,SAAS;AAAA,MACT,wCAAwC,MAAM,OAC3C,YAAY,SAAS,IAAI,uBAAuB,YAAY,KAAK,IAAI,CAAC,MAAM,MAC7E;AAAA,IACJ;AAAA,EACF;AACA,SAAO;AACT;AAcO,SAAS,UAAU,KAA8B,MAAyB;AAC/E,QAAM,WAAW,KAAK,QAAQ,KAAK;AACnC,MAAI,aAAa,IAAI;AACnB,UAAM,WAAW,KAAK,MAAM,GAAG,QAAQ;AACvC,UAAM,WAAW,KAAK,MAAM,WAAW,CAAC;AACxC,UAAM,MAAM,IAAI,QAAQ;AACxB,QAAI,CAAC,MAAM,QAAQ,GAAG,EAAG,QAAO,CAAC;AACjC,WAAO,IAAI,QAAQ,UAAQ;AACzB,UAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,MAAM,QAAQ,IAAI,EAAG,QAAO,CAAC;AACtE,aAAO,UAAU,MAAiC,QAAQ;AAAA,IAC5D,CAAC;AAAA,EACH;AACA,QAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,MAAI,WAAW,IAAI;AACjB,UAAM,OAAO,KAAK,MAAM,GAAG,MAAM;AACjC,UAAM,OAAO,KAAK,MAAM,SAAS,CAAC;AAClC,UAAM,SAAS,IAAI,IAAI;AACvB,QAAI,CAAC,UAAU,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,EAAG,QAAO,CAAC;AAC5E,WAAO,UAAU,QAAmC,IAAI;AAAA,EAC1D;AACA,QAAM,MAAM,IAAI,IAAI;AACpB,SAAO,QAAQ,SAAY,CAAC,GAAG,IAAI,CAAC;AACtC;AAOO,SAAS,iBACd,KACA,MACA,OACM;AACN,QAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,MAAI,WAAW,IAAI;AACjB,UAAM,OAAO,KAAK,MAAM,GAAG,MAAM;AACjC,UAAM,OAAO,KAAK,MAAM,SAAS,CAAC;AAClC,UAAM,SAAS,IAAI,IAAI;AACvB,QAAI,CAAC,UAAU,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,EAAG;AACpE,qBAAiB,QAAmC,MAAM,KAAK;AAC/D;AAAA,EACF;AACA,MAAI,IAAI,IAAI;AACd;AAGA,SAAS,YACP,KACA,MACA,QACA,UACA,MACyB;AACzB,QAAM,WAAW,KAAK,QAAQ,KAAK;AACnC,MAAI,aAAa,IAAI;AACnB,UAAM,WAAW,KAAK,MAAM,GAAG,QAAQ;AACvC,UAAM,WAAW,KAAK,MAAM,WAAW,CAAC;AACxC,UAAM,MAAM,IAAI,QAAQ;AACxB,QAAI,CAAC,MAAM,QAAQ,GAAG,EAAG,QAAO;AAChC,WAAO;AAAA,MACL,GAAG;AAAA,MACH,CAAC,QAAQ,GAAG,IAAI,IAAI,UAAQ;AAC1B,YAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,MAAM,QAAQ,IAAI,EAAG,QAAO;AACrE,eAAO,YAAY,MAAiC,UAAU,QAAQ,UAAU,IAAI;AAAA,MACtF,CAAC;AAAA,IACH;AAAA,EACF;AACA,QAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,MAAI,WAAW,IAAI;AACjB,UAAM,OAAO,KAAK,MAAM,GAAG,MAAM;AACjC,UAAM,OAAO,KAAK,MAAM,SAAS,CAAC;AAClC,UAAM,SAAS,IAAI,IAAI;AACvB,QAAI,CAAC,UAAU,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,EAAG,QAAO;AAC3E,WAAO;AAAA,MACL,GAAG;AAAA,MACH,CAAC,IAAI,GAAG,YAAY,QAAmC,MAAM,QAAQ,UAAU,IAAI;AAAA,IACrF;AAAA,EACF;AACA,QAAM,MAAM,IAAI,IAAI;AACpB,MAAI,QAAQ,UAAa,QAAQ,KAAM,QAAO;AAC9C,MAAI,OAAO,QAAQ,YAAY,MAAM,QAAQ,GAAG,EAAG,QAAO;AAC1D,SAAO;AAAA,IACL,GAAG;AAAA,IACH,CAAC,IAAI,GAAG,gBAAgB,KAA+B,QAAQ,UAAU,MAAM,IAAI;AAAA,EACrF;AACF;AAqBO,SAAS,gBACd,QACA,YACA,QACA,UACA,QAAe,QACU;AACzB,QAAM,aAAa,OAAO,KAAK,UAAU;AACzC,MAAI,WAAW,WAAW,EAAG,QAAO;AAEpC,MAAI,SAAS;AAEb,aAAW,CAAC,OAAO,UAAU,KAAK,OAAO,QAAQ,UAAU,GAAG;AAC5D,UAAM,EAAE,WAAW,WAAW,IAAI,WAAW;AAC7C,UAAM,OAA2B;AAAA,MAC/B,QAAQ,cAAc,WAAW,KAAK;AAAA,MACtC,GAAI,eAAe,SAAY,EAAE,WAAW,IAAI,CAAC;AAAA,IACnD;AACA,aAAS,YAAY,QAAQ,OAAO,QAAQ,UAAU,IAAI;AAAA,EAC5D;AAEA,SAAO;AACT;;;ACvdO,IAAM,yBAAyB;AAG/B,SAAS,mBAAmB,gBAAgC;AACjE,SAAO,GAAG,sBAAsB,GAAG,cAAc;AACnD;AAGO,SAAS,qBAAqB,MAAuB;AAC1D,SAAO,KAAK,WAAW,sBAAsB;AAC/C;AAuDO,SAAS,QACd,MACA,MACA,MACyB;AACzB,SAAO;AAAA,IACL,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA,GAAI,MAAM,cAAc,SAAY,EAAE,WAAW,KAAK,UAAU,IAAI,CAAC;AAAA,IACrE,GAAI,MAAM,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,EAC1E;AACF;AAGO,SAAS,oBAAoB,GAAoC;AACtE,SACE,OAAO,MAAM,YACb,MAAM,QACL,EAAkC,kBAAkB;AAEzD;AA+EO,SAAS,WACd,MACA,OACA,MAMgD;AAChD,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB;AAAA,IACA;AAAA,IACA,MAAM,OAAO,KAAK,KAAK;AAAA,IACvB,GAAI,MAAM,kBAAkB,SAAY,EAAE,eAAe,KAAK,cAAc,IAAI,CAAC;AAAA,IACjF,GAAI,MAAM,cAAc,SAAY,EAAE,WAAW,KAAK,UAAU,IAAI,CAAC;AAAA,IACrE,GAAI,MAAM,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,IACxE,GAAI,MAAM,kBAAkB,SAAY,EAAE,eAAe,KAAK,cAAc,IAAI,CAAC;AAAA,EACnF;AACF;AAGO,SAAS,uBAAuB,GAAuC;AAC5E,SACE,OAAO,MAAM,YACb,MAAM,QACL,EAAqC,qBAAqB;AAE/D;AA2CO,IAAM,mBAAN,MAAqD;AAAA,EA2B1D,YACmB,SACA,iBACA,gBACA,SACA,QACA,WACA,QACA,SAMA,yBAOA,SACjB;AArBiB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AAOA;AAEjB,SAAK,WAAW,mBAAmB,cAAc;AAAA,EACnD;AAAA,EAvBmB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAMA;AAAA,EAOA;AAAA,EA/CF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,oBAAI,IAAuB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOzD,kBAAsD;AACpD,WAAO,MAAM,KAAK,KAAK,WAAW,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO;AAAA,MACtD,KAAK,EAAE;AAAA,MACP,QAAQ,EAAE;AAAA,MACV,GAAG,EAAE;AAAA,IACP,EAAE;AAAA,EACJ;AAAA;AAAA,EA8BQ,qBAA2B;AACjC,UAAM,UAAU,KAAK,QAAQ,cAAc;AAC3C,UAAM,WAAmC;AAAA,MACvC,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,UAAM,aAAa,SAAS,KAAK,QAAQ,IAAI,KAAK;AAClD,UAAM,eAAe,SAAS,OAAO,KAAK;AAC1C,QAAI,aAAa,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR,eAAe,KAAK,cAAc,qBAAqB,OAAO,mCAC1C,KAAK,QAAQ,IAAI;AAAA,MACvC;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAIA,MAAc,gBAAoC;AAChD,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AACA,WAAO,QAAQ,KAAK,QAAQ;AAAA,EAC9B;AAAA,EAEA,MAAc,aAAa,OAAkB,SAA6C;AACxF,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI;AAAA,QACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO,KAAK,UAAU,KAAK;AAAA,QAC3B,KAAK,KAAK,QAAQ;AAAA,MACpB;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,cAAc;AACrC,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,KAAK,GAAG,GAAG;AAC7D,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC5B,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,KAAK,QAAQ;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAc,aAAa,UAAiD;AAC1E,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,cAAc;AACrC,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,IAAI,KAAW,QAA+C;AAClE,SAAK,mBAAmB;AAExB,UAAM,QAAmB,EAAE,KAAK,OAAO;AACvC,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,UAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAC7C,UAAM,WAAW,MAAM,KAAK,aAAa,OAAO,OAAO;AAEvD,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,MACA,WAAW,SAAS,KAAK;AAAA,IAC3B;AAGA,SAAK,WAAW,IAAI,KAAK,KAAK;AAE9B,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AAED,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ;AAAA,QACA,OAAO,KAAK,QAAQ;AAAA;AAAA;AAAA,QAGpB,aAAa,MAAM,oBAAoB,QAAQ;AAAA,MACjD,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,SAA8D;AACzE,SAAK,mBAAmB;AACxB,eAAW,CAAC,KAAK,MAAM,KAAK,OAAO,QAAQ,OAAO,GAAuC;AACvF,YAAM,KAAK,IAAI,KAAK,MAAM;AAAA,IAC5B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,IAAI,KAAmD;AAC3D,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,QAAQ,MAAM,KAAK,aAAa,QAAQ;AAC9C,WAAO,MAAM;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,KAAW,OAAqC,CAAC,GAAkB;AAC9E,SAAK,mBAAmB;AAExB,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,oBAAoB,KAAK,gBAAgB,GAAG;AAAA,IACxD;AAEA,UAAM,OAAO,KAAK,QAAQ;AAC1B,QAAI,SAAS,YAAY,KAAK,yBAAyB;AAAA,IAOvD;AAEA,UAAM,KAAK,QAAQ,OAAO,KAAK,iBAAiB,KAAK,UAAU,GAAG;AAGlE,SAAK,WAAW,OAAO,GAAG;AAE1B,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AAED,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ,SAAS,SAAS;AAAA,QAClB,OAAO,KAAK,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMpB,aAAa,MAAM,oBAAoB,QAAQ;AAAA,MACjD,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAM,OAAO,QAAc,QAA+B;AACxD,SAAK,mBAAmB;AAGxB,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,oBAAoB,KAAK,gBAAgB,MAAM;AAAA,IAC3D;AACA,UAAM,WAAW,MAAM,KAAK,aAAa,QAAQ;AAGjD,UAAM,WAAsB,EAAE,KAAK,QAAQ,QAAQ,SAAS,OAAO;AACnE,UAAM,cAAc,MAAM,KAAK,aAAa,UAAU,CAAC;AACvD,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAGA,QAAI,KAAK,yBAAyB;AAChC,YAAM,KAAK,wBAAwB,KAAK,gBAAgB,QAAQ,MAAM;AAAA,IACxE;AAGA,UAAM,KAAK,QAAQ,OAAO,KAAK,iBAAiB,KAAK,UAAU,MAAM;AAGrE,SAAK,WAAW,OAAO,MAAM;AAC7B,SAAK,WAAW,IAAI,QAAQ,QAAQ;AAEpC,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AACD,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AAOD,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ,SAAS,SAAS;AAAA,QAClB,OAAO,KAAK,QAAQ;AAAA,QACpB,aAAa,MAAM,oBAAoB,QAAQ;AAAA,MACjD,CAAC;AACD,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ,SAAS;AAAA,QACT,OAAO,KAAK,QAAQ;AAAA,QACpB,aAAa,MAAM,oBAAoB,WAAW;AAAA,MACpD,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAA6B;AACjC,UAAM,OAAO,MAAM,KAAK,QAAQ,KAAK,KAAK,iBAAiB,KAAK,QAAQ;AACxE,UAAM,UAAuB,CAAC;AAC9B,eAAW,OAAO,MAAM;AACtB,YAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,QAClC,KAAK;AAAA,QACL,KAAK;AAAA,QACL;AAAA,MACF;AACA,UAAI,CAAC,SAAU;AACf,YAAM,QAAQ,MAAM,KAAK,aAAa,QAAQ;AAC9C,cAAQ,KAAK,KAAK;AAElB,WAAK,WAAW,IAAI,KAAK,KAAK;AAAA,IAChC;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACA,QACA,UAC6B;AAC7B,UAAM,SAAS,MAAM,KAAK,IAAI,GAAW;AACzC,QAAI,CAAC,OAAQ,QAAO;AAGpB,QAAI,OAAO,MAAM,MAAM,OAAW,QAAO,OAAO,MAAM;AAGtD,UAAM,QAAQ,MAAM,QAAQ,QAAQ,IAAK,WAAiC,WAAW,CAAC,QAAkB,IAAI,CAAC;AAC7G,eAAW,MAAM,OAAO;AACtB,UAAI,OAAO,OAAO;AAEhB,cAAM,MAAM,OAAO,OAAO,MAAM,EAAE,CAAC;AACnC,YAAI,QAAQ,OAAW,QAAO;AAAA,MAChC,WAAW,OAAO,EAAE,MAAM,QAAW;AACnC,eAAO,OAAO,EAAE;AAAA,MAClB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/{chunk-VU7SWWT5.js → chunk-ROVO6NPJ.js}

@@ -1,7 +1,7 @@
 import {
   RecordLockedError,
   ValidationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/guards/with-guard.ts
 function withGuard(strategy) {
@@ -20,7 +20,7 @@ function recordId(record) {
   return typeof id === "string" ? id : "";
 }
 function immutableGuard(config) {
-  const { collection, after, appendOnly, amendmentRoles } = config;
+  const { collection, after, appendOnly, amendmentRoles, amendmentInvariant } = config;
   if (appendOnly && after !== void 0) {
     throw new ValidationError("immutableGuard: `after` and `appendOnly` are mutually exclusive");
   }
@@ -46,12 +46,16 @@ function immutableGuard(config) {
       }
     },
     // The authorized override: inside an amendment transaction the
-    // check/onDelete are skipped and the change is ledgered. No extra
-    // invariant — the amendment itself is the sanctioned exception.
+    // check/onDelete are skipped and the change is ledgered. By default
+    // there is no extra invariant — the amendment itself is the
+    // sanctioned exception. Callers may supply `amendmentInvariant` to
+    // keep a constraint inviolable even under amendment (e.g. forbid
+    // deletes, or preserve a cross-record sum); a throw reverts the
+    // amendment and surfaces as `InvariantError`.
     amendment: {
       roles: amendmentRoles ?? ["admin", "owner"],
-      invariant: () => {
-      }
+      invariant: amendmentInvariant ?? (() => {
+      })
     }
   };
   return withGuard(spec);
@@ -61,4 +65,4 @@ export {
   withGuard,
   immutableGuard
 };
-//# sourceMappingURL=chunk-VU7SWWT5.js.map
+//# sourceMappingURL=chunk-ROVO6NPJ.js.map

package/dist/chunk-ROVO6NPJ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/with-guard.ts","../src/guards/immutable-guard.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { GuardStrategy, GuardStrategyHandle } from './types.js'\n\n/**\n * Register a guard for a collection. Guards run on every `put()` /\n * `delete()` for the named collection (after permissions, before\n * encryption) and may:\n *\n *   - `check` — block writes by throwing (typically `RecordLockedError`)\n *   - `frozenFields` — freeze specific fields once a condition is true\n *   - `amendment` — declare an authorized-override path with invariant\n *\n * Pass the returned handle to `createNoydb({ strategies: [...] })`.\n *\n * @see docs/superpowers/specs/2026-05-18-guards-design.md\n */\nexport function withGuard<T extends Record<string, unknown>>(\n  strategy: GuardStrategy<T>,\n): GuardStrategyHandle<T> {\n  if (!strategy.collection || strategy.collection.length === 0) {\n    throw new ValidationError('withGuard: collection name is required')\n  }\n  return {\n    __noydb_strategy: 'guard',\n    spec: strategy,\n  }\n}\n","/**\n * `immutableGuard` — declarative WORM / append-only sugar over the guard\n * subsystem.\n *\n * Issued fiscal documents (invoices, DDTs) must be immutable after issue.\n * That is expressible today with a hand-rolled `withGuard` (block on\n * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is\n * repetitive and easy to get subtly wrong. `immutableGuard` generates\n * exactly that guard from a declarative config, reusing the guard\n * machinery wholesale — `check`/`onDelete` rejection, the ledgered\n * `amendment` override, and composition with `periods`/`history`.\n *\n * ```ts\n * createNoydb({ guardStrategies: [\n *   immutableGuard({\n *     collection: 'invoices',\n *     after: (r) => r.status === 'issued',   // immutable once issued\n *   }),\n * ] })\n * ```\n *\n * A record is mutable until `after(record)` holds; from then on, updates\n * and deletes throw `RecordLockedError` unless performed inside an\n * `amendment` transaction by an authorized role (the override is\n * ledgered by the guard amendment mechanism). `appendOnly: true` is\n * shorthand for `after: () => true` — immutable from creation.\n */\n\nimport { withGuard } from './with-guard.js'\nimport type { GuardStrategy, GuardStrategyHandle, GuardContext, GuardChange } from './types.js'\nimport { RecordLockedError, ValidationError } from '../errors.js'\n\nexport interface ImmutableGuardConfig<T extends Record<string, unknown>> {\n  /** The collection to make WORM. */\n  collection: string\n  /**\n   * A record becomes immutable once this predicate holds. Evaluated on\n   * the *existing* (already-persisted) record, so the write that first\n   * makes it true is still allowed; subsequent writes are blocked.\n   * Mutually exclusive with `appendOnly`.\n   */\n  after?: (record: T) => boolean\n  /** Shorthand for `after: () => true` — immutable from creation. */\n  appendOnly?: boolean\n  /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */\n  amendmentRoles?: ReadonlyArray<'admin' | 'owner'>\n  /**\n   * Optional set-level invariant run over the amendment change-set after\n   * the writes execute. Signature matches `GuardStrategy.amendment.invariant`\n   * exactly: it receives every {before, after} pair touching this\n   * collection in the amendment plus the guard context; throwing reverts\n   * the whole amendment and surfaces as `InvariantError`.\n   *\n   * Use this to keep a constraint inviolable EVEN under amendment — e.g.\n   * forbid deleting an issued document by re-throwing on any\n   * `before !== null && after === null` change, or assert a cross-record\n   * sum is preserved. When omitted the amendment is unconditionally\n   * allowed (the amendment itself is the sanctioned, ledgered override) —\n   * this is the backward-compatible default.\n   */\n  amendmentInvariant?: (\n    changes: ReadonlyArray<GuardChange<T>>,\n    ctx: GuardContext<T>,\n  ) => Promise<void> | void\n}\n\nfunction recordId(record: Record<string, unknown> | null): string {\n  const id = record?.id\n  return typeof id === 'string' ? id : ''\n}\n\n/**\n * Build an immutability guard. Pass the returned handle to\n * `createNoydb({ guardStrategies: [...] })`.\n */\nexport function immutableGuard<T extends Record<string, unknown>>(\n  config: ImmutableGuardConfig<T>,\n): GuardStrategyHandle<T> {\n  const { collection, after, appendOnly, amendmentRoles, amendmentInvariant } = config\n  if (appendOnly && after !== undefined) {\n    throw new ValidationError('immutableGuard: `after` and `appendOnly` are mutually exclusive')\n  }\n  if (!appendOnly && after === undefined) {\n    throw new ValidationError('immutableGuard: provide `after` or `appendOnly: true`')\n  }\n\n  const isImmutable: (record: T) => boolean = appendOnly ? () => true : after!\n  const reason = appendOnly ? 'append-only collection' : 'record is immutable after issue'\n\n  const spec: GuardStrategy<T> = {\n    collection,\n    // Block updates to an already-immutable record. Inserts (existing\n    // null) and the transition write that first makes the record\n    // immutable are allowed — `after` reads the prior state.\n    check: (incoming: T, ctx: GuardContext<T>) => {\n      if (ctx.existing !== null && isImmutable(ctx.existing)) {\n        throw new RecordLockedError(collection, recordId(incoming as Record<string, unknown>), reason)\n      }\n    },\n    // Block deletes of an immutable record.\n    onDelete: (existing: T) => {\n      if (isImmutable(existing)) {\n        throw new RecordLockedError(collection, recordId(existing as Record<string, unknown>), reason)\n      }\n    },\n    // The authorized override: inside an amendment transaction the\n    // check/onDelete are skipped and the change is ledgered. By default\n    // there is no extra invariant — the amendment itself is the\n    // sanctioned exception. Callers may supply `amendmentInvariant` to\n    // keep a constraint inviolable even under amendment (e.g. forbid\n    // deletes, or preserve a cross-record sum); a throw reverts the\n    // amendment and surfaces as `InvariantError`.\n    amendment: {\n      roles: amendmentRoles ?? ['admin', 'owner'],\n      invariant: amendmentInvariant ?? (() => {\n        /* allow — the amendment is the override, and is ledgered */\n      }),\n    },\n  }\n\n  return withGuard<T>(spec)\n}\n"],"mappings":";;;;;;AAgBO,SAAS,UACd,UACwB;AACxB,MAAI,CAAC,SAAS,cAAc,SAAS,WAAW,WAAW,GAAG;AAC5D,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB,MAAM;AAAA,EACR;AACF;;;ACwCA,SAAS,SAAS,QAAgD;AAChE,QAAM,KAAK,QAAQ;AACnB,SAAO,OAAO,OAAO,WAAW,KAAK;AACvC;AAMO,SAAS,eACd,QACwB;AACxB,QAAM,EAAE,YAAY,OAAO,YAAY,gBAAgB,mBAAmB,IAAI;AAC9E,MAAI,cAAc,UAAU,QAAW;AACrC,UAAM,IAAI,gBAAgB,iEAAiE;AAAA,EAC7F;AACA,MAAI,CAAC,cAAc,UAAU,QAAW;AACtC,UAAM,IAAI,gBAAgB,uDAAuD;AAAA,EACnF;AAEA,QAAM,cAAsC,aAAa,MAAM,OAAO;AACtE,QAAM,SAAS,aAAa,2BAA2B;AAEvD,QAAM,OAAyB;AAAA,IAC7B;AAAA;AAAA;AAAA;AAAA,IAIA,OAAO,CAAC,UAAa,QAAyB;AAC5C,UAAI,IAAI,aAAa,QAAQ,YAAY,IAAI,QAAQ,GAAG;AACtD,cAAM,IAAI,kBAAkB,YAAY,SAAS,QAAmC,GAAG,MAAM;AAAA,MAC/F;AAAA,IACF;AAAA;AAAA,IAEA,UAAU,CAAC,aAAgB;AACzB,UAAI,YAAY,QAAQ,GAAG;AACzB,cAAM,IAAI,kBAAkB,YAAY,SAAS,QAAmC,GAAG,MAAM;AAAA,MAC/F;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,WAAW;AAAA,MACT,OAAO,kBAAkB,CAAC,SAAS,OAAO;AAAA,MAC1C,WAAW,uBAAuB,MAAM;AAAA,MAExC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,UAAa,IAAI;AAC1B;","names":[]}

package/dist/{chunk-6RR3MNMG.js → chunk-SHX5QBCI.js}

@@ -4,13 +4,13 @@ import {
 import {
   base64ToBuffer,
   bufferToBase64
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   SessionExpiredError,
   SessionNotFoundError,
   SessionPolicyError,
   ValidationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/session/session.ts
 var subtle = globalThis.crypto.subtle;
@@ -364,4 +364,4 @@ export {
   clearDevUnlock,
   isDevUnlockActive
 };
-//# sourceMappingURL=chunk-6RR3MNMG.js.map
+//# sourceMappingURL=chunk-SHX5QBCI.js.map

package/dist/{chunk-GC4V7RU7.js → chunk-SISBMAPO.js}

@@ -14,4 +14,4 @@ export {
   NOYDB_SYNC_VERSION,
   createStore
 };
-//# sourceMappingURL=chunk-GC4V7RU7.js.map
+//# sourceMappingURL=chunk-SISBMAPO.js.map