@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.17

package/dist/chunk-I5IUYN7B.js

@@ -0,0 +1,125 @@
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-SISBMAPO.js";
+import {
+  decrypt,
+  encrypt
+} from "./chunk-UNTGHX5A.js";
+
+// src/forget/strategy.ts
+var NO_FORGET = { subjects: {} };
+function withForgetCascade(opts) {
+  return { subjects: { ...opts.subjects } };
+}
+
+// src/forget/subject-index.ts
+var SUBJECT_INDEX_COLLECTION = "_subject_index";
+async function sha256HexString(input) {
+  const bytes = new TextEncoder().encode(input);
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+  return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function subjectKey(subjectId) {
+  return sha256HexString(subjectId);
+}
+async function readRefs(adapter, vault, getDEK, encrypted, key) {
+  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key);
+  if (!env || !env._data) return [];
+  if (!encrypted) return JSON.parse(env._data);
+  const dek = await getDEK(SUBJECT_INDEX_COLLECTION);
+  const json = await decrypt(env._iv, env._data, dek);
+  return JSON.parse(json);
+}
+async function writeRefs(adapter, vault, getDEK, encrypted, key, refs) {
+  const json = JSON.stringify(refs);
+  let env;
+  if (!encrypted) {
+    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: (/* @__PURE__ */ new Date()).toISOString(), _iv: "", _data: json };
+  } else {
+    const dek = await getDEK(SUBJECT_INDEX_COLLECTION);
+    const { iv, data } = await encrypt(json, dek);
+    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: (/* @__PURE__ */ new Date()).toISOString(), _iv: iv, _data: data };
+  }
+  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env);
+}
+async function addSubjectRef(adapter, vault, getDEK, encrypted, subjectId, ref) {
+  const key = await subjectKey(subjectId);
+  const refs = await readRefs(adapter, vault, getDEK, encrypted, key);
+  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return;
+  refs.push(ref);
+  await writeRefs(adapter, vault, getDEK, encrypted, key, refs);
+}
+async function removeSubjectRef(adapter, vault, getDEK, encrypted, subjectId, ref) {
+  const key = await subjectKey(subjectId);
+  const refs = await readRefs(adapter, vault, getDEK, encrypted, key);
+  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id));
+  if (next.length === refs.length) return;
+  if (next.length === 0) {
+    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key);
+    return;
+  }
+  await writeRefs(adapter, vault, getDEK, encrypted, key, next);
+}
+async function lookupSubject(adapter, vault, getDEK, encrypted, subjectId) {
+  const key = await subjectKey(subjectId);
+  return readRefs(adapter, vault, getDEK, encrypted, key);
+}
+async function rebuildSubjectIndex(adapter, vault, getDEK, encrypted, subjects, decodeRecord) {
+  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION);
+  for (const k of existing) {
+    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k);
+  }
+  const bySubject = /* @__PURE__ */ new Map();
+  for (const [collection, field] of Object.entries(subjects)) {
+    const ids = await adapter.list(vault, collection);
+    for (const id of ids) {
+      if (id.startsWith("_")) continue;
+      const env = await adapter.get(vault, collection, id);
+      if (!env || !env._data) continue;
+      const record = await decodeRecord(collection, id, env);
+      if (record === null) continue;
+      const subjectValue = readDottedPath(record, field);
+      if (subjectValue === void 0 || subjectValue === null) continue;
+      const subjectId = coerceSubjectId(subjectValue);
+      const list = bySubject.get(subjectId) ?? [];
+      list.push({ collection, id });
+      bySubject.set(subjectId, list);
+    }
+  }
+  let entries = 0;
+  for (const [subjectId, refs] of bySubject) {
+    const key = await subjectKey(subjectId);
+    await writeRefs(adapter, vault, getDEK, encrypted, key, refs);
+    entries++;
+  }
+  return entries;
+}
+function coerceSubjectId(value) {
+  if (typeof value === "string") return value;
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function readDottedPath(record, field) {
+  if (!field.includes(".")) return record[field];
+  let cursor = record;
+  for (const segment of field.split(".")) {
+    if (cursor === null || cursor === void 0) return void 0;
+    cursor = cursor[segment];
+  }
+  return cursor;
+}
+
+export {
+  NO_FORGET,
+  withForgetCascade,
+  SUBJECT_INDEX_COLLECTION,
+  addSubjectRef,
+  removeSubjectRef,
+  lookupSubject,
+  rebuildSubjectIndex,
+  coerceSubjectId,
+  readDottedPath
+};
+//# sourceMappingURL=chunk-I5IUYN7B.js.map

package/dist/chunk-I5IUYN7B.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/forget/strategy.ts","../src/forget/subject-index.ts"],"sourcesContent":["/**\n * `withForgetCascade` — declaration surface for GDPR right-to-erasure via\n * per-record CEK crypto-shred (#304, step 2 of the CEK security epic).\n *\n * This file holds only the *declaration* shape and the disabled sentinel.\n * The actual erasure machinery lives in:\n *   - `subject-index.ts` — the encrypted `_subject_index` reserved collection\n *   - `vault.ts` `forget()` — the per-record tombstone + ledger flow\n *   - `collection.ts` `_writeTombstone` — the envelope rewrite\n *\n * A `ForgetStrategy` declares which collections carry erasable subject data\n * and the (dotted-path) field on each record that names the data subject.\n * Declaring a collection here ALSO forces `perRecordKeys: true` for it (a\n * shred can only erase a record whose body is keyed off a per-record CEK),\n * so adopters opt into the CEK foundation transitively.\n *\n * @module\n */\nimport type { LedgerEntry } from '../history/ledger/entry.js'\n\n/**\n * User-supplied declaration passed to {@link withForgetCascade}. Maps a\n * collection name to the record field (dotted path supported, e.g.\n * `'billing.buyerId'`) that identifies the data subject for erasure.\n *\n * ```ts\n * withForgetCascade({ subjects: { invoices: 'buyerId', contacts: 'id' } })\n * ```\n */\nexport interface SubjectDeclaration {\n  readonly subjects: Record<string, string>\n}\n\n/**\n * Resolved forget strategy threaded through Noydb → every Vault. Carries\n * the same `subjects` map the user declared. `NO_FORGET` (empty map) is the\n * off-by-default sentinel; `vault.forget()` throws\n * `ForgetStrategyNotConfiguredError` when the map is empty.\n */\nexport interface ForgetStrategy {\n  /** Collection → subject-field (dotted path). Empty under `NO_FORGET`. */\n  readonly subjects: Readonly<Record<string, string>>\n}\n\n/**\n * Disabled sentinel — no collections declare a subject field. `vault.forget()`\n * refuses with `ForgetStrategyNotConfiguredError`; no write hooks register; no\n * collection is forced into `perRecordKeys`. Non-adopters pay nothing.\n */\nexport const NO_FORGET: ForgetStrategy = { subjects: {} }\n\n/**\n * Declare GDPR crypto-shred for one or more collections.\n *\n * Each declared collection is forced to `perRecordKeys: true` (a shred can\n * only guarantee erasure of a record whose body is keyed off a per-record\n * CEK). On write, Noydb extracts `record[subjectField]` and maintains an\n * encrypted `_subject_index` mapping `subject → [{collection, id}]`, so\n * `vault.forget(subjectId)` can find every record for a subject and rewrite\n * each to a tombstone (body + history permanently undecryptable) while the\n * collection DEK and every other record stay intact.\n *\n * @example\n * ```ts\n * createNoydb({\n *   secret, user,\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await vault.forget('buyer-123')\n * // → { subject, recordsShredded, historyVersionsShredded, collections, … }\n * ```\n */\nexport function withForgetCascade(opts: SubjectDeclaration): ForgetStrategy {\n  return { subjects: { ...opts.subjects } }\n}\n\n/**\n * The outcome of a `vault.forget(subjectId)` call.\n *\n * `unmigratedRecords` lists `collection:id` pairs that were tombstoned but\n * whose body had NOT been migrated to a per-record CEK at shred time (legacy\n * body still under the shared collection DEK). Those records are tombstoned\n * (live envelope + history stripped) but their pre-shred ciphertext, if it\n * leaked into a backup before migration, remains decryptable under the\n * collection DEK — so erasure-completeness is NOT guaranteed for them. Run\n * the per-record-CEK migration pass, then re-forget, to close the gap.\n *\n * Blob attachments (#365): a shredded record's **erasable** blobs (on a\n * `perRecordKeys` collection) are crypto-shredded inline — `blobsShredded`\n * counts those taken to refCount 0 (BlobObject deleted → chunks permanently\n * undecryptable), `blobsRetainedShared` counts those still referenced by\n * another record (shared content legitimately persists for its other owner).\n * `blobResidueCollections` now lists only collections with blobs that could\n * NOT be crypto-shredded: **legacy** blobs (no per-blob `_cek`, chunks under\n * the shared `_blob` DEK — migrate them), or a session without the blob\n * subsystem loaded. An all-erasable subject yields an empty residue list.\n */\nexport interface ForgetResult {\n  /** The subject id passed to `forget()`. Echoed for caller convenience. */\n  readonly subject: string\n  /** Count of live records rewritten to a tombstone. */\n  readonly recordsShredded: number\n  /** Count of `_history` envelopes tombstoned across all shredded records. */\n  readonly historyVersionsShredded: number\n  /** Distinct collections that had at least one record shredded. */\n  readonly collections: readonly string[]\n  /** `collection:id` pairs shredded while still un-migrated (see type docs). */\n  readonly unmigratedRecords: readonly string[]\n  /** Count of erasable blobs crypto-shredded (refCount → 0, BlobObject deleted). */\n  readonly blobsShredded: number\n  /** Count of erasable blobs retained because still referenced elsewhere (shared). */\n  readonly blobsRetainedShared: number\n  /** Collections with blobs that could NOT be crypto-shredded — legacy (no `_cek`) or blobs disabled (see type docs). */\n  readonly blobResidueCollections: readonly string[]\n  /** The single `op:'forget'` ledger entry appended for this erasure. */\n  readonly ledgerEntry: LedgerEntry\n}\n","/**\n * The encrypted subject index (#304).\n *\n * GDPR crypto-shred needs to answer \"which records belong to data subject\n * X?\" portably (the index must travel with the vault/bundle) WITHOUT leaking\n * subject-equivalence to the store. The rejected alternative — an unencrypted\n * subject tag in envelope metadata — would let anyone with store access see\n * which records share a subject. Instead we keep a reserved `_subject_index`\n * collection, encrypted under its OWN DEK (`getDEK('_subject_index')`):\n *\n *   - record id  = `sha256Hex(subjectId)` — the raw subject id never appears\n *     as a key, so the store can't correlate index entries to a known subject.\n *   - record body = AES-GCM(JSON `[{ collection, id }]`) under the index DEK.\n *\n * ## Concurrency (RISK #3 — known v1 limitation)\n *\n * `addSubjectRef` / `removeSubjectRef` are read-modify-write with no CAS. The\n * design assumes a SINGLE WRITER (the noy-db single-process write model). Two\n * concurrent writers racing on the SAME subject can lose an entry (last-write\n * wins on the ref list). This is documented, not fixed in v1:\n * `rebuildSubjectIndex` performs a full scan to recover a correct index from\n * the canonical records, so a lost ref is recoverable. A CAS-backed index is\n * deferred to a later slice.\n *\n * @module\n */\nimport { encrypt, decrypt } from '../crypto.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/** Reserved collection holding the encrypted subject → records index. */\nexport const SUBJECT_INDEX_COLLECTION = '_subject_index'\n\n/** A single record reference held in a subject's index entry. */\nexport interface SubjectRef {\n  readonly collection: string\n  readonly id: string\n}\n\ntype GetDEK = (collectionName: string) => Promise<CryptoKey>\n\n/** SHA-256 hex of a UTF-8 string. The subject-index record key derivation. */\nasync function sha256HexString(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/** Stable subject-index record id for a subject id. */\nexport async function subjectKey(subjectId: string): Promise<string> {\n  return sha256HexString(subjectId)\n}\n\n/** Read + decrypt the ref list for a subject. Returns `[]` when absent. */\nasync function readRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n): Promise<SubjectRef[]> {\n  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key)\n  if (!env || !env._data) return []\n  if (!encrypted) return JSON.parse(env._data) as SubjectRef[]\n  const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n  const json = await decrypt(env._iv, env._data, dek)\n  return JSON.parse(json) as SubjectRef[]\n}\n\n/** Encrypt + write a ref list for a subject under its derived key. */\nasync function writeRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n  refs: SubjectRef[],\n): Promise<void> {\n  const json = JSON.stringify(refs)\n  let env: EncryptedEnvelope\n  if (!encrypted) {\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: '', _data: json }\n  } else {\n    const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: iv, _data: data }\n  }\n  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env)\n}\n\n/**\n * Add a `{ collection, id }` ref to a subject's index entry (idempotent —\n * a duplicate ref is not appended). Read-modify-write; see the concurrency\n * note in the module docstring.\n */\nexport async function addSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return\n  refs.push(ref)\n  await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n}\n\n/**\n * Remove a `{ collection, id }` ref from a subject's index entry. When the\n * last ref is removed the (now empty) entry is deleted so the store holds no\n * residual key for an erased subject.\n */\nexport async function removeSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id))\n  if (next.length === refs.length) return\n  if (next.length === 0) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key)\n    return\n  }\n  await writeRefs(adapter, vault, getDEK, encrypted, key, next)\n}\n\n/** Look up every record ref for a subject. Returns `[]` when none exist. */\nexport async function lookupSubject(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n): Promise<SubjectRef[]> {\n  const key = await subjectKey(subjectId)\n  return readRefs(adapter, vault, getDEK, encrypted, key)\n}\n\n/**\n * Rebuild the entire subject index from the canonical records (the recovery\n * path for the documented read-modify-write race). Scans each declared\n * collection, reads `record[subjectField]` (dotted path), and rewrites the\n * index from scratch. Tombstoned (already-shredded) records contribute no\n * ref — their body is gone, so they cannot be re-indexed.\n *\n * `decodeRecord` decrypts an envelope to a plain object (or returns null for\n * a tombstone / unreadable record); supplied by the caller so this module\n * stays free of Collection internals.\n */\nexport async function rebuildSubjectIndex(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjects: Readonly<Record<string, string>>,\n  decodeRecord: (collection: string, id: string, env: EncryptedEnvelope) => Promise<Record<string, unknown> | null>,\n): Promise<number> {\n  // Drop every existing index entry first so removed refs don't linger.\n  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION)\n  for (const k of existing) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k)\n  }\n\n  // subjectId → refs, accumulated across all declared collections.\n  const bySubject = new Map<string, SubjectRef[]>()\n  for (const [collection, field] of Object.entries(subjects)) {\n    const ids = await adapter.list(vault, collection)\n    for (const id of ids) {\n      if (id.startsWith('_')) continue\n      const env = await adapter.get(vault, collection, id)\n      if (!env || !env._data) continue // missing or tombstone\n      const record = await decodeRecord(collection, id, env)\n      if (record === null) continue\n      const subjectValue = readDottedPath(record, field)\n      if (subjectValue === undefined || subjectValue === null) continue\n      const subjectId = coerceSubjectId(subjectValue)\n      const list = bySubject.get(subjectId) ?? []\n      list.push({ collection, id })\n      bySubject.set(subjectId, list)\n    }\n  }\n\n  let entries = 0\n  for (const [subjectId, refs] of bySubject) {\n    const key = await subjectKey(subjectId)\n    await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n    entries++\n  }\n  return entries\n}\n\n/**\n * Coerce a read subject-field value to a stable string id. Primitives use\n * their natural string form; objects/arrays are JSON-stringified so structural\n * subjects still get a deterministic key (avoids the `[object Object]` trap).\n */\nexport function coerceSubjectId(value: unknown): string {\n  if (typeof value === 'string') return value\n  if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {\n    return String(value)\n  }\n  return JSON.stringify(value)\n}\n\n/** Read a (possibly dotted) field path from a plain record. */\nexport function readDottedPath(record: Record<string, unknown>, field: string): unknown {\n  if (!field.includes('.')) return record[field]\n  let cursor: unknown = record\n  for (const segment of field.split('.')) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n"],"mappings":";;;;;;;;;AAiDO,IAAM,YAA4B,EAAE,UAAU,CAAC,EAAE;AAuBjD,SAAS,kBAAkB,MAA0C;AAC1E,SAAO,EAAE,UAAU,EAAE,GAAG,KAAK,SAAS,EAAE;AAC1C;;;AC3CO,IAAM,2BAA2B;AAWxC,eAAe,gBAAgB,OAAgC;AAC7D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,MAAM,KAAK,IAAI,WAAW,MAAM,CAAC,EACrC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAGA,eAAsB,WAAW,WAAoC;AACnE,SAAO,gBAAgB,SAAS;AAClC;AAGA,eAAe,SACb,SACA,OACA,QACA,WACA,KACuB;AACvB,QAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,0BAA0B,GAAG;AAClE,MAAI,CAAC,OAAO,CAAC,IAAI,MAAO,QAAO,CAAC;AAChC,MAAI,CAAC,UAAW,QAAO,KAAK,MAAM,IAAI,KAAK;AAC3C,QAAM,MAAM,MAAM,OAAO,wBAAwB;AACjD,QAAM,OAAO,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,GAAG;AAClD,SAAO,KAAK,MAAM,IAAI;AACxB;AAGA,eAAe,UACb,SACA,OACA,QACA,WACA,KACA,MACe;AACf,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,MAAI;AACJ,MAAI,CAAC,WAAW;AACd,UAAM,EAAE,QAAQ,sBAAsB,IAAI,GAAG,MAAK,oBAAI,KAAK,GAAE,YAAY,GAAG,KAAK,IAAI,OAAO,KAAK;AAAA,EACnG,OAAO;AACL,UAAM,MAAM,MAAM,OAAO,wBAAwB;AACjD,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,UAAM,EAAE,QAAQ,sBAAsB,IAAI,GAAG,MAAK,oBAAI,KAAK,GAAE,YAAY,GAAG,KAAK,IAAI,OAAO,KAAK;AAAA,EACnG;AACA,QAAM,QAAQ,IAAI,OAAO,0BAA0B,KAAK,GAAG;AAC7D;AAOA,eAAsB,cACpB,SACA,OACA,QACA,WACA,WACA,KACe;AACf,QAAM,MAAM,MAAM,WAAW,SAAS;AACtC,QAAM,OAAO,MAAM,SAAS,SAAS,OAAO,QAAQ,WAAW,GAAG;AAClE,MAAI,KAAK,KAAK,CAAC,MAAM,EAAE,eAAe,IAAI,cAAc,EAAE,OAAO,IAAI,EAAE,EAAG;AAC1E,OAAK,KAAK,GAAG;AACb,QAAM,UAAU,SAAS,OAAO,QAAQ,WAAW,KAAK,IAAI;AAC9D;AAOA,eAAsB,iBACpB,SACA,OACA,QACA,WACA,WACA,KACe;AACf,QAAM,MAAM,MAAM,WAAW,SAAS;AACtC,QAAM,OAAO,MAAM,SAAS,SAAS,OAAO,QAAQ,WAAW,GAAG;AAClE,QAAM,OAAO,KAAK,OAAO,CAAC,MAAM,EAAE,EAAE,eAAe,IAAI,cAAc,EAAE,OAAO,IAAI,GAAG;AACrF,MAAI,KAAK,WAAW,KAAK,OAAQ;AACjC,MAAI,KAAK,WAAW,GAAG;AACrB,UAAM,QAAQ,OAAO,OAAO,0BAA0B,GAAG;AACzD;AAAA,EACF;AACA,QAAM,UAAU,SAAS,OAAO,QAAQ,WAAW,KAAK,IAAI;AAC9D;AAGA,eAAsB,cACpB,SACA,OACA,QACA,WACA,WACuB;AACvB,QAAM,MAAM,MAAM,WAAW,SAAS;AACtC,SAAO,SAAS,SAAS,OAAO,QAAQ,WAAW,GAAG;AACxD;AAaA,eAAsB,oBACpB,SACA,OACA,QACA,WACA,UACA,cACiB;AAEjB,QAAM,WAAW,MAAM,QAAQ,KAAK,OAAO,wBAAwB;AACnE,aAAW,KAAK,UAAU;AACxB,UAAM,QAAQ,OAAO,OAAO,0BAA0B,CAAC;AAAA,EACzD;AAGA,QAAM,YAAY,oBAAI,IAA0B;AAChD,aAAW,CAAC,YAAY,KAAK,KAAK,OAAO,QAAQ,QAAQ,GAAG;AAC1D,UAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,eAAW,MAAM,KAAK;AACpB,UAAI,GAAG,WAAW,GAAG,EAAG;AACxB,YAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,YAAY,EAAE;AACnD,UAAI,CAAC,OAAO,CAAC,IAAI,MAAO;AACxB,YAAM,SAAS,MAAM,aAAa,YAAY,IAAI,GAAG;AACrD,UAAI,WAAW,KAAM;AACrB,YAAM,eAAe,eAAe,QAAQ,KAAK;AACjD,UAAI,iBAAiB,UAAa,iBAAiB,KAAM;AACzD,YAAM,YAAY,gBAAgB,YAAY;AAC9C,YAAM,OAAO,UAAU,IAAI,SAAS,KAAK,CAAC;AAC1C,WAAK,KAAK,EAAE,YAAY,GAAG,CAAC;AAC5B,gBAAU,IAAI,WAAW,IAAI;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI,UAAU;AACd,aAAW,CAAC,WAAW,IAAI,KAAK,WAAW;AACzC,UAAM,MAAM,MAAM,WAAW,SAAS;AACtC,UAAM,UAAU,SAAS,OAAO,QAAQ,WAAW,KAAK,IAAI;AAC5D;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,gBAAgB,OAAwB;AACtD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,YAAY,OAAO,UAAU,aAAa,OAAO,UAAU,UAAU;AACxF,WAAO,OAAO,KAAK;AAAA,EACrB;AACA,SAAO,KAAK,UAAU,KAAK;AAC7B;AAGO,SAAS,eAAe,QAAiC,OAAwB;AACtF,MAAI,CAAC,MAAM,SAAS,GAAG,EAAG,QAAO,OAAO,KAAK;AAC7C,MAAI,SAAkB;AACtB,aAAW,WAAW,MAAM,MAAM,GAAG,GAAG;AACtC,QAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,aAAU,OAAmC,OAAO;AAAA,EACtD;AACA,SAAO;AACT;","names":[]}

package/dist/{chunk-CJORTUJ2.js → chunk-J7RWBXFY.js}

@@ -1,6 +1,6 @@
 import {
   NoydbError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/money/iso4217.ts
 var MINOR_UNITS = {
@@ -521,4 +521,4 @@ export {
   evaluateClause,
   hasFnClause
 };
-//# sourceMappingURL=chunk-CJORTUJ2.js.map
+//# sourceMappingURL=chunk-J7RWBXFY.js.map

package/dist/{chunk-AAVWKNZW.js → chunk-JDWE6JMX.js}

@@ -1,6 +1,6 @@
 import {
   ScriptViolationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/i18n/script.ts
 var LATIN_BASE = /* @__PURE__ */ new Set([
@@ -136,4 +136,4 @@ export {
   inferScripts,
   enforceScript
 };
-//# sourceMappingURL=chunk-AAVWKNZW.js.map
+//# sourceMappingURL=chunk-JDWE6JMX.js.map

package/dist/{chunk-XL35NSEN.js → chunk-KCEHMDZF.js}

@@ -1,9 +1,9 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-F3BPIPLS.js";
+} from "./chunk-SISBMAPO.js";
 import {
   encrypt
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 
 // src/blobs/export-blobs.ts
 var ExportBlobsAbortedError = class extends Error {
@@ -258,4 +258,4 @@ export {
   BLOB_EVICTION_AUDIT_COLLECTION,
   runCompaction
 };
-//# sourceMappingURL=chunk-XL35NSEN.js.map
+//# sourceMappingURL=chunk-KCEHMDZF.js.map

package/dist/{chunk-TS26M2SB.js → chunk-M476FOQ7.js}

@@ -2,7 +2,7 @@ import {
   OverlayBaseIsVirtualError,
   OverlayCollectionUnavailableError,
   OverlayNameCollisionError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/overlay-views/registry.ts
 var OverlayedViewRegistry = class {
@@ -68,4 +68,4 @@ var OverlayedViewRegistry = class {
 export {
   OverlayedViewRegistry
 };
-//# sourceMappingURL=chunk-TS26M2SB.js.map
+//# sourceMappingURL=chunk-M476FOQ7.js.map

package/dist/{chunk-F4OJZIWQ.js → chunk-NBBMMJ2H.js}

@@ -1,6 +1,6 @@
 import {
   dekKey
-} from "./chunk-4TBBMHVC.js";
+} from "./chunk-5LIROIDM.js";
 import {
   generateULID
 } from "./chunk-FZU343FL.js";
@@ -9,10 +9,10 @@ import {
   encrypt,
   unwrapKey,
   wrapKey
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   DelegationTargetMissingError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/team/delegation.ts
 var DELEGATIONS_COLLECTION = "_delegations";
@@ -94,4 +94,4 @@ export {
   loadActiveDelegations,
   revokeDelegation
 };
-//# sourceMappingURL=chunk-F4OJZIWQ.js.map
+//# sourceMappingURL=chunk-NBBMMJ2H.js.map

package/dist/{chunk-CZI2A4MQ.js → chunk-NYSYPFXJ.js}

@@ -1,10 +1,10 @@
 import {
   evaluateClause,
   readPath
-} from "./chunk-CJORTUJ2.js";
+} from "./chunk-J7RWBXFY.js";
 import {
   IndexRequiredError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/indexing/persisted-indexes.ts
 var IDX_PREFIX = "_idx/";
@@ -427,4 +427,4 @@ export {
   PersistedCollectionIndex,
   LazyQuery
 };
-//# sourceMappingURL=chunk-CZI2A4MQ.js.map
+//# sourceMappingURL=chunk-NYSYPFXJ.js.map

package/dist/{chunk-OQSRJG6A.js → chunk-PDULVIBY.js}

@@ -1,6 +1,6 @@
 import {
   ValidationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/derivations/with-derivation.ts
 function withDerivation(spec) {
@@ -60,4 +60,4 @@ function withDerivation(spec) {
 export {
   withDerivation
 };
-//# sourceMappingURL=chunk-OQSRJG6A.js.map
+//# sourceMappingURL=chunk-PDULVIBY.js.map

package/dist/{chunk-Z6FNBOTC.js → chunk-PDVP3C2I.js}

@@ -69,4 +69,4 @@ export {
   parseIndex,
   envelopePayloadHash
 };
-//# sourceMappingURL=chunk-Z6FNBOTC.js.map
+//# sourceMappingURL=chunk-PDVP3C2I.js.map

package/dist/{chunk-Z6FNBOTC.js.map → chunk-PDVP3C2I.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/history/ledger/entry.ts","../src/history/ledger/hash.ts"],"sourcesContent":["/**\n * Ledger entry shape + canonical JSON + sha256 helpers.\n *\n * This file holds the PURE primitives used by the hash-chained ledger:\n * the entry type, the deterministic (sort-stable) JSON encoder, and\n * the sha256 hasher that produces `prevHash` and `ledger.head()`.\n *\n * Everything here is validator-free and side-effect free — the only\n * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,\n * which we already use for every other hashing operation in the core.\n *\n * The hash chain property works like this:\n *\n *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))\n *   entry[i+1].prevHash  = hash(entry[i])\n *\n * Any modification to `entry[i]` (field values, field order, whitespace)\n * produces a different `hash(entry[i])`, which means `entry[i+1]`'s\n * stored `prevHash` no longer matches the recomputed hash, which means\n * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is\n * append-only and tamper-evident without external anchoring.\n */\n\n/**\n * A single ledger entry in its plaintext form — what gets serialized,\n * hashed, and then encrypted with the ledger DEK before being written\n * to the `_ledger/` adapter collection.\n *\n * ## Why hash the ciphertext, not the plaintext?\n *\n * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,\n * not its plaintext. This matters:\n *\n *   1. **Zero-knowledge preserved.** A user (or a third party) can\n *      verify the ledger against the stored envelopes without any\n *      decryption keys. The adapter layer already holds only\n *      ciphertext, so hashing the ciphertext keeps the ledger at the\n *      same privacy level as the adapter.\n *\n *   2. **Determinism.** Plaintext → ciphertext is randomized by the\n *      fresh per-write IV, so `hash(plaintext)` would need extra\n *      normalization. `hash(ciphertext)` is already deterministic and\n *      unique per write.\n *\n *   3. **Detection property.** If an attacker modifies even one byte of\n *      the stored ciphertext (trying to flip a record), the hash\n *      changes, the ledger's recorded `payloadHash` no longer matches,\n *      and a data-integrity check fails. We don't do that check in\n *      `verify()` today, but the\n *      hook is there for a future `verifyIntegrity()` follow-up.\n *\n * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are\n * plaintext METADATA about the operation — NOT the record itself. The\n * entry is still encrypted at rest via the ledger DEK, but adapters\n * could theoretically infer operation patterns from the sizes and\n * timestamps. This is an accepted trade-off for the tamper-evidence\n * property; full ORAM-level privacy is out of scope for noy-db.\n */\nexport interface LedgerEntry {\n  /**\n   * Zero-based sequential position of this entry in the chain. The\n   * canonical adapter key is this number zero-padded to 10 digits\n   * (`\"0000000001\"`) so lexicographic ordering matches numeric order.\n   */\n  readonly index: number\n\n  /**\n   * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.\n   * The genesis entry (index 0) has `prevHash === ''` — the first\n   * entry in a fresh vault has nothing to point back to.\n   */\n  readonly prevHash: string\n\n  /**\n   * Which kind of mutation this entry records. only supports\n   * data operations (`put`, `delete`, `amendment`). Access-control\n   * operations (`grant`, `revoke`, `rotate`) will be added in a\n   * follow-up once the keyring write path is instrumented — that's\n   * tracked in the epic issue.\n   *\n   * `'amendment'` is the multi-record audit entry written by the\n   * guards subsystem when an admin/owner uses `withTransactions(...)`\n   * to repair a constraint-violating state. See `amendment` field\n   * below for the structured payload.\n   *\n   * `'lifecycle'` records a non-data audit event (e.g. partition\n   * handover) — `collection`/`id` are empty and the event detail\n   * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like\n   * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`\n   * skips it in the data cross-check (it still participates in the\n   * tamper-evident chain).\n   */\n  readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration'\n\n  /** The collection the mutation targeted. */\n  readonly collection: string\n\n  /** The record id the mutation targeted. */\n  readonly id: string\n\n  /**\n   * The record version AFTER this mutation. For `put` this is the\n   * newly assigned version; for `delete` this is the version that\n   * was deleted (the last version visible to reads).\n   */\n  readonly version: number\n\n  /** ISO timestamp of the mutation. */\n  readonly ts: string\n\n  /** User id of the actor who performed the mutation. */\n  readonly actor: string\n\n  /**\n   * Hex-encoded sha256 of the encrypted envelope's `_data` field.\n   * For `put`, this is the hash of the new ciphertext. For `delete`,\n   * it's the hash of the last visible ciphertext at deletion time,\n   * or the empty string if nothing was there to delete. Hashing the\n   * ciphertext (not the plaintext) preserves zero-knowledge — see\n   * the file docstring.\n   */\n  readonly payloadHash: string\n\n  /**\n   * Optional human-readable tag describing why this mutation happened.\n   * Threaded through `collection.put(_, _, { reason })`. Common\n   * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from\n   * `as-*` ImportPlan.apply(), but consumers can use any string for\n   * domain-specific audit filtering. Auto-strip via `canonicalJson` —\n   * absent on the wire, never serialized as `null`.\n   *\n   * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.\n   */\n  readonly reason?: string\n\n  /**\n   * Optional hex-encoded sha256 of the encrypted JSON Patch delta\n   * blob stored alongside this entry in `_ledger_deltas/`. Present\n   * only for `put` operations that had a previous version — the\n   * genesis put of a new record, and every `delete`, leave this\n   * field undefined.\n   *\n   * The delta payload itself lives in a sibling internal collection\n   * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the\n   * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and\n   * deserialize it when reconstructing a historical version.\n   *\n   * Why optional instead of always-present: the first put of a\n   * record has no previous version to diff against, so storing an\n   * empty patch would be noise. For deletes there's no \"next\" state\n   * to describe with a delta. Both cases set this field to undefined.\n   *\n   * Note: the canonical-JSON hasher treats `undefined` as invalid\n   * (it's one of the guard rails), so on the wire this field is\n   * either `{ deltaHash: '<hex>' }` or absent from the JSON\n   * entirely — never `{ deltaHash: undefined }`.\n   */\n  readonly deltaHash?: string\n\n  /**\n   * Present only when `op === 'amendment'`. Records the human reason,\n   * the role of the actor, the (collection, id, vBefore, vAfter) tuple\n   * for every record touched, and which guard invariants passed.\n   *\n   * See docs/superpowers/specs/2026-05-18-guards-design.md.\n   */\n  readonly amendment?: {\n    readonly reason: string\n    readonly role: 'admin' | 'owner'\n    readonly changes: ReadonlyArray<{\n      readonly collection: string\n      readonly id: string\n      readonly vBefore: number\n      readonly vAfter: number\n    }>\n    readonly invariantsPassed: ReadonlyArray<string>\n  }\n}\n\n/**\n * Canonical (sort-stable) JSON encoder.\n *\n * This function is the load-bearing primitive of the hash chain:\n * `sha256(canonicalJSON(entry))` must produce the same hex string\n * every time, on every machine, for the same logical entry — otherwise\n * `verify()` would return `{ ok: false }` on cross-platform reads.\n *\n * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:\n * it preserves the insertion order of object keys, which means\n * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by\n * recursively walking objects and sorting their keys before\n * concatenation.\n *\n * Arrays keep their original order (reordering them would change\n * semantics). Numbers, strings, booleans, and `null` use the default\n * JSON encoding. `undefined` and functions are rejected — ledger\n * entries are plain data, and silently dropping `undefined` would\n * break the \"same input → same hash\" property if a caller forgot to\n * omit a field.\n *\n * Performance: one pass per nesting level; O(n log n) for key sorting\n * at each object. Entries are small (< 1 KB) so this is negligible\n * compared to the sha256 call.\n */\nexport function canonicalJson(value: unknown): string {\n  if (value === null) return 'null'\n  if (typeof value === 'boolean') return value ? 'true' : 'false'\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(\n        `canonicalJson: refusing to encode non-finite number ${String(value)}`,\n      )\n    }\n    return JSON.stringify(value)\n  }\n  if (typeof value === 'string') return JSON.stringify(value)\n  if (typeof value === 'bigint') {\n    throw new Error('canonicalJson: BigInt is not JSON-serializable')\n  }\n  if (typeof value === 'undefined' || typeof value === 'function') {\n    throw new Error(\n      `canonicalJson: refusing to encode ${typeof value} — include all fields explicitly`,\n    )\n  }\n  if (Array.isArray(value)) {\n    return '[' + value.map((v) => canonicalJson(v)).join(',') + ']'\n  }\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>\n    const keys = Object.keys(obj).sort()\n    const parts: string[] = []\n    for (const key of keys) {\n      parts.push(JSON.stringify(key) + ':' + canonicalJson(obj[key]))\n    }\n    return '{' + parts.join(',') + '}'\n  }\n  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`)\n}\n\n/**\n * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.\n *\n * We use hex (not base64) for hashes because hex is case-insensitive,\n * fixed-length (64 chars), and easier to compare visually in debug\n * output. Base64 would save a few bytes in storage but every encrypted\n * ledger entry is already much larger than the hash itself.\n */\nexport async function sha256Hex(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return bytesToHex(new Uint8Array(digest))\n}\n\n/**\n * Compute the canonical hash of a ledger entry. Short wrapper around\n * `canonicalJson` + `sha256Hex`; callers use this instead of composing\n * the two functions every time, so any future change to the hashing\n * pipeline (e.g., adding a domain-separation prefix) lives in one place.\n */\nexport async function hashEntry(entry: LedgerEntry): Promise<string> {\n  return sha256Hex(canonicalJson(entry))\n}\n\n/** Convert a Uint8Array to a lowercase hex string. */\nfunction bytesToHex(bytes: Uint8Array): string {\n  const hex = new Array<string>(bytes.length)\n  for (let i = 0; i < bytes.length; i++) {\n    // Non-null assertion: indexing a Uint8Array within bounds always\n    // returns a number, but the compiler's noUncheckedIndexedAccess\n    // flag widens it to `number | undefined`. Safe here by construction.\n    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, '0')\n  }\n  return hex.join('')\n}\n\n/**\n * Pad an index to the canonical 10-digit form used as the adapter key.\n * Ten digits is enough for ~10 billion ledger entries per vault\n * — far beyond any realistic use case, but cheap enough that the extra\n * digits don't hurt storage.\n */\nexport function paddedIndex(index: number): string {\n  return String(index).padStart(10, '0')\n}\n\n/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */\nexport function parseIndex(key: string): number {\n  return Number.parseInt(key, 10)\n}\n","/**\n * Envelope payload hash — pinned in its own leaf module so consumers\n * (DictionaryHandle, the active history strategy) can import it\n * without dragging in the `LedgerStore` class.\n *\n * see `constants.ts` for the broader rationale.\n *\n * @internal\n */\n\nimport type { EncryptedEnvelope } from '../../types.js'\nimport { sha256Hex } from './entry.js'\n\n/**\n * Compute the `payloadHash` value for an encrypted envelope. Used by\n * `LedgerStore.append` for both put (hash the new envelope) and\n * delete (hash the previous envelope) paths, and by\n * `DictionaryHandle` so its ledger entries match the same contract.\n *\n * Returns the empty string when there is no envelope (delete of a\n * never-existed record). The empty string tolerated by the ledger\n * entry's `payloadHash` field as the canonical \"nothing here\" value.\n */\nexport async function envelopePayloadHash(\n  envelope: EncryptedEnvelope | null,\n): Promise<string> {\n  if (!envelope) return ''\n  // `_data` is a base64 string for encrypted envelopes and the raw\n  // JSON for plaintext ones. Both are strings, so a single sha256Hex\n  // call works for both modes — the hash value differs between\n  // encrypted/plaintext compartments because the bytes on disk\n  // differ.\n  return sha256Hex(envelope._data)\n}\n"],"mappings":";AA4MO,SAAS,cAAc,OAAwB;AACpD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,uDAAuD,OAAO,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,UAAU,eAAe,OAAO,UAAU,YAAY;AAC/D,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,KAAK;AAAA,IACnD;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAAA,EAC9D;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,QAAkB,CAAC;AACzB,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,UAAU,GAAG,IAAI,MAAM,cAAc,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE;AACA,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AACA,QAAM,IAAI,MAAM,yCAAyC,OAAO,KAAK,EAAE;AACzE;AAUA,eAAsB,UAAU,OAAgC;AAC9D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,WAAW,IAAI,WAAW,MAAM,CAAC;AAC1C;AAQA,eAAsB,UAAU,OAAqC;AACnE,SAAO,UAAU,cAAc,KAAK,CAAC;AACvC;AAGA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,IAAI,MAAc,MAAM,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AAIrC,QAAI,CAAC,KAAK,MAAM,CAAC,KAAK,GAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACvD;AACA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQO,SAAS,YAAY,OAAuB;AACjD,SAAO,OAAO,KAAK,EAAE,SAAS,IAAI,GAAG;AACvC;AAGO,SAAS,WAAW,KAAqB;AAC9C,SAAO,OAAO,SAAS,KAAK,EAAE;AAChC;;;ACzQA,eAAsB,oBACpB,UACiB;AACjB,MAAI,CAAC,SAAU,QAAO;AAMtB,SAAO,UAAU,SAAS,KAAK;AACjC;","names":[]}
+{"version":3,"sources":["../src/history/ledger/entry.ts","../src/history/ledger/hash.ts"],"sourcesContent":["/**\n * Ledger entry shape + canonical JSON + sha256 helpers.\n *\n * This file holds the PURE primitives used by the hash-chained ledger:\n * the entry type, the deterministic (sort-stable) JSON encoder, and\n * the sha256 hasher that produces `prevHash` and `ledger.head()`.\n *\n * Everything here is validator-free and side-effect free — the only\n * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,\n * which we already use for every other hashing operation in the core.\n *\n * The hash chain property works like this:\n *\n *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))\n *   entry[i+1].prevHash  = hash(entry[i])\n *\n * Any modification to `entry[i]` (field values, field order, whitespace)\n * produces a different `hash(entry[i])`, which means `entry[i+1]`'s\n * stored `prevHash` no longer matches the recomputed hash, which means\n * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is\n * append-only and tamper-evident without external anchoring.\n */\n\n/**\n * A single ledger entry in its plaintext form — what gets serialized,\n * hashed, and then encrypted with the ledger DEK before being written\n * to the `_ledger/` adapter collection.\n *\n * ## Why hash the ciphertext, not the plaintext?\n *\n * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,\n * not its plaintext. This matters:\n *\n *   1. **Zero-knowledge preserved.** A user (or a third party) can\n *      verify the ledger against the stored envelopes without any\n *      decryption keys. The adapter layer already holds only\n *      ciphertext, so hashing the ciphertext keeps the ledger at the\n *      same privacy level as the adapter.\n *\n *   2. **Determinism.** Plaintext → ciphertext is randomized by the\n *      fresh per-write IV, so `hash(plaintext)` would need extra\n *      normalization. `hash(ciphertext)` is already deterministic and\n *      unique per write.\n *\n *   3. **Detection property.** If an attacker modifies even one byte of\n *      the stored ciphertext (trying to flip a record), the hash\n *      changes, the ledger's recorded `payloadHash` no longer matches,\n *      and a data-integrity check fails. We don't do that check in\n *      `verify()` today, but the\n *      hook is there for a future `verifyIntegrity()` follow-up.\n *\n * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are\n * plaintext METADATA about the operation — NOT the record itself. The\n * entry is still encrypted at rest via the ledger DEK, but adapters\n * could theoretically infer operation patterns from the sizes and\n * timestamps. This is an accepted trade-off for the tamper-evidence\n * property; full ORAM-level privacy is out of scope for noy-db.\n */\nexport interface LedgerEntry {\n  /**\n   * Zero-based sequential position of this entry in the chain. The\n   * canonical adapter key is this number zero-padded to 10 digits\n   * (`\"0000000001\"`) so lexicographic ordering matches numeric order.\n   */\n  readonly index: number\n\n  /**\n   * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.\n   * The genesis entry (index 0) has `prevHash === ''` — the first\n   * entry in a fresh vault has nothing to point back to.\n   */\n  readonly prevHash: string\n\n  /**\n   * Which kind of mutation this entry records. only supports\n   * data operations (`put`, `delete`, `amendment`). Access-control\n   * operations (`grant`, `revoke`, `rotate`) will be added in a\n   * follow-up once the keyring write path is instrumented — that's\n   * tracked in the epic issue.\n   *\n   * `'amendment'` is the multi-record audit entry written by the\n   * guards subsystem when an admin/owner uses `withTransactions(...)`\n   * to repair a constraint-violating state. See `amendment` field\n   * below for the structured payload.\n   *\n   * `'lifecycle'` records a non-data audit event (e.g. partition\n   * handover) — `collection`/`id` are empty and the event detail\n   * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like\n   * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`\n   * skips it in the data cross-check (it still participates in the\n   * tamper-evident chain).\n   *\n   * `'forget'` is the single summary entry written by `vault.forget()`\n   * (#304 GDPR crypto-shred). `collection`/`id` are empty and `version`\n   * is 0 — a forget is not scoped to one record. `payloadHash` carries\n   * `sha256Hex(subjectId)` so the ledger PROVES \"subject X existed and\n   * was erased on date D\" without retaining the subject id or any\n   * plaintext; `reason` holds a JSON summary of the shred counts. Like\n   * `amendment`/`lifecycle` it carries no data envelope and is skipped\n   * by the reconstruct walker (it still participates in the chain, so\n   * `verify()` passes after a shred).\n   */\n  readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration' | 'forget'\n\n  /** The collection the mutation targeted. */\n  readonly collection: string\n\n  /** The record id the mutation targeted. */\n  readonly id: string\n\n  /**\n   * The record version AFTER this mutation. For `put` this is the\n   * newly assigned version; for `delete` this is the version that\n   * was deleted (the last version visible to reads).\n   */\n  readonly version: number\n\n  /** ISO timestamp of the mutation. */\n  readonly ts: string\n\n  /** User id of the actor who performed the mutation. */\n  readonly actor: string\n\n  /**\n   * Hex-encoded sha256 of the encrypted envelope's `_data` field.\n   * For `put`, this is the hash of the new ciphertext. For `delete`,\n   * it's the hash of the last visible ciphertext at deletion time,\n   * or the empty string if nothing was there to delete. Hashing the\n   * ciphertext (not the plaintext) preserves zero-knowledge — see\n   * the file docstring.\n   */\n  readonly payloadHash: string\n\n  /**\n   * Optional human-readable tag describing why this mutation happened.\n   * Threaded through `collection.put(_, _, { reason })`. Common\n   * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from\n   * `as-*` ImportPlan.apply(), but consumers can use any string for\n   * domain-specific audit filtering. Auto-strip via `canonicalJson` —\n   * absent on the wire, never serialized as `null`.\n   *\n   * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.\n   */\n  readonly reason?: string\n\n  /**\n   * Optional hex-encoded sha256 of the encrypted JSON Patch delta\n   * blob stored alongside this entry in `_ledger_deltas/`. Present\n   * only for `put` operations that had a previous version — the\n   * genesis put of a new record, and every `delete`, leave this\n   * field undefined.\n   *\n   * The delta payload itself lives in a sibling internal collection\n   * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the\n   * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and\n   * deserialize it when reconstructing a historical version.\n   *\n   * Why optional instead of always-present: the first put of a\n   * record has no previous version to diff against, so storing an\n   * empty patch would be noise. For deletes there's no \"next\" state\n   * to describe with a delta. Both cases set this field to undefined.\n   *\n   * Note: the canonical-JSON hasher treats `undefined` as invalid\n   * (it's one of the guard rails), so on the wire this field is\n   * either `{ deltaHash: '<hex>' }` or absent from the JSON\n   * entirely — never `{ deltaHash: undefined }`.\n   */\n  readonly deltaHash?: string\n\n  /**\n   * Present only when `op === 'amendment'`. Records the human reason,\n   * the role of the actor, the (collection, id, vBefore, vAfter) tuple\n   * for every record touched, and which guard invariants passed.\n   *\n   * See docs/superpowers/specs/2026-05-18-guards-design.md.\n   */\n  readonly amendment?: {\n    readonly reason: string\n    readonly role: 'admin' | 'owner'\n    readonly changes: ReadonlyArray<{\n      readonly collection: string\n      readonly id: string\n      readonly vBefore: number\n      readonly vAfter: number\n    }>\n    readonly invariantsPassed: ReadonlyArray<string>\n  }\n}\n\n/**\n * Canonical (sort-stable) JSON encoder.\n *\n * This function is the load-bearing primitive of the hash chain:\n * `sha256(canonicalJSON(entry))` must produce the same hex string\n * every time, on every machine, for the same logical entry — otherwise\n * `verify()` would return `{ ok: false }` on cross-platform reads.\n *\n * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:\n * it preserves the insertion order of object keys, which means\n * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by\n * recursively walking objects and sorting their keys before\n * concatenation.\n *\n * Arrays keep their original order (reordering them would change\n * semantics). Numbers, strings, booleans, and `null` use the default\n * JSON encoding. `undefined` and functions are rejected — ledger\n * entries are plain data, and silently dropping `undefined` would\n * break the \"same input → same hash\" property if a caller forgot to\n * omit a field.\n *\n * Performance: one pass per nesting level; O(n log n) for key sorting\n * at each object. Entries are small (< 1 KB) so this is negligible\n * compared to the sha256 call.\n */\nexport function canonicalJson(value: unknown): string {\n  if (value === null) return 'null'\n  if (typeof value === 'boolean') return value ? 'true' : 'false'\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(\n        `canonicalJson: refusing to encode non-finite number ${String(value)}`,\n      )\n    }\n    return JSON.stringify(value)\n  }\n  if (typeof value === 'string') return JSON.stringify(value)\n  if (typeof value === 'bigint') {\n    throw new Error('canonicalJson: BigInt is not JSON-serializable')\n  }\n  if (typeof value === 'undefined' || typeof value === 'function') {\n    throw new Error(\n      `canonicalJson: refusing to encode ${typeof value} — include all fields explicitly`,\n    )\n  }\n  if (Array.isArray(value)) {\n    return '[' + value.map((v) => canonicalJson(v)).join(',') + ']'\n  }\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>\n    const keys = Object.keys(obj).sort()\n    const parts: string[] = []\n    for (const key of keys) {\n      parts.push(JSON.stringify(key) + ':' + canonicalJson(obj[key]))\n    }\n    return '{' + parts.join(',') + '}'\n  }\n  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`)\n}\n\n/**\n * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.\n *\n * We use hex (not base64) for hashes because hex is case-insensitive,\n * fixed-length (64 chars), and easier to compare visually in debug\n * output. Base64 would save a few bytes in storage but every encrypted\n * ledger entry is already much larger than the hash itself.\n */\nexport async function sha256Hex(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return bytesToHex(new Uint8Array(digest))\n}\n\n/**\n * Compute the canonical hash of a ledger entry. Short wrapper around\n * `canonicalJson` + `sha256Hex`; callers use this instead of composing\n * the two functions every time, so any future change to the hashing\n * pipeline (e.g., adding a domain-separation prefix) lives in one place.\n */\nexport async function hashEntry(entry: LedgerEntry): Promise<string> {\n  return sha256Hex(canonicalJson(entry))\n}\n\n/** Convert a Uint8Array to a lowercase hex string. */\nfunction bytesToHex(bytes: Uint8Array): string {\n  const hex = new Array<string>(bytes.length)\n  for (let i = 0; i < bytes.length; i++) {\n    // Non-null assertion: indexing a Uint8Array within bounds always\n    // returns a number, but the compiler's noUncheckedIndexedAccess\n    // flag widens it to `number | undefined`. Safe here by construction.\n    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, '0')\n  }\n  return hex.join('')\n}\n\n/**\n * Pad an index to the canonical 10-digit form used as the adapter key.\n * Ten digits is enough for ~10 billion ledger entries per vault\n * — far beyond any realistic use case, but cheap enough that the extra\n * digits don't hurt storage.\n */\nexport function paddedIndex(index: number): string {\n  return String(index).padStart(10, '0')\n}\n\n/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */\nexport function parseIndex(key: string): number {\n  return Number.parseInt(key, 10)\n}\n","/**\n * Envelope payload hash — pinned in its own leaf module so consumers\n * (DictionaryHandle, the active history strategy) can import it\n * without dragging in the `LedgerStore` class.\n *\n * see `constants.ts` for the broader rationale.\n *\n * @internal\n */\n\nimport type { EncryptedEnvelope } from '../../types.js'\nimport { sha256Hex } from './entry.js'\n\n/**\n * Compute the `payloadHash` value for an encrypted envelope. Used by\n * `LedgerStore.append` for both put (hash the new envelope) and\n * delete (hash the previous envelope) paths, and by\n * `DictionaryHandle` so its ledger entries match the same contract.\n *\n * Returns the empty string when there is no envelope (delete of a\n * never-existed record). The empty string tolerated by the ledger\n * entry's `payloadHash` field as the canonical \"nothing here\" value.\n */\nexport async function envelopePayloadHash(\n  envelope: EncryptedEnvelope | null,\n): Promise<string> {\n  if (!envelope) return ''\n  // `_data` is a base64 string for encrypted envelopes and the raw\n  // JSON for plaintext ones. Both are strings, so a single sha256Hex\n  // call works for both modes — the hash value differs between\n  // encrypted/plaintext compartments because the bytes on disk\n  // differ.\n  return sha256Hex(envelope._data)\n}\n"],"mappings":";AAsNO,SAAS,cAAc,OAAwB;AACpD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,uDAAuD,OAAO,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,UAAU,eAAe,OAAO,UAAU,YAAY;AAC/D,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,KAAK;AAAA,IACnD;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAAA,EAC9D;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,QAAkB,CAAC;AACzB,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,UAAU,GAAG,IAAI,MAAM,cAAc,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE;AACA,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AACA,QAAM,IAAI,MAAM,yCAAyC,OAAO,KAAK,EAAE;AACzE;AAUA,eAAsB,UAAU,OAAgC;AAC9D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,WAAW,IAAI,WAAW,MAAM,CAAC;AAC1C;AAQA,eAAsB,UAAU,OAAqC;AACnE,SAAO,UAAU,cAAc,KAAK,CAAC;AACvC;AAGA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,IAAI,MAAc,MAAM,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AAIrC,QAAI,CAAC,KAAK,MAAM,CAAC,KAAK,GAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACvD;AACA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQO,SAAS,YAAY,OAAuB;AACjD,SAAO,OAAO,KAAK,EAAE,SAAS,IAAI,GAAG;AACvC;AAGO,SAAS,WAAW,KAAqB;AAC9C,SAAO,OAAO,SAAS,KAAK,EAAE;AAChC;;;ACnRA,eAAsB,oBACpB,UACiB;AACjB,MAAI,CAAC,SAAU,QAAO;AAMtB,SAAO,UAAU,SAAS,KAAK;AACjC;","names":[]}

package/dist/{chunk-DLZ2ONOD.js → chunk-QHM6XEAH.js}

@@ -1,15 +1,15 @@
 import {
   dekKey
-} from "./chunk-4TBBMHVC.js";
+} from "./chunk-5LIROIDM.js";
 import {
   assertStrongPassphrase,
   mintKeyringCanary,
   persistKeyring
-} from "./chunk-6H2ZUNR7.js";
+} from "./chunk-BSZOCSDZ.js";
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-F3BPIPLS.js";
+} from "./chunk-SISBMAPO.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -19,7 +19,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   DelegationTargetMissingError,
   InvalidKeyError,
@@ -28,7 +28,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/team/authenticators.ts
 async function enrollAuthenticator(store, vault, keyring, options) {
@@ -827,4 +827,4 @@ export {
   magicLinkGrantRecordId,
   isMagicLinkGrantExpired
 };
-//# sourceMappingURL=chunk-DLZ2ONOD.js.map
+//# sourceMappingURL=chunk-QHM6XEAH.js.map

package/dist/{chunk-HBXJ37ZY.js → chunk-QO6RGLLD.js}

@@ -1,13 +1,13 @@
 import {
   wrapDbWithPredicates
-} from "./chunk-G4SCICH5.js";
+} from "./chunk-2FU2FTXD.js";
 import {
   canonicalGroupKey,
   groupAndReduce
-} from "./chunk-L2BNJ6HM.js";
+} from "./chunk-7H2GEJ3O.js";
 import {
   MaterializedViewTooLargeError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/materialized-views/executor.ts
 var DEFAULT_MAX_ROWS = 1e5;
@@ -150,4 +150,4 @@ async function listOutputIds(outputColl) {
 export {
   MaterializedViewExecutor
 };
-//# sourceMappingURL=chunk-HBXJ37ZY.js.map
+//# sourceMappingURL=chunk-QO6RGLLD.js.map

package/dist/{chunk-7BQ4QWYX.js → chunk-ROPJVUG3.js}

@@ -1,22 +1,22 @@
 import {
   ensureCollectionDEK
-} from "./chunk-6H2ZUNR7.js";
+} from "./chunk-BSZOCSDZ.js";
 import {
   envelopePayloadHash
-} from "./chunk-Z6FNBOTC.js";
+} from "./chunk-PDVP3C2I.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-F3BPIPLS.js";
+} from "./chunk-SISBMAPO.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 import {
   DictKeyMissingError,
   LocaleNotSpecifiedError,
   MissingTranslationError,
   PermissionDeniedError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/i18n/policy.ts
 function resolvePolicy(onMissing, layer) {
@@ -233,6 +233,21 @@ function dictKey(name, keys, opts) {
 function isDictKeyDescriptor(x) {
   return typeof x === "object" && x !== null && x._noydbDictKey === true;
 }
+function staticDict(name, table, opts) {
+  return {
+    _noydbStaticDict: true,
+    name,
+    table,
+    keys: Object.keys(table),
+    ...opts?.displayLocale !== void 0 ? { displayLocale: opts.displayLocale } : {},
+    ...opts?.onMissing !== void 0 ? { onMissing: opts.onMissing } : {},
+    ...opts?.substitute !== void 0 ? { substitute: opts.substitute } : {},
+    ...opts?.validateCodes !== void 0 ? { validateCodes: opts.validateCodes } : {}
+  };
+}
+function isStaticDictDescriptor(x) {
+  return typeof x === "object" && x !== null && x._noydbStaticDict === true;
+}
 var DictionaryHandle = class {
   constructor(adapter, compartmentName, dictionaryName, keyring, getDEK, encrypted, ledger, options, findAndUpdateReferences, emitter) {
     this.adapter = adapter;
@@ -584,6 +599,8 @@ export {
   isDictCollectionName,
   dictKey,
   isDictKeyDescriptor,
+  staticDict,
+  isStaticDictDescriptor,
   DictionaryHandle
 };
-//# sourceMappingURL=chunk-7BQ4QWYX.js.map
+//# sourceMappingURL=chunk-ROPJVUG3.js.map