npm - @noy-db/hub - Versions diffs - 0.2.0-pre.16 → 0.2.0-pre.18 - Mend

@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (306) hide show

package/dist/aggregate/index.cjs.map +1 -1
package/dist/aggregate/index.d.cts +3 -2
package/dist/aggregate/index.d.ts +3 -2
package/dist/aggregate/index.js +4 -4
package/dist/attestation/index.cjs.map +1 -1
package/dist/attestation/index.d.cts +5 -3
package/dist/attestation/index.d.ts +5 -3
package/dist/attestation/index.js +6 -6
package/dist/blobs/index.cjs +226 -11
package/dist/blobs/index.cjs.map +1 -1
package/dist/blobs/index.d.cts +6 -4
package/dist/blobs/index.d.ts +6 -4
package/dist/blobs/index.js +6 -5
package/dist/blobs/index.js.map +1 -1
package/dist/bundle/index.cjs +2065 -352
package/dist/bundle/index.cjs.map +1 -1
package/dist/bundle/index.d.cts +7 -5
package/dist/bundle/index.d.ts +7 -5
package/dist/bundle/index.js +21 -10
package/dist/bundle/index.js.map +1 -1
package/dist/{chunk-6RR3MNMG.js → chunk-2U226RDC.js} +3 -3
package/dist/{chunk-L2BNJ6HM.js → chunk-32XVU2LT.js} +3 -3
package/dist/{chunk-X73VS74Y.js → chunk-33DAO2XG.js} +2 -2
package/dist/chunk-45643PAU.js +151 -0
package/dist/chunk-45643PAU.js.map +1 -0
package/dist/{chunk-QSUK7YWK.js → chunk-4UI5T3K7.js} +4 -4
package/dist/{chunk-G4SCICH5.js → chunk-5KKNBDCT.js} +2 -2
package/dist/{chunk-DUREQF5W.js → chunk-647TFNYL.js} +34 -8
package/dist/chunk-647TFNYL.js.map +1 -0
package/dist/{chunk-E2CDVKMH.js → chunk-6FHCU3QO.js} +5 -5
package/dist/{chunk-F4OJZIWQ.js → chunk-6Q5XRLKG.js} +4 -4
package/dist/{chunk-HOR4R722.js → chunk-6XEGHIBA.js} +30 -4
package/dist/chunk-6XEGHIBA.js.map +1 -0
package/dist/{chunk-4TBBMHVC.js → chunk-6YEC7LLO.js} +2 -2
package/dist/{chunk-ZNQYHJXX.js → chunk-AB7JF2KF.js} +2 -2
package/dist/{chunk-UMLVJTYV.js → chunk-ADB7GPM3.js} +7 -4
package/dist/chunk-ADB7GPM3.js.map +1 -0
package/dist/{chunk-XL35NSEN.js → chunk-BUBJYIZ7.js} +3 -3
package/dist/chunk-C2OYWD5S.js +125 -0
package/dist/chunk-C2OYWD5S.js.map +1 -0
package/dist/{chunk-KABJXG2F.js → chunk-CMISAJAE.js} +195 -17
package/dist/chunk-CMISAJAE.js.map +1 -0
package/dist/{chunk-3YWP3WBP.js → chunk-DKMPR76W.js} +5 -5
package/dist/{chunk-BI6ETQPF.js → chunk-DR5I7Q6N.js} +4 -4
package/dist/{chunk-667MB6AH.js → chunk-F2IJ2HGD.js} +1370 -232
package/dist/chunk-F2IJ2HGD.js.map +1 -0
package/dist/{chunk-6H2ZUNR7.js → chunk-FQRAYDS4.js} +4 -4
package/dist/{chunk-535SSHBS.js → chunk-HMFC6M2G.js} +99 -2
package/dist/chunk-HMFC6M2G.js.map +1 -0
package/dist/{chunk-TS26M2SB.js → chunk-HOO5I3VG.js} +2 -2
package/dist/{chunk-OMAMZKKD.js → chunk-HWK75CYX.js} +2 -2
package/dist/{chunk-TKIY625R.js → chunk-HZOEBM67.js} +2 -2
package/dist/{chunk-DLZ2ONOD.js → chunk-IQ4GMEYZ.js} +6 -6
package/dist/{chunk-XWH4MXIU.js → chunk-K3NYRK7U.js} +2 -2
package/dist/{chunk-7BQ4QWYX.js → chunk-KOURQXIU.js} +23 -6
package/dist/chunk-KOURQXIU.js.map +1 -0
package/dist/{chunk-7Z7KSVA5.js → chunk-KQ523X3A.js} +15 -2
package/dist/chunk-KQ523X3A.js.map +1 -0
package/dist/{chunk-JD3OZAI4.js → chunk-KTZ2MHQK.js} +2 -2
package/dist/{chunk-F3BPIPLS.js → chunk-LGPSCKWZ.js} +1 -1
package/dist/chunk-LGPSCKWZ.js.map +1 -0
package/dist/{chunk-SCJPI4Z5.js → chunk-LQ3GD5LL.js} +5 -5
package/dist/{chunk-AAVWKNZW.js → chunk-M3H7VSRV.js} +2 -2
package/dist/{chunk-BR3AMFGS.js → chunk-MGB67HKX.js} +5 -5
package/dist/{chunk-GNI5STXQ.js → chunk-P57D4KBG.js} +52 -38
package/dist/chunk-P57D4KBG.js.map +1 -0
package/dist/{chunk-Z6FNBOTC.js → chunk-PDVP3C2I.js} +1 -1
package/dist/{chunk-Z6FNBOTC.js.map → chunk-PDVP3C2I.js.map} +1 -1
package/dist/{chunk-OB2ZJQ2D.js → chunk-PGVEL5IZ.js} +3 -3
package/dist/{chunk-YULZKK4F.js → chunk-QJKZ5WUP.js} +37 -2
package/dist/chunk-QJKZ5WUP.js.map +1 -0
package/dist/{chunk-BQ65SS5A.js → chunk-QPJ7Z4L3.js} +2 -2
package/dist/{chunk-CZI2A4MQ.js → chunk-RQFG2YSV.js} +3 -3
package/dist/{chunk-CJORTUJ2.js → chunk-RZWQNMMP.js} +2 -2
package/dist/{chunk-FFXM3ZIF.js → chunk-T4T5I5L6.js} +3 -3
package/dist/{chunk-QVIEAYTP.js → chunk-TFAN3NFD.js} +3 -3
package/dist/{chunk-Z4DO7YSI.js → chunk-TPOHMOGX.js} +2 -2
package/dist/{chunk-VLMPU56Q.js → chunk-TTS3RWL5.js} +2 -2
package/dist/{chunk-IXBIFDEW.js → chunk-VVDSDOVV.js} +4 -4
package/dist/{chunk-FWPKCXTN.js → chunk-WZCG3EZ6.js} +2 -2
package/dist/{chunk-HBXJ37ZY.js → chunk-Y5XVB75E.js} +4 -4
package/dist/chunk-YWYW2YNO.js +129 -0
package/dist/chunk-YWYW2YNO.js.map +1 -0
package/dist/{chunk-IQLVUT37.js → chunk-Z3BE5BRK.js} +2 -2
package/dist/{chunk-42FEUPZQ.js → chunk-Z3I2WNGF.js} +58 -3
package/dist/chunk-Z3I2WNGF.js.map +1 -0
package/dist/{state-vault-TMXZRTY5.js → chunk-ZJ67TB4S.js} +24 -7
package/dist/chunk-ZJ67TB4S.js.map +1 -0
package/dist/consent/index.cjs.map +1 -1
package/dist/consent/index.d.cts +6 -4
package/dist/consent/index.d.ts +6 -4
package/dist/consent/index.js +3 -3
package/dist/{crypto-QXQOHMHF.js → crypto-FNK3XPCS.js} +7 -3
package/dist/{delegation-NIQ43IPU.js → delegation-FMXNUWE6.js} +5 -5
package/dist/derivations/index.cjs +82 -2
package/dist/derivations/index.cjs.map +1 -1
package/dist/derivations/index.d.cts +7 -5
package/dist/derivations/index.d.ts +7 -5
package/dist/derivations/index.js +8 -6
package/dist/{dev-unlock-8XzcD2Z4.d.cts → dev-unlock-3_2b_vo6.d.cts} +1 -1
package/dist/{dev-unlock-DR3upLd1.d.ts → dev-unlock-BMvwPr_E.d.ts} +1 -1
package/dist/{strategy-BtW8fAjz.d.cts → errors-DUTlAt3Y.d.cts} +113 -727
package/dist/{strategy-BtW8fAjz.d.ts → errors-DUTlAt3Y.d.ts} +113 -727
package/dist/executor-IZ2NVXCY.js +11 -0
package/dist/executor-THSEYEJG.js +8 -0
package/dist/executor-WLFDUTOM.js +8 -0
package/dist/{fanout-sidecar-67CMI3UT.js → fanout-sidecar-JGHXAJO5.js} +2 -2
package/dist/forget/index.cjs +43 -0
package/dist/forget/index.cjs.map +1 -0
package/dist/forget/index.d.cts +1 -0
package/dist/forget/index.d.ts +1 -0
package/dist/forget/index.js +14 -0
package/dist/guards/index.cjs +80 -3
package/dist/guards/index.cjs.map +1 -1
package/dist/guards/index.d.cts +7 -5
package/dist/guards/index.d.ts +7 -5
package/dist/guards/index.js +10 -6
package/dist/{hash-CDjye9KV.d.ts → hash-BThBJFO1.d.ts} +1 -1
package/dist/{hash-DuQ88_5W.d.cts → hash-BnWnL9bQ.d.cts} +1 -1
package/dist/history/index.cjs +27 -4
package/dist/history/index.cjs.map +1 -1
package/dist/history/index.d.cts +7 -5
package/dist/history/index.d.ts +7 -5
package/dist/history/index.js +9 -7
package/dist/history/index.js.map +1 -1
package/dist/i18n/index.cjs +53 -0
package/dist/i18n/index.cjs.map +1 -1
package/dist/i18n/index.d.cts +6 -4
package/dist/i18n/index.d.ts +6 -4
package/dist/i18n/index.js +16 -8
package/dist/i18n/index.js.map +1 -1
package/dist/index-C-SSRIxP.d.cts +348 -0
package/dist/index-C-SSRIxP.d.ts +348 -0
package/dist/{index-C8Bk3-VF.d.cts → index-C6lgoUhK.d.cts} +47 -2
package/dist/{index-nP99bXLg.d.ts → index-DP1JTWHZ.d.ts} +47 -2
package/dist/index.cjs +3280 -1208
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +15 -12
package/dist/index.d.ts +15 -12
package/dist/index.js +149 -107
package/dist/index.js.map +1 -1
package/dist/indexing/index.cjs.map +1 -1
package/dist/indexing/index.js +4 -4
package/dist/issue-R2MWQO6K.js +12 -0
package/dist/{ledger-A3LL253R.js → ledger-GXC2YA3A.js} +6 -6
package/dist/materialized-views/index.cjs.map +1 -1
package/dist/materialized-views/index.d.cts +7 -5
package/dist/materialized-views/index.d.ts +7 -5
package/dist/materialized-views/index.js +12 -12
package/dist/noydb-RJL6FQ4B.js +37 -0
package/dist/overlay-views/index.cjs.map +1 -1
package/dist/overlay-views/index.d.cts +7 -5
package/dist/overlay-views/index.d.ts +7 -5
package/dist/overlay-views/index.js +4 -4
package/dist/periods/index.cjs.map +1 -1
package/dist/periods/index.d.cts +6 -4
package/dist/periods/index.d.ts +6 -4
package/dist/periods/index.js +6 -6
package/dist/{public-envelope-YP2UWMLG.js → public-envelope-HXOFHY4N.js} +4 -4
package/dist/query/index.cjs +30 -4
package/dist/query/index.cjs.map +1 -1
package/dist/query/index.d.cts +3 -2
package/dist/query/index.d.ts +3 -2
package/dist/query/index.js +6 -6
package/dist/read-only-facade-EX6WZZBP.js +7 -0
package/dist/registry-3T2RZC5A.js +8 -0
package/dist/registry-DMS7OKBM.js +8 -0
package/dist/{registry-UTA4CLQS.js → registry-WVXO6NH5.js} +3 -3
package/dist/{revoke-HNMQZSCL.js → revoke-7LCWE2AH.js} +6 -6
package/dist/sealed-record/index.cjs +139 -0
package/dist/sealed-record/index.cjs.map +1 -0
package/dist/sealed-record/index.d.cts +123 -0
package/dist/sealed-record/index.d.ts +123 -0
package/dist/sealed-record/index.js +42 -0
package/dist/sealed-record/index.js.map +1 -0
package/dist/session/index.cjs.map +1 -1
package/dist/session/index.d.cts +7 -5
package/dist/session/index.d.ts +7 -5
package/dist/session/index.js +3 -3
package/dist/shadow/index.cjs.map +1 -1
package/dist/shadow/index.d.cts +6 -4
package/dist/shadow/index.d.ts +6 -4
package/dist/shadow/index.js +2 -2
package/dist/{signer-DCMNKXSF.js → signer-HAVDLGOK.js} +5 -5
package/dist/snapshots/index.cjs.map +1 -1
package/dist/snapshots/index.d.cts +6 -4
package/dist/snapshots/index.d.ts +6 -4
package/dist/snapshots/index.js +4 -4
package/dist/{stale-W5PQTRYH.js → stale-PGTEGJDI.js} +2 -2
package/dist/stale-PGTEGJDI.js.map +1 -0
package/dist/state-vault-QKQKN3H3.js +14 -0
package/dist/state-vault-QKQKN3H3.js.map +1 -0
package/dist/store/index.cjs.map +1 -1
package/dist/store/index.d.cts +6 -4
package/dist/store/index.d.ts +6 -4
package/dist/store/index.js +2 -2
package/dist/strategy-Diwh5lzS.d.ts +739 -0
package/dist/strategy-nuyN8K5N.d.cts +739 -0
package/dist/sync/index.cjs.map +1 -1
package/dist/sync/index.d.cts +5 -3
package/dist/sync/index.d.ts +5 -3
package/dist/sync/index.js +4 -4
package/dist/team/index.cjs.map +1 -1
package/dist/team/index.d.cts +6 -4
package/dist/team/index.d.ts +6 -4
package/dist/team/index.js +8 -8
package/dist/transition-guard--t3exQHF.d.cts +165 -0
package/dist/transition-guard-BlI9Oy5K.d.ts +165 -0
package/dist/tx/index.cjs.map +1 -1
package/dist/tx/index.d.cts +6 -4
package/dist/tx/index.d.ts +6 -4
package/dist/tx/index.js +3 -3
package/dist/{types-Bze6vkwm.d.cts → types-BpLPqyaO.d.cts} +1264 -513
package/dist/{types-DrmBTscX.d.ts → types-Diqc2caK.d.ts} +1264 -513
package/dist/{ulid-DbBVrNSt.d.ts → ulid-B1zNV8r9.d.ts} +1 -1
package/dist/{ulid-DfZlAh0u.d.cts → ulid-DNiRB4Mx.d.cts} +1 -1
package/dist/util/index.cjs.map +1 -1
package/dist/util/index.js +1 -1
package/dist/{vault-group-DX2HFQMX.js → vault-group-DPZVFRI5.js} +182 -6
package/dist/vault-group-DPZVFRI5.js.map +1 -0
package/dist/{with-materialized-view--4PsvMDu.d.cts → with-materialized-view-BdH_A_r6.d.cts} +1 -1
package/dist/{with-materialized-view-QT1Tp7NO.d.ts → with-materialized-view-CzAgp_HJ.d.ts} +1 -1
package/dist/{with-overlayed-view-BEXfpzSb.d.ts → with-overlayed-view-BJbqQnsR.d.ts} +1 -1
package/dist/{with-overlayed-view-DlH5qmeB.d.cts → with-overlayed-view-C40rDPlu.d.cts} +1 -1
package/dist/with-rollup-Bopu5UDZ.d.cts +47 -0
package/dist/with-rollup-DrlGkxiE.d.ts +47 -0
package/package.json +23 -3
package/dist/chunk-42FEUPZQ.js.map +0 -1
package/dist/chunk-535SSHBS.js.map +0 -1
package/dist/chunk-667MB6AH.js.map +0 -1
package/dist/chunk-7BQ4QWYX.js.map +0 -1
package/dist/chunk-7Z7KSVA5.js.map +0 -1
package/dist/chunk-DUREQF5W.js.map +0 -1
package/dist/chunk-F3BPIPLS.js.map +0 -1
package/dist/chunk-GNI5STXQ.js.map +0 -1
package/dist/chunk-HOR4R722.js.map +0 -1
package/dist/chunk-KABJXG2F.js.map +0 -1
package/dist/chunk-OQSRJG6A.js +0 -63
package/dist/chunk-OQSRJG6A.js.map +0 -1
package/dist/chunk-UMLVJTYV.js.map +0 -1
package/dist/chunk-YULZKK4F.js.map +0 -1
package/dist/executor-6ZDSDZ6V.js +0 -8
package/dist/executor-AZLS3KBK.js +0 -11
package/dist/executor-IDZDAFNH.js +0 -8
package/dist/immutable-guard-CRPvu24K.d.cts +0 -82
package/dist/immutable-guard-Dov3WvwF.d.ts +0 -82
package/dist/issue-RZP3VI6O.js +0 -12
package/dist/noydb-WCMY2ZOW.js +0 -35
package/dist/read-only-facade-ITU6L7BL.js +0 -7
package/dist/registry-EB6SISTA.js +0 -8
package/dist/registry-IUZQVVBB.js +0 -8
package/dist/state-vault-TMXZRTY5.js.map +0 -1
package/dist/vault-group-DX2HFQMX.js.map +0 -1
package/dist/with-derivation-CCqAchD5.d.cts +0 -13
package/dist/with-derivation-_lySGdlm.d.ts +0 -13
/package/dist/{chunk-6RR3MNMG.js.map → chunk-2U226RDC.js.map} +0 -0
/package/dist/{chunk-L2BNJ6HM.js.map → chunk-32XVU2LT.js.map} +0 -0
/package/dist/{chunk-X73VS74Y.js.map → chunk-33DAO2XG.js.map} +0 -0
/package/dist/{chunk-QSUK7YWK.js.map → chunk-4UI5T3K7.js.map} +0 -0
/package/dist/{chunk-G4SCICH5.js.map → chunk-5KKNBDCT.js.map} +0 -0
/package/dist/{chunk-E2CDVKMH.js.map → chunk-6FHCU3QO.js.map} +0 -0
/package/dist/{chunk-F4OJZIWQ.js.map → chunk-6Q5XRLKG.js.map} +0 -0
/package/dist/{chunk-4TBBMHVC.js.map → chunk-6YEC7LLO.js.map} +0 -0
/package/dist/{chunk-ZNQYHJXX.js.map → chunk-AB7JF2KF.js.map} +0 -0
/package/dist/{chunk-XL35NSEN.js.map → chunk-BUBJYIZ7.js.map} +0 -0
/package/dist/{chunk-3YWP3WBP.js.map → chunk-DKMPR76W.js.map} +0 -0
/package/dist/{chunk-BI6ETQPF.js.map → chunk-DR5I7Q6N.js.map} +0 -0
/package/dist/{chunk-6H2ZUNR7.js.map → chunk-FQRAYDS4.js.map} +0 -0
/package/dist/{chunk-TS26M2SB.js.map → chunk-HOO5I3VG.js.map} +0 -0
/package/dist/{chunk-OMAMZKKD.js.map → chunk-HWK75CYX.js.map} +0 -0
/package/dist/{chunk-TKIY625R.js.map → chunk-HZOEBM67.js.map} +0 -0
/package/dist/{chunk-DLZ2ONOD.js.map → chunk-IQ4GMEYZ.js.map} +0 -0
/package/dist/{chunk-XWH4MXIU.js.map → chunk-K3NYRK7U.js.map} +0 -0
/package/dist/{chunk-JD3OZAI4.js.map → chunk-KTZ2MHQK.js.map} +0 -0
/package/dist/{chunk-SCJPI4Z5.js.map → chunk-LQ3GD5LL.js.map} +0 -0
/package/dist/{chunk-AAVWKNZW.js.map → chunk-M3H7VSRV.js.map} +0 -0
/package/dist/{chunk-BR3AMFGS.js.map → chunk-MGB67HKX.js.map} +0 -0
/package/dist/{chunk-OB2ZJQ2D.js.map → chunk-PGVEL5IZ.js.map} +0 -0
/package/dist/{chunk-BQ65SS5A.js.map → chunk-QPJ7Z4L3.js.map} +0 -0
/package/dist/{chunk-CZI2A4MQ.js.map → chunk-RQFG2YSV.js.map} +0 -0
/package/dist/{chunk-CJORTUJ2.js.map → chunk-RZWQNMMP.js.map} +0 -0
/package/dist/{chunk-FFXM3ZIF.js.map → chunk-T4T5I5L6.js.map} +0 -0
/package/dist/{chunk-QVIEAYTP.js.map → chunk-TFAN3NFD.js.map} +0 -0
/package/dist/{chunk-Z4DO7YSI.js.map → chunk-TPOHMOGX.js.map} +0 -0
/package/dist/{chunk-VLMPU56Q.js.map → chunk-TTS3RWL5.js.map} +0 -0
/package/dist/{chunk-IXBIFDEW.js.map → chunk-VVDSDOVV.js.map} +0 -0
/package/dist/{chunk-FWPKCXTN.js.map → chunk-WZCG3EZ6.js.map} +0 -0
/package/dist/{chunk-HBXJ37ZY.js.map → chunk-Y5XVB75E.js.map} +0 -0
/package/dist/{chunk-IQLVUT37.js.map → chunk-Z3BE5BRK.js.map} +0 -0
/package/dist/{crypto-QXQOHMHF.js.map → crypto-FNK3XPCS.js.map} +0 -0
/package/dist/{delegation-NIQ43IPU.js.map → delegation-FMXNUWE6.js.map} +0 -0
/package/dist/{executor-6ZDSDZ6V.js.map → executor-IZ2NVXCY.js.map} +0 -0
/package/dist/{executor-AZLS3KBK.js.map → executor-THSEYEJG.js.map} +0 -0
/package/dist/{executor-IDZDAFNH.js.map → executor-WLFDUTOM.js.map} +0 -0
/package/dist/{fanout-sidecar-67CMI3UT.js.map → fanout-sidecar-JGHXAJO5.js.map} +0 -0
/package/dist/{issue-RZP3VI6O.js.map → forget/index.js.map} +0 -0
/package/dist/{ledger-A3LL253R.js.map → issue-R2MWQO6K.js.map} +0 -0
/package/dist/{noydb-WCMY2ZOW.js.map → ledger-GXC2YA3A.js.map} +0 -0
/package/dist/{public-envelope-YP2UWMLG.js.map → noydb-RJL6FQ4B.js.map} +0 -0
/package/dist/{read-only-facade-ITU6L7BL.js.map → public-envelope-HXOFHY4N.js.map} +0 -0
/package/dist/{registry-EB6SISTA.js.map → read-only-facade-EX6WZZBP.js.map} +0 -0
/package/dist/{registry-IUZQVVBB.js.map → registry-3T2RZC5A.js.map} +0 -0
/package/dist/{registry-UTA4CLQS.js.map → registry-DMS7OKBM.js.map} +0 -0
/package/dist/{revoke-HNMQZSCL.js.map → registry-WVXO6NH5.js.map} +0 -0
/package/dist/{signer-DCMNKXSF.js.map → revoke-7LCWE2AH.js.map} +0 -0
/package/dist/{stale-W5PQTRYH.js.map → signer-HAVDLGOK.js.map} +0 -0

package/dist/chunk-OQSRJG6A.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/derivations/with-derivation.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { DerivationStrategy, DerivationStrategyHandle } from './types.js'\n\n/**\n * Register a deterministic derivation: one source collection → one or\n * more typed outputs, computed by the user's `derive` function on\n * plaintext after DEK unwrap. Outputs are encrypted with the same DEK\n * as the source and written via the standard `Collection.put` path.\n *\n * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.\n */\nexport function withDerivation<\n TSource extends Record<string, unknown>,\n TOutputs extends Record<string, Record<string, unknown>>,\n>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle {\n if (!spec.source || spec.source.length === 0) {\n throw new ValidationError('withDerivation: source collection name is required')\n }\n if (!spec.outputs || Object.keys(spec.outputs).length === 0) {\n throw new ValidationError('withDerivation: outputs map must declare at least one output')\n }\n if (spec.deterministic !== true) {\n throw new ValidationError('withDerivation: v1 only supports deterministic derivations')\n }\n if (typeof spec.derive !== 'function') {\n throw new ValidationError('withDerivation: derive must be a function')\n }\n\n // Validate declared sibling sources (#344). Each must be a non-empty\n // string and must differ from the primary source — a self-reference\n // would double-register the strategy under the same `_bySource` key.\n if (spec.sources !== undefined) {\n for (const extra of spec.sources) {\n if (typeof extra !== 'string' || extra.length === 0) {\n throw new ValidationError('withDerivation: each entry in sources[] must be a non-empty string')\n }\n if (extra === spec.source) {\n throw new ValidationError(\n `withDerivation: sources[] must not contain the primary source \"${spec.source}\"`,\n )\n }\n }\n }\n\n // Validate array-shape outputs.\n const lifecycleMode = typeof spec.lifecycle === 'string' ? spec.lifecycle : spec.lifecycle.mode\n for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {\n if (outputSpec.shape === 'array') {\n if (lifecycleMode !== 'eager') {\n throw new ValidationError(\n `withDerivation: shape 'array' supports lifecycle 'eager' only in this release `\n + `Output \"${outputKey}\" declared lifecycle '${lifecycleMode}'. `\n + 'Switch to `lifecycle: \"eager\"` or use shape: \"record\".',\n )\n }\n if (typeof outputSpec.key !== 'function') {\n throw new ValidationError(\n `withDerivation: shape 'array' output \"${outputKey}\" requires \\`key: (out) => string\\`.`,\n )\n }\n if (outputSpec.maxFanout !== undefined) {\n if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {\n throw new ValidationError(\n `withDerivation: maxFanout for output \"${outputKey}\" must be a positive integer `\n + `(got ${String(outputSpec.maxFanout)}).`,\n )\n }\n }\n }\n }\n\n return {\n __noydb_strategy: 'derivation',\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n spec: spec as DerivationStrategy<any, any>,\n }\n}\n"],"mappings":";;;;;AAWO,SAAS,eAGd,MAAuE;AACvE,MAAI,CAAC,KAAK,UAAU,KAAK,OAAO,WAAW,GAAG;AAC5C,UAAM,IAAI,gBAAgB,oDAAoD;AAAA,EAChF;AACA,MAAI,CAAC,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,WAAW,GAAG;AAC3D,UAAM,IAAI,gBAAgB,8DAA8D;AAAA,EAC1F;AACA,MAAI,KAAK,kBAAkB,MAAM;AAC/B,UAAM,IAAI,gBAAgB,4DAA4D;AAAA,EACxF;AACA,MAAI,OAAO,KAAK,WAAW,YAAY;AACrC,UAAM,IAAI,gBAAgB,2CAA2C;AAAA,EACvE;AAKA,MAAI,KAAK,YAAY,QAAW;AAC9B,eAAW,SAAS,KAAK,SAAS;AAChC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG;AACnD,cAAM,IAAI,gBAAgB,oEAAoE;AAAA,MAChG;AACA,UAAI,UAAU,KAAK,QAAQ;AACzB,cAAM,IAAI;AAAA,UACR,kEAAkE,KAAK,MAAM;AAAA,QAC/E;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,OAAO,KAAK,cAAc,WAAW,KAAK,YAAY,KAAK,UAAU;AAC3F,aAAW,CAAC,WAAW,UAAU,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAClE,QAAI,WAAW,UAAU,SAAS;AAChC,UAAI,kBAAkB,SAAS;AAC7B,cAAM,IAAI;AAAA,UACR,yFACa,SAAS,yBAAyB,aAAa;AAAA,QAE9D;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,YAAY;AACxC,cAAM,IAAI;AAAA,UACR,yCAAyC,SAAS;AAAA,QACpD;AAAA,MACF;AACA,UAAI,WAAW,cAAc,QAAW;AACtC,YAAI,CAAC,OAAO,UAAU,WAAW,SAAS,KAAK,WAAW,YAAY,GAAG;AACvE,gBAAM,IAAI;AAAA,YACR,yCAAyC,SAAS,qCACxC,OAAO,WAAW,SAAS,CAAC;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,kBAAkB;AAAA;AAAA,IAElB;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-UMLVJTYV.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/guards/read-only-facade.ts"],"sourcesContent":["import type { Vault } from '../vault.js'\nimport type { Query } from '../query/builder.js'\nimport type { ReadOnlyVaultFacade as ReadOnlyVaultFacadeContract } from './types.js'\n\n/**\n * Minimal read-only wrapper over a `Vault`. Used as `ctx.vault` inside\n * guard callbacks so they can fetch related records without acquiring\n * any write capability.\n */\nexport class ReadOnlyVaultFacade implements ReadOnlyVaultFacadeContract {\n private readonly _vault: Vault\n\n constructor(vault: Vault) {\n this._vault = vault\n }\n\n collection<T = unknown>(name: string): {\n get(id: string): Promise<T | null>\n list(): Promise<T[]>\n query(): Query<T>\n } {\n const c = this._vault.collection<T>(name)\n return {\n get: (id: string) => c.get(id),\n list: () => c.list(),\n query: () => c.query(),\n }\n }\n}\n"],"mappings":";AASO,IAAM,sBAAN,MAAiE;AAAA,EACrD;AAAA,EAEjB,YAAY,OAAc;AACxB,SAAK,SAAS;AAAA,EAChB;AAAA,EAEA,WAAwB,MAItB;AACA,UAAM,IAAI,KAAK,OAAO,WAAc,IAAI;AACxC,WAAO;AAAA,MACL,KAAK,CAAC,OAAe,EAAE,IAAI,EAAE;AAAA,MAC7B,MAAM,MAAM,EAAE,KAAK;AAAA,MACnB,OAAO,MAAM,EAAE,MAAM;AAAA,IACvB;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-YULZKK4F.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/crypto.ts"],"sourcesContent":["/**\n * Cryptographic primitives — thin wrappers around the Web Crypto API.\n *\n * ## Design principle\n *\n * **Zero npm crypto dependencies.** Every operation uses `globalThis.crypto.subtle`,\n * which is available natively in Node.js ≥ 18, all modern browsers, and\n * Deno/Bun. This avoids supply-chain risk from third-party crypto packages and\n * ensures the library stays auditable.\n *\n * ## Algorithms\n *\n * | Use case | Algorithm | Parameters |\n * |----------|-----------|------------|\n * | Key derivation | PBKDF2-SHA256 | 600,000 iterations, 32-byte salt |\n * | Record encryption | AES-256-GCM | 12-byte random IV per operation |\n * | DEK wrapping | AES-KW (RFC 3394) | 256-bit KEK |\n * | Binary encrypt | AES-256-GCM | same as record encryption |\n * | Integrity | HMAC-SHA256 | for presence channels |\n * | Content hash | SHA-256 | for ledger and bundle integrity |\n *\n * ## Key lifecycle\n *\n * ```\n * passphrase + salt\n * └─► deriveKey() → KEK (CryptoKey, extractable: false)\n * └─► wrapKey() → wrapped DEK bytes [stored in keyring]\n * └─► unwrapKey() → DEK (CryptoKey) [memory only during session]\n * └─► encrypt() / decrypt() → ciphertext / plaintext\n * ```\n *\n * IVs are generated fresh by {@link generateIV} on every encrypt call.\n * Reusing an IV with the same key would break GCM's authentication guarantee —\n * this function should be the only place IVs are produced.\n *\n * @module\n */\n\nimport { DecryptionError, InvalidKeyError, TamperedError } from './errors.js'\n\nconst PBKDF2_ITERATIONS = 600_000\nconst SALT_BYTES = 32\nconst IV_BYTES = 12\nconst KEY_BITS = 256\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Key Derivation ────────────────────────────────────────────────────\n\n/** Derive a KEK from a passphrase and salt using PBKDF2-SHA256. */\nexport async function deriveKey(\n passphrase: string,\n salt: Uint8Array,\n): Promise<CryptoKey> {\n const keyMaterial = await subtle.importKey(\n 'raw',\n new TextEncoder().encode(passphrase),\n 'PBKDF2',\n false,\n ['deriveKey'],\n )\n\n return subtle.deriveKey(\n {\n name: 'PBKDF2',\n salt: salt as BufferSource,\n iterations: PBKDF2_ITERATIONS,\n hash: 'SHA-256',\n },\n keyMaterial,\n { name: 'AES-KW', length: KEY_BITS },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n}\n\n// ─── DEK Generation ────────────────────────────────────────────────────\n\n/** Generate a random AES-256-GCM data encryption key. */\nexport async function generateDEK(): Promise<CryptoKey> {\n return subtle.generateKey(\n { name: 'AES-GCM', length: KEY_BITS },\n true, // extractable — needed for AES-KW wrapping\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── Key Wrapping ──────────────────────────────────────────────────────\n\n/** Wrap (encrypt) a DEK with a KEK using AES-KW. Returns base64 string. */\nexport async function wrapKey(dek: CryptoKey, kek: CryptoKey): Promise<string> {\n const wrapped = await subtle.wrapKey('raw', dek, kek, 'AES-KW')\n return bufferToBase64(wrapped)\n}\n\n/** Unwrap (decrypt) a DEK from base64 string using a KEK. */\nexport async function unwrapKey(\n wrappedBase64: string,\n kek: CryptoKey,\n): Promise<CryptoKey> {\n try {\n return await subtle.unwrapKey(\n 'raw',\n base64ToBuffer(wrappedBase64) as BufferSource,\n kek,\n 'AES-KW',\n { name: 'AES-GCM', length: KEY_BITS },\n true,\n ['encrypt', 'decrypt'],\n )\n } catch {\n throw new InvalidKeyError()\n }\n}\n\n// ─── Encrypt / Decrypt ─────────────────────────────────────────────────\n\nexport interface EncryptResult {\n iv: string // base64\n data: string // base64\n}\n\n/** Encrypt plaintext JSON string with AES-256-GCM. Fresh IV per call. */\nexport async function encrypt(\n plaintext: string,\n dek: CryptoKey,\n): Promise<EncryptResult> {\n const iv = generateIV()\n const encoded = new TextEncoder().encode(plaintext)\n\n const ciphertext = await subtle.encrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n encoded,\n )\n\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/** Decrypt AES-256-GCM ciphertext. Throws on wrong key or tampered data. */\nexport async function decrypt(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n): Promise<string> {\n const iv = base64ToBuffer(ivBase64)\n const ciphertext = base64ToBuffer(dataBase64)\n\n try {\n const plaintext = await subtle.decrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n ciphertext as BufferSource,\n )\n return new TextDecoder().decode(plaintext)\n } catch (err) {\n if (err instanceof Error && err.name === 'OperationError') {\n throw new TamperedError()\n }\n throw new DecryptionError(\n err instanceof Error ? err.message : 'Decryption failed',\n )\n }\n}\n\n// ─── Binary Encrypt / Decrypt ────────\n\n/**\n * Encrypt raw bytes with AES-256-GCM using a fresh random IV.\n * Used by the attachment store so binary blobs avoid double base64 encoding\n * (the existing `encrypt()` function calls `TextEncoder` on a string — here\n * we pass the `Uint8Array` directly to `subtle.encrypt`).\n */\nexport async function encryptBytes(\n data: Uint8Array,\n dek: CryptoKey,\n): Promise<EncryptResult> {\n const iv = generateIV()\n const ciphertext = await subtle.encrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n data as unknown as BufferSource,\n )\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/**\n * Decrypt AES-256-GCM ciphertext back to raw bytes.\n * Counterpart to `encryptBytes`. Throws `TamperedError` on auth-tag failure.\n */\nexport async function decryptBytes(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n): Promise<Uint8Array> {\n const iv = base64ToBuffer(ivBase64)\n const ciphertext = base64ToBuffer(dataBase64)\n try {\n const plaintext = await subtle.decrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n ciphertext as BufferSource,\n )\n return new Uint8Array(plaintext)\n } catch (err) {\n if (err instanceof Error && err.name === 'OperationError') {\n throw new TamperedError()\n }\n throw new DecryptionError(\n err instanceof Error ? err.message : 'Decryption failed',\n )\n }\n}\n\n/**\n * SHA-256 hex digest of raw bytes. Used to derive content-addressed\n * eTags for blob deduplication. Computed on plaintext bytes\n * before compression and encryption so the eTag identifies content, not\n * ciphertext, and survives re-encryption (key rotation, re-upload).\n */\nexport async function sha256Hex(data: Uint8Array): Promise<string> {\n const hash = await subtle.digest('SHA-256', data as unknown as BufferSource)\n return Array.from(new Uint8Array(hash))\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n// ─── HMAC-SHA-256 ─────────────────────────────\n\n/**\n * Compute HMAC-SHA-256(key, data) and return hex string.\n *\n * Used to derive content-addressed eTags that are opaque to the store:\n * ```\n * eTag = hmacSha256Hex(blobDEK, plaintext)\n * ```\n *\n * Unlike a plain SHA-256, the HMAC is keyed by the vault-shared `_blob` DEK,\n * so an attacker with store access cannot pre-compute eTags for known files.\n * Deduplication still works within a vault (same key + same content = same eTag).\n */\nexport async function hmacSha256Hex(key: CryptoKey, data: Uint8Array): Promise<string> {\n // Export AES-GCM DEK raw bytes → import as HMAC key\n const rawKey = await subtle.exportKey('raw', key)\n const hmacKey = await subtle.importKey(\n 'raw',\n rawKey,\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n )\n const sig = await subtle.sign('HMAC', hmacKey, data as unknown as BufferSource)\n return Array.from(new Uint8Array(sig))\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n// ─── AAD-aware Binary Encrypt / Decrypt ──\n\n/**\n * Encrypt raw bytes with AES-256-GCM using Additional Authenticated Data.\n *\n * The AAD binds each chunk to its parent blob and position, preventing\n * chunk reorder, substitution, and truncation attacks:\n * ```\n * AAD = UTF-8(\"{eTag}:{chunkIndex}:{chunkCount}\")\n * ```\n *\n * The AAD is NOT stored — the reader reconstructs it from `BlobObject`\n * metadata and passes it to `decryptBytesWithAAD`.\n */\nexport async function encryptBytesWithAAD(\n data: Uint8Array,\n dek: CryptoKey,\n aad: Uint8Array,\n): Promise<EncryptResult> {\n const iv = generateIV()\n const ciphertext = await subtle.encrypt(\n {\n name: 'AES-GCM',\n iv: iv as BufferSource,\n additionalData: aad as BufferSource,\n },\n dek,\n data as unknown as BufferSource,\n )\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/**\n * Decrypt AES-256-GCM ciphertext with AAD verification.\n *\n * If the AAD does not match the one used at encryption time (e.g. because\n * a chunk was reordered or substituted from another blob), the GCM auth\n * tag fails and this throws `TamperedError`.\n */\nexport async function decryptBytesWithAAD(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n aad: Uint8Array,\n): Promise<Uint8Array> {\n const iv = base64ToBuffer(ivBase64)\n const ciphertext = base64ToBuffer(dataBase64)\n try {\n const plaintext = await subtle.decrypt(\n {\n name: 'AES-GCM',\n iv: iv as BufferSource,\n additionalData: aad as BufferSource,\n },\n dek,\n ciphertext as BufferSource,\n )\n return new Uint8Array(plaintext)\n } catch (err) {\n if (err instanceof Error && err.name === 'OperationError') {\n throw new TamperedError()\n }\n throw new DecryptionError(\n err instanceof Error ? err.message : 'Decryption failed',\n )\n }\n}\n\n// ─── Presence Key Derivation ──────────────────────────────\n\n/**\n * Derive an AES-256-GCM presence key from a collection DEK using HKDF-SHA256.\n *\n * The presence key is domain-separated from the data DEK by the fixed salt\n * `'noydb-presence'` and the `info` = collection name. This means:\n * - The adapter never sees the presence key.\n * - Presence payloads rotate automatically when the collection DEK is rotated.\n * - Revoked users cannot derive the new presence key after a DEK rotation.\n *\n * @param dek The collection's AES-256-GCM DEK (extractable).\n * @param collectionName Used as the HKDF `info` parameter for domain separation.\n * @returns A non-extractable AES-256-GCM key suitable for presence payload encryption.\n */\nexport async function derivePresenceKey(dek: CryptoKey, collectionName: string): Promise<CryptoKey> {\n // Step 1: export DEK raw bytes\n const rawDek = await subtle.exportKey('raw', dek)\n\n // Step 2: import as HKDF key material\n const hkdfKey = await subtle.importKey(\n 'raw',\n rawDek,\n 'HKDF',\n false,\n ['deriveBits'],\n )\n\n // Step 3: derive 256 bits with salt='noydb-presence' and info=collectionName\n const salt = new TextEncoder().encode('noydb-presence')\n const info = new TextEncoder().encode(collectionName)\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n KEY_BITS,\n )\n\n // Step 4: import derived bits as AES-GCM key\n return subtle.importKey(\n 'raw',\n bits,\n { name: 'AES-GCM', length: KEY_BITS },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── Deterministic Encryption ────────────────────────────\n\n/**\n * Derive a deterministic 12-byte IV from `{ DEK, context, plaintext }`\n * via HKDF-SHA256. Given the same three inputs, the IV is identical, so\n * `encryptDeterministic` produces the same ciphertext on every call —\n * which is precisely what enables blind equality search on encrypted\n * fields.\n *\n * **The side channel this opens.** Two records whose field value is the\n * same produce the same ciphertext. An observer with store access can\n * therefore tell which records share a value — not *what* the value is,\n * but the equivalence class. This is the well-known trade-off of\n * deterministic encryption and is why the feature is strictly opt-in\n * per field, guarded by `acknowledgeDeterministicRisk: true` at\n * collection creation.\n *\n * The context string MUST include the collection name and field name,\n * so:\n * - The same plaintext in two different fields encrypts differently\n * (no cross-field equality leak).\n * - The same plaintext in two different collections (different DEKs)\n * encrypts differently by virtue of the key, even before HKDF\n * domain separation kicks in.\n */\nasync function deriveDeterministicIV(\n dek: CryptoKey,\n context: string,\n plaintext: string,\n): Promise<Uint8Array> {\n const rawDek = await subtle.exportKey('raw', dek)\n const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n const salt = new TextEncoder().encode('noydb-deterministic-v1')\n const info = new TextEncoder().encode(`${context}\\x00${plaintext}`)\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n IV_BYTES * 8,\n )\n return new Uint8Array(bits)\n}\n\n/**\n * Encrypt a plaintext string with AES-256-GCM and a deterministic,\n * HKDF-derived IV.\n *\n * The same `{ dek, context, plaintext }` triple always produces the\n * same `{ iv, data }` — call this twice and you can string-compare the\n * ciphertexts to check equality of the inputs without decrypting them.\n *\n * @param context Domain-separation string — by convention\n * `'<collection>/<field>'`. Different contexts encrypt\n * the same plaintext to different ciphertexts, so\n * `email` in collection `users` does not collide with\n * `email` in collection `customers`.\n */\nexport async function encryptDeterministic(\n plaintext: string,\n dek: CryptoKey,\n context: string,\n): Promise<EncryptResult> {\n const iv = await deriveDeterministicIV(dek, context, plaintext)\n const encoded = new TextEncoder().encode(plaintext)\n const ciphertext = await subtle.encrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n encoded,\n )\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/**\n * Counterpart to {@link encryptDeterministic}. The IV is stored\n * alongside the ciphertext (exactly like the randomized path), so\n * decrypt uses the stored IV and verifies the GCM auth tag — a tampered\n * ciphertext throws `TamperedError` just like randomized AES-GCM.\n */\nexport async function decryptDeterministic(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n): Promise<string> {\n return decrypt(ivBase64, dataBase64, dek)\n}\n\n// ─── Random Generation ─────────────────────────────────────────────────\n\n/** Generate a random 12-byte IV for AES-GCM. */\nexport function generateIV(): Uint8Array {\n return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES))\n}\n\n/** Generate a random 32-byte salt for PBKDF2. */\nexport function generateSalt(): Uint8Array {\n return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n}\n\n// ─── Base64 Helpers ────────────────────────────────────────────────────\n\nexport function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string {\n const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer)\n let binary = ''\n for (let i = 0; i < bytes.length; i++) {\n binary += String.fromCharCode(bytes[i]!)\n }\n return btoa(binary)\n}\n\nexport function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer> {\n const binary = atob(base64)\n const bytes = new Uint8Array(binary.length)\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i)\n }\n return bytes\n}\n"],"mappings":";;;;;;;AAwCA,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AACnB,IAAM,WAAW;AACjB,IAAM,WAAW;AAEjB,IAAM,SAAS,WAAW,OAAO;AAKjC,eAAsB,UACpB,YACA,MACoB;AACpB,QAAM,cAAc,MAAM,OAAO;AAAA,IAC/B;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,UAAU;AAAA,IACnC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AAEA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU,QAAQ,SAAS;AAAA,IACnC;AAAA,IACA,CAAC,WAAW,WAAW;AAAA,EACzB;AACF;AAKA,eAAsB,cAAkC;AACtD,SAAO,OAAO;AAAA,IACZ,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAKA,eAAsB,QAAQ,KAAgB,KAAiC;AAC7E,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAC9D,SAAO,eAAe,OAAO;AAC/B;AAGA,eAAsB,UACpB,eACA,KACoB;AACpB,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,eAAe,aAAa;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,MACpC;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,gBAAgB;AAAA,EAC5B;AACF;AAUA,eAAsB,QACpB,WACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAElD,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAGA,eAAsB,QACpB,UACA,YACA,KACiB;AACjB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAE5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW,GAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,YAAY,EAAE,OAAO,SAAS;AAAA,EAC3C,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAUA,eAAsB,aACpB,MACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAMA,eAAsB,aACpB,UACA,YACA,KACqB;AACrB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAC5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW,GAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAQA,eAAsB,UAAU,MAAmC;AACjE,QAAM,OAAO,MAAM,OAAO,OAAO,WAAW,IAA+B;AAC3E,SAAO,MAAM,KAAK,IAAI,WAAW,IAAI,CAAC,EACnC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBA,eAAsB,cAAc,KAAgB,MAAmC;AAErF,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,QAAM,MAAM,MAAM,OAAO,KAAK,QAAQ,SAAS,IAA+B;AAC9E,SAAO,MAAM,KAAK,IAAI,WAAW,GAAG,CAAC,EAClC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBA,eAAsB,oBACpB,MACA,KACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,gBAAgB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AASA,eAAsB,oBACpB,UACA,YACA,KACA,KACqB;AACrB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAC5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B;AAAA,QACE,MAAM;AAAA,QACN;AAAA,QACA,gBAAgB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAiBA,eAAsB,kBAAkB,KAAgB,gBAA4C;AAElG,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAGhD,QAAM,UAAU,MAAM,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AAGA,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,gBAAgB;AACtD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,cAAc;AACpD,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AAGA,SAAO,OAAO;AAAA,IACZ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AA2BA,eAAe,sBACb,KACA,SACA,WACqB;AACrB,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,wBAAwB;AAC9D,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,GAAG,OAAO,KAAO,SAAS,EAAE;AAClE,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA,WAAW;AAAA,EACb;AACA,SAAO,IAAI,WAAW,IAAI;AAC5B;AAgBA,eAAsB,qBACpB,WACA,KACA,SACwB;AACxB,QAAM,KAAK,MAAM,sBAAsB,KAAK,SAAS,SAAS;AAC9D,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAQA,eAAsB,qBACpB,UACA,YACA,KACiB;AACjB,SAAO,QAAQ,UAAU,YAAY,GAAG;AAC1C;AAKO,SAAS,aAAyB;AACvC,SAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AACnE;AAGO,SAAS,eAA2B;AACzC,SAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AACrE;AAIO,SAAS,eAAe,QAA0C;AACvE,QAAM,QAAQ,kBAAkB,aAAa,SAAS,IAAI,WAAW,MAAM;AAC3E,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAAA,EACzC;AACA,SAAO,KAAK,MAAM;AACpB;AAEO,SAAS,eAAe,QAAyC;AACtE,QAAM,SAAS,KAAK,MAAM;AAC1B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO;AACT;","names":[]}

package/dist/executor-6ZDSDZ6V.js DELETED Viewed

@@ -1,8 +0,0 @@
-import {
-  DerivationExecutor
-} from "./chunk-X73VS74Y.js";
-import "./chunk-535SSHBS.js";
-export {
-  DerivationExecutor
-};
-//# sourceMappingURL=executor-6ZDSDZ6V.js.map

package/dist/executor-AZLS3KBK.js DELETED Viewed

@@ -1,11 +0,0 @@
-import {
-  MaterializedViewExecutor
-} from "./chunk-HBXJ37ZY.js";
-import "./chunk-G4SCICH5.js";
-import "./chunk-L2BNJ6HM.js";
-import "./chunk-CJORTUJ2.js";
-import "./chunk-535SSHBS.js";
-export {
-  MaterializedViewExecutor
-};
-//# sourceMappingURL=executor-AZLS3KBK.js.map

package/dist/executor-IDZDAFNH.js DELETED Viewed

@@ -1,8 +0,0 @@
-import {
-  GuardExecutor
-} from "./chunk-ZNQYHJXX.js";
-import "./chunk-535SSHBS.js";
-export {
-  GuardExecutor
-};
-//# sourceMappingURL=executor-IDZDAFNH.js.map

package/dist/immutable-guard-CRPvu24K.d.cts DELETED Viewed

@@ -1,82 +0,0 @@
-import { as as GuardStrategy, aw as GuardStrategyHandle, at as GuardChange, au as GuardContext } from './types-Bze6vkwm.cjs';
-/**
- * Register a guard for a collection. Guards run on every `put()` /
- * `delete()` for the named collection (after permissions, before
- * encryption) and may:
- *
- *   - `check` — block writes by throwing (typically `RecordLockedError`)
- *   - `frozenFields` — freeze specific fields once a condition is true
- *   - `amendment` — declare an authorized-override path with invariant
- *
- * Pass the returned handle to `createNoydb({ strategies: [...] })`.
- *
- * @see docs/superpowers/specs/2026-05-18-guards-design.md
- */
-declare function withGuard<T extends Record<string, unknown>>(strategy: GuardStrategy<T>): GuardStrategyHandle<T>;
-/**
- * `immutableGuard` — declarative WORM / append-only sugar over the guard
- * subsystem.
- *
- * Issued fiscal documents (invoices, DDTs) must be immutable after issue.
- * That is expressible today with a hand-rolled `withGuard` (block on
- * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is
- * repetitive and easy to get subtly wrong. `immutableGuard` generates
- * exactly that guard from a declarative config, reusing the guard
- * machinery wholesale — `check`/`onDelete` rejection, the ledgered
- * `amendment` override, and composition with `periods`/`history`.
- *
- * ```ts
- * createNoydb({ guardStrategies: [
- *   immutableGuard({
- *     collection: 'invoices',
- *     after: (r) => r.status === 'issued',   // immutable once issued
- *   }),
- * ] })
- * ```
- *
- * A record is mutable until `after(record)` holds; from then on, updates
- * and deletes throw `RecordLockedError` unless performed inside an
- * `amendment` transaction by an authorized role (the override is
- * ledgered by the guard amendment mechanism). `appendOnly: true` is
- * shorthand for `after: () => true` — immutable from creation.
- */
-interface ImmutableGuardConfig<T extends Record<string, unknown>> {
-    /** The collection to make WORM. */
-    collection: string;
-    /**
-     * A record becomes immutable once this predicate holds. Evaluated on
-     * the *existing* (already-persisted) record, so the write that first
-     * makes it true is still allowed; subsequent writes are blocked.
-     * Mutually exclusive with `appendOnly`.
-     */
-    after?: (record: T) => boolean;
-    /** Shorthand for `after: () => true` — immutable from creation. */
-    appendOnly?: boolean;
-    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
-    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
-    /**
-     * Optional set-level invariant run over the amendment change-set after
-     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
-     * exactly: it receives every {before, after} pair touching this
-     * collection in the amendment plus the guard context; throwing reverts
-     * the whole amendment and surfaces as `InvariantError`.
-     *
-     * Use this to keep a constraint inviolable EVEN under amendment — e.g.
-     * forbid deleting an issued document by re-throwing on any
-     * `before !== null && after === null` change, or assert a cross-record
-     * sum is preserved. When omitted the amendment is unconditionally
-     * allowed (the amendment itself is the sanctioned, ledgered override) —
-     * this is the backward-compatible default.
-     */
-    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
-}
-/**
- * Build an immutability guard. Pass the returned handle to
- * `createNoydb({ guardStrategies: [...] })`.
- */
-declare function immutableGuard<T extends Record<string, unknown>>(config: ImmutableGuardConfig<T>): GuardStrategyHandle<T>;
-export { type ImmutableGuardConfig as I, immutableGuard as i, withGuard as w };

package/dist/immutable-guard-Dov3WvwF.d.ts DELETED Viewed

@@ -1,82 +0,0 @@
-import { as as GuardStrategy, aw as GuardStrategyHandle, at as GuardChange, au as GuardContext } from './types-DrmBTscX.js';
-/**
- * Register a guard for a collection. Guards run on every `put()` /
- * `delete()` for the named collection (after permissions, before
- * encryption) and may:
- *
- *   - `check` — block writes by throwing (typically `RecordLockedError`)
- *   - `frozenFields` — freeze specific fields once a condition is true
- *   - `amendment` — declare an authorized-override path with invariant
- *
- * Pass the returned handle to `createNoydb({ strategies: [...] })`.
- *
- * @see docs/superpowers/specs/2026-05-18-guards-design.md
- */
-declare function withGuard<T extends Record<string, unknown>>(strategy: GuardStrategy<T>): GuardStrategyHandle<T>;
-/**
- * `immutableGuard` — declarative WORM / append-only sugar over the guard
- * subsystem.
- *
- * Issued fiscal documents (invoices, DDTs) must be immutable after issue.
- * That is expressible today with a hand-rolled `withGuard` (block on
- * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is
- * repetitive and easy to get subtly wrong. `immutableGuard` generates
- * exactly that guard from a declarative config, reusing the guard
- * machinery wholesale — `check`/`onDelete` rejection, the ledgered
- * `amendment` override, and composition with `periods`/`history`.
- *
- * ```ts
- * createNoydb({ guardStrategies: [
- *   immutableGuard({
- *     collection: 'invoices',
- *     after: (r) => r.status === 'issued',   // immutable once issued
- *   }),
- * ] })
- * ```
- *
- * A record is mutable until `after(record)` holds; from then on, updates
- * and deletes throw `RecordLockedError` unless performed inside an
- * `amendment` transaction by an authorized role (the override is
- * ledgered by the guard amendment mechanism). `appendOnly: true` is
- * shorthand for `after: () => true` — immutable from creation.
- */
-interface ImmutableGuardConfig<T extends Record<string, unknown>> {
-    /** The collection to make WORM. */
-    collection: string;
-    /**
-     * A record becomes immutable once this predicate holds. Evaluated on
-     * the *existing* (already-persisted) record, so the write that first
-     * makes it true is still allowed; subsequent writes are blocked.
-     * Mutually exclusive with `appendOnly`.
-     */
-    after?: (record: T) => boolean;
-    /** Shorthand for `after: () => true` — immutable from creation. */
-    appendOnly?: boolean;
-    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
-    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
-    /**
-     * Optional set-level invariant run over the amendment change-set after
-     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
-     * exactly: it receives every {before, after} pair touching this
-     * collection in the amendment plus the guard context; throwing reverts
-     * the whole amendment and surfaces as `InvariantError`.
-     *
-     * Use this to keep a constraint inviolable EVEN under amendment — e.g.
-     * forbid deleting an issued document by re-throwing on any
-     * `before !== null && after === null` change, or assert a cross-record
-     * sum is preserved. When omitted the amendment is unconditionally
-     * allowed (the amendment itself is the sanctioned, ledgered override) —
-     * this is the backward-compatible default.
-     */
-    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
-}
-/**
- * Build an immutability guard. Pass the returned handle to
- * `createNoydb({ guardStrategies: [...] })`.
- */
-declare function immutableGuard<T extends Record<string, unknown>>(config: ImmutableGuardConfig<T>): GuardStrategyHandle<T>;
-export { type ImmutableGuardConfig as I, immutableGuard as i, withGuard as w };

package/dist/issue-RZP3VI6O.js DELETED Viewed

@@ -1,12 +0,0 @@
-import {
-  issueAttestationCore
-} from "./chunk-3YWP3WBP.js";
-import "./chunk-IXBIFDEW.js";
-import "./chunk-FZU343FL.js";
-import "./chunk-F3BPIPLS.js";
-import "./chunk-YULZKK4F.js";
-import "./chunk-535SSHBS.js";
-export {
-  issueAttestationCore
-};
-//# sourceMappingURL=issue-RZP3VI6O.js.map

package/dist/noydb-WCMY2ZOW.js DELETED Viewed

@@ -1,35 +0,0 @@
-import {
-  Noydb,
-  createNoydb
-} from "./chunk-667MB6AH.js";
-import "./chunk-ZC7J6ZYV.js";
-import "./chunk-EMIGCR7X.js";
-import "./chunk-QVIEAYTP.js";
-import "./chunk-VLMPU56Q.js";
-import "./chunk-CZI2A4MQ.js";
-import "./chunk-GNI5STXQ.js";
-import "./chunk-OB2ZJQ2D.js";
-import "./chunk-QSUK7YWK.js";
-import "./chunk-UF3BUNQZ.js";
-import "./chunk-7BQ4QWYX.js";
-import "./chunk-DLZ2ONOD.js";
-import "./chunk-4TBBMHVC.js";
-import "./chunk-6H2ZUNR7.js";
-import "./chunk-2QR2PQTT.js";
-import "./chunk-FZU343FL.js";
-import "./chunk-BR3AMFGS.js";
-import "./chunk-Z6FNBOTC.js";
-import "./chunk-DUREQF5W.js";
-import "./chunk-XWH4MXIU.js";
-import "./chunk-IQLVUT37.js";
-import "./chunk-L2BNJ6HM.js";
-import "./chunk-CJORTUJ2.js";
-import "./chunk-XL35NSEN.js";
-import "./chunk-F3BPIPLS.js";
-import "./chunk-YULZKK4F.js";
-import "./chunk-535SSHBS.js";
-export {
-  Noydb,
-  createNoydb
-};
-//# sourceMappingURL=noydb-WCMY2ZOW.js.map

package/dist/read-only-facade-ITU6L7BL.js DELETED Viewed

@@ -1,7 +0,0 @@
-import {
-  ReadOnlyVaultFacade
-} from "./chunk-UMLVJTYV.js";
-export {
-  ReadOnlyVaultFacade
-};
-//# sourceMappingURL=read-only-facade-ITU6L7BL.js.map

package/dist/registry-EB6SISTA.js DELETED Viewed

@@ -1,8 +0,0 @@
-import {
-  DerivationRegistry
-} from "./chunk-7Z7KSVA5.js";
-import "./chunk-535SSHBS.js";
-export {
-  DerivationRegistry
-};
-//# sourceMappingURL=registry-EB6SISTA.js.map

package/dist/registry-IUZQVVBB.js DELETED Viewed

@@ -1,8 +0,0 @@
-import {
-  OverlayedViewRegistry
-} from "./chunk-TS26M2SB.js";
-import "./chunk-535SSHBS.js";
-export {
-  OverlayedViewRegistry
-};
-//# sourceMappingURL=registry-IUZQVVBB.js.map

package/dist/state-vault-TMXZRTY5.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/federation/schema-manifest.ts","../src/federation/state-vault.ts"],"sourcesContent":["/**\n * @category capability\n * StateManagement Vault — schema blueprint capture + deterministic\n * fingerprint. See\n * docs/superpowers/specs/2026-06-08-statemanagement-vault-design.md.\n */\nimport type { Vault } from '../vault.js'\nimport type { IndexDef } from '../indexing/eager-indexes.js'\nimport { sha256Hex } from '../crypto.js'\nimport type { CapturedBlueprint } from './types.js'\n\ninterface RecordedCollection {\n name: string\n indexes: IndexDef[]\n persistJsonSchema: boolean\n}\n\n/**\n * Run `configure` against a recording proxy that intercepts\n * `collection(name, opts)` calls and captures the declared blueprint.\n * The proxy delegates every other access to a no-op stub so unrelated\n * `configure` calls (guards, blob setup) do not throw — only the\n * declared collections/indexes feed the fingerprint.\n */\nexport function captureBlueprint(configure: (vault: Vault) => void): CapturedBlueprint {\n const recorded: RecordedCollection[] = []\n // Minimal chainable stub returned by intercepted collection() — supports\n // the fluent calls a template might make without affecting the blueprint.\n const collectionStub = new Proxy(\n {},\n {\n get: () => () => collectionStub,\n },\n )\n const proxy = new Proxy(\n {},\n {\n get: (_t, prop) => {\n if (prop === 'collection') {\n return (name: string, opts?: { indexes?: IndexDef[]; persistJsonSchema?: boolean }) => {\n recorded.push({\n name,\n indexes: opts?.indexes ?? [],\n persistJsonSchema: !!opts?.persistJsonSchema,\n })\n return collectionStub\n }\n }\n // Any other vault method/property: a no-op callable that returns the proxy.\n return () => proxy\n },\n },\n ) as unknown as Vault\n\n configure(proxy)\n\n const sorted = [...recorded].sort((a, b) => a.name.localeCompare(b.name))\n const indexes: Record<string, IndexDef[]> = {}\n const persistJsonSchema: string[] = []\n for (const c of sorted) {\n indexes[c.name] = c.indexes\n if (c.persistJsonSchema) persistJsonSchema.push(c.name)\n }\n return {\n // `persistJsonSchema` is already name-sorted: it is populated while\n // iterating `sorted` (collections in name order).\n collections: sorted.map((c) => c.name),\n indexes,\n persistJsonSchema,\n }\n}\n\n/** Canonical JSON: object keys sorted recursively so the bytes are stable. */\nfunction canonical(value: unknown): string {\n if (value === null || typeof value !== 'object') return JSON.stringify(value)\n if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`\n const obj = value as Record<string, unknown>\n const keys = Object.keys(obj).sort()\n return `{${keys.map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(',')}}`\n}\n\n/** sha256 (hex) over the canonicalized serializable blueprint. Uses the shared hub helper. */\nexport async function fingerprintBlueprint(bp: CapturedBlueprint): Promise<string> {\n return sha256Hex(new TextEncoder().encode(canonical(bp)))\n}\n","/**\n * @category capability\n * StateManagement Vault — federation control plane (registry +\n * schema-manifest + append-only deployment-events). See\n * docs/superpowers/specs/2026-06-08-statemanagement-vault-design.md.\n */\nimport type { Noydb } from '../noydb.js'\nimport type { Collection } from '../collection.js'\nimport type { Query } from '../query/builder.js'\nimport type { VaultRegistryRow, SchemaManifestRow, DeploymentEvent, VaultTemplate } from './types.js'\nimport { captureBlueprint, fingerprintBlueprint } from './schema-manifest.js'\nimport { STATE_VAULT_NAME } from './constants.js'\nimport { generateULID } from '../bundle/ulid.js'\n\n// Re-export so consumers can `import { STATE_VAULT_NAME } from '@noy-db/hub'`.\nexport { STATE_VAULT_NAME } from './constants.js'\n\n// Physical collection names — single-token (camelCase) to stay clear of any\n// collection-name charset restrictions; the existing suite uses single-word names.\nconst REGISTRY = 'vaultRegistry'\nconst MANIFEST = 'schemaManifest'\nconst EVENTS = 'deploymentEvents'\n\nexport class StateManagementVault {\n /**\n * The append-only deployment-events log is kept truly private so the raw\n * mutable Collection is never surfaced — events may only be written via\n * `appendEvent` and read via `queryEvents`. (`registry` and\n * `schemaManifest` are deliberately public: consumers read and write them.)\n */\n readonly #events: Collection<DeploymentEvent>\n\n private constructor(\n readonly registry: Collection<VaultRegistryRow>,\n readonly schemaManifest: Collection<SchemaManifestRow>,\n events: Collection<DeploymentEvent>,\n ) {\n this.#events = events\n }\n\n /** Idempotently open the reserved state vault and bind the three control-plane collections. */\n static async open(db: Noydb): Promise<StateManagementVault> {\n const vault = await db.openVault(STATE_VAULT_NAME)\n return new StateManagementVault(\n vault.collection<VaultRegistryRow>(REGISTRY),\n vault.collection<SchemaManifestRow>(MANIFEST),\n vault.collection<DeploymentEvent>(EVENTS),\n )\n }\n\n /** Read-only query over the append-only deployment-events log. */\n queryEvents(): Query<DeploymentEvent> {\n return this.#events.query()\n }\n\n /**\n * Append a deployment event with a fresh unique (ULID) id. This is the\n * only write path to the events log; no update/delete is exposed.\n * Callers should treat failures as non-fatal — this method does not\n * swallow errors, so wrap the call site in try/catch where appropriate.\n */\n async appendEvent(event: Omit<DeploymentEvent, 'id' | 'ts'> & { ts?: number }): Promise<void> {\n const ts = event.ts ?? Date.now()\n const id = generateULID()\n await this.#events.put(id, { ...event, id, ts })\n }\n\n /**\n * Ensure a manifest row exists for `(templateName, template.version)`.\n * Safe to call repeatedly: the `fingerprint` is a deterministic hash of\n * the template's declared shape (stable across calls), though each call\n * refreshes `recordedAt`.\n */\n async recordManifest(templateName: string, template: VaultTemplate): Promise<string> {\n const bp = captureBlueprint(template.configure)\n const fingerprint = await fingerprintBlueprint(bp)\n await this.schemaManifest.put(`${templateName}:${template.version}`, {\n templateName,\n version: template.version,\n collections: bp.collections,\n indexes: bp.indexes,\n persistJsonSchema: bp.persistJsonSchema,\n fingerprint,\n recordedAt: Date.now(),\n })\n return fingerprint\n }\n\n /**\n * True when `template`'s current declared shape does not match the recorded\n * manifest for `(templateName, template.version)`. Because shards carry no\n * schema state independent of their template, this catches \"a template's\n * shape changed without bumping `version`\" — not independent per-shard drift.\n * A missing manifest is treated as drift (nothing to verify against).\n */\n async detectDrift(templateName: string, template: VaultTemplate): Promise<boolean> {\n const row = await this.schemaManifest.get(`${templateName}:${template.version}`)\n if (!row) return true\n const current = await fingerprintBlueprint(captureBlueprint(template.configure))\n return current !== row.fingerprint\n }\n}\n"],"mappings":";;;;;;;;;;;;AAwBO,SAAS,iBAAiB,WAAsD;AACrF,QAAM,WAAiC,CAAC;AAGxC,QAAM,iBAAiB,IAAI;AAAA,IACzB,CAAC;AAAA,IACD;AAAA,MACE,KAAK,MAAM,MAAM;AAAA,IACnB;AAAA,EACF;AACA,QAAM,QAAQ,IAAI;AAAA,IAChB,CAAC;AAAA,IACD;AAAA,MACE,KAAK,CAAC,IAAI,SAAS;AACjB,YAAI,SAAS,cAAc;AACzB,iBAAO,CAAC,MAAc,SAAiE;AACrF,qBAAS,KAAK;AAAA,cACZ;AAAA,cACA,SAAS,MAAM,WAAW,CAAC;AAAA,cAC3B,mBAAmB,CAAC,CAAC,MAAM;AAAA,YAC7B,CAAC;AACD,mBAAO;AAAA,UACT;AAAA,QACF;AAEA,eAAO,MAAM;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAEA,YAAU,KAAK;AAEf,QAAM,SAAS,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AACxE,QAAM,UAAsC,CAAC;AAC7C,QAAM,oBAA8B,CAAC;AACrC,aAAW,KAAK,QAAQ;AACtB,YAAQ,EAAE,IAAI,IAAI,EAAE;AACpB,QAAI,EAAE,kBAAmB,mBAAkB,KAAK,EAAE,IAAI;AAAA,EACxD;AACA,SAAO;AAAA;AAAA;AAAA,IAGL,aAAa,OAAO,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,IACrC;AAAA,IACA;AAAA,EACF;AACF;AAGA,SAAS,UAAU,OAAwB;AACzC,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC5E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,IAAI,MAAM,IAAI,SAAS,EAAE,KAAK,GAAG,CAAC;AACnE,QAAM,MAAM;AACZ,QAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,SAAO,IAAI,KAAK,IAAI,CAAC,MAAM,GAAG,KAAK,UAAU,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,GAAG,CAAC;AACnF;AAGA,eAAsB,qBAAqB,IAAwC;AACjF,SAAO,UAAU,IAAI,YAAY,EAAE,OAAO,UAAU,EAAE,CAAC,CAAC;AAC1D;;;ACjEA,IAAM,WAAW;AACjB,IAAM,WAAW;AACjB,IAAM,SAAS;AAER,IAAM,uBAAN,MAAM,sBAAqB;AAAA,EASxB,YACG,UACA,gBACT,QACA;AAHS;AACA;AAGT,SAAK,UAAU;AAAA,EACjB;AAAA,EALW;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAJF;AAAA;AAAA,EAWT,aAAa,KAAK,IAA0C;AAC1D,UAAM,QAAQ,MAAM,GAAG,UAAU,gBAAgB;AACjD,WAAO,IAAI;AAAA,MACT,MAAM,WAA6B,QAAQ;AAAA,MAC3C,MAAM,WAA8B,QAAQ;AAAA,MAC5C,MAAM,WAA4B,MAAM;AAAA,IAC1C;AAAA,EACF;AAAA;AAAA,EAGA,cAAsC;AACpC,WAAO,KAAK,QAAQ,MAAM;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAY,OAA4E;AAC5F,UAAM,KAAK,MAAM,MAAM,KAAK,IAAI;AAChC,UAAM,KAAK,aAAa;AACxB,UAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,GAAG,OAAO,IAAI,GAAG,CAAC;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,eAAe,cAAsB,UAA0C;AACnF,UAAM,KAAK,iBAAiB,SAAS,SAAS;AAC9C,UAAM,cAAc,MAAM,qBAAqB,EAAE;AACjD,UAAM,KAAK,eAAe,IAAI,GAAG,YAAY,IAAI,SAAS,OAAO,IAAI;AAAA,MACnE;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,aAAa,GAAG;AAAA,MAChB,SAAS,GAAG;AAAA,MACZ,mBAAmB,GAAG;AAAA,MACtB;AAAA,MACA,YAAY,KAAK,IAAI;AAAA,IACvB,CAAC;AACD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,YAAY,cAAsB,UAA2C;AACjF,UAAM,MAAM,MAAM,KAAK,eAAe,IAAI,GAAG,YAAY,IAAI,SAAS,OAAO,EAAE;AAC/E,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,UAAU,MAAM,qBAAqB,iBAAiB,SAAS,SAAS,CAAC;AAC/E,WAAO,YAAY,IAAI;AAAA,EACzB;AACF;","names":[]}

package/dist/vault-group-DX2HFQMX.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/federation/classify-skip.ts","../src/federation/cross-shard-join.ts","../src/federation/cross-vault-live.ts","../src/federation/aggregate-across.ts","../src/federation/vault-group.ts"],"sourcesContent":["import { NoAccessError } from '../errors.js'\nimport type { SkippedVault } from './types.js'\n\n/**\n * Classify a per-shard fan-out failure. `NoAccessError` (no keyring envelope for\n * the calling identity) is the unambiguous not-granted signal → `'no-grant'`\n * (expected under scoped access, not a fault). Everything else → `'error'` —\n * `InvalidKeyError`/`DecryptionError`/`KeyringCorruptError` can mean \"wrong KEK\n * OR whole-file corruption\" per loadKeyring, so they must not hide as no-grant.\n */\nexport function classifyShardSkip(err: Error): Exclude<SkippedVault['reason'], 'schema-drift'> {\n return err instanceof NoAccessError ? 'no-grant' : 'error'\n}\n","/**\n * @category capability\n * crossShardJoin — co-partitioned + broadcast dimension join for\n * ShardedQuery. Spec:\n * docs/superpowers/specs/2026-06-09-cross-shard-join-design.md.\n *\n * This module owns the BROADCAST half (central, post-merge map-attach)\n * and the leg type definitions. The CO-PARTITIONED half is threaded\n * into the existing intra-vault `.join()` from vault-group.ts — see\n * ShardedQuery.fanoutRecords. join.ts is deliberately untouched.\n */\nimport { readPath } from '../query/predicate.js'\nimport type { JoinStrategy } from '../query/join.js'\n\n/** Public options for `ShardedQuery.crossShardJoin`. */\nexport interface CrossShardJoinOptions {\n /** Alias key under which the joined same-shard record attaches. */\n readonly as: string\n /** Per-shard row ceiling override (default DEFAULT_JOIN_MAX_ROWS). */\n readonly maxRows?: number\n /** Planner strategy override, passed through to intra-vault `.join()`. */\n readonly strategy?: JoinStrategy\n}\n\n/**\n * Minimal structural shape of a broadcast dimension source. A\n * `Collection` satisfies this natively: `list()` hydrates and returns\n * the decoded records. Kept as a one-method interface so plain test\n * sources are trivial to construct.\n */\nexport interface BroadcastSource {\n list(): Promise<readonly unknown[]>\n}\n\n/** Public options for `ShardedQuery.broadcastJoin`. */\nexport interface BroadcastJoinOptions {\n /** Alias key under which the dimension record attaches. */\n readonly as: string\n /** The shared dimension collection (an opened handle in another vault). */\n readonly from: BroadcastSource\n /** Right-side key to match `field` against. Default 'id'. */\n readonly on?: string\n /** Miss behavior. 'warn' (default) attaches null + one-shot warning; 'cascade' is silent. */\n readonly mode?: 'warn' | 'cascade'\n}\n\n/** Internal co-partitioned leg carried on ShardedQuery. */\nexport interface CoPartitionedLeg {\n readonly field: string\n readonly as: string\n readonly maxRows: number | undefined\n readonly strategy: JoinStrategy | undefined\n}\n\n/** Internal broadcast leg carried on ShardedQuery. */\nexport interface BroadcastLeg {\n readonly field: string\n readonly as: string\n readonly from: BroadcastSource\n readonly on: string\n readonly mode: 'warn' | 'cascade'\n}\n\n/**\n * Coerce an unknown key value into a lookup string. Mirrors join.ts's\n * private `coerceRefKey` (string → string; number/bigint → String;\n * else null) — re-implemented locally to keep join.ts literally\n * untouched.\n */\nfunction coerceKey(value: unknown): string | null {\n if (value === null || value === undefined) return null\n if (typeof value === 'string') return value\n if (typeof value === 'number' || typeof value === 'bigint') return String(value)\n return null\n}\n\n/** One-shot warn dedup for broadcast misses, keyed by `field→as`. */\nconst warnedBroadcastKeys = new Set<string>()\nfunction warnOnceBroadcastMiss(field: string, as: string, key: string): void {\n const dedup = `${field}→${as}:${key}`\n if (warnedBroadcastKeys.has(dedup)) return\n warnedBroadcastKeys.add(dedup)\n console.warn(\n `[noy-db] broadcastJoin: no \"${as}\" dimension row for ${field}=\"${key}\". ` +\n `Attaching null. Use mode: 'cascade' to silence.`,\n )\n}\n\n/** Test-only reset for the broadcast warn dedup set. */\nexport function resetBroadcastWarnings(): void {\n warnedBroadcastKeys.clear()\n}\n\n/**\n * Apply every broadcast leg to a merged row set, centrally. Each leg's\n * source is snapshotted ONCE, indexed by its `on` key, then every row\n * gets `{ [as]: match ?? null }`. Returns fresh top-level objects.\n */\nexport async function applyBroadcastLegs(\n rows: readonly unknown[],\n legs: readonly BroadcastLeg[],\n): Promise<unknown[]> {\n if (legs.length === 0) return [...rows]\n\n // Build one index per leg (list() once per source).\n const indexes: { leg: BroadcastLeg; map: Map<string, unknown> }[] = []\n for (const leg of legs) {\n const map = new Map<string, unknown>()\n for (const rec of await leg.from.list()) {\n const k = coerceKey(readPath(rec, leg.on))\n if (k !== null && !map.has(k)) map.set(k, rec)\n }\n indexes.push({ leg, map })\n }\n\n return rows.map((row) => {\n const out = { ...(row as Record<string, unknown>) }\n for (const { leg, map } of indexes) {\n const key = coerceKey(readPath(row, leg.field))\n const match = key === null ? null : map.get(key) ?? null\n if (match === null && leg.mode === 'warn') {\n warnOnceBroadcastMiss(leg.field, leg.as, key ?? '<null>')\n }\n out[leg.as] = match\n }\n return out\n })\n}\n","/**\n * @category capability\n * Reactive core for cross-vault live queries/aggregations. Generic over a\n * snapshot S. Single-flight + microtask-coalesced recompute on relevant\n * change. Mirrors the LiveQuery/LiveAggregation contracts via facades.\n * Spec: docs/superpowers/specs/2026-06-07-cross-vault-live-and-aggregate-design.md.\n */\nimport type { ChangeEvent } from '../types.js'\n\nexport interface CrossVaultLiveOptions<S> {\n readonly subscribeToChanges: (handler: (e: ChangeEvent) => void) => () => void\n readonly isRelevant: (e: ChangeEvent) => boolean\n readonly compute: () => Promise<S>\n readonly initialSnapshot: S\n readonly debounceMs?: number\n}\n\nexport class CrossVaultLive<S> {\n snapshot: S\n error: Error | null = null\n readonly ready: Promise<void>\n\n private readonly subs = new Set<() => void>()\n private readonly unsubChange: () => void\n private readonly opts: CrossVaultLiveOptions<S>\n private stopped = false\n private computing = false\n private dirty = false\n private scheduled = false\n private timer: ReturnType<typeof setTimeout> | null = null\n private resolveReady!: () => void\n private settledOnce = false\n\n constructor(opts: CrossVaultLiveOptions<S>) {\n this.opts = opts\n this.snapshot = opts.initialSnapshot\n this.ready = new Promise<void>((res) => { this.resolveReady = res })\n this.unsubChange = opts.subscribeToChanges((e) => {\n if (this.stopped || !opts.isRelevant(e)) return\n this.schedule()\n })\n this.schedule() // initial compute\n }\n\n subscribe(cb: () => void): () => void {\n if (this.stopped) return () => {}\n this.subs.add(cb)\n return () => this.subs.delete(cb)\n }\n\n stop(): void {\n if (this.stopped) return\n this.stopped = true\n this.unsubChange()\n if (this.timer !== null) clearTimeout(this.timer)\n this.subs.clear()\n if (!this.settledOnce) this.resolveReady() // never leave ready dangling\n }\n\n private schedule(): void {\n if (this.stopped) return\n if (this.computing) { this.dirty = true; return }\n if (this.scheduled) return\n this.scheduled = true\n const run = () => { this.scheduled = false; void this.runCompute() }\n const ms = this.opts.debounceMs ?? 0\n if (ms > 0) this.timer = setTimeout(run, ms)\n // queueMicrotask is non-cancellable; the `if (this.stopped) return` guard at the top of runCompute makes a post-stop fire a no-op.\n else queueMicrotask(run)\n }\n\n private async runCompute(): Promise<void> {\n if (this.stopped) return\n this.computing = true\n this.dirty = false\n try {\n const next = await this.opts.compute()\n if (this.stopped) return\n this.snapshot = next\n this.error = null\n } catch (err) {\n if (this.stopped) return\n this.error = err instanceof Error ? err : new Error(String(err))\n } finally {\n this.computing = false\n if (!this.stopped) {\n if (!this.settledOnce) { this.settledOnce = true; this.resolveReady() }\n for (const cb of this.subs) cb()\n if (this.dirty) this.schedule()\n }\n }\n }\n}\n","/**\n * @category capability\n * One-shot distributed aggregate wrappers for cross-vault fan-out.\n * Central-reduce: all shard records are concatenated and reduced in one pass\n * so avg/mean values are computed over the full union, not as avg-of-avgs.\n * Spec: docs/superpowers/specs/2026-06-07-cross-vault-live-and-aggregate-design.md.\n */\nimport { reduceRecords } from '../aggregate/aggregation.js'\nimport { groupAndReduce } from '../aggregate/groupby.js'\nimport type { AggregateResult, AggregateSpec } from '../aggregate/aggregation.js'\nimport type {\n FanoutQueryOptions,\n SkippedVault,\n GroupedRow,\n LiveQueryOptions,\n CrossVaultLiveAggregation,\n CrossVaultLiveQuery,\n} from './types.js'\nimport { CrossVaultLive } from './cross-vault-live.js'\nimport type { ChangeEvent } from '../types.js'\n\n/** A source that can fan out records across shards. Satisfied by ShardedQuery. */\nexport interface FanoutRecordSource<R> {\n fanoutRecords(options: FanoutQueryOptions): Promise<{ records: R[]; skippedVaults: SkippedVault[] }>\n}\n\n/** Live-binding hooks (change subscription + relevance) threaded from ShardedQuery. */\nexport interface LiveBinding {\n subscribeToChanges: (handler: (e: ChangeEvent) => void) => () => void\n isRelevant: (e: ChangeEvent) => boolean\n}\n\n/**\n * One-shot cross-vault aggregate. Concatenates all shard records and runs a\n * single central reduce, ensuring correct avg/mean values.\n */\nexport class CrossVaultAggregation<R, Spec extends AggregateSpec> {\n constructor(\n private readonly src: FanoutRecordSource<R>,\n private readonly spec: Spec,\n private readonly bind?: LiveBinding,\n ) {}\n\n async run(options: FanoutQueryOptions = {}): Promise<{\n result: AggregateResult<Spec>\n skippedVaults: SkippedVault[]\n }> {\n const { records, skippedVaults } = await this.src.fanoutRecords(options)\n return { result: reduceRecords(records, this.spec), skippedVaults }\n }\n\n live(options: LiveQueryOptions = {}): CrossVaultLiveAggregation<AggregateResult<Spec>> {\n if (!this.bind) throw new Error('CrossVaultAggregation: live() requires a LiveBinding — use ShardedQuery.aggregate()')\n const spec = this.spec\n const src = this.src\n const core = new CrossVaultLive<{ value: AggregateResult<Spec> | undefined; skipped: SkippedVault[] }>({\n subscribeToChanges: this.bind.subscribeToChanges,\n isRelevant: this.bind.isRelevant,\n compute: async () => {\n const { records, skippedVaults } = await src.fanoutRecords(options)\n return { value: reduceRecords(records, spec), skipped: skippedVaults }\n },\n initialSnapshot: { value: undefined, skipped: [] },\n ...(options.debounceMs !== undefined ? { debounceMs: options.debounceMs } : {}),\n })\n return {\n get value() { return core.snapshot.value },\n get skippedVaults() { return core.snapshot.skipped as readonly SkippedVault[] },\n get error() { return core.error },\n ready: core.ready,\n subscribe: (cb) => core.subscribe(cb),\n stop: () => core.stop(),\n }\n }\n}\n\n/**\n * One-shot cross-vault grouped aggregate. Concatenates all shard records and\n * runs a single central group-and-reduce, emitting one row per bucket.\n */\nexport class CrossVaultGroupedAggregation<R, F extends string, Spec extends AggregateSpec> {\n constructor(\n private readonly src: FanoutRecordSource<R>,\n private readonly field: F,\n private readonly spec: Spec,\n private readonly bind?: LiveBinding,\n ) {}\n\n async run(options: FanoutQueryOptions = {}): Promise<{\n results: GroupedRow<F, Spec>[]\n skippedVaults: SkippedVault[]\n }> {\n const { records, skippedVaults } = await this.src.fanoutRecords(options)\n return {\n results: groupAndReduce<GroupedRow<F, Spec>>(records, this.field, this.spec),\n skippedVaults,\n }\n }\n\n live(options: LiveQueryOptions = {}): CrossVaultLiveQuery<GroupedRow<F, Spec>> {\n if (!this.bind) throw new Error('CrossVaultGroupedAggregation: live() requires a LiveBinding — use ShardedQuery.groupBy().aggregate()')\n const field = this.field\n const spec = this.spec\n const src = this.src\n const core = new CrossVaultLive<{ records: GroupedRow<F, Spec>[]; skipped: SkippedVault[] }>({\n subscribeToChanges: this.bind.subscribeToChanges,\n isRelevant: this.bind.isRelevant,\n compute: async () => {\n const { records, skippedVaults } = await src.fanoutRecords(options)\n return {\n records: groupAndReduce<GroupedRow<F, Spec>>(records, field, spec),\n skipped: skippedVaults,\n }\n },\n initialSnapshot: { records: [], skipped: [] },\n ...(options.debounceMs !== undefined ? { debounceMs: options.debounceMs } : {}),\n })\n return {\n get value() { return core.snapshot.records as readonly GroupedRow<F, Spec>[] },\n get skippedVaults() { return core.snapshot.skipped as readonly SkippedVault[] },\n get error() { return core.error },\n ready: core.ready,\n subscribe: (cb) => core.subscribe(cb),\n stop: () => core.stop(),\n }\n }\n}\n","/**\n * @category capability\n * Multi-vault partition federation — VaultGroup transparent shard\n * routing. Spec:\n * docs/superpowers/specs/2026-06-07-mvf-vaultgroup-routing-mvp-design.md.\n */\nimport type { Noydb } from '../noydb.js'\nimport type { Vault } from '../vault.js'\nimport type { Collection } from '../collection.js'\nimport type { StateManagementVault } from './state-vault.js'\nimport { CrossShardJoinError, ReservedVaultNameError, ShardProvisioningError, UnknownShardError, ValidationError } from '../errors.js'\nimport { STATE_VAULT_NAME } from './constants.js'\nimport { classifyShardSkip } from './classify-skip.js'\nimport { applyBroadcastLegs } from './cross-shard-join.js'\nimport type { CoPartitionedLeg, BroadcastLeg, CrossShardJoinOptions, BroadcastJoinOptions } from './cross-shard-join.js'\nimport { CrossVaultLive } from './cross-vault-live.js'\nimport { CrossVaultAggregation, CrossVaultGroupedAggregation } from './aggregate-across.js'\nimport type { FanoutRecordSource, LiveBinding } from './aggregate-across.js'\nimport type { AggregateSpec } from '../aggregate/aggregation.js'\nimport type {\n ShardingConfig,\n VaultRegistryRow,\n VaultTemplate,\n FanoutQueryOptions,\n FanoutResult,\n SkippedVault,\n WhereClause,\n LiveQueryOptions,\n CrossVaultLiveQuery,\n} from './types.js'\n\n/** Reserved separator between group name and partition key in a shard vault id. */\nconst SHARD_SEPARATOR = '--'\n/** Store-safe partition-key charset (single hyphens OK; '--' is the reserved separator). */\nconst SAFE_PARTITION_KEY = /^[A-Za-z0-9._-]+$/\n\nfunction assertSafePartitionKey(partitionKey: string): void {\n if (partitionKey.length === 0) {\n throw new ValidationError('partitionKey must be a non-empty string')\n }\n if (partitionKey === STATE_VAULT_NAME) {\n throw new ReservedVaultNameError(partitionKey)\n }\n if (!SAFE_PARTITION_KEY.test(partitionKey)) {\n throw new ValidationError(\n `partitionKey \"${partitionKey}\" contains characters outside [A-Za-z0-9._-]. ` +\n `Map your records to a store-safe key in sharding.keyOf.`,\n )\n }\n if (partitionKey.includes(SHARD_SEPARATOR)) {\n throw new ValidationError(\n `partitionKey \"${partitionKey}\" must not contain \"--\" — it is reserved as the ` +\n `shard vault-id separator and would risk shard-id collisions.`,\n )\n }\n}\n\nexport class VaultGroup<T> {\n constructor(\n /** @internal */ readonly db: Noydb,\n /** @internal */ readonly name: string,\n /** @internal */ readonly registry: Collection<VaultRegistryRow>,\n /** @internal */ readonly sharding: ShardingConfig<T>,\n /** @internal */ readonly template: VaultTemplate,\n ) {\n if (name.includes(SHARD_SEPARATOR)) {\n throw new ValidationError(\n `VaultGroup name \"${name}\" must not contain \"--\" (reserved shard vault-id separator).`,\n )\n }\n }\n\n /** @internal — set when the group is managed (no explicit registry). */\n private stateVault: StateManagementVault | undefined\n\n /** @internal */\n _attachStateVault(sv: StateManagementVault): void {\n this.stateVault = sv\n }\n\n /** Deterministic vault name for a partition key, namespaced by the group. */\n shardVaultId(partitionKey: string): string {\n assertSafePartitionKey(partitionKey)\n return `${this.name}${SHARD_SEPARATOR}${partitionKey}`\n }\n\n /**\n * @internal — group-qualified registry record key (avoids cross-group key\n * collisions). Identical to the shard vault id by design — the registry row\n * for a shard is keyed by that shard's vault id — so it delegates to\n * `shardVaultId`, reusing its partition-key validation.\n */\n registryId(partitionKey: string): string {\n return this.shardVaultId(partitionKey)\n }\n\n /**\n * Registry rows for THIS group (hydrates the registry collection first).\n * The registry may be shared across groups (the auto-wired StateManagement\n * vault holds one `vaultRegistry` for the whole instance), so rows are\n * filtered by `group` — without this, a group's fan-out reads would leak\n * across into other groups' shards. Mirrors the `${group}--` scoping that\n * `liveBinding().isRelevant` already applies to the reactive path.\n */\n async allRows(): Promise<VaultRegistryRow[]> {\n await this.registry.list()\n const rows = this.registry.query().toArray() // toArray() is synchronous\n return rows.filter((r) => r.group === this.name)\n }\n\n /** Open an existing shard and apply the template. */\n async openShard(partitionKey: string): Promise<Vault> {\n const vault = await this.db.openVault(this.shardVaultId(partitionKey), { create: false })\n this.template.configure(vault)\n return vault\n }\n\n /**\n * Idempotently provision a shard for `partitionKey`. Returns the\n * configured vault handle.\n *\n * - row + vault present → no-op, return handle\n * - row present, vault gone → ShardProvisioningError\n * - row absent (vault present or not) → open-or-create, configure, write row\n */\n async createShard(partitionKey: string): Promise<Vault> {\n const vaultId = this.shardVaultId(partitionKey)\n const row = await this.registry.get(this.registryId(partitionKey))\n const provisioned = await this.db._shardVaultProvisioned(vaultId)\n\n if (row && !provisioned) throw new ShardProvisioningError(vaultId, partitionKey)\n if (row && provisioned) return this.openShard(partitionKey)\n\n // Row absent → create (or reconcile a provisioned-but-unregistered vault).\n const vault = await this.db.openVault(vaultId)\n this.template.configure(vault)\n await this.registry.put(this.registryId(partitionKey), {\n vaultId,\n partitionKey,\n templateName: this.sharding.vaultTemplate,\n schemaVersion: this.template.version,\n createdAt: Date.now(),\n group: this.name,\n })\n if (this.stateVault) {\n try {\n await this.stateVault.appendEvent({\n type: 'shard-created',\n group: this.name,\n vaultId,\n templateName: this.sharding.vaultTemplate,\n version: this.template.version,\n })\n } catch {\n /* best-effort: event logging never fails the shard write */\n }\n }\n return vault\n }\n\n /**\n * Drill down to a single shard's full Collection API. Throws if the shard is unknown.\n * Also throws ShardProvisioningError if the registry row exists but the vault has been deleted\n * (registry/store divergence).\n */\n async shard(partitionKey: string): Promise<Vault> {\n const vaultId = this.shardVaultId(partitionKey)\n const row = await this.registry.get(this.registryId(partitionKey))\n if (!row) throw new UnknownShardError(partitionKey, this.name)\n const provisioned = await this.db._shardVaultProvisioned(vaultId)\n if (!provisioned) throw new ShardProvisioningError(vaultId, partitionKey)\n return this.openShard(partitionKey)\n }\n\n /** A sharded view over one logical collection across all shards. */\n collection<R = T>(collectionName: string): ShardedCollection<T, R> {\n return new ShardedCollection<T, R>(this, collectionName)\n }\n\n /** @internal — eligible (openable-candidate) rows + drift/divergence skips. */\n async resolveEligible(options: { minVersion?: number } = {}): Promise<{\n eligible: VaultRegistryRow[]\n skipped: SkippedVault[]\n }> {\n const rows = await this.allRows()\n const skipped: SkippedVault[] = []\n const versionOk: VaultRegistryRow[] = []\n for (const row of rows) {\n if (options.minVersion !== undefined && row.schemaVersion < options.minVersion) {\n skipped.push({ vaultId: row.vaultId, reason: 'schema-drift' })\n } else versionOk.push(row)\n }\n const provisioned = await Promise.all(versionOk.map((r) => this.db._shardVaultProvisioned(r.vaultId)))\n const eligible: VaultRegistryRow[] = []\n versionOk.forEach((row, i) => {\n if (provisioned[i]) eligible.push(row)\n else skipped.push({ vaultId: row.vaultId, reason: 'error', error: new ShardProvisioningError(row.vaultId, row.partitionKey) })\n })\n return { eligible, skipped }\n }\n}\n\nexport class ShardedCollection<T, R = T> {\n constructor(\n private readonly group: VaultGroup<T>,\n private readonly collectionName: string,\n ) {}\n\n /** Route a write to the shard owning `keyOf(record)`. */\n async put(id: string, record: T): Promise<void> {\n const key = this.group.sharding.keyOf(record)\n const row = await this.group.registry.get(this.group.registryId(key))\n let vault: Vault\n if (!row) {\n if (this.group.sharding.autoCreate === false) {\n throw new UnknownShardError(key, this.group.name)\n }\n vault = await this.group.createShard(key)\n } else {\n vault = await this.group.openShard(key)\n }\n await vault.collection<T>(this.collectionName).put(id, record)\n }\n\n /** Begin a cross-shard fan-out query. */\n query(): ShardedQuery<T, R> {\n return new ShardedQuery<T, R>(this.group, this.collectionName, [])\n }\n}\n\nexport class ShardedQuery<T, R = T> {\n constructor(\n private readonly group: VaultGroup<T>,\n private readonly collectionName: string,\n private readonly clauses: readonly WhereClause[],\n private readonly coPartitionedLegs: readonly CoPartitionedLeg[] = [],\n private readonly broadcastLegs: readonly BroadcastLeg[] = [],\n ) {}\n\n where(field: string, op: WhereClause['op'], value: unknown): ShardedQuery<T, R> {\n return new ShardedQuery<T, R>(\n this.group,\n this.collectionName,\n [...this.clauses, { field, op, value }],\n this.coPartitionedLegs,\n this.broadcastLegs,\n )\n }\n\n /** Co-partitioned join: each shard joins its own same-vault right collection (resolved via ref()), then union. */\n crossShardJoin(field: string, opts: CrossShardJoinOptions): ShardedQuery<T, R> {\n const leg: CoPartitionedLeg = { field, as: opts.as, maxRows: opts.maxRows, strategy: opts.strategy }\n return new ShardedQuery<T, R>(\n this.group,\n this.collectionName,\n this.clauses,\n [...this.coPartitionedLegs, leg],\n this.broadcastLegs,\n )\n }\n\n /** Broadcast dimension join: enrich every merged row from a single shared collection. */\n broadcastJoin(field: string, opts: BroadcastJoinOptions): ShardedQuery<T, R> {\n const leg: BroadcastLeg = {\n field,\n as: opts.as,\n from: opts.from,\n on: opts.on ?? 'id',\n mode: opts.mode ?? 'warn',\n }\n return new ShardedQuery<T, R>(\n this.group,\n this.collectionName,\n this.clauses,\n this.coPartitionedLegs,\n [...this.broadcastLegs, leg],\n )\n }\n\n /** @internal — fan out the where-filtered records across eligible shards. */\n async fanoutRecords(options: FanoutQueryOptions = {}): Promise<{ records: R[]; skippedVaults: SkippedVault[] }> {\n const { eligible, skipped } = await this.group.resolveEligible(options)\n // Deterministic pre-check: an undeclared co-partitioned join ref fails\n // identically on every shard, so surface it as ONE CrossShardJoinError\n // rather than N identical skips. Probe the first eligible shard.\n const probeRow = eligible[0]\n if (this.coPartitionedLegs.length > 0 && probeRow) {\n const probe = await this.group.openShard(probeRow.partitionKey)\n this.group.template.configure(probe)\n for (const leg of this.coPartitionedLegs) {\n if (!probe.resolveRef(this.collectionName, leg.field)) {\n throw new CrossShardJoinError(\n `crossShardJoin(\"${leg.field}\"): no ref() declared for \"${leg.field}\" on ` +\n `collection \"${this.collectionName}\" in template \"${this.group.sharding.vaultTemplate}\". ` +\n `Add refs: { ${leg.field}: ref('<target>') } to the template's collection options.`,\n )\n }\n }\n }\n const across = await this.group.db.queryAcross<R[]>(\n eligible.map((r) => r.vaultId),\n async (vault) => {\n this.group.template.configure(vault)\n const coll = vault.collection<R>(this.collectionName)\n await coll.list() // hydrate the in-memory cache before the sync query\n // Hydrate each co-partitioned join target — resolveSource reads the\n // in-memory cache, so an unopened right collection would join to an\n // empty snapshot (every row → null).\n for (const leg of this.coPartitionedLegs) {\n const desc = vault.resolveRef(this.collectionName, leg.field)\n if (desc) await vault.collection(desc.target).list()\n }\n let q = coll.query()\n for (const c of this.clauses) q = q.where(c.field, c.op, c.value)\n for (const leg of this.coPartitionedLegs) {\n q = q.join(leg.field, {\n as: leg.as,\n ...(leg.maxRows !== undefined ? { maxRows: leg.maxRows } : {}),\n ...(leg.strategy ? { strategy: leg.strategy } : {}),\n })\n }\n return q.toArray()\n },\n { concurrency: options.concurrency ?? 1, create: false },\n )\n const results: R[] = []\n for (const r of across) {\n if (r.error) skipped.push({ vaultId: r.vault, reason: classifyShardSkip(r.error), error: r.error })\n else for (const item of r.result) results.push(item)\n }\n return { records: results, skippedVaults: skipped }\n }\n\n /** Fan out across eligible shards, merge, then apply any broadcast dimension legs. */\n async toArray(options: FanoutQueryOptions = {}): Promise<FanoutResult<R>> {\n const { records, skippedVaults } = await this.fanoutRecords(options)\n const results = (await applyBroadcastLegs(records, this.broadcastLegs)) as R[]\n return { results, skippedVaults }\n }\n\n /** @internal — build the change-subscription + relevance binding for this query's group+collection. */\n liveBinding(): LiveBinding {\n const group = this.group\n const collectionName = this.collectionName\n return {\n subscribeToChanges: (h) => { group.db.on('change', h); return () => group.db.off('change', h) },\n isRelevant: (e) => e.collection === collectionName && e.vault.startsWith(`${group.name}--`),\n }\n }\n\n /** @internal — joined queries don't support reactive/aggregate surfaces in v1. */\n private assertNoJoinLegs(surface: string): void {\n if (this.coPartitionedLegs.length || this.broadcastLegs.length) {\n throw new CrossShardJoinError(\n `${surface}() is not supported on a ShardedQuery with crossShardJoin/broadcastJoin ` +\n `legs in v1. Use toArray() for joined cross-shard queries.`,\n )\n }\n }\n\n /** Returns a reactive cross-shard live query — a facade over CrossVaultLive. */\n live(options: LiveQueryOptions = {}): CrossVaultLiveQuery<R> {\n this.assertNoJoinLegs('live')\n const bind = this.liveBinding()\n const core = new CrossVaultLive<{ records: R[]; skipped: SkippedVault[] }>({\n ...bind,\n compute: async () => {\n const { records, skippedVaults } = await this.fanoutRecords(options)\n return { records, skipped: skippedVaults }\n },\n initialSnapshot: { records: [], skipped: [] },\n ...(options.debounceMs !== undefined ? { debounceMs: options.debounceMs } : {}),\n })\n return {\n get value() { return core.snapshot.records as readonly R[] },\n get skippedVaults() { return core.snapshot.skipped as readonly SkippedVault[] },\n get error() { return core.error },\n ready: core.ready,\n subscribe: (cb) => core.subscribe(cb),\n stop: () => core.stop(),\n }\n }\n\n /** One-shot distributed aggregate — central reduce over all shard records. */\n aggregate<Spec extends AggregateSpec>(spec: Spec): CrossVaultAggregation<R, Spec> {\n this.assertNoJoinLegs('aggregate')\n return new CrossVaultAggregation<R, Spec>(this, spec, this.liveBinding())\n }\n\n /** Begin a grouped cross-shard aggregate. */\n groupBy<F extends string>(field: F): ShardedGroupedQuery<T, R, F> {\n this.assertNoJoinLegs('groupBy')\n return new ShardedGroupedQuery<T, R, F>(this, field)\n }\n}\n\n/** Grouped cross-shard query — intermediate after `.groupBy(field)`, terminates with `.aggregate(spec)`. */\nexport class ShardedGroupedQuery<T, R, F extends string> {\n constructor(\n private readonly query: ShardedQuery<T, R>,\n private readonly field: F,\n ) {}\n\n aggregate<Spec extends AggregateSpec>(spec: Spec): CrossVaultGroupedAggregation<R, F, Spec> {\n return new CrossVaultGroupedAggregation<R, F, Spec>(\n { fanoutRecords: (o) => this.query.fanoutRecords(o) } satisfies FanoutRecordSource<R>,\n this.field,\n spec,\n this.query.liveBinding(),\n )\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAUO,SAAS,kBAAkB,KAA6D;AAC7F,SAAO,eAAe,gBAAgB,aAAa;AACrD;;;ACyDA,SAAS,UAAU,OAA+B;AAChD,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,YAAY,OAAO,UAAU,SAAU,QAAO,OAAO,KAAK;AAC/E,SAAO;AACT;AAGA,IAAM,sBAAsB,oBAAI,IAAY;AAC5C,SAAS,sBAAsB,OAAe,IAAY,KAAmB;AAC3E,QAAM,QAAQ,GAAG,KAAK,SAAI,EAAE,IAAI,GAAG;AACnC,MAAI,oBAAoB,IAAI,KAAK,EAAG;AACpC,sBAAoB,IAAI,KAAK;AAC7B,UAAQ;AAAA,IACN,+BAA+B,EAAE,uBAAuB,KAAK,KAAK,GAAG;AAAA,EAEvE;AACF;AAYA,eAAsB,mBACpB,MACA,MACoB;AACpB,MAAI,KAAK,WAAW,EAAG,QAAO,CAAC,GAAG,IAAI;AAGtC,QAAM,UAA8D,CAAC;AACrE,aAAW,OAAO,MAAM;AACtB,UAAM,MAAM,oBAAI,IAAqB;AACrC,eAAW,OAAO,MAAM,IAAI,KAAK,KAAK,GAAG;AACvC,YAAM,IAAI,UAAU,SAAS,KAAK,IAAI,EAAE,CAAC;AACzC,UAAI,MAAM,QAAQ,CAAC,IAAI,IAAI,CAAC,EAAG,KAAI,IAAI,GAAG,GAAG;AAAA,IAC/C;AACA,YAAQ,KAAK,EAAE,KAAK,IAAI,CAAC;AAAA,EAC3B;AAEA,SAAO,KAAK,IAAI,CAAC,QAAQ;AACvB,UAAM,MAAM,EAAE,GAAI,IAAgC;AAClD,eAAW,EAAE,KAAK,IAAI,KAAK,SAAS;AAClC,YAAM,MAAM,UAAU,SAAS,KAAK,IAAI,KAAK,CAAC;AAC9C,YAAM,QAAQ,QAAQ,OAAO,OAAO,IAAI,IAAI,GAAG,KAAK;AACpD,UAAI,UAAU,QAAQ,IAAI,SAAS,QAAQ;AACzC,8BAAsB,IAAI,OAAO,IAAI,IAAI,OAAO,QAAQ;AAAA,MAC1D;AACA,UAAI,IAAI,EAAE,IAAI;AAAA,IAChB;AACA,WAAO;AAAA,EACT,CAAC;AACH;;;AC9GO,IAAM,iBAAN,MAAwB;AAAA,EAC7B;AAAA,EACA,QAAsB;AAAA,EACb;AAAA,EAEQ,OAAO,oBAAI,IAAgB;AAAA,EAC3B;AAAA,EACA;AAAA,EACT,UAAU;AAAA,EACV,YAAY;AAAA,EACZ,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,QAA8C;AAAA,EAC9C;AAAA,EACA,cAAc;AAAA,EAEtB,YAAY,MAAgC;AAC1C,SAAK,OAAO;AACZ,SAAK,WAAW,KAAK;AACrB,SAAK,QAAQ,IAAI,QAAc,CAAC,QAAQ;AAAE,WAAK,eAAe;AAAA,IAAI,CAAC;AACnE,SAAK,cAAc,KAAK,mBAAmB,CAAC,MAAM;AAChD,UAAI,KAAK,WAAW,CAAC,KAAK,WAAW,CAAC,EAAG;AACzC,WAAK,SAAS;AAAA,IAChB,CAAC;AACD,SAAK,SAAS;AAAA,EAChB;AAAA,EAEA,UAAU,IAA4B;AACpC,QAAI,KAAK,QAAS,QAAO,MAAM;AAAA,IAAC;AAChC,SAAK,KAAK,IAAI,EAAE;AAChB,WAAO,MAAM,KAAK,KAAK,OAAO,EAAE;AAAA,EAClC;AAAA,EAEA,OAAa;AACX,QAAI,KAAK,QAAS;AAClB,SAAK,UAAU;AACf,SAAK,YAAY;AACjB,QAAI,KAAK,UAAU,KAAM,cAAa,KAAK,KAAK;AAChD,SAAK,KAAK,MAAM;AAChB,QAAI,CAAC,KAAK,YAAa,MAAK,aAAa;AAAA,EAC3C;AAAA,EAEQ,WAAiB;AACvB,QAAI,KAAK,QAAS;AAClB,QAAI,KAAK,WAAW;AAAE,WAAK,QAAQ;AAAM;AAAA,IAAO;AAChD,QAAI,KAAK,UAAW;AACpB,SAAK,YAAY;AACjB,UAAM,MAAM,MAAM;AAAE,WAAK,YAAY;AAAO,WAAK,KAAK,WAAW;AAAA,IAAE;AACnE,UAAM,KAAK,KAAK,KAAK,cAAc;AACnC,QAAI,KAAK,EAAG,MAAK,QAAQ,WAAW,KAAK,EAAE;AAAA,QAEtC,gBAAe,GAAG;AAAA,EACzB;AAAA,EAEA,MAAc,aAA4B;AACxC,QAAI,KAAK,QAAS;AAClB,SAAK,YAAY;AACjB,SAAK,QAAQ;AACb,QAAI;AACF,YAAM,OAAO,MAAM,KAAK,KAAK,QAAQ;AACrC,UAAI,KAAK,QAAS;AAClB,WAAK,WAAW;AAChB,WAAK,QAAQ;AAAA,IACf,SAAS,KAAK;AACZ,UAAI,KAAK,QAAS;AAClB,WAAK,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,IACjE,UAAE;AACA,WAAK,YAAY;AACjB,UAAI,CAAC,KAAK,SAAS;AACjB,YAAI,CAAC,KAAK,aAAa;AAAE,eAAK,cAAc;AAAM,eAAK,aAAa;AAAA,QAAE;AACtE,mBAAW,MAAM,KAAK,KAAM,IAAG;AAC/B,YAAI,KAAK,MAAO,MAAK,SAAS;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AACF;;;ACxDO,IAAM,wBAAN,MAA2D;AAAA,EAChE,YACmB,KACA,MACA,MACjB;AAHiB;AACA;AACA;AAAA,EAChB;AAAA,EAHgB;AAAA,EACA;AAAA,EACA;AAAA,EAGnB,MAAM,IAAI,UAA8B,CAAC,GAGtC;AACD,UAAM,EAAE,SAAS,cAAc,IAAI,MAAM,KAAK,IAAI,cAAc,OAAO;AACvE,WAAO,EAAE,QAAQ,cAAc,SAAS,KAAK,IAAI,GAAG,cAAc;AAAA,EACpE;AAAA,EAEA,KAAK,UAA4B,CAAC,GAAqD;AACrF,QAAI,CAAC,KAAK,KAAM,OAAM,IAAI,MAAM,0FAAqF;AACrH,UAAM,OAAO,KAAK;AAClB,UAAM,MAAM,KAAK;AACjB,UAAM,OAAO,IAAI,eAAsF;AAAA,MACrG,oBAAoB,KAAK,KAAK;AAAA,MAC9B,YAAY,KAAK,KAAK;AAAA,MACtB,SAAS,YAAY;AACnB,cAAM,EAAE,SAAS,cAAc,IAAI,MAAM,IAAI,cAAc,OAAO;AAClE,eAAO,EAAE,OAAO,cAAc,SAAS,IAAI,GAAG,SAAS,cAAc;AAAA,MACvE;AAAA,MACA,iBAAiB,EAAE,OAAO,QAAW,SAAS,CAAC,EAAE;AAAA,MACjD,GAAI,QAAQ,eAAe,SAAY,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/E,CAAC;AACD,WAAO;AAAA,MACL,IAAI,QAAQ;AAAE,eAAO,KAAK,SAAS;AAAA,MAAM;AAAA,MACzC,IAAI,gBAAgB;AAAE,eAAO,KAAK,SAAS;AAAA,MAAmC;AAAA,MAC9E,IAAI,QAAQ;AAAE,eAAO,KAAK;AAAA,MAAM;AAAA,MAChC,OAAO,KAAK;AAAA,MACZ,WAAW,CAAC,OAAO,KAAK,UAAU,EAAE;AAAA,MACpC,MAAM,MAAM,KAAK,KAAK;AAAA,IACxB;AAAA,EACF;AACF;AAMO,IAAM,+BAAN,MAAoF;AAAA,EACzF,YACmB,KACA,OACA,MACA,MACjB;AAJiB;AACA;AACA;AACA;AAAA,EAChB;AAAA,EAJgB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAGnB,MAAM,IAAI,UAA8B,CAAC,GAGtC;AACD,UAAM,EAAE,SAAS,cAAc,IAAI,MAAM,KAAK,IAAI,cAAc,OAAO;AACvE,WAAO;AAAA,MACL,SAAS,eAAoC,SAAS,KAAK,OAAO,KAAK,IAAI;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AAAA,EAEA,KAAK,UAA4B,CAAC,GAA6C;AAC7E,QAAI,CAAC,KAAK,KAAM,OAAM,IAAI,MAAM,2GAAsG;AACtI,UAAM,QAAQ,KAAK;AACnB,UAAM,OAAO,KAAK;AAClB,UAAM,MAAM,KAAK;AACjB,UAAM,OAAO,IAAI,eAA4E;AAAA,MAC3F,oBAAoB,KAAK,KAAK;AAAA,MAC9B,YAAY,KAAK,KAAK;AAAA,MACtB,SAAS,YAAY;AACnB,cAAM,EAAE,SAAS,cAAc,IAAI,MAAM,IAAI,cAAc,OAAO;AAClE,eAAO;AAAA,UACL,SAAS,eAAoC,SAAS,OAAO,IAAI;AAAA,UACjE,SAAS;AAAA,QACX;AAAA,MACF;AAAA,MACA,iBAAiB,EAAE,SAAS,CAAC,GAAG,SAAS,CAAC,EAAE;AAAA,MAC5C,GAAI,QAAQ,eAAe,SAAY,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/E,CAAC;AACD,WAAO;AAAA,MACL,IAAI,QAAQ;AAAE,eAAO,KAAK,SAAS;AAAA,MAA0C;AAAA,MAC7E,IAAI,gBAAgB;AAAE,eAAO,KAAK,SAAS;AAAA,MAAmC;AAAA,MAC9E,IAAI,QAAQ;AAAE,eAAO,KAAK;AAAA,MAAM;AAAA,MAChC,OAAO,KAAK;AAAA,MACZ,WAAW,CAAC,OAAO,KAAK,UAAU,EAAE;AAAA,MACpC,MAAM,MAAM,KAAK,KAAK;AAAA,IACxB;AAAA,EACF;AACF;;;AC9FA,IAAM,kBAAkB;AAExB,IAAM,qBAAqB;AAE3B,SAAS,uBAAuB,cAA4B;AAC1D,MAAI,aAAa,WAAW,GAAG;AAC7B,UAAM,IAAI,gBAAgB,yCAAyC;AAAA,EACrE;AACA,MAAI,iBAAiB,kBAAkB;AACrC,UAAM,IAAI,uBAAuB,YAAY;AAAA,EAC/C;AACA,MAAI,CAAC,mBAAmB,KAAK,YAAY,GAAG;AAC1C,UAAM,IAAI;AAAA,MACR,iBAAiB,YAAY;AAAA,IAE/B;AAAA,EACF;AACA,MAAI,aAAa,SAAS,eAAe,GAAG;AAC1C,UAAM,IAAI;AAAA,MACR,iBAAiB,YAAY;AAAA,IAE/B;AAAA,EACF;AACF;AAEO,IAAM,aAAN,MAAoB;AAAA,EACzB,YAC4B,IACA,MACA,UACA,UACA,UAC1B;AAL0B;AACA;AACA;AACA;AACA;AAE1B,QAAI,KAAK,SAAS,eAAe,GAAG;AAClC,YAAM,IAAI;AAAA,QACR,oBAAoB,IAAI;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAAA,EAX4B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAUpB;AAAA;AAAA,EAGR,kBAAkB,IAAgC;AAChD,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA,EAGA,aAAa,cAA8B;AACzC,2BAAuB,YAAY;AACnC,WAAO,GAAG,KAAK,IAAI,GAAG,eAAe,GAAG,YAAY;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,WAAW,cAA8B;AACvC,WAAO,KAAK,aAAa,YAAY;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAuC;AAC3C,UAAM,KAAK,SAAS,KAAK;AACzB,UAAM,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3C,WAAO,KAAK,OAAO,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI;AAAA,EACjD;AAAA;AAAA,EAGA,MAAM,UAAU,cAAsC;AACpD,UAAM,QAAQ,MAAM,KAAK,GAAG,UAAU,KAAK,aAAa,YAAY,GAAG,EAAE,QAAQ,MAAM,CAAC;AACxF,SAAK,SAAS,UAAU,KAAK;AAC7B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,YAAY,cAAsC;AACtD,UAAM,UAAU,KAAK,aAAa,YAAY;AAC9C,UAAM,MAAM,MAAM,KAAK,SAAS,IAAI,KAAK,WAAW,YAAY,CAAC;AACjE,UAAM,cAAc,MAAM,KAAK,GAAG,uBAAuB,OAAO;AAEhE,QAAI,OAAO,CAAC,YAAa,OAAM,IAAI,uBAAuB,SAAS,YAAY;AAC/E,QAAI,OAAO,YAAa,QAAO,KAAK,UAAU,YAAY;AAG1D,UAAM,QAAQ,MAAM,KAAK,GAAG,UAAU,OAAO;AAC7C,SAAK,SAAS,UAAU,KAAK;AAC7B,UAAM,KAAK,SAAS,IAAI,KAAK,WAAW,YAAY,GAAG;AAAA,MACrD;AAAA,MACA;AAAA,MACA,cAAc,KAAK,SAAS;AAAA,MAC5B,eAAe,KAAK,SAAS;AAAA,MAC7B,WAAW,KAAK,IAAI;AAAA,MACpB,OAAO,KAAK;AAAA,IACd,CAAC;AACD,QAAI,KAAK,YAAY;AACnB,UAAI;AACF,cAAM,KAAK,WAAW,YAAY;AAAA,UAChC,MAAM;AAAA,UACN,OAAO,KAAK;AAAA,UACZ;AAAA,UACA,cAAc,KAAK,SAAS;AAAA,UAC5B,SAAS,KAAK,SAAS;AAAA,QACzB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,MAAM,cAAsC;AAChD,UAAM,UAAU,KAAK,aAAa,YAAY;AAC9C,UAAM,MAAM,MAAM,KAAK,SAAS,IAAI,KAAK,WAAW,YAAY,CAAC;AACjE,QAAI,CAAC,IAAK,OAAM,IAAI,kBAAkB,cAAc,KAAK,IAAI;AAC7D,UAAM,cAAc,MAAM,KAAK,GAAG,uBAAuB,OAAO;AAChE,QAAI,CAAC,YAAa,OAAM,IAAI,uBAAuB,SAAS,YAAY;AACxE,WAAO,KAAK,UAAU,YAAY;AAAA,EACpC;AAAA;AAAA,EAGA,WAAkB,gBAAiD;AACjE,WAAO,IAAI,kBAAwB,MAAM,cAAc;AAAA,EACzD;AAAA;AAAA,EAGA,MAAM,gBAAgB,UAAmC,CAAC,GAGvD;AACD,UAAM,OAAO,MAAM,KAAK,QAAQ;AAChC,UAAM,UAA0B,CAAC;AACjC,UAAM,YAAgC,CAAC;AACvC,eAAW,OAAO,MAAM;AACtB,UAAI,QAAQ,eAAe,UAAa,IAAI,gBAAgB,QAAQ,YAAY;AAC9E,gBAAQ,KAAK,EAAE,SAAS,IAAI,SAAS,QAAQ,eAAe,CAAC;AAAA,MAC/D,MAAO,WAAU,KAAK,GAAG;AAAA,IAC3B;AACA,UAAM,cAAc,MAAM,QAAQ,IAAI,UAAU,IAAI,CAAC,MAAM,KAAK,GAAG,uBAAuB,EAAE,OAAO,CAAC,CAAC;AACrG,UAAM,WAA+B,CAAC;AACtC,cAAU,QAAQ,CAAC,KAAK,MAAM;AAC5B,UAAI,YAAY,CAAC,EAAG,UAAS,KAAK,GAAG;AAAA,UAChC,SAAQ,KAAK,EAAE,SAAS,IAAI,SAAS,QAAQ,SAAS,OAAO,IAAI,uBAAuB,IAAI,SAAS,IAAI,YAAY,EAAE,CAAC;AAAA,IAC/H,CAAC;AACD,WAAO,EAAE,UAAU,QAAQ;AAAA,EAC7B;AACF;AAEO,IAAM,oBAAN,MAAkC;AAAA,EACvC,YACmB,OACA,gBACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA;AAAA,EAInB,MAAM,IAAI,IAAY,QAA0B;AAC9C,UAAM,MAAM,KAAK,MAAM,SAAS,MAAM,MAAM;AAC5C,UAAM,MAAM,MAAM,KAAK,MAAM,SAAS,IAAI,KAAK,MAAM,WAAW,GAAG,CAAC;AACpE,QAAI;AACJ,QAAI,CAAC,KAAK;AACR,UAAI,KAAK,MAAM,SAAS,eAAe,OAAO;AAC5C,cAAM,IAAI,kBAAkB,KAAK,KAAK,MAAM,IAAI;AAAA,MAClD;AACA,cAAQ,MAAM,KAAK,MAAM,YAAY,GAAG;AAAA,IAC1C,OAAO;AACL,cAAQ,MAAM,KAAK,MAAM,UAAU,GAAG;AAAA,IACxC;AACA,UAAM,MAAM,WAAc,KAAK,cAAc,EAAE,IAAI,IAAI,MAAM;AAAA,EAC/D;AAAA;AAAA,EAGA,QAA4B;AAC1B,WAAO,IAAI,aAAmB,KAAK,OAAO,KAAK,gBAAgB,CAAC,CAAC;AAAA,EACnE;AACF;AAEO,IAAM,eAAN,MAAM,cAAuB;AAAA,EAClC,YACmB,OACA,gBACA,SACA,oBAAiD,CAAC,GAClD,gBAAyC,CAAC,GAC3D;AALiB;AACA;AACA;AACA;AACA;AAAA,EAChB;AAAA,EALgB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAGnB,MAAM,OAAe,IAAuB,OAAoC;AAC9E,WAAO,IAAI;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,CAAC,GAAG,KAAK,SAAS,EAAE,OAAO,IAAI,MAAM,CAAC;AAAA,MACtC,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA,EAGA,eAAe,OAAe,MAAiD;AAC7E,UAAM,MAAwB,EAAE,OAAO,IAAI,KAAK,IAAI,SAAS,KAAK,SAAS,UAAU,KAAK,SAAS;AACnG,WAAO,IAAI;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,CAAC,GAAG,KAAK,mBAAmB,GAAG;AAAA,MAC/B,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA,EAGA,cAAc,OAAe,MAAgD;AAC3E,UAAM,MAAoB;AAAA,MACxB;AAAA,MACA,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,IAAI,KAAK,MAAM;AAAA,MACf,MAAM,KAAK,QAAQ;AAAA,IACrB;AACA,WAAO,IAAI;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,CAAC,GAAG,KAAK,eAAe,GAAG;AAAA,IAC7B;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,cAAc,UAA8B,CAAC,GAA6D;AAC9G,UAAM,EAAE,UAAU,QAAQ,IAAI,MAAM,KAAK,MAAM,gBAAgB,OAAO;AAItE,UAAM,WAAW,SAAS,CAAC;AAC3B,QAAI,KAAK,kBAAkB,SAAS,KAAK,UAAU;AACjD,YAAM,QAAQ,MAAM,KAAK,MAAM,UAAU,SAAS,YAAY;AAC9D,WAAK,MAAM,SAAS,UAAU,KAAK;AACnC,iBAAW,OAAO,KAAK,mBAAmB;AACxC,YAAI,CAAC,MAAM,WAAW,KAAK,gBAAgB,IAAI,KAAK,GAAG;AACrD,gBAAM,IAAI;AAAA,YACR,mBAAmB,IAAI,KAAK,8BAA8B,IAAI,KAAK,oBAClD,KAAK,cAAc,kBAAkB,KAAK,MAAM,SAAS,aAAa,kBACtE,IAAI,KAAK;AAAA,UAC5B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,UAAM,SAAS,MAAM,KAAK,MAAM,GAAG;AAAA,MACjC,SAAS,IAAI,CAAC,MAAM,EAAE,OAAO;AAAA,MAC7B,OAAO,UAAU;AACf,aAAK,MAAM,SAAS,UAAU,KAAK;AACnC,cAAM,OAAO,MAAM,WAAc,KAAK,cAAc;AACpD,cAAM,KAAK,KAAK;AAIhB,mBAAW,OAAO,KAAK,mBAAmB;AACxC,gBAAM,OAAO,MAAM,WAAW,KAAK,gBAAgB,IAAI,KAAK;AAC5D,cAAI,KAAM,OAAM,MAAM,WAAW,KAAK,MAAM,EAAE,KAAK;AAAA,QACrD;AACA,YAAI,IAAI,KAAK,MAAM;AACnB,mBAAW,KAAK,KAAK,QAAS,KAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK;AAChE,mBAAW,OAAO,KAAK,mBAAmB;AACxC,cAAI,EAAE,KAAK,IAAI,OAAO;AAAA,YACpB,IAAI,IAAI;AAAA,YACR,GAAI,IAAI,YAAY,SAAY,EAAE,SAAS,IAAI,QAAQ,IAAI,CAAC;AAAA,YAC5D,GAAI,IAAI,WAAW,EAAE,UAAU,IAAI,SAAS,IAAI,CAAC;AAAA,UACnD,CAAC;AAAA,QACH;AACA,eAAO,EAAE,QAAQ;AAAA,MACnB;AAAA,MACA,EAAE,aAAa,QAAQ,eAAe,GAAG,QAAQ,MAAM;AAAA,IACzD;AACA,UAAM,UAAe,CAAC;AACtB,eAAW,KAAK,QAAQ;AACtB,UAAI,EAAE,MAAO,SAAQ,KAAK,EAAE,SAAS,EAAE,OAAO,QAAQ,kBAAkB,EAAE,KAAK,GAAG,OAAO,EAAE,MAAM,CAAC;AAAA,UAC7F,YAAW,QAAQ,EAAE,OAAQ,SAAQ,KAAK,IAAI;AAAA,IACrD;AACA,WAAO,EAAE,SAAS,SAAS,eAAe,QAAQ;AAAA,EACpD;AAAA;AAAA,EAGA,MAAM,QAAQ,UAA8B,CAAC,GAA6B;AACxE,UAAM,EAAE,SAAS,cAAc,IAAI,MAAM,KAAK,cAAc,OAAO;AACnE,UAAM,UAAW,MAAM,mBAAmB,SAAS,KAAK,aAAa;AACrE,WAAO,EAAE,SAAS,cAAc;AAAA,EAClC;AAAA;AAAA,EAGA,cAA2B;AACzB,UAAM,QAAQ,KAAK;AACnB,UAAM,iBAAiB,KAAK;AAC5B,WAAO;AAAA,MACL,oBAAoB,CAAC,MAAM;AAAE,cAAM,GAAG,GAAG,UAAU,CAAC;AAAG,eAAO,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC;AAAA,MAAE;AAAA,MAC9F,YAAY,CAAC,MAAM,EAAE,eAAe,kBAAkB,EAAE,MAAM,WAAW,GAAG,MAAM,IAAI,IAAI;AAAA,IAC5F;AAAA,EACF;AAAA;AAAA,EAGQ,iBAAiB,SAAuB;AAC9C,QAAI,KAAK,kBAAkB,UAAU,KAAK,cAAc,QAAQ;AAC9D,YAAM,IAAI;AAAA,QACR,GAAG,OAAO;AAAA,MAEZ;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,KAAK,UAA4B,CAAC,GAA2B;AAC3D,SAAK,iBAAiB,MAAM;AAC5B,UAAM,OAAO,KAAK,YAAY;AAC9B,UAAM,OAAO,IAAI,eAA0D;AAAA,MACzE,GAAG;AAAA,MACH,SAAS,YAAY;AACnB,cAAM,EAAE,SAAS,cAAc,IAAI,MAAM,KAAK,cAAc,OAAO;AACnE,eAAO,EAAE,SAAS,SAAS,cAAc;AAAA,MAC3C;AAAA,MACA,iBAAiB,EAAE,SAAS,CAAC,GAAG,SAAS,CAAC,EAAE;AAAA,MAC5C,GAAI,QAAQ,eAAe,SAAY,EAAE,YAAY,QAAQ,WAAW,IAAI,CAAC;AAAA,IAC/E,CAAC;AACD,WAAO;AAAA,MACL,IAAI,QAAQ;AAAE,eAAO,KAAK,SAAS;AAAA,MAAwB;AAAA,MAC3D,IAAI,gBAAgB;AAAE,eAAO,KAAK,SAAS;AAAA,MAAmC;AAAA,MAC9E,IAAI,QAAQ;AAAE,eAAO,KAAK;AAAA,MAAM;AAAA,MAChC,OAAO,KAAK;AAAA,MACZ,WAAW,CAAC,OAAO,KAAK,UAAU,EAAE;AAAA,MACpC,MAAM,MAAM,KAAK,KAAK;AAAA,IACxB;AAAA,EACF;AAAA;AAAA,EAGA,UAAsC,MAA4C;AAChF,SAAK,iBAAiB,WAAW;AACjC,WAAO,IAAI,sBAA+B,MAAM,MAAM,KAAK,YAAY,CAAC;AAAA,EAC1E;AAAA;AAAA,EAGA,QAA0B,OAAwC;AAChE,SAAK,iBAAiB,SAAS;AAC/B,WAAO,IAAI,oBAA6B,MAAM,KAAK;AAAA,EACrD;AACF;AAGO,IAAM,sBAAN,MAAkD;AAAA,EACvD,YACmB,OACA,OACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAGnB,UAAsC,MAAsD;AAC1F,WAAO,IAAI;AAAA,MACT,EAAE,eAAe,CAAC,MAAM,KAAK,MAAM,cAAc,CAAC,EAAE;AAAA,MACpD,KAAK;AAAA,MACL;AAAA,MACA,KAAK,MAAM,YAAY;AAAA,IACzB;AAAA,EACF;AACF;","names":[]}

package/dist/with-derivation-CCqAchD5.d.cts DELETED Viewed

@@ -1,13 +0,0 @@
-import { aH as DerivationStrategy, aL as DerivationStrategyHandle } from './types-Bze6vkwm.cjs';
-/**
- * Register a deterministic derivation: one source collection → one or
- * more typed outputs, computed by the user's `derive` function on
- * plaintext after DEK unwrap. Outputs are encrypted with the same DEK
- * as the source and written via the standard `Collection.put` path.
- *
- * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.
- */
-declare function withDerivation<TSource extends Record<string, unknown>, TOutputs extends Record<string, Record<string, unknown>>>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle;
-export { withDerivation as w };

package/dist/with-derivation-_lySGdlm.d.ts DELETED Viewed

@@ -1,13 +0,0 @@
-import { aH as DerivationStrategy, aL as DerivationStrategyHandle } from './types-DrmBTscX.js';
-/**
- * Register a deterministic derivation: one source collection → one or
- * more typed outputs, computed by the user's `derive` function on
- * plaintext after DEK unwrap. Outputs are encrypted with the same DEK
- * as the source and written via the standard `Collection.put` path.
- *
- * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.
- */
-declare function withDerivation<TSource extends Record<string, unknown>, TOutputs extends Record<string, Record<string, unknown>>>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle;
-export { withDerivation as w };