@noy-db/hub 0.2.0-pre.17 → 0.2.0-pre.18

package/dist/{chunk-BSZOCSDZ.js → chunk-FQRAYDS4.js}

@@ -1,7 +1,7 @@
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-SISBMAPO.js";
+} from "./chunk-LGPSCKWZ.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -12,7 +12,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-UNTGHX5A.js";
+} from "./chunk-QJKZ5WUP.js";
 import {
   ConflictError,
   DirectoryDisabledError,
@@ -24,7 +24,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-ZEGSDPB7.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/directory/storage.ts
 var META_COLLECTION = "_meta";
@@ -894,4 +894,4 @@ export {
   hasImportCapability,
   evaluateImportCapability
 };
-//# sourceMappingURL=chunk-BSZOCSDZ.js.map
+//# sourceMappingURL=chunk-FQRAYDS4.js.map

package/dist/{chunk-ZEGSDPB7.js → chunk-HMFC6M2G.js}

@@ -194,6 +194,23 @@ var FieldFrozenError = class extends NoydbError {
     this.fields = fields;
   }
 };
+var IllegalTransitionError = class extends NoydbError {
+  collection;
+  id;
+  from;
+  to;
+  constructor(collection, id, from, to) {
+    super(
+      "ILLEGAL_TRANSITION",
+      `Cannot transition ${collection}/${id} from "${from}" to "${to}" \u2014 not a declared arc. Use withTransactions({ amendment: true, reason }) with admin/owner role to override.`
+    );
+    this.name = "IllegalTransitionError";
+    this.collection = collection;
+    this.id = id;
+    this.from = from;
+    this.to = to;
+  }
+};
 var InvariantError = class extends NoydbError {
   constructor(message) {
     super("INVARIANT_VIOLATED", message);
@@ -1066,6 +1083,7 @@ export {
   PeriodClosedError,
   RecordLockedError,
   FieldFrozenError,
+  IllegalTransitionError,
   InvariantError,
   AmendmentForbiddenError,
   DirectoryDisabledError,
@@ -1144,4 +1162,4 @@ export {
   SealedRecordMismatchError,
   RecordCekNotFoundError
 };
-//# sourceMappingURL=chunk-ZEGSDPB7.js.map
+//# sourceMappingURL=chunk-HMFC6M2G.js.map

package/dist/chunk-HMFC6M2G.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/errors.ts"],"sourcesContent":["/**\n * All NOYDB error classes — a single import surface for `catch` blocks and\n * `instanceof` checks.\n *\n * ## Class hierarchy\n *\n * ```\n * Error\n *  └─ NoydbError (code: string)\n *       ├─ Crypto errors\n *       │    ├─ DecryptionError        — AES-GCM tag failure\n *       │    ├─ TamperedError          — ciphertext modified after write\n *       │    └─ InvalidKeyError        — wrong passphrase / corrupt keyring\n *       ├─ Access errors\n *       │    ├─ NoAccessError          — no DEK for this collection\n *       │    ├─ ReadOnlyError          — ro permission, write attempted\n *       │    ├─ PermissionDeniedError  — role too low for operation\n *       │    ├─ PrivilegeEscalationError — grant wider than grantor holds\n *       │    └─ StoreCapabilityError   — optional store method missing\n *       ├─ Sync errors\n *       │    ├─ ConflictError          — optimistic-lock version mismatch\n *       │    ├─ BundleVersionConflictError — bundle push rejected by remote\n *       │    └─ NetworkError           — push/pull network failure\n *       ├─ Data errors\n *       │    ├─ NotFoundError          — get(id) on missing record\n *       │    ├─ ValidationError        — application-level guard failed\n *       │    └─ SchemaValidationError  — Standard Schema v1 rejection\n *       ├─ Query errors\n *       │    ├─ JoinTooLargeError                — join row ceiling exceeded\n *       │    ├─ CrossJoinTooLargeError            — cross-join row ceiling exceeded\n *       │    ├─ CrossJoinSourceUnknownError       — target collection not in vault\n *       │    ├─ DanglingReferenceError            — strict ref() points at nothing\n *       │    ├─ GroupCardinalityError             — groupBy bucket cap exceeded\n *       │    ├─ IndexRequiredError                — lazy-mode query touches unindexed field\n *       │    ├─ IndexWriteFailureError            — index side-car put/delete failed post-main\n *       │    ├─ UniqueConstraintError             — duplicate value on unique index\n *       │    └─ UnsupportedIndexOptionError       — unique+lazy or unique+crdt at registration\n *       ├─ i18n / Dictionary errors\n *       │    ├─ ReservedCollectionNameError\n *       │    ├─ DictKeyMissingError\n *       │    ├─ DictKeyInUseError\n *       │    ├─ MissingTranslationError\n *       │    ├─ LocaleNotSpecifiedError\n *       │    ├─ ScriptViolationError\n *       │    ├─ StaticDictReadonlyError\n *       │    ├─ UnknownDictCodeError\n *       │    └─ TranslatorNotConfiguredError\n *       ├─ Backup errors\n *       │    ├─ BackupLedgerError      — hash-chain verification failed\n *       │    └─ BackupCorruptedError   — envelope hash mismatch in dump\n *       ├─ Bundle errors\n *       │    └─ BundleIntegrityError   — .noydb body sha256 mismatch\n *       ├─ Session errors\n *       │    ├─ SessionExpiredError\n *       │    ├─ SessionNotFoundError\n *       │    └─ SessionPolicyError\n *       ├─ Snapshot errors\n *       │    └─ SnapshotNotFoundError  — snapshot key absent from snapshot store\n *       └─ Computed field errors\n *            └─ ComputedFieldError     — computed function threw during a write\n *       └─ Erasure errors\n *            └─ ForgetStrategyNotConfiguredError — vault.forget() with no withForgetCascade\n *       └─ Sealed-record errors (record-scoped CEK sealing, #306)\n *            ├─ SealedRecordExpiredError  — sealed CEK binding past expiresAt\n *            ├─ SealedRecordMismatchError — CEK sealed for record A used on record B\n *            └─ RecordCekNotFoundError    — record missing or no per-record `_cek`\n * ```\n *\n * ## Catching all NOYDB errors\n *\n * ```ts\n * import { NoydbError, InvalidKeyError, ConflictError } from '@noy-db/hub'\n *\n * try {\n *   await vault.unlock(passphrase)\n * } catch (e) {\n *   if (e instanceof InvalidKeyError) { showBadPassphraseUI(); return }\n *   if (e instanceof NoydbError) { logToSentry(e.code, e); return }\n *   throw e  // unexpected — re-throw\n * }\n * ```\n *\n * @module\n */\n\n/**\n * Base class for all NOYDB errors.\n *\n * Every error thrown by `@noy-db/hub` extends this class, so consumers can\n * catch all NOYDB errors in a single `catch (e) { if (e instanceof NoydbError) ... }`\n * block. The `code` field is a machine-readable string (e.g. `'DECRYPTION_FAILED'`)\n * suitable for `switch` statements and logging pipelines.\n */\nexport class NoydbError extends Error {\n  /** Machine-readable error code. Stable across library versions. */\n  readonly code: string\n\n  constructor(code: string, message: string) {\n    super(message)\n    this.name = 'NoydbError'\n    this.code = code\n  }\n}\n\n// ─── Crypto Errors ─────────────────────────────────────────────────────\n\n/**\n * Thrown when AES-GCM decryption fails.\n *\n * The most common cause is a wrong passphrase or a corrupted ciphertext.\n * A `DecryptionError` at the wrong passphrase level is caught internally\n * and re-thrown as `InvalidKeyError` — so in practice this surfaces for\n * per-record corruption rather than authentication failures.\n */\nexport class DecryptionError extends NoydbError {\n  constructor(message = 'Decryption failed') {\n    super('DECRYPTION_FAILED', message)\n    this.name = 'DecryptionError'\n  }\n}\n\n/**\n * Thrown when GCM tag verification fails, indicating the ciphertext was\n * modified after encryption.\n *\n * AES-256-GCM is authenticated encryption — the tag over the ciphertext\n * is checked on every decrypt. If any byte was flipped (accidental\n * corruption or deliberate tampering), decryption throws this error.\n * Treat it as a security alert: the stored bytes are not what NOYDB wrote.\n */\nexport class TamperedError extends NoydbError {\n  constructor(message = 'Data integrity check failed — record may have been tampered with') {\n    super('TAMPERED', message)\n    this.name = 'TamperedError'\n  }\n}\n\n/**\n * Thrown when key unwrapping fails, typically because the passphrase is wrong\n * or the keyring file is corrupted.\n *\n * NOYDB uses AES-KW (RFC 3394) to wrap DEKs with the KEK. If AES-KW\n * unwrapping fails, it means either the KEK was derived from the wrong\n * passphrase (PBKDF2 with 600K iterations) or the keyring bytes are\n * corrupted. This is the error shown to the user on a failed unlock attempt.\n */\nexport class InvalidKeyError extends NoydbError {\n  constructor(message = 'Invalid key — wrong passphrase or corrupted keyring') {\n    super('INVALID_KEY', message)\n    this.name = 'InvalidKeyError'\n  }\n}\n\n/**\n * Thrown when a keyring's wrapped-DEK set unwraps partially — at least\n * one DEK succeeds (proving the KEK is correct) but at least one fails.\n * The passphrase is right; the failed entries are corrupted.\n *\n * This is distinct from {@link InvalidKeyError} so that\n * `NoydbOptions.onInvalidKey: 'reset'` does NOT fire — resetting on\n * partial corruption would destroy the still-valid DEKs and the data\n * they protect, which is silent data loss in response to a feature\n * designed for stale-credential recovery.\n */\nexport class KeyringCorruptError extends NoydbError {\n  readonly failedCollections: readonly string[]\n  readonly intactCount: number\n  constructor(opts: { failedCollections: readonly string[]; intactCount: number; message?: string }) {\n    super(\n      'KEYRING_CORRUPT',\n      opts.message ??\n        `Keyring has ${opts.failedCollections.length} corrupted wrapped DEK(s) ` +\n          `(${opts.failedCollections.join(', ')}); ${opts.intactCount} other DEK(s) ` +\n          `unwrapped successfully — the passphrase is correct, the entries are damaged. ` +\n          `Do NOT use onInvalidKey: 'reset' here — that would destroy the intact DEKs.`,\n    )\n    this.name = 'KeyringCorruptError'\n    this.failedCollections = opts.failedCollections\n    this.intactCount = opts.intactCount\n  }\n}\n\n// ─── Access Errors ─────────────────────────────────────────────────────\n\n/**\n * Thrown when the authenticated user does not have a DEK for the requested\n * collection — i.e. the collection is not in their keyring at all.\n *\n * This is the \"no key for this door\" error. It is different from\n * `ReadOnlyError` (user has a key but it only grants ro) and from\n * `PermissionDeniedError` (user's role doesn't allow the operation).\n */\nexport class NoAccessError extends NoydbError {\n  constructor(message = 'No access — user does not have a key for this collection') {\n    super('NO_ACCESS', message)\n    this.name = 'NoAccessError'\n  }\n}\n\n/**\n * Thrown when a user with read-only (`ro`) permission attempts a write\n * operation (`put` or `delete`) on a collection.\n *\n * The user has a DEK for the collection (they can decrypt and read), but\n * their keyring grants only `ro`. To fix: re-grant the user with `rw`\n * permission, or do not attempt writes as a viewer/client role.\n */\nexport class ReadOnlyError extends NoydbError {\n  constructor(message = 'Read-only — user has ro permission on this collection') {\n    super('READ_ONLY', message)\n    this.name = 'ReadOnlyError'\n  }\n}\n\n/**\n * Thrown when a write is attempted against a historical view produced\n * by `vault.at(timestamp)`. Time-machine views are read-only by\n * contract — mutating the past would require either the shadow-vault\n * mechanism or a ledger-history rewrite (which breaks\n * the tamper-evidence guarantee).\n *\n * Distinct from {@link ReadOnlyError} (keyring-level) and\n * {@link PermissionDeniedError} (role-level): this error is about the\n * *view* being historical, independent of the caller's permissions.\n */\nexport class ReadOnlyAtInstantError extends NoydbError {\n  constructor(operation: string, timestamp: string) {\n    super(\n      'READ_ONLY_AT_INSTANT',\n      `Cannot ${operation}() on a vault view anchored at ${timestamp} — time-machine views are read-only`,\n    )\n    this.name = 'ReadOnlyAtInstantError'\n  }\n}\n\n/**\n * Thrown when a write is attempted against a shadow-vault frame\n * produced by `vault.frame()`. Frames are read-only by contract —\n * the use case is screen-sharing / demos / compliance review where\n * the operator wants to prevent accidental edits.\n *\n * Behavioural enforcement only — the underlying keyring still holds\n * write-capable DEKs. See {@link VaultFrame} for the full caveat.\n */\nexport class ReadOnlyFrameError extends NoydbError {\n  constructor(operation: string) {\n    super(\n      'READ_ONLY_FRAME',\n      `Cannot ${operation}() on a vault frame — frames are read-only presentations of the current vault`,\n    )\n    this.name = 'ReadOnlyFrameError'\n  }\n}\n\n/**\n * Thrown when the authenticated user's role does not permit the requested\n * operation — e.g. a `viewer` calling `grantAccess()`, or an `operator`\n * calling `rotateKeys()`.\n *\n * This is a role-level check (what the user's role allows), distinct from\n * `NoAccessError` (collection not in keyring) and `ReadOnlyError` (in\n * keyring, but write not allowed).\n */\nexport class PermissionDeniedError extends NoydbError {\n  constructor(message = 'Permission denied — insufficient role for this operation') {\n    super('PERMISSION_DENIED', message)\n    this.name = 'PermissionDeniedError'\n  }\n}\n\n/**\n * Thrown when an `@noy-db/as-*` export is attempted without the\n * required capability bit on the invoking keyring.\n *\n * Two sub-cases discriminated by the `tier` field:\n *\n * - `tier: 'plaintext'` — a plaintext-tier export (`as-xlsx`,\n *   `as-csv`, `as-blob`, `as-zip`, …) was attempted but the\n *   keyring's `exportCapability.plaintext` does not include the\n *   requested `format` (nor the `'*'` wildcard). Default for every\n *   role is `plaintext: []` — the owner must positively grant.\n * - `tier: 'bundle'` — an encrypted `as-noydb` bundle export was\n *   attempted but the keyring's `exportCapability.bundle` is\n *   `false`. Default for `owner`/`admin` is `true`; for\n *   `operator`/`viewer`/`client` it is `false`.\n *\n * Distinct from `PermissionDeniedError` (role-level check) and\n * `NoAccessError` (collection not readable). Surfaces separately so\n * UI layers can show a \"request the export capability from your\n * admin\" flow rather than a generic permission error.\n */\nexport class ExportCapabilityError extends NoydbError {\n  readonly tier: 'plaintext' | 'bundle'\n  readonly format?: string\n  readonly userId: string\n\n  constructor(opts: {\n    tier: 'plaintext' | 'bundle'\n    userId: string\n    format?: string\n    message?: string\n  }) {\n    const msg =\n      opts.message ??\n      (opts.tier === 'plaintext'\n        ? `Export capability denied — keyring \"${opts.userId}\" is not granted plaintext-export capability for format \"${opts.format ?? '<unknown>'}\". Ask a vault owner or admin to grant it via vault.grant({ exportCapability: { plaintext: ['${opts.format ?? '<format>'}'] } }).`\n        : `Export capability denied — keyring \"${opts.userId}\" is not granted encrypted-bundle export capability. Ask a vault owner or admin to grant it via vault.grant({ exportCapability: { bundle: true } }).`)\n    super('EXPORT_CAPABILITY', msg)\n    this.name = 'ExportCapabilityError'\n    this.tier = opts.tier\n    this.userId = opts.userId\n    if (opts.format !== undefined) this.format = opts.format\n  }\n}\n\n/**\n * Thrown when a keyring file's `expires_at` cutoff has passed.\n * Surfaced by `loadKeyring` before any DEK unwrap is attempted —\n * past the cutoff the slot refuses to open even with the right\n * passphrase. Distinct from PBKDF2 / unwrap errors so consumer code\n * can show a precise \"this bundle slot has expired\" message instead\n * of the generic decryption-failure UX.\n *\n * Used predominantly on `BundleRecipient` slots produced by\n * `writeNoydbBundle({ recipients: [...] })` to time-box audit access.\n */\nexport class KeyringExpiredError extends NoydbError {\n  readonly userId: string\n  readonly expiresAt: string\n  constructor(opts: { userId: string; expiresAt: string }) {\n    super(\n      'KEYRING_EXPIRED',\n      `Keyring \"${opts.userId}\" expired at ${opts.expiresAt}. ` +\n        'The slot refuses to unlock past its expiry timestamp.',\n    )\n    this.name = 'KeyringExpiredError'\n    this.userId = opts.userId\n    this.expiresAt = opts.expiresAt\n  }\n}\n\n/**\n * Thrown when an `@noy-db/as-*` import is attempted but the invoking\n * keyring lacks the required import-capability bit.\n *\n * - `tier: 'plaintext'` — a plaintext-tier import (`as-csv`, `as-json`,\n *   `as-ndjson`, `as-zip`, …) was attempted but the keyring's\n *   `importCapability.plaintext` does not include the requested\n *   `format` (nor the `'*'` wildcard).\n * - `tier: 'bundle'` — a `.noydb` bundle import was attempted but the\n *   keyring's `importCapability.bundle` is not `true`.\n *\n * Default for every role on every dimension is closed — owners and\n * admins must positively grant the capability. Distinct from\n * `PermissionDeniedError` and `NoAccessError` so UI layers can show a\n * specific \"request the import capability\" flow.\n */\nexport class ImportCapabilityError extends NoydbError {\n  readonly tier: 'plaintext' | 'bundle'\n  readonly format?: string\n  readonly userId: string\n\n  constructor(opts: {\n    tier: 'plaintext' | 'bundle'\n    userId: string\n    format?: string\n    message?: string\n  }) {\n    const msg =\n      opts.message ??\n      (opts.tier === 'plaintext'\n        ? `Import capability denied — keyring \"${opts.userId}\" is not granted plaintext-import capability for format \"${opts.format ?? '<unknown>'}\". Ask a vault owner or admin to grant it via vault.grant({ importCapability: { plaintext: ['${opts.format ?? '<format>'}'] } }).`\n        : `Import capability denied — keyring \"${opts.userId}\" is not granted encrypted-bundle import capability. Ask a vault owner or admin to grant it via vault.grant({ importCapability: { bundle: true } }).`)\n    super('IMPORT_CAPABILITY', msg)\n    this.name = 'ImportCapabilityError'\n    this.tier = opts.tier\n    this.userId = opts.userId\n    if (opts.format !== undefined) this.format = opts.format\n  }\n}\n\n/**\n * Thrown when a grant would give the grantee a permission the grantor\n * does not themselves hold — the \"admin cannot grant what admin cannot\n * do\" rule from the admin-delegation work.\n *\n * Distinct from `PermissionDeniedError` so callers can tell the two\n * cases apart in logs and tests:\n *\n *   - `PermissionDeniedError` — \"you are not allowed to perform this\n *     operation at all\" (wrong role).\n *   - `PrivilegeEscalationError` — \"you are allowed to grant, but not\n *     with these specific permissions\" (widening attempt).\n *\n * Under the admin model the grantee of an admin-grants-admin call\n * inherits the caller's entire DEK set by construction, so this error\n * is structurally unreachable in typical flows. The check and error\n * class exist so that future per-collection admin scoping cannot\n * accidentally bypass the subset rule — the guard is already wired in.\n *\n * `offendingCollection` carries the first collection name that failed\n * the subset check, to make the violation actionable in error output.\n */\n/**\n * Thrown when a caller invokes an API that requires an optional\n * store capability the active store does not implement.\n *\n * Today the only call site is `Noydb.listAccessibleVaults()`,\n * which depends on the optional `NoydbStore.listVaults()`\n * method. The error message names the missing method and the calling\n * API so consumers know exactly which combination is unsupported,\n * and the `capability` field is machine-readable so library code can\n * pattern-match in catch blocks (e.g. fall back to a candidate-list\n * shape).\n *\n * The class lives in `errors.ts` rather than as a generic\n * `ValidationError` because the diagnostic shape is different: a\n * `ValidationError` says \"the inputs you passed are wrong\"; this\n * error says \"the inputs are fine, but the store you wired up\n * doesn't support what you're asking for.\" Different fix, different\n * documentation.\n */\nexport class StoreCapabilityError extends NoydbError {\n  /** The store method/capability that was missing. */\n  readonly capability: string\n\n  constructor(capability: string, callerApi: string, storeName?: string) {\n    super(\n      'STORE_CAPABILITY',\n      `${callerApi} requires the optional store capability \"${capability}\" ` +\n        `but the active store${storeName ? ` (${storeName})` : ''} does not implement it. ` +\n        `Use a store that supports \"${capability}\" (store-memory, store-file) or pass an explicit ` +\n        `vault list to bypass enumeration.`,\n    )\n    this.name = 'StoreCapabilityError'\n    this.capability = capability\n  }\n}\n\nexport class PrivilegeEscalationError extends NoydbError {\n  readonly offendingCollection: string\n\n  constructor(offendingCollection: string, message?: string) {\n    super(\n      'PRIVILEGE_ESCALATION',\n      message ??\n        `Privilege escalation: grantor has no DEK for collection \"${offendingCollection}\" and cannot grant access to it.`,\n    )\n    this.name = 'PrivilegeEscalationError'\n    this.offendingCollection = offendingCollection\n  }\n}\n\n/**\n * Thrown when a reserved internal vault name (e.g. `__noydb_state__`) is used\n * as a group name or partition key.\n *\n * Internal vault names are prefixed or surrounded with double-underscores to\n * avoid collisions with user-defined vault names. Attempting to use one as a\n * group name or partition key bypasses the naming policy and is rejected\n * eagerly so the mis-configuration is surfaced immediately.\n */\nexport class ReservedVaultNameError extends NoydbError {\n  /** The rejected vault name. */\n  readonly vaultName: string\n\n  constructor(vaultName: string) {\n    super(\n      'RESERVED_VAULT_NAME',\n      `\"${vaultName}\" is a reserved internal vault name and cannot be used as a group name or partition key`,\n    )\n    this.name = 'ReservedVaultNameError'\n    this.vaultName = vaultName\n  }\n}\n\n/**\n * Thrown by `Collection.put` / `.delete` when the target record's\n * envelope `_ts` falls within a closed accounting period.\n *\n * Distinct from `ReadOnlyError` (keyring-level), `ReadOnlyAtInstantError`\n * (historical view), and `ReadOnlyFrameError` (shadow vault): this\n * error is about the STORED RECORD being sealed by an operator call\n * to `vault.closePeriod()`, independent of caller permissions or\n * view type. The `periodName` and `endDate` fields name the sealing\n * period so audit UIs can surface a \"this record is locked in\n * FY2026-Q1 (closed 2026-03-31)\" message without parsing the error\n * string.\n *\n * To apply a correction after close, book a compensating entry in a\n * new period rather than unlocking the old one. Re-opening a closed\n * period is deliberately unsupported.\n */\nexport class PeriodClosedError extends NoydbError {\n  readonly periodName: string\n  readonly endDate: string\n  readonly recordTs: string\n\n  constructor(periodName: string, endDate: string, recordTs: string) {\n    super(\n      'PERIOD_CLOSED',\n      `Cannot modify record (last written ${recordTs}) — sealed by closed period ` +\n        `\"${periodName}\" (endDate: ${endDate}). Post a compensating entry in a ` +\n        `new period instead.`,\n    )\n    this.name = 'PeriodClosedError'\n    this.periodName = periodName\n    this.endDate = endDate\n    this.recordTs = recordTs\n  }\n}\n\n/**\n * Thrown when a `put()` or `delete()` is rejected by a guard's `check`\n * function. The `reason` is the message the guard supplied — typically a\n * short business description (e.g. \"invoice is issued\"). The full\n * collection + id are surfaced so audit UIs can link back to the record.\n */\nexport class RecordLockedError extends NoydbError {\n  readonly collection: string\n  readonly id: string\n  readonly reason: string\n\n  constructor(collection: string, id: string, reason: string) {\n    super(\n      'RECORD_LOCKED',\n      `Cannot modify ${collection}/${id} — locked by guard: ${reason}. ` +\n        `Use withTransactions({ amendment: true, reason }) with admin/owner role to override.`,\n    )\n    this.name = 'RecordLockedError'\n    this.collection = collection\n    this.id = id\n    this.reason = reason\n  }\n}\n\n/**\n * Thrown when a `put()` changes one or more fields that are frozen by a\n * `frozenFields` guard. The `fields` list contains the specific paths\n * that were detected as changed.\n */\nexport class FieldFrozenError extends NoydbError {\n  readonly collection: string\n  readonly id: string\n  readonly fields: readonly string[]\n\n  constructor(collection: string, id: string, fields: readonly string[]) {\n    super(\n      'FIELD_FROZEN',\n      `Cannot change frozen field(s) on ${collection}/${id}: ${fields.join(', ')}. ` +\n        `Use withTransactions({ amendment: true, reason }) with admin/owner role to override.`,\n    )\n    this.name = 'FieldFrozenError'\n    this.collection = collection\n    this.id = id\n    this.fields = fields\n  }\n}\n\n/**\n * Thrown by a `transitionGuard` when a write moves a state field along an\n * arc that the declared transition graph does not allow — either an\n * update `from → to` that is not a listed edge, or an insert whose\n * initial state is not in the allowed `initial` set (reported with\n * `from: '(none)'`). Override via an amendment transaction by an\n * authorized role, like any guard.\n */\nexport class IllegalTransitionError extends NoydbError {\n  readonly collection: string\n  readonly id: string\n  readonly from: string\n  readonly to: string\n\n  constructor(collection: string, id: string, from: string, to: string) {\n    super(\n      'ILLEGAL_TRANSITION',\n      `Cannot transition ${collection}/${id} from \"${from}\" to \"${to}\" — not a declared arc. ` +\n        `Use withTransactions({ amendment: true, reason }) with admin/owner role to override.`,\n    )\n    this.name = 'IllegalTransitionError'\n    this.collection = collection\n    this.id = id\n    this.from = from\n    this.to = to\n  }\n}\n\n/**\n * Thrown by an amendment invariant when the proposed change-set violates\n * the declared business rule (e.g. disbursement total not preserved).\n * Triggers a full transaction rollback via the existing revert pass.\n */\nexport class InvariantError extends NoydbError {\n  constructor(message: string) {\n    super('INVARIANT_VIOLATED', message)\n    this.name = 'InvariantError'\n  }\n}\n\n/**\n * Thrown at `withTransactions({ amendment: true })` open if the caller's\n * role is not in the guard's allowed amendment roles. Fail-fast: thrown\n * before any writes are attempted.\n */\nexport class AmendmentForbiddenError extends NoydbError {\n  readonly userId: string\n  readonly role: string\n\n  constructor(userId: string, role: string) {\n    super(\n      'AMENDMENT_FORBIDDEN',\n      `User \"${userId}\" with role \"${role}\" cannot open an amendment transaction. ` +\n        `Amendments require admin or owner role.`,\n    )\n    this.name = 'AmendmentForbiddenError'\n    this.userId = userId\n    this.role = role\n  }\n}\n\n/**\n * Thrown by `listUsersWithEnvelopes` when the vault's user directory\n * has been disabled (via `db.setDirectoryEnabled(vault, false)`) and\n * the caller's role is neither `owner` nor `admin`. Owner/admin can\n * still enumerate users — the toggle is a UX privacy switch, not a\n * security boundary.\n *\n * Honest caveat: this is a UX flag, not a privacy guarantee. The\n * envelope ciphertext is still in the store, the keyring file is\n * still listed at `_keyring/*`, and anyone with direct store read\n * access can count keyrings without going through the hub. See\n * `docs/subsystems/user-envelope.md` → \"Directory visibility\".\n */\nexport class DirectoryDisabledError extends NoydbError {\n  readonly vault: string\n\n  constructor(vault: string) {\n    super(\n      'DIRECTORY_DISABLED',\n      `Vault \"${vault}\" has its user directory disabled. ` +\n        `Only owners and admins can call listUsersWithEnvelopes() here. ` +\n        `Use db.setDirectoryEnabled(vault, true) to re-enable.`,\n    )\n    this.name = 'DirectoryDisabledError'\n    this.vault = vault\n  }\n}\n\n// ─── Hierarchical Access Errors ─────────────────────\n\n/**\n * Thrown when a user tries to act at a tier they are not cleared for.\n *\n * This is the umbrella error for tier write refusals:\n *   - `put({ tier: N })` when the user's keyring lacks tier-N DEK.\n *   - `elevate(id, N)` when the caller cannot reach tier N.\n *\n * Distinct from `TierAccessDeniedError` which covers *read* refusals on\n * the invisibility/ghost path.\n */\nexport class TierNotGrantedError extends NoydbError {\n  readonly tier: number\n  readonly collection: string\n\n  constructor(collection: string, tier: number) {\n    super(\n      'TIER_NOT_GRANTED',\n      `User has no DEK for tier ${tier} in collection \"${collection}\"`,\n    )\n    this.name = 'TierNotGrantedError'\n    this.collection = collection\n    this.tier = tier\n  }\n}\n\n/**\n * Thrown when an elevated-handle operation runs after the elevation's\n * TTL expired. Reads continue at the original tier; only writes\n * through the scoped handle flip to throwing once expired.\n */\nexport class ElevationExpiredError extends NoydbError {\n  readonly tier: number\n  readonly expiresAt: number\n\n  constructor(opts: { tier: number; expiresAt: number }) {\n    super(\n      'ELEVATION_EXPIRED',\n      `Elevation to tier ${opts.tier} expired at ${new Date(opts.expiresAt).toISOString()}`,\n    )\n    this.name = 'ElevationExpiredError'\n    this.tier = opts.tier\n    this.expiresAt = opts.expiresAt\n  }\n}\n\n/**\n * Thrown by `vault.elevate(...)` when an elevation is already active\n * on the vault. Adopters must `release()` the existing handle before\n * starting a new elevation.\n */\nexport class AlreadyElevatedError extends NoydbError {\n  readonly activeTier: number\n\n  constructor(activeTier: number) {\n    super(\n      'ALREADY_ELEVATED',\n      `Vault is already elevated to tier ${activeTier}; release the existing handle first`,\n    )\n    this.name = 'AlreadyElevatedError'\n    this.activeTier = activeTier\n  }\n}\n\n/**\n * Thrown when `demote()` is called by someone who is not the original\n * elevator and not an owner.\n */\nexport class TierDemoteDeniedError extends NoydbError {\n  constructor(id: string, tier: number) {\n    super(\n      'TIER_DEMOTE_DENIED',\n      `Only the original elevator or an owner can demote record \"${id}\" from tier ${tier}`,\n    )\n    this.name = 'TierDemoteDeniedError'\n  }\n}\n\n/**\n * Thrown when `db.delegate()` is called against a user that has no\n * keyring in the target vault — the delegation token cannot be\n * constructed without the target user's KEK wrap.\n */\nexport class DelegationTargetMissingError extends NoydbError {\n  readonly toUser: string\n\n  constructor(toUser: string) {\n    super(\n      'DELEGATION_TARGET_MISSING',\n      `Delegation target user \"${toUser}\" has no keyring in this vault`,\n    )\n    this.name = 'DelegationTargetMissingError'\n    this.toUser = toUser\n  }\n}\n\n// ─── Sync Errors ───────────────────────────────────────────────────────\n\n/**\n * Thrown when a `put()` detects an optimistic concurrency conflict.\n *\n * NOYDB uses version numbers (`_v`) for optimistic locking. If a `put()`\n * is called with `expectedVersion: N` but the stored record is at version\n * `M ≠ N`, the write is rejected and the caller must re-read, re-apply their\n * change, and retry. The `version` field carries the actual stored version\n * so callers can decide whether to retry or surface the conflict to the user.\n */\nexport class ConflictError extends NoydbError {\n  /** The actual stored version at the time of conflict. */\n  readonly version: number\n\n  constructor(version: number, message = 'Version conflict') {\n    super('CONFLICT', message)\n    this.name = 'ConflictError'\n    this.version = version\n  }\n}\n\n/**\n * Thrown by `LedgerStore.append()` after exhausting its CAS retry\n * budget under multi-writer contention. Two browser tabs, a\n * web app + an offline mobile peer, or a server worker pool all\n * producing ledger entries against the same vault can race on the\n * \"read head, write head+1\" cycle; the optimistic-CAS retry loop\n * resolves the race for `casAtomic: true` stores, but pathological\n * contention (or a buggy peer) can still exhaust the budget. When\n * that happens, the chain is intact — the failed writer simply\n * couldn't claim a slot. Caller's choice whether to retry, queue,\n * or surface the failure to the user.\n */\nexport class LedgerContentionError extends NoydbError {\n  readonly attempts: number\n\n  constructor(attempts: number) {\n    super(\n      'LEDGER_CONTENTION',\n      `LedgerStore.append: failed to claim a chain slot after ${attempts} optimistic-CAS retries`,\n    )\n    this.name = 'LedgerContentionError'\n    this.attempts = attempts\n  }\n}\n\n/**\n * Thrown by `vault.sequence(name).next()` after exhausting its CAS retry\n * budget under contention. The counter is intact; the caller may retry.\n */\nexport class SequenceContentionError extends NoydbError {\n  readonly sequence: string\n  readonly attempts: number\n\n  constructor(sequence: string, attempts: number) {\n    super(\n      'SEQUENCE_CONTENTION',\n      `vault.sequence(\"${sequence}\").next(): failed to allocate after ${attempts} optimistic-CAS retries`,\n    )\n    this.name = 'SequenceContentionError'\n    this.sequence = sequence\n    this.attempts = attempts\n  }\n}\n\n/**\n * Thrown by `vault.sequence(name).next()` when the backing store is not\n * CAS-capable (`capabilities.casAtomic !== true`). Gap-free numbering\n * requires single-authority serialization, which an offline / non-CAS\n * store cannot provide — this is a deliberate online-only wall.\n */\nexport class SequenceOfflineError extends NoydbError {\n  constructor() {\n    super(\n      'SEQUENCE_OFFLINE',\n      'vault.sequence().next() requires an online CAS-capable store ' +\n        '(capabilities.casAtomic). Gap-free numbering cannot be serialized offline.',\n    )\n    this.name = 'SequenceOfflineError'\n  }\n}\n\n/** Thrown by a deferred-numbering pass when the store clock is unavailable or its uncertainty cannot be resolved. */\nexport class NumberingUncertaintyError extends NoydbError {\n  readonly series: string\n  constructor(series: string) {\n    super(\n      'NUMBERING_UNCERTAINTY',\n      `Deferred numbering for series \"${series}\" cannot run: the store does not expose getStoreTime() ` +\n        `(capabilities.serverWriteTime). Use a CAS sequence or a store with serverWriteTime.`,\n    )\n    this.name = 'NumberingUncertaintyError'\n    this.series = series\n  }\n}\n\n/**\n * Thrown when a bundle push is rejected because the remote has been updated\n * since the local bundle was last pulled.\n *\n * Unlike `ConflictError` (per-record), this is a whole-bundle conflict —\n * the remote's bundle handle has changed. The caller must pull the new\n * bundle, merge, and re-push. `remoteVersion` is the handle of the newer\n * remote bundle for use in diagnostics.\n */\nexport class BundleVersionConflictError extends NoydbError {\n  /** The bundle handle of the newer remote version that rejected the push. */\n  readonly remoteVersion: string\n\n  constructor(remoteVersion: string, message = 'Bundle version conflict — remote has been updated') {\n    super('BUNDLE_VERSION_CONFLICT', message)\n    this.name = 'BundleVersionConflictError'\n    this.remoteVersion = remoteVersion\n  }\n}\n\n/**\n * Thrown when a sync operation (push or pull) fails due to a network error.\n *\n * NOYDB's offline-first design means network errors are expected during sync.\n * Callers should catch `NetworkError`, surface connectivity status in the UI,\n * and rely on the `SyncScheduler` to retry when connectivity is restored.\n */\nexport class NetworkError extends NoydbError {\n  constructor(message = 'Network error') {\n    super('NETWORK_ERROR', message)\n    this.name = 'NetworkError'\n  }\n}\n\n// ─── Data Errors ───────────────────────────────────────────────────────\n\n/**\n * Thrown when `collection.get(id)` is called with an ID that does not exist.\n *\n * NOYDB collections are memory-first, so this error is synchronous and cheap —\n * it does not make a network round-trip. Callers that expect the record to be\n * absent should use `collection.getOrNull(id)` instead.\n */\nexport class NotFoundError extends NoydbError {\n  constructor(message = 'Record not found') {\n    super('NOT_FOUND', message)\n    this.name = 'NotFoundError'\n  }\n}\n\n/**\n * Thrown when application-level validation fails before encryption.\n *\n * Distinct from `SchemaValidationError` (Standard Schema v1 validator)\n * and `MissingTranslationError` (i18nText). `ValidationError` is the\n * general-purpose validation base — use it for custom guards in `put()`\n * hooks or store middleware.\n */\nexport class ValidationError extends NoydbError {\n  constructor(message = 'Validation error') {\n    super('VALIDATION_ERROR', message)\n    this.name = 'ValidationError'\n  }\n}\n\n/**\n * Thrown when a Standard Schema v1 validator rejects a record on\n * `put()` (input validation) or on read (output validation). Carries\n * the raw issue list so callers can render field-level errors.\n *\n * `direction` distinguishes the two cases:\n *   - `'input'`: the user passed bad data into `put()`. This is a\n *     normal error case that application code should handle — typically\n *     by showing validation messages in the UI.\n *   - `'output'`: stored data does not match the current schema. This\n *     indicates a schema drift (the schema was changed without\n *     migrating the existing records) and should be treated as a bug\n *     — the application should not swallow it silently.\n *\n * The `issues` type is deliberately `readonly unknown[]` on this class\n * so that `errors.ts` doesn't need to import from `schema.ts` (and\n * create a dependency cycle). Callers who know they're holding a\n * `SchemaValidationError` can cast to the more precise\n * `readonly StandardSchemaV1Issue[]` from `schema.ts`.\n */\nexport class SchemaValidationError extends NoydbError {\n  readonly issues: readonly unknown[]\n  readonly direction: 'input' | 'output'\n\n  constructor(\n    message: string,\n    issues: readonly unknown[],\n    direction: 'input' | 'output',\n  ) {\n    super('SCHEMA_VALIDATION_FAILED', message)\n    this.name = 'SchemaValidationError'\n    this.issues = issues\n    this.direction = direction\n  }\n}\n\n/** Base for schema-evolution strategy rejections. */\nexport class SchemaUpdateError extends NoydbError {\n  constructor(code: string, message: string) {\n    super(code, message)\n    this.name = 'SchemaUpdateError'\n  }\n}\n\n/** A non-additive schema change was rejected by the `additiveOnly()` strategy. */\nexport class NonAdditiveSchemaChangeError extends SchemaUpdateError {\n  constructor(message: string) {\n    super('NON_ADDITIVE_SCHEMA_CHANGE', message)\n    this.name = 'NonAdditiveSchemaChangeError'\n  }\n}\n\n/** A schema change was rejected by the `lockSchema()` strategy. */\nexport class SchemaLockedError extends SchemaUpdateError {\n  constructor(message: string) {\n    super('SCHEMA_LOCKED', message)\n    this.name = 'SchemaLockedError'\n  }\n}\n\n/** Write attempted while a schema cutover fence is up (draining/migrating, or this collection has a pending cutover). */\nexport class SchemaFenceError extends SchemaUpdateError {\n  constructor(message: string) {\n    super('SCHEMA_FENCE', message)\n    this.name = 'SchemaFenceError'\n  }\n}\n\n/** Write attempted by a client whose generation snapshot is behind the live fence — reload required. */\nexport class MigrationRequiredError extends SchemaUpdateError {\n  constructor(message: string) {\n    super('MIGRATION_REQUIRED', message)\n    this.name = 'MigrationRequiredError'\n  }\n}\n\n/** A coordinated cutover timed out waiting for active clients to quiesce. */\nexport class QuiesceTimeoutError extends SchemaUpdateError {\n  constructor(message: string) {\n    super('QUIESCE_TIMEOUT', message)\n    this.name = 'QuiesceTimeoutError'\n  }\n}\n\n// ─── Query DSL Errors ─────────────────────────────────────────────────\n\n/**\n * Thrown when `.groupBy().aggregate()` produces more than the hard\n * cardinality cap (default 100_000 groups)..\n *\n * The cap exists because `.groupBy()` materializes one bucket per\n * distinct key value in memory, and runaway cardinality — a groupBy\n * on a high-uniqueness field like `id` or `createdAt` — is almost\n * always a query mistake rather than legitimate use. A hard error is\n * better than silent OOM: the consumer sees an actionable message\n * naming the field and the observed cardinality, with guidance to\n * either narrow the query with `.where()` or accept the ceiling\n * override.\n *\n * A separate one-shot warning fires at 10% of the cap (10_000\n * groups) so consumers get a heads-up before the hard error — same\n * pattern as `JoinTooLargeError` and the `.join()` row ceiling.\n *\n * **Not overridable in.** The 100k cap is a fixed constant so\n * the failure mode is consistent across the codebase; a\n * `{ maxGroups }` override can be added later without a break if a\n * real consumer asks.\n */\nexport class GroupCardinalityError extends NoydbError {\n  /** The field being grouped on. */\n  readonly field: string\n  /** Observed number of distinct groups at the moment the cap tripped. */\n  readonly cardinality: number\n  /** The cap that was exceeded. */\n  readonly maxGroups: number\n\n  constructor(field: string, cardinality: number, maxGroups: number) {\n    super(\n      'GROUP_CARDINALITY',\n      `.groupBy(\"${field}\") produced ${cardinality} distinct groups, ` +\n        `exceeding the ${maxGroups}-group ceiling. This is almost always a ` +\n        `query mistake — grouping on a high-uniqueness field like \"id\" or ` +\n        `\"createdAt\" produces one bucket per record. Narrow the query with ` +\n        `.where() before grouping, or group on a lower-cardinality field ` +\n        `(status, category, clientId). If you genuinely need high-cardinality ` +\n        `grouping, file an issue with your use case.`,\n    )\n    this.name = 'GroupCardinalityError'\n    this.field = field\n    this.cardinality = cardinality\n    this.maxGroups = maxGroups\n  }\n}\n\n/**\n * Thrown in lazy mode when a `.query()` / `.where()` / `.orderBy()` clause\n * references a field that does not have a declared index.\n *\n * Lazy-mode queries only work when every touched field is indexed.\n * This is deliberate — silent scan-fallback would hide the performance\n * cliff that lazy-mode indexes exist to prevent.\n *\n * Payload:\n * - `collection` — name of the collection queried\n * - `touchedFields` — every field referenced by the query (filter + order)\n * - `missingFields` — subset of `touchedFields` that have no declared index\n */\nexport class IndexRequiredError extends NoydbError {\n  readonly collection: string\n  readonly touchedFields: readonly string[]\n  readonly missingFields: readonly string[]\n\n  constructor(args: { collection: string; touchedFields: readonly string[]; missingFields: readonly string[] }) {\n    super(\n      'INDEX_REQUIRED',\n      `Collection \"${args.collection}\": query references unindexed fields in lazy mode ` +\n      `(missing: ${args.missingFields.join(', ')}). ` +\n      `Declare an index on each field, or use collection.scan() for non-indexed iteration.`,\n    )\n    this.name = 'IndexRequiredError'\n    this.collection = args.collection\n    this.touchedFields = [...args.touchedFields]\n    this.missingFields = [...args.missingFields]\n  }\n}\n\n/**\n * Thrown by `Collection.put()` when writing a record would violate a\n * unique-index constraint — the same field value (or composite field\n * tuple) is already held by a *different* record id in the collection.\n *\n * Properties:\n * - `collection` — name of the collection the write was targeting\n * - `recordId` — the id of the record being written (the would-be violator)\n * - `fields` — the constrained field(s), e.g. `['taxId']` or `['workerId','employerEntityId']`\n * - `conflictingId` — the id of the record already holding the value\n *\n * Null-distinct semantics: if any constrained field is `null`/`undefined`,\n * the row is exempt (the constraint does not fire). This matches standard\n * SQL NULL-distinct behavior.\n */\nexport class UniqueConstraintError extends NoydbError {\n  readonly collection: string\n  readonly recordId: string\n  readonly fields: readonly string[]\n  readonly conflictingId: string\n\n  constructor(collection: string, recordId: string, fields: readonly string[], conflictingId: string) {\n    super(\n      'UNIQUE_CONSTRAINT',\n      `Unique constraint on ${collection}.[${fields.join(', ')}] violated: ` +\n        `record \"${recordId}\" duplicates a value already held by \"${conflictingId}\".`,\n    )\n    this.name = 'UniqueConstraintError'\n    this.collection = collection\n    this.recordId = recordId\n    this.fields = fields\n    this.conflictingId = conflictingId\n  }\n}\n\n/**\n * Thrown at collection registration when an index option is declared that\n * is incompatible with the collection's operating mode.\n *\n * Currently covers two cases:\n * - `unique: true` on a lazy-mode (`prefetch: false`) collection — lazy mode\n *   does not pre-load all records, so an in-memory uniqueness map cannot be\n *   maintained reliably.\n * - `unique: true` on a CRDT collection (`crdt: 'lww-map' | 'rga' | 'yjs'`) —\n *   CRDT put() short-circuits the unique-constraint check, so enforcement would\n *   silently not fire.\n *\n * Both cases are caught eagerly at `vault.collection()` time so the developer\n * sees the incompatibility immediately rather than shipping silently-ignored\n * constraints.\n *\n * The `option` field names the incompatible option (`'unique'`) so catch blocks\n * can pattern-match without inspecting the error message.\n */\nexport class UnsupportedIndexOptionError extends NoydbError {\n  readonly option: string\n  constructor(option: string, message: string) {\n    super('UNSUPPORTED_INDEX_OPTION', message)\n    this.name = 'UnsupportedIndexOptionError'\n    this.option = option\n  }\n}\n\n/**\n * Thrown (or surfaced via the `index:write-partial` event) when one or more\n * per-indexed-field side-car writes fail after the main record write has\n * already succeeded.\n *\n * Not thrown out of `.put()` / `.delete()` directly — those succeed when the\n * main record succeeds. Instead, `IndexWriteFailureError` instances are collected\n * into the session-scoped reconcile queue and emitted on the Collection\n * emitter as `index:write-partial`.\n *\n * Payload:\n * - `recordId` — the id of the main record whose side-car writes failed\n * - `field` — the indexed field whose side-car write failed\n * - `op` — `'put'` or `'delete'`, indicating which mutation was in flight\n * - `cause` — the underlying error from the store\n */\nexport class IndexWriteFailureError extends NoydbError {\n  readonly recordId: string\n  readonly field: string\n  readonly op: 'put' | 'delete'\n  override readonly cause: unknown\n\n  constructor(args: { recordId: string; field: string; op: 'put' | 'delete'; cause: unknown }) {\n    super(\n      'INDEX_WRITE_FAILURE',\n      `Index side-car ${args.op} failed for field \"${args.field}\" on record \"${args.recordId}\"`,\n    )\n    this.name = 'IndexWriteFailureError'\n    this.recordId = args.recordId\n    this.field = args.field\n    this.op = args.op\n    this.cause = args.cause\n  }\n}\n\n// ─── Bundle Format Errors ─────────────────────────────────\n\n/**\n * Thrown by `readNoydbBundle()` when the body bytes don't match\n * the integrity hash declared in the bundle header — i.e. someone\n * modified the bytes between write and read.\n *\n * Distinct from a generic `Error` (which would be thrown for\n * format violations like a missing magic prefix or malformed\n * header JSON) so consumers can pattern-match the corruption case\n * and handle it differently from a producer bug. A\n * `BundleIntegrityError` indicates \"the bytes you got are not\n * what was written\"; a plain `Error` from `parsePrefixAndHeader`\n * indicates \"what was written wasn't a valid bundle in the first\n * place.\"\n *\n * Also thrown when decompression fails after the integrity hash\n * passed — that's a producer bug (the wrong algorithm byte was\n * written) but it surfaces with the same error class because the\n * end result is \"the body cannot be turned back into a dump.\"\n */\nexport class BundleIntegrityError extends NoydbError {\n  constructor(message: string) {\n    super('BUNDLE_INTEGRITY', `.noydb bundle integrity check failed: ${message}`)\n    this.name = 'BundleIntegrityError'\n  }\n}\n\n/**\n * Thrown by `readNoydbBundle` when the bundle carries\n * sealed per-user passphrases but no supplied `SealingKeyProvider`\n * has a `.id` (= `pid`) matching the sealed entry's `pid`.\n *\n * Carries the failing pid + the user id so the recipient can\n * surface an actionable prompt:\n *\n * ```\n * BundleSealMismatchError: bundle carries sealed passphrase for user \"alice\"\n *   under provider \"macos-keychain:com.acme.app/alice@acme.example\",\n *   but no registered provider matches that pid.\n * ```\n *\n * Three resolution paths the message names (per foundation §11.9.4):\n *\n * 1. Configure a provider matching the pid and retry import.\n * 2. Pass `attemptUnsealAcrossProviders: true` to try each\n *    registered provider regardless of pid.\n * 3. Inspect without unsealing — pass no `sealingProviders` to\n *    receive the sealed entries unmodified for offline analysis.\n */\nexport class BundleSealMismatchError extends NoydbError {\n  readonly userId: string\n  readonly pid: string\n  constructor(userId: string, pid: string) {\n    super(\n      'BUNDLE_SEAL_MISMATCH',\n      `bundle carries sealed passphrase for user \"${userId}\" under provider `\n      + `\"${pid}\", but no registered provider matches that pid.\\n\\n`\n      + 'Resolutions:\\n'\n      + '  1. Configure a provider matching the pid and retry import.\\n'\n      + '  2. Pass `attemptUnsealAcrossProviders: true` to try each registered\\n'\n      + '     provider regardless of pid (extra credential prompts may surface).\\n'\n      + '  3. Inspect the bundle without unsealing — pass no `sealingProviders`\\n'\n      + '     to receive the sealed entries unmodified for offline analysis.',\n    )\n    this.name = 'BundleSealMismatchError'\n    this.userId = userId\n    this.pid = pid\n  }\n}\n\n// ─── i18n / Dictionary Errors ──────────────────────────\n\n/**\n * Thrown when `vault.collection()` is called with a name that is\n * reserved for NOYDB internal use (any name starting with `_dict_`).\n *\n * Dictionary collections are accessed exclusively via\n * `vault.dictionary(name)` — attempting to open one as a regular\n * collection would bypass the dictionary invariants (ACL, rename\n * tracking, reserved-name policy).\n */\nexport class ReservedCollectionNameError extends NoydbError {\n  /** The rejected collection name. */\n  readonly collectionName: string\n\n  constructor(collectionName: string) {\n    super(\n      'RESERVED_COLLECTION_NAME',\n      `\"${collectionName}\" is a reserved collection name. ` +\n        `Use vault.dictionary(\"${collectionName.replace(/^_dict_/, '')}\") ` +\n        `to access dictionary collections.`,\n    )\n    this.name = 'ReservedCollectionNameError'\n    this.collectionName = collectionName\n  }\n}\n\n/**\n * Thrown by `DictionaryHandle.get()` and `DictionaryHandle.delete()` when\n * the requested key does not exist in the dictionary.\n *\n * Distinct from `NotFoundError` (which is for data records) so callers\n * can distinguish \"data record missing\" from \"dictionary key missing\"\n * without inspecting error messages.\n */\nexport class DictKeyMissingError extends NoydbError {\n  /** The dictionary name. */\n  readonly dictionaryName: string\n  /** The key that was not found. */\n  readonly key: string\n\n  constructor(dictionaryName: string, key: string) {\n    super(\n      'DICT_KEY_MISSING',\n      `Dictionary \"${dictionaryName}\" has no entry for key \"${key}\".`,\n    )\n    this.name = 'DictKeyMissingError'\n    this.dictionaryName = dictionaryName\n    this.key = key\n  }\n}\n\n/**\n * Thrown by `DictionaryHandle.delete()` in strict mode when the key to\n * be deleted is still referenced by one or more records.\n *\n * The caller must either rename the key first (the only sanctioned\n * mass-mutation path) or pass `{ mode: 'warn' }` to skip the check\n * (development only).\n */\nexport class DictKeyInUseError extends NoydbError {\n  /** The dictionary name. */\n  readonly dictionaryName: string\n  /** The key that is still referenced. */\n  readonly key: string\n  /** Name of the first collection found to reference this key. */\n  readonly usedBy: string\n  /** Number of records in `usedBy` that reference this key. */\n  readonly count: number\n\n  constructor(\n    dictionaryName: string,\n    key: string,\n    usedBy: string,\n    count: number,\n  ) {\n    super(\n      'DICT_KEY_IN_USE',\n      `Cannot delete key \"${key}\" from dictionary \"${dictionaryName}\": ` +\n        `${count} record(s) in \"${usedBy}\" still reference it. ` +\n        `Use dictionary.rename(\"${key}\", newKey) to rewrite references first.`,\n    )\n    this.name = 'DictKeyInUseError'\n    this.dictionaryName = dictionaryName\n    this.key = key\n    this.usedBy = usedBy\n    this.count = count\n  }\n}\n\n/**\n * Thrown by `Collection.put()` when an `i18nText` field is missing one\n * or more required translations.\n *\n * The `missing` array names each locale code that was absent from the\n * field value. The `field` property names the field so callers can\n * render a field-level error message without parsing the string.\n */\nexport class MissingTranslationError extends NoydbError {\n  /** The field name whose translation(s) are missing. */\n  readonly field: string\n  /** Locale codes that were required but absent. */\n  readonly missing: readonly string[]\n\n  constructor(field: string, missing: readonly string[], message?: string) {\n    super(\n      'MISSING_TRANSLATION',\n      message ??\n        `Field \"${field}\": missing required translation(s): ${missing.join(', ')}.`,\n    )\n    this.name = 'MissingTranslationError'\n    this.field = field\n    this.missing = missing\n  }\n}\n\n/**\n * Thrown when reading an `i18nText` field without specifying a locale —\n * either at the call site (`get(id, { locale })`) or on the vault\n * (`openVault(name, { locale })`).\n *\n * Also thrown when `resolveI18nText()` exhausts the fallback chain and\n * no translation is available for the requested locale.\n *\n * The `field` property names the field that triggered the error so the\n * caller can surface it in the UI.\n */\nexport class LocaleNotSpecifiedError extends NoydbError {\n  /** The field name that required a locale. */\n  readonly field: string\n\n  constructor(field: string, message?: string) {\n    super(\n      'LOCALE_NOT_SPECIFIED',\n      message ??\n        `Cannot read i18nText field \"${field}\" without a locale. ` +\n        `Pass { locale } to get()/list()/query() or set a default via ` +\n        `openVault(name, { locale }).`,\n    )\n    this.name = 'LocaleNotSpecifiedError'\n    this.field = field\n  }\n}\n\n/**\n * Thrown at write time when an `i18nText` slot's value contains\n * characters outside the script set allowed for that locale, and the\n * field's `onScriptViolation` policy is `'reject'` (the default).\n *\n * Distinct from {@link MissingTranslationError} (write-shape) and\n * {@link LocaleNotSpecifiedError} (read-hole) so callers can tell a\n * wrong-script value from a missing one.\n */\nexport class ScriptViolationError extends NoydbError {\n  /** The field whose value violated its script constraint. */\n  readonly field: string\n  /** The locale slot (e.g. `'en'`) that was checked. */\n  readonly locale: string\n  /** The Unicode scripts allowed for this slot. */\n  readonly expected: readonly string[]\n  /** A short sample of the offending characters, for diagnostics. */\n  readonly sample: string\n\n  constructor(\n    field: string,\n    locale: string,\n    expected: readonly string[],\n    sample: string,\n    message?: string,\n  ) {\n    super(\n      'SCRIPT_VIOLATION',\n      message ??\n        `Field \"${field}\" slot \"${locale}\" expects script(s) [${expected.join(', ')}] ` +\n        `but contains disallowed character(s): \"${sample}\".`,\n    )\n    this.name = 'ScriptViolationError'\n    this.field = field\n    this.locale = locale\n    this.expected = expected\n    this.sample = sample\n  }\n}\n\n/**\n * Thrown when a mutation (`put`/`putAll`/`rename`/`delete`) is attempted\n * against a dictionary name that is backed by a `staticDict()` descriptor.\n *\n * A static dict's labels are code constants with no per-vault storage and no\n * mutation surface — a label change is a code deploy, not a runtime write.\n * Distinct from the other dictionary errors so callers can tell a\n * \"this dict is read-only by construction\" refusal from a missing-key or\n * key-in-use failure. (#291)\n */\nexport class StaticDictReadonlyError extends NoydbError {\n  /** The static dictionary name that was the target of the mutation. */\n  readonly dictionaryName: string\n\n  constructor(dictionaryName: string) {\n    super(\n      'STATIC_DICT_READONLY',\n      `Dictionary \"${dictionaryName}\" is a staticDict — its labels are code ` +\n        `constants with no mutation surface. put/putAll/rename/delete are not ` +\n        `supported; change the label in the staticDict() table and redeploy.`,\n    )\n    this.name = 'StaticDictReadonlyError'\n    this.dictionaryName = dictionaryName\n  }\n}\n\n/**\n * Thrown at put-time when a record stores a code for a `staticDict()` field\n * that is not in the descriptor's declared `keys` (a typo or a stale code).\n *\n * Codes are closed by construction, so an unknown code is treated as a bug by\n * default. Opt out per descriptor with `{ validateCodes: false }`.\n *\n * Distinct from {@link LocaleNotSpecifiedError} (a read-hole) — this is a\n * write-shape error. (#291)\n */\nexport class UnknownDictCodeError extends NoydbError {\n  /** The static dictionary name. */\n  readonly dictionaryName: string\n  /** The field that carried the unknown code. */\n  readonly field: string\n  /** The offending code value. */\n  readonly code: string\n\n  constructor(dictionaryName: string, field: string, code: string) {\n    super(\n      'UNKNOWN_DICT_CODE',\n      `Field \"${field}\": code \"${code}\" is not a known key of staticDict ` +\n        `\"${dictionaryName}\". Use a declared code, or pass ` +\n        `{ validateCodes: false } on the descriptor to allow open codes.`,\n    )\n    this.name = 'UnknownDictCodeError'\n    this.dictionaryName = dictionaryName\n    this.field = field\n    this.code = code\n  }\n}\n\n// ─── Translator Errors ─────────────────────────────────────\n\n/**\n * Thrown when a collection has an `i18nText` field with\n * `autoTranslate: true` but no `plaintextTranslator` was configured\n * on `createNoydb()`.\n *\n * The error is raised at `put()` time (not at schema construction) so\n * the mis-configuration is surfaced by the first write rather than\n * silently at startup.\n */\nexport class TranslatorNotConfiguredError extends NoydbError {\n  /** The field that requested auto-translation. */\n  readonly field: string\n  /** The collection the put was targeting. */\n  readonly collection: string\n\n  constructor(field: string, collection: string) {\n    super(\n      'TRANSLATOR_NOT_CONFIGURED',\n      `Field \"${field}\" in collection \"${collection}\" has autoTranslate: true, ` +\n        `but no plaintextTranslator was configured on createNoydb(). ` +\n        `Either configure a plaintextTranslator or remove autoTranslate from the schema.`,\n    )\n    this.name = 'TranslatorNotConfiguredError'\n    this.field = field\n    this.collection = collection\n  }\n}\n\n// ─── Backup Errors ─────────────────────────────────────────\n\n/**\n * Thrown when `Vault.load()` finds that a backup's hash chain\n * doesn't verify, or that its embedded `ledgerHead.hash` doesn't\n * match the chain head reconstructed from the loaded entries.\n *\n * Distinct from `BackupCorruptedError` so callers can choose to\n * recover from one but not the other (e.g., a corrupted JSON file is\n * unrecoverable; a chain mismatch might mean the backup is from an\n * incompatible noy-db version).\n */\nexport class BackupLedgerError extends NoydbError {\n  /** First-broken-entry index, if known. */\n  readonly divergedAt?: number\n\n  constructor(message: string, divergedAt?: number) {\n    super('BACKUP_LEDGER', message)\n    this.name = 'BackupLedgerError'\n    if (divergedAt !== undefined) this.divergedAt = divergedAt\n  }\n}\n\n/**\n * Thrown when `Vault.load()` finds that the backup's data\n * collection content doesn't match the ledger's recorded\n * `payloadHash`es. This is the \"envelope was tampered with after\n * dump\" detection — the chain itself can be intact, but if any\n * encrypted record bytes were swapped, this check catches it.\n */\nexport class BackupCorruptedError extends NoydbError {\n  /** The (collection, id) pair whose envelope failed the hash check. */\n  readonly collection: string\n  readonly id: string\n\n  constructor(collection: string, id: string, message: string) {\n    super('BACKUP_CORRUPTED', message)\n    this.name = 'BackupCorruptedError'\n    this.collection = collection\n    this.id = id\n  }\n}\n\n/**\n * Thrown by partition-extraction primitives when the\n * transitive-closure walk fails — e.g. the FK graph is deeper than\n * `maxDepth`, signalling a runaway or unexpectedly cyclic graph.\n */\nexport class PartitionExtractionError extends NoydbError {\n  constructor(message: string) {\n    super('PARTITION_EXTRACTION', message)\n    this.name = 'PartitionExtractionError'\n  }\n}\n\n/**\n * Thrown by `adoptPartition` when the transfer seal can't be\n * opened — a wrong/short transfer key (AES-GCM auth-tag failure) or a\n * malformed sealed payload.\n */\nexport class TransferSealError extends NoydbError {\n  constructor(message: string) {\n    super('TRANSFER_SEAL', message)\n    this.name = 'TransferSealError'\n  }\n}\n\n/**\n * Thrown when an adoption-lifecycle precondition fails — re-adopting a\n * partition already consumed in this store, or owner-creation on a\n * vault that isn't in the adopted-unowned state.\n */\nexport class AdoptionStateError extends NoydbError {\n  constructor(message: string) {\n    super('ADOPTION_STATE', message)\n    this.name = 'AdoptionStateError'\n  }\n}\n\n// ─── Attestation Errors ────────────────────────────────────\n\n/** Document-attestation failures: undeclared field-schema, non-owner issue, missing field, signer failure. */\nexport class AttestationError extends NoydbError {\n  constructor(message: string) {\n    super('ATTESTATION', message)\n    this.name = 'AttestationError'\n  }\n}\n\n// ─── Session Errors ───────────────────────────────────────\n\n/**\n * Thrown by `resolveSession()` when the session token's `expiresAt`\n * timestamp is in the past. The session key is also removed from the\n * in-memory store when this is thrown, so retrying with the same sessionId\n * will produce `SessionNotFoundError`.\n *\n * Separate from `SessionNotFoundError` so callers can distinguish between\n * \"session is gone\" (key store cleared, tab reloaded) and \"session is\n * still in the store but has exceeded its lifetime\" (idle timeout, absolute\n * timeout, policy-driven expiry). The remediation differs: expired sessions\n * should prompt a fresh unlock; not-found sessions may indicate a bug or a\n * cross-tab scenario where the session was never established.\n */\nexport class SessionExpiredError extends NoydbError {\n  readonly sessionId: string\n\n  constructor(sessionId: string) {\n    super('SESSION_EXPIRED', `Session \"${sessionId}\" has expired. Re-unlock to continue.`)\n    this.name = 'SessionExpiredError'\n    this.sessionId = sessionId\n  }\n}\n\n/**\n * Thrown by `resolveSession()` when the session key cannot be found in\n * the module-level store. This happens when:\n *   - The session was explicitly revoked via `revokeSession()`.\n *   - The JS context was reloaded (tab navigation, page refresh, worker restart).\n *   - `Noydb.close()` was called (which calls `revokeAllSessions()`).\n *   - The sessionId is wrong or was generated by a different JS context.\n *\n * The session token (if the caller holds it) is permanently useless after\n * this error — the key is gone and cannot be recovered.\n */\nexport class SessionNotFoundError extends NoydbError {\n  readonly sessionId: string\n\n  constructor(sessionId: string) {\n    super('SESSION_NOT_FOUND', `Session key for \"${sessionId}\" not found. The session may have been revoked or the page reloaded.`)\n    this.name = 'SessionNotFoundError'\n    this.sessionId = sessionId\n  }\n}\n\n/**\n * Thrown when a session policy blocks an operation — for example,\n * `requireReAuthFor: ['export']` is set and the caller attempts to\n * call `exportStream()` without re-authenticating for this session.\n *\n * The `operation` field names the specific operation that was blocked\n * (e.g. `'export'`, `'grant'`, `'rotate'`) so the caller can surface\n * a targeted prompt (\"Please re-enter your passphrase to export data\").\n */\nexport class SessionPolicyError extends NoydbError {\n  readonly operation: string\n\n  constructor(operation: string, message?: string) {\n    super(\n      'SESSION_POLICY',\n      message ?? `Operation \"${operation}\" requires re-authentication per the active session policy.`,\n    )\n    this.name = 'SessionPolicyError'\n    this.operation = operation\n  }\n}\n\n// ─── Query / Join Errors ────────────────────────────────────\n\n/**\n * Thrown when a `.join()` would exceed its configured row ceiling on\n * either side. The ceiling defaults to 50,000 per side and can be\n * overridden via the `{ maxRows }` option on `.join()`.\n *\n * Carries both row counts so the error message can show which side\n * tripped the limit (e.g. \"left had 60,000 rows, right had 1,200,\n * max was 50,000\"). The `side` field is machine-readable so test\n * code and devtools can match on it without regex-parsing the\n * message.\n *\n * The row ceiling exists because joins are bounded in-memory\n * operations over materialized record sets. Consumers whose\n * collections genuinely exceed the ceiling should track \n * (streaming joins over `scan()`) or filter the left side further\n * with `where()` / `limit()` before joining.\n */\nexport class JoinTooLargeError extends NoydbError {\n  readonly leftRows: number\n  readonly rightRows: number\n  readonly maxRows: number\n  readonly side: 'left' | 'right'\n\n  constructor(opts: {\n    leftRows: number\n    rightRows: number\n    maxRows: number\n    side: 'left' | 'right'\n    message: string\n  }) {\n    super('JOIN_TOO_LARGE', opts.message)\n    this.name = 'JoinTooLargeError'\n    this.leftRows = opts.leftRows\n    this.rightRows = opts.rightRows\n    this.maxRows = opts.maxRows\n    this.side = opts.side\n  }\n}\n\n/**\n * Thrown by `.crossJoin()` when the cumulative cartesian product (or lateral\n * filtered count) exceeds the configured ceiling. Check before allocating.\n * Mirrors the pattern of `JoinTooLargeError` and the `.join()` row ceiling.\n *\n * @see CrossJoinClause.maxRows — per-clause override\n * @see DEFAULT_CROSS_JOIN_MAX_ROWS — package default (50_000)\n */\nexport class CrossJoinTooLargeError extends NoydbError {\n  readonly target: string\n  readonly expected: number\n  readonly limit: number\n\n  constructor(opts: { target: string; expected: number; limit: number }) {\n    super(\n      'CROSS_JOIN_TOO_LARGE',\n      `crossJoin(\"${opts.target}\"): would produce ${opts.expected} rows, ` +\n        `exceeding the limit of ${opts.limit}. ` +\n        `Narrow the left side with .where() first, or raise the ceiling ` +\n        `with crossJoin(\"${opts.target}\", { ..., maxRows: ${opts.expected} }).`,\n    )\n    this.name = 'CrossJoinTooLargeError'\n    this.target = opts.target\n    this.expected = opts.expected\n    this.limit = opts.limit\n  }\n}\n\n/**\n * Thrown at cross-join execution time when the target collection is not\n * reachable from the current vault. The left collection is included in the\n * message for context.\n */\nexport class CrossJoinSourceUnknownError extends NoydbError {\n  readonly target: string\n  readonly leftCollection: string\n\n  constructor(target: string, leftCollection: string) {\n    super(\n      'CROSS_JOIN_SOURCE_UNKNOWN',\n      `crossJoin(\"${target}\"): collection \"${target}\" is not known in the vault ` +\n        `(cross-joining from \"${leftCollection}\"). ` +\n        `Make sure \"${target}\" is open in the same vault before executing this query.`,\n    )\n    this.name = 'CrossJoinSourceUnknownError'\n    this.target = target\n    this.leftCollection = leftCollection\n  }\n}\n\n/**\n * Thrown by `.join()` in strict `ref()` mode when a left-side record\n * points at a right-side id that does not exist in the target\n * collection.\n *\n * Distinct from `RefIntegrityError` so test code can pattern-match\n * on the *read-time* dangling case without catching *write-time*\n * integrity violations. Both indicate \"ref points at nothing\" but\n * happen at different lifecycle phases and deserve different\n * remediation in documentation: a RefIntegrityError on `put()`\n * means the input is invalid; a DanglingReferenceError on `.join()`\n * means stored data has drifted and `vault.checkIntegrity()`\n * is the right tool to find the full set of orphans.\n */\nexport class DanglingReferenceError extends NoydbError {\n  readonly field: string\n  readonly target: string\n  readonly refId: string\n\n  constructor(opts: {\n    field: string\n    target: string\n    refId: string\n    message: string\n  }) {\n    super('DANGLING_REFERENCE', opts.message)\n    this.name = 'DanglingReferenceError'\n    this.field = opts.field\n    this.target = opts.target\n    this.refId = opts.refId\n  }\n}\n\n/**\n * Thrown by {@link sanitizeFilename} when an input filename cannot be\n * made safe — NUL byte, empty after normalization, missing\n * `opaqueId` for the opaque profile, `..` segment, or a `maxBytes`\n * cap too small to hold a single code point.\n */\nexport class FilenameSanitizationError extends NoydbError {\n  constructor(message: string) {\n    super('FILENAME_SANITIZATION', message)\n    this.name = 'FilenameSanitizationError'\n  }\n}\n\n/**\n * Thrown when a write target resolves OUTSIDE the requested\n * directory after sanitization — the canonical Zip-Slip class. The\n * sanitizer's job is to strip path-traversal segments; this error\n * is the defense-in-depth fallback at the FS write site.\n */\nexport class PathEscapeError extends NoydbError {\n  readonly attempted: string\n  readonly targetDir: string\n\n  constructor(opts: { attempted: string; targetDir: string }) {\n    super(\n      'PATH_ESCAPE',\n      `Sanitized filename \"${opts.attempted}\" resolves outside target dir \"${opts.targetDir}\"`,\n    )\n    this.name = 'PathEscapeError'\n    this.attempted = opts.attempted\n    this.targetDir = opts.targetDir\n  }\n}\n\n// ─── Derivation Errors ──────────────────────────────\n\n/**\n * Thrown at vault open if the derivation graph contains a cycle.\n * `path` is the offending chain (e.g. `['a', 'b', 'c', 'a']`).\n */\nexport class DerivationCycleError extends NoydbError {\n  readonly path: readonly string[]\n\n  constructor(path: readonly string[]) {\n    super(\n      'DERIVATION_CYCLE',\n      `Derivation graph contains a cycle: ${path.join(' → ')}. ` +\n        `Refusing to open vault — break the cycle before retrying.`,\n    )\n    this.name = 'DerivationCycleError'\n    this.path = path\n  }\n}\n\n/**\n * Thrown when a cascade of source → output → source → … exceeds the\n * configured `maxDepth` (default 5).\n */\nexport class DerivationDepthError extends NoydbError {\n  readonly limit: number\n  readonly attempted: number\n\n  constructor(limit: number, attempted: number) {\n    super(\n      'DERIVATION_DEPTH',\n      `Derivation cascade exceeded max depth ${limit} (attempted ${attempted}). ` +\n        `Pass lifecycle: { maxDepth: N } to raise the limit if intentional.`,\n    )\n    this.name = 'DerivationDepthError'\n    this.limit = limit\n    this.attempted = attempted\n  }\n}\n\n/**\n * Thrown at registration if a `withDerivation` strategy references an\n * output `collection` that isn't otherwise declared (no schema, no use\n * elsewhere). Surfacing this early catches typos in collection names.\n */\nexport class DerivationOutputUnknownError extends NoydbError {\n  readonly collection: string\n\n  constructor(collection: string) {\n    super(\n      'DERIVATION_OUTPUT_UNKNOWN',\n      `Derivation output collection \"${collection}\" is not declared on the vault. ` +\n        `Register the collection (e.g. via schema) before registering a derivation that writes to it.`,\n    )\n    this.name = 'DerivationOutputUnknownError'\n    this.collection = collection\n  }\n}\n\n/**\n * Thrown when the user's `derive` function returns a value that doesn't\n * match the declared output spec (e.g. wrong shape, wrong key set).\n */\nexport class DerivationOutputShapeError extends NoydbError {\n  readonly outputKey: string\n\n  constructor(outputKey: string, detail: string) {\n    super(\n      'DERIVATION_OUTPUT_SHAPE',\n      `Derivation output \"${outputKey}\" has invalid shape: ${detail}.`,\n    )\n    this.name = 'DerivationOutputShapeError'\n    this.outputKey = outputKey\n  }\n}\n\n/**\n * Thrown by array-shape derivations when the `derive` function\n * returns more rows than the output's `maxFanout` cap. The cap exists\n * to keep dispatch cost bounded — without it a single source-row\n * update could fan out to thousands of derived rows, dominating the\n * write path.\n *\n * Defaults to `maxFanout: 64`. Raise on the output spec for\n * carry-forward expansion cases (e.g. monthly rows across multi-year\n * contracts).\n */\nexport class DerivationCapExceededError extends NoydbError {\n  readonly outputKey: string\n  readonly returned: number\n  readonly maxFanout: number\n\n  constructor(outputKey: string, returned: number, maxFanout: number) {\n    super(\n      'DERIVATION_CAP_EXCEEDED',\n      `Derivation array output \"${outputKey}\" returned ${returned} rows, exceeding `\n      + `maxFanout=${maxFanout}. Raise \\`maxFanout\\` on the OutputSpec if this fanout `\n      + 'is intended (the cap exists to keep dispatch cost bounded).',\n    )\n    this.name = 'DerivationCapExceededError'\n    this.outputKey = outputKey\n    this.returned = returned\n    this.maxFanout = maxFanout\n  }\n}\n\n/**\n * Thrown at vault open if the materialized-view graph contains a\n * cycle. `path` is the offending chain (e.g. `['a-mv', 'b-mv', 'a-mv']`).\n * Detected by the same shared DFS that catches `DerivationCycleError`;\n * surfaces with a distinct error type so consumers can disambiguate.\n */\nexport class MaterializedViewCycleError extends NoydbError {\n  readonly path: readonly string[]\n\n  constructor(path: readonly string[]) {\n    super(\n      'MATERIALIZED_VIEW_CYCLE',\n      `Materialized-view graph contains a cycle: ${path.join(' → ')}. ` +\n        `Refusing to open vault — break the cycle before retrying.`,\n    )\n    this.name = 'MaterializedViewCycleError'\n    this.path = path\n  }\n}\n\n/**\n * Thrown at MV registration if the query references a source\n * collection that isn't declared on the vault. Surfacing this early\n * catches typos in collection names.\n */\nexport class MaterializedViewSourceUnknownError extends NoydbError {\n  readonly mvName: string\n  readonly collection: string\n\n  constructor(mvName: string, collection: string) {\n    super(\n      'MATERIALIZED_VIEW_SOURCE_UNKNOWN',\n      `Materialized view \"${mvName}\" references unknown source collection \"${collection}\". ` +\n        `Declare the collection (e.g. via schema or by writing to it once) before registering the MV.`,\n    )\n    this.name = 'MaterializedViewSourceUnknownError'\n    this.mvName = mvName\n    this.collection = collection\n  }\n}\n\n/**\n * Thrown by the MV executor when a refresh produces more rows than\n * the configured ceiling. Default ceiling is 100k rows; override\n * per-MV via `maxRows`. Mirrors `JoinTooLargeError` /\n * `GroupCardinalityError` from the query DSL — the explosion is\n * detected BEFORE writes hit the store, so the source-write\n * transaction can roll back cleanly via strict-mode.\n */\nexport class MaterializedViewTooLargeError extends NoydbError {\n  readonly mvName: string\n  readonly expected: number\n  readonly limit: number\n\n  constructor(mvName: string, expected: number, limit: number) {\n    super(\n      'MATERIALIZED_VIEW_TOO_LARGE',\n      `Materialized view \"${mvName}\" would emit ${expected} rows, exceeding the configured limit of ${limit}. ` +\n        `Override via { maxRows: N } on the MV strategy if intentional, or tighten the query's filter/groupBy.`,\n    )\n    this.name = 'MaterializedViewTooLargeError'\n    this.mvName = mvName\n    this.expected = expected\n    this.limit = limit\n  }\n}\n\n/**\n * Thrown by `withMaterializedView()` at registration time when the\n * strategy is structurally malformed. Distinct from\n * `MaterializedViewSourceUnknownError` (the source list is well-formed\n * but names a collection the vault doesn't know) and\n * `MaterializedViewCycleError` (the source graph has a cycle): this\n * error fires before either check, at the moment the spec is being\n * normalized.\n *\n * Today the trigger cases are all about the `query` / `unionSources`\n * dichotomy:\n *   - both `query` and `unionSources` were set (mutually exclusive),\n *   - neither `query` nor `unionSources` was set,\n *   - `unionSources` has fewer than 2 arms,\n *   - two arms in `unionSources` reference the same `collection`.\n *\n * The error message is prefixed with `[noy-db] withMaterializedView:`\n * so it's grep-friendly in logs and looks consistent with the existing\n * `ValidationError` messages from the same factory.\n */\nexport class MaterializedViewConfigError extends NoydbError {\n  constructor(message: string) {\n    super(\n      'MATERIALIZED_VIEW_CONFIG',\n      `[noy-db] withMaterializedView: ${message}`,\n    )\n    this.name = 'MaterializedViewConfigError'\n  }\n}\n\n/**\n * Thrown at vault open when a `withOverlayedView` declaration uses\n * another virtual-overlay name as its `base`. Multi-overlay stacking\n * is a v2 non-goal — the shallow expansion in\n * `QueryDependencyAnalyzer` would truncate at the inner overlay\n * name, leaving downstream MVs silently stale.\n */\nexport class OverlayBaseIsVirtualError extends NoydbError {\n  readonly overlayName: string\n  readonly base: string\n\n  constructor(overlayName: string, base: string) {\n    super(\n      'OVERLAY_BASE_IS_VIRTUAL',\n      `withOverlayedView \"${overlayName}\": base \"${base}\" is another overlay's virtual name. ` +\n        `Multi-overlay stacking is a v3 feature; base must reference a concrete collection (a real source or an MV output).`,\n    )\n    this.name = 'OverlayBaseIsVirtualError'\n    this.overlayName = overlayName\n    this.base = base\n  }\n}\n\n/**\n * Thrown at vault open when a `withOverlayedView`'s `overlay`\n * references an unknown collection or an MV-owned collection. The\n * overlay collection is user-writable; MV-owned collections aren't.\n */\nexport class OverlayCollectionUnavailableError extends NoydbError {\n  readonly overlayName: string\n  readonly overlay: string\n\n  constructor(overlayName: string, overlay: string) {\n    super(\n      'OVERLAY_COLLECTION_UNAVAILABLE',\n      `withOverlayedView \"${overlayName}\": overlay collection \"${overlay}\" is unavailable. ` +\n        `It must be a real vault-known collection that is NOT itself an MV output collection.`,\n    )\n    this.name = 'OverlayCollectionUnavailableError'\n    this.overlayName = overlayName\n    this.overlay = overlay\n  }\n}\n\n/**\n * Thrown at vault open when a `withOverlayedView`'s virtual `name`\n * collides with an MV output or a concrete source collection.\n */\nexport class OverlayNameCollisionError extends NoydbError {\n  readonly overlayName: string\n\n  constructor(overlayName: string) {\n    super(\n      'OVERLAY_NAME_COLLISION',\n      `withOverlayedView \"${overlayName}\": virtual name collides with an MV output or a concrete source collection. ` +\n        `Pick a unique name for the virtual collection.`,\n    )\n    this.name = 'OverlayNameCollisionError'\n    this.overlayName = overlayName\n  }\n}\n\n/**\n * Thrown by the virtual overlay's `put(id, record)` when the\n * consumer-supplied `id` doesn't match `rowKey(record)`. Catches\n * fat-finger separator typos that would otherwise silently produce\n * orphaned overlay rows. Direct writes to the underlying overlay\n * collection (bypass the virtual layer) skip this validation.\n */\nexport class OverlayIdMismatchError extends NoydbError {\n  readonly actual: string\n  readonly expected: string\n\n  constructor(actual: string, expected: string) {\n    super(\n      'OVERLAY_ID_MISMATCH',\n      `Overlay put(id, record): id \"${actual}\" does not match the base MV's rowKey(record) → \"${expected}\". ` +\n        `Pass the row directly via .put(record) to derive the id, or fix the id to match the base MV's rowKey output.`,\n    )\n    this.name = 'OverlayIdMismatchError'\n    this.actual = actual\n    this.expected = expected\n  }\n}\n\n// ─── Snapshot Errors ──────────────────────────────────────\n\n/**\n * Thrown when a requested snapshot version does not exist in the\n * snapshot store — either it was never created, was pruned by the\n * retention policy, or was deleted manually.\n *\n * The `version` field carries the key that was looked up so callers\n * can surface an actionable \"snapshot X not found\" message without\n * parsing the error string.\n */\nexport class SnapshotNotFoundError extends NoydbError {\n  readonly version: string\n\n  constructor(version: string) {\n    super(\n      'SNAPSHOT_NOT_FOUND',\n      `Snapshot not found: \"${version}\" does not exist in the snapshot store. ` +\n      `It may have been pruned by the retention policy or deleted manually.`,\n    )\n    this.name = 'SnapshotNotFoundError'\n    this.version = version\n  }\n}\n\n// ─── Federation (multi-vault partition) Errors ──────────────────────────\n\n/**\n * Thrown when a write targets a partition key that has no shard and\n * `sharding.autoCreate` is disabled.\n */\nexport class UnknownShardError extends NoydbError {\n  readonly partitionKey: string\n\n  constructor(partitionKey: string, groupName: string) {\n    super(\n      'SHARD_UNKNOWN',\n      `No shard for partition key \"${partitionKey}\" in vault group \"${groupName}\" ` +\n        `and autoCreate is disabled. Call group.createShard(${JSON.stringify(partitionKey)}) ` +\n        `first, or enable sharding.autoCreate.`,\n    )\n    this.name = 'UnknownShardError'\n    this.partitionKey = partitionKey\n  }\n}\n\n/**\n * Thrown by `createShard` when the registry has a row for a partition\n * but the corresponding vault is not provisioned in the store —\n * a registry/store divergence. Refusing to recreate avoids masking\n * data loss.\n */\nexport class ShardProvisioningError extends NoydbError {\n  readonly vaultId: string\n\n  constructor(vaultId: string, partitionKey: string) {\n    super(\n      'SHARD_PROVISIONING',\n      `Registry has a row for partition \"${partitionKey}\" (vault \"${vaultId}\") but that ` +\n        `vault is not provisioned in the store. Refusing to recreate it — the registry and ` +\n        `store have diverged. Investigate before retrying.`,\n    )\n    this.name = 'ShardProvisioningError'\n    this.vaultId = vaultId\n  }\n}\n\n/**\n * Thrown by `ShardedQuery.crossShardJoin` / `broadcastJoin` for\n * deterministic, query-shaping errors: an undeclared join ref (which\n * would fail identically on every shard), or calling a deferred\n * reactive/aggregate surface on a query that already carries join legs.\n */\nexport class CrossShardJoinError extends NoydbError {\n  constructor(message: string) {\n    super('CROSS_SHARD_JOIN', message)\n    this.name = 'CrossShardJoinError'\n  }\n}\n\n/** Thrown when a VaultGroup references a template name that was never registered. */\nexport class VaultTemplateNotFoundError extends NoydbError {\n  readonly templateName: string\n\n  constructor(templateName: string) {\n    super(\n      'VAULT_TEMPLATE_NOT_FOUND',\n      `No vault template registered under \"${templateName}\". Register it with ` +\n        `db.withVaultTemplate(${JSON.stringify(templateName)}, { version, configure }) ` +\n        `before opening the vault group.`,\n    )\n    this.name = 'VaultTemplateNotFoundError'\n    this.templateName = templateName\n  }\n}\n\n// ─── Erasure Errors ────────────────────────────────────────────────────\n\n/**\n * Thrown when `vault.forget(subjectId)` is called on a vault whose\n * `createNoydb({ forgetStrategy })` declared no subject fields (the\n * default `NO_FORGET`). GDPR crypto-shred needs a declared subject →\n * record index to know which records belong to a data subject; without\n * one there is nothing to erase and a silent no-op would be a dangerous\n * false \"erased\" signal. Configure with\n * `forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } })`.\n */\nexport class ForgetStrategyNotConfiguredError extends NoydbError {\n  constructor(\n    message = 'vault.forget() requires a forget strategy. Pass ' +\n      '`forgetStrategy: withForgetCascade({ subjects: { <collection>: <subjectField> } })` ' +\n      'from \"@noy-db/hub/forget\" to createNoydb().',\n  ) {\n    super('FORGET_NOT_CONFIGURED', message)\n    this.name = 'ForgetStrategyNotConfiguredError'\n  }\n}\n\n// ─── Sealed-record (record-scoped CEK sealing, #306) Errors ─────────────\n\n/**\n * Thrown by `openSealedRecord()` when the sealed CEK's binding has passed its\n * `expiresAt`. Surfaced on two checks: a cheap fast-path check on the delivery\n * envelope's clear-text `expiresAt`, and the AUTHORITATIVE check on the\n * `expiresAt` inside the sealed binding (the latter cannot be forged by editing\n * the delivery envelope). Distinct from {@link KeyringExpiredError} (bundle-slot\n * expiry) so a host can tell \"this single-record grant lapsed\" from a keyring-\n * level expiry.\n */\nexport class SealedRecordExpiredError extends NoydbError {\n  readonly expiresAt: string\n  constructor(expiresAt: string) {\n    super(\n      'SEALED_RECORD_EXPIRED',\n      `Sealed record CEK expired at ${expiresAt}. The grantor must re-seal the ` +\n        `record with a later expiresAt.`,\n    )\n    this.name = 'SealedRecordExpiredError'\n    this.expiresAt = expiresAt\n  }\n}\n\n/**\n * Thrown by `openSealedRecord()` when the sealed binding's\n * `{collection, id}` does not match the record envelope the host is trying to\n * decrypt. This is the host-denial boundary: a CEK sealed for record A cannot\n * be replayed against record B's envelope. (A CEK sealed for a PRE-rotation\n * version of a record, applied to the POST-rotation live envelope, is a\n * different failure — the binding still matches `{collection, id}` so it gets\n * past this check, and the AES-GCM auth-tag failure surfaces as\n * {@link TamperedError} instead.)\n */\nexport class SealedRecordMismatchError extends NoydbError {\n  readonly expected: { collection: string; id: string }\n  readonly actual: { collection: string; id: string }\n  constructor(\n    expected: { collection: string; id: string },\n    actual: { collection: string; id: string },\n  ) {\n    super(\n      'SEALED_RECORD_MISMATCH',\n      `Sealed CEK binding is for ${actual.collection}/${actual.id} but was ` +\n        `presented against ${expected.collection}/${expected.id}. A CEK sealed ` +\n        `for one record cannot decrypt another.`,\n    )\n    this.name = 'SealedRecordMismatchError'\n    this.expected = expected\n    this.actual = actual\n  }\n}\n\n/**\n * Thrown by `vault.sealRecordToHost()` / `vault.rotateRecordCek()` when the\n * target record has no live envelope, or its live envelope carries no `_cek`\n * (a legacy / non-`perRecordKeys` collection has nothing record-scoped to\n * seal — its body is keyed off the shared collection DEK, which sealing\n * deliberately never exposes).\n */\nexport class RecordCekNotFoundError extends NoydbError {\n  readonly collection: string\n  readonly id: string\n  constructor(collection: string, id: string) {\n    super(\n      'RECORD_CEK_NOT_FOUND',\n      `No per-record CEK for ${collection}/${id}. The record is missing, or its ` +\n        `collection was not opened with { perRecordKeys: true } — only per-record-key ` +\n        `records carry a sealable CEK.`,\n    )\n    this.name = 'RecordCekNotFoundError'\n    this.collection = collection\n    this.id = id\n  }\n}\n"],"mappings":";AA6FO,IAAM,aAAN,cAAyB,MAAM;AAAA;AAAA,EAE3B;AAAA,EAET,YAAY,MAAc,SAAiB;AACzC,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAYO,IAAM,kBAAN,cAA8B,WAAW;AAAA,EAC9C,YAAY,UAAU,qBAAqB;AACzC,UAAM,qBAAqB,OAAO;AAClC,SAAK,OAAO;AAAA,EACd;AACF;AAWO,IAAM,gBAAN,cAA4B,WAAW;AAAA,EAC5C,YAAY,UAAU,yEAAoE;AACxF,UAAM,YAAY,OAAO;AACzB,SAAK,OAAO;AAAA,EACd;AACF;AAWO,IAAM,kBAAN,cAA8B,WAAW;AAAA,EAC9C,YAAY,UAAU,4DAAuD;AAC3E,UAAM,eAAe,OAAO;AAC5B,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EACzC;AAAA,EACA;AAAA,EACT,YAAY,MAAuF;AACjG;AAAA,MACE;AAAA,MACA,KAAK,WACH,eAAe,KAAK,kBAAkB,MAAM,8BACtC,KAAK,kBAAkB,KAAK,IAAI,CAAC,MAAM,KAAK,WAAW;AAAA,IAGjE;AACA,SAAK,OAAO;AACZ,SAAK,oBAAoB,KAAK;AAC9B,SAAK,cAAc,KAAK;AAAA,EAC1B;AACF;AAYO,IAAM,gBAAN,cAA4B,WAAW;AAAA,EAC5C,YAAY,UAAU,iEAA4D;AAChF,UAAM,aAAa,OAAO;AAC1B,SAAK,OAAO;AAAA,EACd;AACF;AAUO,IAAM,gBAAN,cAA4B,WAAW;AAAA,EAC5C,YAAY,UAAU,8DAAyD;AAC7E,UAAM,aAAa,OAAO;AAC1B,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EACrD,YAAY,WAAmB,WAAmB;AAChD;AAAA,MACE;AAAA,MACA,UAAU,SAAS,kCAAkC,SAAS;AAAA,IAChE;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAWO,IAAM,qBAAN,cAAiC,WAAW;AAAA,EACjD,YAAY,WAAmB;AAC7B;AAAA,MACE;AAAA,MACA,UAAU,SAAS;AAAA,IACrB;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAWO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EACpD,YAAY,UAAU,iEAA4D;AAChF,UAAM,qBAAqB,OAAO;AAClC,SAAK,OAAO;AAAA,EACd;AACF;AAuBO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,MAKT;AACD,UAAM,MACJ,KAAK,YACJ,KAAK,SAAS,cACX,4CAAuC,KAAK,MAAM,4DAA4D,KAAK,UAAU,WAAW,gGAAgG,KAAK,UAAU,UAAU,aACjQ,4CAAuC,KAAK,MAAM;AACxD,UAAM,qBAAqB,GAAG;AAC9B,SAAK,OAAO;AACZ,SAAK,OAAO,KAAK;AACjB,SAAK,SAAS,KAAK;AACnB,QAAI,KAAK,WAAW,OAAW,MAAK,SAAS,KAAK;AAAA,EACpD;AACF;AAaO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EACzC;AAAA,EACA;AAAA,EACT,YAAY,MAA6C;AACvD;AAAA,MACE;AAAA,MACA,YAAY,KAAK,MAAM,gBAAgB,KAAK,SAAS;AAAA,IAEvD;AACA,SAAK,OAAO;AACZ,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AAAA,EACxB;AACF;AAkBO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,MAKT;AACD,UAAM,MACJ,KAAK,YACJ,KAAK,SAAS,cACX,4CAAuC,KAAK,MAAM,4DAA4D,KAAK,UAAU,WAAW,gGAAgG,KAAK,UAAU,UAAU,aACjQ,4CAAuC,KAAK,MAAM;AACxD,UAAM,qBAAqB,GAAG;AAC9B,SAAK,OAAO;AACZ,SAAK,OAAO,KAAK;AACjB,SAAK,SAAS,KAAK;AACnB,QAAI,KAAK,WAAW,OAAW,MAAK,SAAS,KAAK;AAAA,EACpD;AACF;AA2CO,IAAM,uBAAN,cAAmC,WAAW;AAAA;AAAA,EAE1C;AAAA,EAET,YAAY,YAAoB,WAAmB,WAAoB;AACrE;AAAA,MACE;AAAA,MACA,GAAG,SAAS,4CAA4C,UAAU,yBACzC,YAAY,KAAK,SAAS,MAAM,EAAE,sDAC3B,UAAU;AAAA,IAE5C;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAAA,EACpB;AACF;AAEO,IAAM,2BAAN,cAAuC,WAAW;AAAA,EAC9C;AAAA,EAET,YAAY,qBAA6B,SAAkB;AACzD;AAAA,MACE;AAAA,MACA,WACE,4DAA4D,mBAAmB;AAAA,IACnF;AACA,SAAK,OAAO;AACZ,SAAK,sBAAsB;AAAA,EAC7B;AACF;AAWO,IAAM,yBAAN,cAAqC,WAAW;AAAA;AAAA,EAE5C;AAAA,EAET,YAAY,WAAmB;AAC7B;AAAA,MACE;AAAA,MACA,IAAI,SAAS;AAAA,IACf;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAmBO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,SAAiB,UAAkB;AACjE;AAAA,MACE;AAAA,MACA,sCAAsC,QAAQ,qCACxC,UAAU,eAAe,OAAO;AAAA,IAExC;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,UAAU;AACf,SAAK,WAAW;AAAA,EAClB;AACF;AAQO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,IAAY,QAAgB;AAC1D;AAAA,MACE;AAAA,MACA,iBAAiB,UAAU,IAAI,EAAE,4BAAuB,MAAM;AAAA,IAEhE;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,KAAK;AACV,SAAK,SAAS;AAAA,EAChB;AACF;AAOO,IAAM,mBAAN,cAA+B,WAAW;AAAA,EACtC;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,IAAY,QAA2B;AACrE;AAAA,MACE;AAAA,MACA,oCAAoC,UAAU,IAAI,EAAE,KAAK,OAAO,KAAK,IAAI,CAAC;AAAA,IAE5E;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,KAAK;AACV,SAAK,SAAS;AAAA,EAChB;AACF;AAUO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,IAAY,MAAc,IAAY;AACpE;AAAA,MACE;AAAA,MACA,qBAAqB,UAAU,IAAI,EAAE,UAAU,IAAI,SAAS,EAAE;AAAA,IAEhE;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,KAAK;AACV,SAAK,OAAO;AACZ,SAAK,KAAK;AAAA,EACZ;AACF;AAOO,IAAM,iBAAN,cAA6B,WAAW;AAAA,EAC7C,YAAY,SAAiB;AAC3B,UAAM,sBAAsB,OAAO;AACnC,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,0BAAN,cAAsC,WAAW;AAAA,EAC7C;AAAA,EACA;AAAA,EAET,YAAY,QAAgB,MAAc;AACxC;AAAA,MACE;AAAA,MACA,SAAS,MAAM,gBAAgB,IAAI;AAAA,IAErC;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,OAAO;AAAA,EACd;AACF;AAeO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EAET,YAAY,OAAe;AACzB;AAAA,MACE;AAAA,MACA,UAAU,KAAK;AAAA,IAGjB;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAcO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EACzC;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,MAAc;AAC5C;AAAA,MACE;AAAA,MACA,4BAA4B,IAAI,mBAAmB,UAAU;AAAA,IAC/D;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EACA;AAAA,EAET,YAAY,MAA2C;AACrD;AAAA,MACE;AAAA,MACA,qBAAqB,KAAK,IAAI,eAAe,IAAI,KAAK,KAAK,SAAS,EAAE,YAAY,CAAC;AAAA,IACrF;AACA,SAAK,OAAO;AACZ,SAAK,OAAO,KAAK;AACjB,SAAK,YAAY,KAAK;AAAA,EACxB;AACF;AAOO,IAAM,uBAAN,cAAmC,WAAW;AAAA,EAC1C;AAAA,EAET,YAAY,YAAoB;AAC9B;AAAA,MACE;AAAA,MACA,qCAAqC,UAAU;AAAA,IACjD;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAAA,EACpB;AACF;AAMO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EACpD,YAAY,IAAY,MAAc;AACpC;AAAA,MACE;AAAA,MACA,6DAA6D,EAAE,eAAe,IAAI;AAAA,IACpF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,+BAAN,cAA2C,WAAW;AAAA,EAClD;AAAA,EAET,YAAY,QAAgB;AAC1B;AAAA,MACE;AAAA,MACA,2BAA2B,MAAM;AAAA,IACnC;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAaO,IAAM,gBAAN,cAA4B,WAAW;AAAA;AAAA,EAEnC;AAAA,EAET,YAAY,SAAiB,UAAU,oBAAoB;AACzD,UAAM,YAAY,OAAO;AACzB,SAAK,OAAO;AACZ,SAAK,UAAU;AAAA,EACjB;AACF;AAcO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EAET,YAAY,UAAkB;AAC5B;AAAA,MACE;AAAA,MACA,0DAA0D,QAAQ;AAAA,IACpE;AACA,SAAK,OAAO;AACZ,SAAK,WAAW;AAAA,EAClB;AACF;AAMO,IAAM,0BAAN,cAAsC,WAAW;AAAA,EAC7C;AAAA,EACA;AAAA,EAET,YAAY,UAAkB,UAAkB;AAC9C;AAAA,MACE;AAAA,MACA,mBAAmB,QAAQ,uCAAuC,QAAQ;AAAA,IAC5E;AACA,SAAK,OAAO;AACZ,SAAK,WAAW;AAChB,SAAK,WAAW;AAAA,EAClB;AACF;AAQO,IAAM,uBAAN,cAAmC,WAAW;AAAA,EACnD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IAEF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,4BAAN,cAAwC,WAAW;AAAA,EAC/C;AAAA,EACT,YAAY,QAAgB;AAC1B;AAAA,MACE;AAAA,MACA,kCAAkC,MAAM;AAAA,IAE1C;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAWO,IAAM,6BAAN,cAAyC,WAAW;AAAA;AAAA,EAEhD;AAAA,EAET,YAAY,eAAuB,UAAU,0DAAqD;AAChG,UAAM,2BAA2B,OAAO;AACxC,SAAK,OAAO;AACZ,SAAK,gBAAgB;AAAA,EACvB;AACF;AASO,IAAM,eAAN,cAA2B,WAAW;AAAA,EAC3C,YAAY,UAAU,iBAAiB;AACrC,UAAM,iBAAiB,OAAO;AAC9B,SAAK,OAAO;AAAA,EACd;AACF;AAWO,IAAM,gBAAN,cAA4B,WAAW;AAAA,EAC5C,YAAY,UAAU,oBAAoB;AACxC,UAAM,aAAa,OAAO;AAC1B,SAAK,OAAO;AAAA,EACd;AACF;AAUO,IAAM,kBAAN,cAA8B,WAAW;AAAA,EAC9C,YAAY,UAAU,oBAAoB;AACxC,UAAM,oBAAoB,OAAO;AACjC,SAAK,OAAO;AAAA,EACd;AACF;AAsBO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EACA;AAAA,EAET,YACE,SACA,QACA,WACA;AACA,UAAM,4BAA4B,OAAO;AACzC,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,YAAY;AAAA,EACnB;AACF;AAGO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EAChD,YAAY,MAAc,SAAiB;AACzC,UAAM,MAAM,OAAO;AACnB,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,+BAAN,cAA2C,kBAAkB;AAAA,EAClE,YAAY,SAAiB;AAC3B,UAAM,8BAA8B,OAAO;AAC3C,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,oBAAN,cAAgC,kBAAkB;AAAA,EACvD,YAAY,SAAiB;AAC3B,UAAM,iBAAiB,OAAO;AAC9B,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,mBAAN,cAA+B,kBAAkB;AAAA,EACtD,YAAY,SAAiB;AAC3B,UAAM,gBAAgB,OAAO;AAC7B,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,yBAAN,cAAqC,kBAAkB;AAAA,EAC5D,YAAY,SAAiB;AAC3B,UAAM,sBAAsB,OAAO;AACnC,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,sBAAN,cAAkC,kBAAkB;AAAA,EACzD,YAAY,SAAiB;AAC3B,UAAM,mBAAmB,OAAO;AAChC,SAAK,OAAO;AAAA,EACd;AACF;AA0BO,IAAM,wBAAN,cAAoC,WAAW;AAAA;AAAA,EAE3C;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA,EAET,YAAY,OAAe,aAAqB,WAAmB;AACjE;AAAA,MACE;AAAA,MACA,aAAa,KAAK,eAAe,WAAW,mCACzB,SAAS;AAAA,IAM9B;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,cAAc;AACnB,SAAK,YAAY;AAAA,EACnB;AACF;AAeO,IAAM,qBAAN,cAAiC,WAAW;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,MAAkG;AAC5G;AAAA,MACE;AAAA,MACA,eAAe,KAAK,UAAU,+DACjB,KAAK,cAAc,KAAK,IAAI,CAAC;AAAA,IAE5C;AACA,SAAK,OAAO;AACZ,SAAK,aAAa,KAAK;AACvB,SAAK,gBAAgB,CAAC,GAAG,KAAK,aAAa;AAC3C,SAAK,gBAAgB,CAAC,GAAG,KAAK,aAAa;AAAA,EAC7C;AACF;AAiBO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,UAAkB,QAA2B,eAAuB;AAClG;AAAA,MACE;AAAA,MACA,wBAAwB,UAAU,KAAK,OAAO,KAAK,IAAI,CAAC,uBAC3C,QAAQ,yCAAyC,aAAa;AAAA,IAC7E;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,WAAW;AAChB,SAAK,SAAS;AACd,SAAK,gBAAgB;AAAA,EACvB;AACF;AAqBO,IAAM,8BAAN,cAA0C,WAAW;AAAA,EACjD;AAAA,EACT,YAAY,QAAgB,SAAiB;AAC3C,UAAM,4BAA4B,OAAO;AACzC,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AACF;AAkBO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EACS;AAAA,EAElB,YAAY,MAAiF;AAC3F;AAAA,MACE;AAAA,MACA,kBAAkB,KAAK,EAAE,sBAAsB,KAAK,KAAK,gBAAgB,KAAK,QAAQ;AAAA,IACxF;AACA,SAAK,OAAO;AACZ,SAAK,WAAW,KAAK;AACrB,SAAK,QAAQ,KAAK;AAClB,SAAK,KAAK,KAAK;AACf,SAAK,QAAQ,KAAK;AAAA,EACpB;AACF;AAuBO,IAAM,uBAAN,cAAmC,WAAW;AAAA,EACnD,YAAY,SAAiB;AAC3B,UAAM,oBAAoB,yCAAyC,OAAO,EAAE;AAC5E,SAAK,OAAO;AAAA,EACd;AACF;AAwBO,IAAM,0BAAN,cAAsC,WAAW;AAAA,EAC7C;AAAA,EACA;AAAA,EACT,YAAY,QAAgB,KAAa;AACvC;AAAA,MACE;AAAA,MACA,8CAA8C,MAAM,qBAC9C,GAAG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOX;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,MAAM;AAAA,EACb;AACF;AAaO,IAAM,8BAAN,cAA0C,WAAW;AAAA;AAAA,EAEjD;AAAA,EAET,YAAY,gBAAwB;AAClC;AAAA,MACE;AAAA,MACA,IAAI,cAAc,0DACS,eAAe,QAAQ,WAAW,EAAE,CAAC;AAAA,IAElE;AACA,SAAK,OAAO;AACZ,SAAK,iBAAiB;AAAA,EACxB;AACF;AAUO,IAAM,sBAAN,cAAkC,WAAW;AAAA;AAAA,EAEzC;AAAA;AAAA,EAEA;AAAA,EAET,YAAY,gBAAwB,KAAa;AAC/C;AAAA,MACE;AAAA,MACA,eAAe,cAAc,2BAA2B,GAAG;AAAA,IAC7D;AACA,SAAK,OAAO;AACZ,SAAK,iBAAiB;AACtB,SAAK,MAAM;AAAA,EACb;AACF;AAUO,IAAM,oBAAN,cAAgC,WAAW;AAAA;AAAA,EAEvC;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA,EAET,YACE,gBACA,KACA,QACA,OACA;AACA;AAAA,MACE;AAAA,MACA,sBAAsB,GAAG,sBAAsB,cAAc,MACxD,KAAK,kBAAkB,MAAM,gDACN,GAAG;AAAA,IACjC;AACA,SAAK,OAAO;AACZ,SAAK,iBAAiB;AACtB,SAAK,MAAM;AACX,SAAK,SAAS;AACd,SAAK,QAAQ;AAAA,EACf;AACF;AAUO,IAAM,0BAAN,cAAsC,WAAW;AAAA;AAAA,EAE7C;AAAA;AAAA,EAEA;AAAA,EAET,YAAY,OAAe,SAA4B,SAAkB;AACvE;AAAA,MACE;AAAA,MACA,WACE,UAAU,KAAK,uCAAuC,QAAQ,KAAK,IAAI,CAAC;AAAA,IAC5E;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,UAAU;AAAA,EACjB;AACF;AAaO,IAAM,0BAAN,cAAsC,WAAW;AAAA;AAAA,EAE7C;AAAA,EAET,YAAY,OAAe,SAAkB;AAC3C;AAAA,MACE;AAAA,MACA,WACE,+BAA+B,KAAK;AAAA,IAGxC;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAWO,IAAM,uBAAN,cAAmC,WAAW;AAAA;AAAA,EAE1C;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA,EAET,YACE,OACA,QACA,UACA,QACA,SACA;AACA;AAAA,MACE;AAAA,MACA,WACE,UAAU,KAAK,WAAW,MAAM,wBAAwB,SAAS,KAAK,IAAI,CAAC,4CACjC,MAAM;AAAA,IACpD;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,SAAS;AACd,SAAK,WAAW;AAChB,SAAK,SAAS;AAAA,EAChB;AACF;AAYO,IAAM,0BAAN,cAAsC,WAAW;AAAA;AAAA,EAE7C;AAAA,EAET,YAAY,gBAAwB;AAClC;AAAA,MACE;AAAA,MACA,eAAe,cAAc;AAAA,IAG/B;AACA,SAAK,OAAO;AACZ,SAAK,iBAAiB;AAAA,EACxB;AACF;AAYO,IAAM,uBAAN,cAAmC,WAAW;AAAA;AAAA,EAE1C;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA,EAET,YAAY,gBAAwB,OAAe,MAAc;AAC/D;AAAA,MACE;AAAA,MACA,UAAU,KAAK,YAAY,IAAI,uCACzB,cAAc;AAAA,IAEtB;AACA,SAAK,OAAO;AACZ,SAAK,iBAAiB;AACtB,SAAK,QAAQ;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,+BAAN,cAA2C,WAAW;AAAA;AAAA,EAElD;AAAA;AAAA,EAEA;AAAA,EAET,YAAY,OAAe,YAAoB;AAC7C;AAAA,MACE;AAAA,MACA,UAAU,KAAK,oBAAoB,UAAU;AAAA,IAG/C;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,aAAa;AAAA,EACpB;AACF;AAcO,IAAM,oBAAN,cAAgC,WAAW;AAAA;AAAA,EAEvC;AAAA,EAET,YAAY,SAAiB,YAAqB;AAChD,UAAM,iBAAiB,OAAO;AAC9B,SAAK,OAAO;AACZ,QAAI,eAAe,OAAW,MAAK,aAAa;AAAA,EAClD;AACF;AASO,IAAM,uBAAN,cAAmC,WAAW;AAAA;AAAA,EAE1C;AAAA,EACA;AAAA,EAET,YAAY,YAAoB,IAAY,SAAiB;AAC3D,UAAM,oBAAoB,OAAO;AACjC,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,KAAK;AAAA,EACZ;AACF;AAOO,IAAM,2BAAN,cAAuC,WAAW;AAAA,EACvD,YAAY,SAAiB;AAC3B,UAAM,wBAAwB,OAAO;AACrC,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EAChD,YAAY,SAAiB;AAC3B,UAAM,iBAAiB,OAAO;AAC9B,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,qBAAN,cAAiC,WAAW;AAAA,EACjD,YAAY,SAAiB;AAC3B,UAAM,kBAAkB,OAAO;AAC/B,SAAK,OAAO;AAAA,EACd;AACF;AAKO,IAAM,mBAAN,cAA+B,WAAW;AAAA,EAC/C,YAAY,SAAiB;AAC3B,UAAM,eAAe,OAAO;AAC5B,SAAK,OAAO;AAAA,EACd;AACF;AAiBO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EACzC;AAAA,EAET,YAAY,WAAmB;AAC7B,UAAM,mBAAmB,YAAY,SAAS,uCAAuC;AACrF,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAaO,IAAM,uBAAN,cAAmC,WAAW;AAAA,EAC1C;AAAA,EAET,YAAY,WAAmB;AAC7B,UAAM,qBAAqB,oBAAoB,SAAS,sEAAsE;AAC9H,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAWO,IAAM,qBAAN,cAAiC,WAAW;AAAA,EACxC;AAAA,EAET,YAAY,WAAmB,SAAkB;AAC/C;AAAA,MACE;AAAA,MACA,WAAW,cAAc,SAAS;AAAA,IACpC;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAqBO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,MAMT;AACD,UAAM,kBAAkB,KAAK,OAAO;AACpC,SAAK,OAAO;AACZ,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK;AACtB,SAAK,UAAU,KAAK;AACpB,SAAK,OAAO,KAAK;AAAA,EACnB;AACF;AAUO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,MAA2D;AACrE;AAAA,MACE;AAAA,MACA,cAAc,KAAK,MAAM,qBAAqB,KAAK,QAAQ,iCAC/B,KAAK,KAAK,oFAEjB,KAAK,MAAM,sBAAsB,KAAK,QAAQ;AAAA,IACrE;AACA,SAAK,OAAO;AACZ,SAAK,SAAS,KAAK;AACnB,SAAK,WAAW,KAAK;AACrB,SAAK,QAAQ,KAAK;AAAA,EACpB;AACF;AAOO,IAAM,8BAAN,cAA0C,WAAW;AAAA,EACjD;AAAA,EACA;AAAA,EAET,YAAY,QAAgB,gBAAwB;AAClD;AAAA,MACE;AAAA,MACA,cAAc,MAAM,mBAAmB,MAAM,oDACnB,cAAc,kBACxB,MAAM;AAAA,IACxB;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,iBAAiB;AAAA,EACxB;AACF;AAgBO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,MAKT;AACD,UAAM,sBAAsB,KAAK,OAAO;AACxC,SAAK,OAAO;AACZ,SAAK,QAAQ,KAAK;AAClB,SAAK,SAAS,KAAK;AACnB,SAAK,QAAQ,KAAK;AAAA,EACpB;AACF;AAQO,IAAM,4BAAN,cAAwC,WAAW;AAAA,EACxD,YAAY,SAAiB;AAC3B,UAAM,yBAAyB,OAAO;AACtC,SAAK,OAAO;AAAA,EACd;AACF;AAQO,IAAM,kBAAN,cAA8B,WAAW;AAAA,EACrC;AAAA,EACA;AAAA,EAET,YAAY,MAAgD;AAC1D;AAAA,MACE;AAAA,MACA,uBAAuB,KAAK,SAAS,kCAAkC,KAAK,SAAS;AAAA,IACvF;AACA,SAAK,OAAO;AACZ,SAAK,YAAY,KAAK;AACtB,SAAK,YAAY,KAAK;AAAA,EACxB;AACF;AAQO,IAAM,uBAAN,cAAmC,WAAW;AAAA,EAC1C;AAAA,EAET,YAAY,MAAyB;AACnC;AAAA,MACE;AAAA,MACA,sCAAsC,KAAK,KAAK,UAAK,CAAC;AAAA,IAExD;AACA,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAMO,IAAM,uBAAN,cAAmC,WAAW;AAAA,EAC1C;AAAA,EACA;AAAA,EAET,YAAY,OAAe,WAAmB;AAC5C;AAAA,MACE;AAAA,MACA,yCAAyC,KAAK,eAAe,SAAS;AAAA,IAExE;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,YAAY;AAAA,EACnB;AACF;AAOO,IAAM,+BAAN,cAA2C,WAAW;AAAA,EAClD;AAAA,EAET,YAAY,YAAoB;AAC9B;AAAA,MACE;AAAA,MACA,iCAAiC,UAAU;AAAA,IAE7C;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAAA,EACpB;AACF;AAMO,IAAM,6BAAN,cAAyC,WAAW;AAAA,EAChD;AAAA,EAET,YAAY,WAAmB,QAAgB;AAC7C;AAAA,MACE;AAAA,MACA,sBAAsB,SAAS,wBAAwB,MAAM;AAAA,IAC/D;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAaO,IAAM,6BAAN,cAAyC,WAAW;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,WAAmB,UAAkB,WAAmB;AAClE;AAAA,MACE;AAAA,MACA,4BAA4B,SAAS,cAAc,QAAQ,8BAC5C,SAAS;AAAA,IAE1B;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AACjB,SAAK,WAAW;AAChB,SAAK,YAAY;AAAA,EACnB;AACF;AAQO,IAAM,6BAAN,cAAyC,WAAW;AAAA,EAChD;AAAA,EAET,YAAY,MAAyB;AACnC;AAAA,MACE;AAAA,MACA,6CAA6C,KAAK,KAAK,UAAK,CAAC;AAAA,IAE/D;AACA,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,qCAAN,cAAiD,WAAW;AAAA,EACxD;AAAA,EACA;AAAA,EAET,YAAY,QAAgB,YAAoB;AAC9C;AAAA,MACE;AAAA,MACA,sBAAsB,MAAM,2CAA2C,UAAU;AAAA,IAEnF;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,aAAa;AAAA,EACpB;AACF;AAUO,IAAM,gCAAN,cAA4C,WAAW;AAAA,EACnD;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,QAAgB,UAAkB,OAAe;AAC3D;AAAA,MACE;AAAA,MACA,sBAAsB,MAAM,gBAAgB,QAAQ,4CAA4C,KAAK;AAAA,IAEvG;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,WAAW;AAChB,SAAK,QAAQ;AAAA,EACf;AACF;AAsBO,IAAM,8BAAN,cAA0C,WAAW;AAAA,EAC1D,YAAY,SAAiB;AAC3B;AAAA,MACE;AAAA,MACA,kCAAkC,OAAO;AAAA,IAC3C;AACA,SAAK,OAAO;AAAA,EACd;AACF;AASO,IAAM,4BAAN,cAAwC,WAAW;AAAA,EAC/C;AAAA,EACA;AAAA,EAET,YAAY,aAAqB,MAAc;AAC7C;AAAA,MACE;AAAA,MACA,sBAAsB,WAAW,YAAY,IAAI;AAAA,IAEnD;AACA,SAAK,OAAO;AACZ,SAAK,cAAc;AACnB,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,oCAAN,cAAgD,WAAW;AAAA,EACvD;AAAA,EACA;AAAA,EAET,YAAY,aAAqB,SAAiB;AAChD;AAAA,MACE;AAAA,MACA,sBAAsB,WAAW,0BAA0B,OAAO;AAAA,IAEpE;AACA,SAAK,OAAO;AACZ,SAAK,cAAc;AACnB,SAAK,UAAU;AAAA,EACjB;AACF;AAMO,IAAM,4BAAN,cAAwC,WAAW;AAAA,EAC/C;AAAA,EAET,YAAY,aAAqB;AAC/B;AAAA,MACE;AAAA,MACA,sBAAsB,WAAW;AAAA,IAEnC;AACA,SAAK,OAAO;AACZ,SAAK,cAAc;AAAA,EACrB;AACF;AASO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EACA;AAAA,EAET,YAAY,QAAgB,UAAkB;AAC5C;AAAA,MACE;AAAA,MACA,gCAAgC,MAAM,yDAAoD,QAAQ;AAAA,IAEpG;AACA,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,WAAW;AAAA,EAClB;AACF;AAaO,IAAM,wBAAN,cAAoC,WAAW;AAAA,EAC3C;AAAA,EAET,YAAY,SAAiB;AAC3B;AAAA,MACE;AAAA,MACA,wBAAwB,OAAO;AAAA,IAEjC;AACA,SAAK,OAAO;AACZ,SAAK,UAAU;AAAA,EACjB;AACF;AAQO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EACvC;AAAA,EAET,YAAY,cAAsB,WAAmB;AACnD;AAAA,MACE;AAAA,MACA,+BAA+B,YAAY,qBAAqB,SAAS,wDACjB,KAAK,UAAU,YAAY,CAAC;AAAA,IAEtF;AACA,SAAK,OAAO;AACZ,SAAK,eAAe;AAAA,EACtB;AACF;AAQO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EAET,YAAY,SAAiB,cAAsB;AACjD;AAAA,MACE;AAAA,MACA,qCAAqC,YAAY,aAAa,OAAO;AAAA,IAGvE;AACA,SAAK,OAAO;AACZ,SAAK,UAAU;AAAA,EACjB;AACF;AAQO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EAClD,YAAY,SAAiB;AAC3B,UAAM,oBAAoB,OAAO;AACjC,SAAK,OAAO;AAAA,EACd;AACF;AAGO,IAAM,6BAAN,cAAyC,WAAW;AAAA,EAChD;AAAA,EAET,YAAY,cAAsB;AAChC;AAAA,MACE;AAAA,MACA,uCAAuC,YAAY,4CACzB,KAAK,UAAU,YAAY,CAAC;AAAA,IAExD;AACA,SAAK,OAAO;AACZ,SAAK,eAAe;AAAA,EACtB;AACF;AAaO,IAAM,mCAAN,cAA+C,WAAW;AAAA,EAC/D,YACE,UAAU,mLAGV;AACA,UAAM,yBAAyB,OAAO;AACtC,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,2BAAN,cAAuC,WAAW;AAAA,EAC9C;AAAA,EACT,YAAY,WAAmB;AAC7B;AAAA,MACE;AAAA,MACA,gCAAgC,SAAS;AAAA,IAE3C;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAYO,IAAM,4BAAN,cAAwC,WAAW;AAAA,EAC/C;AAAA,EACA;AAAA,EACT,YACE,UACA,QACA;AACA;AAAA,MACE;AAAA,MACA,6BAA6B,OAAO,UAAU,IAAI,OAAO,EAAE,8BACpC,SAAS,UAAU,IAAI,SAAS,EAAE;AAAA,IAE3D;AACA,SAAK,OAAO;AACZ,SAAK,WAAW;AAChB,SAAK,SAAS;AAAA,EAChB;AACF;AASO,IAAM,yBAAN,cAAqC,WAAW;AAAA,EAC5C;AAAA,EACA;AAAA,EACT,YAAY,YAAoB,IAAY;AAC1C;AAAA,MACE;AAAA,MACA,yBAAyB,UAAU,IAAI,EAAE;AAAA,IAG3C;AACA,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,KAAK;AAAA,EACZ;AACF;","names":[]}

package/dist/{chunk-M476FOQ7.js → chunk-HOO5I3VG.js}

@@ -2,7 +2,7 @@ import {
   OverlayBaseIsVirtualError,
   OverlayCollectionUnavailableError,
   OverlayNameCollisionError
-} from "./chunk-ZEGSDPB7.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/overlay-views/registry.ts
 var OverlayedViewRegistry = class {
@@ -68,4 +68,4 @@ var OverlayedViewRegistry = class {
 export {
   OverlayedViewRegistry
 };
-//# sourceMappingURL=chunk-M476FOQ7.js.map
+//# sourceMappingURL=chunk-HOO5I3VG.js.map

package/dist/{chunk-F4G63NTZ.js → chunk-HWK75CYX.js}

@@ -30,7 +30,7 @@ async function resolveStaleMVOnRead(accessor, outputCollection) {
       continue;
     }
     if (executor === null) {
-      ({ MaterializedViewExecutor: executor } = await import("./executor-3W63Y44O.js"));
+      ({ MaterializedViewExecutor: executor } = await import("./executor-IZ2NVXCY.js"));
     }
     await executor.refresh(reg, {
       getCollection: (n) => accessor.getCollection(n),
@@ -50,4 +50,4 @@ export {
   resolveStaleMVOnRead,
   clearMVStale
 };
-//# sourceMappingURL=chunk-F4G63NTZ.js.map
+//# sourceMappingURL=chunk-HWK75CYX.js.map

package/dist/{chunk-FEJDVE3Z.js → chunk-HZOEBM67.js}

@@ -1,7 +1,7 @@
 import {
   MaterializedViewConfigError,
   ValidationError
-} from "./chunk-ZEGSDPB7.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/materialized-views/with-materialized-view.ts
 function withMaterializedView(spec) {
@@ -89,4 +89,4 @@ function withMaterializedView(spec) {
 export {
   withMaterializedView
 };
-//# sourceMappingURL=chunk-FEJDVE3Z.js.map
+//# sourceMappingURL=chunk-HZOEBM67.js.map

package/dist/{chunk-QHM6XEAH.js → chunk-IQ4GMEYZ.js}

@@ -1,15 +1,15 @@
 import {
   dekKey
-} from "./chunk-5LIROIDM.js";
+} from "./chunk-6YEC7LLO.js";
 import {
   assertStrongPassphrase,
   mintKeyringCanary,
   persistKeyring
-} from "./chunk-BSZOCSDZ.js";
+} from "./chunk-FQRAYDS4.js";
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-SISBMAPO.js";
+} from "./chunk-LGPSCKWZ.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -19,7 +19,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-UNTGHX5A.js";
+} from "./chunk-QJKZ5WUP.js";
 import {
   DelegationTargetMissingError,
   InvalidKeyError,
@@ -28,7 +28,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-ZEGSDPB7.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/team/authenticators.ts
 async function enrollAuthenticator(store, vault, keyring, options) {
@@ -827,4 +827,4 @@ export {
   magicLinkGrantRecordId,
   isMagicLinkGrantExpired
 };
-//# sourceMappingURL=chunk-QHM6XEAH.js.map
+//# sourceMappingURL=chunk-IQ4GMEYZ.js.map

package/dist/{chunk-5AXTH4QZ.js → chunk-K3NYRK7U.js}

@@ -1,6 +1,6 @@
 import {
   readPath
-} from "./chunk-J7RWBXFY.js";
+} from "./chunk-RZWQNMMP.js";
 
 // src/indexing/eager-indexes.ts
 var CollectionIndexes = class {
@@ -129,4 +129,4 @@ function removeFromIndex(idx, id, record) {
 export {
   CollectionIndexes
 };
-//# sourceMappingURL=chunk-5AXTH4QZ.js.map
+//# sourceMappingURL=chunk-K3NYRK7U.js.map

package/dist/{chunk-ROPJVUG3.js → chunk-KOURQXIU.js}

@@ -1,22 +1,22 @@
 import {
   ensureCollectionDEK
-} from "./chunk-BSZOCSDZ.js";
+} from "./chunk-FQRAYDS4.js";
 import {
   envelopePayloadHash
 } from "./chunk-PDVP3C2I.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-SISBMAPO.js";
+} from "./chunk-LGPSCKWZ.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-UNTGHX5A.js";
+} from "./chunk-QJKZ5WUP.js";
 import {
   DictKeyMissingError,
   LocaleNotSpecifiedError,
   MissingTranslationError,
   PermissionDeniedError
-} from "./chunk-ZEGSDPB7.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/i18n/policy.ts
 function resolvePolicy(onMissing, layer) {
@@ -603,4 +603,4 @@ export {
   isStaticDictDescriptor,
   DictionaryHandle
 };
-//# sourceMappingURL=chunk-ROPJVUG3.js.map
+//# sourceMappingURL=chunk-KOURQXIU.js.map

package/dist/chunk-KOURQXIU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/i18n/policy.ts","../src/i18n/core.ts","../src/i18n/dictionary.ts"],"sourcesContent":["/**\n * Per-layer i18n resolution policy.\n *\n * `onMissing` governs what happens when a multilingual field is resolved\n * to a target locale that is absent. It may be a single scalar policy or\n * a per-layer map, so a field can be lenient at the app read boundary but\n * strict inside a materialized view.\n *\n * Effective policy for layer `λ`:\n *\n * ```\n * explicit(λ) = typeof onMissing === 'object' ? onMissing[λ] : undefined\n * scalar      = typeof onMissing === 'string' ? onMissing : undefined\n * policy(λ)   = explicit(λ) ?? layerDefault(λ) ?? scalar ?? 'throw'\n * ```\n *\n * - `layerDefault('guard') = 'substitute'` — guards are lenient unless\n *   EXPLICITLY overridden; they never inherit a scalar policy (a guard\n *   reading a display value must not hard-fail on a missing locale).\n * - every other layer has no default, so it inherits the scalar, else\n *   falls back to `'throw'` (today's behavior — zero breaking change).\n *\n * @public\n */\nexport type OnMissing = 'substitute' | 'null' | 'throw'\n\n/**\n * The contexts in which a multilingual field is resolved. Each can carry\n * its own `onMissing` policy.\n *\n * - `read`       — ordinary app reads (`get`/`list`/query projection).\n * - `guard`      — a guard callback reading a value.\n * - `join`       — a joined record expanded onto a row.\n * - `mv`         — materialized-view input.\n * - `derivation` — derivation input.\n * - `export`     — bundle/public-envelope export.\n */\nexport type Layer = 'read' | 'guard' | 'join' | 'mv' | 'derivation' | 'export'\n\n/** Field-level policy: a single scalar, or a per-layer map. */\nexport type OnMissingPolicy = OnMissing | Partial<Record<Layer, OnMissing>>\n\n/**\n * Resolve the effective `OnMissing` for a layer from a field's declared\n * policy. See module docs for the resolution rule.\n */\nexport function resolvePolicy(\n  onMissing: OnMissingPolicy | undefined,\n  layer: Layer,\n): OnMissing {\n  const explicit =\n    onMissing && typeof onMissing === 'object' ? onMissing[layer] : undefined\n  const scalar = typeof onMissing === 'string' ? onMissing : undefined\n  const layerDefault: OnMissing | undefined =\n    layer === 'guard' ? 'substitute' : undefined\n  return explicit ?? layerDefault ?? scalar ?? 'throw'\n}\n","/**\n * i18nText schema type —\n *\n * `i18nText({ languages, required })` creates a descriptor for a\n * multi-language content field whose value is stored as a\n * `{ [locale]: string }` map (e.g. `{ en: 'Consulting', th: 'ที่ปรึกษา' }`).\n *\n * On put, the descriptor validates that required languages are present.\n * On read (when a `locale` option is passed), the map is collapsed to the\n * caller's locale string via the fallback chain.\n *\n * Design decisions\n * ────────────────\n *\n * **Descriptor pattern (not a Zod type).**\n * `i18nText()` returns a plain descriptor object used in the collection's\n * `i18nFields` option — same pattern as `ref()` / `dictKey()`. This keeps\n * `@noy-db/core` at zero runtime dependencies and avoids Zod v3 field-type\n * constraints. TypeScript inference is handled via the descriptor's type.\n *\n * **Enforcement at the collection boundary.**\n * The `required` option is checked by `Collection.put()` via the compartment's\n * registered `i18nFields`. Failed validation throws `MissingTranslationError`\n * — a distinct class from `SchemaValidationError` so callers can tell\n * \"wrong shape\" from \"missing translations\".\n *\n * **Resolution is post-decryption.**\n * Locale resolution happens AFTER `decryptRecord()`, as a pure in-memory\n * transform. No additional crypto work is needed. The resolved record is\n * returned in place of the stored one, with i18nText fields replaced by\n * their locale-resolved strings.\n *\n * **`locale: 'raw'`.**\n * Passing `{ locale: 'raw' }` skips resolution and returns the full\n * `{ [locale]: string }` map — useful for bilingual exports, admin UIs,\n * and any context where all translations must be visible at once.\n *\n * **Out of scope.**\n * Pluralization, RTL rendering, date/number formatting, per-locale CRDT\n * merging.\n */\n\nimport { MissingTranslationError, LocaleNotSpecifiedError } from '../errors.js'\nimport type { OnMissing, OnMissingPolicy, Layer } from './policy.js'\nimport { resolvePolicy } from './policy.js'\n\n// ─── I18nMap type helper ───────────────────────────────────────────────\n\n/** Flatten an intersection into a single object literal for nicer hovers. */\ntype Prettify<T> = { [K in keyof T]: T[K] } & {}\n\n/**\n * The stored shape of a multilingual field, inferred from its `required`\n * mode — so the compiler forces you to handle an absent optional locale\n * (`string | undefined`) instead of silently yielding `undefined`.\n *\n * Mirrors `i18nText({ languages, required })`:\n * - `'all'` (default) — every locale required: `{ th: string; en: string }`\n * - `'any'`           — every locale optional: `{ th?: string; en?: string }`\n *   (the \"at least one present\" guarantee is runtime-only — not expressible\n *   in TypeScript — so each key is optional)\n * - `readonly L[]`    — listed locales required, the rest optional:\n *   `I18nMap<'th'|'en', ['th']>` → `{ th: string; en?: string }`\n *\n * @example\n * ```ts\n * type Lang = 'th' | 'en'\n * interface Contact {\n *   name: I18nMap<Lang, 'any'>      // { th?: string; en?: string }\n *   legalName: I18nMap<Lang, ['th']> // { th: string; en?: string }\n *   slug: I18nMap<Lang>             // { th: string; en: string }\n * }\n * ```\n *\n * @public\n */\nexport type I18nMap<\n  Langs extends string,\n  Required extends 'all' | 'any' | readonly Langs[] = 'all',\n> = Required extends 'all'\n  ? Record<Langs, string>\n  : Required extends 'any'\n    ? Partial<Record<Langs, string>>\n    : Required extends readonly (infer R extends Langs)[]\n      ? Prettify<Record<R, string> & Partial<Record<Exclude<Langs, R>, string>>>\n      : never\n\n// ─── i18nText descriptor ───────────────────────────────────────────────\n\n/**\n * Options for `i18nText()`.\n *\n * `languages` declares the full set of supported locales. `required`\n * controls which must be present on every `put()`.\n *\n * `autoTranslate` is the per-field opt-in for the `plaintextTranslator`\n * hook. When `true` and a `plaintextTranslator` is configured\n * on `createNoydb()`, missing translations are generated before `put()`.\n * Default: `false`.\n */\nexport interface I18nTextOptions {\n  /** All supported locale codes (BCP 47). */\n  readonly languages: readonly string[]\n  /**\n   * Which locales must be present on every `put()`.\n   *\n   * - `'all'`       — every declared language must be present.\n   * - `'any'`       — at least one declared language must be present.\n   * - `string[]`    — listed locales are required; others are optional.\n   */\n  readonly required: 'all' | 'any' | readonly string[]\n  /**\n   * Per-field opt-in for the `plaintextTranslator` hook.\n   * When `true`, missing required translations are auto-generated\n   * before `put()` if a translator is configured. Default: `false`.\n   */\n  readonly autoTranslate?: boolean\n  /**\n   * What to do when this field is resolved to a locale that is absent.\n   * A single policy, or a per-layer map (read/guard/join/mv/derivation/\n   * export). Default `'throw'` — today's behavior, zero breaking change.\n   * See {@link OnMissingPolicy}.\n   *\n   * NOTE (current wiring): the `read` (`get`/`list`), `guard` and\n   * `derivation` layers are enforced — guard / derivation `ctx.vault`\n   * reads resolve under their own layer policy (`guard` defaults to the\n   * lenient `'substitute'`). The `mv`, `join` and `export` layers are NOT\n   * yet wired: mv/join read raw `{locale}` maps in the query/aggregate\n   * pipeline (no resolution call site), so injecting resolution there is a\n   * tracked follow-up (#285 D2/D3). Until then those reads observe the raw\n   * map, not this policy.\n   */\n  readonly onMissing?: OnMissingPolicy\n  /**\n   * Ordered preferred-substitute locales used when `onMissing` resolves\n   * to `'substitute'` and the target locale is absent. `'any'` as an\n   * element means \"first non-empty value\". A caller-supplied `fallback`\n   * at read time takes precedence over this declared list.\n   */\n  readonly substitute?: readonly string[]\n  /**\n   * Per-locale script enforcement (write-time). `'auto'` infers the\n   * allowed Unicode scripts per locale (asymmetric Latin tolerance); an\n   * object overrides per slot. Absent ⇒ no check. See `./script.ts`.\n   */\n  readonly script?: 'auto' | Partial<Record<string, readonly string[]>>\n  /**\n   * What to do when a slot's value contains characters outside its\n   * allowed script set. Default `'reject'`.\n   */\n  readonly onScriptViolation?: 'reject' | 'filter' | 'warn'\n}\n\n/**\n * Descriptor returned by `i18nText()`. Attach to the collection's\n * `i18nFields` option:\n *\n * ```ts\n * const lineItems = company.collection<LineItem>('line-items', {\n *   i18nFields: {\n *     description: i18nText({ languages: ['en', 'th'], required: 'all' }),\n *   },\n * })\n * ```\n */\nexport interface I18nTextDescriptor {\n  readonly _noydbI18nText: true\n  readonly options: I18nTextOptions\n}\n\n/**\n * Create an `I18nTextDescriptor` for a multi-language content field.\n *\n * @param options  Language list + enforcement mode.\n *\n * @example\n * ```ts\n * i18nText({ languages: ['en', 'th'], required: 'all' })\n * i18nText({ languages: ['en', 'th'], required: ['th'], autoTranslate: true })\n * ```\n */\nexport function i18nText(options: I18nTextOptions): I18nTextDescriptor {\n  return { _noydbI18nText: true, options }\n}\n\n/** Runtime predicate for detecting an `I18nTextDescriptor`. */\nexport function isI18nTextDescriptor(x: unknown): x is I18nTextDescriptor {\n  return (\n    typeof x === 'object' &&\n    x !== null &&\n    (x as { _noydbI18nText?: unknown })._noydbI18nText === true\n  )\n}\n\n// ─── Validation helpers ────────────────────────────────────────────────\n\n/**\n * Validate that a value is a valid `{ [locale]: string }` map and that\n * all required locales are present. Throws `MissingTranslationError`\n * when the required constraint is violated.\n *\n * Called by `Collection.put()` for each registered `i18nField`.\n *\n * @param value       The raw field value from the record being put.\n * @param field       The field name (used in the thrown error message).\n * @param descriptor  The `i18nText()` descriptor for this field.\n */\nexport function validateI18nTextValue(\n  value: unknown,\n  field: string,\n  descriptor: I18nTextDescriptor,\n): void {\n  const { options } = descriptor\n\n  // Must be a non-null object\n  if (typeof value !== 'object' || value === null || Array.isArray(value)) {\n    throw new MissingTranslationError(\n      field,\n      options.languages,\n      `Field \"${field}\" must be a { [locale]: string } map, got ${typeof value}.`,\n    )\n  }\n\n  const map = value as Record<string, unknown>\n\n  // All values must be strings\n  for (const [locale, v] of Object.entries(map)) {\n    if (typeof v !== 'string') {\n      throw new MissingTranslationError(\n        field,\n        [locale],\n        `Field \"${field}\": locale \"${locale}\" must be a string, got ${typeof v}.`,\n      )\n    }\n  }\n\n  // Check required constraint\n  const { required } = options\n  if (required === 'all') {\n    const missing = options.languages.filter(\n      (lang) => !(lang in map) || map[lang] === '',\n    )\n    if (missing.length > 0) {\n      throw new MissingTranslationError(\n        field,\n        missing,\n        `Field \"${field}\" requires all declared languages. Missing: ${missing.join(', ')}.`,\n      )\n    }\n  } else if (required === 'any') {\n    const present = options.languages.some(\n      (lang) => lang in map && map[lang] !== '',\n    )\n    if (!present) {\n      throw new MissingTranslationError(\n        field,\n        options.languages,\n        `Field \"${field}\" requires at least one declared language. None present.`,\n      )\n    }\n  } else {\n    // string[] — named required locales; TypeScript narrows required to readonly string[]\n    const requiredList = required\n    const missing = requiredList.filter(\n      (lang) => !(lang in map) || map[lang] === '',\n    )\n    if (missing.length > 0) {\n      throw new MissingTranslationError(\n        field,\n        missing,\n        `Field \"${field}\" requires: ${requiredList.join(', ')}. Missing: ${missing.join(', ')}.`,\n      )\n    }\n  }\n}\n\n// ─── Locale resolution ─────────────────────────────────────────────────\n\n/**\n * Resolve an i18nText value (`{ [locale]: string }` map) to a string\n * for the given locale.\n *\n * @param value    The stored locale map.\n * @param locale   The requested locale code, or `'raw'` to return the map.\n * @param fallback Single locale or ordered list; use `'any'` as the last\n *                 element to fall back to any available translation.\n * @param field    Field name used in `LocaleNotSpecifiedError` messages.\n * @returns The resolved string, OR the original map when `locale === 'raw'`.\n */\n/** Options for the policy-aware form of {@link resolveI18nText}. */\nexport interface ResolveI18nOptions {\n  /** Effective policy for the resolution layer. Default `'throw'`. */\n  readonly policy?: OnMissing\n  /** Declared substitute chain; applied only under policy `'substitute'`. */\n  readonly substitute?: readonly string[]\n}\n\n/** Normalize a single-or-list fallback into an array. */\nfunction toChain(fallback: string | readonly string[] | undefined): readonly string[] {\n  return Array.isArray(fallback) ? fallback : fallback ? [fallback as string] : []\n}\n\n/** Walk a chain, returning the first non-empty value (or `'any'` match). */\nfunction pickFromChain(\n  value: Record<string, string>,\n  chain: readonly string[],\n): string | undefined {\n  for (const fb of chain) {\n    if (fb === 'any') {\n      const any = Object.values(value).find((v) => v !== '')\n      if (any !== undefined) return any\n    } else if (value[fb] !== undefined && value[fb] !== '') {\n      return value[fb]\n    }\n  }\n  return undefined\n}\n\n// Legacy 4-arg form: can only throw or return — never null. Keeps every\n// existing call site's type unchanged (default policy is 'throw').\nexport function resolveI18nText(\n  value: Record<string, string>,\n  locale: string,\n  fallback?: string | readonly string[],\n  field?: string,\n): string | Record<string, string>\n// Policy-aware form: may return null under 'null'/'substitute' policies.\nexport function resolveI18nText(\n  value: Record<string, string>,\n  locale: string,\n  fallback: string | readonly string[] | undefined,\n  field: string | undefined,\n  opts: ResolveI18nOptions,\n): string | Record<string, string> | null\nexport function resolveI18nText(\n  value: Record<string, string>,\n  locale: string,\n  fallback?: string | readonly string[],\n  field?: string,\n  opts?: ResolveI18nOptions,\n): string | Record<string, string> | null {\n  if (locale === 'raw') {\n    return value\n  }\n\n  if (!locale) {\n    throw new LocaleNotSpecifiedError(field ?? '<unknown>')\n  }\n\n  // Primary locale\n  if (value[locale] !== undefined && value[locale] !== '') {\n    return value[locale]\n  }\n\n  const policy: OnMissing = opts?.policy ?? 'throw'\n\n  // Caller-supplied fallback ALWAYS applies first (backward compat +\n  // explicit read-time override), regardless of policy.\n  const callerChain = toChain(fallback)\n  const callerHit = pickFromChain(value, callerChain)\n  if (callerHit !== undefined) return callerHit\n\n  // Declared substitute applies ONLY under policy 'substitute'.\n  if (policy === 'substitute') {\n    const subHit = pickFromChain(value, toChain(opts?.substitute))\n    if (subHit !== undefined) return subHit\n  }\n\n  // Exhausted.\n  if (policy === 'throw') {\n    throw new LocaleNotSpecifiedError(\n      field ?? '<unknown>',\n      `No translation available for locale \"${locale}\"` +\n        (callerChain.length > 0 ? ` or fallback chain [${callerChain.join(', ')}]` : '') +\n        '.',\n    )\n  }\n  return null\n}\n\n// ─── Path helpers (nested i18nFields like 'address.lineOne') ──────────\n\n/**\n * Return all leaf values at `path`, expanding `[].` array wildcards.\n *\n * - `'name'`              → `[obj.name]`\n * - `'address.lineOne'`   → `[obj.address.lineOne]`\n * - `'contacts[].title'`  → `[obj.contacts[0].title, obj.contacts[1].title, …]`\n *\n * Returns an empty array when the path does not resolve (missing key,\n * wrong type, etc.). Used by `enforceI18nOnPut` to validate nested fields.\n */\nexport function getAtPath(obj: Record<string, unknown>, path: string): unknown[] {\n  const arrayIdx = path.indexOf('[].')\n  if (arrayIdx !== -1) {\n    const arrayKey = path.slice(0, arrayIdx)\n    const restPath = path.slice(arrayIdx + 3)\n    const arr = obj[arrayKey]\n    if (!Array.isArray(arr)) return []\n    return arr.flatMap(item => {\n      if (!item || typeof item !== 'object' || Array.isArray(item)) return []\n      return getAtPath(item as Record<string, unknown>, restPath)\n    })\n  }\n  const dotIdx = path.indexOf('.')\n  if (dotIdx !== -1) {\n    const head = path.slice(0, dotIdx)\n    const rest = path.slice(dotIdx + 1)\n    const nested = obj[head]\n    if (!nested || typeof nested !== 'object' || Array.isArray(nested)) return []\n    return getAtPath(nested as Record<string, unknown>, rest)\n  }\n  const val = obj[path]\n  return val !== undefined ? [val] : []\n}\n\n/**\n * Mutate `obj` in-place, setting `value` at the nested `path`.\n * Supports dot notation (`'address.lineOne'`) but not array wildcards —\n * auto-translate on `contacts[].title` style paths is not supported.\n */\nexport function setAtPathInPlace(\n  obj: Record<string, unknown>,\n  path: string,\n  value: unknown,\n): void {\n  const dotIdx = path.indexOf('.')\n  if (dotIdx !== -1) {\n    const head = path.slice(0, dotIdx)\n    const rest = path.slice(dotIdx + 1)\n    const nested = obj[head]\n    if (!nested || typeof nested !== 'object' || Array.isArray(nested)) return\n    setAtPathInPlace(nested as Record<string, unknown>, rest, value)\n    return\n  }\n  obj[path] = value\n}\n\n/** Recursively resolve i18nText at a single path within a record copy. */\nfunction applyAtPath(\n  obj: Record<string, unknown>,\n  path: string,\n  locale: string,\n  fallback: string | readonly string[] | undefined,\n  opts: ResolveI18nOptions,\n): Record<string, unknown> {\n  const arrayIdx = path.indexOf('[].')\n  if (arrayIdx !== -1) {\n    const arrayKey = path.slice(0, arrayIdx)\n    const restPath = path.slice(arrayIdx + 3)\n    const arr = obj[arrayKey]\n    if (!Array.isArray(arr)) return obj\n    return {\n      ...obj,\n      [arrayKey]: arr.map(item => {\n        if (!item || typeof item !== 'object' || Array.isArray(item)) return item\n        return applyAtPath(item as Record<string, unknown>, restPath, locale, fallback, opts)\n      }),\n    }\n  }\n  const dotIdx = path.indexOf('.')\n  if (dotIdx !== -1) {\n    const head = path.slice(0, dotIdx)\n    const rest = path.slice(dotIdx + 1)\n    const nested = obj[head]\n    if (!nested || typeof nested !== 'object' || Array.isArray(nested)) return obj\n    return {\n      ...obj,\n      [head]: applyAtPath(nested as Record<string, unknown>, rest, locale, fallback, opts),\n    }\n  }\n  const raw = obj[path]\n  if (raw === undefined || raw === null) return obj\n  if (typeof raw !== 'object' || Array.isArray(raw)) return obj\n  return {\n    ...obj,\n    [path]: resolveI18nText(raw as Record<string, string>, locale, fallback, path, opts),\n  }\n}\n\n/**\n * Apply locale resolution to a single record, returning a new copy.\n *\n * For each field registered as an `i18nText` descriptor:\n * - If `locale === 'raw'`, the field value is left as the stored map.\n * - Otherwise, the field value is replaced with the resolved string.\n *\n * Field paths support dot notation (`'address.lineOne'`) and array\n * wildcards (`'contacts[].title'`). Top-level fields work as before.\n *\n * @param record      The decrypted record.\n * @param i18nFields  Map of field path → `I18nTextDescriptor`.\n * @param locale      The requested locale (or `'raw'`).\n * @param fallback    Fallback chain (optional).\n * @param layer       Resolution layer (default `'read'`). Each field's\n *                    `onMissing` policy is resolved for this layer, so the\n *                    same record resolves leniently on a get but strictly\n *                    inside an mv/derivation.\n */\nexport function applyI18nLocale(\n  record: Record<string, unknown>,\n  i18nFields: Record<string, I18nTextDescriptor>,\n  locale: string,\n  fallback?: string | readonly string[],\n  layer: Layer = 'read',\n): Record<string, unknown> {\n  const fieldNames = Object.keys(i18nFields)\n  if (fieldNames.length === 0) return record\n\n  let result = record\n\n  for (const [field, descriptor] of Object.entries(i18nFields)) {\n    const { onMissing, substitute } = descriptor.options\n    const opts: ResolveI18nOptions = {\n      policy: resolvePolicy(onMissing, layer),\n      ...(substitute !== undefined ? { substitute } : {}),\n    }\n    result = applyAtPath(result, field, locale, fallback, opts)\n  }\n\n  return result\n}\n","/**\n * _dict_* reserved collections + dictKey schema descriptor —\n *\n * Stores bounded enum-like field dictionaries as reserved encrypted\n * collections (`_dict_<name>/`) within a vault. Each dictionary\n * entry maps a stable key (e.g. `'paid'`) to a locale → label record\n * (e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`).\n *\n * Design decisions\n * ────────────────\n *\n * **Why reserved collections, not a separate store?**\n * Same answer as `_sync_credentials`: the compartment's existing\n * encryption stack is exactly right. Dictionaries are encrypted under the\n * same vault DEK, inherit ACL, ledger, and backup/restore for free.\n *\n * **One collection per dictionary, not one collection with namespaces.**\n * Each `_dict_<name>/` collection holds entries `{ id: key, labels: {...} }`.\n * This composes with `ref()` naturally (a dictKey IS a ref to the dict\n * collection), and means the query DSL works over dictionary entries\n * without any special-casing.\n *\n * **dictKey() is a descriptor, not a Zod type.**\n * The descriptor pattern matches `ref()`: declare NOYDB-specific metadata\n * in the collection options alongside `refs`. TypeScript inference comes\n * from the descriptor's generic parameter, not from Zod internals.\n *\n * API:\n *   `dictKey(name, keys?)` — returns a DictKeyDescriptor\n *   `vault.dictionary(name)` — returns a DictionaryHandle\n *   `DictionaryHandle.put/putAll/get/delete/rename/list` — CRUD\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { NoydbEventEmitter } from '../events.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { ensureCollectionDEK } from '../team/keyring.js'\nimport type { LedgerStore } from '../history/ledger/store.js'\nimport type { OnMissingPolicy } from './policy.js'\nimport { envelopePayloadHash } from '../history/ledger/hash.js'\nimport {\n  PermissionDeniedError,\n  DictKeyMissingError,\n} from '../errors.js'\n\n/** Reserved collection name prefix. Never collides with user collections. */\nexport const DICT_COLLECTION_PREFIX = '_dict_'\n\n/** Return the adapter collection name for a named dictionary. */\nexport function dictCollectionName(dictionaryName: string): string {\n  return `${DICT_COLLECTION_PREFIX}${dictionaryName}`\n}\n\n/** Return true when a collection name is a reserved dictionary collection. */\nexport function isDictCollectionName(name: string): boolean {\n  return name.startsWith(DICT_COLLECTION_PREFIX)\n}\n\n// ─── DictKey descriptor ────────────────────────────────────────────────\n\n/**\n * Descriptor returned by `dictKey()`. Attach to the collection's\n * `dictKeyFields` option to declare which fields are dictionary-backed:\n *\n * ```ts\n * const invoices = company.collection<Invoice>('invoices', {\n *   dictKeyFields: {\n *     status: dictKey('status', ['draft', 'open', 'paid'] as const),\n *   },\n * })\n * ```\n *\n * The generic parameter `Keys` narrows the TypeScript type of the field\n * to a literal union; the runtime value of `keys` is used by `put()`\n * validation to reject unknown keys when a key set is declared.\n */\nexport interface DictKeyDescriptor<Keys extends string = string> {\n  readonly _noydbDictKey: true\n  /** Which dictionary this field references. */\n  readonly name: string\n  /** Declared valid keys. When set, `put()` rejects keys not in this set. */\n  readonly keys: readonly Keys[] | undefined\n  /**\n   * What to do when a label is missing for the resolved locale. Mirrors\n   * `i18nText`'s `onMissing`. Default behavior (when unset) preserves the\n   * legacy contract: a missing label is omitted (scalar) or `null`\n   * (array element) — i.e. `'null'`. Set `'substitute'` to walk the\n   * declared `substitute` chain, or `'throw'` to raise.\n   */\n  readonly onMissing?: OnMissingPolicy\n  /** Ordered preferred-substitute locales for label resolution. */\n  readonly substitute?: readonly string[]\n}\n\n/**\n * Create a `DictKeyDescriptor` for a dictionary-backed enum field.\n *\n * @param name   The dictionary name (corresponds to `_dict_<name>` collection).\n * @param keys   Optional `as const` array of valid key literals — narrows the\n *               TypeScript type to a literal union and enables put-time\n *               validation.\n *\n * @example\n * ```ts\n * const invoices = company.collection<Invoice>('invoices', {\n *   dictKeyFields: {\n *     status: dictKey('status', ['draft', 'open', 'paid'] as const),\n *   },\n * })\n * ```\n */\nexport function dictKey<Keys extends string>(\n  name: string,\n  keys?: readonly Keys[],\n  opts?: { onMissing?: OnMissingPolicy; substitute?: readonly string[] },\n): DictKeyDescriptor<Keys> {\n  return {\n    _noydbDictKey: true,\n    name,\n    keys,\n    ...(opts?.onMissing !== undefined ? { onMissing: opts.onMissing } : {}),\n    ...(opts?.substitute !== undefined ? { substitute: opts.substitute } : {}),\n  }\n}\n\n/** Runtime predicate for detecting a DictKeyDescriptor. */\nexport function isDictKeyDescriptor(x: unknown): x is DictKeyDescriptor {\n  return (\n    typeof x === 'object' &&\n    x !== null &&\n    (x as { _noydbDictKey?: unknown })._noydbDictKey === true\n  )\n}\n\n// ─── StaticDict descriptor (code-provided dictionary) ──────────────────\n\n/**\n * Descriptor returned by `staticDict()`. A sibling to {@link DictKeyDescriptor}\n * for **closed, defined-in-code, identical-across-vaults** enums (honorific,\n * civil-status, gender, religion, ContactTitle, status…).\n *\n * Unlike `dictKey`, the labels are supplied **at registration in code** and\n * resolved through the *same* label machinery, but with **no `_dict_*`\n * per-vault encrypted copy** and **no `rename()`**. The record stores only\n * the **code**; a static dict has no mutation surface.\n *\n * **Hybrid resolution.** Because a static dict is pure code with no\n * vault-locale dependency, it can — via a configured `displayLocale` — emit a\n * `<field>Label` even under a **locale-less read** (the property a locale-less\n * consumer needs and `dictKey` cannot provide). When a locale *is* active it\n * behaves exactly like `dictKey` (honoring `onMissing`/`substitute`).\n *\n * ```ts\n * const workers = vault.collection<Worker>('workers', {\n *   dictKeyFields: {\n *     civilStatus: staticDict('civilStatus', {\n *       adultMale:   { th: 'นาย',    en: 'Mr'  },\n *       adultFemale: { th: 'นาง',    en: 'Mrs' },\n *     }, { displayLocale: 'th' }),\n *   },\n * })\n * ```\n */\nexport interface StaticDictDescriptor<Keys extends string = string> {\n  readonly _noydbStaticDict: true\n  /** Which dictionary this field references (the registry name). */\n  readonly name: string\n  /** The in-code label table: key → { locale → label }. */\n  readonly table: Readonly<Record<Keys, Readonly<Record<string, string>>>>\n  /** Declared valid keys — derived from `Object.keys(table)`. */\n  readonly keys: readonly Keys[]\n  /**\n   * Locale used to emit `<field>Label` under a **locale-less** read — the\n   * hybrid hinge. When unset, a static dict behaves like `dictKey` under a\n   * locale-less read (no label); a locale-less consumer almost always wants\n   * it set.\n   */\n  readonly displayLocale?: string\n  /** Same `onMissing` policy engine as `dictKey`. Default `'null'`. */\n  readonly onMissing?: OnMissingPolicy\n  /** Ordered preferred-substitute locales for label resolution. */\n  readonly substitute?: readonly string[]\n  /**\n   * Validate the stored code against `keys` on every `put()`. Default `true`\n   * — codes are closed by construction, so an unknown code is a bug. Set\n   * `false` to allow open codes (skips the `UnknownDictCodeError` guard).\n   */\n  readonly validateCodes?: boolean\n}\n\n/**\n * Create a `StaticDictDescriptor` for a code-provided enum field — a sibling\n * to {@link dictKey} for closed, code-defined, identical-across-vaults enums.\n *\n * The labels live in `table` (no `_dict_*` collection, no `rename()`); the\n * record stores only the stable code. Pass `displayLocale` so `<field>Label`\n * resolves even under a locale-less read.\n *\n * @param name   The dictionary name (used for the readonly-guard registry and\n *               the query label seam — never creates a `_dict_<name>` key).\n * @param table  `{ key: { locale: label } }` map.\n * @param opts   `displayLocale` (locale-less label), `onMissing`, `substitute`.\n *\n * @example\n * ```ts\n * staticDict('civilStatus', {\n *   adultMale:   { th: 'นาย',    en: 'Mr'  },\n *   adultFemale: { th: 'นาง',    en: 'Mrs' },\n * }, { displayLocale: 'th' })\n * ```\n */\nexport function staticDict<const T extends Record<string, Record<string, string>>>(\n  name: string,\n  table: T,\n  opts?: {\n    displayLocale?: string\n    onMissing?: OnMissingPolicy\n    substitute?: readonly string[]\n    validateCodes?: boolean\n  },\n): StaticDictDescriptor<Extract<keyof T, string>> {\n  return {\n    _noydbStaticDict: true,\n    name,\n    table: table as Readonly<Record<Extract<keyof T, string>, Readonly<Record<string, string>>>>,\n    keys: Object.keys(table) as Extract<keyof T, string>[],\n    ...(opts?.displayLocale !== undefined ? { displayLocale: opts.displayLocale } : {}),\n    ...(opts?.onMissing !== undefined ? { onMissing: opts.onMissing } : {}),\n    ...(opts?.substitute !== undefined ? { substitute: opts.substitute } : {}),\n    ...(opts?.validateCodes !== undefined ? { validateCodes: opts.validateCodes } : {}),\n  }\n}\n\n/** Runtime predicate for detecting a StaticDictDescriptor. */\nexport function isStaticDictDescriptor(x: unknown): x is StaticDictDescriptor {\n  return (\n    typeof x === 'object' &&\n    x !== null &&\n    (x as { _noydbStaticDict?: unknown })._noydbStaticDict === true\n  )\n}\n\n// ─── Dictionary entry shape ────────────────────────────────────────────\n\n/**\n * One entry in a `_dict_*` collection. The record `id` (adapter-side\n * key) IS the stable dictionary key (e.g. `'paid'`). The `labels`\n * record maps locale codes to display strings.\n */\nexport interface DictEntry {\n  /** Stable key — same as the record id in the adapter. */\n  readonly key: string\n  /** Locale → label map, e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`. */\n  readonly labels: Record<string, string>\n}\n\n// ─── Per-dictionary options ────────────────────────────────────────────\n\n/**\n * Options for `vault.dictionary(name, options?)`.\n *\n * `writableBy` controls the minimum role for write operations (put,\n * putAll, delete, rename). Defaults to `'admin'` to match the standard\n * \"dictionary contents are owned by admins\" convention; set to\n * `'operator'` for user-editable dictionaries like custom tags.\n */\nexport interface DictionaryOptions {\n  /** Minimum role allowed to write dictionary entries. Default: `'admin'`. */\n  readonly writableBy?: 'owner' | 'admin' | 'operator'\n}\n\n// ─── DictionaryHandle ──────────────────────────────────────────────────\n\n/**\n * Handle to a named dictionary within a vault.\n *\n * Obtained via `vault.dictionary(name)`. Provides strongly-typed\n * CRUD for dictionary entries, plus the `rename()` operation that is the\n * only sanctioned mass-mutation path for dictKey fields.\n *\n * All writes are encrypted under the compartment's DEK for the\n * `_dict_<name>` collection. Adapters never see plaintext.\n */\nexport class DictionaryHandle<Keys extends string = string> {\n  private readonly collName: string\n\n  /**\n   * Synchronous write-through cache for dict-join support.\n   * Populated on every `put()`, `delete()`, and `rename()`. The snapshot\n   * is built from this cache by `snapshotEntries()` — the query executor\n   * calls this synchronously inside `.toArray()`.\n   *\n   * `null` means \"not yet initialized\" — callers should use `list()`\n   * to warm the cache before using dict joins on pre-existing data.\n   */\n  private readonly _syncCache = new Map<string, DictEntry>()\n\n  /**\n   * Return all cached entries as `{ key, labels, ...labels }` records —\n   * usable synchronously by the join executor's `snapshot()` call.\n   * Returns an empty array when the cache has never been populated.\n   */\n  snapshotEntries(): readonly Record<string, unknown>[] {\n    return Array.from(this._syncCache.values()).map((e) => ({\n      key: e.key,\n      labels: e.labels,\n      ...e.labels,\n    }))\n  }\n\n  constructor(\n    private readonly adapter: NoydbStore,\n    private readonly compartmentName: string,\n    private readonly dictionaryName: string,\n    private readonly keyring: UnlockedKeyring,\n    private readonly getDEK: (collectionName: string) => Promise<CryptoKey>,\n    private readonly encrypted: boolean,\n    private readonly ledger: LedgerStore | undefined,\n    private readonly options: DictionaryOptions,\n    /**\n     * Callback provided by the Vault to find and rewrite records\n     * in any registered collection that has a dictKeyField pointing at\n     * this dictionary, used by `rename()`.\n     */\n    private readonly findAndUpdateReferences:\n      | ((\n          dictionaryName: string,\n          oldKey: string,\n          newKey: string,\n        ) => Promise<void>)\n      | undefined,\n    private readonly emitter: NoydbEventEmitter,\n  ) {\n    this.collName = dictCollectionName(dictionaryName)\n  }\n\n  // ─── Access checks ────────────────────────────────────────────────\n\n  private requireWriteAccess(): void {\n    const minRole = this.options.writableBy ?? 'admin'\n    const roleRank: Record<string, number> = {\n      client: 1,\n      viewer: 2,\n      operator: 3,\n      admin: 4,\n      owner: 5,\n    }\n    const callerRank = roleRank[this.keyring.role] ?? 0\n    const requiredRank = roleRank[minRole] ?? 4\n    if (callerRank < requiredRank) {\n      throw new PermissionDeniedError(\n        `Dictionary \"${this.dictionaryName}\" writes require \"${minRole}\" role or above. ` +\n          `Current role: \"${this.keyring.role}\".`,\n      )\n    }\n  }\n\n  // ─── Internal helpers ─────────────────────────────────────────────\n\n  private async getDekForDict(): Promise<CryptoKey> {\n    const resolve = await ensureCollectionDEK(\n      this.adapter,\n      this.compartmentName,\n      this.keyring,\n    )\n    return resolve(this.collName)\n  }\n\n  private async encryptEntry(entry: DictEntry, version: number): Promise<EncryptedEnvelope> {\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: version,\n        _ts: new Date().toISOString(),\n        _iv: '',\n        _data: JSON.stringify(entry),\n        _by: this.keyring.userId,\n      }\n    }\n    const dek = await this.getDekForDict()\n    const { iv, data } = await encrypt(JSON.stringify(entry), dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: version,\n      _ts: new Date().toISOString(),\n      _iv: iv,\n      _data: data,\n      _by: this.keyring.userId,\n    }\n  }\n\n  private async decryptEntry(envelope: EncryptedEnvelope): Promise<DictEntry> {\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as DictEntry\n    }\n    const dek = await this.getDekForDict()\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as DictEntry\n  }\n\n  // ─── Public API ───────────────────────────────────────────────────\n\n  /**\n   * Add or overwrite a single dictionary entry.\n   *\n   * @param key    The stable key to store (e.g. `'paid'`).\n   * @param labels Locale → label map (e.g. `{ en: 'Paid', th: 'ชำระแล้ว' }`).\n   */\n  async put(key: Keys, labels: Record<string, string>): Promise<void> {\n    this.requireWriteAccess()\n\n    const entry: DictEntry = { key, labels }\n    const existing = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      key,\n    )\n    const version = existing ? existing._v + 1 : 1\n    const envelope = await this.encryptEntry(entry, version)\n\n    await this.adapter.put(\n      this.compartmentName,\n      this.collName,\n      key,\n      envelope,\n      existing ? existing._v : undefined,\n    )\n\n    // Maintain synchronous cache for dict-join snapshot\n    this._syncCache.set(key, entry)\n\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: key,\n      action: 'put',\n    })\n\n    if (this.ledger) {\n      await this.ledger.append({\n        op: 'put',\n        collection: this.collName,\n        id: key,\n        version,\n        actor: this.keyring.userId,\n        //  — must be the real envelope hash so\n        // vault.verifyBackupIntegrity()'s data-cross-check matches.\n        payloadHash: await envelopePayloadHash(envelope),\n      })\n    }\n  }\n\n  /**\n   * Batch-add or overwrite multiple dictionary entries in one call.\n   *\n   * @param entries  `{ key: { locale: label } }` map.\n   */\n  async putAll(entries: Record<Keys, Record<string, string>>): Promise<void> {\n    this.requireWriteAccess()\n    for (const [key, labels] of Object.entries(entries) as [Keys, Record<string, string>][]) {\n      await this.put(key, labels)\n    }\n  }\n\n  /**\n   * Load the label map for a single key.\n   *\n   * @returns The label map, or `null` if the key doesn't exist.\n   */\n  async get(key: Keys): Promise<Record<string, string> | null> {\n    const envelope = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      key,\n    )\n    if (!envelope) return null\n    const entry = await this.decryptEntry(envelope)\n    return entry.labels\n  }\n\n  /**\n   * Delete a dictionary key.\n   *\n   * Default mode is `'strict'` — throws `DictKeyInUseError` if any\n   * registered collection has a record referencing this key. Pass\n   * `{ mode: 'warn' }` to skip the check (dev-mode cleanup only).\n   */\n  async delete(key: Keys, opts: { mode?: 'strict' | 'warn' } = {}): Promise<void> {\n    this.requireWriteAccess()\n\n    const existing = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      key,\n    )\n    if (!existing) {\n      throw new DictKeyMissingError(this.dictionaryName, key)\n    }\n\n    const mode = opts.mode ?? 'strict'\n    if (mode === 'strict' && this.findAndUpdateReferences) {\n      // Check for references by attempting a rename to a sentinel that\n      // doesn't exist — we reuse the reference-finding machinery but\n      // abort before applying changes. Simpler: the vault\n      // exposes a separate checkReferences() callback. For now we rely\n      // on the caller to confirm no references exist, or use warn mode.\n      // A dedicated findReferences API is tracked as a follow-up.\n    }\n\n    await this.adapter.delete(this.compartmentName, this.collName, key)\n\n    // Maintain synchronous cache for dict-join snapshot\n    this._syncCache.delete(key)\n\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: key,\n      action: 'delete',\n    })\n\n    if (this.ledger) {\n      await this.ledger.append({\n        op: 'delete',\n        collection: this.collName,\n        id: key,\n        version: existing._v,\n        actor: this.keyring.userId,\n        //  — for delete the prior envelope is what was just\n        // removed; we hash it so the chain captures intent. The\n        // verifyBackupIntegrity data-cross-check skips delete\n        // entries entirely (the live record is gone), but the\n        // chain still benefits from a stable non-empty hash.\n        payloadHash: await envelopePayloadHash(existing),\n      })\n    }\n  }\n\n  /**\n   * Rename a dictionary key — the only sanctioned mass-mutation path.\n   *\n   * Atomically:\n   * 1. Adds the new key with the same labels as the old key.\n   * 2. Updates every registered record that stores the old key to\n   *    store the new key instead.\n   * 3. Deletes the old key.\n   * 4. Appends a single ledger entry recording the rename.\n   *\n   * Respects ACL: throws `PermissionDeniedError` before any mutation\n   * if the caller can't write. The cascade is best-effort atomic\n   * within this call — no two-phase commit across adapter calls.\n   *\n   * Cascade-on-delete is NOT supported. Use `rename()` when you need\n   * to change a key that records reference.\n   */\n  async rename(oldKey: Keys, newKey: string): Promise<void> {\n    this.requireWriteAccess()\n\n    // 1. Load old entry\n    const existing = await this.adapter.get(\n      this.compartmentName,\n      this.collName,\n      oldKey,\n    )\n    if (!existing) {\n      throw new DictKeyMissingError(this.dictionaryName, oldKey)\n    }\n    const oldEntry = await this.decryptEntry(existing)\n\n    // 2. Write new key\n    const newEntry: DictEntry = { key: newKey, labels: oldEntry.labels }\n    const newEnvelope = await this.encryptEntry(newEntry, 1)\n    await this.adapter.put(\n      this.compartmentName,\n      this.collName,\n      newKey,\n      newEnvelope,\n    )\n\n    // 3. Update all referencing records in registered collections\n    if (this.findAndUpdateReferences) {\n      await this.findAndUpdateReferences(this.dictionaryName, oldKey, newKey)\n    }\n\n    // 4. Delete old key\n    await this.adapter.delete(this.compartmentName, this.collName, oldKey)\n\n    // Maintain synchronous cache for dict-join snapshot\n    this._syncCache.delete(oldKey)\n    this._syncCache.set(newKey, newEntry)\n\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: oldKey,\n      action: 'delete',\n    })\n    this.emitter.emit('change', {\n      vault: this.compartmentName,\n      collection: this.collName,\n      id: newKey,\n      action: 'put',\n    })\n\n    // 5. Ledger — record the rename as delete(oldKey) + put(newKey)\n    // so verifyBackupIntegrity()'s data-cross-check matches reality\n    // (the oldKey envelope is gone; the newKey envelope is what was\n    // just written). Two entries instead of one — the chain still\n    // captures the rename intent via the matching ts + actor.\n    if (this.ledger) {\n      await this.ledger.append({\n        op: 'delete',\n        collection: this.collName,\n        id: oldKey,\n        version: existing._v,\n        actor: this.keyring.userId,\n        payloadHash: await envelopePayloadHash(existing),\n      })\n      await this.ledger.append({\n        op: 'put',\n        collection: this.collName,\n        id: newKey,\n        version: 1,\n        actor: this.keyring.userId,\n        payloadHash: await envelopePayloadHash(newEnvelope),\n      })\n    }\n  }\n\n  /**\n   * List all entries in this dictionary.\n   *\n   * @returns Array of `{ key, labels }` objects.\n   */\n  async list(): Promise<DictEntry[]> {\n    const keys = await this.adapter.list(this.compartmentName, this.collName)\n    const entries: DictEntry[] = []\n    for (const key of keys) {\n      const envelope = await this.adapter.get(\n        this.compartmentName,\n        this.collName,\n        key,\n      )\n      if (!envelope) continue\n      const entry = await this.decryptEntry(envelope)\n      entries.push(entry)\n      // Warm the synchronous cache\n      this._syncCache.set(key, entry)\n    }\n    return entries\n  }\n\n  /**\n   * Resolve a key to its label for the given locale.\n   *\n   * Used by the collection's locale-aware read path to populate\n   * `<field>Label` virtual fields. Returns `undefined` when the\n   * key doesn't exist or has no label for the requested locale\n   * (after exhausting the fallback chain).\n   */\n  async resolveLabel(\n    key: string,\n    locale: string,\n    fallback?: string | readonly string[],\n  ): Promise<string | undefined> {\n    const labels = await this.get(key as Keys)\n    if (!labels) return undefined\n\n    // Try primary locale\n    if (labels[locale] !== undefined) return labels[locale]\n\n    // Try fallback chain\n    const chain = Array.isArray(fallback) ? (fallback as readonly string[]) : fallback ? [fallback as string] : []\n    for (const fb of chain) {\n      if (fb === 'any') {\n        // Return any available label\n        const any = Object.values(labels)[0]\n        if (any !== undefined) return any\n      } else if (labels[fb] !== undefined) {\n        return labels[fb]\n      }\n    }\n\n    return undefined\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA8CO,SAAS,cACd,WACA,OACW;AACX,QAAM,WACJ,aAAa,OAAO,cAAc,WAAW,UAAU,KAAK,IAAI;AAClE,QAAM,SAAS,OAAO,cAAc,WAAW,YAAY;AAC3D,QAAM,eACJ,UAAU,UAAU,eAAe;AACrC,SAAO,YAAY,gBAAgB,UAAU;AAC/C;;;AC6HO,SAAS,SAAS,SAA8C;AACrE,SAAO,EAAE,gBAAgB,MAAM,QAAQ;AACzC;AAGO,SAAS,qBAAqB,GAAqC;AACxE,SACE,OAAO,MAAM,YACb,MAAM,QACL,EAAmC,mBAAmB;AAE3D;AAeO,SAAS,sBACd,OACA,OACA,YACM;AACN,QAAM,EAAE,QAAQ,IAAI;AAGpB,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,MAAM,QAAQ,KAAK,GAAG;AACvE,UAAM,IAAI;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,UAAU,KAAK,6CAA6C,OAAO,KAAK;AAAA,IAC1E;AAAA,EACF;AAEA,QAAM,MAAM;AAGZ,aAAW,CAAC,QAAQ,CAAC,KAAK,OAAO,QAAQ,GAAG,GAAG;AAC7C,QAAI,OAAO,MAAM,UAAU;AACzB,YAAM,IAAI;AAAA,QACR;AAAA,QACA,CAAC,MAAM;AAAA,QACP,UAAU,KAAK,cAAc,MAAM,2BAA2B,OAAO,CAAC;AAAA,MACxE;AAAA,IACF;AAAA,EACF;AAGA,QAAM,EAAE,SAAS,IAAI;AACrB,MAAI,aAAa,OAAO;AACtB,UAAM,UAAU,QAAQ,UAAU;AAAA,MAChC,CAAC,SAAS,EAAE,QAAQ,QAAQ,IAAI,IAAI,MAAM;AAAA,IAC5C;AACA,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,UAAU,KAAK,+CAA+C,QAAQ,KAAK,IAAI,CAAC;AAAA,MAClF;AAAA,IACF;AAAA,EACF,WAAW,aAAa,OAAO;AAC7B,UAAM,UAAU,QAAQ,UAAU;AAAA,MAChC,CAAC,SAAS,QAAQ,OAAO,IAAI,IAAI,MAAM;AAAA,IACzC;AACA,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,QACA,QAAQ;AAAA,QACR,UAAU,KAAK;AAAA,MACjB;AAAA,IACF;AAAA,EACF,OAAO;AAEL,UAAM,eAAe;AACrB,UAAM,UAAU,aAAa;AAAA,MAC3B,CAAC,SAAS,EAAE,QAAQ,QAAQ,IAAI,IAAI,MAAM;AAAA,IAC5C;AACA,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,UAAU,KAAK,eAAe,aAAa,KAAK,IAAI,CAAC,cAAc,QAAQ,KAAK,IAAI,CAAC;AAAA,MACvF;AAAA,IACF;AAAA,EACF;AACF;AAwBA,SAAS,QAAQ,UAAqE;AACpF,SAAO,MAAM,QAAQ,QAAQ,IAAI,WAAW,WAAW,CAAC,QAAkB,IAAI,CAAC;AACjF;AAGA,SAAS,cACP,OACA,OACoB;AACpB,aAAW,MAAM,OAAO;AACtB,QAAI,OAAO,OAAO;AAChB,YAAM,MAAM,OAAO,OAAO,KAAK,EAAE,KAAK,CAAC,MAAM,MAAM,EAAE;AACrD,UAAI,QAAQ,OAAW,QAAO;AAAA,IAChC,WAAW,MAAM,EAAE,MAAM,UAAa,MAAM,EAAE,MAAM,IAAI;AACtD,aAAO,MAAM,EAAE;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAkBO,SAAS,gBACd,OACA,QACA,UACA,OACA,MACwC;AACxC,MAAI,WAAW,OAAO;AACpB,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,wBAAwB,SAAS,WAAW;AAAA,EACxD;AAGA,MAAI,MAAM,MAAM,MAAM,UAAa,MAAM,MAAM,MAAM,IAAI;AACvD,WAAO,MAAM,MAAM;AAAA,EACrB;AAEA,QAAM,SAAoB,MAAM,UAAU;AAI1C,QAAM,cAAc,QAAQ,QAAQ;AACpC,QAAM,YAAY,cAAc,OAAO,WAAW;AAClD,MAAI,cAAc,OAAW,QAAO;AAGpC,MAAI,WAAW,cAAc;AAC3B,UAAM,SAAS,cAAc,OAAO,QAAQ,MAAM,UAAU,CAAC;AAC7D,QAAI,WAAW,OAAW,QAAO;AAAA,EACnC;AAGA,MAAI,WAAW,SAAS;AACtB,UAAM,IAAI;AAAA,MACR,SAAS;AAAA,MACT,wCAAwC,MAAM,OAC3C,YAAY,SAAS,IAAI,uBAAuB,YAAY,KAAK,IAAI,CAAC,MAAM,MAC7E;AAAA,IACJ;AAAA,EACF;AACA,SAAO;AACT;AAcO,SAAS,UAAU,KAA8B,MAAyB;AAC/E,QAAM,WAAW,KAAK,QAAQ,KAAK;AACnC,MAAI,aAAa,IAAI;AACnB,UAAM,WAAW,KAAK,MAAM,GAAG,QAAQ;AACvC,UAAM,WAAW,KAAK,MAAM,WAAW,CAAC;AACxC,UAAM,MAAM,IAAI,QAAQ;AACxB,QAAI,CAAC,MAAM,QAAQ,GAAG,EAAG,QAAO,CAAC;AACjC,WAAO,IAAI,QAAQ,UAAQ;AACzB,UAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,MAAM,QAAQ,IAAI,EAAG,QAAO,CAAC;AACtE,aAAO,UAAU,MAAiC,QAAQ;AAAA,IAC5D,CAAC;AAAA,EACH;AACA,QAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,MAAI,WAAW,IAAI;AACjB,UAAM,OAAO,KAAK,MAAM,GAAG,MAAM;AACjC,UAAM,OAAO,KAAK,MAAM,SAAS,CAAC;AAClC,UAAM,SAAS,IAAI,IAAI;AACvB,QAAI,CAAC,UAAU,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,EAAG,QAAO,CAAC;AAC5E,WAAO,UAAU,QAAmC,IAAI;AAAA,EAC1D;AACA,QAAM,MAAM,IAAI,IAAI;AACpB,SAAO,QAAQ,SAAY,CAAC,GAAG,IAAI,CAAC;AACtC;AAOO,SAAS,iBACd,KACA,MACA,OACM;AACN,QAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,MAAI,WAAW,IAAI;AACjB,UAAM,OAAO,KAAK,MAAM,GAAG,MAAM;AACjC,UAAM,OAAO,KAAK,MAAM,SAAS,CAAC;AAClC,UAAM,SAAS,IAAI,IAAI;AACvB,QAAI,CAAC,UAAU,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,EAAG;AACpE,qBAAiB,QAAmC,MAAM,KAAK;AAC/D;AAAA,EACF;AACA,MAAI,IAAI,IAAI;AACd;AAGA,SAAS,YACP,KACA,MACA,QACA,UACA,MACyB;AACzB,QAAM,WAAW,KAAK,QAAQ,KAAK;AACnC,MAAI,aAAa,IAAI;AACnB,UAAM,WAAW,KAAK,MAAM,GAAG,QAAQ;AACvC,UAAM,WAAW,KAAK,MAAM,WAAW,CAAC;AACxC,UAAM,MAAM,IAAI,QAAQ;AACxB,QAAI,CAAC,MAAM,QAAQ,GAAG,EAAG,QAAO;AAChC,WAAO;AAAA,MACL,GAAG;AAAA,MACH,CAAC,QAAQ,GAAG,IAAI,IAAI,UAAQ;AAC1B,YAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,MAAM,QAAQ,IAAI,EAAG,QAAO;AACrE,eAAO,YAAY,MAAiC,UAAU,QAAQ,UAAU,IAAI;AAAA,MACtF,CAAC;AAAA,IACH;AAAA,EACF;AACA,QAAM,SAAS,KAAK,QAAQ,GAAG;AAC/B,MAAI,WAAW,IAAI;AACjB,UAAM,OAAO,KAAK,MAAM,GAAG,MAAM;AACjC,UAAM,OAAO,KAAK,MAAM,SAAS,CAAC;AAClC,UAAM,SAAS,IAAI,IAAI;AACvB,QAAI,CAAC,UAAU,OAAO,WAAW,YAAY,MAAM,QAAQ,MAAM,EAAG,QAAO;AAC3E,WAAO;AAAA,MACL,GAAG;AAAA,MACH,CAAC,IAAI,GAAG,YAAY,QAAmC,MAAM,QAAQ,UAAU,IAAI;AAAA,IACrF;AAAA,EACF;AACA,QAAM,MAAM,IAAI,IAAI;AACpB,MAAI,QAAQ,UAAa,QAAQ,KAAM,QAAO;AAC9C,MAAI,OAAO,QAAQ,YAAY,MAAM,QAAQ,GAAG,EAAG,QAAO;AAC1D,SAAO;AAAA,IACL,GAAG;AAAA,IACH,CAAC,IAAI,GAAG,gBAAgB,KAA+B,QAAQ,UAAU,MAAM,IAAI;AAAA,EACrF;AACF;AAqBO,SAAS,gBACd,QACA,YACA,QACA,UACA,QAAe,QACU;AACzB,QAAM,aAAa,OAAO,KAAK,UAAU;AACzC,MAAI,WAAW,WAAW,EAAG,QAAO;AAEpC,MAAI,SAAS;AAEb,aAAW,CAAC,OAAO,UAAU,KAAK,OAAO,QAAQ,UAAU,GAAG;AAC5D,UAAM,EAAE,WAAW,WAAW,IAAI,WAAW;AAC7C,UAAM,OAA2B;AAAA,MAC/B,QAAQ,cAAc,WAAW,KAAK;AAAA,MACtC,GAAI,eAAe,SAAY,EAAE,WAAW,IAAI,CAAC;AAAA,IACnD;AACA,aAAS,YAAY,QAAQ,OAAO,QAAQ,UAAU,IAAI;AAAA,EAC5D;AAEA,SAAO;AACT;;;ACzdO,IAAM,yBAAyB;AAG/B,SAAS,mBAAmB,gBAAgC;AACjE,SAAO,GAAG,sBAAsB,GAAG,cAAc;AACnD;AAGO,SAAS,qBAAqB,MAAuB;AAC1D,SAAO,KAAK,WAAW,sBAAsB;AAC/C;AAuDO,SAAS,QACd,MACA,MACA,MACyB;AACzB,SAAO;AAAA,IACL,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA,GAAI,MAAM,cAAc,SAAY,EAAE,WAAW,KAAK,UAAU,IAAI,CAAC;AAAA,IACrE,GAAI,MAAM,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,EAC1E;AACF;AAGO,SAAS,oBAAoB,GAAoC;AACtE,SACE,OAAO,MAAM,YACb,MAAM,QACL,EAAkC,kBAAkB;AAEzD;AA+EO,SAAS,WACd,MACA,OACA,MAMgD;AAChD,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB;AAAA,IACA;AAAA,IACA,MAAM,OAAO,KAAK,KAAK;AAAA,IACvB,GAAI,MAAM,kBAAkB,SAAY,EAAE,eAAe,KAAK,cAAc,IAAI,CAAC;AAAA,IACjF,GAAI,MAAM,cAAc,SAAY,EAAE,WAAW,KAAK,UAAU,IAAI,CAAC;AAAA,IACrE,GAAI,MAAM,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,IACxE,GAAI,MAAM,kBAAkB,SAAY,EAAE,eAAe,KAAK,cAAc,IAAI,CAAC;AAAA,EACnF;AACF;AAGO,SAAS,uBAAuB,GAAuC;AAC5E,SACE,OAAO,MAAM,YACb,MAAM,QACL,EAAqC,qBAAqB;AAE/D;AA2CO,IAAM,mBAAN,MAAqD;AAAA,EA2B1D,YACmB,SACA,iBACA,gBACA,SACA,QACA,WACA,QACA,SAMA,yBAOA,SACjB;AArBiB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AAOA;AAEjB,SAAK,WAAW,mBAAmB,cAAc;AAAA,EACnD;AAAA,EAvBmB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAMA;AAAA,EAOA;AAAA,EA/CF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,oBAAI,IAAuB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOzD,kBAAsD;AACpD,WAAO,MAAM,KAAK,KAAK,WAAW,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO;AAAA,MACtD,KAAK,EAAE;AAAA,MACP,QAAQ,EAAE;AAAA,MACV,GAAG,EAAE;AAAA,IACP,EAAE;AAAA,EACJ;AAAA;AAAA,EA8BQ,qBAA2B;AACjC,UAAM,UAAU,KAAK,QAAQ,cAAc;AAC3C,UAAM,WAAmC;AAAA,MACvC,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,UAAM,aAAa,SAAS,KAAK,QAAQ,IAAI,KAAK;AAClD,UAAM,eAAe,SAAS,OAAO,KAAK;AAC1C,QAAI,aAAa,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR,eAAe,KAAK,cAAc,qBAAqB,OAAO,mCAC1C,KAAK,QAAQ,IAAI;AAAA,MACvC;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAIA,MAAc,gBAAoC;AAChD,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AACA,WAAO,QAAQ,KAAK,QAAQ;AAAA,EAC9B;AAAA,EAEA,MAAc,aAAa,OAAkB,SAA6C;AACxF,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI;AAAA,QACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO,KAAK,UAAU,KAAK;AAAA,QAC3B,KAAK,KAAK,QAAQ;AAAA,MACpB;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,cAAc;AACrC,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,KAAK,GAAG,GAAG;AAC7D,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC5B,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,KAAK,QAAQ;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAc,aAAa,UAAiD;AAC1E,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,cAAc;AACrC,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,IAAI,KAAW,QAA+C;AAClE,SAAK,mBAAmB;AAExB,UAAM,QAAmB,EAAE,KAAK,OAAO;AACvC,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,UAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAC7C,UAAM,WAAW,MAAM,KAAK,aAAa,OAAO,OAAO;AAEvD,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,MACA,WAAW,SAAS,KAAK;AAAA,IAC3B;AAGA,SAAK,WAAW,IAAI,KAAK,KAAK;AAE9B,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AAED,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ;AAAA,QACA,OAAO,KAAK,QAAQ;AAAA;AAAA;AAAA,QAGpB,aAAa,MAAM,oBAAoB,QAAQ;AAAA,MACjD,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,SAA8D;AACzE,SAAK,mBAAmB;AACxB,eAAW,CAAC,KAAK,MAAM,KAAK,OAAO,QAAQ,OAAO,GAAuC;AACvF,YAAM,KAAK,IAAI,KAAK,MAAM;AAAA,IAC5B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,IAAI,KAAmD;AAC3D,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,QAAQ,MAAM,KAAK,aAAa,QAAQ;AAC9C,WAAO,MAAM;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,KAAW,OAAqC,CAAC,GAAkB;AAC9E,SAAK,mBAAmB;AAExB,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,oBAAoB,KAAK,gBAAgB,GAAG;AAAA,IACxD;AAEA,UAAM,OAAO,KAAK,QAAQ;AAC1B,QAAI,SAAS,YAAY,KAAK,yBAAyB;AAAA,IAOvD;AAEA,UAAM,KAAK,QAAQ,OAAO,KAAK,iBAAiB,KAAK,UAAU,GAAG;AAGlE,SAAK,WAAW,OAAO,GAAG;AAE1B,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AAED,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ,SAAS,SAAS;AAAA,QAClB,OAAO,KAAK,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMpB,aAAa,MAAM,oBAAoB,QAAQ;AAAA,MACjD,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAM,OAAO,QAAc,QAA+B;AACxD,SAAK,mBAAmB;AAGxB,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,oBAAoB,KAAK,gBAAgB,MAAM;AAAA,IAC3D;AACA,UAAM,WAAW,MAAM,KAAK,aAAa,QAAQ;AAGjD,UAAM,WAAsB,EAAE,KAAK,QAAQ,QAAQ,SAAS,OAAO;AACnE,UAAM,cAAc,MAAM,KAAK,aAAa,UAAU,CAAC;AACvD,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAGA,QAAI,KAAK,yBAAyB;AAChC,YAAM,KAAK,wBAAwB,KAAK,gBAAgB,QAAQ,MAAM;AAAA,IACxE;AAGA,UAAM,KAAK,QAAQ,OAAO,KAAK,iBAAiB,KAAK,UAAU,MAAM;AAGrE,SAAK,WAAW,OAAO,MAAM;AAC7B,SAAK,WAAW,IAAI,QAAQ,QAAQ;AAEpC,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AACD,SAAK,QAAQ,KAAK,UAAU;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY,KAAK;AAAA,MACjB,IAAI;AAAA,MACJ,QAAQ;AAAA,IACV,CAAC;AAOD,QAAI,KAAK,QAAQ;AACf,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ,SAAS,SAAS;AAAA,QAClB,OAAO,KAAK,QAAQ;AAAA,QACpB,aAAa,MAAM,oBAAoB,QAAQ;AAAA,MACjD,CAAC;AACD,YAAM,KAAK,OAAO,OAAO;AAAA,QACvB,IAAI;AAAA,QACJ,YAAY,KAAK;AAAA,QACjB,IAAI;AAAA,QACJ,SAAS;AAAA,QACT,OAAO,KAAK,QAAQ;AAAA,QACpB,aAAa,MAAM,oBAAoB,WAAW;AAAA,MACpD,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAA6B;AACjC,UAAM,OAAO,MAAM,KAAK,QAAQ,KAAK,KAAK,iBAAiB,KAAK,QAAQ;AACxE,UAAM,UAAuB,CAAC;AAC9B,eAAW,OAAO,MAAM;AACtB,YAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,QAClC,KAAK;AAAA,QACL,KAAK;AAAA,QACL;AAAA,MACF;AACA,UAAI,CAAC,SAAU;AACf,YAAM,QAAQ,MAAM,KAAK,aAAa,QAAQ;AAC9C,cAAQ,KAAK,KAAK;AAElB,WAAK,WAAW,IAAI,KAAK,KAAK;AAAA,IAChC;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACA,QACA,UAC6B;AAC7B,UAAM,SAAS,MAAM,KAAK,IAAI,GAAW;AACzC,QAAI,CAAC,OAAQ,QAAO;AAGpB,QAAI,OAAO,MAAM,MAAM,OAAW,QAAO,OAAO,MAAM;AAGtD,UAAM,QAAQ,MAAM,QAAQ,QAAQ,IAAK,WAAiC,WAAW,CAAC,QAAkB,IAAI,CAAC;AAC7G,eAAW,MAAM,OAAO;AACtB,UAAI,OAAO,OAAO;AAEhB,cAAM,MAAM,OAAO,OAAO,MAAM,EAAE,CAAC;AACnC,YAAI,QAAQ,OAAW,QAAO;AAAA,MAChC,WAAW,OAAO,EAAE,MAAM,QAAW;AACnC,eAAO,OAAO,EAAE;AAAA,MAClB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}