@noy-db/hub 0.2.0-pre.17 → 0.2.0-pre.18

package/dist/chunk-YWYW2YNO.js

@@ -0,0 +1,129 @@
+import {
+  ValidationError
+} from "./chunk-HMFC6M2G.js";
+
+// src/derivations/with-derivation.ts
+function withDerivation(spec) {
+  if (!spec.source || spec.source.length === 0) {
+    throw new ValidationError("withDerivation: source collection name is required");
+  }
+  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {
+    throw new ValidationError("withDerivation: outputs map must declare at least one output");
+  }
+  if (spec.deterministic !== true) {
+    throw new ValidationError("withDerivation: v1 only supports deterministic derivations");
+  }
+  if (typeof spec.derive !== "function") {
+    throw new ValidationError("withDerivation: derive must be a function");
+  }
+  if (spec.sources !== void 0) {
+    for (const extra of spec.sources) {
+      if (typeof extra !== "string" || extra.length === 0) {
+        throw new ValidationError("withDerivation: each entry in sources[] must be a non-empty string");
+      }
+      if (extra === spec.source) {
+        throw new ValidationError(
+          `withDerivation: sources[] must not contain the primary source "${spec.source}"`
+        );
+      }
+    }
+  }
+  if (spec.triggerBy !== void 0) {
+    for (const t of spec.triggerBy) {
+      if (typeof t?.collection !== "string" || t.collection.length === 0) {
+        throw new ValidationError("withDerivation: each triggerBy entry needs a non-empty `collection`");
+      }
+      if (t.collection === spec.source) {
+        throw new ValidationError(
+          `withDerivation: triggerBy.collection must not equal the source "${spec.source}" (use sources[] for same-id triggers)`
+        );
+      }
+      if (typeof t.on !== "string" || t.on.length === 0) {
+        throw new ValidationError(
+          `withDerivation: triggerBy on "${t.collection}" needs a non-empty \`on\` (the FK field on the source)`
+        );
+      }
+      if (t.maxFanout !== void 0 && (!Number.isInteger(t.maxFanout) || t.maxFanout < 1)) {
+        throw new ValidationError(
+          `withDerivation: triggerBy maxFanout on "${t.collection}" must be a positive integer (got ${String(t.maxFanout)}).`
+        );
+      }
+    }
+  }
+  const lifecycleMode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
+  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {
+    if (outputSpec.shape === "record" && outputSpec.collection === spec.source) {
+      if (!outputSpec.denorm || outputSpec.denorm.length === 0) {
+        throw new ValidationError(
+          `withDerivation: self-write output "${outputKey}" (collection === source "${spec.source}") must declare \`denorm: [...]\` naming the fields it maintains.`
+        );
+      }
+    }
+    if (outputSpec.shape === "array") {
+      if (lifecycleMode !== "eager") {
+        throw new ValidationError(
+          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release Output "${outputKey}" declared lifecycle '${lifecycleMode}'. Switch to \`lifecycle: "eager"\` or use shape: "record".`
+        );
+      }
+      if (typeof outputSpec.key !== "function") {
+        throw new ValidationError(
+          `withDerivation: shape 'array' output "${outputKey}" requires \`key: (out) => string\`.`
+        );
+      }
+      if (outputSpec.maxFanout !== void 0) {
+        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {
+          throw new ValidationError(
+            `withDerivation: maxFanout for output "${outputKey}" must be a positive integer (got ${String(outputSpec.maxFanout)}).`
+          );
+        }
+      }
+    }
+  }
+  return {
+    __noydb_strategy: "derivation",
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    spec
+  };
+}
+
+// src/derivations/with-rollup.ts
+function withRollup(config) {
+  const { from, key, into, field, compute } = config;
+  if (!from || from.length === 0) {
+    throw new ValidationError("withRollup: `from` (child collection) is required");
+  }
+  if (!into || into.length === 0) {
+    throw new ValidationError("withRollup: `into` (parent collection) is required");
+  }
+  if (from === into) {
+    throw new ValidationError("withRollup: `from` and `into` must be different collections");
+  }
+  if (!key || key.length === 0) {
+    throw new ValidationError("withRollup: `key` (FK field on the child) is required");
+  }
+  if (!field || field.length === 0) {
+    throw new ValidationError("withRollup: `field` (target field on the parent) is required");
+  }
+  if (typeof compute !== "function") {
+    throw new ValidationError("withRollup: `compute` must be a function");
+  }
+  const spec = {
+    source: into,
+    // the parent record is what carries the rolled-up field
+    deterministic: true,
+    rollup: { from, key, field, compute },
+    // Synthetic self-write output for registry / cycle bookkeeping. Dispatch
+    // patches `field` directly (value-equality guarded); the executor is not run.
+    outputs: { value: { shape: "record", collection: into, denorm: [field] } },
+    derive: () => ({ value: {} }),
+    // never invoked for a rollup strategy
+    lifecycle: "eager"
+  };
+  return { __noydb_strategy: "derivation", spec };
+}
+
+export {
+  withDerivation,
+  withRollup
+};
+//# sourceMappingURL=chunk-YWYW2YNO.js.map

package/dist/chunk-YWYW2YNO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/derivations/with-derivation.ts","../src/derivations/with-rollup.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { DerivationStrategy, DerivationStrategyHandle } from './types.js'\n\n/**\n * Register a deterministic derivation: one source collection → one or\n * more typed outputs, computed by the user's `derive` function on\n * plaintext after DEK unwrap. Outputs are encrypted with the same DEK\n * as the source and written via the standard `Collection.put` path.\n *\n * See docs/superpowers/specs/2026-05-01-dim14-derivation-v1-design.md.\n */\nexport function withDerivation<\n  TSource extends Record<string, unknown>,\n  TOutputs extends Record<string, Record<string, unknown>>,\n>(spec: DerivationStrategy<TSource, TOutputs>): DerivationStrategyHandle {\n  if (!spec.source || spec.source.length === 0) {\n    throw new ValidationError('withDerivation: source collection name is required')\n  }\n  if (!spec.outputs || Object.keys(spec.outputs).length === 0) {\n    throw new ValidationError('withDerivation: outputs map must declare at least one output')\n  }\n  if (spec.deterministic !== true) {\n    throw new ValidationError('withDerivation: v1 only supports deterministic derivations')\n  }\n  if (typeof spec.derive !== 'function') {\n    throw new ValidationError('withDerivation: derive must be a function')\n  }\n\n  // Validate declared sibling sources (#344). Each must be a non-empty\n  // string and must differ from the primary source — a self-reference\n  // would double-register the strategy under the same `_bySource` key.\n  if (spec.sources !== undefined) {\n    for (const extra of spec.sources) {\n      if (typeof extra !== 'string' || extra.length === 0) {\n        throw new ValidationError('withDerivation: each entry in sources[] must be a non-empty string')\n      }\n      if (extra === spec.source) {\n        throw new ValidationError(\n          `withDerivation: sources[] must not contain the primary source \"${spec.source}\"`,\n        )\n      }\n    }\n  }\n\n  // Validate FK triggers (#376). Each `collection` must be a non-empty\n  // string differing from the primary source, and `on` a non-empty field.\n  if (spec.triggerBy !== undefined) {\n    for (const t of spec.triggerBy) {\n      if (typeof t?.collection !== 'string' || t.collection.length === 0) {\n        throw new ValidationError('withDerivation: each triggerBy entry needs a non-empty `collection`')\n      }\n      if (t.collection === spec.source) {\n        throw new ValidationError(\n          `withDerivation: triggerBy.collection must not equal the source \"${spec.source}\" (use sources[] for same-id triggers)`,\n        )\n      }\n      if (typeof t.on !== 'string' || t.on.length === 0) {\n        throw new ValidationError(\n          `withDerivation: triggerBy on \"${t.collection}\" needs a non-empty \\`on\\` (the FK field on the source)`,\n        )\n      }\n      if (t.maxFanout !== undefined && (!Number.isInteger(t.maxFanout) || t.maxFanout < 1)) {\n        throw new ValidationError(\n          `withDerivation: triggerBy maxFanout on \"${t.collection}\" must be a positive integer (got ${String(t.maxFanout)}).`,\n        )\n      }\n    }\n  }\n\n  // Validate array-shape outputs.\n  const lifecycleMode = typeof spec.lifecycle === 'string' ? spec.lifecycle : spec.lifecycle.mode\n  for (const [outputKey, outputSpec] of Object.entries(spec.outputs)) {\n    // Self-write output (collection === source): reverse-denorm must declare\n    // `denorm` (the fields it owns) — field-level provenance, #376.\n    if (outputSpec.shape === 'record' && outputSpec.collection === spec.source) {\n      if (!outputSpec.denorm || outputSpec.denorm.length === 0) {\n        throw new ValidationError(\n          `withDerivation: self-write output \"${outputKey}\" (collection === source \"${spec.source}\") `\n          + 'must declare `denorm: [...]` naming the fields it maintains.',\n        )\n      }\n    }\n    if (outputSpec.shape === 'array') {\n      if (lifecycleMode !== 'eager') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release `\n          + `Output \"${outputKey}\" declared lifecycle '${lifecycleMode}'. `\n          + 'Switch to `lifecycle: \"eager\"` or use shape: \"record\".',\n        )\n      }\n      if (typeof outputSpec.key !== 'function') {\n        throw new ValidationError(\n          `withDerivation: shape 'array' output \"${outputKey}\" requires \\`key: (out) => string\\`.`,\n        )\n      }\n      if (outputSpec.maxFanout !== undefined) {\n        if (!Number.isInteger(outputSpec.maxFanout) || outputSpec.maxFanout < 1) {\n          throw new ValidationError(\n            `withDerivation: maxFanout for output \"${outputKey}\" must be a positive integer `\n            + `(got ${String(outputSpec.maxFanout)}).`,\n          )\n        }\n      }\n    }\n  }\n\n  return {\n    __noydb_strategy: 'derivation',\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    spec: spec as DerivationStrategy<any, any>,\n  }\n}\n","import { ValidationError } from '../errors.js'\nimport type { DerivationStrategy, DerivationStrategyHandle } from './types.js'\n\n/**\n * `withRollup` — aggregate many child records onto a single field of their\n * parent (#376 slice 2). The reverse of a join: instead of reading children\n * on demand, the parent carries a maintained summary.\n *\n * ```ts\n * withRollup<Sale, Buyer>({\n *   from: 'sales',          // child collection (the trigger)\n *   key: 'buyerId',         // FK on the child → parent id\n *   into: 'buyers',         // parent collection\n *   field: 'revenueByYear', // field on the parent to maintain\n *   compute: (sales) => groupSumByYear(sales, 'total'),\n * })\n * ```\n *\n * On every write OR delete of a `from` record, the parent at id `child[key]`\n * is recomputed: `compute(allChildren where child[key] === parentId)` is\n * patched onto `parent[field]`. A parent write also recomputes its own\n * aggregate (so a parent created after its children still fills in). Only the\n * `field` is touched — the rest of the parent record is never clobbered — and\n * a value-equality guard suppresses no-op writes. The aggregate is gap-free\n * with respect to child inserts, updates, and deletes.\n *\n * Desugars to a `withDerivation` strategy carrying a `rollup` marker; dispatch\n * handles it without invoking the executor. Eager-only in this slice.\n */\nexport function withRollup<\n  TChild extends Record<string, unknown> = Record<string, unknown>,\n  TParent extends Record<string, unknown> = Record<string, unknown>,\n>(config: {\n  from: string\n  key: keyof TChild & string\n  into: string\n  field: keyof TParent & string\n  compute: (children: TChild[]) => unknown\n}): DerivationStrategyHandle {\n  const { from, key, into, field, compute } = config\n  if (!from || from.length === 0) {\n    throw new ValidationError('withRollup: `from` (child collection) is required')\n  }\n  if (!into || into.length === 0) {\n    throw new ValidationError('withRollup: `into` (parent collection) is required')\n  }\n  if (from === into) {\n    throw new ValidationError('withRollup: `from` and `into` must be different collections')\n  }\n  if (!key || key.length === 0) {\n    throw new ValidationError('withRollup: `key` (FK field on the child) is required')\n  }\n  if (!field || field.length === 0) {\n    throw new ValidationError('withRollup: `field` (target field on the parent) is required')\n  }\n  if (typeof compute !== 'function') {\n    throw new ValidationError('withRollup: `compute` must be a function')\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  const spec: DerivationStrategy<any, any> = {\n    source: into, // the parent record is what carries the rolled-up field\n    deterministic: true,\n    rollup: { from, key, field, compute: compute as (children: unknown[]) => unknown },\n    // Synthetic self-write output for registry / cycle bookkeeping. Dispatch\n    // patches `field` directly (value-equality guarded); the executor is not run.\n    outputs: { value: { shape: 'record', collection: into, denorm: [field] } },\n    derive: () => ({ value: {} }), // never invoked for a rollup strategy\n    lifecycle: 'eager',\n  }\n\n  return { __noydb_strategy: 'derivation', spec }\n}\n"],"mappings":";;;;;AAWO,SAAS,eAGd,MAAuE;AACvE,MAAI,CAAC,KAAK,UAAU,KAAK,OAAO,WAAW,GAAG;AAC5C,UAAM,IAAI,gBAAgB,oDAAoD;AAAA,EAChF;AACA,MAAI,CAAC,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,WAAW,GAAG;AAC3D,UAAM,IAAI,gBAAgB,8DAA8D;AAAA,EAC1F;AACA,MAAI,KAAK,kBAAkB,MAAM;AAC/B,UAAM,IAAI,gBAAgB,4DAA4D;AAAA,EACxF;AACA,MAAI,OAAO,KAAK,WAAW,YAAY;AACrC,UAAM,IAAI,gBAAgB,2CAA2C;AAAA,EACvE;AAKA,MAAI,KAAK,YAAY,QAAW;AAC9B,eAAW,SAAS,KAAK,SAAS;AAChC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG;AACnD,cAAM,IAAI,gBAAgB,oEAAoE;AAAA,MAChG;AACA,UAAI,UAAU,KAAK,QAAQ;AACzB,cAAM,IAAI;AAAA,UACR,kEAAkE,KAAK,MAAM;AAAA,QAC/E;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAIA,MAAI,KAAK,cAAc,QAAW;AAChC,eAAW,KAAK,KAAK,WAAW;AAC9B,UAAI,OAAO,GAAG,eAAe,YAAY,EAAE,WAAW,WAAW,GAAG;AAClE,cAAM,IAAI,gBAAgB,qEAAqE;AAAA,MACjG;AACA,UAAI,EAAE,eAAe,KAAK,QAAQ;AAChC,cAAM,IAAI;AAAA,UACR,mEAAmE,KAAK,MAAM;AAAA,QAChF;AAAA,MACF;AACA,UAAI,OAAO,EAAE,OAAO,YAAY,EAAE,GAAG,WAAW,GAAG;AACjD,cAAM,IAAI;AAAA,UACR,iCAAiC,EAAE,UAAU;AAAA,QAC/C;AAAA,MACF;AACA,UAAI,EAAE,cAAc,WAAc,CAAC,OAAO,UAAU,EAAE,SAAS,KAAK,EAAE,YAAY,IAAI;AACpF,cAAM,IAAI;AAAA,UACR,2CAA2C,EAAE,UAAU,qCAAqC,OAAO,EAAE,SAAS,CAAC;AAAA,QACjH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,OAAO,KAAK,cAAc,WAAW,KAAK,YAAY,KAAK,UAAU;AAC3F,aAAW,CAAC,WAAW,UAAU,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAGlE,QAAI,WAAW,UAAU,YAAY,WAAW,eAAe,KAAK,QAAQ;AAC1E,UAAI,CAAC,WAAW,UAAU,WAAW,OAAO,WAAW,GAAG;AACxD,cAAM,IAAI;AAAA,UACR,sCAAsC,SAAS,6BAA6B,KAAK,MAAM;AAAA,QAEzF;AAAA,MACF;AAAA,IACF;AACA,QAAI,WAAW,UAAU,SAAS;AAChC,UAAI,kBAAkB,SAAS;AAC7B,cAAM,IAAI;AAAA,UACR,yFACa,SAAS,yBAAyB,aAAa;AAAA,QAE9D;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,YAAY;AACxC,cAAM,IAAI;AAAA,UACR,yCAAyC,SAAS;AAAA,QACpD;AAAA,MACF;AACA,UAAI,WAAW,cAAc,QAAW;AACtC,YAAI,CAAC,OAAO,UAAU,WAAW,SAAS,KAAK,WAAW,YAAY,GAAG;AACvE,gBAAM,IAAI;AAAA,YACR,yCAAyC,SAAS,qCACxC,OAAO,WAAW,SAAS,CAAC;AAAA,UACxC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,kBAAkB;AAAA;AAAA,IAElB;AAAA,EACF;AACF;;;AClFO,SAAS,WAGd,QAM2B;AAC3B,QAAM,EAAE,MAAM,KAAK,MAAM,OAAO,QAAQ,IAAI;AAC5C,MAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B,UAAM,IAAI,gBAAgB,mDAAmD;AAAA,EAC/E;AACA,MAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B,UAAM,IAAI,gBAAgB,oDAAoD;AAAA,EAChF;AACA,MAAI,SAAS,MAAM;AACjB,UAAM,IAAI,gBAAgB,6DAA6D;AAAA,EACzF;AACA,MAAI,CAAC,OAAO,IAAI,WAAW,GAAG;AAC5B,UAAM,IAAI,gBAAgB,uDAAuD;AAAA,EACnF;AACA,MAAI,CAAC,SAAS,MAAM,WAAW,GAAG;AAChC,UAAM,IAAI,gBAAgB,8DAA8D;AAAA,EAC1F;AACA,MAAI,OAAO,YAAY,YAAY;AACjC,UAAM,IAAI,gBAAgB,0CAA0C;AAAA,EACtE;AAGA,QAAM,OAAqC;AAAA,IACzC,QAAQ;AAAA;AAAA,IACR,eAAe;AAAA,IACf,QAAQ,EAAE,MAAM,KAAK,OAAO,QAAqD;AAAA;AAAA;AAAA,IAGjF,SAAS,EAAE,OAAO,EAAE,OAAO,UAAU,YAAY,MAAM,QAAQ,CAAC,KAAK,EAAE,EAAE;AAAA,IACzE,QAAQ,OAAO,EAAE,OAAO,CAAC,EAAE;AAAA;AAAA,IAC3B,WAAW;AAAA,EACb;AAEA,SAAO,EAAE,kBAAkB,cAAc,KAAK;AAChD;","names":[]}

package/dist/{chunk-H2MRGONI.js → chunk-Z3BE5BRK.js}

@@ -1,6 +1,6 @@
 import {
   readPath
-} from "./chunk-J7RWBXFY.js";
+} from "./chunk-RZWQNMMP.js";
 
 // src/aggregate/reducers.ts
 function count(opts) {
@@ -120,4 +120,4 @@ export {
   min,
   max
 };
-//# sourceMappingURL=chunk-H2MRGONI.js.map
+//# sourceMappingURL=chunk-Z3BE5BRK.js.map

package/dist/{chunk-ROVO6NPJ.js → chunk-Z3I2WNGF.js}

@@ -1,7 +1,8 @@
 import {
+  IllegalTransitionError,
   RecordLockedError,
   ValidationError
-} from "./chunk-ZEGSDPB7.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/guards/with-guard.ts
 function withGuard(strategy) {
@@ -61,8 +62,62 @@ function immutableGuard(config) {
   return withGuard(spec);
 }
 
+// src/guards/transition-guard.ts
+function recordId2(record) {
+  const id = record?.id;
+  return typeof id === "string" ? id : "";
+}
+function stateOf(record, field) {
+  const v = record[field];
+  return typeof v === "string" ? v : String(v);
+}
+function transitionGuard(config) {
+  const { collection, field, transitions, initial, amendmentRoles, amendmentInvariant } = config;
+  const allowIdempotent = config.allowIdempotent ?? true;
+  if (!field) {
+    throw new ValidationError("transitionGuard: `field` is required");
+  }
+  if (transitions === void 0 || typeof transitions !== "object") {
+    throw new ValidationError("transitionGuard: `transitions` must be a state\u2192states map");
+  }
+  const spec = {
+    collection,
+    check: (incoming, ctx) => {
+      const rec = incoming;
+      const to = stateOf(rec, field);
+      if (ctx.existing === null) {
+        if (initial !== void 0 && !initial.includes(to)) {
+          throw new IllegalTransitionError(collection, recordId2(rec), "(none)", to);
+        }
+        return;
+      }
+      const from = stateOf(ctx.existing, field);
+      if (from === to) {
+        if (allowIdempotent) return;
+        throw new IllegalTransitionError(collection, recordId2(rec), from, to);
+      }
+      const allowed = transitions[from] ?? [];
+      if (!allowed.includes(to)) {
+        throw new IllegalTransitionError(collection, recordId2(rec), from, to);
+      }
+    },
+    // The authorized override: inside an amendment transaction the check
+    // is skipped and the change is ledgered. By default no extra invariant
+    // — the amendment itself is the sanctioned exception. Callers may
+    // supply `amendmentInvariant` to keep a constraint inviolable even
+    // under amendment; a throw reverts the amendment as `InvariantError`.
+    amendment: {
+      roles: amendmentRoles ?? ["admin", "owner"],
+      invariant: amendmentInvariant ?? (() => {
+      })
+    }
+  };
+  return withGuard(spec);
+}
+
 export {
   withGuard,
-  immutableGuard
+  immutableGuard,
+  transitionGuard
 };
-//# sourceMappingURL=chunk-ROVO6NPJ.js.map
+//# sourceMappingURL=chunk-Z3I2WNGF.js.map

package/dist/chunk-Z3I2WNGF.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/with-guard.ts","../src/guards/immutable-guard.ts","../src/guards/transition-guard.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { GuardStrategy, GuardStrategyHandle } from './types.js'\n\n/**\n * Register a guard for a collection. Guards run on every `put()` /\n * `delete()` for the named collection (after permissions, before\n * encryption) and may:\n *\n *   - `check` — block writes by throwing (typically `RecordLockedError`)\n *   - `frozenFields` — freeze specific fields once a condition is true\n *   - `amendment` — declare an authorized-override path with invariant\n *\n * Pass the returned handle to `createNoydb({ strategies: [...] })`.\n *\n * @see docs/superpowers/specs/2026-05-18-guards-design.md\n */\nexport function withGuard<T extends Record<string, unknown>>(\n  strategy: GuardStrategy<T>,\n): GuardStrategyHandle<T> {\n  if (!strategy.collection || strategy.collection.length === 0) {\n    throw new ValidationError('withGuard: collection name is required')\n  }\n  return {\n    __noydb_strategy: 'guard',\n    spec: strategy,\n  }\n}\n","/**\n * `immutableGuard` — declarative WORM / append-only sugar over the guard\n * subsystem.\n *\n * Issued fiscal documents (invoices, DDTs) must be immutable after issue.\n * That is expressible today with a hand-rolled `withGuard` (block on\n * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is\n * repetitive and easy to get subtly wrong. `immutableGuard` generates\n * exactly that guard from a declarative config, reusing the guard\n * machinery wholesale — `check`/`onDelete` rejection, the ledgered\n * `amendment` override, and composition with `periods`/`history`.\n *\n * ```ts\n * createNoydb({ guardStrategies: [\n *   immutableGuard({\n *     collection: 'invoices',\n *     after: (r) => r.status === 'issued',   // immutable once issued\n *   }),\n * ] })\n * ```\n *\n * A record is mutable until `after(record)` holds; from then on, updates\n * and deletes throw `RecordLockedError` unless performed inside an\n * `amendment` transaction by an authorized role (the override is\n * ledgered by the guard amendment mechanism). `appendOnly: true` is\n * shorthand for `after: () => true` — immutable from creation.\n */\n\nimport { withGuard } from './with-guard.js'\nimport type { GuardStrategy, GuardStrategyHandle, GuardContext, GuardChange } from './types.js'\nimport { RecordLockedError, ValidationError } from '../errors.js'\n\nexport interface ImmutableGuardConfig<T extends Record<string, unknown>> {\n  /** The collection to make WORM. */\n  collection: string\n  /**\n   * A record becomes immutable once this predicate holds. Evaluated on\n   * the *existing* (already-persisted) record, so the write that first\n   * makes it true is still allowed; subsequent writes are blocked.\n   * Mutually exclusive with `appendOnly`.\n   */\n  after?: (record: T) => boolean\n  /** Shorthand for `after: () => true` — immutable from creation. */\n  appendOnly?: boolean\n  /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */\n  amendmentRoles?: ReadonlyArray<'admin' | 'owner'>\n  /**\n   * Optional set-level invariant run over the amendment change-set after\n   * the writes execute. Signature matches `GuardStrategy.amendment.invariant`\n   * exactly: it receives every {before, after} pair touching this\n   * collection in the amendment plus the guard context; throwing reverts\n   * the whole amendment and surfaces as `InvariantError`.\n   *\n   * Use this to keep a constraint inviolable EVEN under amendment — e.g.\n   * forbid deleting an issued document by re-throwing on any\n   * `before !== null && after === null` change, or assert a cross-record\n   * sum is preserved. When omitted the amendment is unconditionally\n   * allowed (the amendment itself is the sanctioned, ledgered override) —\n   * this is the backward-compatible default.\n   */\n  amendmentInvariant?: (\n    changes: ReadonlyArray<GuardChange<T>>,\n    ctx: GuardContext<T>,\n  ) => Promise<void> | void\n}\n\nfunction recordId(record: Record<string, unknown> | null): string {\n  const id = record?.id\n  return typeof id === 'string' ? id : ''\n}\n\n/**\n * Build an immutability guard. Pass the returned handle to\n * `createNoydb({ guardStrategies: [...] })`.\n */\nexport function immutableGuard<T extends Record<string, unknown>>(\n  config: ImmutableGuardConfig<T>,\n): GuardStrategyHandle<T> {\n  const { collection, after, appendOnly, amendmentRoles, amendmentInvariant } = config\n  if (appendOnly && after !== undefined) {\n    throw new ValidationError('immutableGuard: `after` and `appendOnly` are mutually exclusive')\n  }\n  if (!appendOnly && after === undefined) {\n    throw new ValidationError('immutableGuard: provide `after` or `appendOnly: true`')\n  }\n\n  const isImmutable: (record: T) => boolean = appendOnly ? () => true : after!\n  const reason = appendOnly ? 'append-only collection' : 'record is immutable after issue'\n\n  const spec: GuardStrategy<T> = {\n    collection,\n    // Block updates to an already-immutable record. Inserts (existing\n    // null) and the transition write that first makes the record\n    // immutable are allowed — `after` reads the prior state.\n    check: (incoming: T, ctx: GuardContext<T>) => {\n      if (ctx.existing !== null && isImmutable(ctx.existing)) {\n        throw new RecordLockedError(collection, recordId(incoming as Record<string, unknown>), reason)\n      }\n    },\n    // Block deletes of an immutable record.\n    onDelete: (existing: T) => {\n      if (isImmutable(existing)) {\n        throw new RecordLockedError(collection, recordId(existing as Record<string, unknown>), reason)\n      }\n    },\n    // The authorized override: inside an amendment transaction the\n    // check/onDelete are skipped and the change is ledgered. By default\n    // there is no extra invariant — the amendment itself is the\n    // sanctioned exception. Callers may supply `amendmentInvariant` to\n    // keep a constraint inviolable even under amendment (e.g. forbid\n    // deletes, or preserve a cross-record sum); a throw reverts the\n    // amendment and surfaces as `InvariantError`.\n    amendment: {\n      roles: amendmentRoles ?? ['admin', 'owner'],\n      invariant: amendmentInvariant ?? (() => {\n        /* allow — the amendment is the override, and is ledgered */\n      }),\n    },\n  }\n\n  return withGuard<T>(spec)\n}\n","/**\n * `transitionGuard` — declarative state-machine sugar over the guard\n * subsystem.\n *\n * Any record with a lifecycle field (invoice `status`, order state,\n * ticket workflow, subscription phase) needs transition validation: a\n * write may only move the field along a declared arc. That is expressible\n * with a hand-rolled `withGuard({ check })`, but every consumer\n * re-implements the same graph lookup + error. `transitionGuard`\n * generates exactly that guard from a state graph, reusing the guard\n * machinery wholesale — `check` rejection, the ledgered `amendment`\n * override, and composition with `periods`/`history`.\n *\n * It generalizes {@link immutableGuard}: WORM is the special case \"every\n * state has no outgoing arcs\", i.e. `transitions` mapping each state to `[]`.\n *\n * ```ts\n * createNoydb({ guardStrategies: [\n *   transitionGuard<Sale>({\n *     collection: 'sales', field: 'status',\n *     transitions: {                          // absence of an arc = forbidden\n *       draft: ['to_verify', 'cancelled'],\n *       to_verify: ['proforma', 'draft', 'cancelled'],\n *       proforma: ['invoiced', 'cancelled'],\n *       invoiced: ['paid'], paid: [], cancelled: [],\n *     },\n *     initial: ['draft', 'to_verify'],        // allowed status on insert\n *   }),\n * ] })\n * ```\n *\n * Semantics:\n * - **Insert** (`ctx.existing === null`): `incoming[field]` must be in\n *   `initial`. When `initial` is omitted, any value is allowed on insert.\n * - **Update**: the arc `(existing[field] → incoming[field])` must be\n *   listed in `transitions[from]`, else `IllegalTransitionError`. A\n *   same-value write (`from === to`) is allowed when `allowIdempotent`\n *   (default `true`) — so writes that touch other fields without moving\n *   state pass.\n * - **Override**: inside an `amendment` transaction by an authorized role\n *   the check is skipped and the change is ledgered (mirrors every guard).\n *\n * The status graph is caller-supplied data — no UI, no domain logic.\n */\n\nimport { withGuard } from './with-guard.js'\nimport type { GuardStrategy, GuardStrategyHandle, GuardContext, GuardChange } from './types.js'\nimport { IllegalTransitionError, ValidationError } from '../errors.js'\n\nexport interface TransitionGuardConfig<T extends Record<string, unknown>> {\n  /** The collection whose state field is governed. */\n  collection: string\n  /** The state field on the record (e.g. `'status'`). */\n  field: keyof T & string\n  /**\n   * The transition graph: each state maps to the states it may move to.\n   * A state absent from the map (or mapped to `[]`) is terminal — no\n   * outgoing arc, so any non-idempotent write from it is rejected.\n   */\n  transitions: Readonly<Record<string, readonly string[]>>\n  /**\n   * States allowed as the initial value on insert (`existing === null`).\n   * Omit to allow any value on insert.\n   */\n  initial?: readonly string[]\n  /**\n   * Allow a same-value write (`from === to`) on update. Default `true` —\n   * lets a put that changes other fields, but not the state, through.\n   */\n  allowIdempotent?: boolean\n  /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */\n  amendmentRoles?: ReadonlyArray<'admin' | 'owner'>\n  /**\n   * Optional set-level invariant run over the amendment change-set after\n   * the writes execute. Signature matches `GuardStrategy.amendment.invariant`\n   * exactly. When omitted the amendment is unconditionally allowed (the\n   * amendment itself is the sanctioned, ledgered override) — the\n   * backward-compatible default. Mirrors {@link immutableGuard}.\n   */\n  amendmentInvariant?: (\n    changes: ReadonlyArray<GuardChange<T>>,\n    ctx: GuardContext<T>,\n  ) => Promise<void> | void\n}\n\nfunction recordId(record: Record<string, unknown> | null): string {\n  const id = record?.id\n  return typeof id === 'string' ? id : ''\n}\n\nfunction stateOf(record: Record<string, unknown>, field: string): string {\n  const v = record[field]\n  return typeof v === 'string' ? v : String(v)\n}\n\n/**\n * Build a state-machine transition guard. Pass the returned handle to\n * `createNoydb({ guardStrategies: [...] })`.\n */\nexport function transitionGuard<T extends Record<string, unknown>>(\n  config: TransitionGuardConfig<T>,\n): GuardStrategyHandle<T> {\n  const { collection, field, transitions, initial, amendmentRoles, amendmentInvariant } = config\n  const allowIdempotent = config.allowIdempotent ?? true\n\n  if (!field) {\n    throw new ValidationError('transitionGuard: `field` is required')\n  }\n  if (transitions === undefined || typeof transitions !== 'object') {\n    throw new ValidationError('transitionGuard: `transitions` must be a state→states map')\n  }\n\n  const spec: GuardStrategy<T> = {\n    collection,\n    check: (incoming: T, ctx: GuardContext<T>) => {\n      const rec = incoming as Record<string, unknown>\n      const to = stateOf(rec, field)\n\n      // Insert — gate on the allowed initial set (any value if unset).\n      if (ctx.existing === null) {\n        if (initial !== undefined && !initial.includes(to)) {\n          throw new IllegalTransitionError(collection, recordId(rec), '(none)', to)\n        }\n        return\n      }\n\n      // Update — the arc (from → to) must be a declared edge.\n      const from = stateOf(ctx.existing as Record<string, unknown>, field)\n      if (from === to) {\n        if (allowIdempotent) return\n        throw new IllegalTransitionError(collection, recordId(rec), from, to)\n      }\n      const allowed = transitions[from] ?? []\n      if (!allowed.includes(to)) {\n        throw new IllegalTransitionError(collection, recordId(rec), from, to)\n      }\n    },\n    // The authorized override: inside an amendment transaction the check\n    // is skipped and the change is ledgered. By default no extra invariant\n    // — the amendment itself is the sanctioned exception. Callers may\n    // supply `amendmentInvariant` to keep a constraint inviolable even\n    // under amendment; a throw reverts the amendment as `InvariantError`.\n    amendment: {\n      roles: amendmentRoles ?? ['admin', 'owner'],\n      invariant: amendmentInvariant ?? (() => {\n        /* allow — the amendment is the override, and is ledgered */\n      }),\n    },\n  }\n\n  return withGuard<T>(spec)\n}\n"],"mappings":";;;;;;;AAgBO,SAAS,UACd,UACwB;AACxB,MAAI,CAAC,SAAS,cAAc,SAAS,WAAW,WAAW,GAAG;AAC5D,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB,MAAM;AAAA,EACR;AACF;;;ACwCA,SAAS,SAAS,QAAgD;AAChE,QAAM,KAAK,QAAQ;AACnB,SAAO,OAAO,OAAO,WAAW,KAAK;AACvC;AAMO,SAAS,eACd,QACwB;AACxB,QAAM,EAAE,YAAY,OAAO,YAAY,gBAAgB,mBAAmB,IAAI;AAC9E,MAAI,cAAc,UAAU,QAAW;AACrC,UAAM,IAAI,gBAAgB,iEAAiE;AAAA,EAC7F;AACA,MAAI,CAAC,cAAc,UAAU,QAAW;AACtC,UAAM,IAAI,gBAAgB,uDAAuD;AAAA,EACnF;AAEA,QAAM,cAAsC,aAAa,MAAM,OAAO;AACtE,QAAM,SAAS,aAAa,2BAA2B;AAEvD,QAAM,OAAyB;AAAA,IAC7B;AAAA;AAAA;AAAA;AAAA,IAIA,OAAO,CAAC,UAAa,QAAyB;AAC5C,UAAI,IAAI,aAAa,QAAQ,YAAY,IAAI,QAAQ,GAAG;AACtD,cAAM,IAAI,kBAAkB,YAAY,SAAS,QAAmC,GAAG,MAAM;AAAA,MAC/F;AAAA,IACF;AAAA;AAAA,IAEA,UAAU,CAAC,aAAgB;AACzB,UAAI,YAAY,QAAQ,GAAG;AACzB,cAAM,IAAI,kBAAkB,YAAY,SAAS,QAAmC,GAAG,MAAM;AAAA,MAC/F;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,WAAW;AAAA,MACT,OAAO,kBAAkB,CAAC,SAAS,OAAO;AAAA,MAC1C,WAAW,uBAAuB,MAAM;AAAA,MAExC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,UAAa,IAAI;AAC1B;;;ACpCA,SAASA,UAAS,QAAgD;AAChE,QAAM,KAAK,QAAQ;AACnB,SAAO,OAAO,OAAO,WAAW,KAAK;AACvC;AAEA,SAAS,QAAQ,QAAiC,OAAuB;AACvE,QAAM,IAAI,OAAO,KAAK;AACtB,SAAO,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC;AAC7C;AAMO,SAAS,gBACd,QACwB;AACxB,QAAM,EAAE,YAAY,OAAO,aAAa,SAAS,gBAAgB,mBAAmB,IAAI;AACxF,QAAM,kBAAkB,OAAO,mBAAmB;AAElD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,gBAAgB,sCAAsC;AAAA,EAClE;AACA,MAAI,gBAAgB,UAAa,OAAO,gBAAgB,UAAU;AAChE,UAAM,IAAI,gBAAgB,gEAA2D;AAAA,EACvF;AAEA,QAAM,OAAyB;AAAA,IAC7B;AAAA,IACA,OAAO,CAAC,UAAa,QAAyB;AAC5C,YAAM,MAAM;AACZ,YAAM,KAAK,QAAQ,KAAK,KAAK;AAG7B,UAAI,IAAI,aAAa,MAAM;AACzB,YAAI,YAAY,UAAa,CAAC,QAAQ,SAAS,EAAE,GAAG;AAClD,gBAAM,IAAI,uBAAuB,YAAYA,UAAS,GAAG,GAAG,UAAU,EAAE;AAAA,QAC1E;AACA;AAAA,MACF;AAGA,YAAM,OAAO,QAAQ,IAAI,UAAqC,KAAK;AACnE,UAAI,SAAS,IAAI;AACf,YAAI,gBAAiB;AACrB,cAAM,IAAI,uBAAuB,YAAYA,UAAS,GAAG,GAAG,MAAM,EAAE;AAAA,MACtE;AACA,YAAM,UAAU,YAAY,IAAI,KAAK,CAAC;AACtC,UAAI,CAAC,QAAQ,SAAS,EAAE,GAAG;AACzB,cAAM,IAAI,uBAAuB,YAAYA,UAAS,GAAG,GAAG,MAAM,EAAE;AAAA,MACtE;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,WAAW;AAAA,MACT,OAAO,kBAAkB,CAAC,SAAS,OAAO;AAAA,MAC1C,WAAW,uBAAuB,MAAM;AAAA,MAExC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,UAAa,IAAI;AAC1B;","names":["recordId"]}

package/dist/{state-vault-W2OEABNO.js → chunk-ZJ67TB4S.js}

@@ -6,8 +6,7 @@ import {
 } from "./chunk-FZU343FL.js";
 import {
   sha256Hex
-} from "./chunk-UNTGHX5A.js";
-import "./chunk-ZEGSDPB7.js";
+} from "./chunk-QJKZ5WUP.js";
 
 // src/federation/schema-manifest.ts
 function captureBlueprint(configure) {
@@ -67,11 +66,13 @@ async function fingerprintBlueprint(bp) {
 var REGISTRY = "vaultRegistry";
 var MANIFEST = "schemaManifest";
 var EVENTS = "deploymentEvents";
+var MIGRATION_STATUS = "migrationStatus";
 var StateManagementVault = class _StateManagementVault {
-  constructor(registry, schemaManifest, events) {
+  constructor(registry, schemaManifest, events, migrationStatus) {
     this.registry = registry;
     this.schemaManifest = schemaManifest;
     this.#events = events;
+    this.#migrationStatus = migrationStatus;
   }
   registry;
   schemaManifest;
@@ -82,15 +83,31 @@ var StateManagementVault = class _StateManagementVault {
    * `schemaManifest` are deliberately public: consumers read and write them.)
    */
   #events;
-  /** Idempotently open the reserved state vault and bind the three control-plane collections. */
+  /** Per-shard fleet-migration progress (#271). Surfaced via typed methods only. */
+  #migrationStatus;
+  /** Idempotently open the reserved state vault and bind the control-plane collections. */
   static async open(db) {
     const vault = await db.openVault(STATE_VAULT_NAME);
     return new _StateManagementVault(
       vault.collection(REGISTRY),
       vault.collection(MANIFEST),
-      vault.collection(EVENTS)
+      vault.collection(EVENTS),
+      vault.collection(MIGRATION_STATUS)
     );
   }
+  /** Read one shard's migration status (or null). */
+  async getMigrationStatus(vaultId) {
+    return this.#migrationStatus.get(vaultId);
+  }
+  /** All migration-status rows (hydrates first). */
+  async listMigrationStatus() {
+    await this.#migrationStatus.list();
+    return this.#migrationStatus.query().toArray();
+  }
+  /** Upsert one shard's migration status (keyed by vaultId). */
+  async upsertMigrationStatus(row) {
+    await this.#migrationStatus.put(row.vaultId, row);
+  }
   /** Read-only query over the append-only deployment-events log. */
   queryEvents() {
     return this.#events.query();
@@ -140,8 +157,8 @@ var StateManagementVault = class _StateManagementVault {
     return current !== row.fingerprint;
   }
 };
+
 export {
-  STATE_VAULT_NAME,
   StateManagementVault
 };
-//# sourceMappingURL=state-vault-W2OEABNO.js.map
+//# sourceMappingURL=chunk-ZJ67TB4S.js.map

package/dist/chunk-ZJ67TB4S.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/federation/schema-manifest.ts","../src/federation/state-vault.ts"],"sourcesContent":["/**\n * @category capability\n * StateManagement Vault — schema blueprint capture + deterministic\n * fingerprint. See\n * docs/superpowers/specs/2026-06-08-statemanagement-vault-design.md.\n */\nimport type { Vault } from '../vault.js'\nimport type { IndexDef } from '../indexing/eager-indexes.js'\nimport { sha256Hex } from '../crypto.js'\nimport type { CapturedBlueprint } from './types.js'\n\ninterface RecordedCollection {\n  name: string\n  indexes: IndexDef[]\n  persistJsonSchema: boolean\n}\n\n/**\n * Run `configure` against a recording proxy that intercepts\n * `collection(name, opts)` calls and captures the declared blueprint.\n * The proxy delegates every other access to a no-op stub so unrelated\n * `configure` calls (guards, blob setup) do not throw — only the\n * declared collections/indexes feed the fingerprint.\n */\nexport function captureBlueprint(configure: (vault: Vault) => void): CapturedBlueprint {\n  const recorded: RecordedCollection[] = []\n  // Minimal chainable stub returned by intercepted collection() — supports\n  // the fluent calls a template might make without affecting the blueprint.\n  const collectionStub = new Proxy(\n    {},\n    {\n      get: () => () => collectionStub,\n    },\n  )\n  const proxy = new Proxy(\n    {},\n    {\n      get: (_t, prop) => {\n        if (prop === 'collection') {\n          return (name: string, opts?: { indexes?: IndexDef[]; persistJsonSchema?: boolean }) => {\n            recorded.push({\n              name,\n              indexes: opts?.indexes ?? [],\n              persistJsonSchema: !!opts?.persistJsonSchema,\n            })\n            return collectionStub\n          }\n        }\n        // Any other vault method/property: a no-op callable that returns the proxy.\n        return () => proxy\n      },\n    },\n  ) as unknown as Vault\n\n  configure(proxy)\n\n  const sorted = [...recorded].sort((a, b) => a.name.localeCompare(b.name))\n  const indexes: Record<string, IndexDef[]> = {}\n  const persistJsonSchema: string[] = []\n  for (const c of sorted) {\n    indexes[c.name] = c.indexes\n    if (c.persistJsonSchema) persistJsonSchema.push(c.name)\n  }\n  return {\n    // `persistJsonSchema` is already name-sorted: it is populated while\n    // iterating `sorted` (collections in name order).\n    collections: sorted.map((c) => c.name),\n    indexes,\n    persistJsonSchema,\n  }\n}\n\n/** Canonical JSON: object keys sorted recursively so the bytes are stable. */\nfunction canonical(value: unknown): string {\n  if (value === null || typeof value !== 'object') return JSON.stringify(value)\n  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`\n  const obj = value as Record<string, unknown>\n  const keys = Object.keys(obj).sort()\n  return `{${keys.map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(',')}}`\n}\n\n/** sha256 (hex) over the canonicalized serializable blueprint. Uses the shared hub helper. */\nexport async function fingerprintBlueprint(bp: CapturedBlueprint): Promise<string> {\n  return sha256Hex(new TextEncoder().encode(canonical(bp)))\n}\n","/**\n * @category capability\n * StateManagement Vault — federation control plane (registry +\n * schema-manifest + append-only deployment-events). See\n * docs/superpowers/specs/2026-06-08-statemanagement-vault-design.md.\n */\nimport type { Noydb } from '../noydb.js'\nimport type { Collection } from '../collection.js'\nimport type { Query } from '../query/builder.js'\nimport type { VaultRegistryRow, SchemaManifestRow, DeploymentEvent, MigrationStatusRow, VaultTemplate } from './types.js'\nimport { captureBlueprint, fingerprintBlueprint } from './schema-manifest.js'\nimport { STATE_VAULT_NAME } from './constants.js'\nimport { generateULID } from '../bundle/ulid.js'\n\n// Re-export so consumers can `import { STATE_VAULT_NAME } from '@noy-db/hub'`.\nexport { STATE_VAULT_NAME } from './constants.js'\n\n// Physical collection names — single-token (camelCase) to stay clear of any\n// collection-name charset restrictions; the existing suite uses single-word names.\nconst REGISTRY = 'vaultRegistry'\nconst MANIFEST = 'schemaManifest'\nconst EVENTS = 'deploymentEvents'\nconst MIGRATION_STATUS = 'migrationStatus'\n\nexport class StateManagementVault {\n  /**\n   * The append-only deployment-events log is kept truly private so the raw\n   * mutable Collection is never surfaced — events may only be written via\n   * `appendEvent` and read via `queryEvents`. (`registry` and\n   * `schemaManifest` are deliberately public: consumers read and write them.)\n   */\n  readonly #events: Collection<DeploymentEvent>\n  /** Per-shard fleet-migration progress (#271). Surfaced via typed methods only. */\n  readonly #migrationStatus: Collection<MigrationStatusRow>\n\n  private constructor(\n    readonly registry: Collection<VaultRegistryRow>,\n    readonly schemaManifest: Collection<SchemaManifestRow>,\n    events: Collection<DeploymentEvent>,\n    migrationStatus: Collection<MigrationStatusRow>,\n  ) {\n    this.#events = events\n    this.#migrationStatus = migrationStatus\n  }\n\n  /** Idempotently open the reserved state vault and bind the control-plane collections. */\n  static async open(db: Noydb): Promise<StateManagementVault> {\n    const vault = await db.openVault(STATE_VAULT_NAME)\n    return new StateManagementVault(\n      vault.collection<VaultRegistryRow>(REGISTRY),\n      vault.collection<SchemaManifestRow>(MANIFEST),\n      vault.collection<DeploymentEvent>(EVENTS),\n      vault.collection<MigrationStatusRow>(MIGRATION_STATUS),\n    )\n  }\n\n  /** Read one shard's migration status (or null). */\n  async getMigrationStatus(vaultId: string): Promise<MigrationStatusRow | null> {\n    return this.#migrationStatus.get(vaultId)\n  }\n\n  /** All migration-status rows (hydrates first). */\n  async listMigrationStatus(): Promise<MigrationStatusRow[]> {\n    await this.#migrationStatus.list()\n    return this.#migrationStatus.query().toArray()\n  }\n\n  /** Upsert one shard's migration status (keyed by vaultId). */\n  async upsertMigrationStatus(row: MigrationStatusRow): Promise<void> {\n    await this.#migrationStatus.put(row.vaultId, row)\n  }\n\n  /** Read-only query over the append-only deployment-events log. */\n  queryEvents(): Query<DeploymentEvent> {\n    return this.#events.query()\n  }\n\n  /**\n   * Append a deployment event with a fresh unique (ULID) id. This is the\n   * only write path to the events log; no update/delete is exposed.\n   * Callers should treat failures as non-fatal — this method does not\n   * swallow errors, so wrap the call site in try/catch where appropriate.\n   */\n  async appendEvent(event: Omit<DeploymentEvent, 'id' | 'ts'> & { ts?: number }): Promise<void> {\n    const ts = event.ts ?? Date.now()\n    const id = generateULID()\n    await this.#events.put(id, { ...event, id, ts })\n  }\n\n  /**\n   * Ensure a manifest row exists for `(templateName, template.version)`.\n   * Safe to call repeatedly: the `fingerprint` is a deterministic hash of\n   * the template's declared shape (stable across calls), though each call\n   * refreshes `recordedAt`.\n   */\n  async recordManifest(templateName: string, template: VaultTemplate): Promise<string> {\n    const bp = captureBlueprint(template.configure)\n    const fingerprint = await fingerprintBlueprint(bp)\n    await this.schemaManifest.put(`${templateName}:${template.version}`, {\n      templateName,\n      version: template.version,\n      collections: bp.collections,\n      indexes: bp.indexes,\n      persistJsonSchema: bp.persistJsonSchema,\n      fingerprint,\n      recordedAt: Date.now(),\n    })\n    return fingerprint\n  }\n\n  /**\n   * True when `template`'s current declared shape does not match the recorded\n   * manifest for `(templateName, template.version)`. Because shards carry no\n   * schema state independent of their template, this catches \"a template's\n   * shape changed without bumping `version`\" — not independent per-shard drift.\n   * A missing manifest is treated as drift (nothing to verify against).\n   */\n  async detectDrift(templateName: string, template: VaultTemplate): Promise<boolean> {\n    const row = await this.schemaManifest.get(`${templateName}:${template.version}`)\n    if (!row) return true\n    const current = await fingerprintBlueprint(captureBlueprint(template.configure))\n    return current !== row.fingerprint\n  }\n}\n"],"mappings":";;;;;;;;;;;AAwBO,SAAS,iBAAiB,WAAsD;AACrF,QAAM,WAAiC,CAAC;AAGxC,QAAM,iBAAiB,IAAI;AAAA,IACzB,CAAC;AAAA,IACD;AAAA,MACE,KAAK,MAAM,MAAM;AAAA,IACnB;AAAA,EACF;AACA,QAAM,QAAQ,IAAI;AAAA,IAChB,CAAC;AAAA,IACD;AAAA,MACE,KAAK,CAAC,IAAI,SAAS;AACjB,YAAI,SAAS,cAAc;AACzB,iBAAO,CAAC,MAAc,SAAiE;AACrF,qBAAS,KAAK;AAAA,cACZ;AAAA,cACA,SAAS,MAAM,WAAW,CAAC;AAAA,cAC3B,mBAAmB,CAAC,CAAC,MAAM;AAAA,YAC7B,CAAC;AACD,mBAAO;AAAA,UACT;AAAA,QACF;AAEA,eAAO,MAAM;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAEA,YAAU,KAAK;AAEf,QAAM,SAAS,CAAC,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AACxE,QAAM,UAAsC,CAAC;AAC7C,QAAM,oBAA8B,CAAC;AACrC,aAAW,KAAK,QAAQ;AACtB,YAAQ,EAAE,IAAI,IAAI,EAAE;AACpB,QAAI,EAAE,kBAAmB,mBAAkB,KAAK,EAAE,IAAI;AAAA,EACxD;AACA,SAAO;AAAA;AAAA;AAAA,IAGL,aAAa,OAAO,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,IACrC;AAAA,IACA;AAAA,EACF;AACF;AAGA,SAAS,UAAU,OAAwB;AACzC,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC5E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,IAAI,MAAM,IAAI,SAAS,EAAE,KAAK,GAAG,CAAC;AACnE,QAAM,MAAM;AACZ,QAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,SAAO,IAAI,KAAK,IAAI,CAAC,MAAM,GAAG,KAAK,UAAU,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,GAAG,CAAC;AACnF;AAGA,eAAsB,qBAAqB,IAAwC;AACjF,SAAO,UAAU,IAAI,YAAY,EAAE,OAAO,UAAU,EAAE,CAAC,CAAC;AAC1D;;;ACjEA,IAAM,WAAW;AACjB,IAAM,WAAW;AACjB,IAAM,SAAS;AACf,IAAM,mBAAmB;AAElB,IAAM,uBAAN,MAAM,sBAAqB;AAAA,EAWxB,YACG,UACA,gBACT,QACA,iBACA;AAJS;AACA;AAIT,SAAK,UAAU;AACf,SAAK,mBAAmB;AAAA,EAC1B;AAAA,EAPW;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EANF;AAAA;AAAA,EAEA;AAAA;AAAA,EAaT,aAAa,KAAK,IAA0C;AAC1D,UAAM,QAAQ,MAAM,GAAG,UAAU,gBAAgB;AACjD,WAAO,IAAI;AAAA,MACT,MAAM,WAA6B,QAAQ;AAAA,MAC3C,MAAM,WAA8B,QAAQ;AAAA,MAC5C,MAAM,WAA4B,MAAM;AAAA,MACxC,MAAM,WAA+B,gBAAgB;AAAA,IACvD;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,mBAAmB,SAAqD;AAC5E,WAAO,KAAK,iBAAiB,IAAI,OAAO;AAAA,EAC1C;AAAA;AAAA,EAGA,MAAM,sBAAqD;AACzD,UAAM,KAAK,iBAAiB,KAAK;AACjC,WAAO,KAAK,iBAAiB,MAAM,EAAE,QAAQ;AAAA,EAC/C;AAAA;AAAA,EAGA,MAAM,sBAAsB,KAAwC;AAClE,UAAM,KAAK,iBAAiB,IAAI,IAAI,SAAS,GAAG;AAAA,EAClD;AAAA;AAAA,EAGA,cAAsC;AACpC,WAAO,KAAK,QAAQ,MAAM;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAY,OAA4E;AAC5F,UAAM,KAAK,MAAM,MAAM,KAAK,IAAI;AAChC,UAAM,KAAK,aAAa;AACxB,UAAM,KAAK,QAAQ,IAAI,IAAI,EAAE,GAAG,OAAO,IAAI,GAAG,CAAC;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,eAAe,cAAsB,UAA0C;AACnF,UAAM,KAAK,iBAAiB,SAAS,SAAS;AAC9C,UAAM,cAAc,MAAM,qBAAqB,EAAE;AACjD,UAAM,KAAK,eAAe,IAAI,GAAG,YAAY,IAAI,SAAS,OAAO,IAAI;AAAA,MACnE;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,aAAa,GAAG;AAAA,MAChB,SAAS,GAAG;AAAA,MACZ,mBAAmB,GAAG;AAAA,MACtB;AAAA,MACA,YAAY,KAAK,IAAI;AAAA,IACvB,CAAC;AACD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,YAAY,cAAsB,UAA2C;AACjF,UAAM,MAAM,MAAM,KAAK,eAAe,IAAI,GAAG,YAAY,IAAI,SAAS,OAAO,EAAE;AAC/E,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,UAAU,MAAM,qBAAqB,iBAAiB,SAAS,SAAS,CAAC;AAC/E,WAAO,YAAY,IAAI;AAAA,EACzB;AACF;","names":[]}