@noy-db/hub 0.2.0-pre.17 → 0.2.0-pre.19

package/dist/derivations/index.d.cts

@@ -1,13 +1,13 @@
-export { w as withDerivation } from '../with-derivation-Bozs8DmD.cjs';
-import { aK as DerivationStrategy, aL as DerivationContext } from '../types-CrSpRDuG.cjs';
-export { aM as ArrayOutputSpec, aN as DerivationRegistry, aO as DerivationStrategyHandle, aP as DerivedFromMeta, aQ as OutputSpec, aR as RecordOutputSpec } from '../types-CrSpRDuG.cjs';
-export { h as DerivationCapExceededError, i as DerivationCycleError, j as DerivationDepthError, k as DerivationOutputShapeError, l as DerivationOutputUnknownError } from '../errors-Dz64FA65.cjs';
+export { w as withDerivation, a as withRollup } from '../with-rollup-aaxOZcIb.cjs';
+import { av as DerivationStrategy, aw as DerivationContext } from '../types-D-gr5t0G.cjs';
+export { ax as ArrayOutputSpec, ay as DerivationRegistry, az as DerivationStrategyHandle, aA as DerivedFromMeta, aB as OutputSpec, aC as RecordOutputSpec } from '../types-D-gr5t0G.cjs';
+export { i as DerivationCapExceededError, j as DerivationCycleError, k as DerivationDepthError, l as DerivationOutputShapeError, m as DerivationOutputUnknownError } from '../errors-DL-zTrrF.cjs';
 import '../lazy-builder-eYZzLEL1.cjs';
 import '../predicate-BmhBSPCH.cjs';
-import '../strategy-CLC1j79g.cjs';
+import '../strategy-C5ol6NdV.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-C-SSRIxP.cjs';
-import '../index-u-kWzSrL.cjs';
+import '../index-BMmajblo.cjs';
+import '../index-BM7O48Ur.cjs';
 import '@noy-db/attestation';
 
 interface RunResult {

package/dist/derivations/index.d.ts

@@ -1,13 +1,13 @@
-export { w as withDerivation } from '../with-derivation-BZ2y4bzF.js';
-import { aK as DerivationStrategy, aL as DerivationContext } from '../types-CljIHm_J.js';
-export { aM as ArrayOutputSpec, aN as DerivationRegistry, aO as DerivationStrategyHandle, aP as DerivedFromMeta, aQ as OutputSpec, aR as RecordOutputSpec } from '../types-CljIHm_J.js';
-export { h as DerivationCapExceededError, i as DerivationCycleError, j as DerivationDepthError, k as DerivationOutputShapeError, l as DerivationOutputUnknownError } from '../errors-Dz64FA65.js';
+export { w as withDerivation, a as withRollup } from '../with-rollup-_TyBzz3T.js';
+import { av as DerivationStrategy, aw as DerivationContext } from '../types-CraiZOyO.js';
+export { ax as ArrayOutputSpec, ay as DerivationRegistry, az as DerivationStrategyHandle, aA as DerivedFromMeta, aB as OutputSpec, aC as RecordOutputSpec } from '../types-CraiZOyO.js';
+export { i as DerivationCapExceededError, j as DerivationCycleError, k as DerivationDepthError, l as DerivationOutputShapeError, m as DerivationOutputUnknownError } from '../errors-DL-zTrrF.js';
 import '../lazy-builder-ChSqcF5t.js';
 import '../predicate-BmhBSPCH.js';
-import '../strategy-4M9jo172.js';
+import '../strategy-BDxQnnTX.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-C-SSRIxP.js';
-import '../index-DpU6KWof.js';
+import '../index-BMmajblo.js';
+import '../index-BelbyUwz.js';
 import '@noy-db/attestation';
 
 interface RunResult {

package/dist/derivations/index.js

@@ -1,19 +1,20 @@
 import {
-  withDerivation
-} from "../chunk-PDULVIBY.js";
+  withDerivation,
+  withRollup
+} from "../chunk-CYNTFU2D.js";
 import {
   DerivationRegistry
-} from "../chunk-GP3SDSH2.js";
+} from "../chunk-6OSOE6BY.js";
 import {
   DerivationExecutor
-} from "../chunk-XJV6OB4D.js";
+} from "../chunk-7HD67R6U.js";
 import {
   DerivationCapExceededError,
   DerivationCycleError,
   DerivationDepthError,
   DerivationOutputShapeError,
   DerivationOutputUnknownError
-} from "../chunk-ZEGSDPB7.js";
+} from "../chunk-DJF3FXW5.js";
 export {
   DerivationCapExceededError,
   DerivationCycleError,
@@ -22,6 +23,7 @@ export {
   DerivationOutputShapeError,
   DerivationOutputUnknownError,
   DerivationRegistry,
-  withDerivation
+  withDerivation,
+  withRollup
 };
 //# sourceMappingURL=index.js.map

package/dist/{dev-unlock-iXbYFAWl.d.cts → dev-unlock-BR1rMOS-.d.cts}

@@ -1,4 +1,4 @@
-import { a$ as Role, b0 as UnlockedKeyring } from './types-CrSpRDuG.cjs';
+import { aM as Role, aN as UnlockedKeyring } from './types-D-gr5t0G.cjs';
 
 /**
  * Session tokens —

package/dist/{dev-unlock-CI1ijTML.d.ts → dev-unlock-whL49sxV.d.ts}

@@ -1,4 +1,4 @@
-import { a$ as Role, b0 as UnlockedKeyring } from './types-CljIHm_J.js';
+import { aM as Role, aN as UnlockedKeyring } from './types-CraiZOyO.js';
 
 /**
  * Session tokens —

package/dist/{errors-Dz64FA65.d.cts → errors-DL-zTrrF.d.cts}

@@ -398,6 +398,21 @@ declare class FieldFrozenError extends NoydbError {
     readonly fields: readonly string[];
     constructor(collection: string, id: string, fields: readonly string[]);
 }
+/**
+ * Thrown by a `transitionGuard` when a write moves a state field along an
+ * arc that the declared transition graph does not allow — either an
+ * update `from → to` that is not a listed edge, or an insert whose
+ * initial state is not in the allowed `initial` set (reported with
+ * `from: '(none)'`). Override via an amendment transaction by an
+ * authorized role, like any guard.
+ */
+declare class IllegalTransitionError extends NoydbError {
+    readonly collection: string;
+    readonly id: string;
+    readonly from: string;
+    readonly to: string;
+    constructor(collection: string, id: string, from: string, to: string);
+}
 /**
  * Thrown by an amendment invariant when the proposed change-set violates
  * the declared business rule (e.g. disbursement total not preserved).
@@ -1346,6 +1361,19 @@ declare class ShardProvisioningError extends NoydbError {
     readonly vaultId: string;
     constructor(vaultId: string, partitionKey: string);
 }
+/**
+ * Thrown by `VaultGroup.createShard` when `sharding.regionOf` resolves a
+ * required region that doesn't match the placement backend's
+ * `capabilities.region` — the shard would land on a non-compliant backend
+ * (data-residency violation, #271). Raised BEFORE provisioning, so no
+ * vault is created.
+ */
+declare class DataResidencyError extends NoydbError {
+    readonly vaultId: string;
+    readonly requiredRegion: string;
+    readonly backendRegion: string | undefined;
+    constructor(vaultId: string, requiredRegion: string, backendRegion: string | undefined);
+}
 /** Thrown when a VaultGroup references a template name that was never registered. */
 declare class VaultTemplateNotFoundError extends NoydbError {
     readonly templateName: string;
@@ -1416,4 +1444,4 @@ declare class RecordCekNotFoundError extends NoydbError {
     constructor(collection: string, id: string);
 }
 
-export { ForgetStrategyNotConfiguredError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewSourceUnknownError as C, DictKeyInUseError as D, MaterializedViewTooLargeError as E, FieldFrozenError as F, AlreadyElevatedError as G, ConflictError as H, InvariantError as I, CrossJoinSourceUnknownError as J, CrossJoinTooLargeError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, DanglingReferenceError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DecryptionError as V, DelegationTargetMissingError as W, DirectoryDisabledError as X, ElevationExpiredError as Y, ExportCapabilityError as Z, FilenameSanitizationError as _, DictKeyMissingError as a, GroupCardinalityError as a0, ImportCapabilityError as a1, IndexRequiredError as a2, IndexWriteFailureError as a3, InvalidKeyError as a4, JoinTooLargeError as a5, KeyringCorruptError as a6, KeyringExpiredError as a7, LedgerContentionError as a8, MigrationRequiredError as a9, UniqueConstraintError as aA, UnknownShardError as aB, UnsupportedIndexOptionError as aC, ValidationError as aD, VaultTemplateNotFoundError as aE, NetworkError as aa, NoAccessError as ab, NonAdditiveSchemaChangeError as ac, NotFoundError as ad, NumberingUncertaintyError as ae, PathEscapeError as af, PeriodClosedError as ag, PermissionDeniedError as ah, PrivilegeEscalationError as ai, QuiesceTimeoutError as aj, ReadOnlyAtInstantError as ak, ReadOnlyError as al, ReadOnlyFrameError as am, RecordCekNotFoundError as an, ReservedVaultNameError as ao, SchemaFenceError as ap, SchemaLockedError as aq, SchemaUpdateError as ar, SchemaValidationError as as, SequenceContentionError as at, SequenceOfflineError as au, ShardProvisioningError as av, StoreCapabilityError as aw, TamperedError as ax, TierDemoteDeniedError as ay, TierNotGrantedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, RecordLockedError as f, SnapshotNotFoundError as g, DerivationCapExceededError as h, DerivationCycleError as i, DerivationDepthError as j, DerivationOutputShapeError as k, DerivationOutputUnknownError as l, OverlayCollectionUnavailableError as m, OverlayIdMismatchError as n, OverlayNameCollisionError as o, SealedRecordExpiredError as p, SealedRecordMismatchError as q, AttestationError as r, AdoptionStateError as s, BackupLedgerError as t, BundleIntegrityError as u, BundleSealMismatchError as v, BundleVersionConflictError as w, TransferSealError as x, MaterializedViewConfigError as y, MaterializedViewCycleError as z };
+export { ExportCapabilityError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewCycleError as C, DictKeyInUseError as D, MaterializedViewSourceUnknownError as E, FieldFrozenError as F, MaterializedViewTooLargeError as G, AlreadyElevatedError as H, IllegalTransitionError as I, ConflictError as J, CrossJoinSourceUnknownError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, CrossJoinTooLargeError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DanglingReferenceError as V, DataResidencyError as W, DecryptionError as X, DelegationTargetMissingError as Y, DirectoryDisabledError as Z, ElevationExpiredError as _, DictKeyMissingError as a, FilenameSanitizationError as a0, ForgetStrategyNotConfiguredError as a1, GroupCardinalityError as a2, ImportCapabilityError as a3, IndexRequiredError as a4, IndexWriteFailureError as a5, InvalidKeyError as a6, JoinTooLargeError as a7, KeyringCorruptError as a8, KeyringExpiredError as a9, TierDemoteDeniedError as aA, TierNotGrantedError as aB, UniqueConstraintError as aC, UnknownShardError as aD, UnsupportedIndexOptionError as aE, ValidationError as aF, VaultTemplateNotFoundError as aG, LedgerContentionError as aa, MigrationRequiredError as ab, NetworkError as ac, NoAccessError as ad, NonAdditiveSchemaChangeError as ae, NotFoundError as af, NumberingUncertaintyError as ag, PathEscapeError as ah, PeriodClosedError as ai, PermissionDeniedError as aj, PrivilegeEscalationError as ak, QuiesceTimeoutError as al, ReadOnlyAtInstantError as am, ReadOnlyError as an, ReadOnlyFrameError as ao, RecordCekNotFoundError as ap, ReservedVaultNameError as aq, SchemaFenceError as ar, SchemaLockedError as as, SchemaUpdateError as at, SchemaValidationError as au, SequenceContentionError as av, SequenceOfflineError as aw, ShardProvisioningError as ax, StoreCapabilityError as ay, TamperedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, InvariantError as f, RecordLockedError as g, SnapshotNotFoundError as h, DerivationCapExceededError as i, DerivationCycleError as j, DerivationDepthError as k, DerivationOutputShapeError as l, DerivationOutputUnknownError as m, OverlayCollectionUnavailableError as n, OverlayIdMismatchError as o, OverlayNameCollisionError as p, SealedRecordExpiredError as q, SealedRecordMismatchError as r, AttestationError as s, AdoptionStateError as t, BackupLedgerError as u, BundleIntegrityError as v, BundleSealMismatchError as w, BundleVersionConflictError as x, TransferSealError as y, MaterializedViewConfigError as z };

package/dist/{errors-Dz64FA65.d.ts → errors-DL-zTrrF.d.ts}

@@ -398,6 +398,21 @@ declare class FieldFrozenError extends NoydbError {
     readonly fields: readonly string[];
     constructor(collection: string, id: string, fields: readonly string[]);
 }
+/**
+ * Thrown by a `transitionGuard` when a write moves a state field along an
+ * arc that the declared transition graph does not allow — either an
+ * update `from → to` that is not a listed edge, or an insert whose
+ * initial state is not in the allowed `initial` set (reported with
+ * `from: '(none)'`). Override via an amendment transaction by an
+ * authorized role, like any guard.
+ */
+declare class IllegalTransitionError extends NoydbError {
+    readonly collection: string;
+    readonly id: string;
+    readonly from: string;
+    readonly to: string;
+    constructor(collection: string, id: string, from: string, to: string);
+}
 /**
  * Thrown by an amendment invariant when the proposed change-set violates
  * the declared business rule (e.g. disbursement total not preserved).
@@ -1346,6 +1361,19 @@ declare class ShardProvisioningError extends NoydbError {
     readonly vaultId: string;
     constructor(vaultId: string, partitionKey: string);
 }
+/**
+ * Thrown by `VaultGroup.createShard` when `sharding.regionOf` resolves a
+ * required region that doesn't match the placement backend's
+ * `capabilities.region` — the shard would land on a non-compliant backend
+ * (data-residency violation, #271). Raised BEFORE provisioning, so no
+ * vault is created.
+ */
+declare class DataResidencyError extends NoydbError {
+    readonly vaultId: string;
+    readonly requiredRegion: string;
+    readonly backendRegion: string | undefined;
+    constructor(vaultId: string, requiredRegion: string, backendRegion: string | undefined);
+}
 /** Thrown when a VaultGroup references a template name that was never registered. */
 declare class VaultTemplateNotFoundError extends NoydbError {
     readonly templateName: string;
@@ -1416,4 +1444,4 @@ declare class RecordCekNotFoundError extends NoydbError {
     constructor(collection: string, id: string);
 }
 
-export { ForgetStrategyNotConfiguredError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewSourceUnknownError as C, DictKeyInUseError as D, MaterializedViewTooLargeError as E, FieldFrozenError as F, AlreadyElevatedError as G, ConflictError as H, InvariantError as I, CrossJoinSourceUnknownError as J, CrossJoinTooLargeError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, DanglingReferenceError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DecryptionError as V, DelegationTargetMissingError as W, DirectoryDisabledError as X, ElevationExpiredError as Y, ExportCapabilityError as Z, FilenameSanitizationError as _, DictKeyMissingError as a, GroupCardinalityError as a0, ImportCapabilityError as a1, IndexRequiredError as a2, IndexWriteFailureError as a3, InvalidKeyError as a4, JoinTooLargeError as a5, KeyringCorruptError as a6, KeyringExpiredError as a7, LedgerContentionError as a8, MigrationRequiredError as a9, UniqueConstraintError as aA, UnknownShardError as aB, UnsupportedIndexOptionError as aC, ValidationError as aD, VaultTemplateNotFoundError as aE, NetworkError as aa, NoAccessError as ab, NonAdditiveSchemaChangeError as ac, NotFoundError as ad, NumberingUncertaintyError as ae, PathEscapeError as af, PeriodClosedError as ag, PermissionDeniedError as ah, PrivilegeEscalationError as ai, QuiesceTimeoutError as aj, ReadOnlyAtInstantError as ak, ReadOnlyError as al, ReadOnlyFrameError as am, RecordCekNotFoundError as an, ReservedVaultNameError as ao, SchemaFenceError as ap, SchemaLockedError as aq, SchemaUpdateError as ar, SchemaValidationError as as, SequenceContentionError as at, SequenceOfflineError as au, ShardProvisioningError as av, StoreCapabilityError as aw, TamperedError as ax, TierDemoteDeniedError as ay, TierNotGrantedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, RecordLockedError as f, SnapshotNotFoundError as g, DerivationCapExceededError as h, DerivationCycleError as i, DerivationDepthError as j, DerivationOutputShapeError as k, DerivationOutputUnknownError as l, OverlayCollectionUnavailableError as m, OverlayIdMismatchError as n, OverlayNameCollisionError as o, SealedRecordExpiredError as p, SealedRecordMismatchError as q, AttestationError as r, AdoptionStateError as s, BackupLedgerError as t, BundleIntegrityError as u, BundleSealMismatchError as v, BundleVersionConflictError as w, TransferSealError as x, MaterializedViewConfigError as y, MaterializedViewCycleError as z };
+export { ExportCapabilityError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewCycleError as C, DictKeyInUseError as D, MaterializedViewSourceUnknownError as E, FieldFrozenError as F, MaterializedViewTooLargeError as G, AlreadyElevatedError as H, IllegalTransitionError as I, ConflictError as J, CrossJoinSourceUnknownError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, CrossJoinTooLargeError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DanglingReferenceError as V, DataResidencyError as W, DecryptionError as X, DelegationTargetMissingError as Y, DirectoryDisabledError as Z, ElevationExpiredError as _, DictKeyMissingError as a, FilenameSanitizationError as a0, ForgetStrategyNotConfiguredError as a1, GroupCardinalityError as a2, ImportCapabilityError as a3, IndexRequiredError as a4, IndexWriteFailureError as a5, InvalidKeyError as a6, JoinTooLargeError as a7, KeyringCorruptError as a8, KeyringExpiredError as a9, TierDemoteDeniedError as aA, TierNotGrantedError as aB, UniqueConstraintError as aC, UnknownShardError as aD, UnsupportedIndexOptionError as aE, ValidationError as aF, VaultTemplateNotFoundError as aG, LedgerContentionError as aa, MigrationRequiredError as ab, NetworkError as ac, NoAccessError as ad, NonAdditiveSchemaChangeError as ae, NotFoundError as af, NumberingUncertaintyError as ag, PathEscapeError as ah, PeriodClosedError as ai, PermissionDeniedError as aj, PrivilegeEscalationError as ak, QuiesceTimeoutError as al, ReadOnlyAtInstantError as am, ReadOnlyError as an, ReadOnlyFrameError as ao, RecordCekNotFoundError as ap, ReservedVaultNameError as aq, SchemaFenceError as ar, SchemaLockedError as as, SchemaUpdateError as at, SchemaValidationError as au, SequenceContentionError as av, SequenceOfflineError as aw, ShardProvisioningError as ax, StoreCapabilityError as ay, TamperedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, InvariantError as f, RecordLockedError as g, SnapshotNotFoundError as h, DerivationCapExceededError as i, DerivationCycleError as j, DerivationDepthError as k, DerivationOutputShapeError as l, DerivationOutputUnknownError as m, OverlayCollectionUnavailableError as n, OverlayIdMismatchError as o, OverlayNameCollisionError as p, SealedRecordExpiredError as q, SealedRecordMismatchError as r, AttestationError as s, AdoptionStateError as t, BackupLedgerError as u, BundleIntegrityError as v, BundleSealMismatchError as w, BundleVersionConflictError as x, TransferSealError as y, MaterializedViewConfigError as z };

package/dist/executor-44R5CUS2.js

@@ -0,0 +1,12 @@
+import {
+  MaterializedViewExecutor
+} from "./chunk-6KESZO5D.js";
+import "./chunk-GYAWXHFO.js";
+import "./chunk-OBMYMKGO.js";
+import "./chunk-LSIIPKYT.js";
+import "./chunk-VEIVAYJ7.js";
+import "./chunk-DJF3FXW5.js";
+export {
+  MaterializedViewExecutor
+};
+//# sourceMappingURL=executor-44R5CUS2.js.map

package/dist/executor-AOACUK7Z.js

@@ -0,0 +1,8 @@
+import {
+  GuardExecutor
+} from "./chunk-IVP5IVON.js";
+import "./chunk-DJF3FXW5.js";
+export {
+  GuardExecutor
+};
+//# sourceMappingURL=executor-AOACUK7Z.js.map

package/dist/executor-OKFLQCDW.js

@@ -0,0 +1,8 @@
+import {
+  DerivationExecutor
+} from "./chunk-7HD67R6U.js";
+import "./chunk-DJF3FXW5.js";
+export {
+  DerivationExecutor
+};
+//# sourceMappingURL=executor-OKFLQCDW.js.map

package/dist/{fanout-sidecar-FIJJ46YG.js → fanout-sidecar-DCQWJQ6S.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-SISBMAPO.js";
+} from "./chunk-SHIUFIPW.js";
 
 // src/derivations/fanout-sidecar.ts
 function recordId(source, sourceId, outputKey) {
@@ -48,4 +48,4 @@ export {
   loadFanoutSidecar,
   saveFanoutSidecar
 };
-//# sourceMappingURL=fanout-sidecar-FIJJ46YG.js.map
+//# sourceMappingURL=fanout-sidecar-DCQWJQ6S.js.map

package/dist/forget/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/forget/index.ts","../../src/forget/strategy.ts","../../src/forget/subject-index.ts"],"sourcesContent":["/**\n * `@noy-db/hub/forget` — GDPR right-to-erasure via per-record CEK crypto-shred\n * (#304). Import `withForgetCascade` and pass it to `createNoydb`:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withForgetCascade } from '@noy-db/hub/forget'\n *\n * const db = createNoydb({\n *   secret, user,\n *   historyStrategy: withHistory(),               // ledger for the erasure proof\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await db.vault('main').forget('buyer-123')\n * ```\n *\n * The erasure flow (`vault.forget`), the subject-index maintenance hooks, and\n * the tombstone rewrite live in core (`vault.ts` / `collection.ts`) because\n * they touch the write path directly; this subpath only exposes the\n * declaration factory + result types.\n *\n * @module\n */\nexport {\n  withForgetCascade,\n  NO_FORGET,\n} from './strategy.js'\nexport type {\n  SubjectDeclaration,\n  ForgetStrategy,\n  ForgetResult,\n} from './strategy.js'\nexport type { SubjectRef } from './subject-index.js'\nexport { SUBJECT_INDEX_COLLECTION } from './subject-index.js'\n","/**\n * `withForgetCascade` — declaration surface for GDPR right-to-erasure via\n * per-record CEK crypto-shred (#304, step 2 of the CEK security epic).\n *\n * This file holds only the *declaration* shape and the disabled sentinel.\n * The actual erasure machinery lives in:\n *   - `subject-index.ts` — the encrypted `_subject_index` reserved collection\n *   - `vault.ts` `forget()` — the per-record tombstone + ledger flow\n *   - `collection.ts` `_writeTombstone` — the envelope rewrite\n *\n * A `ForgetStrategy` declares which collections carry erasable subject data\n * and the (dotted-path) field on each record that names the data subject.\n * Declaring a collection here ALSO forces `perRecordKeys: true` for it (a\n * shred can only erase a record whose body is keyed off a per-record CEK),\n * so adopters opt into the CEK foundation transitively.\n *\n * @module\n */\nimport type { LedgerEntry } from '../history/ledger/entry.js'\n\n/**\n * User-supplied declaration passed to {@link withForgetCascade}. Maps a\n * collection name to the record field (dotted path supported, e.g.\n * `'billing.buyerId'`) that identifies the data subject for erasure.\n *\n * ```ts\n * withForgetCascade({ subjects: { invoices: 'buyerId', contacts: 'id' } })\n * ```\n */\nexport interface SubjectDeclaration {\n  readonly subjects: Record<string, string>\n}\n\n/**\n * Resolved forget strategy threaded through Noydb → every Vault. Carries\n * the same `subjects` map the user declared. `NO_FORGET` (empty map) is the\n * off-by-default sentinel; `vault.forget()` throws\n * `ForgetStrategyNotConfiguredError` when the map is empty.\n */\nexport interface ForgetStrategy {\n  /** Collection → subject-field (dotted path). Empty under `NO_FORGET`. */\n  readonly subjects: Readonly<Record<string, string>>\n}\n\n/**\n * Disabled sentinel — no collections declare a subject field. `vault.forget()`\n * refuses with `ForgetStrategyNotConfiguredError`; no write hooks register; no\n * collection is forced into `perRecordKeys`. Non-adopters pay nothing.\n */\nexport const NO_FORGET: ForgetStrategy = { subjects: {} }\n\n/**\n * Declare GDPR crypto-shred for one or more collections.\n *\n * Each declared collection is forced to `perRecordKeys: true` (a shred can\n * only guarantee erasure of a record whose body is keyed off a per-record\n * CEK). On write, Noydb extracts `record[subjectField]` and maintains an\n * encrypted `_subject_index` mapping `subject → [{collection, id}]`, so\n * `vault.forget(subjectId)` can find every record for a subject and rewrite\n * each to a tombstone (body + history permanently undecryptable) while the\n * collection DEK and every other record stay intact.\n *\n * @example\n * ```ts\n * createNoydb({\n *   secret, user,\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await vault.forget('buyer-123')\n * // → { subject, recordsShredded, historyVersionsShredded, collections, … }\n * ```\n */\nexport function withForgetCascade(opts: SubjectDeclaration): ForgetStrategy {\n  return { subjects: { ...opts.subjects } }\n}\n\n/**\n * The outcome of a `vault.forget(subjectId)` call.\n *\n * `unmigratedRecords` lists `collection:id` pairs that were tombstoned but\n * whose body had NOT been migrated to a per-record CEK at shred time (legacy\n * body still under the shared collection DEK). Those records are tombstoned\n * (live envelope + history stripped) but their pre-shred ciphertext, if it\n * leaked into a backup before migration, remains decryptable under the\n * collection DEK — so erasure-completeness is NOT guaranteed for them. Run\n * the per-record-CEK migration pass, then re-forget, to close the gap.\n *\n * Blob attachments (#365): a shredded record's **erasable** blobs (on a\n * `perRecordKeys` collection) are crypto-shredded inline — `blobsShredded`\n * counts those taken to refCount 0 (BlobObject deleted → chunks permanently\n * undecryptable), `blobsRetainedShared` counts those still referenced by\n * another record (shared content legitimately persists for its other owner).\n * `blobResidueCollections` now lists only collections with blobs that could\n * NOT be crypto-shredded: **legacy** blobs (no per-blob `_cek`, chunks under\n * the shared `_blob` DEK — migrate them), or a session without the blob\n * subsystem loaded. An all-erasable subject yields an empty residue list.\n */\nexport interface ForgetResult {\n  /** The subject id passed to `forget()`. Echoed for caller convenience. */\n  readonly subject: string\n  /** Count of live records rewritten to a tombstone. */\n  readonly recordsShredded: number\n  /** Count of `_history` envelopes tombstoned across all shredded records. */\n  readonly historyVersionsShredded: number\n  /** Distinct collections that had at least one record shredded. */\n  readonly collections: readonly string[]\n  /** `collection:id` pairs shredded while still un-migrated (see type docs). */\n  readonly unmigratedRecords: readonly string[]\n  /** Count of erasable blobs crypto-shredded (refCount → 0, BlobObject deleted). */\n  readonly blobsShredded: number\n  /** Count of erasable blobs retained because still referenced elsewhere (shared). */\n  readonly blobsRetainedShared: number\n  /** Collections with blobs that could NOT be crypto-shredded — legacy (no `_cek`) or blobs disabled (see type docs). */\n  readonly blobResidueCollections: readonly string[]\n  /** The single `op:'forget'` ledger entry appended for this erasure. */\n  readonly ledgerEntry: LedgerEntry\n}\n","/**\n * The encrypted subject index (#304).\n *\n * GDPR crypto-shred needs to answer \"which records belong to data subject\n * X?\" portably (the index must travel with the vault/bundle) WITHOUT leaking\n * subject-equivalence to the store. The rejected alternative — an unencrypted\n * subject tag in envelope metadata — would let anyone with store access see\n * which records share a subject. Instead we keep a reserved `_subject_index`\n * collection, encrypted under its OWN DEK (`getDEK('_subject_index')`):\n *\n *   - record id  = `sha256Hex(subjectId)` — the raw subject id never appears\n *     as a key, so the store can't correlate index entries to a known subject.\n *   - record body = AES-GCM(JSON `[{ collection, id }]`) under the index DEK.\n *\n * ## Concurrency (RISK #3 — known v1 limitation)\n *\n * `addSubjectRef` / `removeSubjectRef` are read-modify-write with no CAS. The\n * design assumes a SINGLE WRITER (the noy-db single-process write model). Two\n * concurrent writers racing on the SAME subject can lose an entry (last-write\n * wins on the ref list). This is documented, not fixed in v1:\n * `rebuildSubjectIndex` performs a full scan to recover a correct index from\n * the canonical records, so a lost ref is recoverable. A CAS-backed index is\n * deferred to a later slice.\n *\n * @module\n */\nimport { encrypt, decrypt } from '../crypto.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/** Reserved collection holding the encrypted subject → records index. */\nexport const SUBJECT_INDEX_COLLECTION = '_subject_index'\n\n/** A single record reference held in a subject's index entry. */\nexport interface SubjectRef {\n  readonly collection: string\n  readonly id: string\n}\n\ntype GetDEK = (collectionName: string) => Promise<CryptoKey>\n\n/** SHA-256 hex of a UTF-8 string. The subject-index record key derivation. */\nasync function sha256HexString(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/** Stable subject-index record id for a subject id. */\nexport async function subjectKey(subjectId: string): Promise<string> {\n  return sha256HexString(subjectId)\n}\n\n/** Read + decrypt the ref list for a subject. Returns `[]` when absent. */\nasync function readRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n): Promise<SubjectRef[]> {\n  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key)\n  if (!env || !env._data) return []\n  if (!encrypted) return JSON.parse(env._data) as SubjectRef[]\n  const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n  const json = await decrypt(env._iv, env._data, dek)\n  return JSON.parse(json) as SubjectRef[]\n}\n\n/** Encrypt + write a ref list for a subject under its derived key. */\nasync function writeRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n  refs: SubjectRef[],\n): Promise<void> {\n  const json = JSON.stringify(refs)\n  let env: EncryptedEnvelope\n  if (!encrypted) {\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: '', _data: json }\n  } else {\n    const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: iv, _data: data }\n  }\n  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env)\n}\n\n/**\n * Add a `{ collection, id }` ref to a subject's index entry (idempotent —\n * a duplicate ref is not appended). Read-modify-write; see the concurrency\n * note in the module docstring.\n */\nexport async function addSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return\n  refs.push(ref)\n  await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n}\n\n/**\n * Remove a `{ collection, id }` ref from a subject's index entry. When the\n * last ref is removed the (now empty) entry is deleted so the store holds no\n * residual key for an erased subject.\n */\nexport async function removeSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id))\n  if (next.length === refs.length) return\n  if (next.length === 0) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key)\n    return\n  }\n  await writeRefs(adapter, vault, getDEK, encrypted, key, next)\n}\n\n/** Look up every record ref for a subject. Returns `[]` when none exist. */\nexport async function lookupSubject(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n): Promise<SubjectRef[]> {\n  const key = await subjectKey(subjectId)\n  return readRefs(adapter, vault, getDEK, encrypted, key)\n}\n\n/**\n * Rebuild the entire subject index from the canonical records (the recovery\n * path for the documented read-modify-write race). Scans each declared\n * collection, reads `record[subjectField]` (dotted path), and rewrites the\n * index from scratch. Tombstoned (already-shredded) records contribute no\n * ref — their body is gone, so they cannot be re-indexed.\n *\n * `decodeRecord` decrypts an envelope to a plain object (or returns null for\n * a tombstone / unreadable record); supplied by the caller so this module\n * stays free of Collection internals.\n */\nexport async function rebuildSubjectIndex(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjects: Readonly<Record<string, string>>,\n  decodeRecord: (collection: string, id: string, env: EncryptedEnvelope) => Promise<Record<string, unknown> | null>,\n): Promise<number> {\n  // Drop every existing index entry first so removed refs don't linger.\n  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION)\n  for (const k of existing) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k)\n  }\n\n  // subjectId → refs, accumulated across all declared collections.\n  const bySubject = new Map<string, SubjectRef[]>()\n  for (const [collection, field] of Object.entries(subjects)) {\n    const ids = await adapter.list(vault, collection)\n    for (const id of ids) {\n      if (id.startsWith('_')) continue\n      const env = await adapter.get(vault, collection, id)\n      if (!env || !env._data) continue // missing or tombstone\n      const record = await decodeRecord(collection, id, env)\n      if (record === null) continue\n      const subjectValue = readDottedPath(record, field)\n      if (subjectValue === undefined || subjectValue === null) continue\n      const subjectId = coerceSubjectId(subjectValue)\n      const list = bySubject.get(subjectId) ?? []\n      list.push({ collection, id })\n      bySubject.set(subjectId, list)\n    }\n  }\n\n  let entries = 0\n  for (const [subjectId, refs] of bySubject) {\n    const key = await subjectKey(subjectId)\n    await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n    entries++\n  }\n  return entries\n}\n\n/**\n * Coerce a read subject-field value to a stable string id. Primitives use\n * their natural string form; objects/arrays are JSON-stringified so structural\n * subjects still get a deterministic key (avoids the `[object Object]` trap).\n */\nexport function coerceSubjectId(value: unknown): string {\n  if (typeof value === 'string') return value\n  if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {\n    return String(value)\n  }\n  return JSON.stringify(value)\n}\n\n/** Read a (possibly dotted) field path from a plain record. */\nexport function readDottedPath(record: Record<string, unknown>, field: string): unknown {\n  if (!field.includes('.')) return record[field]\n  let cursor: unknown = record\n  for (const segment of field.split('.')) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiDO,IAAM,YAA4B,EAAE,UAAU,CAAC,EAAE;AAuBjD,SAAS,kBAAkB,MAA0C;AAC1E,SAAO,EAAE,UAAU,EAAE,GAAG,KAAK,SAAS,EAAE;AAC1C;;;AC3CO,IAAM,2BAA2B;","names":[]}
+{"version":3,"sources":["../../src/forget/index.ts","../../src/forget/strategy.ts","../../src/forget/subject-index.ts"],"sourcesContent":["/**\n * `@noy-db/hub/forget` — GDPR right-to-erasure via per-record CEK crypto-shred\n * (#304). Import `withForgetCascade` and pass it to `createNoydb`:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withForgetCascade } from '@noy-db/hub/forget'\n *\n * const db = createNoydb({\n *   secret, user,\n *   historyStrategy: withHistory(),               // ledger for the erasure proof\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await db.vault('main').forget('buyer-123')\n * ```\n *\n * The erasure flow (`vault.forget`), the subject-index maintenance hooks, and\n * the tombstone rewrite live in core (`vault.ts` / `collection.ts`) because\n * they touch the write path directly; this subpath only exposes the\n * declaration factory + result types.\n *\n * @module\n */\nexport {\n  withForgetCascade,\n  NO_FORGET,\n} from './strategy.js'\nexport type {\n  SubjectDeclaration,\n  ForgetStrategy,\n  ForgetResult,\n} from './strategy.js'\nexport type { SubjectRef } from './subject-index.js'\nexport { SUBJECT_INDEX_COLLECTION } from './subject-index.js'\n","/**\n * `withForgetCascade` — declaration surface for GDPR right-to-erasure via\n * per-record CEK crypto-shred (#304, step 2 of the CEK security epic).\n *\n * This file holds only the *declaration* shape and the disabled sentinel.\n * The actual erasure machinery lives in:\n *   - `subject-index.ts` — the encrypted `_subject_index` reserved collection\n *   - `vault.ts` `forget()` — the per-record tombstone + ledger flow\n *   - `collection.ts` `_writeTombstone` — the envelope rewrite\n *\n * A `ForgetStrategy` declares which collections carry erasable subject data\n * and the (dotted-path) field on each record that names the data subject.\n * Declaring a collection here ALSO forces `perRecordKeys: true` for it (a\n * shred can only erase a record whose body is keyed off a per-record CEK),\n * so adopters opt into the CEK foundation transitively.\n *\n * @module\n */\nimport type { LedgerEntry } from '../history/ledger/entry.js'\n\n/**\n * User-supplied declaration passed to {@link withForgetCascade}. Maps a\n * collection name to the record field (dotted path supported, e.g.\n * `'billing.buyerId'`) that identifies the data subject for erasure.\n *\n * ```ts\n * withForgetCascade({ subjects: { invoices: 'buyerId', contacts: 'id' } })\n * ```\n */\nexport interface SubjectDeclaration {\n  readonly subjects: Record<string, string>\n}\n\n/**\n * Resolved forget strategy threaded through Noydb → every Vault. Carries\n * the same `subjects` map the user declared. `NO_FORGET` (empty map) is the\n * off-by-default sentinel; `vault.forget()` throws\n * `ForgetStrategyNotConfiguredError` when the map is empty.\n */\nexport interface ForgetStrategy {\n  /** Collection → subject-field (dotted path). Empty under `NO_FORGET`. */\n  readonly subjects: Readonly<Record<string, string>>\n}\n\n/**\n * Disabled sentinel — no collections declare a subject field. `vault.forget()`\n * refuses with `ForgetStrategyNotConfiguredError`; no write hooks register; no\n * collection is forced into `perRecordKeys`. Non-adopters pay nothing.\n */\nexport const NO_FORGET: ForgetStrategy = { subjects: {} }\n\n/**\n * Declare GDPR crypto-shred for one or more collections.\n *\n * Each declared collection is forced to `perRecordKeys: true` (a shred can\n * only guarantee erasure of a record whose body is keyed off a per-record\n * CEK). On write, Noydb extracts `record[subjectField]` and maintains an\n * encrypted `_subject_index` mapping `subject → [{collection, id}]`, so\n * `vault.forget(subjectId)` can find every record for a subject and rewrite\n * each to a tombstone (body + history permanently undecryptable) while the\n * collection DEK and every other record stay intact.\n *\n * @example\n * ```ts\n * createNoydb({\n *   secret, user,\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await vault.forget('buyer-123')\n * // → { subject, recordsShredded, historyVersionsShredded, collections, … }\n * ```\n */\nexport function withForgetCascade(opts: SubjectDeclaration): ForgetStrategy {\n  return { subjects: { ...opts.subjects } }\n}\n\n/**\n * The outcome of a `vault.forget(subjectId)` call.\n *\n * `unmigratedRecords` lists `collection:id` pairs that were tombstoned but\n * whose body had NOT been migrated to a per-record CEK at shred time (legacy\n * body still under the shared collection DEK). Those records are tombstoned\n * (live envelope + history stripped) but their pre-shred ciphertext, if it\n * leaked into a backup before migration, remains decryptable under the\n * collection DEK — so erasure-completeness is NOT guaranteed for them. Run\n * the per-record-CEK migration pass, then re-forget, to close the gap.\n *\n * Blob attachments (#365): a shredded record's **erasable** blobs (on a\n * `perRecordKeys` collection) are crypto-shredded inline — `blobsShredded`\n * counts those taken to refCount 0 (BlobObject deleted → chunks permanently\n * undecryptable), `blobsRetainedShared` counts those still referenced by\n * another record (shared content legitimately persists for its other owner).\n * `blobResidueCollections` now lists only collections with blobs that could\n * NOT be crypto-shredded: **legacy** blobs (no per-blob `_cek`, chunks under\n * the shared `_blob` DEK — migrate them), or a session without the blob\n * subsystem loaded. An all-erasable subject yields an empty residue list.\n */\nexport interface ForgetResult {\n  /** The subject id passed to `forget()`. Echoed for caller convenience. */\n  readonly subject: string\n  /** Count of live records rewritten to a tombstone. */\n  readonly recordsShredded: number\n  /** Count of `_history` envelopes tombstoned across all shredded records. */\n  readonly historyVersionsShredded: number\n  /** Distinct collections that had at least one record shredded. */\n  readonly collections: readonly string[]\n  /** `collection:id` pairs shredded while still un-migrated (see type docs). */\n  readonly unmigratedRecords: readonly string[]\n  /** Count of erasable blobs crypto-shredded (refCount → 0, BlobObject deleted). */\n  readonly blobsShredded: number\n  /** Count of erasable blobs retained because still referenced elsewhere (shared). */\n  readonly blobsRetainedShared: number\n  /** Collections with blobs that could NOT be crypto-shredded — legacy (no `_cek`) or blobs disabled (see type docs). */\n  readonly blobResidueCollections: readonly string[]\n  /**\n   * Count of persisted `_idx/<field>/<recordId>` index side-cars hard-deleted\n   * across the shredded records (#401). These live under the retained\n   * collection DEK, so crypto-shred alone would leave the indexed field VALUES\n   * readable — `forget()` must delete them.\n   */\n  readonly indexPostingsPurged: number\n  /**\n   * `collection:id:field` entries whose persisted `_idx` side-car could NOT be\n   * deleted (#401) — index residue that still leaks the indexed value under the\n   * retained collection DEK. Non-empty means erasure is INCOMPLETE: retry, or\n   * purge the side-car out of band.\n   */\n  readonly indexResidue: readonly string[]\n  /** The single `op:'forget'` ledger entry appended for this erasure. */\n  readonly ledgerEntry: LedgerEntry\n}\n","/**\n * The encrypted subject index (#304).\n *\n * GDPR crypto-shred needs to answer \"which records belong to data subject\n * X?\" portably (the index must travel with the vault/bundle) WITHOUT leaking\n * subject-equivalence to the store. The rejected alternative — an unencrypted\n * subject tag in envelope metadata — would let anyone with store access see\n * which records share a subject. Instead we keep a reserved `_subject_index`\n * collection, encrypted under its OWN DEK (`getDEK('_subject_index')`):\n *\n *   - record id  = `sha256Hex(subjectId)` — the raw subject id never appears\n *     as a key, so the store can't correlate index entries to a known subject.\n *   - record body = AES-GCM(JSON `[{ collection, id }]`) under the index DEK.\n *\n * ## Concurrency (RISK #3 — known v1 limitation)\n *\n * `addSubjectRef` / `removeSubjectRef` are read-modify-write with no CAS. The\n * design assumes a SINGLE WRITER (the noy-db single-process write model). Two\n * concurrent writers racing on the SAME subject can lose an entry (last-write\n * wins on the ref list). This is documented, not fixed in v1:\n * `rebuildSubjectIndex` performs a full scan to recover a correct index from\n * the canonical records, so a lost ref is recoverable. A CAS-backed index is\n * deferred to a later slice.\n *\n * @module\n */\nimport { encrypt, decrypt } from '../crypto.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/** Reserved collection holding the encrypted subject → records index. */\nexport const SUBJECT_INDEX_COLLECTION = '_subject_index'\n\n/** A single record reference held in a subject's index entry. */\nexport interface SubjectRef {\n  readonly collection: string\n  readonly id: string\n}\n\ntype GetDEK = (collectionName: string) => Promise<CryptoKey>\n\n/** SHA-256 hex of a UTF-8 string. The subject-index record key derivation. */\nasync function sha256HexString(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/** Stable subject-index record id for a subject id. */\nexport async function subjectKey(subjectId: string): Promise<string> {\n  return sha256HexString(subjectId)\n}\n\n/** Read + decrypt the ref list for a subject. Returns `[]` when absent. */\nasync function readRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n): Promise<SubjectRef[]> {\n  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key)\n  if (!env || !env._data) return []\n  if (!encrypted) return JSON.parse(env._data) as SubjectRef[]\n  const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n  const json = await decrypt(env._iv, env._data, dek)\n  return JSON.parse(json) as SubjectRef[]\n}\n\n/** Encrypt + write a ref list for a subject under its derived key. */\nasync function writeRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n  refs: SubjectRef[],\n): Promise<void> {\n  const json = JSON.stringify(refs)\n  let env: EncryptedEnvelope\n  if (!encrypted) {\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: '', _data: json }\n  } else {\n    const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: iv, _data: data }\n  }\n  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env)\n}\n\n/**\n * Add a `{ collection, id }` ref to a subject's index entry (idempotent —\n * a duplicate ref is not appended). Read-modify-write; see the concurrency\n * note in the module docstring.\n */\nexport async function addSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return\n  refs.push(ref)\n  await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n}\n\n/**\n * Remove a `{ collection, id }` ref from a subject's index entry. When the\n * last ref is removed the (now empty) entry is deleted so the store holds no\n * residual key for an erased subject.\n */\nexport async function removeSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id))\n  if (next.length === refs.length) return\n  if (next.length === 0) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key)\n    return\n  }\n  await writeRefs(adapter, vault, getDEK, encrypted, key, next)\n}\n\n/** Look up every record ref for a subject. Returns `[]` when none exist. */\nexport async function lookupSubject(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n): Promise<SubjectRef[]> {\n  const key = await subjectKey(subjectId)\n  return readRefs(adapter, vault, getDEK, encrypted, key)\n}\n\n/**\n * Rebuild the entire subject index from the canonical records (the recovery\n * path for the documented read-modify-write race). Scans each declared\n * collection, reads `record[subjectField]` (dotted path), and rewrites the\n * index from scratch. Tombstoned (already-shredded) records contribute no\n * ref — their body is gone, so they cannot be re-indexed.\n *\n * `decodeRecord` decrypts an envelope to a plain object (or returns null for\n * a tombstone / unreadable record); supplied by the caller so this module\n * stays free of Collection internals.\n */\nexport async function rebuildSubjectIndex(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjects: Readonly<Record<string, string>>,\n  decodeRecord: (collection: string, id: string, env: EncryptedEnvelope) => Promise<Record<string, unknown> | null>,\n): Promise<number> {\n  // Drop every existing index entry first so removed refs don't linger.\n  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION)\n  for (const k of existing) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k)\n  }\n\n  // subjectId → refs, accumulated across all declared collections.\n  const bySubject = new Map<string, SubjectRef[]>()\n  for (const [collection, field] of Object.entries(subjects)) {\n    const ids = await adapter.list(vault, collection)\n    for (const id of ids) {\n      if (id.startsWith('_')) continue\n      const env = await adapter.get(vault, collection, id)\n      if (!env || !env._data) continue // missing or tombstone\n      const record = await decodeRecord(collection, id, env)\n      if (record === null) continue\n      const subjectValue = readDottedPath(record, field)\n      if (subjectValue === undefined || subjectValue === null) continue\n      const subjectId = coerceSubjectId(subjectValue)\n      const list = bySubject.get(subjectId) ?? []\n      list.push({ collection, id })\n      bySubject.set(subjectId, list)\n    }\n  }\n\n  let entries = 0\n  for (const [subjectId, refs] of bySubject) {\n    const key = await subjectKey(subjectId)\n    await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n    entries++\n  }\n  return entries\n}\n\n/**\n * Coerce a read subject-field value to a stable string id. Primitives use\n * their natural string form; objects/arrays are JSON-stringified so structural\n * subjects still get a deterministic key (avoids the `[object Object]` trap).\n */\nexport function coerceSubjectId(value: unknown): string {\n  if (typeof value === 'string') return value\n  if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {\n    return String(value)\n  }\n  return JSON.stringify(value)\n}\n\n/** Read a (possibly dotted) field path from a plain record. */\nexport function readDottedPath(record: Record<string, unknown>, field: string): unknown {\n  if (!field.includes('.')) return record[field]\n  let cursor: unknown = record\n  for (const segment of field.split('.')) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiDO,IAAM,YAA4B,EAAE,UAAU,CAAC,EAAE;AAuBjD,SAAS,kBAAkB,MAA0C;AAC1E,SAAO,EAAE,UAAU,EAAE,GAAG,KAAK,SAAS,EAAE;AAC1C;;;AC3CO,IAAM,2BAA2B;","names":[]}

package/dist/forget/index.d.cts

@@ -1 +1 @@
-export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-C-SSRIxP.cjs';
+export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-BMmajblo.cjs';

package/dist/forget/index.d.ts

@@ -1 +1 @@
-export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-C-SSRIxP.js';
+export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-BMmajblo.js';

package/dist/forget/index.js

@@ -2,10 +2,10 @@ import {
   NO_FORGET,
   SUBJECT_INDEX_COLLECTION,
   withForgetCascade
-} from "../chunk-I5IUYN7B.js";
-import "../chunk-SISBMAPO.js";
-import "../chunk-UNTGHX5A.js";
-import "../chunk-ZEGSDPB7.js";
+} from "../chunk-KNKNOJFS.js";
+import "../chunk-SHIUFIPW.js";
+import "../chunk-OKOKPYWH.js";
+import "../chunk-DJF3FXW5.js";
 export {
   NO_FORGET,
   SUBJECT_INDEX_COLLECTION,

package/dist/guards/index.cjs

@@ -24,10 +24,12 @@ __export(guards_exports, {
   FieldFrozenError: () => FieldFrozenError,
   GuardExecutor: () => GuardExecutor,
   GuardRegistry: () => GuardRegistry,
+  IllegalTransitionError: () => IllegalTransitionError,
   InvariantError: () => InvariantError,
   ReadOnlyVaultFacade: () => ReadOnlyVaultFacade,
   RecordLockedError: () => RecordLockedError,
   immutableGuard: () => immutableGuard,
+  transitionGuard: () => transitionGuard,
   withGuard: () => withGuard
 });
 module.exports = __toCommonJS(guards_exports);
@@ -72,6 +74,23 @@ var FieldFrozenError = class extends NoydbError {
     this.fields = fields;
   }
 };
+var IllegalTransitionError = class extends NoydbError {
+  collection;
+  id;
+  from;
+  to;
+  constructor(collection, id, from, to) {
+    super(
+      "ILLEGAL_TRANSITION",
+      `Cannot transition ${collection}/${id} from "${from}" to "${to}" \u2014 not a declared arc. Use withTransactions({ amendment: true, reason }) with admin/owner role to override.`
+    );
+    this.name = "IllegalTransitionError";
+    this.collection = collection;
+    this.id = id;
+    this.from = from;
+    this.to = to;
+  }
+};
 var InvariantError = class extends NoydbError {
   constructor(message) {
     super("INVARIANT_VIOLATED", message);
@@ -156,6 +175,59 @@ function immutableGuard(config) {
   return withGuard(spec);
 }
 
+// src/guards/transition-guard.ts
+function recordId2(record) {
+  const id = record?.id;
+  return typeof id === "string" ? id : "";
+}
+function stateOf(record, field) {
+  const v = record[field];
+  return typeof v === "string" ? v : String(v);
+}
+function transitionGuard(config) {
+  const { collection, field, transitions, initial, amendmentRoles, amendmentInvariant } = config;
+  const allowIdempotent = config.allowIdempotent ?? true;
+  if (!field) {
+    throw new ValidationError("transitionGuard: `field` is required");
+  }
+  if (transitions === void 0 || typeof transitions !== "object") {
+    throw new ValidationError("transitionGuard: `transitions` must be a state\u2192states map");
+  }
+  const spec = {
+    collection,
+    check: (incoming, ctx) => {
+      const rec = incoming;
+      const to = stateOf(rec, field);
+      if (ctx.existing === null) {
+        if (initial !== void 0 && !initial.includes(to)) {
+          throw new IllegalTransitionError(collection, recordId2(rec), "(none)", to);
+        }
+        return;
+      }
+      const from = stateOf(ctx.existing, field);
+      if (from === to) {
+        if (allowIdempotent) return;
+        throw new IllegalTransitionError(collection, recordId2(rec), from, to);
+      }
+      const allowed = transitions[from] ?? [];
+      if (!allowed.includes(to)) {
+        throw new IllegalTransitionError(collection, recordId2(rec), from, to);
+      }
+    },
+    // The authorized override: inside an amendment transaction the check
+    // is skipped and the change is ledgered. By default no extra invariant
+    // — the amendment itself is the sanctioned exception. Callers may
+    // supply `amendmentInvariant` to keep a constraint inviolable even
+    // under amendment; a throw reverts the amendment as `InvariantError`.
+    amendment: {
+      roles: amendmentRoles ?? ["admin", "owner"],
+      invariant: amendmentInvariant ?? (() => {
+      })
+    }
+  };
+  return withGuard(spec);
+}
+
 // src/guards/registry.ts
 var GuardRegistry = class {
   _byCollection = /* @__PURE__ */ new Map();
@@ -351,14 +423,17 @@ function deepEqual(a, b) {
 // src/guards/read-only-facade.ts
 var ReadOnlyVaultFacade = class {
   _vault;
-  constructor(vault) {
+  _layer;
+  constructor(vault, layer = "read") {
     this._vault = vault;
+    this._layer = layer;
   }
   collection(name) {
     const c = this._vault.collection(name);
+    const layer = this._layer;
     return {
-      get: (id) => c.get(id),
-      list: () => c.list(),
+      get: (id) => c.get(id, { _layer: layer }),
+      list: () => c.list({ _layer: layer }),
       query: () => c.query()
     };
   }
@@ -369,10 +444,12 @@ var ReadOnlyVaultFacade = class {
   FieldFrozenError,
   GuardExecutor,
   GuardRegistry,
+  IllegalTransitionError,
   InvariantError,
   ReadOnlyVaultFacade,
   RecordLockedError,
   immutableGuard,
+  transitionGuard,
   withGuard
 });
 //# sourceMappingURL=index.cjs.map