@noy-db/hub 0.2.0-pre.18 → 0.2.0-pre.19

package/dist/derivations/index.d.cts

@@ -1,13 +1,13 @@
-export { w as withDerivation, a as withRollup } from '../with-rollup-Bopu5UDZ.cjs';
-import { aK as DerivationStrategy, aL as DerivationContext } from '../types-BpLPqyaO.cjs';
-export { aM as ArrayOutputSpec, aN as DerivationRegistry, aO as DerivationStrategyHandle, aP as DerivedFromMeta, aQ as OutputSpec, aR as RecordOutputSpec } from '../types-BpLPqyaO.cjs';
-export { i as DerivationCapExceededError, j as DerivationCycleError, k as DerivationDepthError, l as DerivationOutputShapeError, m as DerivationOutputUnknownError } from '../errors-DUTlAt3Y.cjs';
+export { w as withDerivation, a as withRollup } from '../with-rollup-aaxOZcIb.cjs';
+import { av as DerivationStrategy, aw as DerivationContext } from '../types-D-gr5t0G.cjs';
+export { ax as ArrayOutputSpec, ay as DerivationRegistry, az as DerivationStrategyHandle, aA as DerivedFromMeta, aB as OutputSpec, aC as RecordOutputSpec } from '../types-D-gr5t0G.cjs';
+export { i as DerivationCapExceededError, j as DerivationCycleError, k as DerivationDepthError, l as DerivationOutputShapeError, m as DerivationOutputUnknownError } from '../errors-DL-zTrrF.cjs';
 import '../lazy-builder-eYZzLEL1.cjs';
 import '../predicate-BmhBSPCH.cjs';
-import '../strategy-nuyN8K5N.cjs';
+import '../strategy-C5ol6NdV.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-C-SSRIxP.cjs';
-import '../index-C6lgoUhK.cjs';
+import '../index-BMmajblo.cjs';
+import '../index-BM7O48Ur.cjs';
 import '@noy-db/attestation';
 
 interface RunResult {

package/dist/derivations/index.d.ts

@@ -1,13 +1,13 @@
-export { w as withDerivation, a as withRollup } from '../with-rollup-DrlGkxiE.js';
-import { aK as DerivationStrategy, aL as DerivationContext } from '../types-Diqc2caK.js';
-export { aM as ArrayOutputSpec, aN as DerivationRegistry, aO as DerivationStrategyHandle, aP as DerivedFromMeta, aQ as OutputSpec, aR as RecordOutputSpec } from '../types-Diqc2caK.js';
-export { i as DerivationCapExceededError, j as DerivationCycleError, k as DerivationDepthError, l as DerivationOutputShapeError, m as DerivationOutputUnknownError } from '../errors-DUTlAt3Y.js';
+export { w as withDerivation, a as withRollup } from '../with-rollup-_TyBzz3T.js';
+import { av as DerivationStrategy, aw as DerivationContext } from '../types-CraiZOyO.js';
+export { ax as ArrayOutputSpec, ay as DerivationRegistry, az as DerivationStrategyHandle, aA as DerivedFromMeta, aB as OutputSpec, aC as RecordOutputSpec } from '../types-CraiZOyO.js';
+export { i as DerivationCapExceededError, j as DerivationCycleError, k as DerivationDepthError, l as DerivationOutputShapeError, m as DerivationOutputUnknownError } from '../errors-DL-zTrrF.js';
 import '../lazy-builder-ChSqcF5t.js';
 import '../predicate-BmhBSPCH.js';
-import '../strategy-Diwh5lzS.js';
+import '../strategy-BDxQnnTX.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-C-SSRIxP.js';
-import '../index-DP1JTWHZ.js';
+import '../index-BMmajblo.js';
+import '../index-BelbyUwz.js';
 import '@noy-db/attestation';
 
 interface RunResult {

package/dist/derivations/index.js

@@ -1,20 +1,20 @@
 import {
   withDerivation,
   withRollup
-} from "../chunk-YWYW2YNO.js";
+} from "../chunk-CYNTFU2D.js";
 import {
   DerivationRegistry
-} from "../chunk-KQ523X3A.js";
+} from "../chunk-6OSOE6BY.js";
 import {
   DerivationExecutor
-} from "../chunk-33DAO2XG.js";
+} from "../chunk-7HD67R6U.js";
 import {
   DerivationCapExceededError,
   DerivationCycleError,
   DerivationDepthError,
   DerivationOutputShapeError,
   DerivationOutputUnknownError
-} from "../chunk-HMFC6M2G.js";
+} from "../chunk-DJF3FXW5.js";
 export {
   DerivationCapExceededError,
   DerivationCycleError,

package/dist/{dev-unlock-3_2b_vo6.d.cts → dev-unlock-BR1rMOS-.d.cts}

@@ -1,4 +1,4 @@
-import { a$ as Role, b0 as UnlockedKeyring } from './types-BpLPqyaO.cjs';
+import { aM as Role, aN as UnlockedKeyring } from './types-D-gr5t0G.cjs';
 
 /**
  * Session tokens —

package/dist/{dev-unlock-BMvwPr_E.d.ts → dev-unlock-whL49sxV.d.ts}

@@ -1,4 +1,4 @@
-import { a$ as Role, b0 as UnlockedKeyring } from './types-Diqc2caK.js';
+import { aM as Role, aN as UnlockedKeyring } from './types-CraiZOyO.js';
 
 /**
  * Session tokens —

package/dist/{errors-DUTlAt3Y.d.ts → errors-DL-zTrrF.d.cts}

@@ -1361,6 +1361,19 @@ declare class ShardProvisioningError extends NoydbError {
     readonly vaultId: string;
     constructor(vaultId: string, partitionKey: string);
 }
+/**
+ * Thrown by `VaultGroup.createShard` when `sharding.regionOf` resolves a
+ * required region that doesn't match the placement backend's
+ * `capabilities.region` — the shard would land on a non-compliant backend
+ * (data-residency violation, #271). Raised BEFORE provisioning, so no
+ * vault is created.
+ */
+declare class DataResidencyError extends NoydbError {
+    readonly vaultId: string;
+    readonly requiredRegion: string;
+    readonly backendRegion: string | undefined;
+    constructor(vaultId: string, requiredRegion: string, backendRegion: string | undefined);
+}
 /** Thrown when a VaultGroup references a template name that was never registered. */
 declare class VaultTemplateNotFoundError extends NoydbError {
     readonly templateName: string;
@@ -1431,4 +1444,4 @@ declare class RecordCekNotFoundError extends NoydbError {
     constructor(collection: string, id: string);
 }
 
-export { FilenameSanitizationError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewCycleError as C, DictKeyInUseError as D, MaterializedViewSourceUnknownError as E, FieldFrozenError as F, MaterializedViewTooLargeError as G, AlreadyElevatedError as H, IllegalTransitionError as I, ConflictError as J, CrossJoinSourceUnknownError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, CrossJoinTooLargeError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DanglingReferenceError as V, DecryptionError as W, DelegationTargetMissingError as X, DirectoryDisabledError as Y, ElevationExpiredError as Z, ExportCapabilityError as _, DictKeyMissingError as a, ForgetStrategyNotConfiguredError as a0, GroupCardinalityError as a1, ImportCapabilityError as a2, IndexRequiredError as a3, IndexWriteFailureError as a4, InvalidKeyError as a5, JoinTooLargeError as a6, KeyringCorruptError as a7, KeyringExpiredError as a8, LedgerContentionError as a9, TierNotGrantedError as aA, UniqueConstraintError as aB, UnknownShardError as aC, UnsupportedIndexOptionError as aD, ValidationError as aE, VaultTemplateNotFoundError as aF, MigrationRequiredError as aa, NetworkError as ab, NoAccessError as ac, NonAdditiveSchemaChangeError as ad, NotFoundError as ae, NumberingUncertaintyError as af, PathEscapeError as ag, PeriodClosedError as ah, PermissionDeniedError as ai, PrivilegeEscalationError as aj, QuiesceTimeoutError as ak, ReadOnlyAtInstantError as al, ReadOnlyError as am, ReadOnlyFrameError as an, RecordCekNotFoundError as ao, ReservedVaultNameError as ap, SchemaFenceError as aq, SchemaLockedError as ar, SchemaUpdateError as as, SchemaValidationError as at, SequenceContentionError as au, SequenceOfflineError as av, ShardProvisioningError as aw, StoreCapabilityError as ax, TamperedError as ay, TierDemoteDeniedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, InvariantError as f, RecordLockedError as g, SnapshotNotFoundError as h, DerivationCapExceededError as i, DerivationCycleError as j, DerivationDepthError as k, DerivationOutputShapeError as l, DerivationOutputUnknownError as m, OverlayCollectionUnavailableError as n, OverlayIdMismatchError as o, OverlayNameCollisionError as p, SealedRecordExpiredError as q, SealedRecordMismatchError as r, AttestationError as s, AdoptionStateError as t, BackupLedgerError as u, BundleIntegrityError as v, BundleSealMismatchError as w, BundleVersionConflictError as x, TransferSealError as y, MaterializedViewConfigError as z };
+export { ExportCapabilityError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewCycleError as C, DictKeyInUseError as D, MaterializedViewSourceUnknownError as E, FieldFrozenError as F, MaterializedViewTooLargeError as G, AlreadyElevatedError as H, IllegalTransitionError as I, ConflictError as J, CrossJoinSourceUnknownError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, CrossJoinTooLargeError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DanglingReferenceError as V, DataResidencyError as W, DecryptionError as X, DelegationTargetMissingError as Y, DirectoryDisabledError as Z, ElevationExpiredError as _, DictKeyMissingError as a, FilenameSanitizationError as a0, ForgetStrategyNotConfiguredError as a1, GroupCardinalityError as a2, ImportCapabilityError as a3, IndexRequiredError as a4, IndexWriteFailureError as a5, InvalidKeyError as a6, JoinTooLargeError as a7, KeyringCorruptError as a8, KeyringExpiredError as a9, TierDemoteDeniedError as aA, TierNotGrantedError as aB, UniqueConstraintError as aC, UnknownShardError as aD, UnsupportedIndexOptionError as aE, ValidationError as aF, VaultTemplateNotFoundError as aG, LedgerContentionError as aa, MigrationRequiredError as ab, NetworkError as ac, NoAccessError as ad, NonAdditiveSchemaChangeError as ae, NotFoundError as af, NumberingUncertaintyError as ag, PathEscapeError as ah, PeriodClosedError as ai, PermissionDeniedError as aj, PrivilegeEscalationError as ak, QuiesceTimeoutError as al, ReadOnlyAtInstantError as am, ReadOnlyError as an, ReadOnlyFrameError as ao, RecordCekNotFoundError as ap, ReservedVaultNameError as aq, SchemaFenceError as ar, SchemaLockedError as as, SchemaUpdateError as at, SchemaValidationError as au, SequenceContentionError as av, SequenceOfflineError as aw, ShardProvisioningError as ax, StoreCapabilityError as ay, TamperedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, InvariantError as f, RecordLockedError as g, SnapshotNotFoundError as h, DerivationCapExceededError as i, DerivationCycleError as j, DerivationDepthError as k, DerivationOutputShapeError as l, DerivationOutputUnknownError as m, OverlayCollectionUnavailableError as n, OverlayIdMismatchError as o, OverlayNameCollisionError as p, SealedRecordExpiredError as q, SealedRecordMismatchError as r, AttestationError as s, AdoptionStateError as t, BackupLedgerError as u, BundleIntegrityError as v, BundleSealMismatchError as w, BundleVersionConflictError as x, TransferSealError as y, MaterializedViewConfigError as z };

package/dist/{errors-DUTlAt3Y.d.cts → errors-DL-zTrrF.d.ts}

@@ -1361,6 +1361,19 @@ declare class ShardProvisioningError extends NoydbError {
     readonly vaultId: string;
     constructor(vaultId: string, partitionKey: string);
 }
+/**
+ * Thrown by `VaultGroup.createShard` when `sharding.regionOf` resolves a
+ * required region that doesn't match the placement backend's
+ * `capabilities.region` — the shard would land on a non-compliant backend
+ * (data-residency violation, #271). Raised BEFORE provisioning, so no
+ * vault is created.
+ */
+declare class DataResidencyError extends NoydbError {
+    readonly vaultId: string;
+    readonly requiredRegion: string;
+    readonly backendRegion: string | undefined;
+    constructor(vaultId: string, requiredRegion: string, backendRegion: string | undefined);
+}
 /** Thrown when a VaultGroup references a template name that was never registered. */
 declare class VaultTemplateNotFoundError extends NoydbError {
     readonly templateName: string;
@@ -1431,4 +1444,4 @@ declare class RecordCekNotFoundError extends NoydbError {
     constructor(collection: string, id: string);
 }
 
-export { FilenameSanitizationError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewCycleError as C, DictKeyInUseError as D, MaterializedViewSourceUnknownError as E, FieldFrozenError as F, MaterializedViewTooLargeError as G, AlreadyElevatedError as H, IllegalTransitionError as I, ConflictError as J, CrossJoinSourceUnknownError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, CrossJoinTooLargeError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DanglingReferenceError as V, DecryptionError as W, DelegationTargetMissingError as X, DirectoryDisabledError as Y, ElevationExpiredError as Z, ExportCapabilityError as _, DictKeyMissingError as a, ForgetStrategyNotConfiguredError as a0, GroupCardinalityError as a1, ImportCapabilityError as a2, IndexRequiredError as a3, IndexWriteFailureError as a4, InvalidKeyError as a5, JoinTooLargeError as a6, KeyringCorruptError as a7, KeyringExpiredError as a8, LedgerContentionError as a9, TierNotGrantedError as aA, UniqueConstraintError as aB, UnknownShardError as aC, UnsupportedIndexOptionError as aD, ValidationError as aE, VaultTemplateNotFoundError as aF, MigrationRequiredError as aa, NetworkError as ab, NoAccessError as ac, NonAdditiveSchemaChangeError as ad, NotFoundError as ae, NumberingUncertaintyError as af, PathEscapeError as ag, PeriodClosedError as ah, PermissionDeniedError as ai, PrivilegeEscalationError as aj, QuiesceTimeoutError as ak, ReadOnlyAtInstantError as al, ReadOnlyError as am, ReadOnlyFrameError as an, RecordCekNotFoundError as ao, ReservedVaultNameError as ap, SchemaFenceError as aq, SchemaLockedError as ar, SchemaUpdateError as as, SchemaValidationError as at, SequenceContentionError as au, SequenceOfflineError as av, ShardProvisioningError as aw, StoreCapabilityError as ax, TamperedError as ay, TierDemoteDeniedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, InvariantError as f, RecordLockedError as g, SnapshotNotFoundError as h, DerivationCapExceededError as i, DerivationCycleError as j, DerivationDepthError as k, DerivationOutputShapeError as l, DerivationOutputUnknownError as m, OverlayCollectionUnavailableError as n, OverlayIdMismatchError as o, OverlayNameCollisionError as p, SealedRecordExpiredError as q, SealedRecordMismatchError as r, AttestationError as s, AdoptionStateError as t, BackupLedgerError as u, BundleIntegrityError as v, BundleSealMismatchError as w, BundleVersionConflictError as x, TransferSealError as y, MaterializedViewConfigError as z };
+export { ExportCapabilityError as $, AmendmentForbiddenError as A, BackupCorruptedError as B, MaterializedViewCycleError as C, DictKeyInUseError as D, MaterializedViewSourceUnknownError as E, FieldFrozenError as F, MaterializedViewTooLargeError as G, AlreadyElevatedError as H, IllegalTransitionError as I, ConflictError as J, CrossJoinSourceUnknownError as K, LocaleNotSpecifiedError as L, MissingTranslationError as M, NoydbError as N, OverlayBaseIsVirtualError as O, PartitionExtractionError as P, CrossJoinTooLargeError as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, DanglingReferenceError as V, DataResidencyError as W, DecryptionError as X, DelegationTargetMissingError as Y, DirectoryDisabledError as Z, ElevationExpiredError as _, DictKeyMissingError as a, FilenameSanitizationError as a0, ForgetStrategyNotConfiguredError as a1, GroupCardinalityError as a2, ImportCapabilityError as a3, IndexRequiredError as a4, IndexWriteFailureError as a5, InvalidKeyError as a6, JoinTooLargeError as a7, KeyringCorruptError as a8, KeyringExpiredError as a9, TierDemoteDeniedError as aA, TierNotGrantedError as aB, UniqueConstraintError as aC, UnknownShardError as aD, UnsupportedIndexOptionError as aE, ValidationError as aF, VaultTemplateNotFoundError as aG, LedgerContentionError as aa, MigrationRequiredError as ab, NetworkError as ac, NoAccessError as ad, NonAdditiveSchemaChangeError as ae, NotFoundError as af, NumberingUncertaintyError as ag, PathEscapeError as ah, PeriodClosedError as ai, PermissionDeniedError as aj, PrivilegeEscalationError as ak, QuiesceTimeoutError as al, ReadOnlyAtInstantError as am, ReadOnlyError as an, ReadOnlyFrameError as ao, RecordCekNotFoundError as ap, ReservedVaultNameError as aq, SchemaFenceError as ar, SchemaLockedError as as, SchemaUpdateError as at, SchemaValidationError as au, SequenceContentionError as av, SequenceOfflineError as aw, ShardProvisioningError as ax, StoreCapabilityError as ay, TamperedError as az, StaticDictReadonlyError as b, SessionExpiredError as c, SessionNotFoundError as d, SessionPolicyError as e, InvariantError as f, RecordLockedError as g, SnapshotNotFoundError as h, DerivationCapExceededError as i, DerivationCycleError as j, DerivationDepthError as k, DerivationOutputShapeError as l, DerivationOutputUnknownError as m, OverlayCollectionUnavailableError as n, OverlayIdMismatchError as o, OverlayNameCollisionError as p, SealedRecordExpiredError as q, SealedRecordMismatchError as r, AttestationError as s, AdoptionStateError as t, BackupLedgerError as u, BundleIntegrityError as v, BundleSealMismatchError as w, BundleVersionConflictError as x, TransferSealError as y, MaterializedViewConfigError as z };

package/dist/executor-44R5CUS2.js

@@ -0,0 +1,12 @@
+import {
+  MaterializedViewExecutor
+} from "./chunk-6KESZO5D.js";
+import "./chunk-GYAWXHFO.js";
+import "./chunk-OBMYMKGO.js";
+import "./chunk-LSIIPKYT.js";
+import "./chunk-VEIVAYJ7.js";
+import "./chunk-DJF3FXW5.js";
+export {
+  MaterializedViewExecutor
+};
+//# sourceMappingURL=executor-44R5CUS2.js.map

package/dist/executor-AOACUK7Z.js

@@ -0,0 +1,8 @@
+import {
+  GuardExecutor
+} from "./chunk-IVP5IVON.js";
+import "./chunk-DJF3FXW5.js";
+export {
+  GuardExecutor
+};
+//# sourceMappingURL=executor-AOACUK7Z.js.map

package/dist/executor-OKFLQCDW.js

@@ -0,0 +1,8 @@
+import {
+  DerivationExecutor
+} from "./chunk-7HD67R6U.js";
+import "./chunk-DJF3FXW5.js";
+export {
+  DerivationExecutor
+};
+//# sourceMappingURL=executor-OKFLQCDW.js.map

package/dist/{fanout-sidecar-JGHXAJO5.js → fanout-sidecar-DCQWJQ6S.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-LGPSCKWZ.js";
+} from "./chunk-SHIUFIPW.js";
 
 // src/derivations/fanout-sidecar.ts
 function recordId(source, sourceId, outputKey) {
@@ -48,4 +48,4 @@ export {
   loadFanoutSidecar,
   saveFanoutSidecar
 };
-//# sourceMappingURL=fanout-sidecar-JGHXAJO5.js.map
+//# sourceMappingURL=fanout-sidecar-DCQWJQ6S.js.map

package/dist/forget/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/forget/index.ts","../../src/forget/strategy.ts","../../src/forget/subject-index.ts"],"sourcesContent":["/**\n * `@noy-db/hub/forget` — GDPR right-to-erasure via per-record CEK crypto-shred\n * (#304). Import `withForgetCascade` and pass it to `createNoydb`:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withForgetCascade } from '@noy-db/hub/forget'\n *\n * const db = createNoydb({\n *   secret, user,\n *   historyStrategy: withHistory(),               // ledger for the erasure proof\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await db.vault('main').forget('buyer-123')\n * ```\n *\n * The erasure flow (`vault.forget`), the subject-index maintenance hooks, and\n * the tombstone rewrite live in core (`vault.ts` / `collection.ts`) because\n * they touch the write path directly; this subpath only exposes the\n * declaration factory + result types.\n *\n * @module\n */\nexport {\n  withForgetCascade,\n  NO_FORGET,\n} from './strategy.js'\nexport type {\n  SubjectDeclaration,\n  ForgetStrategy,\n  ForgetResult,\n} from './strategy.js'\nexport type { SubjectRef } from './subject-index.js'\nexport { SUBJECT_INDEX_COLLECTION } from './subject-index.js'\n","/**\n * `withForgetCascade` — declaration surface for GDPR right-to-erasure via\n * per-record CEK crypto-shred (#304, step 2 of the CEK security epic).\n *\n * This file holds only the *declaration* shape and the disabled sentinel.\n * The actual erasure machinery lives in:\n *   - `subject-index.ts` — the encrypted `_subject_index` reserved collection\n *   - `vault.ts` `forget()` — the per-record tombstone + ledger flow\n *   - `collection.ts` `_writeTombstone` — the envelope rewrite\n *\n * A `ForgetStrategy` declares which collections carry erasable subject data\n * and the (dotted-path) field on each record that names the data subject.\n * Declaring a collection here ALSO forces `perRecordKeys: true` for it (a\n * shred can only erase a record whose body is keyed off a per-record CEK),\n * so adopters opt into the CEK foundation transitively.\n *\n * @module\n */\nimport type { LedgerEntry } from '../history/ledger/entry.js'\n\n/**\n * User-supplied declaration passed to {@link withForgetCascade}. Maps a\n * collection name to the record field (dotted path supported, e.g.\n * `'billing.buyerId'`) that identifies the data subject for erasure.\n *\n * ```ts\n * withForgetCascade({ subjects: { invoices: 'buyerId', contacts: 'id' } })\n * ```\n */\nexport interface SubjectDeclaration {\n  readonly subjects: Record<string, string>\n}\n\n/**\n * Resolved forget strategy threaded through Noydb → every Vault. Carries\n * the same `subjects` map the user declared. `NO_FORGET` (empty map) is the\n * off-by-default sentinel; `vault.forget()` throws\n * `ForgetStrategyNotConfiguredError` when the map is empty.\n */\nexport interface ForgetStrategy {\n  /** Collection → subject-field (dotted path). Empty under `NO_FORGET`. */\n  readonly subjects: Readonly<Record<string, string>>\n}\n\n/**\n * Disabled sentinel — no collections declare a subject field. `vault.forget()`\n * refuses with `ForgetStrategyNotConfiguredError`; no write hooks register; no\n * collection is forced into `perRecordKeys`. Non-adopters pay nothing.\n */\nexport const NO_FORGET: ForgetStrategy = { subjects: {} }\n\n/**\n * Declare GDPR crypto-shred for one or more collections.\n *\n * Each declared collection is forced to `perRecordKeys: true` (a shred can\n * only guarantee erasure of a record whose body is keyed off a per-record\n * CEK). On write, Noydb extracts `record[subjectField]` and maintains an\n * encrypted `_subject_index` mapping `subject → [{collection, id}]`, so\n * `vault.forget(subjectId)` can find every record for a subject and rewrite\n * each to a tombstone (body + history permanently undecryptable) while the\n * collection DEK and every other record stay intact.\n *\n * @example\n * ```ts\n * createNoydb({\n *   secret, user,\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await vault.forget('buyer-123')\n * // → { subject, recordsShredded, historyVersionsShredded, collections, … }\n * ```\n */\nexport function withForgetCascade(opts: SubjectDeclaration): ForgetStrategy {\n  return { subjects: { ...opts.subjects } }\n}\n\n/**\n * The outcome of a `vault.forget(subjectId)` call.\n *\n * `unmigratedRecords` lists `collection:id` pairs that were tombstoned but\n * whose body had NOT been migrated to a per-record CEK at shred time (legacy\n * body still under the shared collection DEK). Those records are tombstoned\n * (live envelope + history stripped) but their pre-shred ciphertext, if it\n * leaked into a backup before migration, remains decryptable under the\n * collection DEK — so erasure-completeness is NOT guaranteed for them. Run\n * the per-record-CEK migration pass, then re-forget, to close the gap.\n *\n * Blob attachments (#365): a shredded record's **erasable** blobs (on a\n * `perRecordKeys` collection) are crypto-shredded inline — `blobsShredded`\n * counts those taken to refCount 0 (BlobObject deleted → chunks permanently\n * undecryptable), `blobsRetainedShared` counts those still referenced by\n * another record (shared content legitimately persists for its other owner).\n * `blobResidueCollections` now lists only collections with blobs that could\n * NOT be crypto-shredded: **legacy** blobs (no per-blob `_cek`, chunks under\n * the shared `_blob` DEK — migrate them), or a session without the blob\n * subsystem loaded. An all-erasable subject yields an empty residue list.\n */\nexport interface ForgetResult {\n  /** The subject id passed to `forget()`. Echoed for caller convenience. */\n  readonly subject: string\n  /** Count of live records rewritten to a tombstone. */\n  readonly recordsShredded: number\n  /** Count of `_history` envelopes tombstoned across all shredded records. */\n  readonly historyVersionsShredded: number\n  /** Distinct collections that had at least one record shredded. */\n  readonly collections: readonly string[]\n  /** `collection:id` pairs shredded while still un-migrated (see type docs). */\n  readonly unmigratedRecords: readonly string[]\n  /** Count of erasable blobs crypto-shredded (refCount → 0, BlobObject deleted). */\n  readonly blobsShredded: number\n  /** Count of erasable blobs retained because still referenced elsewhere (shared). */\n  readonly blobsRetainedShared: number\n  /** Collections with blobs that could NOT be crypto-shredded — legacy (no `_cek`) or blobs disabled (see type docs). */\n  readonly blobResidueCollections: readonly string[]\n  /** The single `op:'forget'` ledger entry appended for this erasure. */\n  readonly ledgerEntry: LedgerEntry\n}\n","/**\n * The encrypted subject index (#304).\n *\n * GDPR crypto-shred needs to answer \"which records belong to data subject\n * X?\" portably (the index must travel with the vault/bundle) WITHOUT leaking\n * subject-equivalence to the store. The rejected alternative — an unencrypted\n * subject tag in envelope metadata — would let anyone with store access see\n * which records share a subject. Instead we keep a reserved `_subject_index`\n * collection, encrypted under its OWN DEK (`getDEK('_subject_index')`):\n *\n *   - record id  = `sha256Hex(subjectId)` — the raw subject id never appears\n *     as a key, so the store can't correlate index entries to a known subject.\n *   - record body = AES-GCM(JSON `[{ collection, id }]`) under the index DEK.\n *\n * ## Concurrency (RISK #3 — known v1 limitation)\n *\n * `addSubjectRef` / `removeSubjectRef` are read-modify-write with no CAS. The\n * design assumes a SINGLE WRITER (the noy-db single-process write model). Two\n * concurrent writers racing on the SAME subject can lose an entry (last-write\n * wins on the ref list). This is documented, not fixed in v1:\n * `rebuildSubjectIndex` performs a full scan to recover a correct index from\n * the canonical records, so a lost ref is recoverable. A CAS-backed index is\n * deferred to a later slice.\n *\n * @module\n */\nimport { encrypt, decrypt } from '../crypto.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/** Reserved collection holding the encrypted subject → records index. */\nexport const SUBJECT_INDEX_COLLECTION = '_subject_index'\n\n/** A single record reference held in a subject's index entry. */\nexport interface SubjectRef {\n  readonly collection: string\n  readonly id: string\n}\n\ntype GetDEK = (collectionName: string) => Promise<CryptoKey>\n\n/** SHA-256 hex of a UTF-8 string. The subject-index record key derivation. */\nasync function sha256HexString(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/** Stable subject-index record id for a subject id. */\nexport async function subjectKey(subjectId: string): Promise<string> {\n  return sha256HexString(subjectId)\n}\n\n/** Read + decrypt the ref list for a subject. Returns `[]` when absent. */\nasync function readRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n): Promise<SubjectRef[]> {\n  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key)\n  if (!env || !env._data) return []\n  if (!encrypted) return JSON.parse(env._data) as SubjectRef[]\n  const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n  const json = await decrypt(env._iv, env._data, dek)\n  return JSON.parse(json) as SubjectRef[]\n}\n\n/** Encrypt + write a ref list for a subject under its derived key. */\nasync function writeRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n  refs: SubjectRef[],\n): Promise<void> {\n  const json = JSON.stringify(refs)\n  let env: EncryptedEnvelope\n  if (!encrypted) {\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: '', _data: json }\n  } else {\n    const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: iv, _data: data }\n  }\n  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env)\n}\n\n/**\n * Add a `{ collection, id }` ref to a subject's index entry (idempotent —\n * a duplicate ref is not appended). Read-modify-write; see the concurrency\n * note in the module docstring.\n */\nexport async function addSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return\n  refs.push(ref)\n  await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n}\n\n/**\n * Remove a `{ collection, id }` ref from a subject's index entry. When the\n * last ref is removed the (now empty) entry is deleted so the store holds no\n * residual key for an erased subject.\n */\nexport async function removeSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id))\n  if (next.length === refs.length) return\n  if (next.length === 0) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key)\n    return\n  }\n  await writeRefs(adapter, vault, getDEK, encrypted, key, next)\n}\n\n/** Look up every record ref for a subject. Returns `[]` when none exist. */\nexport async function lookupSubject(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n): Promise<SubjectRef[]> {\n  const key = await subjectKey(subjectId)\n  return readRefs(adapter, vault, getDEK, encrypted, key)\n}\n\n/**\n * Rebuild the entire subject index from the canonical records (the recovery\n * path for the documented read-modify-write race). Scans each declared\n * collection, reads `record[subjectField]` (dotted path), and rewrites the\n * index from scratch. Tombstoned (already-shredded) records contribute no\n * ref — their body is gone, so they cannot be re-indexed.\n *\n * `decodeRecord` decrypts an envelope to a plain object (or returns null for\n * a tombstone / unreadable record); supplied by the caller so this module\n * stays free of Collection internals.\n */\nexport async function rebuildSubjectIndex(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjects: Readonly<Record<string, string>>,\n  decodeRecord: (collection: string, id: string, env: EncryptedEnvelope) => Promise<Record<string, unknown> | null>,\n): Promise<number> {\n  // Drop every existing index entry first so removed refs don't linger.\n  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION)\n  for (const k of existing) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k)\n  }\n\n  // subjectId → refs, accumulated across all declared collections.\n  const bySubject = new Map<string, SubjectRef[]>()\n  for (const [collection, field] of Object.entries(subjects)) {\n    const ids = await adapter.list(vault, collection)\n    for (const id of ids) {\n      if (id.startsWith('_')) continue\n      const env = await adapter.get(vault, collection, id)\n      if (!env || !env._data) continue // missing or tombstone\n      const record = await decodeRecord(collection, id, env)\n      if (record === null) continue\n      const subjectValue = readDottedPath(record, field)\n      if (subjectValue === undefined || subjectValue === null) continue\n      const subjectId = coerceSubjectId(subjectValue)\n      const list = bySubject.get(subjectId) ?? []\n      list.push({ collection, id })\n      bySubject.set(subjectId, list)\n    }\n  }\n\n  let entries = 0\n  for (const [subjectId, refs] of bySubject) {\n    const key = await subjectKey(subjectId)\n    await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n    entries++\n  }\n  return entries\n}\n\n/**\n * Coerce a read subject-field value to a stable string id. Primitives use\n * their natural string form; objects/arrays are JSON-stringified so structural\n * subjects still get a deterministic key (avoids the `[object Object]` trap).\n */\nexport function coerceSubjectId(value: unknown): string {\n  if (typeof value === 'string') return value\n  if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {\n    return String(value)\n  }\n  return JSON.stringify(value)\n}\n\n/** Read a (possibly dotted) field path from a plain record. */\nexport function readDottedPath(record: Record<string, unknown>, field: string): unknown {\n  if (!field.includes('.')) return record[field]\n  let cursor: unknown = record\n  for (const segment of field.split('.')) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiDO,IAAM,YAA4B,EAAE,UAAU,CAAC,EAAE;AAuBjD,SAAS,kBAAkB,MAA0C;AAC1E,SAAO,EAAE,UAAU,EAAE,GAAG,KAAK,SAAS,EAAE;AAC1C;;;AC3CO,IAAM,2BAA2B;","names":[]}
+{"version":3,"sources":["../../src/forget/index.ts","../../src/forget/strategy.ts","../../src/forget/subject-index.ts"],"sourcesContent":["/**\n * `@noy-db/hub/forget` — GDPR right-to-erasure via per-record CEK crypto-shred\n * (#304). Import `withForgetCascade` and pass it to `createNoydb`:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withForgetCascade } from '@noy-db/hub/forget'\n *\n * const db = createNoydb({\n *   secret, user,\n *   historyStrategy: withHistory(),               // ledger for the erasure proof\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await db.vault('main').forget('buyer-123')\n * ```\n *\n * The erasure flow (`vault.forget`), the subject-index maintenance hooks, and\n * the tombstone rewrite live in core (`vault.ts` / `collection.ts`) because\n * they touch the write path directly; this subpath only exposes the\n * declaration factory + result types.\n *\n * @module\n */\nexport {\n  withForgetCascade,\n  NO_FORGET,\n} from './strategy.js'\nexport type {\n  SubjectDeclaration,\n  ForgetStrategy,\n  ForgetResult,\n} from './strategy.js'\nexport type { SubjectRef } from './subject-index.js'\nexport { SUBJECT_INDEX_COLLECTION } from './subject-index.js'\n","/**\n * `withForgetCascade` — declaration surface for GDPR right-to-erasure via\n * per-record CEK crypto-shred (#304, step 2 of the CEK security epic).\n *\n * This file holds only the *declaration* shape and the disabled sentinel.\n * The actual erasure machinery lives in:\n *   - `subject-index.ts` — the encrypted `_subject_index` reserved collection\n *   - `vault.ts` `forget()` — the per-record tombstone + ledger flow\n *   - `collection.ts` `_writeTombstone` — the envelope rewrite\n *\n * A `ForgetStrategy` declares which collections carry erasable subject data\n * and the (dotted-path) field on each record that names the data subject.\n * Declaring a collection here ALSO forces `perRecordKeys: true` for it (a\n * shred can only erase a record whose body is keyed off a per-record CEK),\n * so adopters opt into the CEK foundation transitively.\n *\n * @module\n */\nimport type { LedgerEntry } from '../history/ledger/entry.js'\n\n/**\n * User-supplied declaration passed to {@link withForgetCascade}. Maps a\n * collection name to the record field (dotted path supported, e.g.\n * `'billing.buyerId'`) that identifies the data subject for erasure.\n *\n * ```ts\n * withForgetCascade({ subjects: { invoices: 'buyerId', contacts: 'id' } })\n * ```\n */\nexport interface SubjectDeclaration {\n  readonly subjects: Record<string, string>\n}\n\n/**\n * Resolved forget strategy threaded through Noydb → every Vault. Carries\n * the same `subjects` map the user declared. `NO_FORGET` (empty map) is the\n * off-by-default sentinel; `vault.forget()` throws\n * `ForgetStrategyNotConfiguredError` when the map is empty.\n */\nexport interface ForgetStrategy {\n  /** Collection → subject-field (dotted path). Empty under `NO_FORGET`. */\n  readonly subjects: Readonly<Record<string, string>>\n}\n\n/**\n * Disabled sentinel — no collections declare a subject field. `vault.forget()`\n * refuses with `ForgetStrategyNotConfiguredError`; no write hooks register; no\n * collection is forced into `perRecordKeys`. Non-adopters pay nothing.\n */\nexport const NO_FORGET: ForgetStrategy = { subjects: {} }\n\n/**\n * Declare GDPR crypto-shred for one or more collections.\n *\n * Each declared collection is forced to `perRecordKeys: true` (a shred can\n * only guarantee erasure of a record whose body is keyed off a per-record\n * CEK). On write, Noydb extracts `record[subjectField]` and maintains an\n * encrypted `_subject_index` mapping `subject → [{collection, id}]`, so\n * `vault.forget(subjectId)` can find every record for a subject and rewrite\n * each to a tombstone (body + history permanently undecryptable) while the\n * collection DEK and every other record stay intact.\n *\n * @example\n * ```ts\n * createNoydb({\n *   secret, user,\n *   forgetStrategy: withForgetCascade({ subjects: { invoices: 'buyerId' } }),\n * })\n * const result = await vault.forget('buyer-123')\n * // → { subject, recordsShredded, historyVersionsShredded, collections, … }\n * ```\n */\nexport function withForgetCascade(opts: SubjectDeclaration): ForgetStrategy {\n  return { subjects: { ...opts.subjects } }\n}\n\n/**\n * The outcome of a `vault.forget(subjectId)` call.\n *\n * `unmigratedRecords` lists `collection:id` pairs that were tombstoned but\n * whose body had NOT been migrated to a per-record CEK at shred time (legacy\n * body still under the shared collection DEK). Those records are tombstoned\n * (live envelope + history stripped) but their pre-shred ciphertext, if it\n * leaked into a backup before migration, remains decryptable under the\n * collection DEK — so erasure-completeness is NOT guaranteed for them. Run\n * the per-record-CEK migration pass, then re-forget, to close the gap.\n *\n * Blob attachments (#365): a shredded record's **erasable** blobs (on a\n * `perRecordKeys` collection) are crypto-shredded inline — `blobsShredded`\n * counts those taken to refCount 0 (BlobObject deleted → chunks permanently\n * undecryptable), `blobsRetainedShared` counts those still referenced by\n * another record (shared content legitimately persists for its other owner).\n * `blobResidueCollections` now lists only collections with blobs that could\n * NOT be crypto-shredded: **legacy** blobs (no per-blob `_cek`, chunks under\n * the shared `_blob` DEK — migrate them), or a session without the blob\n * subsystem loaded. An all-erasable subject yields an empty residue list.\n */\nexport interface ForgetResult {\n  /** The subject id passed to `forget()`. Echoed for caller convenience. */\n  readonly subject: string\n  /** Count of live records rewritten to a tombstone. */\n  readonly recordsShredded: number\n  /** Count of `_history` envelopes tombstoned across all shredded records. */\n  readonly historyVersionsShredded: number\n  /** Distinct collections that had at least one record shredded. */\n  readonly collections: readonly string[]\n  /** `collection:id` pairs shredded while still un-migrated (see type docs). */\n  readonly unmigratedRecords: readonly string[]\n  /** Count of erasable blobs crypto-shredded (refCount → 0, BlobObject deleted). */\n  readonly blobsShredded: number\n  /** Count of erasable blobs retained because still referenced elsewhere (shared). */\n  readonly blobsRetainedShared: number\n  /** Collections with blobs that could NOT be crypto-shredded — legacy (no `_cek`) or blobs disabled (see type docs). */\n  readonly blobResidueCollections: readonly string[]\n  /**\n   * Count of persisted `_idx/<field>/<recordId>` index side-cars hard-deleted\n   * across the shredded records (#401). These live under the retained\n   * collection DEK, so crypto-shred alone would leave the indexed field VALUES\n   * readable — `forget()` must delete them.\n   */\n  readonly indexPostingsPurged: number\n  /**\n   * `collection:id:field` entries whose persisted `_idx` side-car could NOT be\n   * deleted (#401) — index residue that still leaks the indexed value under the\n   * retained collection DEK. Non-empty means erasure is INCOMPLETE: retry, or\n   * purge the side-car out of band.\n   */\n  readonly indexResidue: readonly string[]\n  /** The single `op:'forget'` ledger entry appended for this erasure. */\n  readonly ledgerEntry: LedgerEntry\n}\n","/**\n * The encrypted subject index (#304).\n *\n * GDPR crypto-shred needs to answer \"which records belong to data subject\n * X?\" portably (the index must travel with the vault/bundle) WITHOUT leaking\n * subject-equivalence to the store. The rejected alternative — an unencrypted\n * subject tag in envelope metadata — would let anyone with store access see\n * which records share a subject. Instead we keep a reserved `_subject_index`\n * collection, encrypted under its OWN DEK (`getDEK('_subject_index')`):\n *\n *   - record id  = `sha256Hex(subjectId)` — the raw subject id never appears\n *     as a key, so the store can't correlate index entries to a known subject.\n *   - record body = AES-GCM(JSON `[{ collection, id }]`) under the index DEK.\n *\n * ## Concurrency (RISK #3 — known v1 limitation)\n *\n * `addSubjectRef` / `removeSubjectRef` are read-modify-write with no CAS. The\n * design assumes a SINGLE WRITER (the noy-db single-process write model). Two\n * concurrent writers racing on the SAME subject can lose an entry (last-write\n * wins on the ref list). This is documented, not fixed in v1:\n * `rebuildSubjectIndex` performs a full scan to recover a correct index from\n * the canonical records, so a lost ref is recoverable. A CAS-backed index is\n * deferred to a later slice.\n *\n * @module\n */\nimport { encrypt, decrypt } from '../crypto.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/** Reserved collection holding the encrypted subject → records index. */\nexport const SUBJECT_INDEX_COLLECTION = '_subject_index'\n\n/** A single record reference held in a subject's index entry. */\nexport interface SubjectRef {\n  readonly collection: string\n  readonly id: string\n}\n\ntype GetDEK = (collectionName: string) => Promise<CryptoKey>\n\n/** SHA-256 hex of a UTF-8 string. The subject-index record key derivation. */\nasync function sha256HexString(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/** Stable subject-index record id for a subject id. */\nexport async function subjectKey(subjectId: string): Promise<string> {\n  return sha256HexString(subjectId)\n}\n\n/** Read + decrypt the ref list for a subject. Returns `[]` when absent. */\nasync function readRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n): Promise<SubjectRef[]> {\n  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key)\n  if (!env || !env._data) return []\n  if (!encrypted) return JSON.parse(env._data) as SubjectRef[]\n  const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n  const json = await decrypt(env._iv, env._data, dek)\n  return JSON.parse(json) as SubjectRef[]\n}\n\n/** Encrypt + write a ref list for a subject under its derived key. */\nasync function writeRefs(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  key: string,\n  refs: SubjectRef[],\n): Promise<void> {\n  const json = JSON.stringify(refs)\n  let env: EncryptedEnvelope\n  if (!encrypted) {\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: '', _data: json }\n  } else {\n    const dek = await getDEK(SUBJECT_INDEX_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: new Date().toISOString(), _iv: iv, _data: data }\n  }\n  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env)\n}\n\n/**\n * Add a `{ collection, id }` ref to a subject's index entry (idempotent —\n * a duplicate ref is not appended). Read-modify-write; see the concurrency\n * note in the module docstring.\n */\nexport async function addSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return\n  refs.push(ref)\n  await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n}\n\n/**\n * Remove a `{ collection, id }` ref from a subject's index entry. When the\n * last ref is removed the (now empty) entry is deleted so the store holds no\n * residual key for an erased subject.\n */\nexport async function removeSubjectRef(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n  ref: SubjectRef,\n): Promise<void> {\n  const key = await subjectKey(subjectId)\n  const refs = await readRefs(adapter, vault, getDEK, encrypted, key)\n  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id))\n  if (next.length === refs.length) return\n  if (next.length === 0) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key)\n    return\n  }\n  await writeRefs(adapter, vault, getDEK, encrypted, key, next)\n}\n\n/** Look up every record ref for a subject. Returns `[]` when none exist. */\nexport async function lookupSubject(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjectId: string,\n): Promise<SubjectRef[]> {\n  const key = await subjectKey(subjectId)\n  return readRefs(adapter, vault, getDEK, encrypted, key)\n}\n\n/**\n * Rebuild the entire subject index from the canonical records (the recovery\n * path for the documented read-modify-write race). Scans each declared\n * collection, reads `record[subjectField]` (dotted path), and rewrites the\n * index from scratch. Tombstoned (already-shredded) records contribute no\n * ref — their body is gone, so they cannot be re-indexed.\n *\n * `decodeRecord` decrypts an envelope to a plain object (or returns null for\n * a tombstone / unreadable record); supplied by the caller so this module\n * stays free of Collection internals.\n */\nexport async function rebuildSubjectIndex(\n  adapter: NoydbStore,\n  vault: string,\n  getDEK: GetDEK,\n  encrypted: boolean,\n  subjects: Readonly<Record<string, string>>,\n  decodeRecord: (collection: string, id: string, env: EncryptedEnvelope) => Promise<Record<string, unknown> | null>,\n): Promise<number> {\n  // Drop every existing index entry first so removed refs don't linger.\n  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION)\n  for (const k of existing) {\n    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k)\n  }\n\n  // subjectId → refs, accumulated across all declared collections.\n  const bySubject = new Map<string, SubjectRef[]>()\n  for (const [collection, field] of Object.entries(subjects)) {\n    const ids = await adapter.list(vault, collection)\n    for (const id of ids) {\n      if (id.startsWith('_')) continue\n      const env = await adapter.get(vault, collection, id)\n      if (!env || !env._data) continue // missing or tombstone\n      const record = await decodeRecord(collection, id, env)\n      if (record === null) continue\n      const subjectValue = readDottedPath(record, field)\n      if (subjectValue === undefined || subjectValue === null) continue\n      const subjectId = coerceSubjectId(subjectValue)\n      const list = bySubject.get(subjectId) ?? []\n      list.push({ collection, id })\n      bySubject.set(subjectId, list)\n    }\n  }\n\n  let entries = 0\n  for (const [subjectId, refs] of bySubject) {\n    const key = await subjectKey(subjectId)\n    await writeRefs(adapter, vault, getDEK, encrypted, key, refs)\n    entries++\n  }\n  return entries\n}\n\n/**\n * Coerce a read subject-field value to a stable string id. Primitives use\n * their natural string form; objects/arrays are JSON-stringified so structural\n * subjects still get a deterministic key (avoids the `[object Object]` trap).\n */\nexport function coerceSubjectId(value: unknown): string {\n  if (typeof value === 'string') return value\n  if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {\n    return String(value)\n  }\n  return JSON.stringify(value)\n}\n\n/** Read a (possibly dotted) field path from a plain record. */\nexport function readDottedPath(record: Record<string, unknown>, field: string): unknown {\n  if (!field.includes('.')) return record[field]\n  let cursor: unknown = record\n  for (const segment of field.split('.')) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACiDO,IAAM,YAA4B,EAAE,UAAU,CAAC,EAAE;AAuBjD,SAAS,kBAAkB,MAA0C;AAC1E,SAAO,EAAE,UAAU,EAAE,GAAG,KAAK,SAAS,EAAE;AAC1C;;;AC3CO,IAAM,2BAA2B;","names":[]}

package/dist/forget/index.d.cts

@@ -1 +1 @@
-export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-C-SSRIxP.cjs';
+export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-BMmajblo.cjs';

package/dist/forget/index.d.ts

@@ -1 +1 @@
-export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-C-SSRIxP.js';
+export { b as ForgetResult, F as ForgetStrategy, N as NO_FORGET, d as SUBJECT_INDEX_COLLECTION, e as SubjectDeclaration, S as SubjectRef, w as withForgetCascade } from '../index-BMmajblo.js';

package/dist/forget/index.js

@@ -2,10 +2,10 @@ import {
   NO_FORGET,
   SUBJECT_INDEX_COLLECTION,
   withForgetCascade
-} from "../chunk-C2OYWD5S.js";
-import "../chunk-LGPSCKWZ.js";
-import "../chunk-QJKZ5WUP.js";
-import "../chunk-HMFC6M2G.js";
+} from "../chunk-KNKNOJFS.js";
+import "../chunk-SHIUFIPW.js";
+import "../chunk-OKOKPYWH.js";
+import "../chunk-DJF3FXW5.js";
 export {
   NO_FORGET,
   SUBJECT_INDEX_COLLECTION,