@noy-db/hub 0.2.0-pre.2 → 0.2.0-pre.21

package/dist/{chunk-PEULZC6M.js → chunk-A3JMGXPG.js}

@@ -13,6 +13,13 @@ var GuardRegistry = class {
   guardsFor(collection) {
     return this._byCollection.get(collection) ?? [];
   }
+  /** Per-collection guard counts, for introspection. */
+  summary() {
+    return [...this._byCollection.entries()].map(([collection, guards]) => ({
+      collection,
+      count: guards.length
+    }));
+  }
   /**
    * Run every guard's `check` for this collection. First throw wins —
    * remaining guards are not invoked. Guards without a `check` skip.
@@ -115,4 +122,4 @@ var GuardRegistry = class {
 export {
   GuardRegistry
 };
-//# sourceMappingURL=chunk-PEULZC6M.js.map
+//# sourceMappingURL=chunk-A3JMGXPG.js.map

package/dist/chunk-A3JMGXPG.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/registry.ts"],"sourcesContent":["import type { GuardStrategy, GuardContext, GuardChange } from './types.js'\n\n/**\n * Per-record metadata attached to every entry in an amendment's\n * change-set. Carried in a parallel map alongside `_amendmentChanges`\n * so the public {@link GuardChange} shape (`{ before, after }`) stays\n * clean for invariant authors — the audit ledger reads this side\n * structure to produce the `{ collection, id, vBefore, vAfter }`\n * tuples for the amendment entry.\n *\n * @internal\n */\nexport interface AmendmentChangeMeta {\n  readonly id: string\n  readonly vBefore: number\n  readonly vAfter: number\n}\n\n/**\n * Vault-internal singleton that holds the guard graph and dispatches\n * per-collection guard execution. Owned by `Vault`; not exported.\n *\n * @internal\n */\n// Internal storage alias — guards are heterogeneous in their record type T,\n// so the registry stores them at the upper bound of GuardStrategy's T constraint.\ntype AnyGuard = GuardStrategy<Record<string, unknown>>\ntype AnyChange = GuardChange<Record<string, unknown>>\n\nexport class GuardRegistry {\n  private readonly _byCollection = new Map<string, AnyGuard[]>()\n  private _amendmentChanges: Map<string, AnyChange[]> | null = null\n  private _amendmentMeta: Map<string, AmendmentChangeMeta[]> | null = null\n\n  /** Register a guard. Multiple guards per collection are allowed. */\n  register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void {\n    const existing = this._byCollection.get(spec.collection)\n    if (existing) existing.push(spec as unknown as AnyGuard)\n    else this._byCollection.set(spec.collection, [spec as unknown as AnyGuard])\n  }\n\n  /** All guards registered against `collection` in registration order. */\n  guardsFor(collection: string): ReadonlyArray<AnyGuard> {\n    return this._byCollection.get(collection) ?? []\n  }\n\n  /** Per-collection guard counts, for introspection. */\n  summary(): { collection: string; count: number }[] {\n    return [...this._byCollection.entries()].map(([collection, guards]) => ({\n      collection,\n      count: guards.length,\n    }))\n  }\n\n  /**\n   * Run every guard's `check` for this collection. First throw wins —\n   * remaining guards are not invoked. Guards without a `check` skip.\n   */\n  async runChecks<T>(\n    collection: string,\n    incoming: T,\n    ctx: GuardContext<T>,\n  ): Promise<void> {\n    const guards = this._byCollection.get(collection)\n    if (!guards) return\n    for (const g of guards) {\n      if (g.check) {\n        await g.check(\n          incoming as unknown as Record<string, unknown>,\n          ctx as unknown as GuardContext<Record<string, unknown>>,\n        )\n      }\n    }\n  }\n\n  /**\n   * Run every guard's `onDelete` for this collection. First throw wins —\n   * remaining guards are not invoked. Guards without an `onDelete` skip.\n   * Mirrors {@link runChecks} but for the delete path.\n   */\n  async runOnDelete<T>(\n    collection: string,\n    existing: T,\n    ctx: GuardContext<T>,\n  ): Promise<void> {\n    const guards = this._byCollection.get(collection)\n    if (!guards) return\n    for (const g of guards) {\n      if (g.onDelete) {\n        await g.onDelete(\n          existing as unknown as Record<string, unknown>,\n          ctx as unknown as GuardContext<Record<string, unknown>>,\n        )\n      }\n    }\n  }\n\n  /** True if any guard for `collection` declares an `amendment` block. */\n  hasAmendment(collection: string): boolean {\n    const guards = this._byCollection.get(collection)\n    if (!guards) return false\n    return guards.some(g => g.amendment !== undefined)\n  }\n\n  /** Open a new amendment change-collection window. */\n  beginAmendment(): void {\n    this._amendmentChanges = new Map()\n    this._amendmentMeta = new Map()\n  }\n\n  /** True iff we're currently inside an amendment transaction. */\n  isAmendmentActive(): boolean {\n    return this._amendmentChanges !== null\n  }\n\n  /**\n   * Record a {before, after} pair for the active amendment. `vBefore`\n   * and `vAfter` are stored in a parallel meta structure so the public\n   * {@link GuardChange} shape handed to invariant callbacks stays\n   * `{ before, after }` only — the audit ledger reads version metadata\n   * via {@link consumeMeta}.\n   */\n  collectChange<T>(\n    collection: string,\n    id: string,\n    before: T | null,\n    after: T,\n    vBefore = 0,\n    vAfter = 0,\n  ): void {\n    if (this._amendmentChanges === null || this._amendmentMeta === null) {\n      throw new Error('GuardRegistry.collectChange called outside an amendment')\n    }\n    const list = this._amendmentChanges.get(collection)\n    const entry = { before, after } as unknown as AnyChange\n    if (list) list.push(entry)\n    else this._amendmentChanges.set(collection, [entry])\n\n    const metaList = this._amendmentMeta.get(collection)\n    const metaEntry: AmendmentChangeMeta = { id, vBefore, vAfter }\n    if (metaList) metaList.push(metaEntry)\n    else this._amendmentMeta.set(collection, [metaEntry])\n  }\n\n  /**\n   * Drain the change-set and close the amendment window. The caller\n   * (transaction commit) feeds these to each affected guard's invariant.\n   */\n  consumeChanges(): ReadonlyMap<string, ReadonlyArray<AnyChange>> {\n    const out = this._amendmentChanges ?? new Map()\n    this._amendmentChanges = null\n    return out\n  }\n\n  /**\n   * Drain the parallel id/version metadata captured during the\n   * amendment. Returned as a flat list with `collection` denormalised\n   * so the audit ledger can emit one `{ collection, id, vBefore,\n   * vAfter }` tuple per record. Must be called AFTER\n   * {@link consumeChanges} (or independently) — calling it closes the\n   * meta window in the same way.\n   */\n  consumeMeta(): ReadonlyArray<{ collection: string; id: string; vBefore: number; vAfter: number }> {\n    const out: { collection: string; id: string; vBefore: number; vAfter: number }[] = []\n    if (this._amendmentMeta) {\n      for (const [collection, list] of this._amendmentMeta) {\n        for (const m of list) {\n          out.push({ collection, id: m.id, vBefore: m.vBefore, vAfter: m.vAfter })\n        }\n      }\n    }\n    this._amendmentMeta = null\n    return out\n  }\n}\n"],"mappings":";AA6BO,IAAM,gBAAN,MAAoB;AAAA,EACR,gBAAgB,oBAAI,IAAwB;AAAA,EACrD,oBAAqD;AAAA,EACrD,iBAA4D;AAAA;AAAA,EAGpE,SAA4C,MAA8B;AACxE,UAAM,WAAW,KAAK,cAAc,IAAI,KAAK,UAAU;AACvD,QAAI,SAAU,UAAS,KAAK,IAA2B;AAAA,QAClD,MAAK,cAAc,IAAI,KAAK,YAAY,CAAC,IAA2B,CAAC;AAAA,EAC5E;AAAA;AAAA,EAGA,UAAU,YAA6C;AACrD,WAAO,KAAK,cAAc,IAAI,UAAU,KAAK,CAAC;AAAA,EAChD;AAAA;AAAA,EAGA,UAAmD;AACjD,WAAO,CAAC,GAAG,KAAK,cAAc,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,YAAY,MAAM,OAAO;AAAA,MACtE;AAAA,MACA,OAAO,OAAO;AAAA,IAChB,EAAE;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UACJ,YACA,UACA,KACe;AACf,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,CAAC,OAAQ;AACb,eAAW,KAAK,QAAQ;AACtB,UAAI,EAAE,OAAO;AACX,cAAM,EAAE;AAAA,UACN;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,YACJ,YACA,UACA,KACe;AACf,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,CAAC,OAAQ;AACb,eAAW,KAAK,QAAQ;AACtB,UAAI,EAAE,UAAU;AACd,cAAM,EAAE;AAAA,UACN;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,aAAa,YAA6B;AACxC,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,CAAC,OAAQ,QAAO;AACpB,WAAO,OAAO,KAAK,OAAK,EAAE,cAAc,MAAS;AAAA,EACnD;AAAA;AAAA,EAGA,iBAAuB;AACrB,SAAK,oBAAoB,oBAAI,IAAI;AACjC,SAAK,iBAAiB,oBAAI,IAAI;AAAA,EAChC;AAAA;AAAA,EAGA,oBAA6B;AAC3B,WAAO,KAAK,sBAAsB;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,cACE,YACA,IACA,QACA,OACA,UAAU,GACV,SAAS,GACH;AACN,QAAI,KAAK,sBAAsB,QAAQ,KAAK,mBAAmB,MAAM;AACnE,YAAM,IAAI,MAAM,yDAAyD;AAAA,IAC3E;AACA,UAAM,OAAO,KAAK,kBAAkB,IAAI,UAAU;AAClD,UAAM,QAAQ,EAAE,QAAQ,MAAM;AAC9B,QAAI,KAAM,MAAK,KAAK,KAAK;AAAA,QACpB,MAAK,kBAAkB,IAAI,YAAY,CAAC,KAAK,CAAC;AAEnD,UAAM,WAAW,KAAK,eAAe,IAAI,UAAU;AACnD,UAAM,YAAiC,EAAE,IAAI,SAAS,OAAO;AAC7D,QAAI,SAAU,UAAS,KAAK,SAAS;AAAA,QAChC,MAAK,eAAe,IAAI,YAAY,CAAC,SAAS,CAAC;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAgE;AAC9D,UAAM,MAAM,KAAK,qBAAqB,oBAAI,IAAI;AAC9C,SAAK,oBAAoB;AACzB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,cAAkG;AAChG,UAAM,MAA6E,CAAC;AACpF,QAAI,KAAK,gBAAgB;AACvB,iBAAW,CAAC,YAAY,IAAI,KAAK,KAAK,gBAAgB;AACpD,mBAAW,KAAK,MAAM;AACpB,cAAI,KAAK,EAAE,YAAY,IAAI,EAAE,IAAI,SAAS,EAAE,SAAS,QAAQ,EAAE,OAAO,CAAC;AAAA,QACzE;AAAA,MACF;AAAA,IACF;AACA,SAAK,iBAAiB;AACtB,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/{chunk-UMLVJTYV.js → chunk-ADB7GPM3.js}

@@ -1,14 +1,17 @@
 // src/guards/read-only-facade.ts
 var ReadOnlyVaultFacade = class {
   _vault;
-  constructor(vault) {
+  _layer;
+  constructor(vault, layer = "read") {
     this._vault = vault;
+    this._layer = layer;
   }
   collection(name) {
     const c = this._vault.collection(name);
+    const layer = this._layer;
     return {
-      get: (id) => c.get(id),
-      list: () => c.list(),
+      get: (id) => c.get(id, { _layer: layer }),
+      list: () => c.list({ _layer: layer }),
       query: () => c.query()
     };
   }
@@ -17,4 +20,4 @@ var ReadOnlyVaultFacade = class {
 export {
   ReadOnlyVaultFacade
 };
-//# sourceMappingURL=chunk-UMLVJTYV.js.map
+//# sourceMappingURL=chunk-ADB7GPM3.js.map

package/dist/chunk-ADB7GPM3.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/read-only-facade.ts"],"sourcesContent":["import type { Vault } from '../vault.js'\nimport type { Query } from '../query/builder.js'\nimport type { Layer } from '../i18n/policy.js'\nimport type { ReadOnlyVaultFacade as ReadOnlyVaultFacadeContract } from './types.js'\n\n/**\n * Minimal read-only wrapper over a `Vault`. Used as `ctx.vault` inside\n * guard / derivation callbacks so they can fetch related records without\n * acquiring any write capability.\n *\n * The `layer` tags every `get`/`list` read with the resolution layer it\n * belongs to (#285). A guard-seeded facade reads at `'guard'`, a\n * derivation-seeded one at `'derivation'`, so i18nText / dictKey fields\n * resolve under that layer's `onMissing` policy instead of the `'read'`\n * policy — e.g. a guard read can `substitute` a missing locale (lenient\n * default) while the same field `throw`s on an ordinary app read.\n *\n * `query()` is left untagged: the query/aggregate pipeline reads raw\n * `{locale}` maps (no resolution call site), so a layer tag there would be\n * inert. Routing `mv`/`join` resolution through the pipeline is tracked\n * separately (#285 D2/D3).\n */\nexport class ReadOnlyVaultFacade implements ReadOnlyVaultFacadeContract {\n  private readonly _vault: Vault\n  private readonly _layer: Layer\n\n  constructor(vault: Vault, layer: Layer = 'read') {\n    this._vault = vault\n    this._layer = layer\n  }\n\n  collection<T = unknown>(name: string): {\n    get(id: string): Promise<T | null>\n    list(): Promise<T[]>\n    query(): Query<T>\n  } {\n    const c = this._vault.collection<T>(name)\n    const layer = this._layer\n    return {\n      get: (id: string) => c.get(id, { _layer: layer }),\n      list: () => c.list({ _layer: layer }),\n      query: () => c.query(),\n    }\n  }\n}\n"],"mappings":";AAsBO,IAAM,sBAAN,MAAiE;AAAA,EACrD;AAAA,EACA;AAAA,EAEjB,YAAY,OAAc,QAAe,QAAQ;AAC/C,SAAK,SAAS;AACd,SAAK,SAAS;AAAA,EAChB;AAAA,EAEA,WAAwB,MAItB;AACA,UAAM,IAAI,KAAK,OAAO,WAAc,IAAI;AACxC,UAAM,QAAQ,KAAK;AACnB,WAAO;AAAA,MACL,KAAK,CAAC,OAAe,EAAE,IAAI,IAAI,EAAE,QAAQ,MAAM,CAAC;AAAA,MAChD,MAAM,MAAM,EAAE,KAAK,EAAE,QAAQ,MAAM,CAAC;AAAA,MACpC,OAAO,MAAM,EAAE,MAAM;AAAA,IACvB;AAAA,EACF;AACF;","names":[]}

package/dist/{chunk-G6FRSBKK.js → chunk-AI4USDRI.js}

@@ -1,6 +1,6 @@
 import {
   dekKey
-} from "./chunk-7BUTTVMR.js";
+} from "./chunk-F5GWNSE2.js";
 import {
   generateULID
 } from "./chunk-FZU343FL.js";
@@ -9,10 +9,10 @@ import {
   encrypt,
   unwrapKey,
   wrapKey
-} from "./chunk-2PAQNPE3.js";
+} from "./chunk-37VGJM3T.js";
 import {
   DelegationTargetMissingError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/team/delegation.ts
 var DELEGATIONS_COLLECTION = "_delegations";
@@ -94,4 +94,4 @@ export {
   loadActiveDelegations,
   revokeDelegation
 };
-//# sourceMappingURL=chunk-G6FRSBKK.js.map
+//# sourceMappingURL=chunk-AI4USDRI.js.map

package/dist/chunk-BZW5IL43.js

@@ -0,0 +1,151 @@
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-TA6HPKWQ.js";
+import {
+  bufferToBase64,
+  decrypt,
+  encrypt,
+  generateDEK,
+  unwrapCek,
+  wrapCek
+} from "./chunk-37VGJM3T.js";
+import {
+  RecordCekNotFoundError,
+  ValidationError
+} from "./chunk-OTWT6BAJ.js";
+
+// src/record-keys/tombstone.ts
+function isTombstone(envelope, encrypted) {
+  if (!encrypted) return false;
+  return !envelope._data && envelope._cek === void 0;
+}
+function buildTombstone(version, actor) {
+  return {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: version,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: "",
+    ...actor ? { _by: actor } : {}
+  };
+}
+
+// src/record-keys/lifecycle.ts
+async function resolveStableCek(deps, id) {
+  const cached = deps.cache?.get(id);
+  if (cached) return cached;
+  const live = await deps.getLive(id);
+  if (live?._cek !== void 0) {
+    const cek = await unwrapCek(live._cek, await deps.getDEK());
+    deps.cache?.set(id, cek, 1);
+    return cek;
+  }
+  const fresh = await generateDEK();
+  deps.cache?.set(id, fresh, 1);
+  return fresh;
+}
+async function rewrapBodyToDek(envelope, fromDek, toDek) {
+  if (envelope._cek !== void 0) {
+    const cek = await unwrapCek(envelope._cek, fromDek);
+    const plaintext2 = await decrypt(envelope._iv, envelope._data, cek);
+    const { iv: iv2, data: data2 } = await encrypt(plaintext2, cek);
+    return { _iv: iv2, _data: data2, _cek: await wrapCek(cek, toDek), cek };
+  }
+  const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
+  const { iv, data } = await encrypt(plaintext, toDek);
+  return { _iv: iv, _data: data, cek: null };
+}
+
+// src/record-keys/sealing.ts
+var subtle = globalThis.crypto.subtle;
+var SEALED_CEK_NS = "_sealed_cek";
+async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
+  if (collection.includes("/")) throw new ValidationError(`sealRecordToHost: collection "${collection}" must not contain "/"`);
+  if (id.includes("/")) throw new ValidationError(`sealRecordToHost: id "${id}" must not contain "/"`);
+  const live = await ctx.adapter.get(ctx.vault, collection, id);
+  if (!live || live._cek === void 0) {
+    throw new RecordCekNotFoundError(collection, id);
+  }
+  const dek = await ctx.getDEK(collection);
+  const cek = await unwrapCek(live._cek, dek);
+  const rawCek = await subtle.exportKey("raw", cek);
+  const cekB64 = bufferToBase64(rawCek);
+  const hint = await hostSealer.publishRecipientHint();
+  if (hint.pid.includes("/")) throw new ValidationError(`sealRecordToHost: recipient pid "${hint.pid}" must not contain "/"`);
+  const binding = {
+    collection,
+    id,
+    cek: cekB64,
+    expiresAt: opts.expiresAt
+  };
+  const sealed = await hostSealer.sealForRecipient(
+    new TextEncoder().encode(JSON.stringify(binding)),
+    hint
+  );
+  const delivery = {
+    v: 1,
+    _noydb_sealed_cek: 1,
+    pid: hint.pid,
+    payload: bufferToBase64(sealed),
+    expiresAt: opts.expiresAt
+  };
+  const envelopeKey = `${collection}/${id}/${hint.pid}`;
+  const prior = await ctx.adapter.get(ctx.vault, SEALED_CEK_NS, envelopeKey);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // AES-GCM bypassed — the sealing layer is the security boundary, exactly
+    // like the managed-passphrase `_meta/sealed-passphrase` envelope.
+    _iv: "",
+    _data: JSON.stringify(delivery),
+    ...ctx.actor ? { _by: ctx.actor } : {}
+  };
+  await ctx.adapter.put(ctx.vault, SEALED_CEK_NS, envelopeKey, env);
+  return { pid: hint.pid, envelopeKey };
+}
+async function revokeSealedRecord(ctx, collection, id, pid) {
+  await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, `${collection}/${id}/${pid}`);
+}
+async function rotateRecordCek(ctx, collection, id) {
+  const live = await ctx.adapter.get(ctx.vault, collection, id);
+  if (!live || live._cek === void 0) {
+    throw new RecordCekNotFoundError(collection, id);
+  }
+  const dek = await ctx.getDEK(collection);
+  const oldCek = await unwrapCek(live._cek, dek);
+  const json = await decrypt(live._iv, live._data, oldCek);
+  const newCek = await generateDEK();
+  const { iv, data } = await encrypt(json, newCek);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: live._v + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data,
+    _cek: await wrapCek(newCek, dek),
+    ...ctx.actor ? { _by: ctx.actor } : {},
+    ...live._tier !== void 0 ? { _tier: live._tier } : {},
+    ...live._det !== void 0 ? { _det: live._det } : {}
+  };
+  await ctx.adapter.put(ctx.vault, collection, id, env);
+  await ctx.invalidateRecordCaches(collection, id);
+  const prefix = `${collection}/${id}/`;
+  const keys = await ctx.adapter.list(ctx.vault, SEALED_CEK_NS);
+  for (const key of keys) {
+    if (key.startsWith(prefix)) {
+      await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, key);
+    }
+  }
+}
+
+export {
+  isTombstone,
+  buildTombstone,
+  resolveStableCek,
+  rewrapBodyToDek,
+  sealRecordToHost,
+  revokeSealedRecord,
+  rotateRecordCek
+};
+//# sourceMappingURL=chunk-BZW5IL43.js.map

package/dist/chunk-BZW5IL43.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/record-keys/tombstone.ts","../src/record-keys/lifecycle.ts","../src/record-keys/sealing.ts"],"sourcesContent":["/**\n * Tombstone shape + predicate for the per-record-key (CEK) layer.\n *\n * A *tombstone* is the residue a GDPR crypto-shred (`vault.forget()`, #304)\n * leaves on disk: the live envelope rewritten to `{ _noydb, _v, _ts, _by,\n * _iv:'', _data:'' }`, dropping `_iv`/`_data`/`_cek`/`_det`. With the wrapped\n * per-record CEK gone, the body — and every history version under the same\n * CEK — is permanently undecryptable, while the record KEY survives so the\n * version counter and \"record existed and was erased\" persist for the audit\n * ledger.\n *\n * These two helpers are the pure, collection-independent core of that\n * contract: {@link buildTombstone} mints the shape, {@link isTombstone}\n * recognises it on the read path. The orchestration that *writes* a tombstone\n * (`_writeTombstone`) and drives `vault.forget()` lives with the collection /\n * vault; it calls into these.\n */\nimport { NOYDB_FORMAT_VERSION, type EncryptedEnvelope } from '../types.js'\n\n/**\n * Is this envelope a crypto-shred tombstone?\n *\n * A tombstone carries no body (`_data` empty) and no wrapped CEK (`_cek`\n * absent) — decrypting it would call `decrypt('', '', dek)` → an AES-GCM\n * throw, so every read choke point must short-circuit to `null` instead.\n *\n * `encrypted` is the collection's encryption flag: on an unencrypted\n * collection there are no envelopes to shred, so nothing is ever a tombstone.\n * (Legacy migration envelopes carry non-empty `_iv`/`_data`, so they are not\n * tombstones and stay readable.)\n */\nexport function isTombstone(envelope: EncryptedEnvelope, encrypted: boolean): boolean {\n  if (!encrypted) return false\n  return !envelope._data && envelope._cek === undefined\n}\n\n/**\n * Mint a tombstone envelope from a record's live version + actor.\n *\n * Keeps `_v` (the displaced version) so the counter is monotonic across the\n * shred, stamps a fresh `_ts`, and records `_by` when an actor is supplied.\n * Deliberately omits `_iv`/`_data`/`_cek`/`_det` — that omission *is* the\n * erasure.\n */\nexport function buildTombstone(version: number, actor: string): EncryptedEnvelope {\n  return {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: version,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: '',\n    ...(actor ? { _by: actor } : {}),\n  }\n}\n","/**\n * Per-record CEK lifecycle helpers for the WRITE path (#356 foundation).\n *\n * These are the collection-coupled CEK operations, lifted off `Collection`\n * behind narrow deps so the kernel file delegates instead of carrying the\n * crypto inline:\n *\n *   - {@link resolveStableCek} — the stable-CEK rule: an update or history\n *     snapshot reuses the record's existing CEK so a single CEK delete kills\n *     the whole version chain; a genuine insert (or legacy record being\n *     migrated) mints a fresh one.\n *   - {@link rewrapBodyToDek} — move a record body's wrapping from one DEK to\n *     another (tier elevate/demote, bundle re-key) WITHOUT changing the body\n *     key: unwrap the CEK under the source DEK, re-encrypt the body under the\n *     same CEK, re-wrap the CEK under the destination DEK. History-chain\n *     identity is preserved because the body key never changes.\n *\n * Both are pure functions over their deps — the `cekCache` ownership stays on\n * the collection (its lifetime is tied to `load()`), so callers cache the\n * returned key themselves.\n */\nimport { encrypt, decrypt, generateDEK, wrapCek, unwrapCek } from '../crypto.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport type { Lru } from '../cache/index.js'\n\n/** Dependencies {@link resolveStableCek} needs from its collection. */\nexport interface StableCekDeps {\n  /** The collection's per-record CEK cache (`null` → no caching). */\n  readonly cache: Lru<string, CryptoKey> | null\n  /** Read the record's live envelope (to recover an existing `_cek`). */\n  getLive(id: string): Promise<EncryptedEnvelope | null>\n  /** The DEK the CEK is wrapped under (the collection DEK on the normal path). */\n  getDEK(): Promise<CryptoKey>\n}\n\n/**\n * Resolve the stable CEK for a record on the write path. Caches the resolved\n * key under `id` so an update + its history snapshot share one CEK.\n */\nexport async function resolveStableCek(deps: StableCekDeps, id: string): Promise<CryptoKey> {\n  const cached = deps.cache?.get(id)\n  if (cached) return cached\n\n  const live = await deps.getLive(id)\n  if (live?._cek !== undefined) {\n    const cek = await unwrapCek(live._cek, await deps.getDEK())\n    deps.cache?.set(id, cek, 1)\n    return cek\n  }\n\n  const fresh = await generateDEK()\n  deps.cache?.set(id, fresh, 1)\n  return fresh\n}\n\n/** Re-wrapped body bytes + the (optional) CEK to cache. */\nexport interface RewrappedBody {\n  readonly _iv: string\n  readonly _data: string\n  /** Present iff the source envelope carried a CEK (per-record-key record). */\n  readonly _cek?: string\n  /** The body key when one exists, so the caller can cache it; `null` for a legacy record. */\n  readonly cek: CryptoKey | null\n}\n\n/**\n * Move a record body from `fromDek` to `toDek`.\n *\n * - Per-record-key record (`_cek` present): unwrap the CEK under `fromDek`,\n *   re-encrypt the body under the SAME CEK, re-wrap the CEK under `toDek`. The\n *   body key is unchanged → history-chain identity preserved.\n * - Legacy record (no `_cek`): decrypt under `fromDek`, re-encrypt under `toDek`\n *   directly — byte-for-byte the pre-CEK behaviour.\n */\nexport async function rewrapBodyToDek(\n  envelope: Pick<EncryptedEnvelope, '_iv' | '_data' | '_cek'>,\n  fromDek: CryptoKey,\n  toDek: CryptoKey,\n): Promise<RewrappedBody> {\n  if (envelope._cek !== undefined) {\n    const cek = await unwrapCek(envelope._cek, fromDek)\n    const plaintext = await decrypt(envelope._iv, envelope._data, cek)\n    const { iv, data } = await encrypt(plaintext, cek)\n    return { _iv: iv, _data: data, _cek: await wrapCek(cek, toDek), cek }\n  }\n  const plaintext = await decrypt(envelope._iv, envelope._data, fromDek)\n  const { iv, data } = await encrypt(plaintext, toDek)\n  return { _iv: iv, _data: data, cek: null }\n}\n","/**\n * Record-scoped CEK sealing — grantor side (#306 slices 2-3).\n *\n * The **grantor** holds the collection DEK and seals ONE record's CEK to an\n * `at-*` host so that host — and only that host — can decrypt exactly that\n * record, with no access to the vault DEK and no ability to read any other\n * record. This is the counterpart to the host-side `openSealedRecord`\n * (`@noy-db/hub/sealed-record`), which holds no DEK.\n *\n * These functions are the orchestration behind `vault.sealRecordToHost` /\n * `vault.revokeSealedRecord` / `vault.rotateRecordCek`, lifted off `Vault`\n * behind a narrow {@link SealingContext} so the kernel file delegates. They\n * live in `record-keys/` (the vault-side CEK policy layer), NOT in\n * `sealed-record/`, so the host-side subpath stays DEK-free — they import only\n * the wire *types* from there.\n */\nimport { encrypt, decrypt, generateDEK, wrapCek, unwrapCek, bufferToBase64 } from '../crypto.js'\nimport { NOYDB_FORMAT_VERSION, type EncryptedEnvelope, type NoydbStore } from '../types.js'\nimport { RecordCekNotFoundError, ValidationError } from '../errors.js'\nimport type { RecipientSealer } from '../team/managed-passphrase.js'\nimport type { SealedCekBinding, SealedCekDeliveryEnvelope } from '../sealed-record/types.js'\n\nconst subtle = globalThis.crypto.subtle\n\n/** The `_sealed_cek` delivery namespace (one envelope per `collection/id/pid`). */\nconst SEALED_CEK_NS = '_sealed_cek'\n\n/** What the grantor functions need from their `Vault`. */\nexport interface SealingContext {\n  readonly adapter: NoydbStore\n  /** Vault id (the adapter's first coordinate). */\n  readonly vault: string\n  /** Resolve the DEK a record's CEK is wrapped under. */\n  getDEK(collection: string): Promise<CryptoKey>\n  /** Actor id stamped on `_by` (empty string → omit). */\n  readonly actor: string\n  /** Evict the per-record CEK cache + decrypted-record cache after a rotation. */\n  invalidateRecordCaches(collection: string, id: string): Promise<void>\n}\n\n/**\n * Seal a record's CEK to a host. See `vault.sealRecordToHost` for the contract.\n * Returns `{ pid, envelopeKey }`.\n */\nexport async function sealRecordToHost(\n  ctx: SealingContext,\n  collection: string,\n  id: string,\n  hostSealer: RecipientSealer,\n  opts: { expiresAt: string },\n): Promise<{ pid: string; envelopeKey: string }> {\n  // Guard separators: the `_sealed_cek` id is `collection/id/pid`, so a `/` in\n  // any component would make the prefix-delete in rotateRecordCek() (which\n  // matches `${collection}/${id}/`) ambiguous and could over- or under-match.\n  if (collection.includes('/')) throw new ValidationError(`sealRecordToHost: collection \"${collection}\" must not contain \"/\"`)\n  if (id.includes('/')) throw new ValidationError(`sealRecordToHost: id \"${id}\" must not contain \"/\"`)\n\n  const live = await ctx.adapter.get(ctx.vault, collection, id)\n  if (!live || live._cek === undefined) {\n    throw new RecordCekNotFoundError(collection, id)\n  }\n\n  const dek = await ctx.getDEK(collection)\n  const cek = await unwrapCek(live._cek, dek)\n  const rawCek = await subtle.exportKey('raw', cek)\n  const cekB64 = bufferToBase64(rawCek)\n\n  const hint = await hostSealer.publishRecipientHint()\n  if (hint.pid.includes('/')) throw new ValidationError(`sealRecordToHost: recipient pid \"${hint.pid}\" must not contain \"/\"`)\n\n  const binding: SealedCekBinding = {\n    collection,\n    id,\n    cek: cekB64,\n    expiresAt: opts.expiresAt,\n  }\n  const sealed = await hostSealer.sealForRecipient(\n    new TextEncoder().encode(JSON.stringify(binding)),\n    hint,\n  )\n\n  const delivery: SealedCekDeliveryEnvelope = {\n    v: 1,\n    _noydb_sealed_cek: 1,\n    pid: hint.pid,\n    payload: bufferToBase64(sealed),\n    expiresAt: opts.expiresAt,\n  }\n\n  const envelopeKey = `${collection}/${id}/${hint.pid}`\n  const prior = await ctx.adapter.get(ctx.vault, SEALED_CEK_NS, envelopeKey)\n  const env: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: (prior?._v ?? 0) + 1,\n    _ts: new Date().toISOString(),\n    // AES-GCM bypassed — the sealing layer is the security boundary, exactly\n    // like the managed-passphrase `_meta/sealed-passphrase` envelope.\n    _iv: '',\n    _data: JSON.stringify(delivery),\n    ...(ctx.actor ? { _by: ctx.actor } : {}),\n  }\n  await ctx.adapter.put(ctx.vault, SEALED_CEK_NS, envelopeKey, env)\n\n  return { pid: hint.pid, envelopeKey }\n}\n\n/**\n * Soft-revoke one sealed-CEK delivery envelope (delete it from the store). A\n * host that already fetched the envelope keeps whatever it cached; for a hard\n * revocation use {@link rotateRecordCek}.\n */\nexport async function revokeSealedRecord(\n  ctx: SealingContext,\n  collection: string,\n  id: string,\n  pid: string,\n): Promise<void> {\n  await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, `${collection}/${id}/${pid}`)\n}\n\n/**\n * HARD-rotate a record's CEK: re-encrypt the live body under a fresh CEK, evict\n * caches, and delete EVERY sealed-CEK delivery envelope for the record. See\n * `vault.rotateRecordCek` for why this bypasses `Collection.put` (no guards, no\n * history bump — a key rotation must not re-encrypt prior history under the new\n * CEK).\n */\nexport async function rotateRecordCek(\n  ctx: SealingContext,\n  collection: string,\n  id: string,\n): Promise<void> {\n  const live = await ctx.adapter.get(ctx.vault, collection, id)\n  if (!live || live._cek === undefined) {\n    throw new RecordCekNotFoundError(collection, id)\n  }\n\n  const dek = await ctx.getDEK(collection)\n  const oldCek = await unwrapCek(live._cek, dek)\n  const json = await decrypt(live._iv, live._data, oldCek)\n\n  const newCek = await generateDEK()\n  const { iv, data } = await encrypt(json, newCek)\n\n  const env: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: live._v + 1,\n    _ts: new Date().toISOString(),\n    _iv: iv,\n    _data: data,\n    _cek: await wrapCek(newCek, dek),\n    ...(ctx.actor ? { _by: ctx.actor } : {}),\n    ...(live._tier !== undefined ? { _tier: live._tier } : {}),\n    ...(live._det !== undefined ? { _det: live._det } : {}),\n  }\n  await ctx.adapter.put(ctx.vault, collection, id, env)\n\n  // Evict BOTH caches synchronously so no read returns the stale old-CEK record.\n  await ctx.invalidateRecordCaches(collection, id)\n\n  // Delete every sealed-CEK delivery envelope for this record — all pids.\n  const prefix = `${collection}/${id}/`\n  const keys = await ctx.adapter.list(ctx.vault, SEALED_CEK_NS)\n  for (const key of keys) {\n    if (key.startsWith(prefix)) {\n      await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, key)\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+BO,SAAS,YAAY,UAA6B,WAA6B;AACpF,MAAI,CAAC,UAAW,QAAO;AACvB,SAAO,CAAC,SAAS,SAAS,SAAS,SAAS;AAC9C;AAUO,SAAS,eAAe,SAAiB,OAAkC;AAChF,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,GAAI,QAAQ,EAAE,KAAK,MAAM,IAAI,CAAC;AAAA,EAChC;AACF;;;ACdA,eAAsB,iBAAiB,MAAqB,IAAgC;AAC1F,QAAM,SAAS,KAAK,OAAO,IAAI,EAAE;AACjC,MAAI,OAAQ,QAAO;AAEnB,QAAM,OAAO,MAAM,KAAK,QAAQ,EAAE;AAClC,MAAI,MAAM,SAAS,QAAW;AAC5B,UAAM,MAAM,MAAM,UAAU,KAAK,MAAM,MAAM,KAAK,OAAO,CAAC;AAC1D,SAAK,OAAO,IAAI,IAAI,KAAK,CAAC;AAC1B,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,MAAM,YAAY;AAChC,OAAK,OAAO,IAAI,IAAI,OAAO,CAAC;AAC5B,SAAO;AACT;AAqBA,eAAsB,gBACpB,UACA,SACA,OACwB;AACxB,MAAI,SAAS,SAAS,QAAW;AAC/B,UAAM,MAAM,MAAM,UAAU,SAAS,MAAM,OAAO;AAClD,UAAMA,aAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,UAAM,EAAE,IAAAC,KAAI,MAAAC,MAAK,IAAI,MAAM,QAAQF,YAAW,GAAG;AACjD,WAAO,EAAE,KAAKC,KAAI,OAAOC,OAAM,MAAM,MAAM,QAAQ,KAAK,KAAK,GAAG,IAAI;AAAA,EACtE;AACA,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,OAAO;AACrE,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,KAAK;AACnD,SAAO,EAAE,KAAK,IAAI,OAAO,MAAM,KAAK,KAAK;AAC3C;;;AClEA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,gBAAgB;AAmBtB,eAAsB,iBACpB,KACA,YACA,IACA,YACA,MAC+C;AAI/C,MAAI,WAAW,SAAS,GAAG,EAAG,OAAM,IAAI,gBAAgB,iCAAiC,UAAU,wBAAwB;AAC3H,MAAI,GAAG,SAAS,GAAG,EAAG,OAAM,IAAI,gBAAgB,yBAAyB,EAAE,wBAAwB;AAEnG,QAAM,OAAO,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,YAAY,EAAE;AAC5D,MAAI,CAAC,QAAQ,KAAK,SAAS,QAAW;AACpC,UAAM,IAAI,uBAAuB,YAAY,EAAE;AAAA,EACjD;AAEA,QAAM,MAAM,MAAM,IAAI,OAAO,UAAU;AACvC,QAAM,MAAM,MAAM,UAAU,KAAK,MAAM,GAAG;AAC1C,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,SAAS,eAAe,MAAM;AAEpC,QAAM,OAAO,MAAM,WAAW,qBAAqB;AACnD,MAAI,KAAK,IAAI,SAAS,GAAG,EAAG,OAAM,IAAI,gBAAgB,oCAAoC,KAAK,GAAG,wBAAwB;AAE1H,QAAM,UAA4B;AAAA,IAChC;AAAA,IACA;AAAA,IACA,KAAK;AAAA,IACL,WAAW,KAAK;AAAA,EAClB;AACA,QAAM,SAAS,MAAM,WAAW;AAAA,IAC9B,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,QAAM,WAAsC;AAAA,IAC1C,GAAG;AAAA,IACH,mBAAmB;AAAA,IACnB,KAAK,KAAK;AAAA,IACV,SAAS,eAAe,MAAM;AAAA,IAC9B,WAAW,KAAK;AAAA,EAClB;AAEA,QAAM,cAAc,GAAG,UAAU,IAAI,EAAE,IAAI,KAAK,GAAG;AACnD,QAAM,QAAQ,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,eAAe,WAAW;AACzE,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK,OAAO,MAAM,KAAK;AAAA,IACvB,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA;AAAA;AAAA,IAG5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,QAAQ;AAAA,IAC9B,GAAI,IAAI,QAAQ,EAAE,KAAK,IAAI,MAAM,IAAI,CAAC;AAAA,EACxC;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,eAAe,aAAa,GAAG;AAEhE,SAAO,EAAE,KAAK,KAAK,KAAK,YAAY;AACtC;AAOA,eAAsB,mBACpB,KACA,YACA,IACA,KACe;AACf,QAAM,IAAI,QAAQ,OAAO,IAAI,OAAO,eAAe,GAAG,UAAU,IAAI,EAAE,IAAI,GAAG,EAAE;AACjF;AASA,eAAsB,gBACpB,KACA,YACA,IACe;AACf,QAAM,OAAO,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,YAAY,EAAE;AAC5D,MAAI,CAAC,QAAQ,KAAK,SAAS,QAAW;AACpC,UAAM,IAAI,uBAAuB,YAAY,EAAE;AAAA,EACjD;AAEA,QAAM,MAAM,MAAM,IAAI,OAAO,UAAU;AACvC,QAAM,SAAS,MAAM,UAAU,KAAK,MAAM,GAAG;AAC7C,QAAM,OAAO,MAAM,QAAQ,KAAK,KAAK,KAAK,OAAO,MAAM;AAEvD,QAAM,SAAS,MAAM,YAAY;AACjC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,MAAM;AAE/C,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,IAAI,KAAK,KAAK;AAAA,IACd,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,MAAM,MAAM,QAAQ,QAAQ,GAAG;AAAA,IAC/B,GAAI,IAAI,QAAQ,EAAE,KAAK,IAAI,MAAM,IAAI,CAAC;AAAA,IACtC,GAAI,KAAK,UAAU,SAAY,EAAE,OAAO,KAAK,MAAM,IAAI,CAAC;AAAA,IACxD,GAAI,KAAK,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,EACvD;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,YAAY,IAAI,GAAG;AAGpD,QAAM,IAAI,uBAAuB,YAAY,EAAE;AAG/C,QAAM,SAAS,GAAG,UAAU,IAAI,EAAE;AAClC,QAAM,OAAO,MAAM,IAAI,QAAQ,KAAK,IAAI,OAAO,aAAa;AAC5D,aAAW,OAAO,MAAM;AACtB,QAAI,IAAI,WAAW,MAAM,GAAG;AAC1B,YAAM,IAAI,QAAQ,OAAO,IAAI,OAAO,eAAe,GAAG;AAAA,IACxD;AAAA,EACF;AACF;","names":["plaintext","iv","data"]}

package/dist/chunk-C2RJVZZL.js

@@ -0,0 +1,123 @@
+import {
+  IllegalTransitionError,
+  RecordLockedError,
+  ValidationError
+} from "./chunk-OTWT6BAJ.js";
+
+// src/guards/with-guard.ts
+function withGuard(strategy) {
+  if (!strategy.collection || strategy.collection.length === 0) {
+    throw new ValidationError("withGuard: collection name is required");
+  }
+  return {
+    __noydb_strategy: "guard",
+    spec: strategy
+  };
+}
+
+// src/guards/immutable-guard.ts
+function recordId(record) {
+  const id = record?.id;
+  return typeof id === "string" ? id : "";
+}
+function immutableGuard(config) {
+  const { collection, after, appendOnly, amendmentRoles, amendmentInvariant } = config;
+  if (appendOnly && after !== void 0) {
+    throw new ValidationError("immutableGuard: `after` and `appendOnly` are mutually exclusive");
+  }
+  if (!appendOnly && after === void 0) {
+    throw new ValidationError("immutableGuard: provide `after` or `appendOnly: true`");
+  }
+  const isImmutable = appendOnly ? () => true : after;
+  const reason = appendOnly ? "append-only collection" : "record is immutable after issue";
+  const spec = {
+    collection,
+    // Block updates to an already-immutable record. Inserts (existing
+    // null) and the transition write that first makes the record
+    // immutable are allowed — `after` reads the prior state.
+    check: (incoming, ctx) => {
+      if (ctx.existing !== null && isImmutable(ctx.existing)) {
+        throw new RecordLockedError(collection, recordId(incoming), reason);
+      }
+    },
+    // Block deletes of an immutable record.
+    onDelete: (existing) => {
+      if (isImmutable(existing)) {
+        throw new RecordLockedError(collection, recordId(existing), reason);
+      }
+    },
+    // The authorized override: inside an amendment transaction the
+    // check/onDelete are skipped and the change is ledgered. By default
+    // there is no extra invariant — the amendment itself is the
+    // sanctioned exception. Callers may supply `amendmentInvariant` to
+    // keep a constraint inviolable even under amendment (e.g. forbid
+    // deletes, or preserve a cross-record sum); a throw reverts the
+    // amendment and surfaces as `InvariantError`.
+    amendment: {
+      roles: amendmentRoles ?? ["admin", "owner"],
+      invariant: amendmentInvariant ?? (() => {
+      })
+    }
+  };
+  return withGuard(spec);
+}
+
+// src/guards/transition-guard.ts
+function recordId2(record) {
+  const id = record?.id;
+  return typeof id === "string" ? id : "";
+}
+function stateOf(record, field) {
+  const v = record[field];
+  return typeof v === "string" ? v : String(v);
+}
+function transitionGuard(config) {
+  const { collection, field, transitions, initial, amendmentRoles, amendmentInvariant } = config;
+  const allowIdempotent = config.allowIdempotent ?? true;
+  if (!field) {
+    throw new ValidationError("transitionGuard: `field` is required");
+  }
+  if (transitions === void 0 || typeof transitions !== "object") {
+    throw new ValidationError("transitionGuard: `transitions` must be a state\u2192states map");
+  }
+  const spec = {
+    collection,
+    check: (incoming, ctx) => {
+      const rec = incoming;
+      const to = stateOf(rec, field);
+      if (ctx.existing === null) {
+        if (initial !== void 0 && !initial.includes(to)) {
+          throw new IllegalTransitionError(collection, recordId2(rec), "(none)", to);
+        }
+        return;
+      }
+      const from = stateOf(ctx.existing, field);
+      if (from === to) {
+        if (allowIdempotent) return;
+        throw new IllegalTransitionError(collection, recordId2(rec), from, to);
+      }
+      const allowed = transitions[from] ?? [];
+      if (!allowed.includes(to)) {
+        throw new IllegalTransitionError(collection, recordId2(rec), from, to);
+      }
+    },
+    // The authorized override: inside an amendment transaction the check
+    // is skipped and the change is ledgered. By default no extra invariant
+    // — the amendment itself is the sanctioned exception. Callers may
+    // supply `amendmentInvariant` to keep a constraint inviolable even
+    // under amendment; a throw reverts the amendment as `InvariantError`.
+    amendment: {
+      roles: amendmentRoles ?? ["admin", "owner"],
+      invariant: amendmentInvariant ?? (() => {
+      })
+    }
+  };
+  return withGuard(spec);
+}
+
+export {
+  withGuard,
+  immutableGuard,
+  transitionGuard
+};
+//# sourceMappingURL=chunk-C2RJVZZL.js.map

package/dist/chunk-C2RJVZZL.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/with-guard.ts","../src/guards/immutable-guard.ts","../src/guards/transition-guard.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { GuardStrategy, GuardStrategyHandle } from './types.js'\n\n/**\n * Register a guard for a collection. Guards run on every `put()` /\n * `delete()` for the named collection (after permissions, before\n * encryption) and may:\n *\n *   - `check` — block writes by throwing (typically `RecordLockedError`)\n *   - `frozenFields` — freeze specific fields once a condition is true\n *   - `amendment` — declare an authorized-override path with invariant\n *\n * Pass the returned handle to `createNoydb({ strategies: [...] })`.\n *\n * @see docs/superpowers/specs/2026-05-18-guards-design.md\n */\nexport function withGuard<T extends Record<string, unknown>>(\n  strategy: GuardStrategy<T>,\n): GuardStrategyHandle<T> {\n  if (!strategy.collection || strategy.collection.length === 0) {\n    throw new ValidationError('withGuard: collection name is required')\n  }\n  return {\n    __noydb_strategy: 'guard',\n    spec: strategy,\n  }\n}\n","/**\n * `immutableGuard` — declarative WORM / append-only sugar over the guard\n * subsystem.\n *\n * Issued fiscal documents (invoices, DDTs) must be immutable after issue.\n * That is expressible today with a hand-rolled `withGuard` (block on\n * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is\n * repetitive and easy to get subtly wrong. `immutableGuard` generates\n * exactly that guard from a declarative config, reusing the guard\n * machinery wholesale — `check`/`onDelete` rejection, the ledgered\n * `amendment` override, and composition with `periods`/`history`.\n *\n * ```ts\n * createNoydb({ guardStrategies: [\n *   immutableGuard({\n *     collection: 'invoices',\n *     after: (r) => r.status === 'issued',   // immutable once issued\n *   }),\n * ] })\n * ```\n *\n * A record is mutable until `after(record)` holds; from then on, updates\n * and deletes throw `RecordLockedError` unless performed inside an\n * `amendment` transaction by an authorized role (the override is\n * ledgered by the guard amendment mechanism). `appendOnly: true` is\n * shorthand for `after: () => true` — immutable from creation.\n */\n\nimport { withGuard } from './with-guard.js'\nimport type { GuardStrategy, GuardStrategyHandle, GuardContext, GuardChange } from './types.js'\nimport { RecordLockedError, ValidationError } from '../errors.js'\n\nexport interface ImmutableGuardConfig<T extends Record<string, unknown>> {\n  /** The collection to make WORM. */\n  collection: string\n  /**\n   * A record becomes immutable once this predicate holds. Evaluated on\n   * the *existing* (already-persisted) record, so the write that first\n   * makes it true is still allowed; subsequent writes are blocked.\n   * Mutually exclusive with `appendOnly`.\n   */\n  after?: (record: T) => boolean\n  /** Shorthand for `after: () => true` — immutable from creation. */\n  appendOnly?: boolean\n  /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */\n  amendmentRoles?: ReadonlyArray<'admin' | 'owner'>\n  /**\n   * Optional set-level invariant run over the amendment change-set after\n   * the writes execute. Signature matches `GuardStrategy.amendment.invariant`\n   * exactly: it receives every {before, after} pair touching this\n   * collection in the amendment plus the guard context; throwing reverts\n   * the whole amendment and surfaces as `InvariantError`.\n   *\n   * Use this to keep a constraint inviolable EVEN under amendment — e.g.\n   * forbid deleting an issued document by re-throwing on any\n   * `before !== null && after === null` change, or assert a cross-record\n   * sum is preserved. When omitted the amendment is unconditionally\n   * allowed (the amendment itself is the sanctioned, ledgered override) —\n   * this is the backward-compatible default.\n   */\n  amendmentInvariant?: (\n    changes: ReadonlyArray<GuardChange<T>>,\n    ctx: GuardContext<T>,\n  ) => Promise<void> | void\n}\n\nfunction recordId(record: Record<string, unknown> | null): string {\n  const id = record?.id\n  return typeof id === 'string' ? id : ''\n}\n\n/**\n * Build an immutability guard. Pass the returned handle to\n * `createNoydb({ guardStrategies: [...] })`.\n */\nexport function immutableGuard<T extends Record<string, unknown>>(\n  config: ImmutableGuardConfig<T>,\n): GuardStrategyHandle<T> {\n  const { collection, after, appendOnly, amendmentRoles, amendmentInvariant } = config\n  if (appendOnly && after !== undefined) {\n    throw new ValidationError('immutableGuard: `after` and `appendOnly` are mutually exclusive')\n  }\n  if (!appendOnly && after === undefined) {\n    throw new ValidationError('immutableGuard: provide `after` or `appendOnly: true`')\n  }\n\n  const isImmutable: (record: T) => boolean = appendOnly ? () => true : after!\n  const reason = appendOnly ? 'append-only collection' : 'record is immutable after issue'\n\n  const spec: GuardStrategy<T> = {\n    collection,\n    // Block updates to an already-immutable record. Inserts (existing\n    // null) and the transition write that first makes the record\n    // immutable are allowed — `after` reads the prior state.\n    check: (incoming: T, ctx: GuardContext<T>) => {\n      if (ctx.existing !== null && isImmutable(ctx.existing)) {\n        throw new RecordLockedError(collection, recordId(incoming as Record<string, unknown>), reason)\n      }\n    },\n    // Block deletes of an immutable record.\n    onDelete: (existing: T) => {\n      if (isImmutable(existing)) {\n        throw new RecordLockedError(collection, recordId(existing as Record<string, unknown>), reason)\n      }\n    },\n    // The authorized override: inside an amendment transaction the\n    // check/onDelete are skipped and the change is ledgered. By default\n    // there is no extra invariant — the amendment itself is the\n    // sanctioned exception. Callers may supply `amendmentInvariant` to\n    // keep a constraint inviolable even under amendment (e.g. forbid\n    // deletes, or preserve a cross-record sum); a throw reverts the\n    // amendment and surfaces as `InvariantError`.\n    amendment: {\n      roles: amendmentRoles ?? ['admin', 'owner'],\n      invariant: amendmentInvariant ?? (() => {\n        /* allow — the amendment is the override, and is ledgered */\n      }),\n    },\n  }\n\n  return withGuard<T>(spec)\n}\n","/**\n * `transitionGuard` — declarative state-machine sugar over the guard\n * subsystem.\n *\n * Any record with a lifecycle field (invoice `status`, order state,\n * ticket workflow, subscription phase) needs transition validation: a\n * write may only move the field along a declared arc. That is expressible\n * with a hand-rolled `withGuard({ check })`, but every consumer\n * re-implements the same graph lookup + error. `transitionGuard`\n * generates exactly that guard from a state graph, reusing the guard\n * machinery wholesale — `check` rejection, the ledgered `amendment`\n * override, and composition with `periods`/`history`.\n *\n * It generalizes {@link immutableGuard}: WORM is the special case \"every\n * state has no outgoing arcs\", i.e. `transitions` mapping each state to `[]`.\n *\n * ```ts\n * createNoydb({ guardStrategies: [\n *   transitionGuard<Sale>({\n *     collection: 'sales', field: 'status',\n *     transitions: {                          // absence of an arc = forbidden\n *       draft: ['to_verify', 'cancelled'],\n *       to_verify: ['proforma', 'draft', 'cancelled'],\n *       proforma: ['invoiced', 'cancelled'],\n *       invoiced: ['paid'], paid: [], cancelled: [],\n *     },\n *     initial: ['draft', 'to_verify'],        // allowed status on insert\n *   }),\n * ] })\n * ```\n *\n * Semantics:\n * - **Insert** (`ctx.existing === null`): `incoming[field]` must be in\n *   `initial`. When `initial` is omitted, any value is allowed on insert.\n * - **Update**: the arc `(existing[field] → incoming[field])` must be\n *   listed in `transitions[from]`, else `IllegalTransitionError`. A\n *   same-value write (`from === to`) is allowed when `allowIdempotent`\n *   (default `true`) — so writes that touch other fields without moving\n *   state pass.\n * - **Override**: inside an `amendment` transaction by an authorized role\n *   the check is skipped and the change is ledgered (mirrors every guard).\n *\n * The status graph is caller-supplied data — no UI, no domain logic.\n */\n\nimport { withGuard } from './with-guard.js'\nimport type { GuardStrategy, GuardStrategyHandle, GuardContext, GuardChange } from './types.js'\nimport { IllegalTransitionError, ValidationError } from '../errors.js'\n\nexport interface TransitionGuardConfig<T extends Record<string, unknown>> {\n  /** The collection whose state field is governed. */\n  collection: string\n  /** The state field on the record (e.g. `'status'`). */\n  field: keyof T & string\n  /**\n   * The transition graph: each state maps to the states it may move to.\n   * A state absent from the map (or mapped to `[]`) is terminal — no\n   * outgoing arc, so any non-idempotent write from it is rejected.\n   */\n  transitions: Readonly<Record<string, readonly string[]>>\n  /**\n   * States allowed as the initial value on insert (`existing === null`).\n   * Omit to allow any value on insert.\n   */\n  initial?: readonly string[]\n  /**\n   * Allow a same-value write (`from === to`) on update. Default `true` —\n   * lets a put that changes other fields, but not the state, through.\n   */\n  allowIdempotent?: boolean\n  /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */\n  amendmentRoles?: ReadonlyArray<'admin' | 'owner'>\n  /**\n   * Optional set-level invariant run over the amendment change-set after\n   * the writes execute. Signature matches `GuardStrategy.amendment.invariant`\n   * exactly. When omitted the amendment is unconditionally allowed (the\n   * amendment itself is the sanctioned, ledgered override) — the\n   * backward-compatible default. Mirrors {@link immutableGuard}.\n   */\n  amendmentInvariant?: (\n    changes: ReadonlyArray<GuardChange<T>>,\n    ctx: GuardContext<T>,\n  ) => Promise<void> | void\n}\n\nfunction recordId(record: Record<string, unknown> | null): string {\n  const id = record?.id\n  return typeof id === 'string' ? id : ''\n}\n\nfunction stateOf(record: Record<string, unknown>, field: string): string {\n  const v = record[field]\n  return typeof v === 'string' ? v : String(v)\n}\n\n/**\n * Build a state-machine transition guard. Pass the returned handle to\n * `createNoydb({ guardStrategies: [...] })`.\n */\nexport function transitionGuard<T extends Record<string, unknown>>(\n  config: TransitionGuardConfig<T>,\n): GuardStrategyHandle<T> {\n  const { collection, field, transitions, initial, amendmentRoles, amendmentInvariant } = config\n  const allowIdempotent = config.allowIdempotent ?? true\n\n  if (!field) {\n    throw new ValidationError('transitionGuard: `field` is required')\n  }\n  if (transitions === undefined || typeof transitions !== 'object') {\n    throw new ValidationError('transitionGuard: `transitions` must be a state→states map')\n  }\n\n  const spec: GuardStrategy<T> = {\n    collection,\n    check: (incoming: T, ctx: GuardContext<T>) => {\n      const rec = incoming as Record<string, unknown>\n      const to = stateOf(rec, field)\n\n      // Insert — gate on the allowed initial set (any value if unset).\n      if (ctx.existing === null) {\n        if (initial !== undefined && !initial.includes(to)) {\n          throw new IllegalTransitionError(collection, recordId(rec), '(none)', to)\n        }\n        return\n      }\n\n      // Update — the arc (from → to) must be a declared edge.\n      const from = stateOf(ctx.existing as Record<string, unknown>, field)\n      if (from === to) {\n        if (allowIdempotent) return\n        throw new IllegalTransitionError(collection, recordId(rec), from, to)\n      }\n      const allowed = transitions[from] ?? []\n      if (!allowed.includes(to)) {\n        throw new IllegalTransitionError(collection, recordId(rec), from, to)\n      }\n    },\n    // The authorized override: inside an amendment transaction the check\n    // is skipped and the change is ledgered. By default no extra invariant\n    // — the amendment itself is the sanctioned exception. Callers may\n    // supply `amendmentInvariant` to keep a constraint inviolable even\n    // under amendment; a throw reverts the amendment as `InvariantError`.\n    amendment: {\n      roles: amendmentRoles ?? ['admin', 'owner'],\n      invariant: amendmentInvariant ?? (() => {\n        /* allow — the amendment is the override, and is ledgered */\n      }),\n    },\n  }\n\n  return withGuard<T>(spec)\n}\n"],"mappings":";;;;;;;AAgBO,SAAS,UACd,UACwB;AACxB,MAAI,CAAC,SAAS,cAAc,SAAS,WAAW,WAAW,GAAG;AAC5D,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB,MAAM;AAAA,EACR;AACF;;;ACwCA,SAAS,SAAS,QAAgD;AAChE,QAAM,KAAK,QAAQ;AACnB,SAAO,OAAO,OAAO,WAAW,KAAK;AACvC;AAMO,SAAS,eACd,QACwB;AACxB,QAAM,EAAE,YAAY,OAAO,YAAY,gBAAgB,mBAAmB,IAAI;AAC9E,MAAI,cAAc,UAAU,QAAW;AACrC,UAAM,IAAI,gBAAgB,iEAAiE;AAAA,EAC7F;AACA,MAAI,CAAC,cAAc,UAAU,QAAW;AACtC,UAAM,IAAI,gBAAgB,uDAAuD;AAAA,EACnF;AAEA,QAAM,cAAsC,aAAa,MAAM,OAAO;AACtE,QAAM,SAAS,aAAa,2BAA2B;AAEvD,QAAM,OAAyB;AAAA,IAC7B;AAAA;AAAA;AAAA;AAAA,IAIA,OAAO,CAAC,UAAa,QAAyB;AAC5C,UAAI,IAAI,aAAa,QAAQ,YAAY,IAAI,QAAQ,GAAG;AACtD,cAAM,IAAI,kBAAkB,YAAY,SAAS,QAAmC,GAAG,MAAM;AAAA,MAC/F;AAAA,IACF;AAAA;AAAA,IAEA,UAAU,CAAC,aAAgB;AACzB,UAAI,YAAY,QAAQ,GAAG;AACzB,cAAM,IAAI,kBAAkB,YAAY,SAAS,QAAmC,GAAG,MAAM;AAAA,MAC/F;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,WAAW;AAAA,MACT,OAAO,kBAAkB,CAAC,SAAS,OAAO;AAAA,MAC1C,WAAW,uBAAuB,MAAM;AAAA,MAExC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,UAAa,IAAI;AAC1B;;;ACpCA,SAASA,UAAS,QAAgD;AAChE,QAAM,KAAK,QAAQ;AACnB,SAAO,OAAO,OAAO,WAAW,KAAK;AACvC;AAEA,SAAS,QAAQ,QAAiC,OAAuB;AACvE,QAAM,IAAI,OAAO,KAAK;AACtB,SAAO,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC;AAC7C;AAMO,SAAS,gBACd,QACwB;AACxB,QAAM,EAAE,YAAY,OAAO,aAAa,SAAS,gBAAgB,mBAAmB,IAAI;AACxF,QAAM,kBAAkB,OAAO,mBAAmB;AAElD,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,gBAAgB,sCAAsC;AAAA,EAClE;AACA,MAAI,gBAAgB,UAAa,OAAO,gBAAgB,UAAU;AAChE,UAAM,IAAI,gBAAgB,gEAA2D;AAAA,EACvF;AAEA,QAAM,OAAyB;AAAA,IAC7B;AAAA,IACA,OAAO,CAAC,UAAa,QAAyB;AAC5C,YAAM,MAAM;AACZ,YAAM,KAAK,QAAQ,KAAK,KAAK;AAG7B,UAAI,IAAI,aAAa,MAAM;AACzB,YAAI,YAAY,UAAa,CAAC,QAAQ,SAAS,EAAE,GAAG;AAClD,gBAAM,IAAI,uBAAuB,YAAYA,UAAS,GAAG,GAAG,UAAU,EAAE;AAAA,QAC1E;AACA;AAAA,MACF;AAGA,YAAM,OAAO,QAAQ,IAAI,UAAqC,KAAK;AACnE,UAAI,SAAS,IAAI;AACf,YAAI,gBAAiB;AACrB,cAAM,IAAI,uBAAuB,YAAYA,UAAS,GAAG,GAAG,MAAM,EAAE;AAAA,MACtE;AACA,YAAM,UAAU,YAAY,IAAI,KAAK,CAAC;AACtC,UAAI,CAAC,QAAQ,SAAS,EAAE,GAAG;AACzB,cAAM,IAAI,uBAAuB,YAAYA,UAAS,GAAG,GAAG,MAAM,EAAE;AAAA,MACtE;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,WAAW;AAAA,MACT,OAAO,kBAAkB,CAAC,SAAS,OAAO;AAAA,MAC1C,WAAW,uBAAuB,MAAM;AAAA,MAExC;AAAA,IACF;AAAA,EACF;AAEA,SAAO,UAAa,IAAI;AAC1B;","names":["recordId"]}

package/dist/{chunk-UND4XIB6.js → chunk-C6W5KVDV.js}

@@ -1,10 +1,10 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-TA6HPKWQ.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-2PAQNPE3.js";
+} from "./chunk-37VGJM3T.js";
 
 // src/persisted-schemas/storage.ts
 var SCHEMAS_COLLECTION = "_schemas";
@@ -84,6 +84,49 @@ var MemorySealingKeyProvider = class {
     return out;
   }
 };
+async function sealRsaOaepTlv(plaintext, publicKeyPem) {
+  const b64 = publicKeyPem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
+  const spki = base64ToBytes(b64);
+  const recipientPub = await crypto.subtle.importKey(
+    "spki",
+    spki,
+    { name: "RSA-OAEP", hash: "SHA-256" },
+    false,
+    ["encrypt"]
+  );
+  const cekBytes = crypto.getRandomValues(new Uint8Array(32));
+  const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["encrypt"]);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const ct = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, cek, plaintext));
+  const wrapped = new Uint8Array(await crypto.subtle.encrypt({ name: "RSA-OAEP" }, recipientPub, cekBytes));
+  cekBytes.fill(0);
+  if (wrapped.length !== 256) {
+    throw new Error(`sealRsaOaepTlv: expected 256-byte RSA-OAEP wrap, got ${wrapped.length}`);
+  }
+  const out = new Uint8Array(1 + 256 + 12 + ct.length);
+  out[0] = 1;
+  out.set(wrapped, 1);
+  out.set(iv, 1 + 256);
+  out.set(ct, 1 + 256 + 12);
+  return out;
+}
+function parseRsaOaepTlv(bytes) {
+  if (bytes.length < 1 + 256 + 12 + 16) {
+    throw new Error("parseRsaOaepTlv: sealed input too short");
+  }
+  if (bytes[0] !== 1) {
+    throw new Error(`parseRsaOaepTlv: unknown TLV version ${bytes[0]}`);
+  }
+  return {
+    wrapped: bytes.subarray(1, 1 + 256),
+    iv: bytes.subarray(1 + 256, 1 + 256 + 12),
+    ct: bytes.subarray(1 + 256 + 12)
+  };
+}
+async function aesGcmOpen(cekBytes, iv, ct) {
+  const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["decrypt"]);
+  return new Uint8Array(await crypto.subtle.decrypt({ name: "AES-GCM", iv }, cek, ct));
+}
 var MemoryRecipientSealer = class {
   id;
   keypair;
@@ -112,49 +155,17 @@ var MemoryRecipientSealer = class {
     if (typeof pem !== "string") {
       throw new Error("MemoryRecipientSealer.sealForRecipient: hint.material.publicKeyPem missing or not a string");
     }
-    const b64 = pem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
-    const spki = base64ToBytes(b64);
-    const recipientPub = await crypto.subtle.importKey(
-      "spki",
-      spki,
-      { name: "RSA-OAEP", hash: "SHA-256" },
-      false,
-      ["encrypt"]
-    );
-    const cekBytes = crypto.getRandomValues(new Uint8Array(32));
-    const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["encrypt"]);
-    const iv = crypto.getRandomValues(new Uint8Array(12));
-    const ct = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, cek, plaintext));
-    const wrapped = new Uint8Array(await crypto.subtle.encrypt({ name: "RSA-OAEP" }, recipientPub, cekBytes));
-    cekBytes.fill(0);
-    if (wrapped.length !== 256) {
-      throw new Error(`MemoryRecipientSealer.sealForRecipient: expected 256-byte RSA-OAEP wrap, got ${wrapped.length}`);
-    }
-    const out = new Uint8Array(1 + 256 + 12 + ct.length);
-    out[0] = 1;
-    out.set(wrapped, 1);
-    out.set(iv, 1 + 256);
-    out.set(ct, 1 + 256 + 12);
-    return out;
+    return sealRsaOaepTlv(plaintext, pem);
   }
   async seal(plaintext) {
     const hint = await this.publishRecipientHint();
     return this.sealForRecipient(plaintext, hint);
   }
   async unseal(bytes) {
-    if (bytes.length < 1 + 256 + 12 + 16) {
-      throw new Error("MemoryRecipientSealer.unseal: sealed input too short");
-    }
-    if (bytes[0] !== 1) {
-      throw new Error(`MemoryRecipientSealer.unseal: unknown TLV version ${bytes[0]}`);
-    }
-    const wrapped = bytes.subarray(1, 1 + 256);
-    const iv = bytes.subarray(1 + 256, 1 + 256 + 12);
-    const ct = bytes.subarray(1 + 256 + 12);
+    const { wrapped, iv, ct } = parseRsaOaepTlv(bytes);
     const { privateKey } = await this.keypair;
     const cekBytes = new Uint8Array(await crypto.subtle.decrypt({ name: "RSA-OAEP" }, privateKey, wrapped));
-    const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["decrypt"]);
-    const pt = new Uint8Array(await crypto.subtle.decrypt({ name: "AES-GCM", iv }, cek, ct));
+    const pt = await aesGcmOpen(cekBytes, iv, ct);
     cekBytes.fill(0);
     return pt;
   }
@@ -241,6 +252,9 @@ export {
   loadPersistedSchema,
   savePersistedSchema,
   MemorySealingKeyProvider,
+  sealRsaOaepTlv,
+  parseRsaOaepTlv,
+  aesGcmOpen,
   MemoryRecipientSealer,
   SEALED_PASSPHRASE_RECORD_ID,
   parseSealedEnvelope,
@@ -248,4 +262,4 @@ export {
   loadSealedPassphrase,
   resolveManagedSecret
 };
-//# sourceMappingURL=chunk-UND4XIB6.js.map
+//# sourceMappingURL=chunk-C6W5KVDV.js.map