@noy-db/hub 0.2.0-pre.2 → 0.2.0-pre.21

package/dist/{chunk-QPEXPHJR.js → chunk-I3IYTUUI.js}

@@ -1,11 +1,11 @@
 import {
   canonicalJson,
   sha256Hex
-} from "./chunk-XG3PTSCD.js";
+} from "./chunk-PDVP3C2I.js";
 import {
   PeriodClosedError,
   ValidationError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/periods/periods.ts
 var PERIODS_COLLECTION = "_periods";
@@ -56,7 +56,7 @@ function validatePeriodName(name, existing) {
 }
 async function appendPeriodLedgerEntry(ledger, actor, envelope, name) {
   if (!ledger) return;
-  const { envelopePayloadHash } = await import("./ledger-3IU5GMXA.js");
+  const { envelopePayloadHash } = await import("./ledger-I7JUYP4L.js");
   await ledger.append({
     op: "put",
     collection: PERIODS_COLLECTION,
@@ -87,4 +87,4 @@ export {
   appendPeriodLedgerEntry,
   withPeriods
 };
-//# sourceMappingURL=chunk-QPEXPHJR.js.map
+//# sourceMappingURL=chunk-I3IYTUUI.js.map

package/dist/{chunk-3QAKZ37R.js → chunk-IVZWHIEK.js}

@@ -2,18 +2,18 @@ import {
   ATTESTATIONS_COLLECTION,
   REVOKED_RECORD_ID,
   loadOrCreateSigner
-} from "./chunk-4HIL6AHQ.js";
+} from "./chunk-TAMRU7A2.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-TA6HPKWQ.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-2PAQNPE3.js";
+} from "./chunk-37VGJM3T.js";
 import {
   AttestationError,
   ConflictError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/attestation/revoke.ts
 import { signRevocationList } from "@noy-db/attestation";
@@ -80,4 +80,4 @@ export {
   getRevokedDocIdsCore,
   publishRevocationListCore
 };
-//# sourceMappingURL=chunk-3QAKZ37R.js.map
+//# sourceMappingURL=chunk-IVZWHIEK.js.map

package/dist/{chunk-PLI5TV7N.js → chunk-IW4L4X65.js}

@@ -30,7 +30,7 @@ async function resolveStaleMVOnRead(accessor, outputCollection) {
       continue;
     }
     if (executor === null) {
-      ({ MaterializedViewExecutor: executor } = await import("./executor-AS2IDHKZ.js"));
+      ({ MaterializedViewExecutor: executor } = await import("./executor-KYJCJCIN.js"));
     }
     await executor.refresh(reg, {
       getCollection: (n) => accessor.getCollection(n),
@@ -50,4 +50,4 @@ export {
   resolveStaleMVOnRead,
   clearMVStale
 };
-//# sourceMappingURL=chunk-PLI5TV7N.js.map
+//# sourceMappingURL=chunk-IW4L4X65.js.map

package/dist/chunk-IW4L4X65.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/materialized-views/stale.ts"],"sourcesContent":["import type { Collection } from '../collection.js'\nimport type { TxContext } from '../tx/transaction.js'\nimport type { MaterializedViewRegistry } from './registry.js'\n// Type-only — runtime class loaded via dynamic import in\n// `resolveStaleMVOnRead` only when a stale flag actually fires.\n// Keeps the executor chunk out of the floor bundle (mirrors v1 floor-bundle isolation).\nimport type { MaterializedViewExecutor as MVExecutorType } from './executor.js'\nimport type { MVQueryContext } from './types.js'\n\n/**\n * Accessor shape passed in from the owning Vault. Provides the\n * registry (used as a stable WeakMap key + to look up MVs by output\n * collection) and the runtime context the lazy refresh needs.\n * Mirrors v1's `DerivationStaleAccessor`.\n */\nexport interface MVStaleAccessor {\n  registry(): MaterializedViewRegistry\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  getCollection(name: string): Collection<any>\n  getActiveTxContext(): TxContext | null\n  getQueryContext(): MVQueryContext\n}\n\n/**\n * In-memory stale map keyed by `MaterializedViewRegistry` instance\n * (stable per vault). Each registry maps to a set of MV names that\n * have at least one pending source-change requiring a re-materialize.\n *\n * Persistence across vault close is NOT implemented in this iteration\n * (concern flagged in the v2 spec, mirrors v1 derivation behavior).\n * On vault re-open, the unset stale flag is interpreted as \"fresh\" —\n * `vault.refreshView(name)` is the explicit recompute escape hatch.\n *\n * @internal\n */\nconst _staleByRegistry = new WeakMap<MaterializedViewRegistry, Set<string>>()\n\n/**\n * Mark an MV as stale. Called from `Collection.dispatchMaterializedViews`\n * when a source-write fires for a `refresh: 'lazy'` MV.\n *\n * @internal\n */\nexport function markMVStale(registry: MaterializedViewRegistry, mvName: string): void {\n  let set = _staleByRegistry.get(registry)\n  if (!set) {\n    set = new Set()\n    _staleByRegistry.set(registry, set)\n  }\n  set.add(mvName)\n}\n\n/**\n * Test-only: check whether a given MV name is currently flagged stale\n * against a registry. Exported so the regression suite can pin the\n * stale-bit lifecycle without touching the internal `WeakMap`.\n *\n * @internal\n */\nexport function isMVStale(registry: MaterializedViewRegistry, mvName: string): boolean {\n  return _staleByRegistry.get(registry)?.has(mvName) ?? false\n}\n\n/**\n * Called from `Collection.get` (and any reader that materializes the\n * MV's output collection). If any MV producing `outputCollection` is\n * flagged stale, runs the executor against the live source state\n * before returning. No-op when there is no pending work — keeps the\n * read fast path negligible.\n *\n * Dynamic-imports the executor only when a stale flag actually fires\n * (the floor-bundle isolation pattern v1 derivations established in\n * floor-bundle isolation pattern).\n */\nexport async function resolveStaleMVOnRead(\n  accessor: MVStaleAccessor,\n  outputCollection: string,\n): Promise<void> {\n  const registry = accessor.registry()\n  const pending = _staleByRegistry.get(registry)\n  if (!pending || pending.size === 0) return\n\n  // Find every MV that writes to this output collection AND is\n  // currently flagged stale. Multiple MVs CAN share an output\n  // collection in theory; in practice the registration validation +\n  // cycle detection make this unusual.\n  const candidates: string[] = []\n  for (const mv of registry.all()) {\n    if (mv.outputCollection !== outputCollection) continue\n    if (!pending.has(mv.spec.name)) continue\n    candidates.push(mv.spec.name)\n  }\n  if (candidates.length === 0) return\n\n  let executor: typeof MVExecutorType | null = null\n  for (const name of candidates) {\n    const reg = registry.byName(name)\n    if (!reg) {\n      pending.delete(name)\n      continue\n    }\n    if (executor === null) {\n      ({ MaterializedViewExecutor: executor } = (await import('./executor.js')) as {\n        MaterializedViewExecutor: typeof MVExecutorType\n      })\n    }\n    await executor.refresh(reg, {\n      getCollection: (n) => accessor.getCollection(n),\n      getActiveTxContext: () => accessor.getActiveTxContext(),\n      getQueryContext: () => accessor.getQueryContext(),\n    })\n    pending.delete(name)\n  }\n}\n\n/**\n * Drop every stale flag for a registry. Used after a manual\n * `vault.refreshView(name)` runs the executor explicitly — the\n * post-refresh state matches the registered strategies, so\n * lingering stale bits would force a redundant refresh on the next\n * read.\n *\n * @internal\n */\nexport function clearMVStale(registry: MaterializedViewRegistry, mvName: string): void {\n  _staleByRegistry.get(registry)?.delete(mvName)\n}\n"],"mappings":";AAmCA,IAAM,mBAAmB,oBAAI,QAA+C;AAQrE,SAAS,YAAY,UAAoC,QAAsB;AACpF,MAAI,MAAM,iBAAiB,IAAI,QAAQ;AACvC,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,qBAAiB,IAAI,UAAU,GAAG;AAAA,EACpC;AACA,MAAI,IAAI,MAAM;AAChB;AASO,SAAS,UAAU,UAAoC,QAAyB;AACrF,SAAO,iBAAiB,IAAI,QAAQ,GAAG,IAAI,MAAM,KAAK;AACxD;AAaA,eAAsB,qBACpB,UACA,kBACe;AACf,QAAM,WAAW,SAAS,SAAS;AACnC,QAAM,UAAU,iBAAiB,IAAI,QAAQ;AAC7C,MAAI,CAAC,WAAW,QAAQ,SAAS,EAAG;AAMpC,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,SAAS,IAAI,GAAG;AAC/B,QAAI,GAAG,qBAAqB,iBAAkB;AAC9C,QAAI,CAAC,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAG;AAChC,eAAW,KAAK,GAAG,KAAK,IAAI;AAAA,EAC9B;AACA,MAAI,WAAW,WAAW,EAAG;AAE7B,MAAI,WAAyC;AAC7C,aAAW,QAAQ,YAAY;AAC7B,UAAM,MAAM,SAAS,OAAO,IAAI;AAChC,QAAI,CAAC,KAAK;AACR,cAAQ,OAAO,IAAI;AACnB;AAAA,IACF;AACA,QAAI,aAAa,MAAM;AACrB,OAAC,EAAE,0BAA0B,SAAS,IAAK,MAAM,OAAO,wBAAe;AAAA,IAGzE;AACA,UAAM,SAAS,QAAQ,KAAK;AAAA,MAC1B,eAAe,CAAC,MAAM,SAAS,cAAc,CAAC;AAAA,MAC9C,oBAAoB,MAAM,SAAS,mBAAmB;AAAA,MACtD,iBAAiB,MAAM,SAAS,gBAAgB;AAAA,IAClD,CAAC;AACD,YAAQ,OAAO,IAAI;AAAA,EACrB;AACF;AAWO,SAAS,aAAa,UAAoC,QAAsB;AACrF,mBAAiB,IAAI,QAAQ,GAAG,OAAO,MAAM;AAC/C;","names":[]}

package/dist/{chunk-3Z2TPHC4.js → chunk-IY24WS2P.js}

@@ -1,12 +1,17 @@
+import {
+  generateULID
+} from "./chunk-FZU343FL.js";
 import {
   AmendmentForbiddenError,
   ConflictError,
   InvariantError,
   ValidationError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/tx/transaction.ts
 var TxContext = class {
+  /** Stable id for this transaction; shared by all writes it performs. */
+  txId = generateULID();
   /** @internal */
   _ops = [];
   /**
@@ -15,7 +20,7 @@ var TxContext = class {
    * restore prior state via `revertExecuted`. Side-effect writes (e.g.
    * recursive derivation outputs fired inside `Collection.put`) are
    * appended here in execution order so they roll back alongside the
-   * main staged ops (#133).
+   * main staged ops.
    */
   _executed = [];
   /** @internal */
@@ -132,7 +137,7 @@ var TxCollection = class {
     this._ctx._ops.push(op);
   }
 };
-async function runTransaction(db, fn, options) {
+async function runTransaction(db, fn, options, txInvariants) {
   if (options?.amendment) {
     if (typeof options.reason !== "string" || options.reason.trim().length === 0) {
       throw new ValidationError(
@@ -156,12 +161,19 @@ async function runTransaction(db, fn, options) {
   }
   const priorEnvelopes = /* @__PURE__ */ new Map();
   const store = db._store;
+  const invariants = txInvariants ?? [];
+  const watchedScopes = new Set(invariants.map((i) => i.scope));
+  const plainBefore = /* @__PURE__ */ new Map();
   for (const op of ctx._ops) {
     const key = keyOf(op);
     if (!priorEnvelopes.has(key)) {
       const env = await store.get(op.vaultName, op.collectionName, op.id);
       priorEnvelopes.set(key, env);
     }
+    if (watchedScopes.has(op.collectionName) && !plainBefore.has(key)) {
+      const prior = await db.vault(op.vaultName).collection(op.collectionName).get(op.id);
+      plainBefore.set(key, prior ?? null);
+    }
     if (op.expectedVersion !== void 0) {
       const env = priorEnvelopes.get(key) ?? null;
       const actual = env?._v ?? 0;
@@ -204,7 +216,7 @@ async function runTransaction(db, fn, options) {
     db._clearActiveTxContext(ctx);
   }
   if (ctx._amendment) {
-    const { GuardExecutor } = await import("./executor-HN6YBHZ5.js");
+    const { GuardExecutor } = await import("./executor-W7VIBOBZ.js");
     try {
       for (const [vaultName, v] of ctx._amendmentVaults) {
         const registry = v._getGuardRegistry();
@@ -259,6 +271,58 @@ async function runTransaction(db, fn, options) {
       );
     }
   }
+  if (invariants.length > 0) {
+    const lastOp = /* @__PURE__ */ new Map();
+    const order = [];
+    for (const op of ctx._ops) {
+      const key = keyOf(op);
+      if (!lastOp.has(key)) order.push(key);
+      lastOp.set(key, op);
+    }
+    const changesByScope = /* @__PURE__ */ new Map();
+    const scopeVault = /* @__PURE__ */ new Map();
+    for (const key of order) {
+      const op = lastOp.get(key);
+      if (!watchedScopes.has(op.collectionName)) continue;
+      const before = plainBefore.get(key) ?? null;
+      const after = op.type === "delete" ? null : op.record ?? null;
+      const change = { before, after };
+      const arr = changesByScope.get(op.collectionName);
+      if (arr) arr.push(change);
+      else changesByScope.set(op.collectionName, [change]);
+      scopeVault.set(op.collectionName, op.vaultName);
+    }
+    try {
+      for (const inv of invariants) {
+        const changes = changesByScope.get(inv.scope);
+        if (changes === void 0 || changes.length === 0) continue;
+        const vaultName = scopeVault.get(inv.scope);
+        const v = db.vault(vaultName);
+        const facade = v._getReadOnlyFacade() ?? {
+          collection(name) {
+            const c = v.collection(name);
+            return {
+              get: (id) => c.get(id),
+              list: () => c.list(),
+              query: () => c.query()
+            };
+          }
+        };
+        const ctxForInv = {
+          existing: null,
+          vault: facade,
+          userId: v.userId,
+          role: v.role
+        };
+        await inv.check(changes, ctxForInv);
+      }
+    } catch (err) {
+      await revertExecuted(ctx._executed, store, db);
+      throw err instanceof InvariantError ? err : new InvariantError(
+        err instanceof Error ? err.message : `invariant violated: ${String(err)}`
+      );
+    }
+  }
   return bodyResult;
 }
 async function revertExecuted(executed, store, db) {
@@ -288,4 +352,4 @@ export {
   runTransaction,
   revertExecuted
 };
-//# sourceMappingURL=chunk-3Z2TPHC4.js.map
+//# sourceMappingURL=chunk-IY24WS2P.js.map

package/dist/chunk-IY24WS2P.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/tx/transaction.ts"],"sourcesContent":["/**\n * Multi-record atomic transactions.\n *\n * Lets an application stage writes across two or more collections (or\n * vaults) and commit them all-or-nothing.\n *\n * ```ts\n * await db.transaction(async (tx) => {\n *   const inv = tx.vault('acme').collection<Invoice>('invoices')\n *   const pay = tx.vault('acme').collection<Payment>('payments')\n *   await inv.put(invoiceId, { ...invoice, status: 'paid' })\n *   await pay.put(paymentId, { invoiceId, amount, paidAt })\n * })\n * // If the body throws before returning: nothing persisted.\n * // If the body returns: all puts committed; any CAS mismatch rolls\n * // the batch back and surfaces as ConflictError.\n * ```\n *\n * ## Atomicity semantics\n *\n * Ops are buffered during the body. On body-return the hub:\n *\n * 1. **Pre-flight** — re-reads every touched envelope and enforces\n *    any caller-supplied `expectedVersion`. A mismatch throws\n *    `ConflictError` with *no* writes performed.\n * 2. **Execute** — calls `Collection.put()` / `.delete()` for each\n *    staged op in declaration order. History snapshots, ledger\n *    appends, and change events fire as normal per op.\n * 3. **Unwind on failure** — if step 2 throws mid-batch, each\n *    already-committed op is reverted via the raw store (restoring\n *    the captured prior envelope, or deleting if none existed). The\n *    ledger is NOT rewritten — audit history preserves the partial\n *    commit and the revert.\n *\n * **Crash window.** Steps 2–3 are not a storage-layer transaction —\n * if the process dies between two executed ops, the on-disk state is\n * partial. True all-or-nothing atomicity requires a store that\n * implements `NoydbStore.tx()` (DynamoDB `TransactWriteItems`,\n * IndexedDB `readwrite` transaction, …). This executor declares\n * that future integration point via the `tx?()` method + the\n * `StoreCapabilities.txAtomic` bit, but does not yet delegate\n * to it — the cascade into `Fork · Stores` tracks the per-adapter\n * wire-up.\n *\n * ## Not covered\n *\n * - Cross-sync-peer atomicity. Transactions commit against the\n *   primary store only; the sync engine pushes on its normal\n *   schedule. For cross-peer two-phase commit use `SyncTransaction`\n * via `db.transaction(vaultName)`.\n * - Read-your-writes within the body. `tx.collection().get(id)`\n *   returns the most-recently-staged value for that id when one\n *   exists; if no staged op has touched the id, it reads the current\n *   committed state. Version numbers returned by `get` reflect the\n *   pre-transaction state (staged puts have no version yet).\n *\n * @module\n */\n\nimport type { Noydb } from '../noydb.js'\nimport type { Vault } from '../vault.js'\nimport type { Collection } from '../collection.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport {\n  AmendmentForbiddenError,\n  ConflictError,\n  InvariantError,\n  ValidationError,\n} from '../errors.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { GuardExecutor as GuardExecutorModule } from '../guards/executor.js'\nimport type { LedgerEntry } from '../history/ledger/entry.js'\nimport type { TransactionInvariant } from './invariants.js'\nimport type { GuardChange, GuardContext, ReadOnlyVaultFacade } from '../guards/types.js'\n\n/** One op buffered inside a running `TxContext`. @internal */\nexport interface StagedOp {\n  type: 'put' | 'delete'\n  vaultName: string\n  collectionName: string\n  id: string\n  record?: unknown\n  expectedVersion?: number\n  /**\n   * Optional human-readable tag forwarded to the resulting ledger\n   * entry's `reason` field. Set by callers via\n   * `tx.vault(v).collection(c).put(id, record, { reason })`.\n   */\n  reason?: string\n}\n\n/**\n * One executed op (main staged op or recursive side-effect like a\n * derivation output) paired with the envelope captured before the write.\n * `revertExecuted` walks this array in reverse on rollback.\n * @internal\n */\nexport interface ExecutedOp {\n  op: StagedOp\n  priorEnvelope: EncryptedEnvelope | null\n}\n\n/**\n * Options accepted by `db.transaction({ amendment, reason }, fn)`.\n * Only the amendment variant uses these — a plain `db.transaction(fn)`\n * never sees this shape.\n */\nexport interface AmendmentTxOptions {\n  /** Opt into amendment mode. Required to be `true`. */\n  readonly amendment: true\n  /** Human-readable rationale recorded in the ledger entry. Required. */\n  readonly reason: string\n}\n\n/**\n * Transaction handle passed to the user's body. Use\n * `tx.vault(name).collection<T>(name)` to get a per-collection\n * facade; its `put`/`delete`/`get` calls stage ops against the tx.\n */\nexport class TxContext {\n  /** Stable id for this transaction; shared by all writes it performs. */\n  readonly txId: string = generateULID()\n  /** @internal */\n  readonly _ops: StagedOp[] = []\n  /**\n   * @internal — write log built up in Phase 2. Each entry records the\n   * envelope captured BEFORE the write so a mid-batch failure can\n   * restore prior state via `revertExecuted`. Side-effect writes (e.g.\n   * recursive derivation outputs fired inside `Collection.put`) are\n   * appended here in execution order so they roll back alongside the\n   * main staged ops.\n   */\n  readonly _executed: ExecutedOp[] = []\n  /** @internal */\n  readonly _db: Noydb\n  /**\n   * @internal — true when this TxContext was opened in amendment\n   * mode. Toggles the lazy-`beginAmendment` + role-check path on first\n   * `tx.vault(name)` and unlocks the post-Phase-2 invariant + audit run.\n   */\n  readonly _amendment: boolean\n  /** @internal — vaults that have already had `beginAmendment` called. */\n  readonly _amendmentVaults = new Map<string, Vault>()\n\n  /** @internal */\n  constructor(db: Noydb, amendment = false) {\n    this._db = db\n    this._amendment = amendment\n  }\n\n  /** Scope subsequent `collection()` calls to the named vault. */\n  vault(name: string): TxVault {\n    const v = this._db.vault(name)\n    if (this._amendment && !this._amendmentVaults.has(name)) {\n      // Role check is per-vault. The task spec (\"only admin or owner\n      // can open an amendment\") is implemented lazy-on-first-touch\n      // because the role lives on the vault's keyring, and `tx.vault()`\n      // is the first place we know which vault we're addressing. The\n      // observable effect is identical to an eager check in the single-\n      // vault case the tests exercise; multi-vault amendments check\n      // each touched vault as they first appear.\n      const role = v.role\n      if (role !== 'admin' && role !== 'owner') {\n        throw new AmendmentForbiddenError(v.userId, role)\n      }\n      // Amendments require an initialised guard registry — they\n      // produce a structured invariant + change-set audit. A vault\n      // opened without `guardStrategies` (or via the sync fallback\n      // path) has a null registry and cannot run an amendment.\n      const reg = v._getGuardRegistry()\n      if (reg === null) {\n        throw new ValidationError(\n          `Vault \"${name}\": amendment mode requires at least one ` +\n          `guardStrategy registered via createNoydb({ guardStrategies }). ` +\n          `Open the vault with guardStrategies before calling ` +\n          `db.transaction({ amendment: true }).`,\n        )\n      }\n      reg.beginAmendment()\n      this._amendmentVaults.set(name, v)\n    }\n    return new TxVault(this, v)\n  }\n}\n\n/** Per-vault facade inside a running transaction. */\nexport class TxVault {\n  /** @internal */\n  readonly _ctx: TxContext\n  /** @internal */\n  readonly _vault: Vault\n\n  /** @internal */\n  constructor(ctx: TxContext, vault: Vault) {\n    this._ctx = ctx\n    this._vault = vault\n  }\n\n  /** Scope subsequent op calls to the named collection. */\n  collection<T>(name: string): TxCollection<T> {\n    const c = this._vault.collection<T>(name)\n    return new TxCollection<T>(this._ctx, this._vault, c, name)\n  }\n}\n\n/** Per-collection facade inside a running transaction. */\nexport class TxCollection<T> {\n  /** @internal */\n  readonly _ctx: TxContext\n  /** @internal */\n  readonly _vault: Vault\n  /** @internal */\n  readonly _coll: Collection<T>\n  /** @internal */\n  readonly _name: string\n\n  /** @internal */\n  constructor(ctx: TxContext, vault: Vault, coll: Collection<T>, name: string) {\n    this._ctx = ctx\n    this._vault = vault\n    this._coll = coll\n    this._name = name\n  }\n\n  /**\n   * Read the current committed value, or the most-recently-staged\n   * value from the same transaction if one exists.\n   */\n  async get(id: string): Promise<T | null> {\n    for (let i = this._ctx._ops.length - 1; i >= 0; i--) {\n      const op = this._ctx._ops[i]!\n      if (\n        op.vaultName === this._vault.name &&\n        op.collectionName === this._name &&\n        op.id === id\n      ) {\n        if (op.type === 'delete') return null\n        return op.record as T\n      }\n    }\n    return this._coll.get(id)\n  }\n\n  /**\n   * Stage a put. Does not write until the transaction body returns.\n   * Supply `{ expectedVersion }` to enforce optimistic concurrency\n   * during the commit pre-flight.\n   */\n  put(id: string, record: T, options?: { expectedVersion?: number; reason?: string }): void {\n    const op: StagedOp = {\n      type: 'put',\n      vaultName: this._vault.name,\n      collectionName: this._name,\n      id,\n      record,\n    }\n    if (options?.expectedVersion !== undefined) op.expectedVersion = options.expectedVersion\n    if (options?.reason !== undefined) op.reason = options.reason\n    this._ctx._ops.push(op)\n  }\n\n  /**\n   * Stage a delete. Does not write until the transaction body returns.\n   * Supply `{ expectedVersion }` to enforce optimistic concurrency\n   * during the commit pre-flight.\n   */\n  delete(id: string, options?: { expectedVersion?: number }): void {\n    const op: StagedOp = {\n      type: 'delete',\n      vaultName: this._vault.name,\n      collectionName: this._name,\n      id,\n    }\n    if (options?.expectedVersion !== undefined) op.expectedVersion = options.expectedVersion\n    this._ctx._ops.push(op)\n  }\n}\n\n/**\n * Commit plan: pre-flight check + execution + revert plan.\n *\n * @internal — driven by `withTransactions()` (via `tx/active.ts`) for\n * user-facing `db.transaction(...)` calls and by the `amendment` path\n * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop\n * but shares the `_activeTxContext` mechanism (and the `revertExecuted`\n * helper) so nested side-effect derivation writes get registered for\n * revert alongside the bulk-put source ops.\n */\nexport async function runTransaction<T>(\n  db: Noydb,\n  fn: (tx: TxContext) => Promise<T> | T,\n  options?: AmendmentTxOptions,\n  txInvariants?: ReadonlyArray<TransactionInvariant>,\n): Promise<T> {\n  // ─── Amendment-mode pre-flight ───────────────────────────────\n  // `reason` is the only thing we can validate before the body runs;\n  // the per-vault role check happens lazily on first `tx.vault(name)`\n  // because we don't know which vaults the body will touch ahead of\n  // time. Throwing here keeps the failure mode close to the call site\n  // so the developer doesn't have to walk an async stack to find the\n  // missing-reason mistake.\n  if (options?.amendment) {\n    if (typeof options.reason !== 'string' || options.reason.trim().length === 0) {\n      throw new ValidationError(\n        'db.transaction({ amendment: true }) requires a non-empty `reason` string.',\n      )\n    }\n  }\n\n  const ctx = new TxContext(db, options?.amendment === true)\n  const bodyResult = await fn(ctx)\n\n  if (ctx._ops.length === 0) {\n    // Body produced no ops. If amendment mode was active we still\n    // need to close any opened windows so a subsequent (unrelated)\n    // write doesn't surprise-collect into a stale change-set. Each\n    // `beginAmendment` is matched by exactly one `consumeChanges`.\n    if (ctx._amendment) {\n      for (const v of ctx._amendmentVaults.values()) {\n        // Registry is guaranteed non-null here — `tx.vault(name)`\n        // threw above if it was null before adding to\n        // `_amendmentVaults`.\n        const reg = v._getGuardRegistry()\n        if (reg !== null) {\n          reg.consumeChanges()\n          reg.consumeMeta()\n        }\n      }\n    }\n    return bodyResult\n  }\n\n  // Phase 1 — pre-flight: snapshot every touched envelope and enforce\n  // any caller-supplied expectedVersion. Same (vault, coll, id) touched\n  // more than once in one tx snapshots only the *initial* committed\n  // state; the in-order replay in Phase 2 takes care of successor ops.\n  const priorEnvelopes = new Map<string, EncryptedEnvelope | null>()\n  const store = db._store\n\n  // Commit-time changeset invariants (#342) need PLAINTEXT prior records\n  // for `before`, but `priorEnvelopes` holds ENCRYPTED envelopes. So for\n  // ops in a watched scope we additionally decrypt the prior record here,\n  // in Phase 1, BEFORE Phase 2 overwrites it. Snapshots only the initial\n  // committed state per (vault, coll, id), matching the envelope snapshot.\n  const invariants = txInvariants ?? []\n  const watchedScopes = new Set(invariants.map(i => i.scope))\n  const plainBefore = new Map<string, unknown>()\n\n  for (const op of ctx._ops) {\n    const key = keyOf(op)\n    if (!priorEnvelopes.has(key)) {\n      const env = await store.get(op.vaultName, op.collectionName, op.id)\n      priorEnvelopes.set(key, env)\n    }\n    if (watchedScopes.has(op.collectionName) && !plainBefore.has(key)) {\n      const prior = await db\n        .vault(op.vaultName)\n        .collection(op.collectionName)\n        .get(op.id)\n      plainBefore.set(key, prior ?? null)\n    }\n    if (op.expectedVersion !== undefined) {\n      const env = priorEnvelopes.get(key) ?? null\n      const actual = env?._v ?? 0\n      if (actual !== op.expectedVersion) {\n        throw new ConflictError(\n          actual,\n          `Transaction pre-flight: ${op.vaultName}/${op.collectionName}/${op.id} ` +\n            `expected v${op.expectedVersion}, found v${actual}`,\n        )\n      }\n    }\n  }\n\n  // Phase 2 — execute via the Collection layer so history snapshots,\n  // ledger entries, and change events fire normally. We capture each\n  // successful op so a mid-batch throw can revert in Phase 3.\n  //\n  // `_activeTxContext` is published on the Noydb instance for the\n  // duration of Phase 2 so recursive writes triggered inside\n  // `Collection.put` (today: eager derivation outputs) can register\n  // their own envelopes onto `ctx._executed` and roll back alongside\n  // the main staged ops. The `finally` clears it before the\n  // amendment commit phase runs.\n  db._setActiveTxContext(ctx)\n  try {\n    try {\n      for (const op of ctx._ops) {\n        const coll = db.vault(op.vaultName).collection(op.collectionName)\n        const key = keyOf(op)\n        const prior = priorEnvelopes.get(key) ?? null\n        // Record the revert plan BEFORE the call so a mid-`coll.put` throw\n        // (e.g. strict-mode derivation failure firing after `store.put`\n        // has already committed the envelope) still has its source write\n        // reverted. `revertExecuted` is best-effort: putting prior back is\n        // idempotent when the failing op never actually wrote, and\n        // `_invalidateCacheEntry` is a no-op when the collection isn't\n        // hydrated.\n        ctx._executed.push({ op, priorEnvelope: prior })\n        if (op.type === 'put') {\n          // eslint-disable-next-line @typescript-eslint/no-explicit-any\n          await coll.put(op.id, op.record as any, op.reason !== undefined ? { reason: op.reason } : undefined)\n        } else {\n          await coll.delete(op.id)\n        }\n      }\n    } catch (err) {\n      // Phase 3 — best-effort revert. See helper docstring.\n      await revertExecuted(ctx._executed, store, db)\n      // Drain amendment windows so the next transaction starts clean.\n      if (ctx._amendment) {\n        for (const v of ctx._amendmentVaults.values()) {\n          const reg = v._getGuardRegistry()\n          if (reg !== null) {\n            reg.consumeChanges()\n            reg.consumeMeta()\n          }\n        }\n      }\n      throw err\n    }\n  } finally {\n    db._clearActiveTxContext(ctx)\n  }\n\n  // ─── Amendment commit phase (only if amendment === true) ────\n  // Body succeeded — now run each touched vault's invariants over the\n  // collected change-set, then append a structured ledger entry. If\n  // any invariant throws, treat it exactly like a mid-Phase-2 failure:\n  // revert every executed op and re-throw the InvariantError.\n  if (ctx._amendment) {\n    // Lazy-load GuardExecutor at the dispatch site — keeps the floor\n    // bundle free of the guards subsystem when amendments aren't used.\n    // Mirrors the deferred-load pattern from elsewhere in this module.\n    const { GuardExecutor } = (await import('../guards/executor.js')) as {\n      GuardExecutor: typeof GuardExecutorModule\n    }\n    try {\n      for (const [vaultName, v] of ctx._amendmentVaults) {\n        const registry = v._getGuardRegistry()\n        // Registry is guaranteed non-null at this point — the\n        // `tx.vault(name)` path that populates `_amendmentVaults`\n        // throws if the registry is null. The defensive check here\n        // is for TypeScript's narrowing.\n        if (registry === null) continue\n        const changesByCollection = registry.consumeChanges()\n        const meta = registry.consumeMeta()\n        if (changesByCollection.size === 0) continue\n\n        const readOnlyVault = v._getReadOnlyFacade()\n        if (readOnlyVault === null) continue\n\n        // Build the invariant ctx once per vault — it's the same shape\n        // every guard sees on the normal `check` path, just with a\n        // synthetic `existing: null` (invariants get the full change\n        // set in their first parameter; `existing` is a per-record\n        // concept that doesn't apply here).\n        const invariantsPassed: string[] = []\n        for (const [collection, changes] of changesByCollection) {\n          const guards = registry.guardsFor(collection).filter(g => g.amendment !== undefined)\n          for (const guard of guards) {\n            await GuardExecutor.runInvariant(guard, changes, {\n              existing: null,\n              vault: readOnlyVault,\n              userId: v.userId,\n              role: v.role,\n            })\n          }\n          if (guards.length > 0) invariantsPassed.push(collection)\n        }\n\n        // Append the audit ledger entry. Silent no-op when the\n        // history strategy isn't configured — the records still\n        // committed, only the multi-record summary is unavailable.\n        const ledger = v._getLedgerOrNull()\n        if (ledger) {\n          const role = v.role as 'admin' | 'owner'\n          const amendment: NonNullable<LedgerEntry['amendment']> = {\n            reason: options!.reason,\n            role,\n            changes: meta,\n            invariantsPassed,\n          }\n          await ledger.append({\n            op: 'amendment',\n            collection: '',\n            id: '',\n            version: 0,\n            actor: v.userId,\n            // No payload to hash — the per-record entries already\n            // captured `payloadHash` at their own append time. We use\n            // a sha256 of the canonical reason string so the field is\n            // populated with something deterministic and non-empty.\n            payloadHash: '',\n            amendment,\n          })\n        }\n        void vaultName\n      }\n    } catch (err) {\n      await revertExecuted(ctx._executed, store, db)\n      throw err instanceof InvariantError ? err : new InvariantError(\n        err instanceof Error ? err.message : `invariant violated: ${String(err)}`,\n      )\n    }\n  }\n\n  // ─── Commit-time changeset invariant phase (#342) ───────────\n  // Runs for BOTH ordinary and amendment transactions (placed after the\n  // amendment phase so an amendment commit is still subject to these\n  // set-level constraints). Assemble the changeset from the executed\n  // staged ops, deduped to the LAST write per (vault, coll, id) while\n  // preserving write order, then group `GuardChange` by collection\n  // (scope) and run each matching invariant. A throw mirrors the\n  // amendment-phase failure mode exactly: revert every executed op and\n  // re-throw as `InvariantError`.\n  if (invariants.length > 0) {\n    // Dedup ctx._ops to the last write per key, preserving first-seen\n    // (write) order so the changeset is stable and order-meaningful.\n    const lastOp = new Map<string, StagedOp>()\n    const order: string[] = []\n    for (const op of ctx._ops) {\n      const key = keyOf(op)\n      if (!lastOp.has(key)) order.push(key)\n      lastOp.set(key, op)\n    }\n\n    // Group {before, after} pairs by collection name (the invariant\n    // scope). `before` is the plaintext prior captured in Phase 1 (null\n    // for inserts / unwatched — only watched scopes were captured, and\n    // every grouped key belongs to a watched scope). `after` is the\n    // written record, null for a delete.\n    const changesByScope = new Map<string, GuardChange<unknown>[]>()\n    // Parallel map: scope → the vault name of its (last-seen) op, used to\n    // build the per-invariant read-only ctx (facade + userId + role).\n    const scopeVault = new Map<string, string>()\n    for (const key of order) {\n      const op = lastOp.get(key)!\n      if (!watchedScopes.has(op.collectionName)) continue\n      const before = plainBefore.get(key) ?? null\n      const after = op.type === 'delete' ? null : (op.record ?? null)\n      const change = { before, after } as GuardChange<unknown>\n      const arr = changesByScope.get(op.collectionName)\n      if (arr) arr.push(change)\n      else changesByScope.set(op.collectionName, [change])\n\n      // Stash the vault name alongside so we can build a per-vault ctx.\n      // (All ops in a scope group could span vaults; we resolve the\n      // vault per change below via a parallel map keyed the same way.)\n      scopeVault.set(op.collectionName, op.vaultName)\n    }\n\n    try {\n      for (const inv of invariants) {\n        const changes = changesByScope.get(inv.scope)\n        if (changes === undefined || changes.length === 0) continue\n        const vaultName = scopeVault.get(inv.scope)!\n        const v = db.vault(vaultName)\n        // Prefer the real read-only facade so the invariant can read\n        // sibling collections; fall back to a minimal read-only stub.\n        const facade: ReadOnlyVaultFacade =\n          v._getReadOnlyFacade() ?? {\n            collection<R = unknown>(name: string) {\n              const c = v.collection<R>(name)\n              return {\n                get: (id: string) => c.get(id),\n                list: () => c.list(),\n                query: () => c.query(),\n              }\n            },\n          }\n        const ctxForInv: GuardContext<unknown> = {\n          existing: null,\n          vault: facade,\n          userId: v.userId,\n          role: v.role,\n        }\n        await inv.check(changes, ctxForInv)\n      }\n    } catch (err) {\n      await revertExecuted(ctx._executed, store, db)\n      throw err instanceof InvariantError ? err : new InvariantError(\n        err instanceof Error ? err.message : `invariant violated: ${String(err)}`,\n      )\n    }\n  }\n\n  return bodyResult\n}\n\n/**\n * Phase 3 helper — restore captured prior envelopes via the raw store\n * to avoid re-firing Collection-level side effects (we don't want a\n * cascade of change events undoing themselves). The ledger is left\n * as-is: each committed op appended an entry; the revert is\n * deliberately NOT recorded as a compensating entry because the\n * caller-facing contract is \"atomic or not at all,\" not \"every write\n * visible in the audit trail.\" Auditors who need the intermediate\n * state can still reconstruct it by walking the ledger through the\n * failed-tx timestamp.\n *\n * @internal — shared between `runTransaction` and\n * `Collection.putManyAtomic`. Both register source ops + nested\n * derivation side-effect ops onto `_executed`; this helper unwinds the\n * combined list in reverse on rollback.\n */\nexport async function revertExecuted(\n  executed: ReadonlyArray<ExecutedOp>,\n  store: Noydb['_store'],\n  db?: Noydb,\n): Promise<void> {\n  for (const { op, priorEnvelope } of executed.slice().reverse()) {\n    try {\n      if (priorEnvelope) {\n        await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope)\n      } else {\n        await store.delete(op.vaultName, op.collectionName, op.id)\n      }\n      // Sync the Collection-layer cache with what we just wrote at\n      // the raw store. Without this, eager-mode `get` would still\n      // return the rolled-back record from its in-memory map. The\n      // Collection's `_invalidateCacheEntry` is a no-op when the\n      // collection hasn't yet been hydrated.\n      if (db) {\n        const coll = db.vault(op.vaultName).collection(op.collectionName)\n        // eslint-disable-next-line @typescript-eslint/no-explicit-any\n        await (coll as any)._invalidateCacheEntry(op.id)\n      }\n    } catch {\n      // swallow — best-effort. Surfacing the revert error would mask\n      // the original one that triggered the rollback.\n    }\n  }\n}\n\nfunction keyOf(op: StagedOp): string {\n  return `${op.vaultName}\\x00${op.collectionName}\\x00${op.id}`\n}\n"],"mappings":";;;;;;;;;;;AAuHO,IAAM,YAAN,MAAgB;AAAA;AAAA,EAEZ,OAAe,aAAa;AAAA;AAAA,EAE5B,OAAmB,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASpB,YAA0B,CAAC;AAAA;AAAA,EAE3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA;AAAA;AAAA,EAEA,mBAAmB,oBAAI,IAAmB;AAAA;AAAA,EAGnD,YAAY,IAAW,YAAY,OAAO;AACxC,SAAK,MAAM;AACX,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA,EAGA,MAAM,MAAuB;AAC3B,UAAM,IAAI,KAAK,IAAI,MAAM,IAAI;AAC7B,QAAI,KAAK,cAAc,CAAC,KAAK,iBAAiB,IAAI,IAAI,GAAG;AAQvD,YAAM,OAAO,EAAE;AACf,UAAI,SAAS,WAAW,SAAS,SAAS;AACxC,cAAM,IAAI,wBAAwB,EAAE,QAAQ,IAAI;AAAA,MAClD;AAKA,YAAM,MAAM,EAAE,kBAAkB;AAChC,UAAI,QAAQ,MAAM;AAChB,cAAM,IAAI;AAAA,UACR,UAAU,IAAI;AAAA,QAIhB;AAAA,MACF;AACA,UAAI,eAAe;AACnB,WAAK,iBAAiB,IAAI,MAAM,CAAC;AAAA,IACnC;AACA,WAAO,IAAI,QAAQ,MAAM,CAAC;AAAA,EAC5B;AACF;AAGO,IAAM,UAAN,MAAc;AAAA;AAAA,EAEV;AAAA;AAAA,EAEA;AAAA;AAAA,EAGT,YAAY,KAAgB,OAAc;AACxC,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA,EAGA,WAAc,MAA+B;AAC3C,UAAM,IAAI,KAAK,OAAO,WAAc,IAAI;AACxC,WAAO,IAAI,aAAgB,KAAK,MAAM,KAAK,QAAQ,GAAG,IAAI;AAAA,EAC5D;AACF;AAGO,IAAM,eAAN,MAAsB;AAAA;AAAA,EAElB;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAGT,YAAY,KAAgB,OAAc,MAAqB,MAAc;AAC3E,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAI,IAA+B;AACvC,aAAS,IAAI,KAAK,KAAK,KAAK,SAAS,GAAG,KAAK,GAAG,KAAK;AACnD,YAAM,KAAK,KAAK,KAAK,KAAK,CAAC;AAC3B,UACE,GAAG,cAAc,KAAK,OAAO,QAC7B,GAAG,mBAAmB,KAAK,SAC3B,GAAG,OAAO,IACV;AACA,YAAI,GAAG,SAAS,SAAU,QAAO;AACjC,eAAO,GAAG;AAAA,MACZ;AAAA,IACF;AACA,WAAO,KAAK,MAAM,IAAI,EAAE;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,IAAY,QAAW,SAA+D;AACxF,UAAM,KAAe;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,OAAO;AAAA,MACvB,gBAAgB,KAAK;AAAA,MACrB;AAAA,MACA;AAAA,IACF;AACA,QAAI,SAAS,oBAAoB,OAAW,IAAG,kBAAkB,QAAQ;AACzE,QAAI,SAAS,WAAW,OAAW,IAAG,SAAS,QAAQ;AACvD,SAAK,KAAK,KAAK,KAAK,EAAE;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,IAAY,SAA8C;AAC/D,UAAM,KAAe;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,OAAO;AAAA,MACvB,gBAAgB,KAAK;AAAA,MACrB;AAAA,IACF;AACA,QAAI,SAAS,oBAAoB,OAAW,IAAG,kBAAkB,QAAQ;AACzE,SAAK,KAAK,KAAK,KAAK,EAAE;AAAA,EACxB;AACF;AAYA,eAAsB,eACpB,IACA,IACA,SACA,cACY;AAQZ,MAAI,SAAS,WAAW;AACtB,QAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,KAAK,EAAE,WAAW,GAAG;AAC5E,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAM,IAAI,UAAU,IAAI,SAAS,cAAc,IAAI;AACzD,QAAM,aAAa,MAAM,GAAG,GAAG;AAE/B,MAAI,IAAI,KAAK,WAAW,GAAG;AAKzB,QAAI,IAAI,YAAY;AAClB,iBAAW,KAAK,IAAI,iBAAiB,OAAO,GAAG;AAI7C,cAAM,MAAM,EAAE,kBAAkB;AAChC,YAAI,QAAQ,MAAM;AAChB,cAAI,eAAe;AACnB,cAAI,YAAY;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAMA,QAAM,iBAAiB,oBAAI,IAAsC;AACjE,QAAM,QAAQ,GAAG;AAOjB,QAAM,aAAa,gBAAgB,CAAC;AACpC,QAAM,gBAAgB,IAAI,IAAI,WAAW,IAAI,OAAK,EAAE,KAAK,CAAC;AAC1D,QAAM,cAAc,oBAAI,IAAqB;AAE7C,aAAW,MAAM,IAAI,MAAM;AACzB,UAAM,MAAM,MAAM,EAAE;AACpB,QAAI,CAAC,eAAe,IAAI,GAAG,GAAG;AAC5B,YAAM,MAAM,MAAM,MAAM,IAAI,GAAG,WAAW,GAAG,gBAAgB,GAAG,EAAE;AAClE,qBAAe,IAAI,KAAK,GAAG;AAAA,IAC7B;AACA,QAAI,cAAc,IAAI,GAAG,cAAc,KAAK,CAAC,YAAY,IAAI,GAAG,GAAG;AACjE,YAAM,QAAQ,MAAM,GACjB,MAAM,GAAG,SAAS,EAClB,WAAW,GAAG,cAAc,EAC5B,IAAI,GAAG,EAAE;AACZ,kBAAY,IAAI,KAAK,SAAS,IAAI;AAAA,IACpC;AACA,QAAI,GAAG,oBAAoB,QAAW;AACpC,YAAM,MAAM,eAAe,IAAI,GAAG,KAAK;AACvC,YAAM,SAAS,KAAK,MAAM;AAC1B,UAAI,WAAW,GAAG,iBAAiB;AACjC,cAAM,IAAI;AAAA,UACR;AAAA,UACA,2BAA2B,GAAG,SAAS,IAAI,GAAG,cAAc,IAAI,GAAG,EAAE,cACtD,GAAG,eAAe,YAAY,MAAM;AAAA,QACrD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAYA,KAAG,oBAAoB,GAAG;AAC1B,MAAI;AACF,QAAI;AACF,iBAAW,MAAM,IAAI,MAAM;AACzB,cAAM,OAAO,GAAG,MAAM,GAAG,SAAS,EAAE,WAAW,GAAG,cAAc;AAChE,cAAM,MAAM,MAAM,EAAE;AACpB,cAAM,QAAQ,eAAe,IAAI,GAAG,KAAK;AAQzC,YAAI,UAAU,KAAK,EAAE,IAAI,eAAe,MAAM,CAAC;AAC/C,YAAI,GAAG,SAAS,OAAO;AAErB,gBAAM,KAAK,IAAI,GAAG,IAAI,GAAG,QAAe,GAAG,WAAW,SAAY,EAAE,QAAQ,GAAG,OAAO,IAAI,MAAS;AAAA,QACrG,OAAO;AACL,gBAAM,KAAK,OAAO,GAAG,EAAE;AAAA,QACzB;AAAA,MACF;AAAA,IACF,SAAS,KAAK;AAEZ,YAAM,eAAe,IAAI,WAAW,OAAO,EAAE;AAE7C,UAAI,IAAI,YAAY;AAClB,mBAAW,KAAK,IAAI,iBAAiB,OAAO,GAAG;AAC7C,gBAAM,MAAM,EAAE,kBAAkB;AAChC,cAAI,QAAQ,MAAM;AAChB,gBAAI,eAAe;AACnB,gBAAI,YAAY;AAAA,UAClB;AAAA,QACF;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF,UAAE;AACA,OAAG,sBAAsB,GAAG;AAAA,EAC9B;AAOA,MAAI,IAAI,YAAY;AAIlB,UAAM,EAAE,cAAc,IAAK,MAAM,OAAO,wBAAuB;AAG/D,QAAI;AACF,iBAAW,CAAC,WAAW,CAAC,KAAK,IAAI,kBAAkB;AACjD,cAAM,WAAW,EAAE,kBAAkB;AAKrC,YAAI,aAAa,KAAM;AACvB,cAAM,sBAAsB,SAAS,eAAe;AACpD,cAAM,OAAO,SAAS,YAAY;AAClC,YAAI,oBAAoB,SAAS,EAAG;AAEpC,cAAM,gBAAgB,EAAE,mBAAmB;AAC3C,YAAI,kBAAkB,KAAM;AAO5B,cAAM,mBAA6B,CAAC;AACpC,mBAAW,CAAC,YAAY,OAAO,KAAK,qBAAqB;AACvD,gBAAM,SAAS,SAAS,UAAU,UAAU,EAAE,OAAO,OAAK,EAAE,cAAc,MAAS;AACnF,qBAAW,SAAS,QAAQ;AAC1B,kBAAM,cAAc,aAAa,OAAO,SAAS;AAAA,cAC/C,UAAU;AAAA,cACV,OAAO;AAAA,cACP,QAAQ,EAAE;AAAA,cACV,MAAM,EAAE;AAAA,YACV,CAAC;AAAA,UACH;AACA,cAAI,OAAO,SAAS,EAAG,kBAAiB,KAAK,UAAU;AAAA,QACzD;AAKA,cAAM,SAAS,EAAE,iBAAiB;AAClC,YAAI,QAAQ;AACV,gBAAM,OAAO,EAAE;AACf,gBAAM,YAAmD;AAAA,YACvD,QAAQ,QAAS;AAAA,YACjB;AAAA,YACA,SAAS;AAAA,YACT;AAAA,UACF;AACA,gBAAM,OAAO,OAAO;AAAA,YAClB,IAAI;AAAA,YACJ,YAAY;AAAA,YACZ,IAAI;AAAA,YACJ,SAAS;AAAA,YACT,OAAO,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA,YAKT,aAAa;AAAA,YACb;AAAA,UACF,CAAC;AAAA,QACH;AACA,aAAK;AAAA,MACP;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,eAAe,IAAI,WAAW,OAAO,EAAE;AAC7C,YAAM,eAAe,iBAAiB,MAAM,IAAI;AAAA,QAC9C,eAAe,QAAQ,IAAI,UAAU,uBAAuB,OAAO,GAAG,CAAC;AAAA,MACzE;AAAA,IACF;AAAA,EACF;AAWA,MAAI,WAAW,SAAS,GAAG;AAGzB,UAAM,SAAS,oBAAI,IAAsB;AACzC,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,IAAI,MAAM;AACzB,YAAM,MAAM,MAAM,EAAE;AACpB,UAAI,CAAC,OAAO,IAAI,GAAG,EAAG,OAAM,KAAK,GAAG;AACpC,aAAO,IAAI,KAAK,EAAE;AAAA,IACpB;AAOA,UAAM,iBAAiB,oBAAI,IAAoC;AAG/D,UAAM,aAAa,oBAAI,IAAoB;AAC3C,eAAW,OAAO,OAAO;AACvB,YAAM,KAAK,OAAO,IAAI,GAAG;AACzB,UAAI,CAAC,cAAc,IAAI,GAAG,cAAc,EAAG;AAC3C,YAAM,SAAS,YAAY,IAAI,GAAG,KAAK;AACvC,YAAM,QAAQ,GAAG,SAAS,WAAW,OAAQ,GAAG,UAAU;AAC1D,YAAM,SAAS,EAAE,QAAQ,MAAM;AAC/B,YAAM,MAAM,eAAe,IAAI,GAAG,cAAc;AAChD,UAAI,IAAK,KAAI,KAAK,MAAM;AAAA,UACnB,gBAAe,IAAI,GAAG,gBAAgB,CAAC,MAAM,CAAC;AAKnD,iBAAW,IAAI,GAAG,gBAAgB,GAAG,SAAS;AAAA,IAChD;AAEA,QAAI;AACF,iBAAW,OAAO,YAAY;AAC5B,cAAM,UAAU,eAAe,IAAI,IAAI,KAAK;AAC5C,YAAI,YAAY,UAAa,QAAQ,WAAW,EAAG;AACnD,cAAM,YAAY,WAAW,IAAI,IAAI,KAAK;AAC1C,cAAM,IAAI,GAAG,MAAM,SAAS;AAG5B,cAAM,SACJ,EAAE,mBAAmB,KAAK;AAAA,UACxB,WAAwB,MAAc;AACpC,kBAAM,IAAI,EAAE,WAAc,IAAI;AAC9B,mBAAO;AAAA,cACL,KAAK,CAAC,OAAe,EAAE,IAAI,EAAE;AAAA,cAC7B,MAAM,MAAM,EAAE,KAAK;AAAA,cACnB,OAAO,MAAM,EAAE,MAAM;AAAA,YACvB;AAAA,UACF;AAAA,QACF;AACF,cAAM,YAAmC;AAAA,UACvC,UAAU;AAAA,UACV,OAAO;AAAA,UACP,QAAQ,EAAE;AAAA,UACV,MAAM,EAAE;AAAA,QACV;AACA,cAAM,IAAI,MAAM,SAAS,SAAS;AAAA,MACpC;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,eAAe,IAAI,WAAW,OAAO,EAAE;AAC7C,YAAM,eAAe,iBAAiB,MAAM,IAAI;AAAA,QAC9C,eAAe,QAAQ,IAAI,UAAU,uBAAuB,OAAO,GAAG,CAAC;AAAA,MACzE;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAkBA,eAAsB,eACpB,UACA,OACA,IACe;AACf,aAAW,EAAE,IAAI,cAAc,KAAK,SAAS,MAAM,EAAE,QAAQ,GAAG;AAC9D,QAAI;AACF,UAAI,eAAe;AACjB,cAAM,MAAM,IAAI,GAAG,WAAW,GAAG,gBAAgB,GAAG,IAAI,aAAa;AAAA,MACvE,OAAO;AACL,cAAM,MAAM,OAAO,GAAG,WAAW,GAAG,gBAAgB,GAAG,EAAE;AAAA,MAC3D;AAMA,UAAI,IAAI;AACN,cAAM,OAAO,GAAG,MAAM,GAAG,SAAS,EAAE,WAAW,GAAG,cAAc;AAEhE,cAAO,KAAa,sBAAsB,GAAG,EAAE;AAAA,MACjD;AAAA,IACF,QAAQ;AAAA,IAGR;AAAA,EACF;AACF;AAEA,SAAS,MAAM,IAAsB;AACnC,SAAO,GAAG,GAAG,SAAS,KAAO,GAAG,cAAc,KAAO,GAAG,EAAE;AAC5D;","names":[]}

package/dist/{chunk-HXJXPZRE.js → chunk-J6RGRZOY.js}

@@ -1,7 +1,7 @@
 import {
   FieldFrozenError,
   InvariantError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/guards/executor.ts
 var GuardExecutor = {
@@ -9,14 +9,21 @@ var GuardExecutor = {
    * Compare existing vs incoming for each `frozenFields.fields` entry
    * when `frozenFields.when(existing)` is true. Throws
    * `FieldFrozenError` listing every changed frozen field.
+   *
+   * @param skipFields — field names that are schema-owned computed fields.
+   *   These are excluded from the comparison because `incoming` carries the
+   *   raw user input (computed fields not yet evaluated), so comparing
+   *   `existing[field]` vs `incoming[field]` would always look like a
+   *   change even when the computed result is unchanged.
    */
-  async checkFrozenFields(guard, id, existing, incoming) {
+  async checkFrozenFields(guard, id, existing, incoming, skipFields) {
     const ff = guard.frozenFields;
     if (!ff) return;
     if (existing === null) return;
     if (!ff.when(existing)) return;
     const changed = [];
     for (const f of ff.fields) {
+      if (skipFields?.has(String(f))) continue;
       if (existing[f] !== incoming[f]) {
         if (!deepEqual(existing[f], incoming[f])) changed.push(String(f));
       }
@@ -70,4 +77,4 @@ function deepEqual(a, b) {
 export {
   GuardExecutor
 };
-//# sourceMappingURL=chunk-HXJXPZRE.js.map
+//# sourceMappingURL=chunk-J6RGRZOY.js.map

package/dist/chunk-J6RGRZOY.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/guards/executor.ts"],"sourcesContent":["import { FieldFrozenError, InvariantError } from '../errors.js'\nimport type { GuardStrategy, GuardContext, GuardChange } from './types.js'\n\n/**\n * Pure functions that execute the work declared by a `GuardStrategy`.\n * Stateless — `GuardRegistry` decides when to call these.\n *\n * @internal\n */\nexport const GuardExecutor = {\n  /**\n   * Compare existing vs incoming for each `frozenFields.fields` entry\n   * when `frozenFields.when(existing)` is true. Throws\n   * `FieldFrozenError` listing every changed frozen field.\n   *\n   * @param skipFields — field names that are schema-owned computed fields.\n   *   These are excluded from the comparison because `incoming` carries the\n   *   raw user input (computed fields not yet evaluated), so comparing\n   *   `existing[field]` vs `incoming[field]` would always look like a\n   *   change even when the computed result is unchanged.\n   */\n  async checkFrozenFields<T extends Record<string, unknown>>(\n    guard: GuardStrategy<T>,\n    id: string,\n    existing: T | null,\n    incoming: T,\n    skipFields?: ReadonlySet<string>,\n  ): Promise<void> {\n    const ff = guard.frozenFields\n    if (!ff) return\n    if (existing === null) return // insert — nothing to freeze\n    if (!ff.when(existing)) return\n\n    const changed: string[] = []\n    for (const f of ff.fields) {\n      // Skip computed fields — they are re-evaluated after this gate and\n      // their raw-input value is not comparable to the prior computed value.\n      if (skipFields?.has(String(f))) continue\n      // Strict equality first, then deep-equality fallback for objects.\n      if (existing[f] !== incoming[f]) {\n        if (!deepEqual(existing[f], incoming[f])) changed.push(String(f))\n      }\n    }\n    if (changed.length > 0) {\n      throw new FieldFrozenError(guard.collection, id, changed)\n    }\n  },\n\n  /**\n   * Run a single guard's invariant over its slice of the change-set.\n   * Any throw is converted to `InvariantError` unless it already is one.\n   */\n  async runInvariant<T extends Record<string, unknown>>(\n    guard: GuardStrategy<T>,\n    changes: ReadonlyArray<GuardChange<T>>,\n    ctx: GuardContext<T>,\n  ): Promise<void> {\n    const amendment = guard.amendment\n    if (!amendment) return\n    try {\n      await amendment.invariant(changes, ctx)\n    } catch (err) {\n      if (err instanceof InvariantError) throw err\n      throw new InvariantError(\n        err instanceof Error ? err.message : `invariant violated: ${String(err)}`,\n      )\n    }\n  },\n}\n\n/**\n * Minimal deep-equality for guarded field diff. Handles arrays, plain\n * objects, primitives. Not for cyclic structures.\n *\n * @internal\n */\nfunction deepEqual(a: unknown, b: unknown): boolean {\n  if (a === b) return true\n  if (a === null || b === null) return a === b\n  if (typeof a !== typeof b) return false\n  if (typeof a !== 'object') return a === b\n  if (Array.isArray(a) !== Array.isArray(b)) return false\n  if (Array.isArray(a)) {\n    const aa = a as unknown[]\n    const bb = b as unknown[]\n    if (aa.length !== bb.length) return false\n    for (let i = 0; i < aa.length; i++) if (!deepEqual(aa[i], bb[i])) return false\n    return true\n  }\n  const ao = a as Record<string, unknown>\n  const bo = b as Record<string, unknown>\n  const ak = Object.keys(ao)\n  const bk = Object.keys(bo)\n  if (ak.length !== bk.length) return false\n  for (const k of ak) {\n    if (!Object.prototype.hasOwnProperty.call(bo, k)) return false\n    if (!deepEqual(ao[k], bo[k])) return false\n  }\n  return true\n}\n"],"mappings":";;;;;;AASO,IAAM,gBAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAY3B,MAAM,kBACJ,OACA,IACA,UACA,UACA,YACe;AACf,UAAM,KAAK,MAAM;AACjB,QAAI,CAAC,GAAI;AACT,QAAI,aAAa,KAAM;AACvB,QAAI,CAAC,GAAG,KAAK,QAAQ,EAAG;AAExB,UAAM,UAAoB,CAAC;AAC3B,eAAW,KAAK,GAAG,QAAQ;AAGzB,UAAI,YAAY,IAAI,OAAO,CAAC,CAAC,EAAG;AAEhC,UAAI,SAAS,CAAC,MAAM,SAAS,CAAC,GAAG;AAC/B,YAAI,CAAC,UAAU,SAAS,CAAC,GAAG,SAAS,CAAC,CAAC,EAAG,SAAQ,KAAK,OAAO,CAAC,CAAC;AAAA,MAClE;AAAA,IACF;AACA,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,IAAI,iBAAiB,MAAM,YAAY,IAAI,OAAO;AAAA,IAC1D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aACJ,OACA,SACA,KACe;AACf,UAAM,YAAY,MAAM;AACxB,QAAI,CAAC,UAAW;AAChB,QAAI;AACF,YAAM,UAAU,UAAU,SAAS,GAAG;AAAA,IACxC,SAAS,KAAK;AACZ,UAAI,eAAe,eAAgB,OAAM;AACzC,YAAM,IAAI;AAAA,QACR,eAAe,QAAQ,IAAI,UAAU,uBAAuB,OAAO,GAAG,CAAC;AAAA,MACzE;AAAA,IACF;AAAA,EACF;AACF;AAQA,SAAS,UAAU,GAAY,GAAqB;AAClD,MAAI,MAAM,EAAG,QAAO;AACpB,MAAI,MAAM,QAAQ,MAAM,KAAM,QAAO,MAAM;AAC3C,MAAI,OAAO,MAAM,OAAO,EAAG,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO,MAAM;AACxC,MAAI,MAAM,QAAQ,CAAC,MAAM,MAAM,QAAQ,CAAC,EAAG,QAAO;AAClD,MAAI,MAAM,QAAQ,CAAC,GAAG;AACpB,UAAM,KAAK;AACX,UAAM,KAAK;AACX,QAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,aAAS,IAAI,GAAG,IAAI,GAAG,QAAQ,IAAK,KAAI,CAAC,UAAU,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,EAAG,QAAO;AACzE,WAAO;AAAA,EACT;AACA,QAAM,KAAK;AACX,QAAM,KAAK;AACX,QAAM,KAAK,OAAO,KAAK,EAAE;AACzB,QAAM,KAAK,OAAO,KAAK,EAAE;AACzB,MAAI,GAAG,WAAW,GAAG,OAAQ,QAAO;AACpC,aAAW,KAAK,IAAI;AAClB,QAAI,CAAC,OAAO,UAAU,eAAe,KAAK,IAAI,CAAC,EAAG,QAAO;AACzD,QAAI,CAAC,UAAU,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,EAAG,QAAO;AAAA,EACvC;AACA,SAAO;AACT;","names":[]}

package/dist/{chunk-3S4BJX25.js → chunk-JBBWALNI.js}

@@ -1,6 +1,6 @@
 import {
   ValidationError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/overlay-views/with-overlayed-view.ts
 function withOverlayedView(spec) {
@@ -33,4 +33,4 @@ function withOverlayedView(spec) {
 export {
   withOverlayedView
 };
-//# sourceMappingURL=chunk-3S4BJX25.js.map
+//# sourceMappingURL=chunk-JBBWALNI.js.map

package/dist/chunk-JBBWALNI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/overlay-views/with-overlayed-view.ts"],"sourcesContent":["import { ValidationError } from '../errors.js'\nimport type { OverlayedViewStrategy, OverlayedViewStrategyHandle } from './types.js'\n\n/**\n * Register a read-shadow overlay: bind an MV-owned base collection to\n * a user-writable overlay so consumers can express operator-editable\n * lifecycles as one declarative block (MV v2 spec § Composition\n * with operator-editable lifecycle).\n *\n * See docs/superpowers/specs/2026-05-20-dim14-mv-v2-design.md.\n */\nexport function withOverlayedView(\n  spec: OverlayedViewStrategy,\n): OverlayedViewStrategyHandle {\n  if (!spec.name || spec.name.length === 0) {\n    throw new ValidationError('withOverlayedView: name is required')\n  }\n  if (!spec.base || spec.base.length === 0) {\n    throw new ValidationError('withOverlayedView: base is required')\n  }\n  if (!spec.overlay || spec.overlay.length === 0) {\n    throw new ValidationError('withOverlayedView: overlay is required')\n  }\n  if (spec.base === spec.overlay) {\n    throw new ValidationError('withOverlayedView: base and overlay must be different collections')\n  }\n  if (spec.base === spec.name || spec.overlay === spec.name) {\n    throw new ValidationError(\n      'withOverlayedView: virtual name must differ from both base and overlay collection names',\n    )\n  }\n  if (!spec.shadowField || spec.shadowField.length === 0) {\n    throw new ValidationError('withOverlayedView: shadowField is required')\n  }\n  return {\n    __noydb_strategy: 'overlayed-view',\n    spec,\n  }\n}\n"],"mappings":";;;;;AAWO,SAAS,kBACd,MAC6B;AAC7B,MAAI,CAAC,KAAK,QAAQ,KAAK,KAAK,WAAW,GAAG;AACxC,UAAM,IAAI,gBAAgB,qCAAqC;AAAA,EACjE;AACA,MAAI,CAAC,KAAK,QAAQ,KAAK,KAAK,WAAW,GAAG;AACxC,UAAM,IAAI,gBAAgB,qCAAqC;AAAA,EACjE;AACA,MAAI,CAAC,KAAK,WAAW,KAAK,QAAQ,WAAW,GAAG;AAC9C,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AACA,MAAI,KAAK,SAAS,KAAK,SAAS;AAC9B,UAAM,IAAI,gBAAgB,mEAAmE;AAAA,EAC/F;AACA,MAAI,KAAK,SAAS,KAAK,QAAQ,KAAK,YAAY,KAAK,MAAM;AACzD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,CAAC,KAAK,eAAe,KAAK,YAAY,WAAW,GAAG;AACtD,UAAM,IAAI,gBAAgB,4CAA4C;AAAA,EACxE;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB;AAAA,EACF;AACF;","names":[]}

package/dist/{chunk-7Z23ZFLV.js → chunk-JDCPRJVS.js}

@@ -3,18 +3,18 @@ import {
   hashEntry,
   paddedIndex,
   sha256Hex
-} from "./chunk-XG3PTSCD.js";
+} from "./chunk-PDVP3C2I.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-TA6HPKWQ.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-2PAQNPE3.js";
+} from "./chunk-37VGJM3T.js";
 import {
   ConflictError,
   LedgerContentionError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/history/ledger/patch.ts
 function computePatch(prev, next) {
@@ -683,4 +683,4 @@ export {
   LEDGER_DELTAS_COLLECTION,
   LedgerStore
 };
-//# sourceMappingURL=chunk-7Z23ZFLV.js.map
+//# sourceMappingURL=chunk-JDCPRJVS.js.map

package/dist/chunk-JDCPRJVS.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/history/ledger/patch.ts","../src/history/ledger/constants.ts","../src/history/ledger/store.ts"],"sourcesContent":["/**\n * RFC 6902 JSON Patch — compute + apply.\n *\n * This module is the \"delta history\" primitive: instead of\n * snapshotting the full record on every put (the behavior),\n * `Collection.put` computes a JSON Patch from the previous version to\n * the new version and stores only the patch in the ledger. To\n * reconstruct version N, we walk from the genesis snapshot forward\n * applying patches. Storage scales with **edit size**, not record\n * size — a 10 KB record edited 1000 times costs ~10 KB of deltas\n * instead of ~10 MB of snapshots.\n *\n * ## Why hand-roll instead of using a library?\n *\n * RFC 6902 has good libraries (`fast-json-patch`, `rfc6902`) but every\n * single one of them adds a runtime dependency to `@noy-db/core`. The\n * \"zero runtime dependencies\" promise is one of the core's load-bearing\n * features, and the patch surface we actually need is small enough\n * (~150 LoC) that vendoring is the right call.\n *\n * What we implement:\n *   - `add`     — insert a value at a path\n *   - `remove`  — delete the value at a path\n *   - `replace` — overwrite the value at a path\n *\n * What we deliberately skip (out of scope for the ledger use):\n *   - `move` and `copy` — optimizations; the diff algorithm doesn't\n *     emit them, so the apply path doesn't need them\n *   - `test` — used for transactional patches; we already have\n *     optimistic concurrency via `_v` at the envelope layer\n *   - Sophisticated array diffing (LCS, edit distance) — we treat\n *     arrays as atomic values and emit a single `replace` op when\n *     they differ. The accounting domain has small arrays where this\n *     is fine; if we ever need patch-level array diffing we can add\n *     it without changing the storage format.\n *\n * ## Path encoding (RFC 6902 §3)\n *\n * Paths look like `/foo/bar/0`. Each path segment is either an object\n * key or a numeric array index. Two characters need escaping inside\n * keys: `~` becomes `~0` and `/` becomes `~1`. We implement both.\n *\n * Empty path (`\"\"`) refers to the root document. Only `replace` makes\n * sense at the root, and our diff function emits it as a top-level\n * `replace` when `prev` and `next` differ in shape (object vs array,\n * primitive vs object, etc.).\n */\n\n/** A single JSON Patch operation. Subset of RFC 6902 — see file docstring. */\nexport type JsonPatchOp =\n  | { readonly op: 'add'; readonly path: string; readonly value: unknown }\n  | { readonly op: 'remove'; readonly path: string }\n  | { readonly op: 'replace'; readonly path: string; readonly value: unknown }\n\n/** A complete JSON Patch document — an array of operations. */\nexport type JsonPatch = readonly JsonPatchOp[]\n\n// ─── Compute (diff) ──────────────────────────────────────────────────\n\n/**\n * Compute a JSON Patch that, when applied to `prev`, produces `next`.\n *\n * The algorithm is a straightforward recursive object walk:\n *\n *   1. If both inputs are plain objects (and not arrays/null):\n *      - For each key in `prev`, recurse if `next` has it, else emit `remove`\n *      - For each key in `next` not in `prev`, emit `add`\n *   2. If both inputs are arrays AND structurally equal, no-op.\n *      Otherwise emit a single `replace` for the whole array.\n *   3. If both inputs are deeply equal primitives, no-op.\n *   4. Otherwise emit a `replace` at the current path.\n *\n * We do not minimize patches across move-like rearrangements — every\n * generated patch is straightforward enough to apply by hand if you\n * had to debug it.\n */\nexport function computePatch(prev: unknown, next: unknown): JsonPatch {\n  const ops: JsonPatchOp[] = []\n  diff(prev, next, '', ops)\n  return ops\n}\n\nfunction diff(\n  prev: unknown,\n  next: unknown,\n  path: string,\n  out: JsonPatchOp[],\n): void {\n  // Both null / both undefined → no-op (we don't differentiate them\n  // in JSON terms; canonicalJson would reject undefined anyway).\n  if (prev === next) return\n\n  // One side null, the other not → straight replace.\n  if (prev === null || next === null) {\n    out.push({ op: 'replace', path, value: next })\n    return\n  }\n\n  const prevIsArray = Array.isArray(prev)\n  const nextIsArray = Array.isArray(next)\n  const prevIsObject = typeof prev === 'object' && !prevIsArray\n  const nextIsObject = typeof next === 'object' && !nextIsArray\n\n  // Type changed (e.g., object → primitive, array → object). Replace.\n  if (prevIsArray !== nextIsArray || prevIsObject !== nextIsObject) {\n    out.push({ op: 'replace', path, value: next })\n    return\n  }\n\n  // Both arrays. We don't do clever LCS-based diffing — emit a single\n  // replace for the whole array if they differ. See file docstring for\n  // the rationale.\n  if (prevIsArray && nextIsArray) {\n    if (!arrayDeepEqual(prev as unknown[], next as unknown[])) {\n      out.push({ op: 'replace', path, value: next })\n    }\n    return\n  }\n\n  // Both plain objects. Recurse key by key.\n  if (prevIsObject && nextIsObject) {\n    const prevObj = prev as Record<string, unknown>\n    const nextObj = next as Record<string, unknown>\n    const prevKeys = Object.keys(prevObj)\n    const nextKeys = Object.keys(nextObj)\n\n    // Handle removes and overlapping recursions in one pass over prev.\n    for (const key of prevKeys) {\n      const childPath = path + '/' + escapePathSegment(key)\n      if (!(key in nextObj)) {\n        out.push({ op: 'remove', path: childPath })\n      } else {\n        diff(prevObj[key], nextObj[key], childPath, out)\n      }\n    }\n    // Handle adds.\n    for (const key of nextKeys) {\n      if (!(key in prevObj)) {\n        out.push({\n          op: 'add',\n          path: path + '/' + escapePathSegment(key),\n          value: nextObj[key],\n        })\n      }\n    }\n    return\n  }\n\n  // Two primitives that aren't strictly equal — replace.\n  out.push({ op: 'replace', path, value: next })\n}\n\nfunction arrayDeepEqual(a: unknown[], b: unknown[]): boolean {\n  if (a.length !== b.length) return false\n  for (let i = 0; i < a.length; i++) {\n    if (!deepEqual(a[i], b[i])) return false\n  }\n  return true\n}\n\nfunction deepEqual(a: unknown, b: unknown): boolean {\n  if (a === b) return true\n  if (a === null || b === null) return false\n  if (typeof a !== typeof b) return false\n  if (typeof a !== 'object') return false\n  const aArray = Array.isArray(a)\n  const bArray = Array.isArray(b)\n  if (aArray !== bArray) return false\n  if (aArray && bArray) return arrayDeepEqual(a, b as unknown[])\n  const aObj = a as Record<string, unknown>\n  const bObj = b as Record<string, unknown>\n  const aKeys = Object.keys(aObj)\n  const bKeys = Object.keys(bObj)\n  if (aKeys.length !== bKeys.length) return false\n  for (const key of aKeys) {\n    if (!(key in bObj)) return false\n    if (!deepEqual(aObj[key], bObj[key])) return false\n  }\n  return true\n}\n\n// ─── Apply ──────────────────────────────────────────────────────────\n\n/**\n * Apply a JSON Patch to a base document and return the result.\n *\n * The base document is **not mutated** — every op clones the parent\n * container before writing to it, so the caller's reference to `base`\n * stays untouched. This costs an extra allocation per op but makes\n * the apply pipeline reorderable and safe to interrupt.\n *\n * Throws on:\n *   - Removing a path that doesn't exist\n *   - Adding to a path whose parent doesn't exist\n *   - A path component that doesn't match the document shape (e.g.,\n *     trying to step into a primitive)\n *\n * Throwing is the right behavior for the ledger use case: a failed\n * apply means the chain is corrupted, which should be loud rather\n * than silently producing a wrong reconstruction.\n */\nexport function applyPatch<T = unknown>(base: T, patch: JsonPatch): T {\n  let result: unknown = clone(base)\n  for (const op of patch) {\n    result = applyOp(result, op)\n  }\n  return result as T\n}\n\nfunction applyOp(doc: unknown, op: JsonPatchOp): unknown {\n  // Empty path → operation targets the root. Only `replace` and `add`\n  // make sense at the root, but we handle `remove` for completeness\n  // (root removal returns null).\n  if (op.path === '') {\n    if (op.op === 'remove') return null\n    return clone(op.value)\n  }\n\n  const segments = parsePath(op.path)\n  return walkAndApply(doc, segments, op)\n}\n\nfunction walkAndApply(\n  doc: unknown,\n  segments: string[],\n  op: JsonPatchOp,\n): unknown {\n  if (segments.length === 0) {\n    // Should never happen — empty path is handled in applyOp().\n    throw new Error('walkAndApply: empty segments (internal error)')\n  }\n\n  const [head, ...rest] = segments\n  if (head === undefined) throw new Error('walkAndApply: undefined segment')\n\n  if (rest.length === 0) {\n    return applyAtTerminal(doc, head, op)\n  }\n\n  // Recurse into the child container, then rebuild the parent with\n  // the modified child.\n  if (Array.isArray(doc)) {\n    const idx = parseArrayIndex(head, doc.length)\n    const child = doc[idx]\n    const newChild = walkAndApply(child, rest, op)\n    const next = doc.slice()\n    next[idx] = newChild\n    return next\n  }\n  if (doc !== null && typeof doc === 'object') {\n    const obj = doc as Record<string, unknown>\n    if (!(head in obj)) {\n      throw new Error(`applyPatch: path segment \"${head}\" not found in object`)\n    }\n    const newChild = walkAndApply(obj[head], rest, op)\n    return { ...obj, [head]: newChild }\n  }\n  throw new Error(\n    `applyPatch: cannot step into ${typeof doc} at segment \"${head}\"`,\n  )\n}\n\nfunction applyAtTerminal(\n  doc: unknown,\n  segment: string,\n  op: JsonPatchOp,\n): unknown {\n  if (Array.isArray(doc)) {\n    const idx =\n      segment === '-' ? doc.length : parseArrayIndex(segment, doc.length + 1)\n    const next = doc.slice()\n    if (op.op === 'remove') {\n      next.splice(idx, 1)\n      return next\n    }\n    if (op.op === 'add') {\n      next.splice(idx, 0, clone(op.value))\n      return next\n    }\n    if (op.op === 'replace') {\n      if (idx >= doc.length) {\n        throw new Error(\n          `applyPatch: replace at out-of-bounds array index ${idx}`,\n        )\n      }\n      next[idx] = clone(op.value)\n      return next\n    }\n  }\n  if (doc !== null && typeof doc === 'object') {\n    const obj = doc as Record<string, unknown>\n    if (op.op === 'remove') {\n      if (!(segment in obj)) {\n        throw new Error(\n          `applyPatch: remove on missing key \"${segment}\"`,\n        )\n      }\n      const next = { ...obj }\n      delete next[segment]\n      return next\n    }\n    if (op.op === 'add') {\n      // RFC 6902: `add` on an existing key replaces it.\n      return { ...obj, [segment]: clone(op.value) }\n    }\n    if (op.op === 'replace') {\n      if (!(segment in obj)) {\n        throw new Error(\n          `applyPatch: replace on missing key \"${segment}\"`,\n        )\n      }\n      return { ...obj, [segment]: clone(op.value) }\n    }\n  }\n  throw new Error(\n    `applyPatch: cannot apply ${op.op} at terminal segment \"${segment}\"`,\n  )\n}\n\n// ─── Path encoding (RFC 6902 §3) ─────────────────────────────────────\n\n/**\n * Escape a single path segment per RFC 6902 §3:\n *   `~` → `~0`\n *   `/` → `~1`\n *\n * Order matters: `~` must be escaped first, otherwise the `~1` we\n * just emitted would be re-escaped to `~01`.\n */\nfunction escapePathSegment(segment: string): string {\n  return segment.replace(/~/g, '~0').replace(/\\//g, '~1')\n}\n\nfunction unescapePathSegment(segment: string): string {\n  return segment.replace(/~1/g, '/').replace(/~0/g, '~')\n}\n\nfunction parsePath(path: string): string[] {\n  if (!path.startsWith('/')) {\n    throw new Error(`applyPatch: path must start with '/', got \"${path}\"`)\n  }\n  return path\n    .slice(1)\n    .split('/')\n    .map(unescapePathSegment)\n}\n\nfunction parseArrayIndex(segment: string, max: number): number {\n  if (!/^\\d+$/.test(segment)) {\n    throw new Error(\n      `applyPatch: array index must be a non-negative integer, got \"${segment}\"`,\n    )\n  }\n  const idx = Number.parseInt(segment, 10)\n  if (idx < 0 || idx > max) {\n    throw new Error(\n      `applyPatch: array index ${idx} out of range [0, ${max}]`,\n    )\n  }\n  return idx\n}\n\n// ─── Cheap structural clone ─────────────────────────────────────────\n\n/**\n * Plain-JSON clone via JSON.parse(JSON.stringify(value)).\n *\n * Faster than `structuredClone` for our use because (a) we know our\n * inputs are JSON-compatible (no Dates, Maps, or BigInts — anything\n * else gets rejected by canonicalJson upstream), and (b) `structuredClone`\n * has overhead for handling arbitrary structured data we don't need.\n *\n * For tiny ledger entries (< 1 KB), the JSON round-trip is in the\n * single-digit microsecond range.\n */\nfunction clone<T>(value: T): T {\n  if (value === null || value === undefined) return value\n  if (typeof value !== 'object') return value\n  return JSON.parse(JSON.stringify(value)) as T\n}\n","/**\n * Ledger storage constants — pinned in their own leaf module so\n * always-on core code (vault.ts, dictionary.ts) can import them\n * without dragging the `LedgerStore` class into the bundle.\n *\n * `splitting: true` in tsup is not enough on its own: when a\n * source file exports both pure constants and a heavyweight class,\n * the bundler keeps the entire chunk reachable from any importer.\n * Extracting the constants lets the floor scenario import them\n * without paying for the class.\n *\n * @internal\n */\n\n/** The internal collection name used for ledger entry storage. */\nexport const LEDGER_COLLECTION = '_ledger'\n\n/**\n * The internal collection name used for delta payload storage.\n *\n * Deltas live in a sibling collection (not inside `_ledger`) for two\n * reasons:\n *\n *   1. **Listing efficiency.** `ledger.loadAllEntries()` calls\n *      `adapter.list(_ledger)` which would otherwise return every\n *      delta key alongside every entry key. Splitting them keeps the\n *      list small (one key per ledger entry) and the delta reads\n *      keyed by the entry's index.\n *\n *   2. **Prune-friendliness.** A future `pruneHistory()` will delete\n *      old deltas while keeping the ledger chain intact (folding old\n *      deltas into a base snapshot). Separating the storage makes\n *      that deletion a targeted operation on one collection instead\n *      of a filter across a mixed list.\n *\n * Both collections share the same ledger DEK — one DEK, two\n * internal collections, same zero-knowledge guarantees.\n */\nexport const LEDGER_DELTAS_COLLECTION = '_ledger_deltas'\n","/**\n * `LedgerStore` — read/write access to a compartment's hash-chained\n * audit log.\n *\n * The store is a thin wrapper around the adapter's `_ledger/` internal\n * collection. Every append:\n *\n *   1. Loads the current head (or treats an empty ledger as head = -1)\n *   2. Computes `prevHash` = sha256(canonicalJson(head))\n *   3. Builds the new entry with `index = head.index + 1`\n *   4. Encrypts the entry with the compartment's ledger DEK\n *   5. Writes the encrypted envelope to `_ledger/<paddedIndex>`\n *\n * `verify()` walks the chain from genesis forward and returns\n * `{ ok: true, head }` on success or `{ ok: false, divergedAt }` on the\n * first broken link.\n *\n * ## Thread / concurrency model\n *\n * For we assume a **single writer per vault**. Two\n * concurrent `append()` calls would race on the \"read head, write\n * head+1\" cycle and could produce a broken chain. The sync engine\n * is the primary concurrent-writer scenario, and it uses\n * optimistic-concurrency via `expectedVersion` on the adapter — but\n * the ledger path has no such guard today. Multi-writer hardening is a\n * follow-up.\n *\n * Single-writer usage IS safe, including across process restarts:\n * `head()` reads the adapter fresh each call, so a crash between the\n * adapter.put of a data record and the ledger append just means the\n * ledger is missing an entry for that record. `verify()` still\n * succeeds; a future `verifyIntegrity()` helper can cross-check the\n * ledger against the data collections to catch the gap.\n *\n * ## Why hide the ledger from `vault.collection()`?\n *\n * The `_ledger` name starts with `_`, matching the existing prefix\n * convention for internal collections (`_keyring`, `_sync`,\n * `_history`). The Vault's public `collection()` method already\n * returns entries for any name, but `loadAll()` filters out\n * underscore-prefixed collections so backups and exports don't leak\n * ledger metadata. We keep the ledger accessible ONLY via\n * `vault.ledger()` to enforce the hash-chain invariants — direct\n * puts via `collection('_ledger')` would bypass the `append()` logic.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../types.js'\nimport { encrypt, decrypt } from '../../crypto.js'\nimport { ConflictError, LedgerContentionError } from '../../errors.js'\nimport {\n  canonicalJson,\n  hashEntry,\n  paddedIndex,\n  sha256Hex,\n  type LedgerEntry,\n} from './entry.js'\nimport type { JsonPatch } from './patch.js'\nimport { applyPatch } from './patch.js'\nimport { LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION } from './constants.js'\nimport { envelopePayloadHash } from './hash.js'\n\n/**\n * Maximum optimistic-CAS retries on the ledger head. Each failed\n * attempt invalidates the head cache, re-reads, and retries with a\n * fresh next-index. After N failures we surface\n * `LedgerContentionError` so the caller can decide whether to retry,\n * queue, or alert.\n */\nconst MAX_APPEND_ATTEMPTS = 8\n\n//  — re-export the constants + helper so any existing\n// `import { LEDGER_COLLECTION } from '...store.js'` paths keep\n// working. Internal core paths (vault.ts) import from the leaf\n// modules directly to avoid pulling this file's class into the\n// floor bundle.\nexport { LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION, envelopePayloadHash }\n\n/**\n * Input shape for `LedgerStore.append()`. The caller supplies the\n * operation metadata; the store fills in `index` and `prevHash`.\n */\nexport interface AppendInput {\n  op: LedgerEntry['op']\n  collection: string\n  id: string\n  version: number\n  actor: string\n  payloadHash: string\n  /**\n   * Optional JSON Patch representing the delta from the previous\n   * version to the new version. Present only for `put` operations\n   * that had a previous version; omitted for genesis puts and for\n   * deletes. When present, `LedgerStore.append` persists the patch\n   * in `_ledger_deltas/<paddedIndex>` and records its sha256 hash\n   * as the entry's `deltaHash` field.\n   */\n  delta?: JsonPatch\n  /**\n   * Present only for `op === 'amendment'` — structured audit\n   * payload for multi-record repair operations performed via\n   * `withTransactions(...)`. Carried through verbatim to the\n   * resulting ledger entry.\n   */\n  amendment?: LedgerEntry['amendment']\n  /**\n   * Optional human-readable tag describing why this mutation happened.\n   * Threaded from `collection.put(_, _, { reason })`.\n   * Carried verbatim onto the resulting ledger entry's `reason` field;\n   * omitted from canonical JSON when undefined.\n   */\n  reason?: string\n}\n\n/**\n * Result of `LedgerStore.verify()`. On success, `head` is the hash of\n * the last entry — the same value that should be published to any\n * external anchoring service (blockchain, OpenTimestamps, etc.). On\n * failure, `divergedAt` is the 0-based index of the first entry whose\n * recorded `prevHash` does not match the recomputed hash of its\n * predecessor. Entries at `divergedAt` and later are untrustworthy;\n * entries before that index are still valid.\n */\nexport type VerifyResult =\n  | { readonly ok: true; readonly head: string; readonly length: number }\n  | {\n      readonly ok: false\n      readonly divergedAt: number\n      readonly expected: string\n      readonly actual: string\n    }\n\n/**\n * A LedgerStore is bound to a single vault. Callers obtain one\n * via `vault.ledger()` — there is no public constructor to keep\n * the hash-chain invariants in one place.\n *\n * The class holds no mutable state beyond its dependencies (adapter,\n * vault name, DEK resolver, actor id). Every method reads the\n * adapter fresh so multiple instances against the same vault\n * see each other's writes immediately (at the cost of re-parsing the\n * ledger on every head() / verify() call; acceptable at scale).\n */\nexport class LedgerStore {\n  private readonly adapter: NoydbStore\n  private readonly vault: string\n  private readonly encrypted: boolean\n  private readonly getDEK: (collectionName: string) => Promise<CryptoKey>\n  private readonly actor: string\n\n  /**\n   * In-memory cache of the chain head — the most recently appended\n   * entry along with its precomputed hash. Without this, every\n   * `append()` would re-load every prior entry to recompute the\n   * prevHash, making N puts O(N²) — a 1K-record stress test goes from\n   * < 100ms to a multi-second timeout.\n   *\n   * The cache is populated on first read (`append`, `head`, `verify`)\n   * and updated in-place on every successful `append`. Single-writer\n   * usage (the assumption) keeps it consistent. A second\n   * LedgerStore instance writing to the same vault would not\n   * see the first instance's appends in its cached state — that's the\n   * concurrency caveat documented at the class level.\n   *\n   * Sentinel `undefined` means \"not yet loaded\"; an explicit `null`\n   * value means \"loaded and confirmed empty\" — distinguishing these\n   * matters because an empty ledger is a valid state (genesis prevHash\n   * is the empty string), and we don't want to re-scan the adapter\n   * just because the chain is freshly initialized.\n   */\n  private headCache: { entry: LedgerEntry; hash: string } | null | undefined = undefined\n\n  constructor(opts: {\n    adapter: NoydbStore\n    vault: string\n    encrypted: boolean\n    getDEK: (collectionName: string) => Promise<CryptoKey>\n    actor: string\n  }) {\n    this.adapter = opts.adapter\n    this.vault = opts.vault\n    this.encrypted = opts.encrypted\n    this.getDEK = opts.getDEK\n    this.actor = opts.actor\n  }\n\n  /**\n   * Lazily load (or return cached) the current chain head. The cache\n   * sentinel is `undefined` until first access; after the first call,\n   * the cache holds either a `{ entry, hash }` for non-empty ledgers\n   * or `null` for empty ones.\n   */\n  private async getCachedHead(): Promise<{ entry: LedgerEntry; hash: string } | null> {\n    if (this.headCache !== undefined) return this.headCache\n    const entries = await this.loadAllEntries()\n    const last = entries[entries.length - 1]\n    if (!last) {\n      this.headCache = null\n      return null\n    }\n    this.headCache = { entry: last, hash: await hashEntry(last) }\n    return this.headCache\n  }\n\n  /**\n   * Append a new entry to the ledger. Returns the full entry that was\n   * written (with its assigned index and computed prevHash) so the\n   * caller can use the hash for downstream purposes (e.g., embedding\n   * in a verifiable backup).\n   *\n   * This is the **only** way to add entries. Direct adapter writes to\n   * `_ledger/` would bypass the chain math and would be caught by the\n   * next `verify()` call as a divergence.\n   *\n   * ## Multi-writer correctness\n   *\n   * Append is implemented as an optimistic-CAS retry loop. On every\n   * attempt:\n   *\n   *   1. Read fresh head (cache invalidated on retry).\n   *   2. Compute `nextIndex = head.index + 1`, `prevHash = hash(head)`.\n   *   3. Encrypt delta payload IN MEMORY (no adapter write yet) so we\n   *      can compute `deltaHash` before claiming the chain slot.\n   *   4. Build + encrypt the entry envelope.\n   *   5. `adapter.put(_ledger, paddedIndex, envelope, expectedVersion: 0)`\n   *      — the `expectedVersion: 0` asserts \"this slot must not exist.\"\n   *      Stores with `casAtomic: true` honor the CAS check; under\n   *      contention the second writer's put throws `ConflictError`.\n   *   6. On `ConflictError`: invalidate the head cache, sleep with\n   *      bounded backoff + jitter, retry. After `MAX_APPEND_ATTEMPTS`\n   *      retries throw {@link LedgerContentionError}.\n   *   7. On success: write the delta envelope (if any) at the same\n   *      index. Update the head cache.\n   *\n   * Entry-first ordering matters: writing the delta first under\n   * contention would orphan delta records at indices the writer never\n   * actually claimed. The deltaHash is computed off the encrypted\n   * envelope's `_data` field, which doesn't require the envelope to\n   * be persisted.\n   *\n   * Stores with `casAtomic: false` (file, s3, r2 by default) silently\n   * accept the `expectedVersion: 0` argument and proceed without a\n   * CAS check. Concurrent appends against those stores remain\n   * best-effort — pair them with an advisory lock or with sync\n   * single-writer discipline.\n   */\n  async append(input: AppendInput): Promise<LedgerEntry> {\n    let lastConflict: ConflictError | undefined\n    for (let attempt = 0; attempt < MAX_APPEND_ATTEMPTS; attempt++) {\n      // Force a fresh head read on every retry. The first attempt may\n      // hit the cache; subsequent attempts must re-scan the adapter\n      // because the prior conflict means our cached state is stale.\n      if (attempt > 0) {\n        this.headCache = undefined\n      }\n      try {\n        return await this.appendOnce(input)\n      } catch (err) {\n        if (err instanceof ConflictError) {\n          lastConflict = err\n          if (attempt < MAX_APPEND_ATTEMPTS - 1) {\n            await sleepBackoff(attempt)\n          }\n          continue\n        }\n        throw err\n      }\n    }\n    void lastConflict\n    throw new LedgerContentionError(MAX_APPEND_ATTEMPTS)\n  }\n\n  /**\n   * One attempt at the append cycle. Throws `ConflictError` when the\n   * CAS check on the entry put fails — `append()` catches that and\n   * retries. Any other error propagates to the caller.\n   */\n  private async appendOnce(input: AppendInput): Promise<LedgerEntry> {\n    const cached = await this.getCachedHead()\n    const lastEntry = cached?.entry\n    const prevHash = cached?.hash ?? ''\n    const nextIndex = lastEntry ? lastEntry.index + 1 : 0\n\n    // Encrypt the delta in memory so we can compute deltaHash WITHOUT\n    // claiming the deltas slot yet — entry-put is the chain claim.\n    let deltaEnvelope: EncryptedEnvelope | undefined\n    let deltaHash: string | undefined\n    if (input.delta !== undefined) {\n      deltaEnvelope = await this.encryptDelta(input.delta)\n      deltaHash = await sha256Hex(deltaEnvelope._data)\n    }\n\n    // Build the entry. Conditionally include `deltaHash` so\n    // canonicalJson (which rejects undefined) never sees it when\n    // there's no delta.\n    const entryBase = {\n      index: nextIndex,\n      prevHash,\n      op: input.op,\n      collection: input.collection,\n      id: input.id,\n      version: input.version,\n      ts: new Date().toISOString(),\n      actor: input.actor === '' ? this.actor : input.actor,\n      payloadHash: input.payloadHash,\n    } as const\n    const entry: LedgerEntry = {\n      ...entryBase,\n      ...(deltaHash !== undefined ? { deltaHash } : {}),\n      ...(input.amendment !== undefined ? { amendment: input.amendment } : {}),\n      ...(input.reason !== undefined ? { reason: input.reason } : {}),\n    }\n\n    const envelope = await this.encryptEntry(entry)\n    // expectedVersion: 0 ≡ \"the slot must not yet exist.\" Honored by\n    // casAtomic stores; silently passed through by non-CAS stores.\n    await this.adapter.put(\n      this.vault,\n      LEDGER_COLLECTION,\n      paddedIndex(entry.index),\n      envelope,\n      0,\n    )\n\n    // Chain slot claimed. Now write the delta record (if any).\n    if (deltaEnvelope) {\n      await this.adapter.put(\n        this.vault,\n        LEDGER_DELTAS_COLLECTION,\n        paddedIndex(entry.index),\n        deltaEnvelope,\n        0,\n      )\n    }\n\n    // Update the head cache so the next append() doesn't re-scan the\n    // adapter.\n    this.headCache = { entry, hash: await hashEntry(entry) }\n    return entry\n  }\n\n  /**\n   * Load a delta payload by its entry index. Returns `null` if the\n   * entry at that index doesn't reference a delta (genesis puts and\n   * deletes leave the slot empty) or if the delta row is missing\n   * (possible after a `pruneHistory` fold).\n   *\n   * The caller is responsible for deciding what to do with a missing\n   * delta — `ledger.reconstruct()` uses it as a \"stop walking\n   * backward\" signal and falls back to the on-disk current value.\n   */\n  async loadDelta(index: number): Promise<JsonPatch | null> {\n    const envelope = await this.adapter.get(\n      this.vault,\n      LEDGER_DELTAS_COLLECTION,\n      paddedIndex(index),\n    )\n    if (!envelope) return null\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as JsonPatch\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as JsonPatch\n  }\n\n  /** Encrypt a JSON Patch into an envelope for storage. Mirrors encryptEntry. */\n  private async encryptDelta(patch: JsonPatch): Promise<EncryptedEnvelope> {\n    const json = JSON.stringify(patch)\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: 1,\n        _ts: new Date().toISOString(),\n        _iv: '',\n        _data: json,\n        _by: this.actor,\n      }\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: new Date().toISOString(),\n      _iv: iv,\n      _data: data,\n      _by: this.actor,\n    }\n  }\n\n  /**\n   * Read all entries in ascending-index order. Used internally by\n   * `append()`, `head()`, `verify()`, and `entries()`. Decryption is\n   * serial because the entries are tiny and the overhead of a Promise\n   * pool would dominate at realistic chain lengths (< 100K entries).\n   */\n  async loadAllEntries(): Promise<LedgerEntry[]> {\n    const keys = await this.adapter.list(this.vault, LEDGER_COLLECTION)\n    // Sort lexicographically, which matches numeric order because\n    // keys are zero-padded to 10 digits.\n    keys.sort()\n    const entries: LedgerEntry[] = []\n    for (const key of keys) {\n      const envelope = await this.adapter.get(\n        this.vault,\n        LEDGER_COLLECTION,\n        key,\n      )\n      if (!envelope) continue\n      entries.push(await this.decryptEntry(envelope))\n    }\n    return entries\n  }\n\n  /**\n   * Return the current head of the ledger: the last entry, its hash,\n   * and the total chain length. `null` on an empty ledger so callers\n   * can distinguish \"no history yet\" from \"empty history\".\n   */\n  async head(): Promise<\n    | { readonly entry: LedgerEntry; readonly hash: string; readonly length: number }\n    | null\n  > {\n    const cached = await this.getCachedHead()\n    if (!cached) return null\n    // `length` is `entry.index + 1` because indices are zero-based and\n    // contiguous. We don't need to re-scan the adapter to compute it.\n    return {\n      entry: cached.entry,\n      hash: cached.hash,\n      length: cached.entry.index + 1,\n    }\n  }\n\n  /**\n   * Return entries in the requested half-open range `[from, to)`.\n   * Defaults: `from = 0`, `to = length`. The indices are clipped to\n   * the valid range; no error is thrown for out-of-range queries.\n   */\n  async entries(opts: { from?: number; to?: number } = {}): Promise<LedgerEntry[]> {\n    const all = await this.loadAllEntries()\n    const from = Math.max(0, opts.from ?? 0)\n    const to = Math.min(all.length, opts.to ?? all.length)\n    return all.slice(from, to)\n  }\n\n  /**\n   * Reconstruct a record's state at a given historical version by\n   * walking the ledger's delta chain backward from the current state.\n   *\n   * ## Algorithm\n   *\n   * Ledger deltas are stored in **reverse** form — each entry's\n   * patch describes how to undo that put, transforming the new\n   * record back into the previous one. `reconstruct` exploits this\n   * by:\n   *\n   *   1. Finding every ledger entry for `(collection, id)` in the\n   *      chain, sorted by index ascending.\n   *   2. Starting from `current` (the present value of the record,\n   *      as held by the caller — typically fetched via\n   *      `Collection.get()`).\n   *   3. Walking entries in **descending** index order and applying\n   *      each entry's reverse patch, stopping when we reach the\n   *      entry whose version equals `atVersion`.\n   *\n   * The result is the record as it existed immediately AFTER the\n   * put at `atVersion`. To get the state at the genesis put\n   * (version 1), the walk runs all the way back through every put\n   * after the first.\n   *\n   * ## Caveats\n   *\n   * - **Delete entries** break the walk: once we see a delete, the\n   *   record didn't exist before that point, so there's nothing to\n   *   reconstruct. We return `null` in that case.\n   * - **Missing deltas** (e.g., after `pruneHistory` folds old\n   *   entries into a base snapshot) also stop the walk. does\n   *   not ship pruneHistory, so today this only happens if an entry\n   *   was deleted out-of-band.\n   * - The caller MUST pass the correct current value. Passing a\n   *   mutated object would corrupt the reconstruction — the patch\n   *   chain is only valid against the exact state that was in\n   *   effect when the most recent put happened.\n   *\n   * For, `reconstruct` is the only way to read a historical\n   * version via deltas. The legacy `_history` collection still\n   * holds full snapshots and `Collection.getVersion()` still reads\n   * from there — the two paths coexist until pruneHistory lands in\n   * a follow-up and delta becomes the default.\n   */\n  async reconstruct<T>(\n    collection: string,\n    id: string,\n    current: T,\n    atVersion: number,\n  ): Promise<T | null> {\n    const all = await this.loadAllEntries()\n    // Filter to entries for this (collection, id), in ascending index.\n    const matching = all.filter(\n      (e) => e.collection === collection && e.id === id,\n    )\n    if (matching.length === 0) {\n      // No ledger history at all; the current state IS version 1\n      // (or there's nothing), so the only valid atVersion is the\n      // current record's version. We can't verify that here, so\n      // return current if atVersion is plausible, null otherwise.\n      return null\n    }\n\n    // Walk entries in descending index order, applying each reverse\n    // delta until we reach the target version.\n    let state: T | null = current\n    for (let i = matching.length - 1; i >= 0; i--) {\n      const entry = matching[i]\n      if (!entry) continue\n\n      // Defensive: skip every non-put/non-delete op variant. The\n      // outer filter on `e.collection === collection && e.id === id`\n      // already excludes `amendment` entries (their collection/id are\n      // empty strings), but a top-of-loop guard keeps the walker\n      // robust if a future op variant slips through the filter.\n      if (entry.op !== 'put' && entry.op !== 'delete') continue\n\n      // Match check FIRST — before applying this entry's reverse\n      // patch. `state` at this point is the record state immediately\n      // after this entry's put (or before this entry's delete), so\n      // if the caller asked for this exact version, we're done.\n      if (entry.version === atVersion && entry.op !== 'delete') {\n        return state\n      }\n\n      if (entry.op === 'delete') {\n        // A delete erases the live state. If the caller asks for a\n        // version older than the delete we should continue walking\n        // (state becomes null and the next put resets it). But we\n        // can't reconstruct that pre-delete state from the current\n        // in-memory `state` — the delete has no reverse patch. So\n        // anything past this point is unreachable; return null.\n        return null\n      }\n\n      if (entry.deltaHash === undefined) {\n        // Genesis put — the earliest state for this lifecycle. We\n        // can't walk further back. If the caller asked for exactly\n        // this version, return the current state (we already failed\n        // the match check above because a fresh genesis after a\n        // delete can have version === atVersion). Otherwise the\n        // target is unreachable from here.\n        if (entry.version === atVersion) return state\n        return null\n      }\n\n      const patch = await this.loadDelta(entry.index)\n      if (!patch) {\n        // Delta row is missing (probably pruned). Stop walking.\n        return null\n      }\n\n      if (state === null) {\n        // We're trying to walk back across a delete range and there's\n        // nothing to apply a reverse patch to. Bail.\n        return null\n      }\n\n      state = applyPatch(state, patch)\n    }\n\n    // Ran off the end of the walk without matching. The target\n    // version doesn't exist in this record's chain.\n    return null\n  }\n\n  /**\n   * Walk the chain from genesis forward and verify every link.\n   *\n   * Returns `{ ok: true, head, length }` if every entry's `prevHash`\n   * matches the recomputed hash of its predecessor (and the genesis\n   * entry's `prevHash` is the empty string).\n   *\n   * Returns `{ ok: false, divergedAt, expected, actual }` on the first\n   * mismatch. `divergedAt` is the 0-based index of the BROKEN entry\n   * — entries before that index still verify cleanly; entries at and\n   * after `divergedAt` are untrustworthy.\n   *\n   * This method detects:\n   *   - Mutated entry content (fields changed)\n   *   - Reordered entries (if any adjacent pair swaps, the prevHash\n   *     of the second no longer matches)\n   *   - Inserted entries (the inserted entry's prevHash likely fails,\n   *     and the following entry's prevHash definitely fails)\n   *   - Deleted entries (the entry after the deletion sees a wrong\n   *     prevHash)\n   *\n   * It does NOT detect:\n   *   - Tampering with the DATA collections that bypassed the ledger\n   *     entirely (e.g., an attacker who modifies records without\n   *     appending matching ledger entries — this is why we also\n   *     plan a `verifyIntegrity()` helper in a follow-up)\n   *   - Truncation of the chain at the tail (dropping the last N\n   *     entries leaves a shorter but still consistent chain). External\n   *     anchoring of `head.hash` to a trusted service is the defense\n   *     against this.\n   */\n  async verify(): Promise<VerifyResult> {\n    const entries = await this.loadAllEntries()\n    let expectedPrevHash = ''\n    for (let i = 0; i < entries.length; i++) {\n      const entry = entries[i]\n      if (!entry) continue\n      if (entry.prevHash !== expectedPrevHash) {\n        return {\n          ok: false,\n          divergedAt: i,\n          expected: expectedPrevHash,\n          actual: entry.prevHash,\n        }\n      }\n      if (entry.index !== i) {\n        // An entry whose stored index doesn't match its position in\n        // the sorted list means someone rewrote the adapter keys.\n        // Treat as divergence.\n        return {\n          ok: false,\n          divergedAt: i,\n          expected: `index=${i}`,\n          actual: `index=${entry.index}`,\n        }\n      }\n      expectedPrevHash = await hashEntry(entry)\n    }\n    return {\n      ok: true,\n      head: expectedPrevHash,\n      length: entries.length,\n    }\n  }\n\n  // ─── Encryption plumbing ─────────────────────────────────────────\n\n  /**\n   * Serialize + encrypt a ledger entry into an EncryptedEnvelope. The\n   * envelope's `_v` field is set to `entry.index + 1` so the usual\n   * optimistic-concurrency machinery has a reasonable version number\n   * to compare against (the ledger is append-only, so concurrent\n   * writes should always bump the index).\n   */\n  private async encryptEntry(entry: LedgerEntry): Promise<EncryptedEnvelope> {\n    const json = canonicalJson(entry)\n    if (!this.encrypted) {\n      return {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: entry.index + 1,\n        _ts: entry.ts,\n        _iv: '',\n        _data: json,\n        _by: entry.actor,\n      }\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    return {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: entry.index + 1,\n      _ts: entry.ts,\n      _iv: iv,\n      _data: data,\n      _by: entry.actor,\n    }\n  }\n\n  /** Decrypt an envelope into a LedgerEntry. Throws on bad key / tamper. */\n  private async decryptEntry(envelope: EncryptedEnvelope): Promise<LedgerEntry> {\n    if (!this.encrypted) {\n      return JSON.parse(envelope._data) as LedgerEntry\n    }\n    const dek = await this.getDEK(LEDGER_COLLECTION)\n    const json = await decrypt(envelope._iv, envelope._data, dek)\n    return JSON.parse(json) as LedgerEntry\n  }\n}\n\n// `envelopePayloadHash` was moved to `./hash.ts` so it can be\n// imported by core code without dragging this file's `LedgerStore`\n// class into the floor bundle. The re-export at the top of this\n// file keeps the original `import { envelopePayloadHash } from '.../store.js'`\n// path working.\n\n/**\n * Exponential backoff with jitter for the append CAS retry loop.\n * Attempt 0 → ~5–10 ms, attempt 7 → ~640–1280 ms. Jitter avoids the\n * thundering-herd problem when multiple writers collide repeatedly.\n */\nfunction sleepBackoff(attempt: number): Promise<void> {\n  const base = 5 * Math.pow(2, attempt)\n  const jitter = Math.random() * base\n  return new Promise((resolve) => setTimeout(resolve, base + jitter))\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AA4EO,SAAS,aAAa,MAAe,MAA0B;AACpE,QAAM,MAAqB,CAAC;AAC5B,OAAK,MAAM,MAAM,IAAI,GAAG;AACxB,SAAO;AACT;AAEA,SAAS,KACP,MACA,MACA,MACA,KACM;AAGN,MAAI,SAAS,KAAM;AAGnB,MAAI,SAAS,QAAQ,SAAS,MAAM;AAClC,QAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC7C;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,QAAQ,IAAI;AACtC,QAAM,cAAc,MAAM,QAAQ,IAAI;AACtC,QAAM,eAAe,OAAO,SAAS,YAAY,CAAC;AAClD,QAAM,eAAe,OAAO,SAAS,YAAY,CAAC;AAGlD,MAAI,gBAAgB,eAAe,iBAAiB,cAAc;AAChE,QAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC7C;AAAA,EACF;AAKA,MAAI,eAAe,aAAa;AAC9B,QAAI,CAAC,eAAe,MAAmB,IAAiB,GAAG;AACzD,UAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,IAC/C;AACA;AAAA,EACF;AAGA,MAAI,gBAAgB,cAAc;AAChC,UAAM,UAAU;AAChB,UAAM,UAAU;AAChB,UAAM,WAAW,OAAO,KAAK,OAAO;AACpC,UAAM,WAAW,OAAO,KAAK,OAAO;AAGpC,eAAW,OAAO,UAAU;AAC1B,YAAM,YAAY,OAAO,MAAM,kBAAkB,GAAG;AACpD,UAAI,EAAE,OAAO,UAAU;AACrB,YAAI,KAAK,EAAE,IAAI,UAAU,MAAM,UAAU,CAAC;AAAA,MAC5C,OAAO;AACL,aAAK,QAAQ,GAAG,GAAG,QAAQ,GAAG,GAAG,WAAW,GAAG;AAAA,MACjD;AAAA,IACF;AAEA,eAAW,OAAO,UAAU;AAC1B,UAAI,EAAE,OAAO,UAAU;AACrB,YAAI,KAAK;AAAA,UACP,IAAI;AAAA,UACJ,MAAM,OAAO,MAAM,kBAAkB,GAAG;AAAA,UACxC,OAAO,QAAQ,GAAG;AAAA,QACpB,CAAC;AAAA,MACH;AAAA,IACF;AACA;AAAA,EACF;AAGA,MAAI,KAAK,EAAE,IAAI,WAAW,MAAM,OAAO,KAAK,CAAC;AAC/C;AAEA,SAAS,eAAe,GAAc,GAAuB;AAC3D,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,QAAI,CAAC,UAAU,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAG,QAAO;AAAA,EACrC;AACA,SAAO;AACT;AAEA,SAAS,UAAU,GAAY,GAAqB;AAClD,MAAI,MAAM,EAAG,QAAO;AACpB,MAAI,MAAM,QAAQ,MAAM,KAAM,QAAO;AACrC,MAAI,OAAO,MAAM,OAAO,EAAG,QAAO;AAClC,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,QAAM,SAAS,MAAM,QAAQ,CAAC;AAC9B,QAAM,SAAS,MAAM,QAAQ,CAAC;AAC9B,MAAI,WAAW,OAAQ,QAAO;AAC9B,MAAI,UAAU,OAAQ,QAAO,eAAe,GAAG,CAAc;AAC7D,QAAM,OAAO;AACb,QAAM,OAAO;AACb,QAAM,QAAQ,OAAO,KAAK,IAAI;AAC9B,QAAM,QAAQ,OAAO,KAAK,IAAI;AAC9B,MAAI,MAAM,WAAW,MAAM,OAAQ,QAAO;AAC1C,aAAW,OAAO,OAAO;AACvB,QAAI,EAAE,OAAO,MAAO,QAAO;AAC3B,QAAI,CAAC,UAAU,KAAK,GAAG,GAAG,KAAK,GAAG,CAAC,EAAG,QAAO;AAAA,EAC/C;AACA,SAAO;AACT;AAsBO,SAAS,WAAwB,MAAS,OAAqB;AACpE,MAAI,SAAkB,MAAM,IAAI;AAChC,aAAW,MAAM,OAAO;AACtB,aAAS,QAAQ,QAAQ,EAAE;AAAA,EAC7B;AACA,SAAO;AACT;AAEA,SAAS,QAAQ,KAAc,IAA0B;AAIvD,MAAI,GAAG,SAAS,IAAI;AAClB,QAAI,GAAG,OAAO,SAAU,QAAO;AAC/B,WAAO,MAAM,GAAG,KAAK;AAAA,EACvB;AAEA,QAAM,WAAW,UAAU,GAAG,IAAI;AAClC,SAAO,aAAa,KAAK,UAAU,EAAE;AACvC;AAEA,SAAS,aACP,KACA,UACA,IACS;AACT,MAAI,SAAS,WAAW,GAAG;AAEzB,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,QAAM,CAAC,MAAM,GAAG,IAAI,IAAI;AACxB,MAAI,SAAS,OAAW,OAAM,IAAI,MAAM,iCAAiC;AAEzE,MAAI,KAAK,WAAW,GAAG;AACrB,WAAO,gBAAgB,KAAK,MAAM,EAAE;AAAA,EACtC;AAIA,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,UAAM,MAAM,gBAAgB,MAAM,IAAI,MAAM;AAC5C,UAAM,QAAQ,IAAI,GAAG;AACrB,UAAM,WAAW,aAAa,OAAO,MAAM,EAAE;AAC7C,UAAM,OAAO,IAAI,MAAM;AACvB,SAAK,GAAG,IAAI;AACZ,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,MAAM;AACZ,QAAI,EAAE,QAAQ,MAAM;AAClB,YAAM,IAAI,MAAM,6BAA6B,IAAI,uBAAuB;AAAA,IAC1E;AACA,UAAM,WAAW,aAAa,IAAI,IAAI,GAAG,MAAM,EAAE;AACjD,WAAO,EAAE,GAAG,KAAK,CAAC,IAAI,GAAG,SAAS;AAAA,EACpC;AACA,QAAM,IAAI;AAAA,IACR,gCAAgC,OAAO,GAAG,gBAAgB,IAAI;AAAA,EAChE;AACF;AAEA,SAAS,gBACP,KACA,SACA,IACS;AACT,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,UAAM,MACJ,YAAY,MAAM,IAAI,SAAS,gBAAgB,SAAS,IAAI,SAAS,CAAC;AACxE,UAAM,OAAO,IAAI,MAAM;AACvB,QAAI,GAAG,OAAO,UAAU;AACtB,WAAK,OAAO,KAAK,CAAC;AAClB,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,OAAO;AACnB,WAAK,OAAO,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;AACnC,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,WAAW;AACvB,UAAI,OAAO,IAAI,QAAQ;AACrB,cAAM,IAAI;AAAA,UACR,oDAAoD,GAAG;AAAA,QACzD;AAAA,MACF;AACA,WAAK,GAAG,IAAI,MAAM,GAAG,KAAK;AAC1B,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,MAAM;AACZ,QAAI,GAAG,OAAO,UAAU;AACtB,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,sCAAsC,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,YAAM,OAAO,EAAE,GAAG,IAAI;AACtB,aAAO,KAAK,OAAO;AACnB,aAAO;AAAA,IACT;AACA,QAAI,GAAG,OAAO,OAAO;AAEnB,aAAO,EAAE,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE;AAAA,IAC9C;AACA,QAAI,GAAG,OAAO,WAAW;AACvB,UAAI,EAAE,WAAW,MAAM;AACrB,cAAM,IAAI;AAAA,UACR,uCAAuC,OAAO;AAAA,QAChD;AAAA,MACF;AACA,aAAO,EAAE,GAAG,KAAK,CAAC,OAAO,GAAG,MAAM,GAAG,KAAK,EAAE;AAAA,IAC9C;AAAA,EACF;AACA,QAAM,IAAI;AAAA,IACR,4BAA4B,GAAG,EAAE,yBAAyB,OAAO;AAAA,EACnE;AACF;AAYA,SAAS,kBAAkB,SAAyB;AAClD,SAAO,QAAQ,QAAQ,MAAM,IAAI,EAAE,QAAQ,OAAO,IAAI;AACxD;AAEA,SAAS,oBAAoB,SAAyB;AACpD,SAAO,QAAQ,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG;AACvD;AAEA,SAAS,UAAU,MAAwB;AACzC,MAAI,CAAC,KAAK,WAAW,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,8CAA8C,IAAI,GAAG;AAAA,EACvE;AACA,SAAO,KACJ,MAAM,CAAC,EACP,MAAM,GAAG,EACT,IAAI,mBAAmB;AAC5B;AAEA,SAAS,gBAAgB,SAAiB,KAAqB;AAC7D,MAAI,CAAC,QAAQ,KAAK,OAAO,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,gEAAgE,OAAO;AAAA,IACzE;AAAA,EACF;AACA,QAAM,MAAM,OAAO,SAAS,SAAS,EAAE;AACvC,MAAI,MAAM,KAAK,MAAM,KAAK;AACxB,UAAM,IAAI;AAAA,MACR,2BAA2B,GAAG,qBAAqB,GAAG;AAAA,IACxD;AAAA,EACF;AACA,SAAO;AACT;AAeA,SAAS,MAAS,OAAa;AAC7B,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,SAAO,KAAK,MAAM,KAAK,UAAU,KAAK,CAAC;AACzC;;;AC5WO,IAAM,oBAAoB;AAuB1B,IAAM,2BAA2B;;;AC+BxC,IAAM,sBAAsB;AA0ErB,IAAM,cAAN,MAAkB;AAAA,EACN;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBT,YAAqE;AAAA,EAE7E,YAAY,MAMT;AACD,SAAK,UAAU,KAAK;AACpB,SAAK,QAAQ,KAAK;AAClB,SAAK,YAAY,KAAK;AACtB,SAAK,SAAS,KAAK;AACnB,SAAK,QAAQ,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,gBAAsE;AAClF,QAAI,KAAK,cAAc,OAAW,QAAO,KAAK;AAC9C,UAAM,UAAU,MAAM,KAAK,eAAe;AAC1C,UAAM,OAAO,QAAQ,QAAQ,SAAS,CAAC;AACvC,QAAI,CAAC,MAAM;AACT,WAAK,YAAY;AACjB,aAAO;AAAA,IACT;AACA,SAAK,YAAY,EAAE,OAAO,MAAM,MAAM,MAAM,UAAU,IAAI,EAAE;AAC5D,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4CA,MAAM,OAAO,OAA0C;AACrD,QAAI;AACJ,aAAS,UAAU,GAAG,UAAU,qBAAqB,WAAW;AAI9D,UAAI,UAAU,GAAG;AACf,aAAK,YAAY;AAAA,MACnB;AACA,UAAI;AACF,eAAO,MAAM,KAAK,WAAW,KAAK;AAAA,MACpC,SAAS,KAAK;AACZ,YAAI,eAAe,eAAe;AAChC,yBAAe;AACf,cAAI,UAAU,sBAAsB,GAAG;AACrC,kBAAM,aAAa,OAAO;AAAA,UAC5B;AACA;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAAA,IACF;AACA,SAAK;AACL,UAAM,IAAI,sBAAsB,mBAAmB;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAAW,OAA0C;AACjE,UAAM,SAAS,MAAM,KAAK,cAAc;AACxC,UAAM,YAAY,QAAQ;AAC1B,UAAM,WAAW,QAAQ,QAAQ;AACjC,UAAM,YAAY,YAAY,UAAU,QAAQ,IAAI;AAIpD,QAAI;AACJ,QAAI;AACJ,QAAI,MAAM,UAAU,QAAW;AAC7B,sBAAgB,MAAM,KAAK,aAAa,MAAM,KAAK;AACnD,kBAAY,MAAM,UAAU,cAAc,KAAK;AAAA,IACjD;AAKA,UAAM,YAAY;AAAA,MAChB,OAAO;AAAA,MACP;AAAA,MACA,IAAI,MAAM;AAAA,MACV,YAAY,MAAM;AAAA,MAClB,IAAI,MAAM;AAAA,MACV,SAAS,MAAM;AAAA,MACf,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC3B,OAAO,MAAM,UAAU,KAAK,KAAK,QAAQ,MAAM;AAAA,MAC/C,aAAa,MAAM;AAAA,IACrB;AACA,UAAM,QAAqB;AAAA,MACzB,GAAG;AAAA,MACH,GAAI,cAAc,SAAY,EAAE,UAAU,IAAI,CAAC;AAAA,MAC/C,GAAI,MAAM,cAAc,SAAY,EAAE,WAAW,MAAM,UAAU,IAAI,CAAC;AAAA,MACtE,GAAI,MAAM,WAAW,SAAY,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;AAAA,IAC/D;AAEA,UAAM,WAAW,MAAM,KAAK,aAAa,KAAK;AAG9C,UAAM,KAAK,QAAQ;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA,YAAY,MAAM,KAAK;AAAA,MACvB;AAAA,MACA;AAAA,IACF;AAGA,QAAI,eAAe;AACjB,YAAM,KAAK,QAAQ;AAAA,QACjB,KAAK;AAAA,QACL;AAAA,QACA,YAAY,MAAM,KAAK;AAAA,QACvB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAIA,SAAK,YAAY,EAAE,OAAO,MAAM,MAAM,UAAU,KAAK,EAAE;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAU,OAA0C;AACxD,UAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,MAClC,KAAK;AAAA,MACL;AAAA,MACA,YAAY,KAAK;AAAA,IACnB;AACA,QAAI,CAAC,SAAU,QAAO;AACtB,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AAAA;AAAA,EAGA,MAAc,aAAa,OAA8C;AACvE,UAAM,OAAO,KAAK,UAAU,KAAK;AACjC,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI;AAAA,QACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO;AAAA,QACP,KAAK,KAAK;AAAA,MACZ;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC5B,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,KAAK;AAAA,IACZ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAyC;AAC7C,UAAM,OAAO,MAAM,KAAK,QAAQ,KAAK,KAAK,OAAO,iBAAiB;AAGlE,SAAK,KAAK;AACV,UAAM,UAAyB,CAAC;AAChC,eAAW,OAAO,MAAM;AACtB,YAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,QAClC,KAAK;AAAA,QACL;AAAA,QACA;AAAA,MACF;AACA,UAAI,CAAC,SAAU;AACf,cAAQ,KAAK,MAAM,KAAK,aAAa,QAAQ,CAAC;AAAA,IAChD;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAGJ;AACA,UAAM,SAAS,MAAM,KAAK,cAAc;AACxC,QAAI,CAAC,OAAQ,QAAO;AAGpB,WAAO;AAAA,MACL,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,QAAQ,OAAO,MAAM,QAAQ;AAAA,IAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,QAAQ,OAAuC,CAAC,GAA2B;AAC/E,UAAM,MAAM,MAAM,KAAK,eAAe;AACtC,UAAM,OAAO,KAAK,IAAI,GAAG,KAAK,QAAQ,CAAC;AACvC,UAAM,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,IAAI,MAAM;AACrD,WAAO,IAAI,MAAM,MAAM,EAAE;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+CA,MAAM,YACJ,YACA,IACA,SACA,WACmB;AACnB,UAAM,MAAM,MAAM,KAAK,eAAe;AAEtC,UAAM,WAAW,IAAI;AAAA,MACnB,CAAC,MAAM,EAAE,eAAe,cAAc,EAAE,OAAO;AAAA,IACjD;AACA,QAAI,SAAS,WAAW,GAAG;AAKzB,aAAO;AAAA,IACT;AAIA,QAAI,QAAkB;AACtB,aAAS,IAAI,SAAS,SAAS,GAAG,KAAK,GAAG,KAAK;AAC7C,YAAM,QAAQ,SAAS,CAAC;AACxB,UAAI,CAAC,MAAO;AAOZ,UAAI,MAAM,OAAO,SAAS,MAAM,OAAO,SAAU;AAMjD,UAAI,MAAM,YAAY,aAAa,MAAM,OAAO,UAAU;AACxD,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,OAAO,UAAU;AAOzB,eAAO;AAAA,MACT;AAEA,UAAI,MAAM,cAAc,QAAW;AAOjC,YAAI,MAAM,YAAY,UAAW,QAAO;AACxC,eAAO;AAAA,MACT;AAEA,YAAM,QAAQ,MAAM,KAAK,UAAU,MAAM,KAAK;AAC9C,UAAI,CAAC,OAAO;AAEV,eAAO;AAAA,MACT;AAEA,UAAI,UAAU,MAAM;AAGlB,eAAO;AAAA,MACT;AAEA,cAAQ,WAAW,OAAO,KAAK;AAAA,IACjC;AAIA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiCA,MAAM,SAAgC;AACpC,UAAM,UAAU,MAAM,KAAK,eAAe;AAC1C,QAAI,mBAAmB;AACvB,aAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,YAAM,QAAQ,QAAQ,CAAC;AACvB,UAAI,CAAC,MAAO;AACZ,UAAI,MAAM,aAAa,kBAAkB;AACvC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,YAAY;AAAA,UACZ,UAAU;AAAA,UACV,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AACA,UAAI,MAAM,UAAU,GAAG;AAIrB,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,YAAY;AAAA,UACZ,UAAU,SAAS,CAAC;AAAA,UACpB,QAAQ,SAAS,MAAM,KAAK;AAAA,QAC9B;AAAA,MACF;AACA,yBAAmB,MAAM,UAAU,KAAK;AAAA,IAC1C;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,QAAQ,QAAQ;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,aAAa,OAAgD;AACzE,UAAM,OAAO,cAAc,KAAK;AAChC,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,IAAI,MAAM,QAAQ;AAAA,QAClB,KAAK,MAAM;AAAA,QACX,KAAK;AAAA,QACL,OAAO;AAAA,QACP,KAAK,MAAM;AAAA,MACb;AAAA,IACF;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI,MAAM,QAAQ;AAAA,MAClB,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF;AAAA;AAAA,EAGA,MAAc,aAAa,UAAmD;AAC5E,QAAI,CAAC,KAAK,WAAW;AACnB,aAAO,KAAK,MAAM,SAAS,KAAK;AAAA,IAClC;AACA,UAAM,MAAM,MAAM,KAAK,OAAO,iBAAiB;AAC/C,UAAM,OAAO,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAC5D,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB;AACF;AAaA,SAAS,aAAa,SAAgC;AACpD,QAAM,OAAO,IAAI,KAAK,IAAI,GAAG,OAAO;AACpC,QAAM,SAAS,KAAK,OAAO,IAAI;AAC/B,SAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,OAAO,MAAM,CAAC;AACpE;","names":[]}

package/dist/{chunk-243PNUA6.js → chunk-JOK73NDT.js}

@@ -1,9 +1,9 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-TA6HPKWQ.js";
 import {
   ValidationError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/meta/public-envelope/schema.ts
 var DATA_URL_PREFIX = /^data:([a-zA-Z0-9.+-]+\/[a-zA-Z0-9.+-]+);base64,/;
@@ -152,4 +152,4 @@ export {
   resolveLocale,
   pickLocale
 };
-//# sourceMappingURL=chunk-243PNUA6.js.map
+//# sourceMappingURL=chunk-JOK73NDT.js.map