@noy-db/hub 0.2.0-pre.2 → 0.2.0-pre.21

package/dist/chunk-PFSNOPBQ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/blobs/export-blobs.ts","../src/blobs/blob-compaction.ts"],"sourcesContent":["/**\n * `vault.exportBlobs()` — bulk blob extraction primitive.\n *\n * Async-iterable handle over every blob attached to records in a\n * vault, optionally filtered by collection allowlist and per-record\n * predicate. Emits tuples of `{ blobId, recordRef, bytes, meta }` so\n * the consumer can pipe into any sink (zip stream, S3 multipart, USB\n * copy, cold-storage tape) without pulling the whole export into\n * memory.\n *\n * ## Auth + audit\n *\n * - Capability check runs **once** at handle creation via\n *   `Vault.assertCanExport('plaintext', 'blob')`. An operator whose\n *   keyring lacks that bit fails before a single byte of ciphertext\n *   is decrypted.\n * - Audit entry lands in `_export_audit` at handle creation: the\n *   actor, start timestamp, target collections, predicate presence,\n *   and batch mechanism. **No content hashes** — per the spec\n *   non-correlation invariant.\n *\n * ## Abort + resume\n *\n * - `handle.abort()` flips the internal signal; the next iteration\n *   boundary throws `AbortError`. Consumers already in `for await`\n *   can catch and exit cleanly.\n * - Restart after a partial failure with `{ afterBlobId }` — the\n *   iterator skips tuples up to (and including) that blob id before\n *   yielding again. Combined with a blob-count ceiling it supports\n *   idempotent batch re-runs.\n *\n * @module\n */\n\nimport type { Collection } from '../collection.js'\nimport type { SlotInfo } from '../types.js'\n\n// ─── Types ──────────────────────────────────────────────────────────────\n\nexport interface ExportBlobsOptions {\n  /**\n   * Collection allowlist. Omit to export blobs from every collection\n   * the caller has read access to.\n   */\n  readonly collections?: readonly string[]\n  /**\n   * Per-record predicate. Called on the decrypted record BEFORE any\n   * blob bytes are read for that record — returning false skips the\n   * record and all its slots without touching their chunks.\n   */\n  readonly where?: (record: unknown, context: { collection: string; id: string }) => boolean\n  /**\n   * Resume after a specific blob id. The iterator skips tuples up to\n   * and including this id, then yields. Format of the id is the same\n   * as `ExportedBlob.blobId` (the HMAC-keyed eTag).\n   */\n  readonly afterBlobId?: string\n  /**\n   * External abort signal. When fired, the next iterator tick throws\n   * `ExportBlobsAbortedError`. Honored alongside `handle.abort()`.\n   */\n  readonly signal?: AbortSignal\n}\n\nexport interface ExportedBlob {\n  /** Opaque blob identifier — HMAC-keyed eTag, stable across vaults. */\n  readonly blobId: string\n  /** Where this blob came from in the vault. */\n  readonly recordRef: {\n    readonly collection: string\n    readonly id: string\n    readonly slot: string\n  }\n  /** Decrypted plaintext bytes. */\n  readonly bytes: Uint8Array\n  /** Best-effort metadata (from the blob slot record). */\n  readonly meta: {\n    readonly size: number\n    /**\n     * User-visible filename stored on the slot. Often equal to the\n     * slot name; differs when the caller supplied an explicit\n     * `filename` to `BlobSet.put()`.\n     */\n    readonly filename: string\n    readonly mimeType?: string\n    readonly createdAt?: string\n  }\n}\n\nexport interface ExportBlobsHandle extends AsyncIterable<ExportedBlob> {\n  /** Abort the export. Safe to call multiple times. */\n  abort(): void\n  /** True once `abort()` has fired or the external signal aborted. */\n  readonly aborted: boolean\n}\n\nexport class ExportBlobsAbortedError extends Error {\n  constructor(reason: string) {\n    super(`exportBlobs aborted: ${reason}`)\n    this.name = 'ExportBlobsAbortedError'\n  }\n}\n\n// ─── Audit ──────────────────────────────────────────────────────────────\n\nexport const EXPORT_AUDIT_COLLECTION = '_export_audit'\n\nexport interface ExportBlobsAuditEntry {\n  readonly id: string\n  readonly mechanism: 'exportBlobs'\n  readonly actor: string\n  readonly startedAt: string\n  readonly collections: readonly string[] | null\n  readonly predicate: boolean\n  readonly afterBlobId: string | null\n}\n\n// ─── Implementation ─────────────────────────────────────────────────────\n\n/**\n * Build the handle. Factored out of `Vault.exportBlobs` so the\n * implementation can be unit-tested without going through the\n * compartment lifecycle.\n */\nexport function createExportBlobsHandle(\n  actor: string,\n  listAccessibleCollections: () => Promise<string[]>,\n  getCollection: <T>(name: string) => Collection<T>,\n  writeAudit: (entry: ExportBlobsAuditEntry) => Promise<void>,\n  options: ExportBlobsOptions,\n): ExportBlobsHandle {\n  let aborted = false\n\n  const abort = (): void => {\n    aborted = true\n  }\n\n  if (options.signal) {\n    if (options.signal.aborted) aborted = true\n    options.signal.addEventListener('abort', () => { aborted = true })\n  }\n\n  function assertLive(): void {\n    if (aborted) throw new ExportBlobsAbortedError('aborted by caller')\n  }\n\n  const allowlist = options.collections ? new Set(options.collections) : null\n\n  // Write the audit entry BEFORE the first yield so a blocked\n  // iteration still leaves an audit trail that the export started.\n  let auditPromise: Promise<void> | null = null\n  function writeAuditOnce(): Promise<void> {\n    if (!auditPromise) {\n      auditPromise = writeAudit({\n        id: generateBatchId(),\n        mechanism: 'exportBlobs',\n        actor,\n        startedAt: new Date().toISOString(),\n        collections: options.collections ?? null,\n        predicate: Boolean(options.where),\n        afterBlobId: options.afterBlobId ?? null,\n      })\n    }\n    return auditPromise\n  }\n\n  async function* generate(): AsyncGenerator<ExportedBlob> {\n    await writeAuditOnce()\n    assertLive()\n\n    // Resolve target collections lazily — also keeps the call async.\n    const allCollections = await listAccessibleCollections()\n    const targets = allCollections.filter(name => {\n      if (name.startsWith('_')) return false\n      if (allowlist && !allowlist.has(name)) return false\n      return true\n    })\n\n    let resumeCursorHit = options.afterBlobId === undefined\n\n    for (const collectionName of targets) {\n      if (aborted) return\n\n      const coll = getCollection<Record<string, unknown>>(collectionName)\n      const records = await coll.list().catch(() => [])\n      for (const record of records) {\n        if (aborted) return\n        assertLive()\n\n        const idField = (record as { id?: unknown }).id\n        if (typeof idField !== 'string') continue\n\n        if (options.where && !options.where(record, { collection: collectionName, id: idField })) continue\n\n        const blobSet = coll.blob(idField)\n        const slots = await blobSet.list().catch(() => [] as SlotInfo[])\n        for (const slot of slots) {\n          if (aborted) return\n\n          if (!resumeCursorHit) {\n            if (slot.eTag === options.afterBlobId) {\n              resumeCursorHit = true\n            }\n            continue\n          }\n\n          const bytes = await blobSet.get(slot.name)\n          if (!bytes) continue\n\n          const item: ExportedBlob = {\n            blobId: slot.eTag,\n            recordRef: { collection: collectionName, id: idField, slot: slot.name },\n            bytes,\n            meta: {\n              size: slot.size,\n              filename: slot.filename,\n              ...(slot.mimeType !== undefined && { mimeType: slot.mimeType }),\n              ...(slot.uploadedAt !== undefined && { createdAt: slot.uploadedAt }),\n            },\n          }\n          yield item\n        }\n      }\n    }\n  }\n\n  const handle: ExportBlobsHandle = {\n    abort,\n    get aborted() { return aborted },\n    [Symbol.asyncIterator]: () => generate(),\n  }\n  return handle\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\nfunction generateBatchId(): string {\n  // 16 bytes of crypto randomness, URL-safe base64, no padding.\n  const raw = globalThis.crypto.getRandomValues(new Uint8Array(16))\n  let s = ''\n  for (const b of raw) s += b.toString(16).padStart(2, '0')\n  return `batch-${Date.now().toString(36)}-${s.slice(0, 12)}`\n}\n","/**\n * Blob retention + compaction.\n *\n * Declarative per-collection / per-slot eviction policy. Two\n * triggers:\n *\n *   - **`retainDays`** — age-based TTL. A slot uploaded more than N\n *     days ago is evicted.\n *   - **`evictWhen(record)`** — predicate over the **decrypted**\n *     record. Lets consumers express \"the image is safe to drop once\n *     the structured invoice has been reviewed and confirmed.\"\n *\n * Either trigger (or both) causes the slot to evict. Eviction removes\n * the slot entry from `_blob_slots_{collection}`, decrements the\n * blob's refCount (so unreferenced chunks can be GC'd by the next\n * sweep), and writes one entry to the `_blob_eviction_audit`\n * collection for tamper-evident record-keeping.\n *\n * The audit entry carries the eTag of the evicted blob (opaque HMAC\n * of plaintext under the vault's `_blob` DEK) — no plaintext leakage,\n * per the SPEC non-correlation invariant. Consumers reconstructing\n * \"what used to be attached\" can look up the audit entry by record\n * id.\n *\n * Compaction is **consumer-scheduled** — noy-db never runs a\n * background daemon. Call `vault.compact()` whenever your workflow\n * allows (cron, manual \"tidy\" button, cold-storage export prep, …).\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope, SlotInfo } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport { encrypt } from '../crypto.js'\n\n// ─── Config types ───────────────────────────────────────────────────────\n\nexport interface BlobFieldPolicy<T = unknown> {\n  /**\n   * Age-based TTL in days. A slot whose `uploadedAt` is older than\n   * `now - retainDays × 86400s` evicts on the next `vault.compact()`.\n   * Omit to disable age-based eviction.\n   */\n  readonly retainDays?: number\n  /**\n   * Predicate evaluated against the decrypted record. When it returns\n   * `true`, every matching slot on that record evicts. Omit to\n   * disable predicate-based eviction.\n   */\n  readonly evictWhen?: (record: T) => boolean\n}\n\nexport type BlobFieldsConfig<T = unknown> = Record<string, BlobFieldPolicy<T>>\n\n// ─── Audit collection ──────────────────────────────────────────────────\n\nexport const BLOB_EVICTION_AUDIT_COLLECTION = '_blob_eviction_audit'\n\nexport interface BlobEvictionEntry {\n  readonly id: string\n  readonly collection: string\n  readonly recordId: string\n  readonly slotName: string\n  readonly blobHash: string\n  readonly reason: 'ttl' | 'predicate' | 'both'\n  readonly evictedAt: string\n  readonly actor: string\n}\n\n// ─── Compaction result ──────────────────────────────────────────────────\n\nexport interface CompactionResult {\n  /** Number of blob slots evicted across all collections. */\n  readonly evicted: number\n  /** Number of records touched (iterated + policy checked). */\n  readonly records: number\n  /** Number of collections with `blobFields` configured. */\n  readonly collections: number\n  /** Number of audit entries written. Equal to `evicted`. */\n  readonly auditEntries: number\n  /** Per-collection breakdown for diagnostics. */\n  readonly byCollection: Record<string, { records: number; evicted: number }>\n}\n\n// ─── Core ──────────────────────────────────────────────────────────────\n\nexport interface CompactRunOptions {\n  /** Override \"now\" for deterministic testing. */\n  readonly now?: Date\n  /**\n   * Stop after this many evictions. Useful for capped batches / cron\n   * jobs that need to fit in a time window. `undefined` = unbounded.\n   */\n  readonly maxEvictions?: number\n  /**\n   * Dry-run — evaluate policies and return the counts, but do NOT\n   * delete slots or write audit entries. Lets a consumer preview\n   * what would happen.\n   */\n  readonly dryRun?: boolean\n}\n\nexport interface CompactionContext {\n  readonly adapter: NoydbStore\n  readonly vault: string\n  readonly actor: string\n  readonly encrypted: boolean\n  readonly getDEK: (collection: string) => Promise<CryptoKey>\n  /**\n   * Resolve a collection's declared `blobFields` config. Returns an\n   * empty map for collections without the config — the walk skips\n   * those.\n   */\n  readonly getBlobFields: <T>(collection: string) => BlobFieldsConfig<T> | null\n  /** List collection names in the vault. */\n  readonly listCollections: () => Promise<string[]>\n  /** List record ids in a collection. */\n  readonly listRecords: (collection: string) => Promise<string[]>\n  /** Decrypt and return the record. Null when absent. */\n  readonly getRecord: <T>(collection: string, id: string) => Promise<T | null>\n  /** Return the BlobSet-like handle for a record's slots. */\n  readonly listSlots: (collection: string, id: string) => Promise<SlotInfo[]>\n  /** Delete a slot and decrement its blob's refCount. */\n  readonly deleteSlot: (collection: string, id: string, slotName: string) => Promise<void>\n}\n\nexport async function runCompaction(\n  ctx: CompactionContext,\n  options: CompactRunOptions = {},\n): Promise<CompactionResult> {\n  const now = options.now ?? new Date()\n  const maxEvictions = options.maxEvictions ?? Infinity\n  const dryRun = options.dryRun === true\n\n  const allCollections = await ctx.listCollections()\n  const byCollection: Record<string, { records: number; evicted: number }> = {}\n  let evicted = 0\n  let records = 0\n  let auditEntries = 0\n  let collectionsWithPolicy = 0\n\n  outer: for (const collectionName of allCollections) {\n    if (collectionName.startsWith('_')) continue\n    const config = ctx.getBlobFields(collectionName)\n    if (!config) continue\n    const configuredSlots = Object.keys(config)\n    if (configuredSlots.length === 0) continue\n    collectionsWithPolicy += 1\n    byCollection[collectionName] = { records: 0, evicted: 0 }\n\n    const ids = await ctx.listRecords(collectionName)\n    for (const recordId of ids) {\n      if (evicted >= maxEvictions) break outer\n\n      const record = await ctx.getRecord(collectionName, recordId).catch(() => null)\n      if (record === null) continue\n      records += 1\n      byCollection[collectionName].records += 1\n\n      const slots = await ctx.listSlots(collectionName, recordId).catch(() => [])\n      for (const slot of slots) {\n        if (evicted >= maxEvictions) break outer\n        const policy = config[slot.name]\n        if (!policy) continue\n\n        const reason = evaluatePolicy(policy, record, slot, now)\n        if (!reason) continue\n\n        if (!dryRun) {\n          await ctx.deleteSlot(collectionName, recordId, slot.name)\n          await writeAuditEntry(ctx, {\n            id: generateEvictionId(collectionName, recordId, slot.name),\n            collection: collectionName,\n            recordId,\n            slotName: slot.name,\n            blobHash: slot.eTag,\n            reason,\n            evictedAt: now.toISOString(),\n            actor: ctx.actor,\n          })\n          auditEntries += 1\n        }\n        evicted += 1\n        byCollection[collectionName].evicted += 1\n      }\n    }\n  }\n\n  return {\n    evicted,\n    records,\n    collections: collectionsWithPolicy,\n    auditEntries,\n    byCollection,\n  }\n}\n\nfunction evaluatePolicy<T>(\n  policy: BlobFieldPolicy<T>,\n  record: T,\n  slot: SlotInfo,\n  now: Date,\n): 'ttl' | 'predicate' | 'both' | null {\n  let ttlTriggered = false\n  let predicateTriggered = false\n\n  if (policy.retainDays !== undefined && policy.retainDays > 0) {\n    const uploadedAt = Date.parse(slot.uploadedAt)\n    if (Number.isFinite(uploadedAt)) {\n      const ageMs = now.getTime() - uploadedAt\n      const limitMs = policy.retainDays * 86_400_000\n      if (ageMs > limitMs) ttlTriggered = true\n    }\n  }\n\n  if (policy.evictWhen) {\n    try {\n      if (policy.evictWhen(record)) predicateTriggered = true\n    } catch {\n      // Predicate error → do NOT evict. Fail closed.\n    }\n  }\n\n  if (ttlTriggered && predicateTriggered) return 'both'\n  if (ttlTriggered) return 'ttl'\n  if (predicateTriggered) return 'predicate'\n  return null\n}\n\nfunction generateEvictionId(collection: string, recordId: string, slotName: string): string {\n  const rand = globalThis.crypto.getRandomValues(new Uint8Array(8))\n  let suffix = ''\n  for (const b of rand) suffix += b.toString(16).padStart(2, '0')\n  return `${collection}__${recordId}__${slotName}__${suffix}`\n}\n\nasync function writeAuditEntry(ctx: CompactionContext, entry: BlobEvictionEntry): Promise<void> {\n  const json = JSON.stringify(entry)\n  let envelope: EncryptedEnvelope\n  if (ctx.encrypted) {\n    const dek = await ctx.getDEK(BLOB_EVICTION_AUDIT_COLLECTION)\n    const { iv, data } = await encrypt(json, dek)\n    envelope = {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: entry.evictedAt,\n      _iv: iv,\n      _data: data,\n      _by: entry.actor,\n    }\n  } else {\n    envelope = {\n      _noydb: NOYDB_FORMAT_VERSION,\n      _v: 1,\n      _ts: entry.evictedAt,\n      _iv: '',\n      _data: json,\n      _by: entry.actor,\n    }\n  }\n  await ctx.adapter.put(ctx.vault, BLOB_EVICTION_AUDIT_COLLECTION, entry.id, envelope)\n}\n"],"mappings":";;;;;;;;AAgGO,IAAM,0BAAN,cAAsC,MAAM;AAAA,EACjD,YAAY,QAAgB;AAC1B,UAAM,wBAAwB,MAAM,EAAE;AACtC,SAAK,OAAO;AAAA,EACd;AACF;AAIO,IAAM,0BAA0B;AAmBhC,SAAS,wBACd,OACA,2BACA,eACA,YACA,SACmB;AACnB,MAAI,UAAU;AAEd,QAAM,QAAQ,MAAY;AACxB,cAAU;AAAA,EACZ;AAEA,MAAI,QAAQ,QAAQ;AAClB,QAAI,QAAQ,OAAO,QAAS,WAAU;AACtC,YAAQ,OAAO,iBAAiB,SAAS,MAAM;AAAE,gBAAU;AAAA,IAAK,CAAC;AAAA,EACnE;AAEA,WAAS,aAAmB;AAC1B,QAAI,QAAS,OAAM,IAAI,wBAAwB,mBAAmB;AAAA,EACpE;AAEA,QAAM,YAAY,QAAQ,cAAc,IAAI,IAAI,QAAQ,WAAW,IAAI;AAIvE,MAAI,eAAqC;AACzC,WAAS,iBAAgC;AACvC,QAAI,CAAC,cAAc;AACjB,qBAAe,WAAW;AAAA,QACxB,IAAI,gBAAgB;AAAA,QACpB,WAAW;AAAA,QACX;AAAA,QACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QAClC,aAAa,QAAQ,eAAe;AAAA,QACpC,WAAW,QAAQ,QAAQ,KAAK;AAAA,QAChC,aAAa,QAAQ,eAAe;AAAA,MACtC,CAAC;AAAA,IACH;AACA,WAAO;AAAA,EACT;AAEA,kBAAgB,WAAyC;AACvD,UAAM,eAAe;AACrB,eAAW;AAGX,UAAM,iBAAiB,MAAM,0BAA0B;AACvD,UAAM,UAAU,eAAe,OAAO,UAAQ;AAC5C,UAAI,KAAK,WAAW,GAAG,EAAG,QAAO;AACjC,UAAI,aAAa,CAAC,UAAU,IAAI,IAAI,EAAG,QAAO;AAC9C,aAAO;AAAA,IACT,CAAC;AAED,QAAI,kBAAkB,QAAQ,gBAAgB;AAE9C,eAAW,kBAAkB,SAAS;AACpC,UAAI,QAAS;AAEb,YAAM,OAAO,cAAuC,cAAc;AAClE,YAAM,UAAU,MAAM,KAAK,KAAK,EAAE,MAAM,MAAM,CAAC,CAAC;AAChD,iBAAW,UAAU,SAAS;AAC5B,YAAI,QAAS;AACb,mBAAW;AAEX,cAAM,UAAW,OAA4B;AAC7C,YAAI,OAAO,YAAY,SAAU;AAEjC,YAAI,QAAQ,SAAS,CAAC,QAAQ,MAAM,QAAQ,EAAE,YAAY,gBAAgB,IAAI,QAAQ,CAAC,EAAG;AAE1F,cAAM,UAAU,KAAK,KAAK,OAAO;AACjC,cAAM,QAAQ,MAAM,QAAQ,KAAK,EAAE,MAAM,MAAM,CAAC,CAAe;AAC/D,mBAAW,QAAQ,OAAO;AACxB,cAAI,QAAS;AAEb,cAAI,CAAC,iBAAiB;AACpB,gBAAI,KAAK,SAAS,QAAQ,aAAa;AACrC,gCAAkB;AAAA,YACpB;AACA;AAAA,UACF;AAEA,gBAAM,QAAQ,MAAM,QAAQ,IAAI,KAAK,IAAI;AACzC,cAAI,CAAC,MAAO;AAEZ,gBAAM,OAAqB;AAAA,YACzB,QAAQ,KAAK;AAAA,YACb,WAAW,EAAE,YAAY,gBAAgB,IAAI,SAAS,MAAM,KAAK,KAAK;AAAA,YACtE;AAAA,YACA,MAAM;AAAA,cACJ,MAAM,KAAK;AAAA,cACX,UAAU,KAAK;AAAA,cACf,GAAI,KAAK,aAAa,UAAa,EAAE,UAAU,KAAK,SAAS;AAAA,cAC7D,GAAI,KAAK,eAAe,UAAa,EAAE,WAAW,KAAK,WAAW;AAAA,YACpE;AAAA,UACF;AACA,gBAAM;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAA4B;AAAA,IAChC;AAAA,IACA,IAAI,UAAU;AAAE,aAAO;AAAA,IAAQ;AAAA,IAC/B,CAAC,OAAO,aAAa,GAAG,MAAM,SAAS;AAAA,EACzC;AACA,SAAO;AACT;AAIA,SAAS,kBAA0B;AAEjC,QAAM,MAAM,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAChE,MAAI,IAAI;AACR,aAAW,KAAK,IAAK,MAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AACxD,SAAO,SAAS,KAAK,IAAI,EAAE,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,GAAG,EAAE,CAAC;AAC3D;;;AC1LO,IAAM,iCAAiC;AAsE9C,eAAsB,cACpB,KACA,UAA6B,CAAC,GACH;AAC3B,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AACpC,QAAM,eAAe,QAAQ,gBAAgB;AAC7C,QAAM,SAAS,QAAQ,WAAW;AAElC,QAAM,iBAAiB,MAAM,IAAI,gBAAgB;AACjD,QAAM,eAAqE,CAAC;AAC5E,MAAI,UAAU;AACd,MAAI,UAAU;AACd,MAAI,eAAe;AACnB,MAAI,wBAAwB;AAE5B,QAAO,YAAW,kBAAkB,gBAAgB;AAClD,QAAI,eAAe,WAAW,GAAG,EAAG;AACpC,UAAM,SAAS,IAAI,cAAc,cAAc;AAC/C,QAAI,CAAC,OAAQ;AACb,UAAM,kBAAkB,OAAO,KAAK,MAAM;AAC1C,QAAI,gBAAgB,WAAW,EAAG;AAClC,6BAAyB;AACzB,iBAAa,cAAc,IAAI,EAAE,SAAS,GAAG,SAAS,EAAE;AAExD,UAAM,MAAM,MAAM,IAAI,YAAY,cAAc;AAChD,eAAW,YAAY,KAAK;AAC1B,UAAI,WAAW,aAAc,OAAM;AAEnC,YAAM,SAAS,MAAM,IAAI,UAAU,gBAAgB,QAAQ,EAAE,MAAM,MAAM,IAAI;AAC7E,UAAI,WAAW,KAAM;AACrB,iBAAW;AACX,mBAAa,cAAc,EAAE,WAAW;AAExC,YAAM,QAAQ,MAAM,IAAI,UAAU,gBAAgB,QAAQ,EAAE,MAAM,MAAM,CAAC,CAAC;AAC1E,iBAAW,QAAQ,OAAO;AACxB,YAAI,WAAW,aAAc,OAAM;AACnC,cAAM,SAAS,OAAO,KAAK,IAAI;AAC/B,YAAI,CAAC,OAAQ;AAEb,cAAM,SAAS,eAAe,QAAQ,QAAQ,MAAM,GAAG;AACvD,YAAI,CAAC,OAAQ;AAEb,YAAI,CAAC,QAAQ;AACX,gBAAM,IAAI,WAAW,gBAAgB,UAAU,KAAK,IAAI;AACxD,gBAAM,gBAAgB,KAAK;AAAA,YACzB,IAAI,mBAAmB,gBAAgB,UAAU,KAAK,IAAI;AAAA,YAC1D,YAAY;AAAA,YACZ;AAAA,YACA,UAAU,KAAK;AAAA,YACf,UAAU,KAAK;AAAA,YACf;AAAA,YACA,WAAW,IAAI,YAAY;AAAA,YAC3B,OAAO,IAAI;AAAA,UACb,CAAC;AACD,0BAAgB;AAAA,QAClB;AACA,mBAAW;AACX,qBAAa,cAAc,EAAE,WAAW;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,eACP,QACA,QACA,MACA,KACqC;AACrC,MAAI,eAAe;AACnB,MAAI,qBAAqB;AAEzB,MAAI,OAAO,eAAe,UAAa,OAAO,aAAa,GAAG;AAC5D,UAAM,aAAa,KAAK,MAAM,KAAK,UAAU;AAC7C,QAAI,OAAO,SAAS,UAAU,GAAG;AAC/B,YAAM,QAAQ,IAAI,QAAQ,IAAI;AAC9B,YAAM,UAAU,OAAO,aAAa;AACpC,UAAI,QAAQ,QAAS,gBAAe;AAAA,IACtC;AAAA,EACF;AAEA,MAAI,OAAO,WAAW;AACpB,QAAI;AACF,UAAI,OAAO,UAAU,MAAM,EAAG,sBAAqB;AAAA,IACrD,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,MAAI,gBAAgB,mBAAoB,QAAO;AAC/C,MAAI,aAAc,QAAO;AACzB,MAAI,mBAAoB,QAAO;AAC/B,SAAO;AACT;AAEA,SAAS,mBAAmB,YAAoB,UAAkB,UAA0B;AAC1F,QAAM,OAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,CAAC,CAAC;AAChE,MAAI,SAAS;AACb,aAAW,KAAK,KAAM,WAAU,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAC9D,SAAO,GAAG,UAAU,KAAK,QAAQ,KAAK,QAAQ,KAAK,MAAM;AAC3D;AAEA,eAAe,gBAAgB,KAAwB,OAAyC;AAC9F,QAAM,OAAO,KAAK,UAAU,KAAK;AACjC,MAAI;AACJ,MAAI,IAAI,WAAW;AACjB,UAAM,MAAM,MAAM,IAAI,OAAO,8BAA8B;AAC3D,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF,OAAO;AACL,eAAW;AAAA,MACT,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,MACP,KAAK,MAAM;AAAA,IACb;AAAA,EACF;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,gCAAgC,MAAM,IAAI,QAAQ;AACrF;","names":[]}

package/dist/chunk-PLI5TV7N.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/materialized-views/stale.ts"],"sourcesContent":["import type { Collection } from '../collection.js'\nimport type { TxContext } from '../tx/transaction.js'\nimport type { MaterializedViewRegistry } from './registry.js'\n// Type-only — runtime class loaded via dynamic import in\n// `resolveStaleMVOnRead` only when a stale flag actually fires.\n// Keeps the executor chunk out of the floor bundle (mirrors v1 #130).\nimport type { MaterializedViewExecutor as MVExecutorType } from './executor.js'\nimport type { MVQueryContext } from './types.js'\n\n/**\n * Accessor shape passed in from the owning Vault. Provides the\n * registry (used as a stable WeakMap key + to look up MVs by output\n * collection) and the runtime context the lazy refresh needs.\n * Mirrors v1's `DerivationStaleAccessor`.\n */\nexport interface MVStaleAccessor {\n  registry(): MaterializedViewRegistry\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  getCollection(name: string): Collection<any>\n  getActiveTxContext(): TxContext | null\n  getQueryContext(): MVQueryContext\n}\n\n/**\n * In-memory stale map keyed by `MaterializedViewRegistry` instance\n * (stable per vault). Each registry maps to a set of MV names that\n * have at least one pending source-change requiring a re-materialize.\n *\n * Persistence across vault close is NOT implemented in this iteration\n * (concern flagged in the v2 spec, mirrors v1 derivation behavior).\n * On vault re-open, the unset stale flag is interpreted as \"fresh\" —\n * `vault.refreshView(name)` is the explicit recompute escape hatch.\n *\n * @internal\n */\nconst _staleByRegistry = new WeakMap<MaterializedViewRegistry, Set<string>>()\n\n/**\n * Mark an MV as stale. Called from `Collection.dispatchMaterializedViews`\n * when a source-write fires for a `refresh: 'lazy'` MV.\n *\n * @internal\n */\nexport function markMVStale(registry: MaterializedViewRegistry, mvName: string): void {\n  let set = _staleByRegistry.get(registry)\n  if (!set) {\n    set = new Set()\n    _staleByRegistry.set(registry, set)\n  }\n  set.add(mvName)\n}\n\n/**\n * Test-only: check whether a given MV name is currently flagged stale\n * against a registry. Exported so the regression suite can pin the\n * stale-bit lifecycle without touching the internal `WeakMap`.\n *\n * @internal\n */\nexport function isMVStale(registry: MaterializedViewRegistry, mvName: string): boolean {\n  return _staleByRegistry.get(registry)?.has(mvName) ?? false\n}\n\n/**\n * Called from `Collection.get` (and any reader that materializes the\n * MV's output collection). If any MV producing `outputCollection` is\n * flagged stale, runs the executor against the live source state\n * before returning. No-op when there is no pending work — keeps the\n * read fast path negligible.\n *\n * Dynamic-imports the executor only when a stale flag actually fires\n * (the floor-bundle isolation pattern v1 derivations established in\n * #130).\n */\nexport async function resolveStaleMVOnRead(\n  accessor: MVStaleAccessor,\n  outputCollection: string,\n): Promise<void> {\n  const registry = accessor.registry()\n  const pending = _staleByRegistry.get(registry)\n  if (!pending || pending.size === 0) return\n\n  // Find every MV that writes to this output collection AND is\n  // currently flagged stale. Multiple MVs CAN share an output\n  // collection in theory; in practice the registration validation +\n  // cycle detection make this unusual.\n  const candidates: string[] = []\n  for (const mv of registry.all()) {\n    if (mv.outputCollection !== outputCollection) continue\n    if (!pending.has(mv.spec.name)) continue\n    candidates.push(mv.spec.name)\n  }\n  if (candidates.length === 0) return\n\n  let executor: typeof MVExecutorType | null = null\n  for (const name of candidates) {\n    const reg = registry.byName(name)\n    if (!reg) {\n      pending.delete(name)\n      continue\n    }\n    if (executor === null) {\n      ({ MaterializedViewExecutor: executor } = (await import('./executor.js')) as {\n        MaterializedViewExecutor: typeof MVExecutorType\n      })\n    }\n    await executor.refresh(reg, {\n      getCollection: (n) => accessor.getCollection(n),\n      getActiveTxContext: () => accessor.getActiveTxContext(),\n      getQueryContext: () => accessor.getQueryContext(),\n    })\n    pending.delete(name)\n  }\n}\n\n/**\n * Drop every stale flag for a registry. Used after a manual\n * `vault.refreshView(name)` runs the executor explicitly — the\n * post-refresh state matches the registered strategies, so\n * lingering stale bits would force a redundant refresh on the next\n * read.\n *\n * @internal\n */\nexport function clearMVStale(registry: MaterializedViewRegistry, mvName: string): void {\n  _staleByRegistry.get(registry)?.delete(mvName)\n}\n"],"mappings":";AAmCA,IAAM,mBAAmB,oBAAI,QAA+C;AAQrE,SAAS,YAAY,UAAoC,QAAsB;AACpF,MAAI,MAAM,iBAAiB,IAAI,QAAQ;AACvC,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,qBAAiB,IAAI,UAAU,GAAG;AAAA,EACpC;AACA,MAAI,IAAI,MAAM;AAChB;AASO,SAAS,UAAU,UAAoC,QAAyB;AACrF,SAAO,iBAAiB,IAAI,QAAQ,GAAG,IAAI,MAAM,KAAK;AACxD;AAaA,eAAsB,qBACpB,UACA,kBACe;AACf,QAAM,WAAW,SAAS,SAAS;AACnC,QAAM,UAAU,iBAAiB,IAAI,QAAQ;AAC7C,MAAI,CAAC,WAAW,QAAQ,SAAS,EAAG;AAMpC,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,SAAS,IAAI,GAAG;AAC/B,QAAI,GAAG,qBAAqB,iBAAkB;AAC9C,QAAI,CAAC,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAG;AAChC,eAAW,KAAK,GAAG,KAAK,IAAI;AAAA,EAC9B;AACA,MAAI,WAAW,WAAW,EAAG;AAE7B,MAAI,WAAyC;AAC7C,aAAW,QAAQ,YAAY;AAC7B,UAAM,MAAM,SAAS,OAAO,IAAI;AAChC,QAAI,CAAC,KAAK;AACR,cAAQ,OAAO,IAAI;AACnB;AAAA,IACF;AACA,QAAI,aAAa,MAAM;AACrB,OAAC,EAAE,0BAA0B,SAAS,IAAK,MAAM,OAAO,wBAAe;AAAA,IAGzE;AACA,UAAM,SAAS,QAAQ,KAAK;AAAA,MAC1B,eAAe,CAAC,MAAM,SAAS,cAAc,CAAC;AAAA,MAC9C,oBAAoB,MAAM,SAAS,mBAAmB;AAAA,MACtD,iBAAiB,MAAM,SAAS,gBAAgB;AAAA,IAClD,CAAC;AACD,YAAQ,OAAO,IAAI;AAAA,EACrB;AACF;AAWO,SAAS,aAAa,UAAoC,QAAsB;AACrF,mBAAiB,IAAI,QAAQ,GAAG,OAAO,MAAM;AAC/C;","names":[]}

package/dist/chunk-Q6W2CMEJ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/directory/storage.ts","../src/directory/visibility.ts","../src/validation.ts","../src/meta/user-envelope/types.ts","../src/meta/user-envelope/storage.ts","../src/team/keyring.ts"],"sourcesContent":["/**\n * Persistence helpers for the vault-level user-directory toggle\n * (`_meta/directory`). Mirrors the bypass-AES pattern used by\n * `_meta/policy` — the directory document is plain JSON, the\n * envelope's `_iv` field is left empty.\n *\n * @see docs/subsystems/user-envelope.md → Directory visibility\n * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { DirectoryConfig } from './types.js'\n\n/** Reserved collection name for vault-level metadata documents. */\nexport const META_COLLECTION = '_meta'\n/** Reserved id for the vault-level directory document. */\nexport const DIRECTORY_RECORD_ID = 'directory'\n\n/**\n * Read the directory toggle from `_meta/directory`. Returns `undefined`\n * when no document has been persisted — callers treat that as the\n * default-on case (`{ enabled: true }`).\n *\n * Tolerates corrupted documents the same way `_meta/policy` does: a\n * JSON parse failure surfaces as `undefined`, not a thrown error, so a\n * bad write never permanently breaks team enumeration.\n */\nexport async function readDirectoryConfig(\n  store: NoydbStore,\n  vault: string,\n): Promise<DirectoryConfig | undefined> {\n  const envelope = await store.get(vault, META_COLLECTION, DIRECTORY_RECORD_ID)\n  if (!envelope) return undefined\n  try {\n    const parsed = JSON.parse(envelope._data) as unknown\n    if (!isDirectoryConfig(parsed)) return undefined\n    return parsed\n  } catch {\n    return undefined\n  }\n}\n\n/**\n * Persist the directory toggle at `_meta/directory`. Idempotent — call\n * on every `db.setDirectoryEnabled()` invocation. Owner-only at the\n * caller site; this primitive does not check roles.\n */\nexport async function persistDirectoryConfig(\n  store: NoydbStore,\n  vault: string,\n  config: DirectoryConfig,\n): Promise<void> {\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify({ enabled: config.enabled }),\n  }\n  await store.put(vault, META_COLLECTION, DIRECTORY_RECORD_ID, envelope)\n}\n\nfunction isDirectoryConfig(x: unknown): x is DirectoryConfig {\n  if (x === null || typeof x !== 'object') return false\n  if (!('enabled' in x)) return false\n  return typeof (x as { enabled: unknown }).enabled === 'boolean'\n}\n","/**\n * Persistence helpers for the per-user visibility flag\n * (`_meta/visibility/<keyringId>`). Mirrors the bypass-AES pattern used\n * by `_meta/policy` — the visibility document is plain JSON, the\n * envelope's `_iv` field is left empty.\n *\n * Stored alongside the keyring file rather than inside the encrypted\n * user envelope (`_users/<keyringId>`) because:\n *\n *  - `UserEnvelope<T>.data` is opaque-to-hub by contract — hub does not\n *    introspect or reserve any keys inside it. Adding `hidden` there\n *    would violate that contract.\n *  - `listUsersWithEnvelopes` filters by the flag, and the filter must\n *    work even when decryption fails (legacy keyrings predating the\n *    envelope feature, or a corrupted envelope).\n *\n * @see docs/subsystems/user-envelope.md → Directory visibility\n * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UserVisibility } from './types.js'\nimport { META_COLLECTION } from './storage.js'\n\n/** Prefix for per-user visibility records inside `_meta`. */\nexport const VISIBILITY_RECORD_PREFIX = 'visibility/'\n\n/** Compose the `_meta` record id for a keyring's visibility doc. */\nexport function visibilityRecordId(keyringId: string): string {\n  return VISIBILITY_RECORD_PREFIX + keyringId\n}\n\n/**\n * Read the visibility flag for `keyringId`. Returns `undefined` when no\n * document has been persisted — callers treat that as the default-visible\n * case (`{ hidden: false }`).\n */\nexport async function readUserVisibility(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n): Promise<UserVisibility | undefined> {\n  const envelope = await store.get(vault, META_COLLECTION, visibilityRecordId(keyringId))\n  if (!envelope) return undefined\n  try {\n    const parsed = JSON.parse(envelope._data) as unknown\n    if (!isUserVisibility(parsed)) return undefined\n    return parsed\n  } catch {\n    return undefined\n  }\n}\n\n/**\n * Persist the visibility flag for `keyringId` at\n * `_meta/visibility/<keyringId>`. Idempotent — call on every\n * `vault.user.setMyVisibility()` invocation. Own-only at the caller\n * site; this primitive does not enforce keyring ownership.\n */\nexport async function persistUserVisibility(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n  visibility: UserVisibility,\n): Promise<void> {\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify({ hidden: visibility.hidden }),\n  }\n  await store.put(vault, META_COLLECTION, visibilityRecordId(keyringId), envelope)\n}\n\n/**\n * Delete the visibility flag for `keyringId`. Called from `revoke()`\n * alongside `deleteUserEnvelope` so the sidecar does not leak to a\n * re-granted principal with the same `userId`. Idempotent — the store's\n * `delete()` is already a no-op when the record is absent.\n */\nexport async function deleteUserVisibility(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n): Promise<void> {\n  await store.delete(vault, META_COLLECTION, visibilityRecordId(keyringId))\n}\n\nfunction isUserVisibility(x: unknown): x is UserVisibility {\n  if (x === null || typeof x !== 'object') return false\n  if (!('hidden' in x)) return false\n  return typeof (x as { hidden: unknown }).hidden === 'boolean'\n}\n","/**\n * Passphrase validation — phrase format (per the three-tier session-tiers\n * design, locked 2026-05-04).\n *\n * Passphrases are **phrases**: multiple simple words, easy to remember,\n * structurally constrained so a weak choice cannot silently collapse the\n * security floor. The format is intentionally narrow: lowercase letters\n * and single spaces only, no punctuation, no symbols, no digits.\n *\n * - Default minimum: 6 words (~77 bits with the 7,776-word EFF list).\n * - Strict minimum: 8 words (~103 bits).\n * - Per-word minimum: 3 characters (excludes \"a\", \"is\", \"of\").\n * - Adjacent repeats rejected (\"the the\").\n *\n * The hub runs validation default-on at every passphrase ingress\n * (`createOwnerKeyring`, `grant`, `rotatePassphrase`); test fixtures and\n * CLI scripts override via `{ allowWeakPassphrase: true }`.\n *\n * @module\n */\nimport { NoydbError, ValidationError } from './errors.js'\n\n/** All reasons a phrase can be rejected. */\nexport type WeakPassphraseReason =\n  | 'empty'\n  | 'invalid-chars'\n  | 'leading-or-trailing-space'\n  | 'double-space'\n  | 'too-few-words'\n  | 'word-too-short'\n  | 'repeated-adjacent'\n\n/** Per-vault knobs. Aligns with `VaultPolicy.passphrase`. */\nexport interface PassphrasePolicy {\n  /** Minimum number of words. Default 6. Strict policy uses 8. */\n  readonly minWords?: number\n  /** Minimum characters per word. Default 3. */\n  readonly minWordLength?: number\n  /** Reject adjacent identical words (\"the the\"). Default true. */\n  readonly rejectRepeatedAdjacent?: boolean\n  /**\n   * Override the default character-class rule (`/^[a-z]+( [a-z]+)*$/`).\n   *\n   * The hub's strict default is lowercase-letters-and-single-spaces\n   * because that's what the EFF wordlist generator emits and what\n   * most attacker password lists are keyed on. Use this knob to allow\n   * digits, uppercase, hyphens, or non-Latin scripts when the\n   * consumer's audience needs them — e.g.:\n   *\n   * ```ts\n   * // Thai + English mix with digits permitted\n   * pattern: /^[\\p{L}0-9 ]+( [\\p{L}0-9 ]+)*$/u\n   *\n   * // Allow uppercase + hyphens (passphrase-with-hyphens style)\n   * pattern: /^[A-Za-z]+([- ][A-Za-z]+)*$/\n   * ```\n   *\n   * The OTHER structural rules still apply (min-words split by space,\n   * min-word-length, repeated-adjacent, leading/trailing whitespace,\n   * double-space). For non-space-delimited word semantics, use\n   * {@link customValidator} instead.\n   *\n   * Added in pre.8 (#31).\n   */\n  readonly pattern?: RegExp\n  /**\n   * Replace ALL validation entirely with a custom function. When set,\n   * none of the other PassphrasePolicy fields apply — the consumer\n   * owns every rule (word splitting, character classes, entropy\n   * thresholds, allowlist/denylist). Use sparingly; this is the\n   * escape hatch for domain-specific phrase formats:\n   *\n   *   - Localized wordlists with non-space word boundaries\n   *   - BIP-39 seed phrases (24 words, fixed wordlist, etc.)\n   *   - Organization-specific HR password policies\n   *\n   * The returned `PassphraseValidationResult` is what\n   * {@link assertStrongPassphrase} dispatches on — `ok: true` accepts;\n   * `ok: false` throws `WeakPassphraseError` with the supplied reason.\n   *\n   * Added in pre.8 (#31).\n   */\n  readonly customValidator?: (phrase: string) => PassphraseValidationResult\n}\n\n/** Result of a check. Discriminated union — compile-time exhaustive. */\nexport type PassphraseValidationResult =\n  | { readonly ok: true; readonly words: number }\n  | {\n      readonly ok: false\n      readonly reason: WeakPassphraseReason\n      readonly minimum?: number\n      readonly got?: number\n    }\n\n/**\n * Thrown by `assertStrongPassphrase()` and by every hub ingress\n * point (`createOwnerKeyring`, `grant`, `rotatePassphrase`) when a\n * supplied phrase fails the structural rules above.\n */\nexport class WeakPassphraseError extends NoydbError {\n  readonly reason: WeakPassphraseReason\n  readonly suggestion: string\n  constructor(reason: WeakPassphraseReason, suggestion: string) {\n    super('WEAK_PASSPHRASE', `Weak passphrase (${reason}). ${suggestion}`)\n    this.name = 'WeakPassphraseError'\n    this.reason = reason\n    this.suggestion = suggestion\n  }\n}\n\nconst DEFAULT_MIN_WORDS = 6\nconst DEFAULT_MIN_WORD_LENGTH = 3\n\nconst SUGGESTIONS: Record<WeakPassphraseReason, string> = {\n  empty: 'Provide a phrase of at least 6 lowercase words separated by single spaces.',\n  'invalid-chars':\n    'Use only lowercase letters [a-z] and single spaces. No punctuation, symbols, digits, or uppercase.',\n  'leading-or-trailing-space': 'Trim leading and trailing spaces.',\n  'double-space': 'Use exactly one space between words.',\n  'too-few-words':\n    'Use at least 6 words by default (8 under strict policy). Example: \"correct horse battery staple printer toaster\".',\n  'word-too-short': 'Each word must be at least 3 characters. Drop short fillers like \"a\", \"is\", \"of\".',\n  'repeated-adjacent': 'Avoid repeating the same word twice in a row.',\n}\n\n/**\n * Inspect a phrase against the format rules and return a structured\n * verdict. Never throws — callers either branch on `ok` or pass the\n * result to {@link assertStrongPassphrase} for the throwing flavour.\n */\nexport function validatePassphrase(\n  s: string,\n  opts?: PassphrasePolicy,\n): PassphraseValidationResult {\n  // Escape hatch: customValidator owns the entire decision. None of\n  // the structural rules below run when this is set — the consumer is\n  // responsible for the full validation contract.\n  if (opts?.customValidator) {\n    return opts.customValidator(s)\n  }\n\n  const minWords = opts?.minWords ?? DEFAULT_MIN_WORDS\n  const minWordLength = opts?.minWordLength ?? DEFAULT_MIN_WORD_LENGTH\n  const rejectRepeated = opts?.rejectRepeatedAdjacent ?? true\n\n  if (s.length === 0) {\n    return { ok: false, reason: 'empty' }\n  }\n\n  if (s !== s.trim()) {\n    return { ok: false, reason: 'leading-or-trailing-space' }\n  }\n\n  if (s.includes('  ')) {\n    return { ok: false, reason: 'double-space' }\n  }\n\n  // The default character class is lowercase-letters-and-spaces;\n  // consumers can override via PassphrasePolicy.pattern (e.g. to\n  // allow digits, uppercase, or non-Latin scripts). Word splitting\n  // below remains space-based — for non-space word semantics the\n  // consumer should use customValidator instead.\n  const charPattern = opts?.pattern ?? /^[a-z]+( [a-z]+)*$/\n  if (!charPattern.test(s)) {\n    return { ok: false, reason: 'invalid-chars' }\n  }\n\n  const words = s.split(' ')\n\n  if (words.length < minWords) {\n    return { ok: false, reason: 'too-few-words', minimum: minWords, got: words.length }\n  }\n\n  for (const w of words) {\n    if (w.length < minWordLength) {\n      return { ok: false, reason: 'word-too-short', minimum: minWordLength, got: w.length }\n    }\n  }\n\n  if (rejectRepeated) {\n    for (let i = 1; i < words.length; i++) {\n      if (words[i] === words[i - 1]) {\n        return { ok: false, reason: 'repeated-adjacent' }\n      }\n    }\n  }\n\n  return { ok: true, words: words.length }\n}\n\n/**\n * Throw {@link WeakPassphraseError} when the phrase fails. Used by\n * `createOwnerKeyring`, `grant`, and `rotatePassphrase` at ingress.\n *\n * Pass `{ allowWeakPassphrase: true }` to bypass — intended for test\n * fixtures, CLI scripts, and dev environments. The override never\n * loosens the cryptographic key derivation; it only relaxes the\n * structural-strength gate.\n */\nexport function assertStrongPassphrase(\n  s: string,\n  opts?: PassphrasePolicy & { allowWeakPassphrase?: boolean },\n): void {\n  if (opts?.allowWeakPassphrase) return\n  const result = validatePassphrase(s, opts)\n  if (result.ok) return\n  throw new WeakPassphraseError(result.reason, SUGGESTIONS[result.reason])\n}\n\n/**\n * Estimate the entropy of a phrase, given the EFF 7,776-word list as\n * the assumed wordlist. ~12.9 bits per word.\n *\n * Returns 0 for any input that fails the phrase format — character-class\n * estimates aren't comparable to phrase entropy, and surfacing 0 makes\n * weak inputs visible in any UI that displays an entropy meter.\n */\nexport function estimateEntropy(passphrase: string): number {\n  const result = validatePassphrase(passphrase)\n  if (!result.ok) return 0\n  return Math.round(result.words * Math.log2(7776))\n}\n\n/**\n * Internal compatibility shim. Older code paths used the throwing\n * `validatePassphrase(s)` directly; some still do via re-exports. Routes\n * to the new `assertStrongPassphrase` so the contract holds for both\n * shapes during the transition. New code should call\n * {@link assertStrongPassphrase} directly.\n *\n * @internal\n */\nexport function legacyAssertPassphrase(s: string): void {\n  try {\n    assertStrongPassphrase(s)\n  } catch (err) {\n    if (err instanceof WeakPassphraseError) {\n      throw new ValidationError(err.message)\n    }\n    throw err\n  }\n}\n","/**\n * Type surface for the per-principal user envelope subsystem.\n *\n * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md\n *\n * @module\n */\nimport { NoydbError } from '../../errors.js'\n\n/**\n * Thin reader view of a user envelope. The on-disk shape is the standard\n * {@link import('../../types.js').EncryptedEnvelope}; this is what callers\n * see after the storage layer has decrypted the payload.\n *\n * Hub commits to the `keyringId` ⇔ `userId` identity and the `_v` / `_ts`\n * envelope metadata. The `data` payload is fully app-defined — hub does\n * not introspect, validate, or reserve any keys inside it.\n */\nexport interface UserEnvelope<T> {\n  /** The principal id this envelope belongs to. Equals the keyring `user_id`. */\n  readonly keyringId: string\n  /** App-owned payload. Opaque to hub. */\n  readonly data: T\n  /** Optimistic-concurrency version. Increments on every write. */\n  readonly _v: number\n  /** ISO timestamp of the last write. */\n  readonly _ts: string\n}\n\n/**\n * Soft cap on the JSON-serialized payload size. Generous (a typical\n * profile + preferences + small app annex is ~1 KiB); rejects accidental\n * \"stuff app state in here\" anti-patterns.\n */\nexport const USER_ENVELOPE_MAX_BYTES = 64 * 1024\n\n/**\n * Reserved store collection name for user envelopes. Starts with `_` so the\n * keyring grant machinery propagates the DEK to every granted user via the\n * existing system-collection DEK propagation path in `team/keyring.ts`.\n */\nexport const USER_ENVELOPE_COLLECTION = '_users'\n\n/**\n * Thrown when a user-envelope payload exceeds {@link USER_ENVELOPE_MAX_BYTES}\n * after JSON-serialization. The error carries the actual size so callers\n * can decide whether to trim or split.\n */\nexport class UserEnvelopeOversizedError extends NoydbError {\n  readonly bytes: number\n  readonly limit: number\n  constructor(bytes: number, limit: number = USER_ENVELOPE_MAX_BYTES) {\n    super(\n      'USER_ENVELOPE_OVERSIZED',\n      `User envelope payload is ${bytes} bytes; soft cap is ${limit} bytes. ` +\n        `Move large data into the vault's regular collections.`,\n    )\n    this.name = 'UserEnvelopeOversizedError'\n    this.bytes = bytes\n    this.limit = limit\n  }\n}\n","/**\n * Persistence helpers for per-principal user envelopes stored at\n * `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).\n *\n * Unlike `_meta/policy` and `_meta/handle` which are plaintext, user\n * envelopes carry user data and are encrypted with a dedicated\n * {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and\n * propagated to every keyring via the system-collection DEK path in\n * `team/keyring.ts`).\n *\n * This module is the **storage primitive** layer. The public API\n * (`vault.user.*`) sits on top of this; permission gates, own-only\n * write enforcement, and presence-channel propagation live there.\n *\n * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../types.js'\nimport { encrypt, decrypt } from '../../crypto.js'\nimport { ConflictError } from '../../errors.js'\nimport {\n  USER_ENVELOPE_COLLECTION,\n  USER_ENVELOPE_MAX_BYTES,\n  UserEnvelopeOversizedError,\n  type UserEnvelope,\n} from './types.js'\n\n/**\n * Read and decrypt the user envelope for `keyringId`. Returns `null`\n * when no envelope has been persisted (either the principal has never\n * called `updateMe`, or the keyring predates this feature).\n *\n * Decryption errors propagate — a tampered or wrong-keyed envelope\n * surfaces as the underlying crypto error rather than masquerading as\n * \"not found\".\n */\nexport async function loadUserEnvelope<T = unknown>(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n  dek: CryptoKey,\n): Promise<UserEnvelope<T> | null> {\n  const envelope = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId)\n  if (!envelope) return null\n  const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n  const data = JSON.parse(plaintext) as T\n  return {\n    keyringId,\n    data,\n    _v: envelope._v,\n    _ts: envelope._ts,\n  }\n}\n\n/**\n * Encrypt and persist the user envelope for `keyringId`. The new\n * version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable\n * optimistic-concurrency checks: a mismatch with the stored version\n * throws {@link ConflictError} with the actual stored version.\n *\n * `expectedVersion: 0` means \"expect no prior envelope\"; the write\n * succeeds only if no envelope exists yet.\n *\n * Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};\n * larger payloads throw {@link UserEnvelopeOversizedError}.\n */\nexport async function saveUserEnvelope<T>(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n  payload: T,\n  dek: CryptoKey,\n  expectedVersion?: number,\n): Promise<UserEnvelope<T>> {\n  const json = JSON.stringify(payload)\n  // TextEncoder counts bytes correctly for multi-byte UTF-8 (Thai text,\n  // emoji, etc.) — JSON.stringify().length would undercount.\n  const bytes = new TextEncoder().encode(json).byteLength\n  if (bytes > USER_ENVELOPE_MAX_BYTES) {\n    throw new UserEnvelopeOversizedError(bytes)\n  }\n\n  const prior = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId)\n  if (expectedVersion !== undefined) {\n    const priorVersion = prior?._v ?? 0\n    if (priorVersion !== expectedVersion) {\n      throw new ConflictError(\n        priorVersion,\n        `User envelope for \"${keyringId}\" expected version ${expectedVersion}, ` +\n          `actual ${priorVersion}`,\n      )\n    }\n  }\n\n  const nextVersion = (prior?._v ?? 0) + 1\n  const ts = new Date().toISOString()\n  const { iv, data } = await encrypt(json, dek)\n\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: nextVersion,\n    _ts: ts,\n    _iv: iv,\n    _data: data,\n  }\n  await store.put(vault, USER_ENVELOPE_COLLECTION, keyringId, envelope)\n\n  return {\n    keyringId,\n    data: payload,\n    _v: nextVersion,\n    _ts: ts,\n  }\n}\n\n/**\n * Delete the user envelope for `keyringId`. Idempotent — no error if\n * the envelope is already absent. Called from the keyring revoke path\n * (cascade-delete) and is a no-op for keyrings that never wrote.\n */\nexport async function deleteUserEnvelope(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n): Promise<void> {\n  await store.delete(vault, USER_ENVELOPE_COLLECTION, keyringId)\n}\n\n/**\n * List the keyring ids that have a user envelope persisted in `vault`.\n * Order is store-defined — callers that need a stable order should sort.\n */\nexport async function listUserEnvelopeIds(\n  store: NoydbStore,\n  vault: string,\n): Promise<string[]> {\n  return store.list(vault, USER_ENVELOPE_COLLECTION)\n}\n","import type { NoydbStore, KeyringFile, KeyringAuthenticator, Role, Permissions, GrantOptions, RevokeOptions, UpdateUserOptions, UserInfo, EncryptedEnvelope, ExportCapability, ExportFormat, ImportCapability, VaultPolicyOnDisk } from '../types.js'\nimport { NOYDB_KEYRING_VERSION, NOYDB_FORMAT_VERSION } from '../types.js'\nimport {\n  deriveKey,\n  generateDEK,\n  generateSalt,\n  wrapKey,\n  unwrapKey,\n  encrypt,\n  decrypt,\n  bufferToBase64,\n  base64ToBuffer,\n} from '../crypto.js'\nimport { NoAccessError, PermissionDeniedError, PrivilegeEscalationError, KeyringExpiredError, KeyringCorruptError, InvalidKeyError, ValidationError, DirectoryDisabledError } from '../errors.js'\nimport { readDirectoryConfig } from '../directory/storage.js'\nimport { readUserVisibility, deleteUserVisibility } from '../directory/visibility.js'\nimport { assertStrongPassphrase, type PassphrasePolicy } from '../validation.js'\nimport {\n  saveUserEnvelope,\n  loadUserEnvelope as loadUserEnvelopeFn,\n  deleteUserEnvelope,\n  USER_ENVELOPE_COLLECTION,\n  type UserEnvelope as UserEnvelopeReader,\n} from '../meta/user-envelope/index.js'\n\n// ─── Roles that can grant/revoke ───────────────────────────────────────\n\n/**\n * Roles that an `admin` is allowed to grant and revoke.\n *\n * Includes `'admin'` itself: the model bottlenecked all admin\n * onboarding through the single `owner` principal, which made lateral\n * delegation impossible and left a single-owner bus-factor risk\n * unresolved even when multiple trusted humans existed. opens up\n * admin↔admin lateral delegation, with two guardrails:\n *\n *   1. **No privilege escalation.** Enforced in `grant()`: every DEK\n *      wrapped into the new admin's keyring must be present in the\n *      grantor's own DEK set. Today this is structurally trivially\n *      true (admin grants always inherit the full caller DEK set),\n *      but the check is wired in so future per-collection admin scoping\n *      cannot accidentally bypass it. See `PrivilegeEscalationError`.\n *\n *   2. **Cascade on revoke.** Enforced in `revoke()`: when an admin is\n *      revoked, every admin they (transitively) granted is either\n *      revoked too (`cascade: 'strict'`, default) or left in place with\n *      a console warning (`cascade: 'warn'`). The walk uses the\n *      `granted_by` field on each keyring file as the parent pointer.\n */\nconst ADMIN_GRANTABLE_TARGETS: readonly Role[] = ['operator', 'viewer', 'client', 'admin']\n\nfunction canGrant(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\nfunction canRevoke(callerRole: Role, targetRole: Role): boolean {\n  if (targetRole === 'owner') return false // owner cannot be revoked\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n/**\n * Whether `callerRole` can mutate a keyring whose role is (or becomes)\n * `targetRole`. Used by `updateKeyringIdentity` (#54).\n *\n * Mirrors `canGrant`'s hierarchy: admins manage admin/operator/viewer/\n * client laterally; admins cannot create or destroy `owner`-shaped\n * keyrings. Owner can do anything.\n *\n * Both the OLD role and the NEW role must satisfy this check —\n * otherwise admin could elevate themselves (`admin → owner`) or demote\n * an owner (`owner → admin`) under cover of \"update.\"\n */\nfunction canUpdateRole(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n// ─── Unlocked Keyring ──────────────────────────────────────────────────\n\n/** In-memory representation of an unlocked keyring. */\nexport interface UnlockedKeyring {\n  readonly userId: string\n  readonly displayName: string\n  readonly role: Role\n  readonly permissions: Permissions\n  readonly deks: Map<string, CryptoKey>\n  /**\n   * The KEK, when this keyring was unlocked via tier 1 (passphrase) or\n   * a wrap-KEK tier-2 method (WebAuthn / OIDC). `null` when the\n   * keyring was opened via:\n   *\n   *   - Unencrypted mode (no KEK exists)\n   *   - Tier-3 PIN quick-resume (`@noy-db/on-pin`)\n   *   - Wrap-DEKs tier-2 unlock (`@noy-db/on-password`'s\n   *     `verifyPasswordSlot` after #26 Path C)\n   *   - Session-state restore (`session/session.ts`)\n   *   - Dev-unlock fixture (`session/dev-unlock.ts`)\n   *\n   * Consumers performing tier-1 operations that need the KEK\n   * (DEK rewrap, keyring persist, delegation issue/unwrap) must\n   * null-check and throw a clear error if absent — re-authenticate\n   * at tier 1 first to recover the KEK.\n   *\n   * Tightened from `CryptoKey` to `CryptoKey | null` in pre.8 (#41).\n   * The runtime contract has always allowed null; the type now\n   * matches reality.\n   */\n  readonly kek: CryptoKey | null\n  readonly salt: Uint8Array\n  /**\n   * `@noy-db/as-*` export capability. Absent when the\n   * keyring was written before this RFC landed — role-based defaults\n   * apply via `hasExportCapability`.\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * `@noy-db/as-*` import capability. Absent when the\n   * keyring was written before the import-capability extension\n   * landed — default-closed semantics\n   * apply via `hasImportCapability` (no plaintext format granted, no\n   * bundle import granted, regardless of role).\n   */\n  readonly importCapability?: ImportCapability\n  /**\n   * Tier-2 authenticator slots — readonly snapshot loaded from the\n   * keyring file. Mutations go through `enrollAuthenticator` /\n   * `removeAuthenticator` (issue #11), which write back via\n   * `persistKeyring`. Always defined; loads with an empty array for\n   * keyrings written before the multi-slot extension landed.\n   */\n  readonly authenticators: readonly KeyringAuthenticator[]\n  /**\n   * Reserved per-keyring policy override (forward-compat for Option C\n   * — see {@link VaultPolicyOnDisk}). v1.0 round-trips this field but\n   * never enforces it; the gate engine uses `_meta/policy` only.\n   */\n  readonly policy?: VaultPolicyOnDisk\n}\n\n// ─── Passphrase canary (#113) ──────────────────────────────────────────\n//\n// The canary is a fixed 256-bit AES-GCM key (32 zero bytes), wrapped\n// under the keyring's KEK with AES-KW. Because AES-KW is deterministic\n// (RFC 3394 fixed IV), wrapping the same constant under the same KEK\n// always yields the same ciphertext — so every write site can mint\n// fresh on each persist without round-tripping a `canary` field\n// through UnlockedKeyring.\n//\n// On load, the canary unwraps cleanly iff the KEK is correct AND the\n// canary bytes on disk are intact. Combined with each-DEK try/catch,\n// this distinguishes wrong-passphrase (canary fails AND every DEK fails)\n// from corruption (canary succeeds OR at least one DEK succeeds) —\n// closing the all-DEKs-corrupt and single-DEK ambiguities that the\n// pre-canary heuristic from #82 / #99 left open.\n\nconst CANARY_PLAINTEXT_BYTES = new Uint8Array(32)\nlet canaryKeyPromise: Promise<CryptoKey> | null = null\n\nfunction getCanaryKey(): Promise<CryptoKey> {\n  if (canaryKeyPromise === null) {\n    canaryKeyPromise = globalThis.crypto.subtle.importKey(\n      'raw',\n      CANARY_PLAINTEXT_BYTES as BufferSource,\n      { name: 'AES-GCM', length: 256 },\n      true, // extractable so AES-KW can wrap it\n      ['encrypt', 'decrypt'],\n    )\n  }\n  return canaryKeyPromise\n}\n\n/** Mint a fresh wrapped-canary string. Deterministic for a given KEK. */\nexport async function mintKeyringCanary(kek: CryptoKey): Promise<string> {\n  const canaryKey = await getCanaryKey()\n  return wrapKey(canaryKey, kek)\n}\n\n/** Try to unwrap the canary. Returns true iff KEK + canary bytes are intact. */\nasync function verifyKeyringCanary(wrappedCanary: string, kek: CryptoKey): Promise<boolean> {\n  try {\n    await unwrapKey(wrappedCanary, kek)\n    return true\n  } catch {\n    return false\n  }\n}\n\n// ─── Load / Create ─────────────────────────────────────────────────────\n\n/** Load and unlock a user's keyring for a vault. */\nexport async function loadKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  passphrase: string,\n): Promise<UnlockedKeyring> {\n  const envelope = await adapter.get(vault, '_keyring', userId)\n\n  if (!envelope) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\"`)\n  }\n\n  const keyringFile = JSON.parse(envelope._data) as KeyringFile\n\n  //  — refuse to unwrap an expired slot. Check happens before any\n  // KEK derivation so an expired slot doesn't leak timing on the\n  // passphrase. Comparison uses Date.parse → ms-since-epoch; an\n  // unparseable expires_at is treated as \"no expiry\" so a malformed\n  // value can't silently lock users out (it'll surface in tests).\n  if (keyringFile.expires_at !== undefined) {\n    const cutoff = Date.parse(keyringFile.expires_at)\n    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {\n      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at })\n    }\n  }\n\n  const salt = base64ToBuffer(keyringFile.salt)\n  const kek = await deriveKey(passphrase, salt)\n\n  // Verify the canary first when present. A canary success proves the\n  // KEK is correct independent of any DEK byte — so subsequent DEK\n  // unwrap failures are unambiguously corruption, not wrong-pass. A\n  // canary failure with at least one DEK success indicates the KEK\n  // is correct but the canary itself is corrupt. (#113)\n  // `null` sentinel = legacy keyring without canary; falls back to the\n  // multi-DEK heuristic from #82 / #99.\n  const canaryOk: boolean | null = keyringFile.canary !== undefined\n    ? await verifyKeyringCanary(keyringFile.canary, kek)\n    : null\n\n  // Unwrap each DEK independently — collect successes and failures.\n  const deks = new Map<string, CryptoKey>()\n  const failedCollections: string[] = []\n  let firstUnwrapError: unknown = null\n  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {\n    try {\n      const dek = await unwrapKey(wrappedDek, kek)\n      deks.set(collName, dek)\n    } catch (err) {\n      failedCollections.push(collName)\n      if (firstUnwrapError === null) firstUnwrapError = err\n    }\n  }\n\n  if (canaryOk === true) {\n    // KEK proven correct by the canary. Any DEK failure is corruption.\n    if (failedCollections.length > 0) {\n      throw new KeyringCorruptError({ failedCollections, intactCount: deks.size })\n    }\n  } else if (canaryOk === false) {\n    // Canary failed. If any DEK unwrapped, KEK is correct → canary bytes\n    // are corrupted (rare; reported under the '_canary' sentinel).\n    if (deks.size > 0) {\n      throw new KeyringCorruptError({\n        failedCollections: [...failedCollections, '_canary'],\n        intactCount: deks.size,\n      })\n    }\n    // Canary failed AND no DEK unwrapped — wrong KEK (or whole-file\n    // corruption). Surface the original InvalidKeyError so\n    // onInvalidKey: 'reset' can fire its documented recovery path.\n    throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError()\n  } else {\n    // Legacy keyring (no canary). Fall back to the multi-DEK heuristic.\n    if (failedCollections.length > 0) {\n      if (deks.size > 0) {\n        throw new KeyringCorruptError({ failedCollections, intactCount: deks.size })\n      }\n      throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError()\n    }\n  }\n\n  return {\n    userId: keyringFile.user_id,\n    displayName: keyringFile.display_name,\n    role: keyringFile.role,\n    permissions: keyringFile.permissions,\n    deks,\n    kek,\n    salt,\n    authenticators: keyringFile.authenticators ?? [],\n    ...(keyringFile.export_capability !== undefined && { exportCapability: keyringFile.export_capability }),\n    ...(keyringFile.import_capability !== undefined && { importCapability: keyringFile.import_capability }),\n    ...(keyringFile.policy !== undefined && { policy: keyringFile.policy }),\n  }\n}\n\n/**\n * Create the initial owner keyring for a new vault.\n *\n * Pass `{ validate: true }` (or a `PassphrasePolicy`) to gate creation\n * on the phrase-format strength rules — `Noydb` threads this from\n * `NoydbOptions.validatePassphrase`. Direct callers (CLI, scripts,\n * test fixtures) opt in explicitly.\n */\nexport async function createOwnerKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  passphrase: string,\n  passphraseOpts?: PassphrasePolicy & { validate?: boolean; allowWeakPassphrase?: boolean },\n): Promise<UnlockedKeyring> {\n  if (passphraseOpts?.validate && !passphraseOpts.allowWeakPassphrase) {\n    assertStrongPassphrase(passphrase, passphraseOpts)\n  }\n  const salt = generateSalt()\n  const kek = await deriveKey(passphrase, salt)\n\n  // Eager-provision the _users DEK at owner creation. This guarantees\n  // every subsequent grant inherits it via the existing\n  // collName.startsWith('_') propagation in grant() — so multi-principal\n  // user-envelope reads (alice reading bob's profile) work for new\n  // vaults without any per-keyring DEK rotation. Pre-existing vaults\n  // get the DEK lazily on first vault.user.* access (which only\n  // materializes a single-principal DEK that won't propagate\n  // retroactively — that's the documented \"lazy creation for\n  // pre-existing keyrings\" rollout note in the spec).\n  const userEnvelopeDek = await generateDEK()\n  const wrappedUserEnvelopeDek = await wrapKey(userEnvelopeDek, kek)\n  const canary = await mintKeyringCanary(kek)\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: userId,\n    display_name: userId,\n    role: 'owner',\n    permissions: {},\n    deks: { [USER_ENVELOPE_COLLECTION]: wrappedUserEnvelopeDek },\n    salt: bufferToBase64(salt),\n    created_at: new Date().toISOString(),\n    granted_by: userId,\n    canary,\n  }\n\n  await writeKeyringFile(adapter, vault, userId, keyringFile)\n\n  return {\n    userId,\n    displayName: userId,\n    role: 'owner',\n    permissions: {},\n    deks: new Map([[USER_ENVELOPE_COLLECTION, userEnvelopeDek]]),\n    kek,\n    salt,\n    authenticators: [],\n  }\n}\n\n// ─── Grant ─────────────────────────────────────────────────────────────\n\n/** Grant access to a new user. Caller must have grant privilege. */\nexport async function grant(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: GrantOptions,\n): Promise<void> {\n  if (!callerKeyring.kek) {\n    throw new ValidationError(\n      'grant: caller keyring has no KEK — tier-2 wrap-DEKs and tier-3 PIN-resume ' +\n        'sessions cannot grant access to other users. Re-authenticate at tier 1 ' +\n        '(passphrase) before granting.',\n    )\n  }\n\n  if (!canGrant(callerKeyring.role, options.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot grant role \"${options.role}\"`,\n    )\n  }\n\n  // Optional strength validation — opt-in via grant({ validatePassphrase: true })\n  // or via the calling Noydb's NoydbOptions.validatePassphrase flag.\n  // The override `allowWeakPassphrase: true` skips even when validate is on.\n  if (\n    (options as { validatePassphrase?: boolean }).validatePassphrase &&\n    !options.allowWeakPassphrase\n  ) {\n    assertStrongPassphrase(options.passphrase)\n  }\n\n  // Determine which collections the new user gets access to\n  const permissions = resolvePermissions(options.role, options.permissions)\n\n  // Derive the new user's KEK from their passphrase\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(options.passphrase, newSalt)\n\n  // Wrap the appropriate DEKs with the new user's KEK\n  const wrappedDeks: Record<string, string> = {}\n  for (const collName of Object.keys(permissions)) {\n    const dek = callerKeyring.deks.get(collName)\n    if (dek) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // For owner/admin/viewer roles, wrap ALL known DEKs\n  if (options.role === 'owner' || options.role === 'admin' || options.role === 'viewer') {\n    for (const [collName, dek] of callerKeyring.deks) {\n      if (!(collName in wrappedDeks)) {\n        wrappedDeks[collName] = await wrapKey(dek, newKek)\n      }\n    }\n  }\n\n  // For ALL roles, propagate system-prefixed collection DEKs\n  // (`_ledger`, `_history`, `_sync`, …). These are internal collections\n  // that any user with access to the vault must be able to\n  // read and write — for example, the hash-chained ledger writes\n  // an entry on every put/delete, so operators and clients with write\n  // access to a single data collection still need the `_ledger` DEK.\n  //\n  // Trade-off: a granted user can decrypt every system-collection\n  // entry, including ones they would not otherwise have access to\n  // (e.g., an operator on `invoices` can read ledger entries for\n  // mutations in `salaries`). This is a metadata leak, not a\n  // plaintext leak — the ledger entries record collection names,\n  // record ids, and ciphertext hashes, but never plaintext records.\n  // Per-collection ledger DEKs are tracked as a follow-up.\n  for (const [collName, dek] of callerKeyring.deks) {\n    if (collName.startsWith('_') && !(collName in wrappedDeks)) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // Anti-privilege-escalation check. Every DEK we just\n  // wrapped into the new keyring must come from the caller's own DEK\n  // set — the grantor cannot give the grantee access to a collection\n  // they themselves can't read. Today this is structurally trivially\n  // satisfied because every wrapped DEK was looked up in\n  // `callerKeyring.deks` above, but the explicit check is wired in\n  // so a future change (per-collection admin scoping, escrow-based\n  // re-wrapping, etc.) cannot accidentally let a widening grant\n  // through. See `PrivilegeEscalationError` for the rationale.\n  for (const collName of Object.keys(wrappedDeks)) {\n    if (!callerKeyring.deks.has(collName)) {\n      throw new PrivilegeEscalationError(collName)\n    }\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: options.userId,\n    display_name: options.displayName,\n    role: options.role,\n    permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: callerKeyring.userId,\n    canary,\n    ...(options.exportCapability !== undefined && { export_capability: options.exportCapability }),\n    ...(options.importCapability !== undefined && { import_capability: options.importCapability }),\n  }\n\n  await writeKeyringFile(adapter, vault, options.userId, keyringFile)\n\n  // User envelope bootstrap. Seeded with `options.initialProfile` if\n  // provided, otherwise an empty `{}`. Encrypted with the caller's\n  // _users DEK — which is the same DEK that was wrapped into the new\n  // keyring's `wrappedDeks[USER_ENVELOPE_COLLECTION]` above (system-\n  // collection propagation), so the new user can decrypt it on first\n  // open. Skipped silently if the caller has no _users DEK (pre-feature\n  // vault upgrade path — documented \"lazy creation for pre-existing\n  // keyrings\" in the spec).\n  const userEnvelopeDek = callerKeyring.deks.get(USER_ENVELOPE_COLLECTION)\n  if (userEnvelopeDek) {\n    const initialPayload = options.initialProfile ?? {}\n    await saveUserEnvelope(\n      adapter,\n      vault,\n      options.userId,\n      initialPayload,\n      userEnvelopeDek,\n    )\n  }\n}\n\n// ─── Revoke ────────────────────────────────────────────────────────────\n\n/**\n * Walk every keyring in the vault to find admins that the given\n * `rootUserId` (transitively) granted, via the `granted_by` parent\n * pointer recorded on each keyring file.\n *\n * Returns the set of descendant admin user-ids in DFS order, NOT\n * including the root itself. Non-admin descendants are excluded\n * because operators/viewers/clients cannot grant other users — they\n * are leaves in the delegation tree and cleaning them up is the\n * caller's job (or the next rotate, since they'd lose key access\n * anyway when the cascading admin's collections rotate).\n *\n * The walk uses a visited set keyed by user-id so cycles introduced\n * by re-grants (admin-A revoked, then re-granted later by admin-B who\n * was originally granted by A) terminate cleanly.\n */\nasync function findAdminDescendants(\n  adapter: NoydbStore,\n  vault: string,\n  rootUserId: string,\n): Promise<string[]> {\n  const allUserIds = await adapter.list(vault, '_keyring')\n\n  // Build a map: parentUserId → child KeyringFiles. We only ever\n  // descend into admins, so non-admin children are skipped at the\n  // edge level rather than after a recursive call.\n  const childrenByParent = new Map<string, string[]>()\n  for (const userId of allUserIds) {\n    const env = await adapter.get(vault, '_keyring', userId)\n    if (!env) continue\n    const kf = JSON.parse(env._data) as KeyringFile\n    if (kf.role !== 'admin') continue // only admins can grant — leaves are uninteresting\n    if (kf.user_id === rootUserId) continue // self-edges are noise\n    const list = childrenByParent.get(kf.granted_by) ?? []\n    list.push(kf.user_id)\n    childrenByParent.set(kf.granted_by, list)\n  }\n\n  const visited = new Set<string>()\n  const order: string[] = []\n  const stack: string[] = [...(childrenByParent.get(rootUserId) ?? [])]\n  while (stack.length > 0) {\n    const next = stack.pop()!\n    if (visited.has(next)) continue\n    visited.add(next)\n    order.push(next)\n    for (const grandchild of childrenByParent.get(next) ?? []) {\n      if (!visited.has(grandchild)) stack.push(grandchild)\n    }\n  }\n  return order\n}\n\n/** Revoke a user's access. Optionally rotate keys for affected collections. */\nexport async function revoke(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: RevokeOptions,\n): Promise<void> {\n  // Load the target's keyring to check their role\n  const targetEnvelope = await adapter.get(vault, '_keyring', options.userId)\n  if (!targetEnvelope) {\n    throw new NoAccessError(`User \"${options.userId}\" has no keyring in vault \"${vault}\"`)\n  }\n\n  const targetKeyring = JSON.parse(targetEnvelope._data) as KeyringFile\n\n  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot revoke role \"${targetKeyring.role}\"`,\n    )\n  }\n\n  // Cascade-on-revoke. Only meaningful when the target is\n  // an admin — operators/viewers/clients cannot grant other users so\n  // they have no delegation subtree to walk.\n  const cascadeMode = options.cascade ?? 'strict'\n  const usersToRevoke: string[] = [options.userId]\n  const affectedCollections = new Set(Object.keys(targetKeyring.deks))\n\n  if (targetKeyring.role === 'admin') {\n    const descendants = await findAdminDescendants(adapter, vault, options.userId)\n    if (descendants.length > 0) {\n      if (cascadeMode === 'warn') {\n        // Diagnostic mode: leave the descendants in place but make\n        // them visible. The owner / a different admin can clean up\n        // manually. The single console.warn is intentionally noisy\n        // (a list, not a count) so the operator sees exactly which\n        // keyrings will become orphans.\n        console.warn(\n          `[noy-db] revoke(${options.userId}): cascade='warn' — leaving ` +\n            `${descendants.length} descendant admin(s) in place: ` +\n            `${descendants.join(', ')}. These admins were granted by the revoked user ` +\n            `(transitively) and will become orphans in the delegation tree.`,\n        )\n      } else {\n        // Strict mode (default): pull every descendant into the\n        // revoke set. We collect their affected collections too so\n        // the single rotation pass at the end covers everything.\n        for (const userId of descendants) {\n          const descEnv = await adapter.get(vault, '_keyring', userId)\n          if (!descEnv) continue\n          const descKf = JSON.parse(descEnv._data) as KeyringFile\n          usersToRevoke.push(userId)\n          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c)\n        }\n      }\n    }\n  }\n\n  // Delete every keyring in the revoke set. Order doesn't matter\n  // because each keyring file is independent on disk; we don't have\n  // referential integrity to maintain across deletes.\n  for (const userId of usersToRevoke) {\n    await adapter.delete(vault, '_keyring', userId)\n    // Cascade-delete the principal's user envelope. Idempotent — no\n    // error when the envelope was never written (e.g. the user was\n    // granted but never authenticated to write their own profile).\n    await deleteUserEnvelope(adapter, vault, userId)\n    // Also drop the visibility sidecar at `_meta/visibility/<userId>`.\n    // If the same `userId` is re-granted later (rare for humans,\n    // possible for service accounts and test fixtures), the new\n    // principal must start with a fresh visibility state instead of\n    // silently inheriting the revoked user's `hidden` flag.\n    await deleteUserVisibility(adapter, vault, userId)\n  }\n\n  // Single rotation pass at the end. The cost is O(records in\n  // affected collections), NOT O(records × cascade depth) — every\n  // descendant's collections were unioned into `affectedCollections`\n  // before we got here, so the rotation re-encrypts each affected\n  // record exactly once regardless of how deep the cascade went.\n  if (options.rotateKeys !== false && affectedCollections.size > 0) {\n    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections])\n  }\n}\n\n// ─── Update User (#54) ─────────────────────────────────────────────────\n\n/**\n * Mutate `role`, `displayName`, and/or `permissions` on an existing\n * keyring. Pure plaintext-header rewrite — no DEK rewrap, no KEK\n * required, no authenticator slots touched. Tier-2 enrollments and\n * recovery codes survive the operation.\n *\n * Role-elevation guard: BOTH the old role AND the new role must\n * satisfy `canUpdateRole(callerRole, _)`. This blocks the two\n * privilege-escalation shapes:\n *   - admin elevates someone (or themselves) to owner\n *   - admin demotes an owner to a role they then control\n *\n * Owner is always allowed. Admin manages admin / operator / viewer /\n * client laterally.\n *\n * Identity preserved: same userId, same DEK wrappings. Last-write-wins\n * through the standard keyring put (same concurrency story as `grant`\n * and `revoke`).\n *\n * @throws `NoAccessError` when no keyring exists for the target.\n * @throws `PermissionDeniedError` when the role hierarchy rejects.\n * @throws `ValidationError` when the diff is empty (nothing to update).\n *\n * @see #54\n */\nexport async function updateKeyringIdentity(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: UpdateUserOptions,\n): Promise<void> {\n  if (\n    options.role === undefined &&\n    options.displayName === undefined &&\n    options.permissions === undefined\n  ) {\n    throw new ValidationError(\n      `updateUser: at least one of role / displayName / permissions must be provided ` +\n        `(userId: \"${options.userId}\").`,\n    )\n  }\n\n  const env = await adapter.get(vault, '_keyring', options.userId)\n  if (!env) {\n    throw new NoAccessError(\n      `updateUser: user \"${options.userId}\" has no keyring in vault \"${vault}\".`,\n    )\n  }\n  const target = JSON.parse(env._data) as KeyringFile\n\n  // Role-elevation guard. The OLD role must be one this caller is\n  // allowed to manage, AND the NEW role (if changing) must be too.\n  // Two-sided check: blocks admin→owner promotion (new side) and\n  // demoting an owner (old side).\n  if (!canUpdateRole(callerKeyring.role, target.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot update a keyring with role \"${target.role}\"`,\n    )\n  }\n  if (\n    options.role !== undefined &&\n    options.role !== target.role &&\n    !canUpdateRole(callerKeyring.role, options.role)\n  ) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot promote target to role \"${options.role}\"`,\n    )\n  }\n\n  const next: KeyringFile = {\n    ...target,\n    ...(options.role !== undefined && { role: options.role }),\n    ...(options.displayName !== undefined && {\n      // null clears the field (stored as \"\"); a string sets it.\n      display_name: options.displayName ?? '',\n    }),\n    ...(options.permissions !== undefined && { permissions: options.permissions }),\n  }\n\n  await writeKeyringFile(adapter, vault, options.userId, next)\n}\n\n// ─── Key Rotation ──────────────────────────────────────────────────────\n\n/**\n * Rotate DEKs for specified collections:\n * 1. Generate new DEKs\n * 2. Re-encrypt all records in affected collections\n * 3. Re-wrap new DEKs for all remaining users\n */\nexport async function rotateKeys(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  collections: string[],\n): Promise<void> {\n  // Generate new DEKs for each affected collection\n  const newDeks = new Map<string, CryptoKey>()\n  for (const collName of collections) {\n    newDeks.set(collName, await generateDEK())\n  }\n\n  // Re-encrypt all records in affected collections\n  for (const collName of collections) {\n    const oldDek = callerKeyring.deks.get(collName)\n    const newDek = newDeks.get(collName)!\n    if (!oldDek) continue\n\n    const ids = await adapter.list(vault, collName)\n    for (const id of ids) {\n      const envelope = await adapter.get(vault, collName, id)\n      if (!envelope || !envelope._iv) continue\n\n      // Decrypt with old DEK\n      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek)\n\n      // Re-encrypt with new DEK\n      const { iv, data } = await encrypt(plaintext, newDek)\n      const newEnvelope: EncryptedEnvelope = {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: envelope._v,\n        _ts: new Date().toISOString(),\n        _iv: iv,\n        _data: data,\n      }\n      await adapter.put(vault, collName, id, newEnvelope)\n    }\n  }\n\n  // Update caller's keyring with new DEKs\n  for (const [collName, newDek] of newDeks) {\n    callerKeyring.deks.set(collName, newDek)\n  }\n  await persistKeyring(adapter, vault, callerKeyring)\n\n  // Update all remaining users' keyrings with re-wrapped new DEKs\n  const userIds = await adapter.list(vault, '_keyring')\n  for (const userId of userIds) {\n    if (userId === callerKeyring.userId) continue\n\n    const userEnvelope = await adapter.get(vault, '_keyring', userId)\n    if (!userEnvelope) continue\n\n    const userKeyringFile = JSON.parse(userEnvelope._data) as KeyringFile\n    // Note: we can't derive other users' KEKs to re-wrap DEKs for them.\n    // Rotation requires users to re-unlock and be re-granted after the caller\n    // re-wraps with the raw DEKs held in memory. See rotation flow below.\n    // The trick: import the user's KEK from their salt? No — we need their passphrase.\n    //\n    // Per the spec: the caller (owner/admin) wraps the new DEKs with each remaining\n    // user's KEK. But we can't derive their KEK without their passphrase.\n    //\n    // Real solution from the spec: the caller wraps the DEK using the approach of\n    // reading each user's existing wrapping. Since we can't derive their KEK,\n    // we use a RE-KEYING approach: the new DEK is wrapped with a key-wrapping-key\n    // that we CAN derive — we use the existing wrapped DEK as proof that the user\n    // had access, and we replace it with the new wrapped DEK.\n    //\n    // Practical approach: Since the owner/admin has all raw DEKs in memory,\n    // and each user's keyring contains their salt, we need the users to\n    // re-authenticate to get the new wrapped keys. This is the standard approach.\n    //\n    // For NOYDB Phase 2: we'll update the keyring file to include a \"pending_rekey\"\n    // flag. Users will get new DEKs on next login when the owner provides them.\n    //\n    // SIMPLER approach used here: Since the owner performed the rotation,\n    // the owner has both old and new DEKs. We store a \"rekey token\" that the\n    // user can use to unwrap: we wrap the new DEK with the OLD DEK (which the\n    // user can still unwrap from their keyring, since their keyring has the old\n    // wrapped DEK and their KEK can unwrap it).\n\n    // Actually even simpler: we just need the user's KEK. We don't have it.\n    // The spec says the owner wraps new DEKs for each remaining user.\n    // This requires knowing each user's KEK (or having a shared secret).\n    //\n    // The CORRECT implementation from the spec: the owner/admin has all DEKs.\n    // Each user's keyring stores DEKs wrapped with THAT USER's KEK.\n    // To re-wrap, we need each user's KEK — which we can't get.\n    //\n    // Real-world solution: use a KEY ESCROW approach where the owner stores\n    // each user's wrapping key (not their passphrase, but a key derived from\n    // the grant process). During grant, the owner stores a copy of the new user's\n    // KEK (wrapped with the owner's KEK) so they can re-wrap later.\n    //\n    // For now: mark the user's keyring as needing rekey. The user will need to\n    // re-authenticate (owner provides new passphrase or re-grants).\n\n    // Update: simplest correct approach — during grant, we store the user's KEK\n    // wrapped with the owner's KEK in a separate escrow field. Then during rotation,\n    // the owner unwraps the user's KEK from escrow and wraps the new DEKs.\n    //\n    // BUT: that means we need to change the KeyringFile format.\n    // For Phase 2 MVP: just delete the user's old DEK entries and require re-grant.\n    // This is secure (revoked keys are gone) but inconvenient (remaining users\n    // need re-grant for rotated collections).\n\n    // PHASE 2 APPROACH: Remove the affected collection DEKs from remaining users'\n    // keyrings. The owner must re-grant access to those collections.\n    // This is correct and secure — just requires the owner to re-run grant().\n\n    const updatedDeks = { ...userKeyringFile.deks }\n    for (const collName of collections) {\n      delete updatedDeks[collName]\n    }\n\n    const updatedPermissions = { ...userKeyringFile.permissions }\n    for (const collName of collections) {\n      delete updatedPermissions[collName]\n    }\n\n    const updatedKeyring: KeyringFile = {\n      ...userKeyringFile,\n      deks: updatedDeks,\n      permissions: updatedPermissions,\n    }\n\n    await writeKeyringFile(adapter, vault, userId, updatedKeyring)\n  }\n}\n\n// ─── Change Secret ─────────────────────────────────────────────────────\n\n/**\n * Change the user's passphrase. Re-wraps every DEK under the new KEK.\n *\n * Validates the new passphrase against the strength rules unless\n * `allowWeakPassphrase: true` is passed. Mirrors `rotatePassphrase`'s\n * default-on validation contract.\n *\n * `db.rotatePassphrase()` adds a `checkGate('rotate-passphrase')` step\n * on top of this primitive and additionally requires the OLD passphrase\n * for re-derivation; `changeSecret` reuses the cached unlocked KEK so\n * the OLD passphrase is not retyped.\n */\nexport async function changeSecret(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  newPassphrase: string,\n  passphraseOpts?: PassphrasePolicy & { allowWeakPassphrase?: boolean },\n): Promise<UnlockedKeyring> {\n  if (!passphraseOpts?.allowWeakPassphrase) {\n    assertStrongPassphrase(newPassphrase, passphraseOpts)\n  }\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(newPassphrase, newSalt)\n\n  // Re-wrap all DEKs with the new KEK\n  const wrappedDeks: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    wrappedDeks[collName] = await wrapKey(dek, newKek)\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: keyring.userId,\n    display_name: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: keyring.userId,\n    canary,\n  }\n\n  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile)\n\n  return {\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: keyring.deks, // Same DEKs, different wrapping\n    kek: newKek,\n    salt: newSalt,\n    // Tier-2 slots are NOT preserved through `changeSecret` —\n    // each slot wraps the OLD KEK, so the new keyring has no\n    // authenticator slots until the user re-enrolls. The higher-level\n    // `db.rotatePassphrase()` (#10) preserves slots by rewrapping the\n    // KEK reference, not the KEK itself.\n    authenticators: [],\n    ...(keyring.policy !== undefined && { policy: keyring.policy }),\n  }\n}\n\n// ─── Bundle recipients ──────────────────────────────────────────\n\n/**\n * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its\n * own keyring file inside the bundle, sealed with its own passphrase.\n * Same role/permission semantics as `db.grant()` but no adapter side\n * effect — the slot only exists inside the bundle bytes.\n *\n * @public\n */\nexport interface BundleRecipient {\n  /** User id stamped onto the keyring file in the bundle. */\n  readonly id: string\n  /** Optional display name. Defaults to `id`. */\n  readonly displayName?: string\n  /** Passphrase the recipient will type to unlock. */\n  readonly passphrase: string\n  /** Role on the destination vault. Defaults to `'viewer'`. */\n  readonly role?: Role\n  /**\n   * Per-collection permissions. When omitted, role defaults apply.\n   * Restricting permissions here ALSO restricts which DEKs are wrapped\n   * into the slot — a slot with `{ invoices: 'ro' }` cannot decrypt\n   * other collections even though their ciphertext sits in the bundle.\n   */\n  readonly permissions?: Permissions\n  /**\n   * Optional `as-*` export grants on the destination vault.\n   * Mirrors the `exportCapability` field on a live keyring.\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * Optional `as-*` import grants on the destination vault.\n   * Mirrors the `importCapability` field on a live keyring.\n   * Default-closed: no plaintext format granted, no bundle import.\n   */\n  readonly importCapability?: ImportCapability\n  /**\n   * Optional bundle-slot expiry. ISO-8601 timestamp; past the\n   * cutoff this slot's keyring refuses to load with\n   * `KeyringExpiredError`. Time-boxed audit access pattern: \"this\n   * slot works for 30 days then becomes opaque to its holder.\"\n   */\n  readonly expiresAt?: string\n}\n\n/**\n * Build a `KeyringFile` for one bundle recipient, given the source\n * vault's unwrapped DEKs. Mirrors `grant()` minus the adapter write —\n * the produced file is meant to be embedded in the bundle's\n * `keyrings` map, never persisted to the source vault.\n *\n * Privilege-escalation check still runs: every DEK wrapped into the\n * recipient's keyring must come from the source's own DEK set.\n *\n * @internal\n */\nexport async function buildRecipientKeyringFile(\n  callerKeyring: UnlockedKeyring,\n  recipient: BundleRecipient,\n): Promise<KeyringFile> {\n  if (!callerKeyring.kek) {\n    throw new ValidationError(\n      'buildRecipientKeyringFile: caller keyring has no KEK — tier-2 wrap-DEKs ' +\n        'and tier-3 PIN-resume sessions cannot create bundle recipients. ' +\n        'Re-authenticate at tier 1 (passphrase) before building a bundle.',\n    )\n  }\n\n  const role: Role = recipient.role ?? 'viewer'\n  const permissions = resolvePermissions(role, recipient.permissions)\n\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(recipient.passphrase, newSalt)\n\n  const wrappedDeks: Record<string, string> = {}\n\n  // Collections the recipient was explicitly granted permission to.\n  for (const collName of Object.keys(permissions)) {\n    const dek = callerKeyring.deks.get(collName)\n    if (dek) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // owner / admin / viewer: wrap every known DEK (matches grant).\n  if (role === 'owner' || role === 'admin' || role === 'viewer') {\n    for (const [collName, dek] of callerKeyring.deks) {\n      if (!(collName in wrappedDeks)) {\n        wrappedDeks[collName] = await wrapKey(dek, newKek)\n      }\n    }\n  }\n\n  // Always propagate system-prefixed collection DEKs (`_ledger`, etc.) —\n  // the recipient needs them to verify the bundle on import.\n  for (const [collName, dek] of callerKeyring.deks) {\n    if (collName.startsWith('_') && !(collName in wrappedDeks)) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // Anti-privilege-escalation: every wrapped DEK must come from the\n  // caller's own DEK set. Belt-and-braces with the lookups above.\n  for (const collName of Object.keys(wrappedDeks)) {\n    if (!callerKeyring.deks.has(collName)) {\n      throw new PrivilegeEscalationError(collName)\n    }\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  return {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: recipient.id,\n    display_name: recipient.displayName ?? recipient.id,\n    role,\n    permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: callerKeyring.userId,\n    canary,\n    ...(recipient.exportCapability !== undefined\n      ? { export_capability: recipient.exportCapability }\n      : {}),\n    ...(recipient.importCapability !== undefined\n      ? { import_capability: recipient.importCapability }\n      : {}),\n    ...(recipient.expiresAt !== undefined\n      ? { expires_at: recipient.expiresAt }\n      : {}),\n  }\n}\n\n// ─── List Users ────────────────────────────────────────────────────────\n\n/** List all users with access to a vault. */\nexport async function listUsers(\n  adapter: NoydbStore,\n  vault: string,\n): Promise<UserInfo[]> {\n  const userIds = await adapter.list(vault, '_keyring')\n  const users: UserInfo[] = []\n\n  for (const userId of userIds) {\n    const envelope = await adapter.get(vault, '_keyring', userId)\n    if (!envelope) continue\n    const kf = JSON.parse(envelope._data) as KeyringFile\n    users.push({\n      userId: kf.user_id,\n      displayName: kf.display_name,\n      role: kf.role,\n      permissions: kf.permissions,\n      createdAt: kf.created_at,\n      grantedBy: kf.granted_by,\n    })\n  }\n\n  return users\n}\n\n/**\n * Optional filter knobs for {@link listUsersWithEnvelopes}.\n *\n * - `includeHidden` — when true, principals with `_meta/visibility/<id>`\n *   set to `{ hidden: true }` are returned alongside everyone else.\n *   Requires `owner` or `admin` callerRole; lower roles get\n *   {@link import('../errors.js').PermissionDeniedError}.\n */\nexport interface ListUsersOptions {\n  readonly includeHidden?: boolean\n}\n\n/**\n * Joined enumeration: every keyring + its `_users/<keyringId>`\n * envelope side by side. Convenience for admin UIs that want to\n * render team-member lists with profile data (\"Bob — operator —\n * 'Bob the Auditor' avatar X locale fr-FR\") in a single pass.\n *\n * `userEnvelopeDek` is the vault's `_users` collection DEK\n * (`vault.getDEK('_users')`); used to decrypt every envelope.\n *\n * `callerRole` (#122) drives the directory-visibility checks:\n *\n *  - When the vault's `_meta/directory` document has `enabled: false`,\n *    only `owner` and `admin` callers may enumerate; anyone else gets\n *    {@link import('../errors.js').DirectoryDisabledError}.\n *  - Principals with `_meta/visibility/<id>` set to `{ hidden: true }`\n *    are filtered out by default. `owner`/`admin` callers can pass\n *    `{ includeHidden: true }` to see them; lower roles passing that\n *    option get `PermissionDeniedError`.\n *\n * Honest caveat (#122): these filters are a UX hint, not a security\n * boundary. The keyring file is still listed at `_keyring/*` and the\n * envelope ciphertext at `_users/*`. A caller with direct store access\n * — or a caller that calls this function with `callerRole: 'owner'`\n * unconditionally — sees every principal. The protection is only as\n * strong as the role the calling layer passes in. The hub-level wrapper\n * on `Vault` sources `callerRole` from the unlocked keyring's `role`\n * field, which is signed-by-construction (it lives in the user's own\n * keyring file). See `docs/subsystems/user-envelope.md` →\n * \"Directory visibility\".\n *\n * Principals without a persisted envelope (legacy keyrings predating\n * the user-envelope feature) come back with `envelope: null`. The\n * caller chooses how to render — usually \"fall back to keyring's\n * `displayName`\".\n *\n * Order matches `listUsers()` (store-defined; sort if you need a\n * stable display order).\n */\nexport async function listUsersWithEnvelopes<T = unknown>(\n  adapter: NoydbStore,\n  vault: string,\n  userEnvelopeDek: CryptoKey,\n  callerRole: Role,\n  options: ListUsersOptions = {},\n): Promise<Array<{ user: UserInfo; envelope: UserEnvelopeReader<T> | null }>> {\n  const isPrivileged = callerRole === 'owner' || callerRole === 'admin'\n\n  // 1. Vault-level directory toggle.\n  const dirConfig = await readDirectoryConfig(adapter, vault)\n  if (dirConfig?.enabled === false && !isPrivileged) {\n    throw new DirectoryDisabledError(vault)\n  }\n\n  // 2. `includeHidden` requires admin/owner.\n  if (options.includeHidden && !isPrivileged) {\n    throw new PermissionDeniedError(\n      'Permission denied — listUsersWithEnvelopes({ includeHidden: true }) requires owner or admin role',\n    )\n  }\n\n  const users = await listUsers(adapter, vault)\n  const out: Array<{ user: UserInfo; envelope: UserEnvelopeReader<T> | null }> = []\n  for (const user of users) {\n    if (!options.includeHidden) {\n      const visibility = await readUserVisibility(adapter, vault, user.userId)\n      if (visibility?.hidden) continue\n    }\n    const envelope = await loadUserEnvelopeFn<T>(\n      adapter,\n      vault,\n      user.userId,\n      userEnvelopeDek,\n    )\n    out.push({ user, envelope })\n  }\n  return out\n}\n\n\n// ─── DEK Management ────────────────────────────────────────────────────\n\n/** Ensure a DEK exists for a collection. Generates one if new. */\nexport async function ensureCollectionDEK(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<(collectionName: string) => Promise<CryptoKey>> {\n  // Dedupe concurrent first-time DEK creates per collection. Without\n  // this, two concurrent `getDEK('foo')` calls both pass the `existing`\n  // check (the Map is empty), both generate fresh DEKs, and the second\n  // `set` overwrites the first — making any envelope encrypted with\n  // the discarded DEK fail to decrypt later (TamperedError on read).\n  // Pre-existing race exposed by the multi-writer ledger work in #296.\n  const inFlight = new Map<string, Promise<CryptoKey>>()\n  return async (collectionName: string): Promise<CryptoKey> => {\n    const existing = keyring.deks.get(collectionName)\n    if (existing) return existing\n    const pending = inFlight.get(collectionName)\n    if (pending) return pending\n\n    const promise = (async () => {\n      const dek = await generateDEK()\n      keyring.deks.set(collectionName, dek)\n      await persistKeyring(adapter, vault, keyring)\n      return dek\n    })()\n    inFlight.set(collectionName, promise)\n    try {\n      return await promise\n    } finally {\n      inFlight.delete(collectionName)\n    }\n  }\n}\n\n// ─── Permission Checks ─────────────────────────────────────────────────\n\n/** Check if a user has write permission for a collection. */\nexport function hasWritePermission(keyring: UnlockedKeyring, collectionName: string): boolean {\n  if (keyring.role === 'owner' || keyring.role === 'admin') return true\n  if (keyring.role === 'viewer' || keyring.role === 'client') return false\n  return keyring.permissions[collectionName] === 'rw'\n}\n\n/** Check if a user has any access to a collection. */\nexport function hasAccess(keyring: UnlockedKeyring, collectionName: string): boolean {\n  if (keyring.role === 'owner' || keyring.role === 'admin' || keyring.role === 'viewer') return true\n  return collectionName in keyring.permissions\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/** Persist a keyring file to the adapter. */\nexport async function persistKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<void> {\n  if (!keyring.kek) {\n    throw new ValidationError(\n      'persistKeyring: keyring.kek is null — cannot wrap DEKs without the KEK. ' +\n        'This typically means the keyring was opened via tier-3 PIN resume, ' +\n        'session restore, or a wrap-DEKs tier-2 unlock. Re-authenticate at ' +\n        'tier 1 (passphrase) before persisting.',\n    )\n  }\n  const wrappedDeks: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    wrappedDeks[collName] = await wrapKey(dek, keyring.kek)\n  }\n  const canary = await mintKeyringCanary(keyring.kek)\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: keyring.userId,\n    display_name: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(keyring.salt),\n    created_at: new Date().toISOString(),\n    granted_by: keyring.userId,\n    canary,\n    ...(keyring.exportCapability !== undefined && { export_capability: keyring.exportCapability }),\n    ...(keyring.importCapability !== undefined && { import_capability: keyring.importCapability }),\n    ...(keyring.authenticators.length > 0 && { authenticators: keyring.authenticators }),\n    ...(keyring.policy !== undefined && { policy: keyring.policy }),\n  }\n\n  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile)\n}\n\n// ─── Export capability ──────────────────────────────────────\n\n/**\n * Role-based default policy for the encrypted-bundle capability.\n *\n * Applied when `keyring.exportCapability` is absent or\n * `exportCapability.bundle` is undefined:\n *\n * - `owner` / `admin` → `true` (happy-path backup without friction)\n * - `operator` / `viewer` / `client` → `false` (explicit grant required)\n *\n * Rationale: a bundle is inert without the KEK, so an owner backing up\n * their own vault doesn't need friction; a non-admin role producing a\n * bundle for an external party does, because the bundle outlives\n * keyring revocation.\n */\nfunction defaultBundleCapability(role: Role): boolean {\n  return role === 'owner' || role === 'admin'\n}\n\n/**\n * Check whether a keyring is authorised for a given `@noy-db/as-*`\n * export tier.\n *\n * - `tier: 'plaintext'` — returns true iff `exportCapability.plaintext`\n *   contains the requested `format` or the `'*'` wildcard. Default for\n *   every role is empty — no grant, no plaintext export.\n * - `tier: 'bundle'` — returns `exportCapability.bundle` if present, or\n *   the role-based default otherwise (owner/admin → true, else false).\n *\n * `@noy-db/as-*` packages MUST call this before invoking the underlying\n * export primitive. Rogue forks that skip the check are caught by code\n * review — the single-entry-point contract is a convention, not a\n * runtime invariant. Vault-level gated wrappers\n * (`vault.exportRecords` / `exportBlobs` / `writeBundle`) will land in a\n * follow-up PR to enforce at the primitive level.\n */\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'bundle',\n): boolean\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  const cap = keyring.exportCapability\n  if (tier === 'plaintext') {\n    const allowed = cap?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  // tier === 'bundle'\n  return cap?.bundle ?? defaultBundleCapability(keyring.role)\n}\n\n/**\n * Same-shape inspector for an `ExportCapability` value that isn't yet\n * attached to a keyring (e.g. for previewing a grant before applying).\n * Role must be supplied separately so bundle defaults can be computed.\n */\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'bundle',\n): boolean\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  if (tier === 'plaintext') {\n    const allowed = capability?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  return capability?.bundle ?? defaultBundleCapability(role)\n}\n\n// ─── Import capability (issue ) ────────────────────────────────────\n\n/**\n * Check whether a keyring is authorised for a given `@noy-db/as-*`\n * import tier (issue ).\n *\n * - `tier: 'plaintext'` — true iff `importCapability.plaintext`\n *   contains the requested `format` or the `'*'` wildcard.\n * - `tier: 'bundle'` — true iff `importCapability.bundle === true`.\n *\n * **Default-closed for every role on every dimension** — including\n * owner. Import is more dangerous than export (corrupts vs leaks), so\n * the policy refuses to assume intent. Owners must positively grant\n * the capability via `vault.grant({ importCapability: ... })`.\n */\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'bundle',\n): boolean\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  const cap = keyring.importCapability\n  if (tier === 'plaintext') {\n    const allowed = cap?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  // tier === 'bundle' — closed default for every role\n  return cap?.bundle === true\n}\n\n/**\n * Same-shape inspector for an `ImportCapability` value that isn't yet\n * attached to a keyring (e.g. previewing a grant before applying).\n * `role` is accepted for symmetry with `evaluateExportCapability` even\n * though the import policy ignores it — bundle defaults are\n * role-agnostic and closed.\n */\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  role: Role,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  role: Role,\n  tier: 'bundle',\n): boolean\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  _role: Role,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  if (tier === 'plaintext') {\n    const allowed = capability?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  return capability?.bundle === true\n}\n\nfunction resolvePermissions(role: Role, explicit?: Permissions): Permissions {\n  if (role === 'owner' || role === 'admin' || role === 'viewer') return {}\n  return explicit ?? {}\n}\n\nasync function writeKeyringFile(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  keyringFile: KeyringFile,\n): Promise<void> {\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(keyringFile),\n  }\n  await adapter.put(vault, '_keyring', userId, envelope)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgBO,IAAM,kBAAkB;AAExB,IAAM,sBAAsB;AAWnC,eAAsB,oBACpB,OACA,OACsC;AACtC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,iBAAiB,mBAAmB;AAC5E,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,SAAS,KAAK;AACxC,QAAI,CAAC,kBAAkB,MAAM,EAAG,QAAO;AACvC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAOA,eAAsB,uBACpB,OACA,OACA,QACe;AACf,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,EAAE,SAAS,OAAO,QAAQ,CAAC;AAAA,EACnD;AACA,QAAM,MAAM,IAAI,OAAO,iBAAiB,qBAAqB,QAAQ;AACvE;AAEA,SAAS,kBAAkB,GAAkC;AAC3D,MAAI,MAAM,QAAQ,OAAO,MAAM,SAAU,QAAO;AAChD,MAAI,EAAE,aAAa,GAAI,QAAO;AAC9B,SAAO,OAAQ,EAA2B,YAAY;AACxD;;;ACzCO,IAAM,2BAA2B;AAGjC,SAAS,mBAAmB,WAA2B;AAC5D,SAAO,2BAA2B;AACpC;AAOA,eAAsB,mBACpB,OACA,OACA,WACqC;AACrC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,iBAAiB,mBAAmB,SAAS,CAAC;AACtF,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,SAAS,KAAK;AACxC,QAAI,CAAC,iBAAiB,MAAM,EAAG,QAAO;AACtC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,sBACpB,OACA,OACA,WACA,YACe;AACf,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,EAAE,QAAQ,WAAW,OAAO,CAAC;AAAA,EACrD;AACA,QAAM,MAAM,IAAI,OAAO,iBAAiB,mBAAmB,SAAS,GAAG,QAAQ;AACjF;AAQA,eAAsB,qBACpB,OACA,OACA,WACe;AACf,QAAM,MAAM,OAAO,OAAO,iBAAiB,mBAAmB,SAAS,CAAC;AAC1E;AAEA,SAAS,iBAAiB,GAAiC;AACzD,MAAI,MAAM,QAAQ,OAAO,MAAM,SAAU,QAAO;AAChD,MAAI,EAAE,YAAY,GAAI,QAAO;AAC7B,SAAO,OAAQ,EAA0B,WAAW;AACtD;;;ACKO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EACzC;AAAA,EACA;AAAA,EACT,YAAY,QAA8B,YAAoB;AAC5D,UAAM,mBAAmB,oBAAoB,MAAM,MAAM,UAAU,EAAE;AACrE,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,aAAa;AAAA,EACpB;AACF;AAEA,IAAM,oBAAoB;AAC1B,IAAM,0BAA0B;AAEhC,IAAM,cAAoD;AAAA,EACxD,OAAO;AAAA,EACP,iBACE;AAAA,EACF,6BAA6B;AAAA,EAC7B,gBAAgB;AAAA,EAChB,iBACE;AAAA,EACF,kBAAkB;AAAA,EAClB,qBAAqB;AACvB;AAOO,SAAS,mBACd,GACA,MAC4B;AAI5B,MAAI,MAAM,iBAAiB;AACzB,WAAO,KAAK,gBAAgB,CAAC;AAAA,EAC/B;AAEA,QAAM,WAAW,MAAM,YAAY;AACnC,QAAM,gBAAgB,MAAM,iBAAiB;AAC7C,QAAM,iBAAiB,MAAM,0BAA0B;AAEvD,MAAI,EAAE,WAAW,GAAG;AAClB,WAAO,EAAE,IAAI,OAAO,QAAQ,QAAQ;AAAA,EACtC;AAEA,MAAI,MAAM,EAAE,KAAK,GAAG;AAClB,WAAO,EAAE,IAAI,OAAO,QAAQ,4BAA4B;AAAA,EAC1D;AAEA,MAAI,EAAE,SAAS,IAAI,GAAG;AACpB,WAAO,EAAE,IAAI,OAAO,QAAQ,eAAe;AAAA,EAC7C;AAOA,QAAM,cAAc,MAAM,WAAW;AACrC,MAAI,CAAC,YAAY,KAAK,CAAC,GAAG;AACxB,WAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB;AAAA,EAC9C;AAEA,QAAM,QAAQ,EAAE,MAAM,GAAG;AAEzB,MAAI,MAAM,SAAS,UAAU;AAC3B,WAAO,EAAE,IAAI,OAAO,QAAQ,iBAAiB,SAAS,UAAU,KAAK,MAAM,OAAO;AAAA,EACpF;AAEA,aAAW,KAAK,OAAO;AACrB,QAAI,EAAE,SAAS,eAAe;AAC5B,aAAO,EAAE,IAAI,OAAO,QAAQ,kBAAkB,SAAS,eAAe,KAAK,EAAE,OAAO;AAAA,IACtF;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,aAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,UAAI,MAAM,CAAC,MAAM,MAAM,IAAI,CAAC,GAAG;AAC7B,eAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,MAAM,OAAO,MAAM,OAAO;AACzC;AAWO,SAAS,uBACd,GACA,MACM;AACN,MAAI,MAAM,oBAAqB;AAC/B,QAAM,SAAS,mBAAmB,GAAG,IAAI;AACzC,MAAI,OAAO,GAAI;AACf,QAAM,IAAI,oBAAoB,OAAO,QAAQ,YAAY,OAAO,MAAM,CAAC;AACzE;AAUO,SAAS,gBAAgB,YAA4B;AAC1D,QAAM,SAAS,mBAAmB,UAAU;AAC5C,MAAI,CAAC,OAAO,GAAI,QAAO;AACvB,SAAO,KAAK,MAAM,OAAO,QAAQ,KAAK,KAAK,IAAI,CAAC;AAClD;;;AC5LO,IAAM,0BAA0B,KAAK;AAOrC,IAAM,2BAA2B;AAOjC,IAAM,6BAAN,cAAyC,WAAW;AAAA,EAChD;AAAA,EACA;AAAA,EACT,YAAY,OAAe,QAAgB,yBAAyB;AAClE;AAAA,MACE;AAAA,MACA,4BAA4B,KAAK,uBAAuB,KAAK;AAAA,IAE/D;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AACF;;;ACvBA,eAAsB,iBACpB,OACA,OACA,WACA,KACiC;AACjC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,0BAA0B,SAAS;AAC3E,MAAI,CAAC,SAAU,QAAO;AACtB,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,QAAM,OAAO,KAAK,MAAM,SAAS;AACjC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,IAAI,SAAS;AAAA,IACb,KAAK,SAAS;AAAA,EAChB;AACF;AAcA,eAAsB,iBACpB,OACA,OACA,WACA,SACA,KACA,iBAC0B;AAC1B,QAAM,OAAO,KAAK,UAAU,OAAO;AAGnC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,IAAI,EAAE;AAC7C,MAAI,QAAQ,yBAAyB;AACnC,UAAM,IAAI,2BAA2B,KAAK;AAAA,EAC5C;AAEA,QAAM,QAAQ,MAAM,MAAM,IAAI,OAAO,0BAA0B,SAAS;AACxE,MAAI,oBAAoB,QAAW;AACjC,UAAM,eAAe,OAAO,MAAM;AAClC,QAAI,iBAAiB,iBAAiB;AACpC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,sBAAsB,SAAS,sBAAsB,eAAe,YACxD,YAAY;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,QAAM,eAAe,OAAO,MAAM,KAAK;AACvC,QAAM,MAAK,oBAAI,KAAK,GAAE,YAAY;AAClC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAE5C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACA,QAAM,MAAM,IAAI,OAAO,0BAA0B,WAAW,QAAQ;AAEpE,SAAO;AAAA,IACL;AAAA,IACA,MAAM;AAAA,IACN,IAAI;AAAA,IACJ,KAAK;AAAA,EACP;AACF;AAOA,eAAsB,mBACpB,OACA,OACA,WACe;AACf,QAAM,MAAM,OAAO,OAAO,0BAA0B,SAAS;AAC/D;AAMA,eAAsB,oBACpB,OACA,OACmB;AACnB,SAAO,MAAM,KAAK,OAAO,wBAAwB;AACnD;;;AC1FA,IAAM,0BAA2C,CAAC,YAAY,UAAU,UAAU,OAAO;AAEzF,SAAS,SAAS,YAAkB,YAA2B;AAC7D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAEA,SAAS,UAAU,YAAkB,YAA2B;AAC9D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAcA,SAAS,cAAc,YAAkB,YAA2B;AAClE,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAgFA,IAAM,yBAAyB,IAAI,WAAW,EAAE;AAChD,IAAI,mBAA8C;AAElD,SAAS,eAAmC;AAC1C,MAAI,qBAAqB,MAAM;AAC7B,uBAAmB,WAAW,OAAO,OAAO;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,kBAAkB,KAAiC;AACvE,QAAM,YAAY,MAAM,aAAa;AACrC,SAAO,QAAQ,WAAW,GAAG;AAC/B;AAGA,eAAe,oBAAoB,eAAuB,KAAkC;AAC1F,MAAI;AACF,UAAM,UAAU,eAAe,GAAG;AAClC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,YACpB,SACA,OACA,QACA,YAC0B;AAC1B,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAE5D,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,GAAG;AAAA,EACrF;AAEA,QAAM,cAAc,KAAK,MAAM,SAAS,KAAK;AAO7C,MAAI,YAAY,eAAe,QAAW;AACxC,UAAM,SAAS,KAAK,MAAM,YAAY,UAAU;AAChD,QAAI,OAAO,SAAS,MAAM,KAAK,KAAK,IAAI,KAAK,QAAQ;AACnD,YAAM,IAAI,oBAAoB,EAAE,QAAQ,YAAY,SAAS,WAAW,YAAY,WAAW,CAAC;AAAA,IAClG;AAAA,EACF;AAEA,QAAM,OAAO,eAAe,YAAY,IAAI;AAC5C,QAAM,MAAM,MAAM,UAAU,YAAY,IAAI;AAS5C,QAAM,WAA2B,YAAY,WAAW,SACpD,MAAM,oBAAoB,YAAY,QAAQ,GAAG,IACjD;AAGJ,QAAM,OAAO,oBAAI,IAAuB;AACxC,QAAM,oBAA8B,CAAC;AACrC,MAAI,mBAA4B;AAChC,aAAW,CAAC,UAAU,UAAU,KAAK,OAAO,QAAQ,YAAY,IAAI,GAAG;AACrE,QAAI;AACF,YAAM,MAAM,MAAM,UAAU,YAAY,GAAG;AAC3C,WAAK,IAAI,UAAU,GAAG;AAAA,IACxB,SAAS,KAAK;AACZ,wBAAkB,KAAK,QAAQ;AAC/B,UAAI,qBAAqB,KAAM,oBAAmB;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,aAAa,MAAM;AAErB,QAAI,kBAAkB,SAAS,GAAG;AAChC,YAAM,IAAI,oBAAoB,EAAE,mBAAmB,aAAa,KAAK,KAAK,CAAC;AAAA,IAC7E;AAAA,EACF,WAAW,aAAa,OAAO;AAG7B,QAAI,KAAK,OAAO,GAAG;AACjB,YAAM,IAAI,oBAAoB;AAAA,QAC5B,mBAAmB,CAAC,GAAG,mBAAmB,SAAS;AAAA,QACnD,aAAa,KAAK;AAAA,MACpB,CAAC;AAAA,IACH;AAIA,UAAM,4BAA4B,QAAQ,mBAAmB,IAAI,gBAAgB;AAAA,EACnF,OAAO;AAEL,QAAI,kBAAkB,SAAS,GAAG;AAChC,UAAI,KAAK,OAAO,GAAG;AACjB,cAAM,IAAI,oBAAoB,EAAE,mBAAmB,aAAa,KAAK,KAAK,CAAC;AAAA,MAC7E;AACA,YAAM,4BAA4B,QAAQ,mBAAmB,IAAI,gBAAgB;AAAA,IACnF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ,YAAY;AAAA,IACpB,aAAa,YAAY;AAAA,IACzB,MAAM,YAAY;AAAA,IAClB,aAAa,YAAY;AAAA,IACzB;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,YAAY,kBAAkB,CAAC;AAAA,IAC/C,GAAI,YAAY,sBAAsB,UAAa,EAAE,kBAAkB,YAAY,kBAAkB;AAAA,IACrG,GAAI,YAAY,sBAAsB,UAAa,EAAE,kBAAkB,YAAY,kBAAkB;AAAA,IACrG,GAAI,YAAY,WAAW,UAAa,EAAE,QAAQ,YAAY,OAAO;AAAA,EACvE;AACF;AAUA,eAAsB,mBACpB,SACA,OACA,QACA,YACA,gBAC0B;AAC1B,MAAI,gBAAgB,YAAY,CAAC,eAAe,qBAAqB;AACnE,2BAAuB,YAAY,cAAc;AAAA,EACnD;AACA,QAAM,OAAO,aAAa;AAC1B,QAAM,MAAM,MAAM,UAAU,YAAY,IAAI;AAW5C,QAAM,kBAAkB,MAAM,YAAY;AAC1C,QAAM,yBAAyB,MAAM,QAAQ,iBAAiB,GAAG;AACjE,QAAM,SAAS,MAAM,kBAAkB,GAAG;AAE1C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS;AAAA,IACT,cAAc;AAAA,IACd,MAAM;AAAA,IACN,aAAa,CAAC;AAAA,IACd,MAAM,EAAE,CAAC,wBAAwB,GAAG,uBAAuB;AAAA,IAC3D,MAAM,eAAe,IAAI;AAAA,IACzB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,WAAW;AAE1D,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,MAAM;AAAA,IACN,aAAa,CAAC;AAAA,IACd,MAAM,oBAAI,IAAI,CAAC,CAAC,0BAA0B,eAAe,CAAC,CAAC;AAAA,IAC3D;AAAA,IACA;AAAA,IACA,gBAAgB,CAAC;AAAA,EACnB;AACF;AAKA,eAAsB,MACpB,SACA,OACA,eACA,SACe;AACf,MAAI,CAAC,cAAc,KAAK;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,cAAc,MAAM,QAAQ,IAAI,GAAG;AAC/C,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,wBAAwB,QAAQ,IAAI;AAAA,IACjE;AAAA,EACF;AAKA,MACG,QAA6C,sBAC9C,CAAC,QAAQ,qBACT;AACA,2BAAuB,QAAQ,UAAU;AAAA,EAC3C;AAGA,QAAM,cAAc,mBAAmB,QAAQ,MAAM,QAAQ,WAAW;AAGxE,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,QAAQ,YAAY,OAAO;AAG1D,QAAM,cAAsC,CAAC;AAC7C,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,UAAM,MAAM,cAAc,KAAK,IAAI,QAAQ;AAC3C,QAAI,KAAK;AACP,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,WAAW,QAAQ,SAAS,UAAU;AACrF,eAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,UAAI,EAAE,YAAY,cAAc;AAC9B,oBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAgBA,aAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,QAAI,SAAS,WAAW,GAAG,KAAK,EAAE,YAAY,cAAc;AAC1D,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAWA,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,QAAI,CAAC,cAAc,KAAK,IAAI,QAAQ,GAAG;AACrC,YAAM,IAAI,yBAAyB,QAAQ;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,cAAc;AAAA,IAC1B;AAAA,IACA,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,EAC9F;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AAUlE,QAAM,kBAAkB,cAAc,KAAK,IAAI,wBAAwB;AACvE,MAAI,iBAAiB;AACnB,UAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAoBA,eAAe,qBACb,SACA,OACA,YACmB;AACnB,QAAM,aAAa,MAAM,QAAQ,KAAK,OAAO,UAAU;AAKvD,QAAM,mBAAmB,oBAAI,IAAsB;AACnD,aAAW,UAAU,YAAY;AAC/B,UAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AACvD,QAAI,CAAC,IAAK;AACV,UAAM,KAAK,KAAK,MAAM,IAAI,KAAK;AAC/B,QAAI,GAAG,SAAS,QAAS;AACzB,QAAI,GAAG,YAAY,WAAY;AAC/B,UAAM,OAAO,iBAAiB,IAAI,GAAG,UAAU,KAAK,CAAC;AACrD,SAAK,KAAK,GAAG,OAAO;AACpB,qBAAiB,IAAI,GAAG,YAAY,IAAI;AAAA,EAC1C;AAEA,QAAM,UAAU,oBAAI,IAAY;AAChC,QAAM,QAAkB,CAAC;AACzB,QAAM,QAAkB,CAAC,GAAI,iBAAiB,IAAI,UAAU,KAAK,CAAC,CAAE;AACpE,SAAO,MAAM,SAAS,GAAG;AACvB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,QAAQ,IAAI,IAAI,EAAG;AACvB,YAAQ,IAAI,IAAI;AAChB,UAAM,KAAK,IAAI;AACf,eAAW,cAAc,iBAAiB,IAAI,IAAI,KAAK,CAAC,GAAG;AACzD,UAAI,CAAC,QAAQ,IAAI,UAAU,EAAG,OAAM,KAAK,UAAU;AAAA,IACrD;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,OACpB,SACA,OACA,eACA,SACe;AAEf,QAAM,iBAAiB,MAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC1E,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,cAAc,SAAS,QAAQ,MAAM,8BAA8B,KAAK,GAAG;AAAA,EACvF;AAEA,QAAM,gBAAgB,KAAK,MAAM,eAAe,KAAK;AAErD,MAAI,CAAC,UAAU,cAAc,MAAM,cAAc,IAAI,GAAG;AACtD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,yBAAyB,cAAc,IAAI;AAAA,IACxE;AAAA,EACF;AAKA,QAAM,cAAc,QAAQ,WAAW;AACvC,QAAM,gBAA0B,CAAC,QAAQ,MAAM;AAC/C,QAAM,sBAAsB,IAAI,IAAI,OAAO,KAAK,cAAc,IAAI,CAAC;AAEnE,MAAI,cAAc,SAAS,SAAS;AAClC,UAAM,cAAc,MAAM,qBAAqB,SAAS,OAAO,QAAQ,MAAM;AAC7E,QAAI,YAAY,SAAS,GAAG;AAC1B,UAAI,gBAAgB,QAAQ;AAM1B,gBAAQ;AAAA,UACN,mBAAmB,QAAQ,MAAM,oCAC5B,YAAY,MAAM,kCAClB,YAAY,KAAK,IAAI,CAAC;AAAA,QAE7B;AAAA,MACF,OAAO;AAIL,mBAAW,UAAU,aAAa;AAChC,gBAAM,UAAU,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAC3D,cAAI,CAAC,QAAS;AACd,gBAAM,SAAS,KAAK,MAAM,QAAQ,KAAK;AACvC,wBAAc,KAAK,MAAM;AACzB,qBAAW,KAAK,OAAO,KAAK,OAAO,IAAI,EAAG,qBAAoB,IAAI,CAAC;AAAA,QACrE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAKA,aAAW,UAAU,eAAe;AAClC,UAAM,QAAQ,OAAO,OAAO,YAAY,MAAM;AAI9C,UAAM,mBAAmB,SAAS,OAAO,MAAM;AAM/C,UAAM,qBAAqB,SAAS,OAAO,MAAM;AAAA,EACnD;AAOA,MAAI,QAAQ,eAAe,SAAS,oBAAoB,OAAO,GAAG;AAChE,UAAM,WAAW,SAAS,OAAO,eAAe,CAAC,GAAG,mBAAmB,CAAC;AAAA,EAC1E;AACF;AA6BA,eAAsB,sBACpB,SACA,OACA,eACA,SACe;AACf,MACE,QAAQ,SAAS,UACjB,QAAQ,gBAAgB,UACxB,QAAQ,gBAAgB,QACxB;AACA,UAAM,IAAI;AAAA,MACR,2FACe,QAAQ,MAAM;AAAA,IAC/B;AAAA,EACF;AAEA,QAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC/D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,qBAAqB,QAAQ,MAAM,8BAA8B,KAAK;AAAA,IACxE;AAAA,EACF;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,KAAK;AAMnC,MAAI,CAAC,cAAc,cAAc,MAAM,OAAO,IAAI,GAAG;AACnD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,wCAAwC,OAAO,IAAI;AAAA,IAChF;AAAA,EACF;AACA,MACE,QAAQ,SAAS,UACjB,QAAQ,SAAS,OAAO,QACxB,CAAC,cAAc,cAAc,MAAM,QAAQ,IAAI,GAC/C;AACA,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,oCAAoC,QAAQ,IAAI;AAAA,IAC7E;AAAA,EACF;AAEA,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,UAAa,EAAE,MAAM,QAAQ,KAAK;AAAA,IACvD,GAAI,QAAQ,gBAAgB,UAAa;AAAA;AAAA,MAEvC,cAAc,QAAQ,eAAe;AAAA,IACvC;AAAA,IACA,GAAI,QAAQ,gBAAgB,UAAa,EAAE,aAAa,QAAQ,YAAY;AAAA,EAC9E;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,IAAI;AAC7D;AAUA,eAAsB,WACpB,SACA,OACA,eACA,aACe;AAEf,QAAM,UAAU,oBAAI,IAAuB;AAC3C,aAAW,YAAY,aAAa;AAClC,YAAQ,IAAI,UAAU,MAAM,YAAY,CAAC;AAAA,EAC3C;AAGA,aAAW,YAAY,aAAa;AAClC,UAAM,SAAS,cAAc,KAAK,IAAI,QAAQ;AAC9C,UAAM,SAAS,QAAQ,IAAI,QAAQ;AACnC,QAAI,CAAC,OAAQ;AAEb,UAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,QAAQ;AAC9C,eAAW,MAAM,KAAK;AACpB,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,UAAU,EAAE;AACtD,UAAI,CAAC,YAAY,CAAC,SAAS,IAAK;AAGhC,YAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM;AAGpE,YAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,MAAM;AACpD,YAAM,cAAiC;AAAA,QACrC,QAAQ;AAAA,QACR,IAAI,SAAS;AAAA,QACb,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO;AAAA,MACT;AACA,YAAM,QAAQ,IAAI,OAAO,UAAU,IAAI,WAAW;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,CAAC,UAAU,MAAM,KAAK,SAAS;AACxC,kBAAc,KAAK,IAAI,UAAU,MAAM;AAAA,EACzC;AACA,QAAM,eAAe,SAAS,OAAO,aAAa;AAGlD,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,UAAU;AACpD,aAAW,UAAU,SAAS;AAC5B,QAAI,WAAW,cAAc,OAAQ;AAErC,UAAM,eAAe,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAChE,QAAI,CAAC,aAAc;AAEnB,UAAM,kBAAkB,KAAK,MAAM,aAAa,KAAK;AAyDrD,UAAM,cAAc,EAAE,GAAG,gBAAgB,KAAK;AAC9C,eAAW,YAAY,aAAa;AAClC,aAAO,YAAY,QAAQ;AAAA,IAC7B;AAEA,UAAM,qBAAqB,EAAE,GAAG,gBAAgB,YAAY;AAC5D,eAAW,YAAY,aAAa;AAClC,aAAO,mBAAmB,QAAQ;AAAA,IACpC;AAEA,UAAM,iBAA8B;AAAA,MAClC,GAAG;AAAA,MACH,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAEA,UAAM,iBAAiB,SAAS,OAAO,QAAQ,cAAc;AAAA,EAC/D;AACF;AAgBA,eAAsB,aACpB,SACA,OACA,SACA,eACA,gBAC0B;AAC1B,MAAI,CAAC,gBAAgB,qBAAqB;AACxC,2BAAuB,eAAe,cAAc;AAAA,EACtD;AACA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,eAAe,OAAO;AAGrD,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,gBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EACnD;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,QAAQ;AAAA,IACpB;AAAA,EACF;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AAElE,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA;AAAA,IACd,KAAK;AAAA,IACL,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMN,gBAAgB,CAAC;AAAA,IACjB,GAAI,QAAQ,WAAW,UAAa,EAAE,QAAQ,QAAQ,OAAO;AAAA,EAC/D;AACF;AA2DA,eAAsB,0BACpB,eACA,WACsB;AACtB,MAAI,CAAC,cAAc,KAAK;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,QAAM,OAAa,UAAU,QAAQ;AACrC,QAAM,cAAc,mBAAmB,MAAM,UAAU,WAAW;AAElE,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,UAAU,YAAY,OAAO;AAE5D,QAAM,cAAsC,CAAC;AAG7C,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,UAAM,MAAM,cAAc,KAAK,IAAI,QAAQ;AAC3C,QAAI,KAAK;AACP,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAGA,MAAI,SAAS,WAAW,SAAS,WAAW,SAAS,UAAU;AAC7D,eAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,UAAI,EAAE,YAAY,cAAc;AAC9B,oBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAIA,aAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,QAAI,SAAS,WAAW,GAAG,KAAK,EAAE,YAAY,cAAc;AAC1D,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAIA,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,QAAI,CAAC,cAAc,KAAK,IAAI,QAAQ,GAAG;AACrC,YAAM,IAAI,yBAAyB,QAAQ;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,SAAO;AAAA,IACL,gBAAgB;AAAA,IAChB,SAAS,UAAU;AAAA,IACnB,cAAc,UAAU,eAAe,UAAU;AAAA,IACjD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,cAAc;AAAA,IAC1B;AAAA,IACA,GAAI,UAAU,qBAAqB,SAC/B,EAAE,mBAAmB,UAAU,iBAAiB,IAChD,CAAC;AAAA,IACL,GAAI,UAAU,qBAAqB,SAC/B,EAAE,mBAAmB,UAAU,iBAAiB,IAChD,CAAC;AAAA,IACL,GAAI,UAAU,cAAc,SACxB,EAAE,YAAY,UAAU,UAAU,IAClC,CAAC;AAAA,EACP;AACF;AAKA,eAAsB,UACpB,SACA,OACqB;AACrB,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,UAAU;AACpD,QAAM,QAAoB,CAAC;AAE3B,aAAW,UAAU,SAAS;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAC5D,QAAI,CAAC,SAAU;AACf,UAAM,KAAK,KAAK,MAAM,SAAS,KAAK;AACpC,UAAM,KAAK;AAAA,MACT,QAAQ,GAAG;AAAA,MACX,aAAa,GAAG;AAAA,MAChB,MAAM,GAAG;AAAA,MACT,aAAa,GAAG;AAAA,MAChB,WAAW,GAAG;AAAA,MACd,WAAW,GAAG;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAoDA,eAAsB,uBACpB,SACA,OACA,iBACA,YACA,UAA4B,CAAC,GAC+C;AAC5E,QAAM,eAAe,eAAe,WAAW,eAAe;AAG9D,QAAM,YAAY,MAAM,oBAAoB,SAAS,KAAK;AAC1D,MAAI,WAAW,YAAY,SAAS,CAAC,cAAc;AACjD,UAAM,IAAI,uBAAuB,KAAK;AAAA,EACxC;AAGA,MAAI,QAAQ,iBAAiB,CAAC,cAAc;AAC1C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ,MAAM,UAAU,SAAS,KAAK;AAC5C,QAAM,MAAyE,CAAC;AAChF,aAAW,QAAQ,OAAO;AACxB,QAAI,CAAC,QAAQ,eAAe;AAC1B,YAAM,aAAa,MAAM,mBAAmB,SAAS,OAAO,KAAK,MAAM;AACvE,UAAI,YAAY,OAAQ;AAAA,IAC1B;AACA,UAAM,WAAW,MAAM;AAAA,MACrB;AAAA,MACA;AAAA,MACA,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,KAAK,EAAE,MAAM,SAAS,CAAC;AAAA,EAC7B;AACA,SAAO;AACT;AAMA,eAAsB,oBACpB,SACA,OACA,SACyD;AAOzD,QAAM,WAAW,oBAAI,IAAgC;AACrD,SAAO,OAAO,mBAA+C;AAC3D,UAAM,WAAW,QAAQ,KAAK,IAAI,cAAc;AAChD,QAAI,SAAU,QAAO;AACrB,UAAM,UAAU,SAAS,IAAI,cAAc;AAC3C,QAAI,QAAS,QAAO;AAEpB,UAAM,WAAW,YAAY;AAC3B,YAAM,MAAM,MAAM,YAAY;AAC9B,cAAQ,KAAK,IAAI,gBAAgB,GAAG;AACpC,YAAM,eAAe,SAAS,OAAO,OAAO;AAC5C,aAAO;AAAA,IACT,GAAG;AACH,aAAS,IAAI,gBAAgB,OAAO;AACpC,QAAI;AACF,aAAO,MAAM;AAAA,IACf,UAAE;AACA,eAAS,OAAO,cAAc;AAAA,IAChC;AAAA,EACF;AACF;AAKO,SAAS,mBAAmB,SAA0B,gBAAiC;AAC5F,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,QAAS,QAAO;AACjE,MAAI,QAAQ,SAAS,YAAY,QAAQ,SAAS,SAAU,QAAO;AACnE,SAAO,QAAQ,YAAY,cAAc,MAAM;AACjD;AAGO,SAAS,UAAU,SAA0B,gBAAiC;AACnF,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAU,QAAO;AAC9F,SAAO,kBAAkB,QAAQ;AACnC;AAKA,eAAsB,eACpB,SACA,OACA,SACe;AACf,MAAI,CAAC,QAAQ,KAAK;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,IAIF;AAAA,EACF;AACA,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,gBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,QAAQ,GAAG;AAAA,EACxD;AACA,QAAM,SAAS,MAAM,kBAAkB,QAAQ,GAAG;AAElD,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,QAAQ;AAAA,IACpB;AAAA,IACA,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,eAAe,SAAS,KAAK,EAAE,gBAAgB,QAAQ,eAAe;AAAA,IAClF,GAAI,QAAQ,WAAW,UAAa,EAAE,QAAQ,QAAQ,OAAO;AAAA,EAC/D;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AACpE;AAkBA,SAAS,wBAAwB,MAAqB;AACpD,SAAO,SAAS,WAAW,SAAS;AACtC;AA4BO,SAAS,oBACd,SACA,MACA,QACS;AACT,QAAM,MAAM,QAAQ;AACpB,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,KAAK,aAAa,CAAC;AACnC,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AAEA,SAAO,KAAK,UAAU,wBAAwB,QAAQ,IAAI;AAC5D;AAkBO,SAAS,yBACd,YACA,MACA,MACA,QACS;AACT,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,YAAY,aAAa,CAAC;AAC1C,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AACA,SAAO,YAAY,UAAU,wBAAwB,IAAI;AAC3D;AA0BO,SAAS,oBACd,SACA,MACA,QACS;AACT,QAAM,MAAM,QAAQ;AACpB,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,KAAK,aAAa,CAAC;AACnC,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AAEA,SAAO,KAAK,WAAW;AACzB;AAoBO,SAAS,yBACd,YACA,OACA,MACA,QACS;AACT,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,YAAY,aAAa,CAAC;AAC1C,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AACA,SAAO,YAAY,WAAW;AAChC;AAEA,SAAS,mBAAmB,MAAY,UAAqC;AAC3E,MAAI,SAAS,WAAW,SAAS,WAAW,SAAS,SAAU,QAAO,CAAC;AACvE,SAAO,YAAY,CAAC;AACtB;AAEA,eAAe,iBACb,SACA,OACA,QACA,aACe;AACf,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,WAAW;AAAA,EACnC;AACA,QAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,QAAQ;AACvD;","names":[]}

package/dist/chunk-RTZVQAJ7.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/materialized-views/with-materialized-view.ts"],"sourcesContent":["import { MaterializedViewConfigError, ValidationError } from '../errors.js'\nimport type { MaterializedViewStrategy, MaterializedViewStrategyHandle } from './types.js'\n\n/**\n * Register a materialized view: a declared query whose result is\n * persisted as a queryable collection and kept fresh as sources\n * change. Writes go through the standard `Collection.put` pipeline;\n * refresh-driven deletes route through `Collection._internalDelete` so\n * user `onDelete` guards on the output collection aren't tripped by\n * housekeeping.\n *\n * Two registration modes:\n *   - **single-source** — declare `query: (db) => Query<TRow>`; the\n *     dependency analyzer derives source collections from the plan.\n *   - **UNION** (#165) — declare `unionSources: [{ collection, map }, ...]`\n *     plus optional `groupBy` + `aggregate`; the executor reads each\n *     arm, maps to the unified row shape, concatenates, then groups\n *     and aggregates.\n *\n * The two modes are mutually exclusive — exactly one of `query` /\n * `unionSources` must be set at registration time.\n *\n * See docs/superpowers/specs/2026-05-20-dim14-mv-v2-design.md (single-source v2)\n * and docs/superpowers/specs/2026-05-21-dim14-mv-multikey-and-union.md (UNION).\n */\nexport function withMaterializedView<TRow extends Record<string, unknown>>(\n  spec: MaterializedViewStrategy<TRow>,\n): MaterializedViewStrategyHandle {\n  if (!spec.name || spec.name.length === 0) {\n    throw new ValidationError('withMaterializedView: name is required')\n  }\n  // Mutual exclusion: query and unionSources cannot coexist.\n  if (spec.query && spec.unionSources) {\n    throw new MaterializedViewConfigError(\n      'query and unionSources are mutually exclusive — pick one',\n    )\n  }\n  // Strategy must declare one of the two.\n  if (!spec.query && !spec.unionSources) {\n    throw new MaterializedViewConfigError(\n      'strategy must declare either query or unionSources',\n    )\n  }\n  if (spec.query !== undefined && typeof spec.query !== 'function') {\n    throw new ValidationError('withMaterializedView: query must be a function returning a Query<T>')\n  }\n  // UNION-form invariants.\n  if (spec.unionSources) {\n    if (spec.unionSources.length < 2) {\n      throw new MaterializedViewConfigError(\n        'unionSources requires at least 2 source collections',\n      )\n    }\n    const seen = new Set<string>()\n    for (const s of spec.unionSources) {\n      if (typeof s?.collection !== 'string' || s.collection.length === 0) {\n        throw new MaterializedViewConfigError(\n          'each unionSources entry must declare a non-empty `collection` string',\n        )\n      }\n      if (typeof s.map !== 'function') {\n        throw new MaterializedViewConfigError(\n          `unionSources entry for \"${s.collection}\" is missing a \\`map\\` function`,\n        )\n      }\n      if (seen.has(s.collection)) {\n        throw new MaterializedViewConfigError(\n          `unionSources must reference distinct collections (duplicate: \"${s.collection}\")`,\n        )\n      }\n      seen.add(s.collection)\n    }\n    if (Array.isArray(spec.groupBy) && spec.groupBy.length === 0) {\n      throw new MaterializedViewConfigError(\n        `withMaterializedView \"${spec.name}\": groupBy must not be an empty array — omit it or provide at least one field name`,\n      )\n    }\n    if (spec.aggregate && !spec.groupBy) {\n      throw new MaterializedViewConfigError(\n        `withMaterializedView \"${spec.name}\": UNION strategy with aggregate requires groupBy — `\n        + `use groupBy to declare the bucketing keys, or remove aggregate for a pure dedup MV`,\n      )\n    }\n    if (spec.predicates) {\n      throw new MaterializedViewConfigError(\n        `withMaterializedView \"${spec.name}\": predicates are not supported on UNION strategies — `\n        + `UNION mode does not use a Query<T> chain, so .wherePredicate() cannot fire. `\n        + `Use the query() form, or open an issue if per-arm predicates are needed`,\n      )\n    }\n  }\n  if (typeof spec.rowKey !== 'function') {\n    throw new ValidationError('withMaterializedView: rowKey is required (no default; see spec § Type surface)')\n  }\n  if (spec.refresh !== 'eager' && spec.refresh !== 'lazy' && spec.refresh !== 'manual') {\n    throw new ValidationError(\n      `withMaterializedView: refresh must be 'eager' | 'lazy' | 'manual', got \"${String(spec.refresh)}\"`,\n    )\n  }\n  return {\n    __noydb_strategy: 'materialized-view',\n    spec,\n  }\n}\n"],"mappings":";;;;;;AAyBO,SAAS,qBACd,MACgC;AAChC,MAAI,CAAC,KAAK,QAAQ,KAAK,KAAK,WAAW,GAAG;AACxC,UAAM,IAAI,gBAAgB,wCAAwC;AAAA,EACpE;AAEA,MAAI,KAAK,SAAS,KAAK,cAAc;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK,SAAS,CAAC,KAAK,cAAc;AACrC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,KAAK,UAAU,UAAa,OAAO,KAAK,UAAU,YAAY;AAChE,UAAM,IAAI,gBAAgB,qEAAqE;AAAA,EACjG;AAEA,MAAI,KAAK,cAAc;AACrB,QAAI,KAAK,aAAa,SAAS,GAAG;AAChC,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,OAAO,oBAAI,IAAY;AAC7B,eAAW,KAAK,KAAK,cAAc;AACjC,UAAI,OAAO,GAAG,eAAe,YAAY,EAAE,WAAW,WAAW,GAAG;AAClE,cAAM,IAAI;AAAA,UACR;AAAA,QACF;AAAA,MACF;AACA,UAAI,OAAO,EAAE,QAAQ,YAAY;AAC/B,cAAM,IAAI;AAAA,UACR,2BAA2B,EAAE,UAAU;AAAA,QACzC;AAAA,MACF;AACA,UAAI,KAAK,IAAI,EAAE,UAAU,GAAG;AAC1B,cAAM,IAAI;AAAA,UACR,iEAAiE,EAAE,UAAU;AAAA,QAC/E;AAAA,MACF;AACA,WAAK,IAAI,EAAE,UAAU;AAAA,IACvB;AACA,QAAI,MAAM,QAAQ,KAAK,OAAO,KAAK,KAAK,QAAQ,WAAW,GAAG;AAC5D,YAAM,IAAI;AAAA,QACR,yBAAyB,KAAK,IAAI;AAAA,MACpC;AAAA,IACF;AACA,QAAI,KAAK,aAAa,CAAC,KAAK,SAAS;AACnC,YAAM,IAAI;AAAA,QACR,yBAAyB,KAAK,IAAI;AAAA,MAEpC;AAAA,IACF;AACA,QAAI,KAAK,YAAY;AACnB,YAAM,IAAI;AAAA,QACR,yBAAyB,KAAK,IAAI;AAAA,MAGpC;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,KAAK,WAAW,YAAY;AACrC,UAAM,IAAI,gBAAgB,mFAAgF;AAAA,EAC5G;AACA,MAAI,KAAK,YAAY,WAAW,KAAK,YAAY,UAAU,KAAK,YAAY,UAAU;AACpF,UAAM,IAAI;AAAA,MACR,2EAA2E,OAAO,KAAK,OAAO,CAAC;AAAA,IACjG;AAAA,EACF;AACA,SAAO;AAAA,IACL,kBAAkB;AAAA,IAClB;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-TBKOGSYR.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/materialized-views/dependency-analyzer.ts","../src/materialized-views/query-hash.ts","../src/materialized-views/registry.ts"],"sourcesContent":["import type { Query, QueryPlan } from '../query/builder.js'\nimport type { JoinContext } from '../query/join.js'\nimport type { MaterializedViewStrategy } from './types.js'\n\n/**\n * Walks a `Query<T>` plan and returns the set of source collection\n * names that any source-write should trigger a refresh on.\n *\n * Foundation sub-issue (#150) handles:\n *   - root collection (the one the query was built from)\n *   - FK join targets (`.join(field, { as })`)\n *\n * Deferred to later sub-issues:\n *   - `.crossJoin()` — v3 cross-join spec (separate primitive)\n *   - `.wherePredicate(name)` — v2 predicate primitive, sub-issue #153\n *   - Overlay-name expansion to {base, overlay} — sub-issue #154\n *\n * The set is materialized at MV registration time. The MV registry\n * uses it to (a) dispatch `onSourceWrite` only to MVs that actually\n * care, and (b) contribute edges to the shared cycle-detection graph.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function analyzeDependencies(query: Query<any>): Set<string> {\n  const deps = new Set<string>()\n  const plan = query._plan()\n  const ctx = query._joinContext()\n\n  // The root collection is always a dependency.\n  if (ctx?.leftCollection) {\n    deps.add(ctx.leftCollection)\n  }\n\n  // FK join targets contribute additional sources.\n  for (const leg of plan.joins) {\n    deps.add(leg.target)\n  }\n\n  // Sub-plans inside OR clauses can carry nested joins. Walk them.\n  // (Today only top-level `.join()` populates `plan.joins`, but the\n  // OR-group machinery permits sub-plans, so we recurse defensively.)\n  walkClausesForJoins(plan, deps, ctx)\n\n  return deps\n}\n\nfunction walkClausesForJoins(\n  plan: QueryPlan,\n  deps: Set<string>,\n  ctx: JoinContext | undefined,\n): void {\n  void ctx\n  // Today `plan.joins` carries all join legs at top level. Sub-plans\n  // inside OR groups don't currently support nested joins, so the loop\n  // below is a no-op safety net for future builder extensions.\n  for (const clause of plan.clauses) {\n    if (clause.type === 'group') {\n      // Group clauses don't (yet) carry their own joins; this is a\n      // forward-compat anchor for when OR-groups support nested\n      // sources.\n    }\n  }\n}\n\n/**\n * Convenience: produce a stable string summary of the query plan\n * suitable for `queryHash` derivation. Captures everything the\n * dependency analyzer reads + the where/orderBy/limit/offset\n * structure that affects materialized rows.\n *\n * `joinContext` is intentionally NOT included — the join-resolution\n * function references would defeat hash determinism. The set of join\n * TARGETS (collection names) IS included via the plan.joins legs.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function summarizeQueryPlan(query: Query<any>): string {\n  const plan = query._plan()\n  const ctx = query._joinContext()\n  return JSON.stringify({\n    root: ctx?.leftCollection ?? null,\n    clauses: plan.clauses,\n    orderBy: plan.orderBy,\n    limit: plan.limit ?? null,\n    offset: plan.offset,\n    joins: plan.joins.map(j => ({ field: j.field, as: j.as, target: j.target, mode: j.mode })),\n  })\n}\n\n/**\n * Canonical string description of a UNION MV's plan, used as input to\n * `computeQueryHash`.\n *\n * Asymmetry note (#165 niwat review):\n *   - Arm collection names are NOT sorted. Declaration order is\n *     semantically meaningful for the dedup-only UNION path —\n *     `materializeUnionResult` iterates `spec.unionSources` in\n *     declaration order and keeps the first-seen row per composite key\n *     (tie-break precedence). If we sorted arms here, a consumer who\n *     reordered `unionSources` to change precedence would compute the\n *     same `queryHash`, refresh would be a no-op, and stale MV rows\n *     would persist. Hashing in declaration order makes any reorder\n *     trigger a refresh.\n *   - `groupBy` fields ARE sorted. Multi-key groupBy buckets are\n *     commutative (`canonicalGroupKey` produces the same composite key\n *     regardless of field order in the input spec).\n *   - `aggregate` keys ARE sorted. Reducer-spec keys are independent\n *     of each other — order of declaration doesn't change output.\n *\n * Per-arm `map` functions are NOT fingerprinted; consumers must bump\n * the MV's `name` (or rely on application-level cache busting) when\n * `map` semantics change non-equivalently.\n */\nexport function summarizeUnionPlan<T extends Record<string, unknown>>(\n  spec: MaterializedViewStrategy<T>,\n): string {\n  const arms = (spec.unionSources ?? [])\n    .map(s => s.collection)\n    .join(',')\n  const groupBy: string = Array.isArray(spec.groupBy)\n    ? [...spec.groupBy].sort().join(',')\n    : typeof spec.groupBy === 'string'\n      ? spec.groupBy\n      : ''\n  const aggKeys = spec.aggregate ? Object.keys(spec.aggregate).sort().join(',') : ''\n  return `union(${arms})|groupBy(${groupBy})|aggregate(${aggKeys})`\n}\n","/**\n * Deterministic hash of a materialized view strategy's \"shape\": MV\n * name + canonical query-plan summary + sorted dependency-set.\n *\n * Used to detect strategy drift: a row whose `_materializedFrom.queryHash`\n * doesn't match the current strategy is considered stale.\n *\n * Web Crypto SHA-256 — no extra deps. Mirrors the v1\n * `computeStrategyHash` pattern.\n */\nexport async function computeQueryHash(\n  mvName: string,\n  /**\n   * Source-collection set the query depends on. Sorted before\n   * canonicalization so set iteration order doesn't affect the hash.\n   */\n  dependencies: ReadonlySet<string>,\n  /**\n   * Stringified query-plan summary. The caller produces this from the\n   * `Query<T>` builder — concretely: a JSON serialization of clauses +\n   * orderBy + limit + offset + joins. Function bodies inside\n   * `wherePredicate` are NOT included here (those carry their own\n   * `predicateHash` to be folded in by a later sub-issue).\n   */\n  queryPlanSummary: string,\n): Promise<string> {\n  const canonical = JSON.stringify({\n    mvName,\n    dependencies: [...dependencies].sort(),\n    queryPlanSummary,\n  })\n  const bytes = new TextEncoder().encode(canonical)\n  const digest = await crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map(b => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/**\n * Canonicalize a query plan for hashing. Walks the plan structure\n * with sorted keys so insertion order doesn't perturb the result.\n * Lives here rather than in `query/builder.ts` to keep that module\n * stable across MV-specific evolutions.\n *\n * @internal exported for testing\n */\nexport function canonicalizeQueryPlan(plan: unknown): string {\n  return JSON.stringify(plan, (_key, value) => {\n    if (value && typeof value === 'object' && !Array.isArray(value)) {\n      const sorted: Record<string, unknown> = {}\n      for (const k of Object.keys(value as Record<string, unknown>).sort()) {\n        sorted[k] = (value as Record<string, unknown>)[k]\n      }\n      return sorted\n    }\n    return value\n  })\n}\n","import { MaterializedViewCycleError, MaterializedViewSourceUnknownError } from '../errors.js'\nimport type { DerivationRegistry } from '../derivations/registry.js'\nimport type { Clause, FieldClause } from '../query/predicate.js'\nimport type { DeclaredPredicate } from '../query/builder.js'\nimport { analyzeDependencies, summarizeQueryPlan, summarizeUnionPlan } from './dependency-analyzer.js'\nimport { computeQueryHash } from './query-hash.js'\nimport type { MaterializedViewStrategy, MVQueryContext } from './types.js'\n\n/**\n * One registered MV strategy alongside its derived metadata. Stored\n * type-erased on `TRow` so the registry can hold heterogeneous MVs.\n */\nexport interface RegisteredMV {\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  readonly spec: MaterializedViewStrategy<any>\n  /** Output collection name (`spec.output?.collection ?? spec.name`). */\n  readonly outputCollection: string\n  /** Set of source collections; populated at registration via the analyzer. */\n  readonly dependencies: ReadonlySet<string>\n  /** Canonical `queryHash` — `_materializedFrom.queryHash` for every emitted row. */\n  readonly queryHash: string\n  /**\n   * Top-level FieldClauses on the partition field, captured at\n   * registration time. Used by the cycle detector to resolve\n   * same-collection-as-source edges via the partition-discriminator\n   * check (#152). Empty when `spec.output?.partition` is undefined.\n   */\n  readonly partitionClauses: readonly FieldClause[]\n}\n\n/**\n * Vault-internal registry of MV strategies. Owned by `Vault`; not\n * exported. Parallel to v1's `DerivationRegistry`; the two graphs share\n * a single cycle-detection pass at vault open (see `validate`).\n *\n * @internal\n */\nexport class MaterializedViewRegistry {\n  /** Keyed by `spec.name`. */\n  private readonly _byName = new Map<string, RegisteredMV>()\n  /** Keyed by dependency source-collection → MVs that depend on it. */\n  private readonly _bySource = new Map<string, RegisteredMV[]>()\n\n  /**\n   * Register an MV. Invokes `spec.query()` once at registration time to\n   * read the plan + join context; the resulting `Query<T>` is discarded\n   * after dependency extraction. `vault.collection(...)` must therefore\n   * be functional by the time this runs — typically wired from\n   * `Vault._initMaterializedViews` after collection bootstrap.\n   *\n   * Throws `MaterializedViewSourceUnknownError` if the analyzer\n   * surfaces a dependency the vault doesn't know about (when a\n   * `knownCollections` checker is supplied).\n   */\n  async register(\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    spec: MaterializedViewStrategy<any>,\n    db: MVQueryContext,\n    options?: { knownCollections?: (name: string) => boolean },\n  ): Promise<void> {\n    // Build a predicate-aware db wrapper (#153). If `spec.predicates` is\n    // declared, the wrapper intercepts `.collection().query()` and\n    // attaches the predicates map to the resulting Query<T>. With no\n    // predicates declared, the wrapper is the original db unchanged.\n    const dbForQuery = spec.predicates ? wrapDbWithPredicates(db, spec.predicates) : db\n\n    // Invoke the query callback once to inspect its plan / dependencies.\n    // For Query<T> shapes the analyzer extracts deps + plan summary\n    // automatically. Aggregation / GroupedAggregation shapes don't\n    // expose the underlying Query, so the spec must declare `sources`\n    // explicitly. `partitionClauses` are only populated for Query<T>\n    // since same-collection-partition is a non-aggregate concern.\n    // UNION-form strategies (#165): dependencies and plan summary come\n    // straight off the strategy — no `query` callback to introspect.\n    // The dependency-analyzer + summarizer are bypassed entirely; the\n    // executor handles materialization via `materializeUnionResult`.\n    let dependencies: Set<string>\n    let queryPlanSummary: string\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    let qAny: any = null\n    let isQuery = false\n    if (spec.unionSources) {\n      dependencies = new Set(spec.unionSources.map(s => s.collection))\n      queryPlanSummary = summarizeUnionPlan(spec)\n    } else {\n      const q = spec.query!(dbForQuery)\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      qAny = q as any\n      isQuery = typeof qAny._plan === 'function'\n      if (isQuery) {\n        dependencies = analyzeDependencies(q)\n        queryPlanSummary = summarizeQueryPlan(q)\n        // Fold `.wherePredicate(name, ctx)` references into the plan\n        // summary so predicate function or ctx changes (signalled by\n        // bumping `hash` or supplying a different ctx) propagate into\n        // `queryHash` and force refresh on next visit.\n        const predicateRefs = extractPredicateRefs(qAny._plan())\n        if (predicateRefs.length > 0) {\n          queryPlanSummary = JSON.stringify({ plan: queryPlanSummary, predicates: predicateRefs })\n        }\n        // If `sources` is ALSO declared, take the union (consumer's\n        // explicit list extends the auto-analyzed set).\n        if (spec.sources) for (const s of spec.sources) dependencies.add(s)\n      } else {\n        // Aggregate shape: require explicit `sources`.\n        if (!spec.sources || spec.sources.length === 0) {\n          throw new Error(\n            `withMaterializedView \"${spec.name}\": query() returned an aggregate ` +\n              `(Aggregation or GroupedAggregation) but no \\`sources\\` field is declared. ` +\n              `The dependency analyzer cannot walk through groupBy().aggregate() ` +\n              `back to the source — declare sources: [...] explicitly.`,\n          )\n        }\n        dependencies = new Set(spec.sources)\n        // Aggregate plans don't carry a chainable query plan for summary\n        // purposes; the dep-set + spec.name serve as the queryHash inputs.\n        queryPlanSummary = JSON.stringify({ aggregate: true, sources: [...spec.sources].sort() })\n      }\n    }\n\n    // Sanity-check declared dependencies against the vault's known\n    // collections. Optional — when the checker isn't supplied (test\n    // wiring, in-process composition) the registration succeeds and\n    // any typo surfaces at first onSourceWrite as a no-op.\n    if (options?.knownCollections) {\n      for (const dep of dependencies) {\n        if (!options.knownCollections(dep)) {\n          throw new MaterializedViewSourceUnknownError(spec.name, dep)\n        }\n      }\n    }\n\n    const outputCollection = spec.output?.collection ?? spec.name\n    const queryHash = await computeQueryHash(spec.name, dependencies, queryPlanSummary)\n    // For same-collection-as-source MVs, capture the where-clauses on\n    // the partition field so cycle detection can prove disjointness.\n    // Only applicable to Query<T> shapes — aggregate MVs don't carry\n    // a chainable plan to inspect (and same-collection aggregation\n    // doesn't make sense in the niwat use cases that motivated #152).\n    const partitionClauses: FieldClause[] = []\n    const partitionField = spec.output?.partition?.field\n    if (partitionField !== undefined && isQuery) {\n      const plan = qAny._plan()\n      for (const clause of plan.clauses) {\n        if (isFieldClauseOnField(clause, partitionField)) partitionClauses.push(clause)\n      }\n    }\n    const reg: RegisteredMV = { spec, outputCollection, dependencies, queryHash, partitionClauses }\n\n    this._byName.set(spec.name, reg)\n    for (const dep of dependencies) {\n      const arr = this._bySource.get(dep)\n      if (arr) arr.push(reg)\n      else this._bySource.set(dep, [reg])\n    }\n  }\n\n  /** All MVs that depend on `source`, in registration order. */\n  mvsForSource(source: string): ReadonlyArray<RegisteredMV> {\n    return this._bySource.get(source) ?? []\n  }\n\n  /** Single MV by name, or `undefined`. */\n  byName(name: string): RegisteredMV | undefined {\n    return this._byName.get(name)\n  }\n\n  /** Iterate over every registered MV. */\n  all(): ReadonlyArray<RegisteredMV> {\n    return [...this._byName.values()]\n  }\n\n  /**\n   * Cycle detection over the combined derivation + MV graph. Edges:\n   *   - Derivation: derivation.source → output.collection (each output)\n   *   - MV: every dep in MV.dependencies → MV.outputCollection\n   *\n   * Throws `MaterializedViewCycleError` if the cycle's terminal node\n   * is an MV output collection; otherwise (a pure-derivation cycle)\n   * the caller's `DerivationRegistry.validate()` will surface\n   * `DerivationCycleError` separately at vault open.\n   *\n   * Call AFTER all `register()` calls complete.\n   */\n  validate(derivationRegistry?: DerivationRegistry | null): void {\n    const visited = new Set<string>()\n    const stack: string[] = []\n    const mvOutputs = new Set<string>()\n    for (const reg of this._byName.values()) mvOutputs.add(reg.outputCollection)\n\n    const edges = new Map<string, string[]>()\n\n    // MV edges: every dep → output. Same-collection edges (dep ===\n    // outputCollection) are skipped IFF the MV declares an\n    // `output.partition` discriminator AND the query has a where-clause\n    // that provably excludes the partition value. Otherwise the cycle\n    // detector treats the edge as real — naïve same-collection MVs\n    // surface as `MaterializedViewCycleError`.\n    for (const reg of this._byName.values()) {\n      for (const dep of reg.dependencies) {\n        if (dep === reg.outputCollection && partitionDisjoint(reg)) continue\n        const arr = edges.get(dep)\n        if (arr) arr.push(reg.outputCollection)\n        else edges.set(dep, [reg.outputCollection])\n      }\n    }\n\n    // Derivation edges: source → output collections\n    if (derivationRegistry) {\n      // The shared DerivationRegistry exposes its edges via the same\n      // `strategiesForSource` API its own `validate()` uses. We don't\n      // duplicate cycle detection — we add MV nodes to the graph and\n      // run the unified DFS, attributing cycles that touch an MV\n      // output to `MaterializedViewCycleError`.\n      for (const reg of this._byName.values()) {\n        // Walk every dependency through derivation edges too: a\n        // derivation whose output we depend on is itself a source.\n        void reg\n      }\n      // Pull derivation edges by scanning every MV dep + every MV\n      // output as potential derivation sources.\n      const sourcesToScan = new Set<string>()\n      for (const reg of this._byName.values()) {\n        for (const dep of reg.dependencies) sourcesToScan.add(dep)\n        sourcesToScan.add(reg.outputCollection)\n      }\n      for (const src of sourcesToScan) {\n        const strategies = derivationRegistry.strategiesForSource(src)\n        if (strategies.length === 0) continue\n        for (const s of strategies) {\n          for (const key of Object.keys(s.spec.outputs)) {\n            const o = s.spec.outputs[key]\n            if (!o) continue\n            const arr = edges.get(src)\n            if (arr) arr.push(o.collection)\n            else edges.set(src, [o.collection])\n          }\n        }\n      }\n    }\n\n    const visit = (node: string): void => {\n      if (stack.includes(node)) {\n        const cycle = stack.slice(stack.indexOf(node)).concat(node)\n        // If any node on the cycle is an MV output, attribute as MV\n        // cycle. Otherwise let DerivationRegistry.validate() surface it.\n        if (cycle.some(n => mvOutputs.has(n))) {\n          throw new MaterializedViewCycleError(cycle)\n        }\n        // Pure-derivation cycle — caller's DerivationRegistry.validate()\n        // will catch it separately. Don't double-report.\n        return\n      }\n      if (visited.has(node)) return\n      stack.push(node)\n      const outs = edges.get(node)\n      if (outs) for (const o of outs) visit(o)\n      stack.pop()\n      visited.add(node)\n    }\n\n    for (const node of edges.keys()) visit(node)\n  }\n}\n\n/**\n * Type guard: is the clause a top-level `FieldClause` on the given\n * field? Used by the partition-disjoint check.\n *\n * @internal\n */\nfunction isFieldClauseOnField(clause: Clause, field: string): clause is FieldClause {\n  return clause.type === 'field' && clause.field === field\n}\n\n/**\n * Wrap an `MVQueryContext` so its `.collection().query()` returns a\n * Query<T> with the MV's declared predicates attached. Bare Queries\n * (outside of any MV) don't gain `.wherePredicate()` — only Queries\n * obtained through this wrapped db do.\n *\n * @internal\n */\nexport function wrapDbWithPredicates(\n  db: MVQueryContext,\n  predicates: NonNullable<MaterializedViewStrategy<Record<string, unknown>>['predicates']>,\n): MVQueryContext {\n  // Build the predicate map once — the fn signature in the MV spec\n  // is row-typed but the QueryBuilder casts to unknown, so we widen\n  // here for the Map.\n  const map = new Map<string, DeclaredPredicate>()\n  for (const [name, decl] of Object.entries(predicates)) {\n    map.set(name, {\n      hash: decl.hash,\n      fn: decl.fn as (record: unknown, ctx?: unknown) => boolean,\n    })\n  }\n  return {\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    collection<T extends Record<string, unknown>>(name: string): any {\n      const c = db.collection<T>(name)\n      // Return an object that delegates everything to `c` but\n      // overrides `.query()` to attach predicates via the new\n      // `Query._withPredicates()` accessor.\n      return new Proxy(c, {\n        get(target, prop, receiver) {\n          if (prop === 'query') {\n            return (...args: unknown[]) => {\n              // eslint-disable-next-line @typescript-eslint/no-explicit-any\n              const q = (target.query as any)(...args)\n              // For non-aggregate Query<T>, attach predicates. For\n              // legacy predicate-arg overload that returns T[] (sync\n              // filter), pass through unchanged.\n               \n              if (q && typeof q._withPredicates === 'function') {\n                return q._withPredicates(map)\n              }\n              return q\n            }\n          }\n          return Reflect.get(target, prop, receiver)\n        },\n      })\n    },\n  }\n}\n\n/**\n * Walk a QueryPlan's clauses and collect predicate-reference markers\n * for `queryHash` derivation. Returns a sorted array (deterministic\n * order) of `{ name, predicateHash, ctxHash }` tuples — these are the\n * hashable identity of each `.wherePredicate()` call site.\n *\n * @internal\n */\nfunction extractPredicateRefs(\n  plan: { clauses: readonly Clause[] },\n): Array<{ name: string; predicateHash: string; ctxHash: string }> {\n  const refs: Array<{ name: string; predicateHash: string; ctxHash: string }> = []\n  const walk = (clauses: readonly Clause[]): void => {\n    for (const c of clauses) {\n      if (c.type === 'wherePredicate') {\n        refs.push({ name: c.name, predicateHash: c.predicateHash, ctxHash: c.ctxHash })\n      } else if (c.type === 'group') {\n        walk(c.clauses)\n      }\n    }\n  }\n  walk(plan.clauses)\n  // Stable-sort by (name, predicateHash, ctxHash) — same predicate\n  // appearing twice with different ctx hashes both flow through.\n  refs.sort((a, b) => {\n    if (a.name !== b.name) return a.name < b.name ? -1 : 1\n    if (a.predicateHash !== b.predicateHash) return a.predicateHash < b.predicateHash ? -1 : 1\n    return a.ctxHash < b.ctxHash ? -1 : a.ctxHash > b.ctxHash ? 1 : 0\n  })\n  return refs\n}\n\n/**\n * Provability check for the same-collection partition-discriminator\n * (#152, spec § Same-collection-as-source MV). Returns `true` when\n * the captured partition clauses on the MV's query provably exclude\n * the partition's value — meaning the input filter and the output\n * partition are disjoint and the same-collection edge isn't really a\n * cycle.\n *\n * Supported provability shapes (narrow on purpose — niwat's DERIV-\n * PP30-001 is the load-bearing case):\n *\n * - `.where(field, '==', X)` where X !== partition.value → disjoint\n * - `.where(field, '!=', partition.value)` → disjoint\n * - `.where(field, 'in', [...])` where partition.value NOT in list → disjoint\n *\n * Anything else (no clause on the partition field, an 'in' list that\n * contains partition.value, unsupported operators) → not disjoint,\n * the cycle detector surfaces `MaterializedViewCycleError`.\n *\n * @internal\n */\nfunction partitionDisjoint(reg: RegisteredMV): boolean {\n  const partition = reg.spec.output?.partition\n  if (partition === undefined) return false\n  const value = partition.value\n  // The OR-semantics of multiple where-clauses on the same field\n  // would muddy this check. v2 only treats AND-chained clauses;\n  // any clause that proves disjoint is sufficient.\n  for (const c of reg.partitionClauses) {\n    if (c.op === '==' && c.value !== value) return true\n    if (c.op === '!=' && c.value === value) return true\n    if (c.op === 'in' && Array.isArray(c.value)) {\n      const list = c.value as readonly unknown[]\n      if (!list.includes(value)) return true\n    }\n  }\n  return false\n}\n"],"mappings":";;;;;;AAsBO,SAAS,oBAAoB,OAAgC;AAClE,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,OAAO,MAAM,MAAM;AACzB,QAAM,MAAM,MAAM,aAAa;AAG/B,MAAI,KAAK,gBAAgB;AACvB,SAAK,IAAI,IAAI,cAAc;AAAA,EAC7B;AAGA,aAAW,OAAO,KAAK,OAAO;AAC5B,SAAK,IAAI,IAAI,MAAM;AAAA,EACrB;AAKA,sBAAoB,MAAM,MAAM,GAAG;AAEnC,SAAO;AACT;AAEA,SAAS,oBACP,MACA,MACA,KACM;AACN,OAAK;AAIL,aAAW,UAAU,KAAK,SAAS;AACjC,QAAI,OAAO,SAAS,SAAS;AAAA,IAI7B;AAAA,EACF;AACF;AAaO,SAAS,mBAAmB,OAA2B;AAC5D,QAAM,OAAO,MAAM,MAAM;AACzB,QAAM,MAAM,MAAM,aAAa;AAC/B,SAAO,KAAK,UAAU;AAAA,IACpB,MAAM,KAAK,kBAAkB;AAAA,IAC7B,SAAS,KAAK;AAAA,IACd,SAAS,KAAK;AAAA,IACd,OAAO,KAAK,SAAS;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK,MAAM,IAAI,QAAM,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,IAAI,QAAQ,EAAE,QAAQ,MAAM,EAAE,KAAK,EAAE;AAAA,EAC3F,CAAC;AACH;AA0BO,SAAS,mBACd,MACQ;AACR,QAAM,QAAQ,KAAK,gBAAgB,CAAC,GACjC,IAAI,OAAK,EAAE,UAAU,EACrB,KAAK,GAAG;AACX,QAAM,UAAkB,MAAM,QAAQ,KAAK,OAAO,IAC9C,CAAC,GAAG,KAAK,OAAO,EAAE,KAAK,EAAE,KAAK,GAAG,IACjC,OAAO,KAAK,YAAY,WACtB,KAAK,UACL;AACN,QAAM,UAAU,KAAK,YAAY,OAAO,KAAK,KAAK,SAAS,EAAE,KAAK,EAAE,KAAK,GAAG,IAAI;AAChF,SAAO,SAAS,IAAI,aAAa,OAAO,eAAe,OAAO;AAChE;;;AClHA,eAAsB,iBACpB,QAKA,cAQA,kBACiB;AACjB,QAAM,YAAY,KAAK,UAAU;AAAA,IAC/B;AAAA,IACA,cAAc,CAAC,GAAG,YAAY,EAAE,KAAK;AAAA,IACrC;AAAA,EACF,CAAC;AACD,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,SAAS;AAChD,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK;AAC1D,SAAO,MAAM,KAAK,IAAI,WAAW,MAAM,CAAC,EACrC,IAAI,OAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EACxC,KAAK,EAAE;AACZ;AAUO,SAAS,sBAAsB,MAAuB;AAC3D,SAAO,KAAK,UAAU,MAAM,CAAC,MAAM,UAAU;AAC3C,QAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,YAAM,SAAkC,CAAC;AACzC,iBAAW,KAAK,OAAO,KAAK,KAAgC,EAAE,KAAK,GAAG;AACpE,eAAO,CAAC,IAAK,MAAkC,CAAC;AAAA,MAClD;AACA,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,CAAC;AACH;;;ACpBO,IAAM,2BAAN,MAA+B;AAAA;AAAA,EAEnB,UAAU,oBAAI,IAA0B;AAAA;AAAA,EAExC,YAAY,oBAAI,IAA4B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa7D,MAAM,SAEJ,MACA,IACA,SACe;AAKf,UAAM,aAAa,KAAK,aAAa,qBAAqB,IAAI,KAAK,UAAU,IAAI;AAYjF,QAAI;AACJ,QAAI;AAEJ,QAAI,OAAY;AAChB,QAAI,UAAU;AACd,QAAI,KAAK,cAAc;AACrB,qBAAe,IAAI,IAAI,KAAK,aAAa,IAAI,OAAK,EAAE,UAAU,CAAC;AAC/D,yBAAmB,mBAAmB,IAAI;AAAA,IAC5C,OAAO;AACL,YAAM,IAAI,KAAK,MAAO,UAAU;AAEhC,aAAO;AACP,gBAAU,OAAO,KAAK,UAAU;AAChC,UAAI,SAAS;AACX,uBAAe,oBAAoB,CAAC;AACpC,2BAAmB,mBAAmB,CAAC;AAKvC,cAAM,gBAAgB,qBAAqB,KAAK,MAAM,CAAC;AACvD,YAAI,cAAc,SAAS,GAAG;AAC5B,6BAAmB,KAAK,UAAU,EAAE,MAAM,kBAAkB,YAAY,cAAc,CAAC;AAAA,QACzF;AAGA,YAAI,KAAK,QAAS,YAAW,KAAK,KAAK,QAAS,cAAa,IAAI,CAAC;AAAA,MACpE,OAAO;AAEL,YAAI,CAAC,KAAK,WAAW,KAAK,QAAQ,WAAW,GAAG;AAC9C,gBAAM,IAAI;AAAA,YACR,yBAAyB,KAAK,IAAI;AAAA,UAIpC;AAAA,QACF;AACA,uBAAe,IAAI,IAAI,KAAK,OAAO;AAGnC,2BAAmB,KAAK,UAAU,EAAE,WAAW,MAAM,SAAS,CAAC,GAAG,KAAK,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,MAC1F;AAAA,IACF;AAMA,QAAI,SAAS,kBAAkB;AAC7B,iBAAW,OAAO,cAAc;AAC9B,YAAI,CAAC,QAAQ,iBAAiB,GAAG,GAAG;AAClC,gBAAM,IAAI,mCAAmC,KAAK,MAAM,GAAG;AAAA,QAC7D;AAAA,MACF;AAAA,IACF;AAEA,UAAM,mBAAmB,KAAK,QAAQ,cAAc,KAAK;AACzD,UAAM,YAAY,MAAM,iBAAiB,KAAK,MAAM,cAAc,gBAAgB;AAMlF,UAAM,mBAAkC,CAAC;AACzC,UAAM,iBAAiB,KAAK,QAAQ,WAAW;AAC/C,QAAI,mBAAmB,UAAa,SAAS;AAC3C,YAAM,OAAO,KAAK,MAAM;AACxB,iBAAW,UAAU,KAAK,SAAS;AACjC,YAAI,qBAAqB,QAAQ,cAAc,EAAG,kBAAiB,KAAK,MAAM;AAAA,MAChF;AAAA,IACF;AACA,UAAM,MAAoB,EAAE,MAAM,kBAAkB,cAAc,WAAW,iBAAiB;AAE9F,SAAK,QAAQ,IAAI,KAAK,MAAM,GAAG;AAC/B,eAAW,OAAO,cAAc;AAC9B,YAAM,MAAM,KAAK,UAAU,IAAI,GAAG;AAClC,UAAI,IAAK,KAAI,KAAK,GAAG;AAAA,UAChB,MAAK,UAAU,IAAI,KAAK,CAAC,GAAG,CAAC;AAAA,IACpC;AAAA,EACF;AAAA;AAAA,EAGA,aAAa,QAA6C;AACxD,WAAO,KAAK,UAAU,IAAI,MAAM,KAAK,CAAC;AAAA,EACxC;AAAA;AAAA,EAGA,OAAO,MAAwC;AAC7C,WAAO,KAAK,QAAQ,IAAI,IAAI;AAAA,EAC9B;AAAA;AAAA,EAGA,MAAmC;AACjC,WAAO,CAAC,GAAG,KAAK,QAAQ,OAAO,CAAC;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,SAAS,oBAAsD;AAC7D,UAAM,UAAU,oBAAI,IAAY;AAChC,UAAM,QAAkB,CAAC;AACzB,UAAM,YAAY,oBAAI,IAAY;AAClC,eAAW,OAAO,KAAK,QAAQ,OAAO,EAAG,WAAU,IAAI,IAAI,gBAAgB;AAE3E,UAAM,QAAQ,oBAAI,IAAsB;AAQxC,eAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,iBAAW,OAAO,IAAI,cAAc;AAClC,YAAI,QAAQ,IAAI,oBAAoB,kBAAkB,GAAG,EAAG;AAC5D,cAAM,MAAM,MAAM,IAAI,GAAG;AACzB,YAAI,IAAK,KAAI,KAAK,IAAI,gBAAgB;AAAA,YACjC,OAAM,IAAI,KAAK,CAAC,IAAI,gBAAgB,CAAC;AAAA,MAC5C;AAAA,IACF;AAGA,QAAI,oBAAoB;AAMtB,iBAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AAGvC,aAAK;AAAA,MACP;AAGA,YAAM,gBAAgB,oBAAI,IAAY;AACtC,iBAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,mBAAW,OAAO,IAAI,aAAc,eAAc,IAAI,GAAG;AACzD,sBAAc,IAAI,IAAI,gBAAgB;AAAA,MACxC;AACA,iBAAW,OAAO,eAAe;AAC/B,cAAM,aAAa,mBAAmB,oBAAoB,GAAG;AAC7D,YAAI,WAAW,WAAW,EAAG;AAC7B,mBAAW,KAAK,YAAY;AAC1B,qBAAW,OAAO,OAAO,KAAK,EAAE,KAAK,OAAO,GAAG;AAC7C,kBAAM,IAAI,EAAE,KAAK,QAAQ,GAAG;AAC5B,gBAAI,CAAC,EAAG;AACR,kBAAM,MAAM,MAAM,IAAI,GAAG;AACzB,gBAAI,IAAK,KAAI,KAAK,EAAE,UAAU;AAAA,gBACzB,OAAM,IAAI,KAAK,CAAC,EAAE,UAAU,CAAC;AAAA,UACpC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,CAAC,SAAuB;AACpC,UAAI,MAAM,SAAS,IAAI,GAAG;AACxB,cAAM,QAAQ,MAAM,MAAM,MAAM,QAAQ,IAAI,CAAC,EAAE,OAAO,IAAI;AAG1D,YAAI,MAAM,KAAK,OAAK,UAAU,IAAI,CAAC,CAAC,GAAG;AACrC,gBAAM,IAAI,2BAA2B,KAAK;AAAA,QAC5C;AAGA;AAAA,MACF;AACA,UAAI,QAAQ,IAAI,IAAI,EAAG;AACvB,YAAM,KAAK,IAAI;AACf,YAAM,OAAO,MAAM,IAAI,IAAI;AAC3B,UAAI,KAAM,YAAW,KAAK,KAAM,OAAM,CAAC;AACvC,YAAM,IAAI;AACV,cAAQ,IAAI,IAAI;AAAA,IAClB;AAEA,eAAW,QAAQ,MAAM,KAAK,EAAG,OAAM,IAAI;AAAA,EAC7C;AACF;AAQA,SAAS,qBAAqB,QAAgB,OAAsC;AAClF,SAAO,OAAO,SAAS,WAAW,OAAO,UAAU;AACrD;AAUO,SAAS,qBACd,IACA,YACgB;AAIhB,QAAM,MAAM,oBAAI,IAA+B;AAC/C,aAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACrD,QAAI,IAAI,MAAM;AAAA,MACZ,MAAM,KAAK;AAAA,MACX,IAAI,KAAK;AAAA,IACX,CAAC;AAAA,EACH;AACA,SAAO;AAAA;AAAA,IAEL,WAA8C,MAAmB;AAC/D,YAAM,IAAI,GAAG,WAAc,IAAI;AAI/B,aAAO,IAAI,MAAM,GAAG;AAAA,QAClB,IAAI,QAAQ,MAAM,UAAU;AAC1B,cAAI,SAAS,SAAS;AACpB,mBAAO,IAAI,SAAoB;AAE7B,oBAAM,IAAK,OAAO,MAAc,GAAG,IAAI;AAKvC,kBAAI,KAAK,OAAO,EAAE,oBAAoB,YAAY;AAChD,uBAAO,EAAE,gBAAgB,GAAG;AAAA,cAC9B;AACA,qBAAO;AAAA,YACT;AAAA,UACF;AACA,iBAAO,QAAQ,IAAI,QAAQ,MAAM,QAAQ;AAAA,QAC3C;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAUA,SAAS,qBACP,MACiE;AACjE,QAAM,OAAwE,CAAC;AAC/E,QAAM,OAAO,CAAC,YAAqC;AACjD,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,SAAS,kBAAkB;AAC/B,aAAK,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,EAAE,eAAe,SAAS,EAAE,QAAQ,CAAC;AAAA,MAChF,WAAW,EAAE,SAAS,SAAS;AAC7B,aAAK,EAAE,OAAO;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACA,OAAK,KAAK,OAAO;AAGjB,OAAK,KAAK,CAAC,GAAG,MAAM;AAClB,QAAI,EAAE,SAAS,EAAE,KAAM,QAAO,EAAE,OAAO,EAAE,OAAO,KAAK;AACrD,QAAI,EAAE,kBAAkB,EAAE,cAAe,QAAO,EAAE,gBAAgB,EAAE,gBAAgB,KAAK;AACzF,WAAO,EAAE,UAAU,EAAE,UAAU,KAAK,EAAE,UAAU,EAAE,UAAU,IAAI;AAAA,EAClE,CAAC;AACD,SAAO;AACT;AAuBA,SAAS,kBAAkB,KAA4B;AACrD,QAAM,YAAY,IAAI,KAAK,QAAQ;AACnC,MAAI,cAAc,OAAW,QAAO;AACpC,QAAM,QAAQ,UAAU;AAIxB,aAAW,KAAK,IAAI,kBAAkB;AACpC,QAAI,EAAE,OAAO,QAAQ,EAAE,UAAU,MAAO,QAAO;AAC/C,QAAI,EAAE,OAAO,QAAQ,EAAE,UAAU,MAAO,QAAO;AAC/C,QAAI,EAAE,OAAO,QAAQ,MAAM,QAAQ,EAAE,KAAK,GAAG;AAC3C,YAAM,OAAO,EAAE;AACf,UAAI,CAAC,KAAK,SAAS,KAAK,EAAG,QAAO;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;","names":[]}

package/dist/chunk-UMLVJTYV.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/guards/read-only-facade.ts"],"sourcesContent":["import type { Vault } from '../vault.js'\nimport type { Query } from '../query/builder.js'\nimport type { ReadOnlyVaultFacade as ReadOnlyVaultFacadeContract } from './types.js'\n\n/**\n * Minimal read-only wrapper over a `Vault`. Used as `ctx.vault` inside\n * guard callbacks so they can fetch related records without acquiring\n * any write capability.\n */\nexport class ReadOnlyVaultFacade implements ReadOnlyVaultFacadeContract {\n  private readonly _vault: Vault\n\n  constructor(vault: Vault) {\n    this._vault = vault\n  }\n\n  collection<T = unknown>(name: string): {\n    get(id: string): Promise<T | null>\n    list(): Promise<T[]>\n    query(): Query<T>\n  } {\n    const c = this._vault.collection<T>(name)\n    return {\n      get: (id: string) => c.get(id),\n      list: () => c.list(),\n      query: () => c.query(),\n    }\n  }\n}\n"],"mappings":";AASO,IAAM,sBAAN,MAAiE;AAAA,EACrD;AAAA,EAEjB,YAAY,OAAc;AACxB,SAAK,SAAS;AAAA,EAChB;AAAA,EAEA,WAAwB,MAItB;AACA,UAAM,IAAI,KAAK,OAAO,WAAc,IAAI;AACxC,WAAO;AAAA,MACL,KAAK,CAAC,OAAe,EAAE,IAAI,EAAE;AAAA,MAC7B,MAAM,MAAM,EAAE,KAAK;AAAA,MACnB,OAAO,MAAM,EAAE,MAAM;AAAA,IACvB;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-UND4XIB6.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/persisted-schemas/storage.ts","../src/team/managed-passphrase.ts"],"sourcesContent":["/**\n * Read / write the per-collection persisted-schema envelope. Mirrors the\n * standard noy-db record envelope shape and is **AES-GCM encrypted with\n * the collection's DEK** — the schema body (field names, enum values,\n * constraints) is sensitive metadata, so it gets the same encryption\n * envelope as the records it describes.\n *\n * Storage layout:\n *\n *   <vault>/_schemas/<collection>   →   EncryptedEnvelope\n *\n * The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}\n * is the same key the collection uses for its records.\n *\n * @module\n */\n\nimport { encrypt, decrypt } from '../crypto.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { PersistedSchemaEnvelope } from './types.js'\n\n/** Reserved collection name where persisted schemas live. */\nexport const SCHEMAS_COLLECTION = '_schemas' as const\n\n/**\n * Read and decrypt the persisted-schema envelope for one collection.\n * Returns `undefined` when no envelope has been written or when decryption\n * fails (e.g. wrong DEK passed). Tolerates corrupted records — JSON parse\n * failures surface as `undefined`, mirroring `_meta/handle`'s contract.\n */\nexport async function loadPersistedSchema(\n  store: NoydbStore,\n  vault: string,\n  collection: string,\n  dek: CryptoKey,\n): Promise<PersistedSchemaEnvelope | undefined> {\n  const envelope = await store.get(vault, SCHEMAS_COLLECTION, collection)\n  if (!envelope) return undefined\n  try {\n    const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n    const parsed = JSON.parse(plaintext) as PersistedSchemaEnvelope\n    if (parsed._noydb_schema !== 1) return undefined\n    return parsed\n  } catch {\n    return undefined\n  }\n}\n\n/**\n * Encrypt and persist a schema envelope for one collection. Always\n * overwrites any prior write (callers gate on hash equality before calling\n * to avoid no-op writes).\n */\nexport async function savePersistedSchema(\n  store: NoydbStore,\n  vault: string,\n  collection: string,\n  dek: CryptoKey,\n  payload: PersistedSchemaEnvelope,\n): Promise<void> {\n  const json = JSON.stringify(payload)\n  const { iv, data } = await encrypt(json, dek)\n  const prior = await store.get(vault, SCHEMAS_COLLECTION, collection)\n  const env: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: (prior?._v ?? 0) + 1,\n    _ts: new Date().toISOString(),\n    _iv: iv,\n    _data: data,\n  }\n  await store.put(vault, SCHEMAS_COLLECTION, collection, env)\n}\n","/**\n * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.\n *\n * A vault mode where the passphrase is machine-generated and never\n * exposed to the user, sealed under a developer-provided\n * {@link SealingKeyProvider} (macOS Keychain, Windows Credential\n * Manager, libsecret, AWS KMS, …). The user has no secret to give\n * up to coercion — they can't reveal what they don't know.\n *\n * ## Components in this file\n *\n *   - {@link SealingKeyProvider} — the interface concrete providers\n *     implement. Provider implementations live OUTSIDE hub (per-\n *     platform packages).\n *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses\n *     a deterministic per-instance \"key\" so two providers with\n *     different ids cannot unseal each other's outputs.\n *   - {@link RecipientHint} — public material a sender uses to seal\n *     plaintext for a specific recipient; published by\n *     {@link RecipientSealer.publishRecipientHint} and transported\n *     out-of-band to the sender before bundle writes.\n *   - {@link RecipientSealer} — interface for asymmetric/granted\n *     providers that support recipient-target sealing (RSA-OAEP,\n *     cloud-KMS asymmetric, etc.); distinct from self-only\n *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).\n *   - {@link MemoryRecipientSealer} — in-process reference\n *     implementation of both `RecipientSealer` and\n *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;\n *     safe for tests and same-process sender/recipient scenarios.\n *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —\n *     plaintext envelope storage at `_meta/sealed-passphrase`.\n *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-\n *     GCM-bypassed patterns. The sealing layer (provider's job)\n *     is the security boundary; hub doesn't have a key to encrypt\n *     with at this layer — that's the whole point of the design.\n *   - {@link resolveManagedSecret} — orchestrates the \"generate +\n *     seal + persist on first open; unseal on reopen\" flow.\n *     Returns the plaintext passphrase string that the rest of the\n *     `createNoydb` keyring path consumes.\n *\n * Slice 1 of #14. Deferred to follow-ups:\n *   - Block `rotate-passphrase` policy gate under managed mode.\n *   - Mandatory strong-recovery enforcement (depends on #10).\n *   - Recovery flow under managed mode (generates fresh sealed phrase).\n *\n * @see docs/subsystems/session-tiers.md → Managed-passphrase mode\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/**\n * The contract concrete providers (per-platform key stores) implement\n * to seal and unseal a hub-generated random passphrase. The plaintext\n * passphrase NEVER leaves hub-controlled memory in unsealed form —\n * the provider receives the bytes, returns opaque sealed bytes, and\n * later reverses the operation. Hub treats the sealed bytes as\n * fully opaque.\n *\n * Implementations live OUTSIDE `@noy-db/hub` (separate packages\n * per the issue's \"Concrete providers (live outside hub)\" note):\n *\n * | Platform | Package (TBD) | Backing |\n * |---|---|---|\n * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |\n * | Windows | `@noy-db/seal-wincred` | Credential Manager |\n * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |\n * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |\n */\nexport interface SealingKeyProvider {\n  /**\n   * Non-sensitive identifier disclosed in the persisted envelope.\n   * Surfaced to consumers via `loadSealedPassphrase().providerId` so\n   * a vault opened with the wrong provider class can detect the\n   * mismatch and surface a clear error. NOT secret — fine to log.\n   *\n   * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,\n   * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never\n   * parses this; it's purely audit metadata.\n   */\n  readonly id: string\n\n  /** Seal raw passphrase bytes. Output bytes are opaque to hub. */\n  seal(passphrase: Uint8Array): Promise<Uint8Array>\n\n  /**\n   * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or\n   * any other failure — hub treats a thrown error as \"this provider\n   * cannot unlock this vault\" and surfaces it to the caller.\n   */\n  unseal(sealed: Uint8Array): Promise<Uint8Array>\n}\n\n/**\n * In-memory test provider. NOT secure — uses a deterministic\n * per-instance \"key\" (16-byte SHA-256 of `id`) XOR'd over the\n * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is\n * sufficient to make different `id` values produce mutually-unsealable\n * outputs (the contract tests for that), but offers ZERO real\n * confidentiality — never use outside tests.\n *\n * Replace with a real platform provider in production.\n */\nexport class MemorySealingKeyProvider implements SealingKeyProvider {\n  readonly id: string\n  private readonly fingerprint: Uint8Array\n  private readonly keyBytes: Uint8Array\n\n  constructor(opts: { id: string }) {\n    this.id = opts.id\n    // Deterministic 4-byte fingerprint of the provider id, prepended\n    // to every sealed output so we can detect \"wrong provider\" at\n    // unseal time without leaking anything sensitive about either\n    // provider's actual key material.\n    const encoded = new TextEncoder().encode(opts.id)\n    let h = 0\n    for (let i = 0; i < encoded.length; i++) {\n      h = (h * 31 + encoded[i]!) >>> 0\n    }\n    this.fingerprint = new Uint8Array([\n      (h >>> 24) & 0xff, (h >>> 16) & 0xff, (h >>> 8) & 0xff, h & 0xff,\n    ])\n    // Deterministic 16-byte \"key\" derived from the id by repeating\n    // the fingerprint with offsets. Good enough for the XOR-stream\n    // test cipher; never confuse this with real key derivation.\n    this.keyBytes = new Uint8Array(16)\n    for (let i = 0; i < 16; i++) {\n      this.keyBytes[i] = this.fingerprint[i % 4]! ^ (i * 17)\n    }\n  }\n\n  async seal(passphrase: Uint8Array): Promise<Uint8Array> {\n    const out = new Uint8Array(4 + passphrase.length)\n    out.set(this.fingerprint, 0)\n    for (let i = 0; i < passphrase.length; i++) {\n      out[4 + i] = passphrase[i]! ^ this.keyBytes[i % 16]!\n    }\n    return out\n  }\n\n  async unseal(sealed: Uint8Array): Promise<Uint8Array> {\n    if (sealed.length < 4) {\n      throw new Error('MemorySealingKeyProvider: sealed input too short')\n    }\n    for (let i = 0; i < 4; i++) {\n      if (sealed[i] !== this.fingerprint[i]) {\n        throw new Error(\n          `MemorySealingKeyProvider(\"${this.id}\"): provider-id mismatch on unseal `\n          + '(sealed bytes were produced by a different provider)',\n        )\n      }\n    }\n    const body = sealed.subarray(4)\n    const out = new Uint8Array(body.length)\n    for (let i = 0; i < body.length; i++) {\n      out[i] = body[i]! ^ this.keyBytes[i % 16]!\n    }\n    return out\n  }\n}\n\n/**\n * Public material a sender uses to seal-for-this-recipient. Published by\n * a recipient's RecipientSealer; transported to the sender out-of-band\n * (email, S3, in-app message). The sender obtains the hint, supplies it\n * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the\n * hub seals each user's credential against it. Per foundation §11.4.\n */\nexport type RecipientHint = {\n  readonly v: 1\n  /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */\n  readonly pid: string\n  /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */\n  readonly alg: 'rsa-oaep-sha256'\n  /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */\n  readonly material: Readonly<Record<string, unknown>>\n}\n\n/**\n * Handover-capable provider. Implemented additionally by asymmetric/granted\n * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).\n * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT\n * implement this — the §11.2 capability matrix lives in the type system.\n *\n * Per foundation §11.4. A function that requires recipient-target sealing\n * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects\n * passing a self-only provider at the spec site.\n */\nexport interface RecipientSealer {\n  readonly id: string\n  /** Produce hint material a sender uses to seal-for-this-recipient. */\n  publishRecipientHint(): Promise<RecipientHint>\n  /**\n   * Seal plaintext for the recipient described by `hint`. Returns opaque\n   * bytes — same contract as `SealingKeyProvider.seal()`. The bundle\n   * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`\n   * without inspecting them.\n   */\n  sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>\n}\n\n/**\n * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.\n * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte\n * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the\n * result into a self-describing TLV:\n *\n *   byte  0       : version (0x01)\n *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)\n *   bytes 257..268: AES-GCM IV (12 bytes)\n *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag\n *\n * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just\n * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient\n * for tests where one provider plays both ends. Real cloud providers\n * (`at-aws-kms`, etc.) will pick their own internal layouts; the only\n * contract is round-trip identity.\n *\n * SAFE for production within its scope — the cryptography is real\n * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process\n * and is regenerated on every construction. Not suitable as a managed\n * keychain; use it for tests and for shipping bundles where the\n * recipient instance lives in the same process as the sender (rare).\n */\nexport class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {\n  readonly id: string\n  private readonly keypair: Promise<CryptoKeyPair>\n\n  constructor(opts: { id: string }) {\n    this.id = opts.id\n    this.keypair = crypto.subtle.generateKey(\n      { name: 'RSA-OAEP', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n  }\n\n  async publishRecipientHint(): Promise<RecipientHint> {\n    const { publicKey } = await this.keypair\n    const spki = await crypto.subtle.exportKey('spki', publicKey)\n    const pem = '-----BEGIN PUBLIC KEY-----\\n'\n      + bytesToBase64(new Uint8Array(spki)).match(/.{1,64}/g)!.join('\\n')\n      + '\\n-----END PUBLIC KEY-----\\n'\n    return { v: 1, pid: this.id, alg: 'rsa-oaep-sha256', material: { publicKeyPem: pem } }\n  }\n\n  async sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array> {\n    if (hint.v !== 1) {\n      throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.v ${String(hint.v)} (expected 1)`)\n    }\n    if (hint.alg !== 'rsa-oaep-sha256') {\n      throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.alg '${String(hint.alg)}' (expected 'rsa-oaep-sha256')`)\n    }\n    const pem = hint.material['publicKeyPem']\n    if (typeof pem !== 'string') {\n      throw new Error('MemoryRecipientSealer.sealForRecipient: hint.material.publicKeyPem missing or not a string')\n    }\n    // Parse PEM → SPKI bytes.\n    const b64 = pem.replace(/-----BEGIN PUBLIC KEY-----/, '').replace(/-----END PUBLIC KEY-----/, '').replace(/\\s+/g, '')\n    const spki = base64ToBytes(b64)\n    const recipientPub = await crypto.subtle.importKey(\n      'spki', spki as BufferSource,\n      { name: 'RSA-OAEP', hash: 'SHA-256' },\n      false, ['encrypt'],\n    )\n    // Mint fresh CEK + IV, AES-GCM encrypt plaintext.\n    const cekBytes = crypto.getRandomValues(new Uint8Array(32))\n    const cek = await crypto.subtle.importKey('raw', cekBytes as BufferSource, 'AES-GCM', false, ['encrypt'])\n    const iv = crypto.getRandomValues(new Uint8Array(12))\n    const ct = new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-GCM', iv: iv as BufferSource }, cek, plaintext as BufferSource))\n    // RSA-OAEP-wrap the CEK bytes.\n    const wrapped = new Uint8Array(await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, recipientPub, cekBytes as BufferSource))\n    cekBytes.fill(0)\n    if (wrapped.length !== 256) {\n      throw new Error(`MemoryRecipientSealer.sealForRecipient: expected 256-byte RSA-OAEP wrap, got ${wrapped.length}`)\n    }\n    // TLV layout.\n    const out = new Uint8Array(1 + 256 + 12 + ct.length)\n    out[0] = 0x01\n    out.set(wrapped, 1)\n    out.set(iv, 1 + 256)\n    out.set(ct, 1 + 256 + 12)\n    return out\n  }\n\n  async seal(plaintext: Uint8Array): Promise<Uint8Array> {\n    const hint = await this.publishRecipientHint()\n    return this.sealForRecipient(plaintext, hint)\n  }\n\n  async unseal(bytes: Uint8Array): Promise<Uint8Array> {\n    if (bytes.length < 1 + 256 + 12 + 16) {\n      throw new Error('MemoryRecipientSealer.unseal: sealed input too short')\n    }\n    if (bytes[0] !== 0x01) {\n      throw new Error(`MemoryRecipientSealer.unseal: unknown TLV version ${bytes[0]}`)\n    }\n    const wrapped = bytes.subarray(1, 1 + 256)\n    const iv = bytes.subarray(1 + 256, 1 + 256 + 12)\n    const ct = bytes.subarray(1 + 256 + 12)\n    const { privateKey } = await this.keypair\n    const cekBytes = new Uint8Array(await crypto.subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, wrapped as BufferSource))\n    const cek = await crypto.subtle.importKey('raw', cekBytes as BufferSource, 'AES-GCM', false, ['decrypt'])\n    const pt = new Uint8Array(await crypto.subtle.decrypt({ name: 'AES-GCM', iv: iv as BufferSource }, cek, ct as BufferSource))\n    cekBytes.fill(0)\n    return pt\n  }\n}\n\n// ─── Persisted envelope ────────────────────────────────────────────────\n\n/** Reserved id for the managed-passphrase envelope under `_meta`. */\nexport const SEALED_PASSPHRASE_RECORD_ID = 'sealed-passphrase' as const\n\n/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */\nexport interface SealedPassphrase {\n  readonly _noydb_sealed: 1\n  readonly providerId: string\n  /** Sealed bytes. Base64-encoded on the wire; decoded on load. */\n  readonly sealed: Uint8Array\n}\n\n/**\n * Wire-format envelope persisted at `_meta/sealed-passphrase` for\n * managed-mode vaults. The provider produces raw sealed bytes via\n * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch\n * metadata hub needs to pick the right provider on the unseal path.\n *\n * Stability boundary: once shipped, the wire format only grows by\n * adding optional fields. See the at-* sealing dimension foundation\n * doc, §11.9.1.\n *\n * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.\n *\n * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`\n * — accepted on read for backwards compatibility; never produced on\n * write going forward.\n */\nexport interface SealedEnvelope {\n  /** Envelope schema version. v1 is the shape shipped in pre.16. */\n  readonly v: 1\n  /** Magic marker for forensics + legacy-shape detection. */\n  readonly _noydb_sealed: 1\n  /** Matches the producing provider's `.id`. Dispatch key on unseal. */\n  readonly pid: string\n  /** Sealed bytes from the provider, base64-encoded on the wire. */\n  readonly payload: string\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n  let binary = ''\n  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]!)\n  return btoa(binary)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  const binary = atob(b64)\n  const out = new Uint8Array(binary.length)\n  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i)\n  return out\n}\n\n/**\n * Parse a `_meta/sealed-passphrase` `_data` JSON string into the\n * in-memory {@link SealedPassphrase} representation. Accepts both:\n *\n *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —\n *      the shape produced from pre.16 onward.\n *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —\n *      the shape produced in pre.14/pre.15. Read-only; never written\n *      going forward.\n *\n * Returns `undefined` for any input that doesn't match either shape,\n * so callers can fall back to \"no managed-mode envelope present.\"\n *\n * @internal — exported only for the migration safety-net test suite.\n */\nexport function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined {\n  if (typeof raw !== 'object' || raw === null) return undefined\n  const r = raw as Record<string, unknown>\n  if (r._noydb_sealed !== 1) return undefined\n\n  // v1 shape — preferred.\n  if (\n    r.v === 1\n    && typeof r.pid === 'string'\n    && typeof r.payload === 'string'\n  ) {\n    return {\n      _noydb_sealed: 1,\n      providerId: r.pid,\n      sealed: base64ToBytes(r.payload),\n    }\n  }\n\n  // Legacy shape — pre.14 / pre.15. Accept on read for compat.\n  if (\n    typeof r.providerId === 'string'\n    && typeof r.sealed === 'string'\n  ) {\n    return {\n      _noydb_sealed: 1,\n      providerId: r.providerId,\n      sealed: base64ToBytes(r.sealed),\n    }\n  }\n\n  return undefined\n}\n\nexport async function saveSealedPassphrase(\n  store: NoydbStore,\n  vault: string,\n  payload: { readonly providerId: string; readonly sealed: Uint8Array },\n): Promise<void> {\n  const persisted: SealedEnvelope = {\n    v: 1,\n    _noydb_sealed: 1,\n    pid: payload.providerId,\n    payload: bytesToBase64(payload.sealed),\n  }\n  const prior = await store.get(vault, '_meta', SEALED_PASSPHRASE_RECORD_ID)\n  const env: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: (prior?._v ?? 0) + 1,\n    _ts: new Date().toISOString(),\n    // AES-GCM bypassed — the sealing layer is the security boundary.\n    _iv: '',\n    _data: JSON.stringify(persisted),\n  }\n  await store.put(vault, '_meta', SEALED_PASSPHRASE_RECORD_ID, env)\n}\n\nexport async function loadSealedPassphrase(\n  store: NoydbStore,\n  vault: string,\n): Promise<SealedPassphrase | undefined> {\n  const envelope = await store.get(vault, '_meta', SEALED_PASSPHRASE_RECORD_ID)\n  if (!envelope) return undefined\n  try {\n    return parseSealedEnvelope(JSON.parse(envelope._data))\n  } catch {\n    return undefined\n  }\n}\n\n// ─── createNoydb orchestration ─────────────────────────────────────────\n\n/**\n * Resolve the effective plaintext passphrase string for a managed-mode\n * vault. Two paths:\n *\n *   1. **First open (no envelope persisted):** generate a 256-bit random\n *      via `crypto.getRandomValues`, base64-encode for use as a\n *      passphrase string, seal the underlying bytes under the\n *      provider, persist `_meta/sealed-passphrase`, return the\n *      base64 string.\n *\n *   2. **Reopen (envelope exists):** read + unseal + decode → return.\n *      A different provider whose `seal` output disagrees on the\n *      stored bytes throws here, surfaced as a clear error.\n *\n * The returned string is the same shape that `secret:` would take in\n * standard mode — the rest of the keyring path consumes it\n * unchanged.\n *\n * @internal — called from `createNoydb` / `getKeyringInternal`.\n */\nexport async function resolveManagedSecret(\n  store: NoydbStore,\n  vault: string,\n  provider: SealingKeyProvider,\n): Promise<string> {\n  const existing = await loadSealedPassphrase(store, vault)\n  if (existing) {\n    if (existing.providerId !== provider.id) {\n      throw new Error(\n        `Managed-mode vault \"${vault}\" was sealed under provider id `\n        + `\"${existing.providerId}\" but the current SealingKeyProvider is `\n        + `\"${provider.id}\". Pass the same provider that originally enrolled `\n        + 'the vault, or treat this as a fresh enrollment and clear '\n        + '`_meta/sealed-passphrase` first.',\n      )\n    }\n    const plaintext = await provider.unseal(existing.sealed)\n    return bytesToBase64(plaintext)\n  }\n\n  // First open: mint a 256-bit random, seal, persist.\n  const random = new Uint8Array(32)\n  globalThis.crypto.getRandomValues(random)\n  const sealed = await provider.seal(random)\n  await saveSealedPassphrase(store, vault, { providerId: provider.id, sealed })\n  return bytesToBase64(random)\n}\n"],"mappings":";;;;;;;;;AAuBO,IAAM,qBAAqB;AAQlC,eAAsB,oBACpB,OACA,OACA,YACA,KAC8C;AAC9C,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,oBAAoB,UAAU;AACtE,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,UAAM,SAAS,KAAK,MAAM,SAAS;AACnC,QAAI,OAAO,kBAAkB,EAAG,QAAO;AACvC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAOA,eAAsB,oBACpB,OACA,OACA,YACA,KACA,SACe;AACf,QAAM,OAAO,KAAK,UAAU,OAAO;AACnC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,QAAM,QAAQ,MAAM,MAAM,IAAI,OAAO,oBAAoB,UAAU;AACnE,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK,OAAO,MAAM,KAAK;AAAA,IACvB,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACA,QAAM,MAAM,IAAI,OAAO,oBAAoB,YAAY,GAAG;AAC5D;;;ACiCO,IAAM,2BAAN,MAA6D;AAAA,EACzD;AAAA,EACQ;AAAA,EACA;AAAA,EAEjB,YAAY,MAAsB;AAChC,SAAK,KAAK,KAAK;AAKf,UAAM,UAAU,IAAI,YAAY,EAAE,OAAO,KAAK,EAAE;AAChD,QAAI,IAAI;AACR,aAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,UAAK,IAAI,KAAK,QAAQ,CAAC,MAAQ;AAAA,IACjC;AACA,SAAK,cAAc,IAAI,WAAW;AAAA,MAC/B,MAAM,KAAM;AAAA,MAAO,MAAM,KAAM;AAAA,MAAO,MAAM,IAAK;AAAA,MAAM,IAAI;AAAA,IAC9D,CAAC;AAID,SAAK,WAAW,IAAI,WAAW,EAAE;AACjC,aAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AAC3B,WAAK,SAAS,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,IAAM,IAAI;AAAA,IACrD;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,YAA6C;AACtD,UAAM,MAAM,IAAI,WAAW,IAAI,WAAW,MAAM;AAChD,QAAI,IAAI,KAAK,aAAa,CAAC;AAC3B,aAAS,IAAI,GAAG,IAAI,WAAW,QAAQ,KAAK;AAC1C,UAAI,IAAI,CAAC,IAAI,WAAW,CAAC,IAAK,KAAK,SAAS,IAAI,EAAE;AAAA,IACpD;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,OAAO,QAAyC;AACpD,QAAI,OAAO,SAAS,GAAG;AACrB,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AACA,aAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,UAAI,OAAO,CAAC,MAAM,KAAK,YAAY,CAAC,GAAG;AACrC,cAAM,IAAI;AAAA,UACR,6BAA6B,KAAK,EAAE;AAAA,QAEtC;AAAA,MACF;AAAA,IACF;AACA,UAAM,OAAO,OAAO,SAAS,CAAC;AAC9B,UAAM,MAAM,IAAI,WAAW,KAAK,MAAM;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAI,CAAC,IAAI,KAAK,CAAC,IAAK,KAAK,SAAS,IAAI,EAAE;AAAA,IAC1C;AACA,WAAO;AAAA,EACT;AACF;AAiEO,IAAM,wBAAN,MAA2E;AAAA,EACvE;AAAA,EACQ;AAAA,EAEjB,YAAY,MAAsB;AAChC,SAAK,KAAK,KAAK;AACf,SAAK,UAAU,OAAO,OAAO;AAAA,MAC3B,EAAE,MAAM,YAAY,eAAe,MAAM,gBAAgB,IAAI,WAAW,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,MAAM,UAAU;AAAA,MACpG;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF;AAAA,EAEA,MAAM,uBAA+C;AACnD,UAAM,EAAE,UAAU,IAAI,MAAM,KAAK;AACjC,UAAM,OAAO,MAAM,OAAO,OAAO,UAAU,QAAQ,SAAS;AAC5D,UAAM,MAAM,iCACR,cAAc,IAAI,WAAW,IAAI,CAAC,EAAE,MAAM,UAAU,EAAG,KAAK,IAAI,IAChE;AACJ,WAAO,EAAE,GAAG,GAAG,KAAK,KAAK,IAAI,KAAK,mBAAmB,UAAU,EAAE,cAAc,IAAI,EAAE;AAAA,EACvF;AAAA,EAEA,MAAM,iBAAiB,WAAuB,MAA0C;AACtF,QAAI,KAAK,MAAM,GAAG;AAChB,YAAM,IAAI,MAAM,8DAA8D,OAAO,KAAK,CAAC,CAAC,eAAe;AAAA,IAC7G;AACA,QAAI,KAAK,QAAQ,mBAAmB;AAClC,YAAM,IAAI,MAAM,iEAAiE,OAAO,KAAK,GAAG,CAAC,gCAAgC;AAAA,IACnI;AACA,UAAM,MAAM,KAAK,SAAS,cAAc;AACxC,QAAI,OAAO,QAAQ,UAAU;AAC3B,YAAM,IAAI,MAAM,4FAA4F;AAAA,IAC9G;AAEA,UAAM,MAAM,IAAI,QAAQ,8BAA8B,EAAE,EAAE,QAAQ,4BAA4B,EAAE,EAAE,QAAQ,QAAQ,EAAE;AACpH,UAAM,OAAO,cAAc,GAAG;AAC9B,UAAM,eAAe,MAAM,OAAO,OAAO;AAAA,MACvC;AAAA,MAAQ;AAAA,MACR,EAAE,MAAM,YAAY,MAAM,UAAU;AAAA,MACpC;AAAA,MAAO,CAAC,SAAS;AAAA,IACnB;AAEA,UAAM,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC1D,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,UAA0B,WAAW,OAAO,CAAC,SAAS,CAAC;AACxG,UAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACpD,UAAM,KAAK,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAuB,GAAG,KAAK,SAAyB,CAAC;AAElI,UAAM,UAAU,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,cAAc,QAAwB,CAAC;AACxH,aAAS,KAAK,CAAC;AACf,QAAI,QAAQ,WAAW,KAAK;AAC1B,YAAM,IAAI,MAAM,gFAAgF,QAAQ,MAAM,EAAE;AAAA,IAClH;AAEA,UAAM,MAAM,IAAI,WAAW,IAAI,MAAM,KAAK,GAAG,MAAM;AACnD,QAAI,CAAC,IAAI;AACT,QAAI,IAAI,SAAS,CAAC;AAClB,QAAI,IAAI,IAAI,IAAI,GAAG;AACnB,QAAI,IAAI,IAAI,IAAI,MAAM,EAAE;AACxB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,KAAK,WAA4C;AACrD,UAAM,OAAO,MAAM,KAAK,qBAAqB;AAC7C,WAAO,KAAK,iBAAiB,WAAW,IAAI;AAAA,EAC9C;AAAA,EAEA,MAAM,OAAO,OAAwC;AACnD,QAAI,MAAM,SAAS,IAAI,MAAM,KAAK,IAAI;AACpC,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AACA,QAAI,MAAM,CAAC,MAAM,GAAM;AACrB,YAAM,IAAI,MAAM,qDAAqD,MAAM,CAAC,CAAC,EAAE;AAAA,IACjF;AACA,UAAM,UAAU,MAAM,SAAS,GAAG,IAAI,GAAG;AACzC,UAAM,KAAK,MAAM,SAAS,IAAI,KAAK,IAAI,MAAM,EAAE;AAC/C,UAAM,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE;AACtC,UAAM,EAAE,WAAW,IAAI,MAAM,KAAK;AAClC,UAAM,WAAW,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,YAAY,OAAuB,CAAC;AACtH,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,UAA0B,WAAW,OAAO,CAAC,SAAS,CAAC;AACxG,UAAM,KAAK,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAuB,GAAG,KAAK,EAAkB,CAAC;AAC3H,aAAS,KAAK,CAAC;AACf,WAAO;AAAA,EACT;AACF;AAKO,IAAM,8BAA8B;AAqC3C,SAAS,cAAc,OAA2B;AAChD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,IAAK,WAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAC9E,SAAO,KAAK,MAAM;AACpB;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,SAAS,KAAK,GAAG;AACvB,QAAM,MAAM,IAAI,WAAW,OAAO,MAAM;AACxC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,IAAK,KAAI,CAAC,IAAI,OAAO,WAAW,CAAC;AACpE,SAAO;AACT;AAiBO,SAAS,oBAAoB,KAA4C;AAC9E,MAAI,OAAO,QAAQ,YAAY,QAAQ,KAAM,QAAO;AACpD,QAAM,IAAI;AACV,MAAI,EAAE,kBAAkB,EAAG,QAAO;AAGlC,MACE,EAAE,MAAM,KACL,OAAO,EAAE,QAAQ,YACjB,OAAO,EAAE,YAAY,UACxB;AACA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,YAAY,EAAE;AAAA,MACd,QAAQ,cAAc,EAAE,OAAO;AAAA,IACjC;AAAA,EACF;AAGA,MACE,OAAO,EAAE,eAAe,YACrB,OAAO,EAAE,WAAW,UACvB;AACA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,YAAY,EAAE;AAAA,MACd,QAAQ,cAAc,EAAE,MAAM;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,qBACpB,OACA,OACA,SACe;AACf,QAAM,YAA4B;AAAA,IAChC,GAAG;AAAA,IACH,eAAe;AAAA,IACf,KAAK,QAAQ;AAAA,IACb,SAAS,cAAc,QAAQ,MAAM;AAAA,EACvC;AACA,QAAM,QAAQ,MAAM,MAAM,IAAI,OAAO,SAAS,2BAA2B;AACzE,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK,OAAO,MAAM,KAAK;AAAA,IACvB,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA;AAAA,IAE5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,SAAS;AAAA,EACjC;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,6BAA6B,GAAG;AAClE;AAEA,eAAsB,qBACpB,OACA,OACuC;AACvC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,SAAS,2BAA2B;AAC5E,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,WAAO,oBAAoB,KAAK,MAAM,SAAS,KAAK,CAAC;AAAA,EACvD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAwBA,eAAsB,qBACpB,OACA,OACA,UACiB;AACjB,QAAM,WAAW,MAAM,qBAAqB,OAAO,KAAK;AACxD,MAAI,UAAU;AACZ,QAAI,SAAS,eAAe,SAAS,IAAI;AACvC,YAAM,IAAI;AAAA,QACR,uBAAuB,KAAK,mCACtB,SAAS,UAAU,4CACnB,SAAS,EAAE;AAAA,MAGnB;AAAA,IACF;AACA,UAAM,YAAY,MAAM,SAAS,OAAO,SAAS,MAAM;AACvD,WAAO,cAAc,SAAS;AAAA,EAChC;AAGA,QAAM,SAAS,IAAI,WAAW,EAAE;AAChC,aAAW,OAAO,gBAAgB,MAAM;AACxC,QAAM,SAAS,MAAM,SAAS,KAAK,MAAM;AACzC,QAAM,qBAAqB,OAAO,OAAO,EAAE,YAAY,SAAS,IAAI,OAAO,CAAC;AAC5E,SAAO,cAAc,MAAM;AAC7B;","names":[]}