@noy-db/hub 0.2.0-pre.4 → 0.2.0-pre.5

package/dist/chunk-GDTCGIPX.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/materialized-views/dependency-analyzer.ts","../src/materialized-views/query-hash.ts","../src/materialized-views/registry.ts"],"sourcesContent":["import type { Query, QueryPlan } from '../query/builder.js'\nimport type { JoinContext } from '../query/join.js'\nimport type { MaterializedViewStrategy } from './types.js'\n\n/**\n * Walks a `Query<T>` plan and returns the set of source collection\n * names that any source-write should trigger a refresh on.\n *\n * Foundation sub-issue (#150) handles:\n *   - root collection (the one the query was built from)\n *   - FK join targets (`.join(field, { as })`)\n *\n * Deferred to later sub-issues:\n *   - `.crossJoin()` — v3 cross-join spec (separate primitive)\n *   - `.wherePredicate(name)` — v2 predicate primitive, sub-issue #153\n *   - Overlay-name expansion to {base, overlay} — sub-issue #154\n *\n * The set is materialized at MV registration time. The MV registry\n * uses it to (a) dispatch `onSourceWrite` only to MVs that actually\n * care, and (b) contribute edges to the shared cycle-detection graph.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function analyzeDependencies(query: Query<any>): Set<string> {\n  const deps = new Set<string>()\n  const plan = query._plan()\n  const ctx = query._joinContext()\n\n  // The root collection is always a dependency.\n  if (ctx?.leftCollection) {\n    deps.add(ctx.leftCollection)\n  }\n\n  // FK join targets contribute additional sources.\n  for (const leg of plan.joins) {\n    deps.add(leg.target)\n  }\n\n  // Sub-plans inside OR clauses can carry nested joins. Walk them.\n  // (Today only top-level `.join()` populates `plan.joins`, but the\n  // OR-group machinery permits sub-plans, so we recurse defensively.)\n  walkClausesForJoins(plan, deps, ctx)\n\n  return deps\n}\n\nfunction walkClausesForJoins(\n  plan: QueryPlan,\n  deps: Set<string>,\n  ctx: JoinContext | undefined,\n): void {\n  void ctx\n  // Today `plan.joins` carries all join legs at top level. Sub-plans\n  // inside OR groups don't currently support nested joins, so the loop\n  // below is a no-op safety net for future builder extensions.\n  for (const clause of plan.clauses) {\n    if (clause.type === 'group') {\n      // Group clauses don't (yet) carry their own joins; this is a\n      // forward-compat anchor for when OR-groups support nested\n      // sources.\n    }\n  }\n}\n\n/**\n * Convenience: produce a stable string summary of the query plan\n * suitable for `queryHash` derivation. Captures everything the\n * dependency analyzer reads + the where/orderBy/limit/offset\n * structure that affects materialized rows.\n *\n * `joinContext` is intentionally NOT included — the join-resolution\n * function references would defeat hash determinism. The set of join\n * TARGETS (collection names) IS included via the plan.joins legs.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport function summarizeQueryPlan(query: Query<any>): string {\n  const plan = query._plan()\n  const ctx = query._joinContext()\n  return JSON.stringify({\n    root: ctx?.leftCollection ?? null,\n    clauses: plan.clauses,\n    orderBy: plan.orderBy,\n    limit: plan.limit ?? null,\n    offset: plan.offset,\n    joins: plan.joins.map(j => ({ field: j.field, as: j.as, target: j.target, mode: j.mode })),\n  })\n}\n\n/**\n * Canonical string description of a UNION MV's plan, used as input to\n * `computeQueryHash`.\n *\n * Asymmetry note (#165 niwat review):\n *   - Arm collection names are NOT sorted. Declaration order is\n *     semantically meaningful for the dedup-only UNION path —\n *     `materializeUnionResult` iterates `spec.unionSources` in\n *     declaration order and keeps the first-seen row per composite key\n *     (tie-break precedence). If we sorted arms here, a consumer who\n *     reordered `unionSources` to change precedence would compute the\n *     same `queryHash`, refresh would be a no-op, and stale MV rows\n *     would persist. Hashing in declaration order makes any reorder\n *     trigger a refresh.\n *   - `groupBy` fields ARE sorted. Multi-key groupBy buckets are\n *     commutative (`canonicalGroupKey` produces the same composite key\n *     regardless of field order in the input spec).\n *   - `aggregate` keys ARE sorted. Reducer-spec keys are independent\n *     of each other — order of declaration doesn't change output.\n *\n * Per-arm `map` functions are NOT fingerprinted; consumers must bump\n * the MV's `name` (or rely on application-level cache busting) when\n * `map` semantics change non-equivalently.\n */\nexport function summarizeUnionPlan<T extends Record<string, unknown>>(\n  spec: MaterializedViewStrategy<T>,\n): string {\n  const arms = (spec.unionSources ?? [])\n    .map(s => s.collection)\n    .join(',')\n  const groupBy: string = Array.isArray(spec.groupBy)\n    ? [...spec.groupBy].sort().join(',')\n    : typeof spec.groupBy === 'string'\n      ? spec.groupBy\n      : ''\n  const aggKeys = spec.aggregate ? Object.keys(spec.aggregate).sort().join(',') : ''\n  return `union(${arms})|groupBy(${groupBy})|aggregate(${aggKeys})`\n}\n","/**\n * Deterministic hash of a materialized view strategy's \"shape\": MV\n * name + canonical query-plan summary + sorted dependency-set.\n *\n * Used to detect strategy drift: a row whose `_materializedFrom.queryHash`\n * doesn't match the current strategy is considered stale.\n *\n * Web Crypto SHA-256 — no extra deps. Mirrors the v1\n * `computeStrategyHash` pattern.\n */\nexport async function computeQueryHash(\n  mvName: string,\n  /**\n   * Source-collection set the query depends on. Sorted before\n   * canonicalization so set iteration order doesn't affect the hash.\n   */\n  dependencies: ReadonlySet<string>,\n  /**\n   * Stringified query-plan summary. The caller produces this from the\n   * `Query<T>` builder — concretely: a JSON serialization of clauses +\n   * orderBy + limit + offset + joins. Function bodies inside\n   * `wherePredicate` are NOT included here (those carry their own\n   * `predicateHash` to be folded in by a later sub-issue).\n   */\n  queryPlanSummary: string,\n): Promise<string> {\n  const canonical = JSON.stringify({\n    mvName,\n    dependencies: [...dependencies].sort(),\n    queryPlanSummary,\n  })\n  const bytes = new TextEncoder().encode(canonical)\n  const digest = await crypto.subtle.digest('SHA-256', bytes)\n  return Array.from(new Uint8Array(digest))\n    .map(b => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n/**\n * Canonicalize a query plan for hashing. Walks the plan structure\n * with sorted keys so insertion order doesn't perturb the result.\n * Lives here rather than in `query/builder.ts` to keep that module\n * stable across MV-specific evolutions.\n *\n * @internal exported for testing\n */\nexport function canonicalizeQueryPlan(plan: unknown): string {\n  return JSON.stringify(plan, (_key, value) => {\n    if (value && typeof value === 'object' && !Array.isArray(value)) {\n      const sorted: Record<string, unknown> = {}\n      for (const k of Object.keys(value as Record<string, unknown>).sort()) {\n        sorted[k] = (value as Record<string, unknown>)[k]\n      }\n      return sorted\n    }\n    return value\n  })\n}\n","import { MaterializedViewCycleError, MaterializedViewSourceUnknownError } from '../errors.js'\nimport type { DerivationRegistry } from '../derivations/registry.js'\nimport type { Clause, FieldClause } from '../query/predicate.js'\nimport type { DeclaredPredicate } from '../query/builder.js'\nimport { analyzeDependencies, summarizeQueryPlan, summarizeUnionPlan } from './dependency-analyzer.js'\nimport { computeQueryHash } from './query-hash.js'\nimport type { MaterializedViewStrategy, MVQueryContext } from './types.js'\n\n/**\n * One registered MV strategy alongside its derived metadata. Stored\n * type-erased on `TRow` so the registry can hold heterogeneous MVs.\n */\nexport interface RegisteredMV {\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  readonly spec: MaterializedViewStrategy<any>\n  /** Output collection name (`spec.output?.collection ?? spec.name`). */\n  readonly outputCollection: string\n  /** Set of source collections; populated at registration via the analyzer. */\n  readonly dependencies: ReadonlySet<string>\n  /** Canonical `queryHash` — `_materializedFrom.queryHash` for every emitted row. */\n  readonly queryHash: string\n  /**\n   * Top-level FieldClauses on the partition field, captured at\n   * registration time. Used by the cycle detector to resolve\n   * same-collection-as-source edges via the partition-discriminator\n   * check (#152). Empty when `spec.output?.partition` is undefined.\n   */\n  readonly partitionClauses: readonly FieldClause[]\n}\n\n/**\n * Vault-internal registry of MV strategies. Owned by `Vault`; not\n * exported. Parallel to v1's `DerivationRegistry`; the two graphs share\n * a single cycle-detection pass at vault open (see `validate`).\n *\n * @internal\n */\nexport class MaterializedViewRegistry {\n  /** Keyed by `spec.name`. */\n  private readonly _byName = new Map<string, RegisteredMV>()\n  /** Keyed by dependency source-collection → MVs that depend on it. */\n  private readonly _bySource = new Map<string, RegisteredMV[]>()\n\n  /**\n   * Register an MV. Invokes `spec.query()` once at registration time to\n   * read the plan + join context; the resulting `Query<T>` is discarded\n   * after dependency extraction. `vault.collection(...)` must therefore\n   * be functional by the time this runs — typically wired from\n   * `Vault._initMaterializedViews` after collection bootstrap.\n   *\n   * Throws `MaterializedViewSourceUnknownError` if the analyzer\n   * surfaces a dependency the vault doesn't know about (when a\n   * `knownCollections` checker is supplied).\n   */\n  async register(\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    spec: MaterializedViewStrategy<any>,\n    db: MVQueryContext,\n    options?: { knownCollections?: (name: string) => boolean },\n  ): Promise<void> {\n    // Build a predicate-aware db wrapper (#153). If `spec.predicates` is\n    // declared, the wrapper intercepts `.collection().query()` and\n    // attaches the predicates map to the resulting Query<T>. With no\n    // predicates declared, the wrapper is the original db unchanged.\n    const dbForQuery = spec.predicates ? wrapDbWithPredicates(db, spec.predicates) : db\n\n    // Invoke the query callback once to inspect its plan / dependencies.\n    // For Query<T> shapes the analyzer extracts deps + plan summary\n    // automatically. Aggregation / GroupedAggregation shapes don't\n    // expose the underlying Query, so the spec must declare `sources`\n    // explicitly. `partitionClauses` are only populated for Query<T>\n    // since same-collection-partition is a non-aggregate concern.\n    // UNION-form strategies (#165): dependencies and plan summary come\n    // straight off the strategy — no `query` callback to introspect.\n    // The dependency-analyzer + summarizer are bypassed entirely; the\n    // executor handles materialization via `materializeUnionResult`.\n    let dependencies: Set<string>\n    let queryPlanSummary: string\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    let qAny: any = null\n    let isQuery = false\n    if (spec.unionSources) {\n      dependencies = new Set(spec.unionSources.map(s => s.collection))\n      queryPlanSummary = summarizeUnionPlan(spec)\n    } else {\n      const q = spec.query!(dbForQuery)\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      qAny = q as any\n      isQuery = typeof qAny._plan === 'function'\n      if (isQuery) {\n        dependencies = analyzeDependencies(q)\n        queryPlanSummary = summarizeQueryPlan(q)\n        // Fold `.wherePredicate(name, ctx)` references into the plan\n        // summary so predicate function or ctx changes (signalled by\n        // bumping `hash` or supplying a different ctx) propagate into\n        // `queryHash` and force refresh on next visit.\n        const predicateRefs = extractPredicateRefs(qAny._plan())\n        if (predicateRefs.length > 0) {\n          queryPlanSummary = JSON.stringify({ plan: queryPlanSummary, predicates: predicateRefs })\n        }\n        // If `sources` is ALSO declared, take the union (consumer's\n        // explicit list extends the auto-analyzed set).\n        if (spec.sources) for (const s of spec.sources) dependencies.add(s)\n      } else {\n        // Aggregate shape: require explicit `sources`.\n        if (!spec.sources || spec.sources.length === 0) {\n          throw new Error(\n            `withMaterializedView \"${spec.name}\": query() returned an aggregate ` +\n              `(Aggregation or GroupedAggregation) but no \\`sources\\` field is declared. ` +\n              `The dependency analyzer cannot walk through groupBy().aggregate() ` +\n              `back to the source — declare sources: [...] explicitly.`,\n          )\n        }\n        dependencies = new Set(spec.sources)\n        // Aggregate plans don't carry a chainable query plan for summary\n        // purposes; the dep-set + spec.name serve as the queryHash inputs.\n        queryPlanSummary = JSON.stringify({ aggregate: true, sources: [...spec.sources].sort() })\n      }\n    }\n\n    // Sanity-check declared dependencies against the vault's known\n    // collections. Optional — when the checker isn't supplied (test\n    // wiring, in-process composition) the registration succeeds and\n    // any typo surfaces at first onSourceWrite as a no-op.\n    if (options?.knownCollections) {\n      for (const dep of dependencies) {\n        if (!options.knownCollections(dep)) {\n          throw new MaterializedViewSourceUnknownError(spec.name, dep)\n        }\n      }\n    }\n\n    const outputCollection = spec.output?.collection ?? spec.name\n    const queryHash = await computeQueryHash(spec.name, dependencies, queryPlanSummary)\n    // For same-collection-as-source MVs, capture the where-clauses on\n    // the partition field so cycle detection can prove disjointness.\n    // Only applicable to Query<T> shapes — aggregate MVs don't carry\n    // a chainable plan to inspect (and same-collection aggregation\n    // doesn't make sense in the niwat use cases that motivated #152).\n    const partitionClauses: FieldClause[] = []\n    const partitionField = spec.output?.partition?.field\n    if (partitionField !== undefined && isQuery) {\n      const plan = qAny._plan()\n      for (const clause of plan.clauses) {\n        if (isFieldClauseOnField(clause, partitionField)) partitionClauses.push(clause)\n      }\n    }\n    const reg: RegisteredMV = { spec, outputCollection, dependencies, queryHash, partitionClauses }\n\n    this._byName.set(spec.name, reg)\n    for (const dep of dependencies) {\n      const arr = this._bySource.get(dep)\n      if (arr) arr.push(reg)\n      else this._bySource.set(dep, [reg])\n    }\n  }\n\n  /** All MVs that depend on `source`, in registration order. */\n  mvsForSource(source: string): ReadonlyArray<RegisteredMV> {\n    return this._bySource.get(source) ?? []\n  }\n\n  /** Single MV by name, or `undefined`. */\n  byName(name: string): RegisteredMV | undefined {\n    return this._byName.get(name)\n  }\n\n  /** Iterate over every registered MV. */\n  all(): ReadonlyArray<RegisteredMV> {\n    return [...this._byName.values()]\n  }\n\n  /**\n   * Cycle detection over the combined derivation + MV graph. Edges:\n   *   - Derivation: derivation.source → output.collection (each output)\n   *   - MV: every dep in MV.dependencies → MV.outputCollection\n   *\n   * Throws `MaterializedViewCycleError` if the cycle's terminal node\n   * is an MV output collection; otherwise (a pure-derivation cycle)\n   * the caller's `DerivationRegistry.validate()` will surface\n   * `DerivationCycleError` separately at vault open.\n   *\n   * Call AFTER all `register()` calls complete.\n   */\n  validate(derivationRegistry?: DerivationRegistry | null): void {\n    const visited = new Set<string>()\n    const stack: string[] = []\n    const mvOutputs = new Set<string>()\n    for (const reg of this._byName.values()) mvOutputs.add(reg.outputCollection)\n\n    const edges = new Map<string, string[]>()\n\n    // MV edges: every dep → output. Same-collection edges (dep ===\n    // outputCollection) are skipped IFF the MV declares an\n    // `output.partition` discriminator AND the query has a where-clause\n    // that provably excludes the partition value. Otherwise the cycle\n    // detector treats the edge as real — naïve same-collection MVs\n    // surface as `MaterializedViewCycleError`.\n    for (const reg of this._byName.values()) {\n      for (const dep of reg.dependencies) {\n        if (dep === reg.outputCollection && partitionDisjoint(reg)) continue\n        const arr = edges.get(dep)\n        if (arr) arr.push(reg.outputCollection)\n        else edges.set(dep, [reg.outputCollection])\n      }\n    }\n\n    // Derivation edges: source → output collections\n    if (derivationRegistry) {\n      // The shared DerivationRegistry exposes its edges via the same\n      // `strategiesForSource` API its own `validate()` uses. We don't\n      // duplicate cycle detection — we add MV nodes to the graph and\n      // run the unified DFS, attributing cycles that touch an MV\n      // output to `MaterializedViewCycleError`.\n      for (const reg of this._byName.values()) {\n        // Walk every dependency through derivation edges too: a\n        // derivation whose output we depend on is itself a source.\n        void reg\n      }\n      // Pull derivation edges by scanning every MV dep + every MV\n      // output as potential derivation sources.\n      const sourcesToScan = new Set<string>()\n      for (const reg of this._byName.values()) {\n        for (const dep of reg.dependencies) sourcesToScan.add(dep)\n        sourcesToScan.add(reg.outputCollection)\n      }\n      for (const src of sourcesToScan) {\n        const strategies = derivationRegistry.strategiesForSource(src)\n        if (strategies.length === 0) continue\n        for (const s of strategies) {\n          for (const key of Object.keys(s.spec.outputs)) {\n            const o = s.spec.outputs[key]\n            if (!o) continue\n            const arr = edges.get(src)\n            if (arr) arr.push(o.collection)\n            else edges.set(src, [o.collection])\n          }\n        }\n      }\n    }\n\n    const visit = (node: string): void => {\n      if (stack.includes(node)) {\n        const cycle = stack.slice(stack.indexOf(node)).concat(node)\n        // If any node on the cycle is an MV output, attribute as MV\n        // cycle. Otherwise let DerivationRegistry.validate() surface it.\n        if (cycle.some(n => mvOutputs.has(n))) {\n          throw new MaterializedViewCycleError(cycle)\n        }\n        // Pure-derivation cycle — caller's DerivationRegistry.validate()\n        // will catch it separately. Don't double-report.\n        return\n      }\n      if (visited.has(node)) return\n      stack.push(node)\n      const outs = edges.get(node)\n      if (outs) for (const o of outs) visit(o)\n      stack.pop()\n      visited.add(node)\n    }\n\n    for (const node of edges.keys()) visit(node)\n  }\n}\n\n/**\n * Type guard: is the clause a top-level `FieldClause` on the given\n * field? Used by the partition-disjoint check.\n *\n * @internal\n */\nfunction isFieldClauseOnField(clause: Clause, field: string): clause is FieldClause {\n  return clause.type === 'field' && clause.field === field\n}\n\n/**\n * Wrap an `MVQueryContext` so its `.collection().query()` returns a\n * Query<T> with the MV's declared predicates attached. Bare Queries\n * (outside of any MV) don't gain `.wherePredicate()` — only Queries\n * obtained through this wrapped db do.\n *\n * @internal\n */\nexport function wrapDbWithPredicates(\n  db: MVQueryContext,\n  predicates: NonNullable<MaterializedViewStrategy<Record<string, unknown>>['predicates']>,\n): MVQueryContext {\n  // Build the predicate map once — the fn signature in the MV spec\n  // is row-typed but the QueryBuilder casts to unknown, so we widen\n  // here for the Map.\n  const map = new Map<string, DeclaredPredicate>()\n  for (const [name, decl] of Object.entries(predicates)) {\n    map.set(name, {\n      hash: decl.hash,\n      fn: decl.fn as (record: unknown, ctx?: unknown) => boolean,\n    })\n  }\n  return {\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    collection<T extends Record<string, unknown>>(name: string): any {\n      const c = db.collection<T>(name)\n      // Return an object that delegates everything to `c` but\n      // overrides `.query()` to attach predicates via the new\n      // `Query._withPredicates()` accessor.\n      return new Proxy(c, {\n        get(target, prop, receiver) {\n          if (prop === 'query') {\n            return (...args: unknown[]) => {\n              // eslint-disable-next-line @typescript-eslint/no-explicit-any\n              const q = (target.query as any)(...args)\n              // For non-aggregate Query<T>, attach predicates. For\n              // legacy predicate-arg overload that returns T[] (sync\n              // filter), pass through unchanged.\n               \n              if (q && typeof q._withPredicates === 'function') {\n                return q._withPredicates(map)\n              }\n              return q\n            }\n          }\n          return Reflect.get(target, prop, receiver)\n        },\n      })\n    },\n  }\n}\n\n/**\n * Walk a QueryPlan's clauses and collect predicate-reference markers\n * for `queryHash` derivation. Returns a sorted array (deterministic\n * order) of `{ name, predicateHash, ctxHash }` tuples — these are the\n * hashable identity of each `.wherePredicate()` call site.\n *\n * @internal\n */\nfunction extractPredicateRefs(\n  plan: { clauses: readonly Clause[] },\n): Array<{ name: string; predicateHash: string; ctxHash: string }> {\n  const refs: Array<{ name: string; predicateHash: string; ctxHash: string }> = []\n  const walk = (clauses: readonly Clause[]): void => {\n    for (const c of clauses) {\n      if (c.type === 'wherePredicate') {\n        refs.push({ name: c.name, predicateHash: c.predicateHash, ctxHash: c.ctxHash })\n      } else if (c.type === 'group') {\n        walk(c.clauses)\n      }\n    }\n  }\n  walk(plan.clauses)\n  // Stable-sort by (name, predicateHash, ctxHash) — same predicate\n  // appearing twice with different ctx hashes both flow through.\n  refs.sort((a, b) => {\n    if (a.name !== b.name) return a.name < b.name ? -1 : 1\n    if (a.predicateHash !== b.predicateHash) return a.predicateHash < b.predicateHash ? -1 : 1\n    return a.ctxHash < b.ctxHash ? -1 : a.ctxHash > b.ctxHash ? 1 : 0\n  })\n  return refs\n}\n\n/**\n * Provability check for the same-collection partition-discriminator\n * (#152, spec § Same-collection-as-source MV). Returns `true` when\n * the captured partition clauses on the MV's query provably exclude\n * the partition's value — meaning the input filter and the output\n * partition are disjoint and the same-collection edge isn't really a\n * cycle.\n *\n * Supported provability shapes (narrow on purpose — niwat's DERIV-\n * PP30-001 is the load-bearing case):\n *\n * - `.where(field, '==', X)` where X !== partition.value → disjoint\n * - `.where(field, '!=', partition.value)` → disjoint\n * - `.where(field, 'in', [...])` where partition.value NOT in list → disjoint\n *\n * Anything else (no clause on the partition field, an 'in' list that\n * contains partition.value, unsupported operators) → not disjoint,\n * the cycle detector surfaces `MaterializedViewCycleError`.\n *\n * @internal\n */\nfunction partitionDisjoint(reg: RegisteredMV): boolean {\n  const partition = reg.spec.output?.partition\n  if (partition === undefined) return false\n  const value = partition.value\n  // The OR-semantics of multiple where-clauses on the same field\n  // would muddy this check. v2 only treats AND-chained clauses;\n  // any clause that proves disjoint is sufficient.\n  for (const c of reg.partitionClauses) {\n    if (c.op === '==' && c.value !== value) return true\n    if (c.op === '!=' && c.value === value) return true\n    if (c.op === 'in' && Array.isArray(c.value)) {\n      const list = c.value as readonly unknown[]\n      if (!list.includes(value)) return true\n    }\n  }\n  return false\n}\n"],"mappings":";;;;;;AAsBO,SAAS,oBAAoB,OAAgC;AAClE,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,OAAO,MAAM,MAAM;AACzB,QAAM,MAAM,MAAM,aAAa;AAG/B,MAAI,KAAK,gBAAgB;AACvB,SAAK,IAAI,IAAI,cAAc;AAAA,EAC7B;AAGA,aAAW,OAAO,KAAK,OAAO;AAC5B,SAAK,IAAI,IAAI,MAAM;AAAA,EACrB;AAKA,sBAAoB,MAAM,MAAM,GAAG;AAEnC,SAAO;AACT;AAEA,SAAS,oBACP,MACA,MACA,KACM;AACN,OAAK;AAIL,aAAW,UAAU,KAAK,SAAS;AACjC,QAAI,OAAO,SAAS,SAAS;AAAA,IAI7B;AAAA,EACF;AACF;AAaO,SAAS,mBAAmB,OAA2B;AAC5D,QAAM,OAAO,MAAM,MAAM;AACzB,QAAM,MAAM,MAAM,aAAa;AAC/B,SAAO,KAAK,UAAU;AAAA,IACpB,MAAM,KAAK,kBAAkB;AAAA,IAC7B,SAAS,KAAK;AAAA,IACd,SAAS,KAAK;AAAA,IACd,OAAO,KAAK,SAAS;AAAA,IACrB,QAAQ,KAAK;AAAA,IACb,OAAO,KAAK,MAAM,IAAI,QAAM,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,IAAI,QAAQ,EAAE,QAAQ,MAAM,EAAE,KAAK,EAAE;AAAA,EAC3F,CAAC;AACH;AA0BO,SAAS,mBACd,MACQ;AACR,QAAM,QAAQ,KAAK,gBAAgB,CAAC,GACjC,IAAI,OAAK,EAAE,UAAU,EACrB,KAAK,GAAG;AACX,QAAM,UAAkB,MAAM,QAAQ,KAAK,OAAO,IAC9C,CAAC,GAAG,KAAK,OAAO,EAAE,KAAK,EAAE,KAAK,GAAG,IACjC,OAAO,KAAK,YAAY,WACtB,KAAK,UACL;AACN,QAAM,UAAU,KAAK,YAAY,OAAO,KAAK,KAAK,SAAS,EAAE,KAAK,EAAE,KAAK,GAAG,IAAI;AAChF,SAAO,SAAS,IAAI,aAAa,OAAO,eAAe,OAAO;AAChE;;;AClHA,eAAsB,iBACpB,QAKA,cAQA,kBACiB;AACjB,QAAM,YAAY,KAAK,UAAU;AAAA,IAC/B;AAAA,IACA,cAAc,CAAC,GAAG,YAAY,EAAE,KAAK;AAAA,IACrC;AAAA,EACF,CAAC;AACD,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,SAAS;AAChD,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK;AAC1D,SAAO,MAAM,KAAK,IAAI,WAAW,MAAM,CAAC,EACrC,IAAI,OAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EACxC,KAAK,EAAE;AACZ;AAUO,SAAS,sBAAsB,MAAuB;AAC3D,SAAO,KAAK,UAAU,MAAM,CAAC,MAAM,UAAU;AAC3C,QAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,YAAM,SAAkC,CAAC;AACzC,iBAAW,KAAK,OAAO,KAAK,KAAgC,EAAE,KAAK,GAAG;AACpE,eAAO,CAAC,IAAK,MAAkC,CAAC;AAAA,MAClD;AACA,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,CAAC;AACH;;;ACpBO,IAAM,2BAAN,MAA+B;AAAA;AAAA,EAEnB,UAAU,oBAAI,IAA0B;AAAA;AAAA,EAExC,YAAY,oBAAI,IAA4B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAa7D,MAAM,SAEJ,MACA,IACA,SACe;AAKf,UAAM,aAAa,KAAK,aAAa,qBAAqB,IAAI,KAAK,UAAU,IAAI;AAYjF,QAAI;AACJ,QAAI;AAEJ,QAAI,OAAY;AAChB,QAAI,UAAU;AACd,QAAI,KAAK,cAAc;AACrB,qBAAe,IAAI,IAAI,KAAK,aAAa,IAAI,OAAK,EAAE,UAAU,CAAC;AAC/D,yBAAmB,mBAAmB,IAAI;AAAA,IAC5C,OAAO;AACL,YAAM,IAAI,KAAK,MAAO,UAAU;AAEhC,aAAO;AACP,gBAAU,OAAO,KAAK,UAAU;AAChC,UAAI,SAAS;AACX,uBAAe,oBAAoB,CAAC;AACpC,2BAAmB,mBAAmB,CAAC;AAKvC,cAAM,gBAAgB,qBAAqB,KAAK,MAAM,CAAC;AACvD,YAAI,cAAc,SAAS,GAAG;AAC5B,6BAAmB,KAAK,UAAU,EAAE,MAAM,kBAAkB,YAAY,cAAc,CAAC;AAAA,QACzF;AAGA,YAAI,KAAK,QAAS,YAAW,KAAK,KAAK,QAAS,cAAa,IAAI,CAAC;AAAA,MACpE,OAAO;AAEL,YAAI,CAAC,KAAK,WAAW,KAAK,QAAQ,WAAW,GAAG;AAC9C,gBAAM,IAAI;AAAA,YACR,yBAAyB,KAAK,IAAI;AAAA,UAIpC;AAAA,QACF;AACA,uBAAe,IAAI,IAAI,KAAK,OAAO;AAGnC,2BAAmB,KAAK,UAAU,EAAE,WAAW,MAAM,SAAS,CAAC,GAAG,KAAK,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,MAC1F;AAAA,IACF;AAMA,QAAI,SAAS,kBAAkB;AAC7B,iBAAW,OAAO,cAAc;AAC9B,YAAI,CAAC,QAAQ,iBAAiB,GAAG,GAAG;AAClC,gBAAM,IAAI,mCAAmC,KAAK,MAAM,GAAG;AAAA,QAC7D;AAAA,MACF;AAAA,IACF;AAEA,UAAM,mBAAmB,KAAK,QAAQ,cAAc,KAAK;AACzD,UAAM,YAAY,MAAM,iBAAiB,KAAK,MAAM,cAAc,gBAAgB;AAMlF,UAAM,mBAAkC,CAAC;AACzC,UAAM,iBAAiB,KAAK,QAAQ,WAAW;AAC/C,QAAI,mBAAmB,UAAa,SAAS;AAC3C,YAAM,OAAO,KAAK,MAAM;AACxB,iBAAW,UAAU,KAAK,SAAS;AACjC,YAAI,qBAAqB,QAAQ,cAAc,EAAG,kBAAiB,KAAK,MAAM;AAAA,MAChF;AAAA,IACF;AACA,UAAM,MAAoB,EAAE,MAAM,kBAAkB,cAAc,WAAW,iBAAiB;AAE9F,SAAK,QAAQ,IAAI,KAAK,MAAM,GAAG;AAC/B,eAAW,OAAO,cAAc;AAC9B,YAAM,MAAM,KAAK,UAAU,IAAI,GAAG;AAClC,UAAI,IAAK,KAAI,KAAK,GAAG;AAAA,UAChB,MAAK,UAAU,IAAI,KAAK,CAAC,GAAG,CAAC;AAAA,IACpC;AAAA,EACF;AAAA;AAAA,EAGA,aAAa,QAA6C;AACxD,WAAO,KAAK,UAAU,IAAI,MAAM,KAAK,CAAC;AAAA,EACxC;AAAA;AAAA,EAGA,OAAO,MAAwC;AAC7C,WAAO,KAAK,QAAQ,IAAI,IAAI;AAAA,EAC9B;AAAA;AAAA,EAGA,MAAmC;AACjC,WAAO,CAAC,GAAG,KAAK,QAAQ,OAAO,CAAC;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,SAAS,oBAAsD;AAC7D,UAAM,UAAU,oBAAI,IAAY;AAChC,UAAM,QAAkB,CAAC;AACzB,UAAM,YAAY,oBAAI,IAAY;AAClC,eAAW,OAAO,KAAK,QAAQ,OAAO,EAAG,WAAU,IAAI,IAAI,gBAAgB;AAE3E,UAAM,QAAQ,oBAAI,IAAsB;AAQxC,eAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,iBAAW,OAAO,IAAI,cAAc;AAClC,YAAI,QAAQ,IAAI,oBAAoB,kBAAkB,GAAG,EAAG;AAC5D,cAAM,MAAM,MAAM,IAAI,GAAG;AACzB,YAAI,IAAK,KAAI,KAAK,IAAI,gBAAgB;AAAA,YACjC,OAAM,IAAI,KAAK,CAAC,IAAI,gBAAgB,CAAC;AAAA,MAC5C;AAAA,IACF;AAGA,QAAI,oBAAoB;AAMtB,iBAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AAGvC,aAAK;AAAA,MACP;AAGA,YAAM,gBAAgB,oBAAI,IAAY;AACtC,iBAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,mBAAW,OAAO,IAAI,aAAc,eAAc,IAAI,GAAG;AACzD,sBAAc,IAAI,IAAI,gBAAgB;AAAA,MACxC;AACA,iBAAW,OAAO,eAAe;AAC/B,cAAM,aAAa,mBAAmB,oBAAoB,GAAG;AAC7D,YAAI,WAAW,WAAW,EAAG;AAC7B,mBAAW,KAAK,YAAY;AAC1B,qBAAW,OAAO,OAAO,KAAK,EAAE,KAAK,OAAO,GAAG;AAC7C,kBAAM,IAAI,EAAE,KAAK,QAAQ,GAAG;AAC5B,gBAAI,CAAC,EAAG;AACR,kBAAM,MAAM,MAAM,IAAI,GAAG;AACzB,gBAAI,IAAK,KAAI,KAAK,EAAE,UAAU;AAAA,gBACzB,OAAM,IAAI,KAAK,CAAC,EAAE,UAAU,CAAC;AAAA,UACpC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,CAAC,SAAuB;AACpC,UAAI,MAAM,SAAS,IAAI,GAAG;AACxB,cAAM,QAAQ,MAAM,MAAM,MAAM,QAAQ,IAAI,CAAC,EAAE,OAAO,IAAI;AAG1D,YAAI,MAAM,KAAK,OAAK,UAAU,IAAI,CAAC,CAAC,GAAG;AACrC,gBAAM,IAAI,2BAA2B,KAAK;AAAA,QAC5C;AAGA;AAAA,MACF;AACA,UAAI,QAAQ,IAAI,IAAI,EAAG;AACvB,YAAM,KAAK,IAAI;AACf,YAAM,OAAO,MAAM,IAAI,IAAI;AAC3B,UAAI,KAAM,YAAW,KAAK,KAAM,OAAM,CAAC;AACvC,YAAM,IAAI;AACV,cAAQ,IAAI,IAAI;AAAA,IAClB;AAEA,eAAW,QAAQ,MAAM,KAAK,EAAG,OAAM,IAAI;AAAA,EAC7C;AACF;AAQA,SAAS,qBAAqB,QAAgB,OAAsC;AAClF,SAAO,OAAO,SAAS,WAAW,OAAO,UAAU;AACrD;AAUO,SAAS,qBACd,IACA,YACgB;AAIhB,QAAM,MAAM,oBAAI,IAA+B;AAC/C,aAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACrD,QAAI,IAAI,MAAM;AAAA,MACZ,MAAM,KAAK;AAAA,MACX,IAAI,KAAK;AAAA,IACX,CAAC;AAAA,EACH;AACA,SAAO;AAAA;AAAA,IAEL,WAA8C,MAAmB;AAC/D,YAAM,IAAI,GAAG,WAAc,IAAI;AAI/B,aAAO,IAAI,MAAM,GAAG;AAAA,QAClB,IAAI,QAAQ,MAAM,UAAU;AAC1B,cAAI,SAAS,SAAS;AACpB,mBAAO,IAAI,SAAoB;AAE7B,oBAAM,IAAK,OAAO,MAAc,GAAG,IAAI;AAKvC,kBAAI,KAAK,OAAO,EAAE,oBAAoB,YAAY;AAChD,uBAAO,EAAE,gBAAgB,GAAG;AAAA,cAC9B;AACA,qBAAO;AAAA,YACT;AAAA,UACF;AACA,iBAAO,QAAQ,IAAI,QAAQ,MAAM,QAAQ;AAAA,QAC3C;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;AAUA,SAAS,qBACP,MACiE;AACjE,QAAM,OAAwE,CAAC;AAC/E,QAAM,OAAO,CAAC,YAAqC;AACjD,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,SAAS,kBAAkB;AAC/B,aAAK,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,EAAE,eAAe,SAAS,EAAE,QAAQ,CAAC;AAAA,MAChF,WAAW,EAAE,SAAS,SAAS;AAC7B,aAAK,EAAE,OAAO;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACA,OAAK,KAAK,OAAO;AAGjB,OAAK,KAAK,CAAC,GAAG,MAAM;AAClB,QAAI,EAAE,SAAS,EAAE,KAAM,QAAO,EAAE,OAAO,EAAE,OAAO,KAAK;AACrD,QAAI,EAAE,kBAAkB,EAAE,cAAe,QAAO,EAAE,gBAAgB,EAAE,gBAAgB,KAAK;AACzF,WAAO,EAAE,UAAU,EAAE,UAAU,KAAK,EAAE,UAAU,EAAE,UAAU,IAAI;AAAA,EAClE,CAAC;AACD,SAAO;AACT;AAuBA,SAAS,kBAAkB,KAA4B;AACrD,QAAM,YAAY,IAAI,KAAK,QAAQ;AACnC,MAAI,cAAc,OAAW,QAAO;AACpC,QAAM,QAAQ,UAAU;AAIxB,aAAW,KAAK,IAAI,kBAAkB;AACpC,QAAI,EAAE,OAAO,QAAQ,EAAE,UAAU,MAAO,QAAO;AAC/C,QAAI,EAAE,OAAO,QAAQ,EAAE,UAAU,MAAO,QAAO;AAC/C,QAAI,EAAE,OAAO,QAAQ,MAAM,QAAQ,EAAE,KAAK,GAAG;AAC3C,YAAM,OAAO,EAAE;AACf,UAAI,CAAC,KAAK,SAAS,KAAK,EAAG,QAAO;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;","names":[]}

package/dist/chunk-GVXBHCZ2.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/tx/transaction.ts"],"sourcesContent":["/**\n * Multi-record atomic transactions.\n *\n * Lets an application stage writes across two or more collections (or\n * vaults) and commit them all-or-nothing.\n *\n * ```ts\n * await db.transaction(async (tx) => {\n *   const inv = tx.vault('acme').collection<Invoice>('invoices')\n *   const pay = tx.vault('acme').collection<Payment>('payments')\n *   await inv.put(invoiceId, { ...invoice, status: 'paid' })\n *   await pay.put(paymentId, { invoiceId, amount, paidAt })\n * })\n * // If the body throws before returning: nothing persisted.\n * // If the body returns: all puts committed; any CAS mismatch rolls\n * // the batch back and surfaces as ConflictError.\n * ```\n *\n * ## Atomicity semantics\n *\n * Ops are buffered during the body. On body-return the hub:\n *\n * 1. **Pre-flight** — re-reads every touched envelope and enforces\n *    any caller-supplied `expectedVersion`. A mismatch throws\n *    `ConflictError` with *no* writes performed.\n * 2. **Execute** — calls `Collection.put()` / `.delete()` for each\n *    staged op in declaration order. History snapshots, ledger\n *    appends, and change events fire as normal per op.\n * 3. **Unwind on failure** — if step 2 throws mid-batch, each\n *    already-committed op is reverted via the raw store (restoring\n *    the captured prior envelope, or deleting if none existed). The\n *    ledger is NOT rewritten — audit history preserves the partial\n *    commit and the revert.\n *\n * **Crash window.** Steps 2–3 are not a storage-layer transaction —\n * if the process dies between two executed ops, the on-disk state is\n * partial. True all-or-nothing atomicity requires a store that\n * implements `NoydbStore.tx()` (DynamoDB `TransactWriteItems`,\n * IndexedDB `readwrite` transaction, …). This executor declares\n * that future integration point via the `tx?()` method + the\n * `StoreCapabilities.txAtomic` bit, but does not yet delegate\n * to it — the cascade into `Fork · Stores` tracks the per-adapter\n * wire-up.\n *\n * ## Not covered\n *\n * - Cross-sync-peer atomicity. Transactions commit against the\n *   primary store only; the sync engine pushes on its normal\n *   schedule. For cross-peer two-phase commit use `SyncTransaction`\n * via `db.transaction(vaultName)`.\n * - Read-your-writes within the body. `tx.collection().get(id)`\n *   returns the most-recently-staged value for that id when one\n *   exists; if no staged op has touched the id, it reads the current\n *   committed state. Version numbers returned by `get` reflect the\n *   pre-transaction state (staged puts have no version yet).\n *\n * @module\n */\n\nimport type { Noydb } from '../noydb.js'\nimport type { Vault } from '../vault.js'\nimport type { Collection } from '../collection.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport {\n  AmendmentForbiddenError,\n  ConflictError,\n  InvariantError,\n  ValidationError,\n} from '../errors.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { GuardExecutor as GuardExecutorModule } from '../guards/executor.js'\nimport type { LedgerEntry } from '../history/ledger/entry.js'\n\n/** One op buffered inside a running `TxContext`. @internal */\nexport interface StagedOp {\n  type: 'put' | 'delete'\n  vaultName: string\n  collectionName: string\n  id: string\n  record?: unknown\n  expectedVersion?: number\n  /**\n   * Optional human-readable tag forwarded to the resulting ledger\n   * entry's `reason` field (#1). Set by callers via\n   * `tx.vault(v).collection(c).put(id, record, { reason })`.\n   */\n  reason?: string\n}\n\n/**\n * One executed op (main staged op or recursive side-effect like a\n * derivation output) paired with the envelope captured before the write.\n * `revertExecuted` walks this array in reverse on rollback.\n * @internal\n */\nexport interface ExecutedOp {\n  op: StagedOp\n  priorEnvelope: EncryptedEnvelope | null\n}\n\n/**\n * Options accepted by `db.transaction({ amendment, reason }, fn)`.\n * Only the amendment variant uses these — a plain `db.transaction(fn)`\n * never sees this shape.\n */\nexport interface AmendmentTxOptions {\n  /** Opt into amendment mode. Required to be `true`. */\n  readonly amendment: true\n  /** Human-readable rationale recorded in the ledger entry. Required. */\n  readonly reason: string\n}\n\n/**\n * Transaction handle passed to the user's body. Use\n * `tx.vault(name).collection<T>(name)` to get a per-collection\n * facade; its `put`/`delete`/`get` calls stage ops against the tx.\n */\nexport class TxContext {\n  /** Stable id for this transaction; shared by all writes it performs (#230). */\n  readonly txId: string = generateULID()\n  /** @internal */\n  readonly _ops: StagedOp[] = []\n  /**\n   * @internal — write log built up in Phase 2. Each entry records the\n   * envelope captured BEFORE the write so a mid-batch failure can\n   * restore prior state via `revertExecuted`. Side-effect writes (e.g.\n   * recursive derivation outputs fired inside `Collection.put`) are\n   * appended here in execution order so they roll back alongside the\n   * main staged ops (#133).\n   */\n  readonly _executed: ExecutedOp[] = []\n  /** @internal */\n  readonly _db: Noydb\n  /**\n   * @internal — true when this TxContext was opened in amendment\n   * mode. Toggles the lazy-`beginAmendment` + role-check path on first\n   * `tx.vault(name)` and unlocks the post-Phase-2 invariant + audit run.\n   */\n  readonly _amendment: boolean\n  /** @internal — vaults that have already had `beginAmendment` called. */\n  readonly _amendmentVaults = new Map<string, Vault>()\n\n  /** @internal */\n  constructor(db: Noydb, amendment = false) {\n    this._db = db\n    this._amendment = amendment\n  }\n\n  /** Scope subsequent `collection()` calls to the named vault. */\n  vault(name: string): TxVault {\n    const v = this._db.vault(name)\n    if (this._amendment && !this._amendmentVaults.has(name)) {\n      // Role check is per-vault. The task spec (\"only admin or owner\n      // can open an amendment\") is implemented lazy-on-first-touch\n      // because the role lives on the vault's keyring, and `tx.vault()`\n      // is the first place we know which vault we're addressing. The\n      // observable effect is identical to an eager check in the single-\n      // vault case the tests exercise; multi-vault amendments check\n      // each touched vault as they first appear.\n      const role = v.role\n      if (role !== 'admin' && role !== 'owner') {\n        throw new AmendmentForbiddenError(v.userId, role)\n      }\n      // Amendments require an initialised guard registry — they\n      // produce a structured invariant + change-set audit. A vault\n      // opened without `guardStrategies` (or via the sync fallback\n      // path) has a null registry and cannot run an amendment.\n      const reg = v._getGuardRegistry()\n      if (reg === null) {\n        throw new ValidationError(\n          `Vault \"${name}\": amendment mode requires at least one ` +\n          `guardStrategy registered via createNoydb({ guardStrategies }). ` +\n          `Open the vault with guardStrategies before calling ` +\n          `db.transaction({ amendment: true }).`,\n        )\n      }\n      reg.beginAmendment()\n      this._amendmentVaults.set(name, v)\n    }\n    return new TxVault(this, v)\n  }\n}\n\n/** Per-vault facade inside a running transaction. */\nexport class TxVault {\n  /** @internal */\n  readonly _ctx: TxContext\n  /** @internal */\n  readonly _vault: Vault\n\n  /** @internal */\n  constructor(ctx: TxContext, vault: Vault) {\n    this._ctx = ctx\n    this._vault = vault\n  }\n\n  /** Scope subsequent op calls to the named collection. */\n  collection<T>(name: string): TxCollection<T> {\n    const c = this._vault.collection<T>(name)\n    return new TxCollection<T>(this._ctx, this._vault, c, name)\n  }\n}\n\n/** Per-collection facade inside a running transaction. */\nexport class TxCollection<T> {\n  /** @internal */\n  readonly _ctx: TxContext\n  /** @internal */\n  readonly _vault: Vault\n  /** @internal */\n  readonly _coll: Collection<T>\n  /** @internal */\n  readonly _name: string\n\n  /** @internal */\n  constructor(ctx: TxContext, vault: Vault, coll: Collection<T>, name: string) {\n    this._ctx = ctx\n    this._vault = vault\n    this._coll = coll\n    this._name = name\n  }\n\n  /**\n   * Read the current committed value, or the most-recently-staged\n   * value from the same transaction if one exists.\n   */\n  async get(id: string): Promise<T | null> {\n    for (let i = this._ctx._ops.length - 1; i >= 0; i--) {\n      const op = this._ctx._ops[i]!\n      if (\n        op.vaultName === this._vault.name &&\n        op.collectionName === this._name &&\n        op.id === id\n      ) {\n        if (op.type === 'delete') return null\n        return op.record as T\n      }\n    }\n    return this._coll.get(id)\n  }\n\n  /**\n   * Stage a put. Does not write until the transaction body returns.\n   * Supply `{ expectedVersion }` to enforce optimistic concurrency\n   * during the commit pre-flight.\n   */\n  put(id: string, record: T, options?: { expectedVersion?: number; reason?: string }): void {\n    const op: StagedOp = {\n      type: 'put',\n      vaultName: this._vault.name,\n      collectionName: this._name,\n      id,\n      record,\n    }\n    if (options?.expectedVersion !== undefined) op.expectedVersion = options.expectedVersion\n    if (options?.reason !== undefined) op.reason = options.reason\n    this._ctx._ops.push(op)\n  }\n\n  /**\n   * Stage a delete. Does not write until the transaction body returns.\n   * Supply `{ expectedVersion }` to enforce optimistic concurrency\n   * during the commit pre-flight.\n   */\n  delete(id: string, options?: { expectedVersion?: number }): void {\n    const op: StagedOp = {\n      type: 'delete',\n      vaultName: this._vault.name,\n      collectionName: this._name,\n      id,\n    }\n    if (options?.expectedVersion !== undefined) op.expectedVersion = options.expectedVersion\n    this._ctx._ops.push(op)\n  }\n}\n\n/**\n * Commit plan: pre-flight check + execution + revert plan.\n *\n * @internal — driven by `withTransactions()` (via `tx/active.ts`) for\n * user-facing `db.transaction(...)` calls and by the `amendment` path\n * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop\n * but shares the `_activeTxContext` mechanism (and the `revertExecuted`\n * helper) so nested side-effect derivation writes get registered for\n * revert alongside the bulk-put source ops (#133).\n */\nexport async function runTransaction<T>(\n  db: Noydb,\n  fn: (tx: TxContext) => Promise<T> | T,\n  options?: AmendmentTxOptions,\n): Promise<T> {\n  // ─── Amendment-mode pre-flight ───────────────────────────────\n  // `reason` is the only thing we can validate before the body runs;\n  // the per-vault role check happens lazily on first `tx.vault(name)`\n  // because we don't know which vaults the body will touch ahead of\n  // time. Throwing here keeps the failure mode close to the call site\n  // so the developer doesn't have to walk an async stack to find the\n  // missing-reason mistake.\n  if (options?.amendment) {\n    if (typeof options.reason !== 'string' || options.reason.trim().length === 0) {\n      throw new ValidationError(\n        'db.transaction({ amendment: true }) requires a non-empty `reason` string.',\n      )\n    }\n  }\n\n  const ctx = new TxContext(db, options?.amendment === true)\n  const bodyResult = await fn(ctx)\n\n  if (ctx._ops.length === 0) {\n    // Body produced no ops. If amendment mode was active we still\n    // need to close any opened windows so a subsequent (unrelated)\n    // write doesn't surprise-collect into a stale change-set. Each\n    // `beginAmendment` is matched by exactly one `consumeChanges`.\n    if (ctx._amendment) {\n      for (const v of ctx._amendmentVaults.values()) {\n        // Registry is guaranteed non-null here — `tx.vault(name)`\n        // threw above if it was null before adding to\n        // `_amendmentVaults`.\n        const reg = v._getGuardRegistry()\n        if (reg !== null) {\n          reg.consumeChanges()\n          reg.consumeMeta()\n        }\n      }\n    }\n    return bodyResult\n  }\n\n  // Phase 1 — pre-flight: snapshot every touched envelope and enforce\n  // any caller-supplied expectedVersion. Same (vault, coll, id) touched\n  // more than once in one tx snapshots only the *initial* committed\n  // state; the in-order replay in Phase 2 takes care of successor ops.\n  const priorEnvelopes = new Map<string, EncryptedEnvelope | null>()\n  const store = db._store\n  for (const op of ctx._ops) {\n    const key = keyOf(op)\n    if (!priorEnvelopes.has(key)) {\n      const env = await store.get(op.vaultName, op.collectionName, op.id)\n      priorEnvelopes.set(key, env)\n    }\n    if (op.expectedVersion !== undefined) {\n      const env = priorEnvelopes.get(key) ?? null\n      const actual = env?._v ?? 0\n      if (actual !== op.expectedVersion) {\n        throw new ConflictError(\n          actual,\n          `Transaction pre-flight: ${op.vaultName}/${op.collectionName}/${op.id} ` +\n            `expected v${op.expectedVersion}, found v${actual}`,\n        )\n      }\n    }\n  }\n\n  // Phase 2 — execute via the Collection layer so history snapshots,\n  // ledger entries, and change events fire normally. We capture each\n  // successful op so a mid-batch throw can revert in Phase 3.\n  //\n  // `_activeTxContext` is published on the Noydb instance for the\n  // duration of Phase 2 so recursive writes triggered inside\n  // `Collection.put` (today: eager derivation outputs) can register\n  // their own envelopes onto `ctx._executed` and roll back alongside\n  // the main staged ops (#133). The `finally` clears it before the\n  // amendment commit phase runs.\n  db._setActiveTxContext(ctx)\n  try {\n    try {\n      for (const op of ctx._ops) {\n        const coll = db.vault(op.vaultName).collection(op.collectionName)\n        const key = keyOf(op)\n        const prior = priorEnvelopes.get(key) ?? null\n        // Record the revert plan BEFORE the call so a mid-`coll.put` throw\n        // (e.g. strict-mode derivation failure firing after `store.put`\n        // has already committed the envelope) still has its source write\n        // reverted. `revertExecuted` is best-effort: putting prior back is\n        // idempotent when the failing op never actually wrote, and\n        // `_invalidateCacheEntry` is a no-op when the collection isn't\n        // hydrated.\n        ctx._executed.push({ op, priorEnvelope: prior })\n        if (op.type === 'put') {\n          // eslint-disable-next-line @typescript-eslint/no-explicit-any\n          await coll.put(op.id, op.record as any, op.reason !== undefined ? { reason: op.reason } : undefined)\n        } else {\n          await coll.delete(op.id)\n        }\n      }\n    } catch (err) {\n      // Phase 3 — best-effort revert. See helper docstring.\n      await revertExecuted(ctx._executed, store, db)\n      // Drain amendment windows so the next transaction starts clean.\n      if (ctx._amendment) {\n        for (const v of ctx._amendmentVaults.values()) {\n          const reg = v._getGuardRegistry()\n          if (reg !== null) {\n            reg.consumeChanges()\n            reg.consumeMeta()\n          }\n        }\n      }\n      throw err\n    }\n  } finally {\n    db._clearActiveTxContext(ctx)\n  }\n\n  // ─── Amendment commit phase (only if amendment === true) ────\n  // Body succeeded — now run each touched vault's invariants over the\n  // collected change-set, then append a structured ledger entry. If\n  // any invariant throws, treat it exactly like a mid-Phase-2 failure:\n  // revert every executed op and re-throw the InvariantError.\n  if (ctx._amendment) {\n    // Lazy-load GuardExecutor at the dispatch site — keeps the floor\n    // bundle free of the guards subsystem when amendments aren't used.\n    // Mirrors the deferred-load pattern from #130 elsewhere in this PR.\n    const { GuardExecutor } = (await import('../guards/executor.js')) as {\n      GuardExecutor: typeof GuardExecutorModule\n    }\n    try {\n      for (const [vaultName, v] of ctx._amendmentVaults) {\n        const registry = v._getGuardRegistry()\n        // Registry is guaranteed non-null at this point — the\n        // `tx.vault(name)` path that populates `_amendmentVaults`\n        // throws if the registry is null. The defensive check here\n        // is for TypeScript's narrowing.\n        if (registry === null) continue\n        const changesByCollection = registry.consumeChanges()\n        const meta = registry.consumeMeta()\n        if (changesByCollection.size === 0) continue\n\n        const readOnlyVault = v._getReadOnlyFacade()\n        if (readOnlyVault === null) continue\n\n        // Build the invariant ctx once per vault — it's the same shape\n        // every guard sees on the normal `check` path, just with a\n        // synthetic `existing: null` (invariants get the full change\n        // set in their first parameter; `existing` is a per-record\n        // concept that doesn't apply here).\n        const invariantsPassed: string[] = []\n        for (const [collection, changes] of changesByCollection) {\n          const guards = registry.guardsFor(collection).filter(g => g.amendment !== undefined)\n          for (const guard of guards) {\n            await GuardExecutor.runInvariant(guard, changes, {\n              existing: null,\n              vault: readOnlyVault,\n              userId: v.userId,\n              role: v.role,\n            })\n          }\n          if (guards.length > 0) invariantsPassed.push(collection)\n        }\n\n        // Append the audit ledger entry. Silent no-op when the\n        // history strategy isn't configured — the records still\n        // committed, only the multi-record summary is unavailable.\n        const ledger = v._getLedgerOrNull()\n        if (ledger) {\n          const role = v.role as 'admin' | 'owner'\n          const amendment: NonNullable<LedgerEntry['amendment']> = {\n            reason: options!.reason,\n            role,\n            changes: meta,\n            invariantsPassed,\n          }\n          await ledger.append({\n            op: 'amendment',\n            collection: '',\n            id: '',\n            version: 0,\n            actor: v.userId,\n            // No payload to hash — the per-record entries already\n            // captured `payloadHash` at their own append time. We use\n            // a sha256 of the canonical reason string so the field is\n            // populated with something deterministic and non-empty.\n            payloadHash: '',\n            amendment,\n          })\n        }\n        void vaultName\n      }\n    } catch (err) {\n      await revertExecuted(ctx._executed, store, db)\n      throw err instanceof InvariantError ? err : new InvariantError(\n        err instanceof Error ? err.message : `invariant violated: ${String(err)}`,\n      )\n    }\n  }\n\n  return bodyResult\n}\n\n/**\n * Phase 3 helper — restore captured prior envelopes via the raw store\n * to avoid re-firing Collection-level side effects (we don't want a\n * cascade of change events undoing themselves). The ledger is left\n * as-is: each committed op appended an entry; the revert is\n * deliberately NOT recorded as a compensating entry because the\n * caller-facing contract is \"atomic or not at all,\" not \"every write\n * visible in the audit trail.\" Auditors who need the intermediate\n * state can still reconstruct it by walking the ledger through the\n * failed-tx timestamp.\n *\n * @internal — shared between `runTransaction` and\n * `Collection.putManyAtomic`. Both register source ops + nested\n * derivation side-effect ops onto `_executed`; this helper unwinds the\n * combined list in reverse on rollback.\n */\nexport async function revertExecuted(\n  executed: ReadonlyArray<ExecutedOp>,\n  store: Noydb['_store'],\n  db?: Noydb,\n): Promise<void> {\n  for (const { op, priorEnvelope } of executed.slice().reverse()) {\n    try {\n      if (priorEnvelope) {\n        await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope)\n      } else {\n        await store.delete(op.vaultName, op.collectionName, op.id)\n      }\n      // Sync the Collection-layer cache with what we just wrote at\n      // the raw store. Without this, eager-mode `get` would still\n      // return the rolled-back record from its in-memory map. The\n      // Collection's `_invalidateCacheEntry` is a no-op when the\n      // collection hasn't yet been hydrated.\n      if (db) {\n        const coll = db.vault(op.vaultName).collection(op.collectionName)\n        // eslint-disable-next-line @typescript-eslint/no-explicit-any\n        await (coll as any)._invalidateCacheEntry(op.id)\n      }\n    } catch {\n      // swallow — best-effort. Surfacing the revert error would mask\n      // the original one that triggered the rollback.\n    }\n  }\n}\n\nfunction keyOf(op: StagedOp): string {\n  return `${op.vaultName}\\x00${op.collectionName}\\x00${op.id}`\n}\n"],"mappings":";;;;;;;;;;;AAqHO,IAAM,YAAN,MAAgB;AAAA;AAAA,EAEZ,OAAe,aAAa;AAAA;AAAA,EAE5B,OAAmB,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASpB,YAA0B,CAAC;AAAA;AAAA,EAE3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA;AAAA;AAAA,EAEA,mBAAmB,oBAAI,IAAmB;AAAA;AAAA,EAGnD,YAAY,IAAW,YAAY,OAAO;AACxC,SAAK,MAAM;AACX,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA,EAGA,MAAM,MAAuB;AAC3B,UAAM,IAAI,KAAK,IAAI,MAAM,IAAI;AAC7B,QAAI,KAAK,cAAc,CAAC,KAAK,iBAAiB,IAAI,IAAI,GAAG;AAQvD,YAAM,OAAO,EAAE;AACf,UAAI,SAAS,WAAW,SAAS,SAAS;AACxC,cAAM,IAAI,wBAAwB,EAAE,QAAQ,IAAI;AAAA,MAClD;AAKA,YAAM,MAAM,EAAE,kBAAkB;AAChC,UAAI,QAAQ,MAAM;AAChB,cAAM,IAAI;AAAA,UACR,UAAU,IAAI;AAAA,QAIhB;AAAA,MACF;AACA,UAAI,eAAe;AACnB,WAAK,iBAAiB,IAAI,MAAM,CAAC;AAAA,IACnC;AACA,WAAO,IAAI,QAAQ,MAAM,CAAC;AAAA,EAC5B;AACF;AAGO,IAAM,UAAN,MAAc;AAAA;AAAA,EAEV;AAAA;AAAA,EAEA;AAAA;AAAA,EAGT,YAAY,KAAgB,OAAc;AACxC,SAAK,OAAO;AACZ,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA,EAGA,WAAc,MAA+B;AAC3C,UAAM,IAAI,KAAK,OAAO,WAAc,IAAI;AACxC,WAAO,IAAI,aAAgB,KAAK,MAAM,KAAK,QAAQ,GAAG,IAAI;AAAA,EAC5D;AACF;AAGO,IAAM,eAAN,MAAsB;AAAA;AAAA,EAElB;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAGT,YAAY,KAAgB,OAAc,MAAqB,MAAc;AAC3E,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,IAAI,IAA+B;AACvC,aAAS,IAAI,KAAK,KAAK,KAAK,SAAS,GAAG,KAAK,GAAG,KAAK;AACnD,YAAM,KAAK,KAAK,KAAK,KAAK,CAAC;AAC3B,UACE,GAAG,cAAc,KAAK,OAAO,QAC7B,GAAG,mBAAmB,KAAK,SAC3B,GAAG,OAAO,IACV;AACA,YAAI,GAAG,SAAS,SAAU,QAAO;AACjC,eAAO,GAAG;AAAA,MACZ;AAAA,IACF;AACA,WAAO,KAAK,MAAM,IAAI,EAAE;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,IAAY,QAAW,SAA+D;AACxF,UAAM,KAAe;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,OAAO;AAAA,MACvB,gBAAgB,KAAK;AAAA,MACrB;AAAA,MACA;AAAA,IACF;AACA,QAAI,SAAS,oBAAoB,OAAW,IAAG,kBAAkB,QAAQ;AACzE,QAAI,SAAS,WAAW,OAAW,IAAG,SAAS,QAAQ;AACvD,SAAK,KAAK,KAAK,KAAK,EAAE;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,IAAY,SAA8C;AAC/D,UAAM,KAAe;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,OAAO;AAAA,MACvB,gBAAgB,KAAK;AAAA,MACrB;AAAA,IACF;AACA,QAAI,SAAS,oBAAoB,OAAW,IAAG,kBAAkB,QAAQ;AACzE,SAAK,KAAK,KAAK,KAAK,EAAE;AAAA,EACxB;AACF;AAYA,eAAsB,eACpB,IACA,IACA,SACY;AAQZ,MAAI,SAAS,WAAW;AACtB,QAAI,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,KAAK,EAAE,WAAW,GAAG;AAC5E,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAM,IAAI,UAAU,IAAI,SAAS,cAAc,IAAI;AACzD,QAAM,aAAa,MAAM,GAAG,GAAG;AAE/B,MAAI,IAAI,KAAK,WAAW,GAAG;AAKzB,QAAI,IAAI,YAAY;AAClB,iBAAW,KAAK,IAAI,iBAAiB,OAAO,GAAG;AAI7C,cAAM,MAAM,EAAE,kBAAkB;AAChC,YAAI,QAAQ,MAAM;AAChB,cAAI,eAAe;AACnB,cAAI,YAAY;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAMA,QAAM,iBAAiB,oBAAI,IAAsC;AACjE,QAAM,QAAQ,GAAG;AACjB,aAAW,MAAM,IAAI,MAAM;AACzB,UAAM,MAAM,MAAM,EAAE;AACpB,QAAI,CAAC,eAAe,IAAI,GAAG,GAAG;AAC5B,YAAM,MAAM,MAAM,MAAM,IAAI,GAAG,WAAW,GAAG,gBAAgB,GAAG,EAAE;AAClE,qBAAe,IAAI,KAAK,GAAG;AAAA,IAC7B;AACA,QAAI,GAAG,oBAAoB,QAAW;AACpC,YAAM,MAAM,eAAe,IAAI,GAAG,KAAK;AACvC,YAAM,SAAS,KAAK,MAAM;AAC1B,UAAI,WAAW,GAAG,iBAAiB;AACjC,cAAM,IAAI;AAAA,UACR;AAAA,UACA,2BAA2B,GAAG,SAAS,IAAI,GAAG,cAAc,IAAI,GAAG,EAAE,cACtD,GAAG,eAAe,YAAY,MAAM;AAAA,QACrD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAYA,KAAG,oBAAoB,GAAG;AAC1B,MAAI;AACF,QAAI;AACF,iBAAW,MAAM,IAAI,MAAM;AACzB,cAAM,OAAO,GAAG,MAAM,GAAG,SAAS,EAAE,WAAW,GAAG,cAAc;AAChE,cAAM,MAAM,MAAM,EAAE;AACpB,cAAM,QAAQ,eAAe,IAAI,GAAG,KAAK;AAQzC,YAAI,UAAU,KAAK,EAAE,IAAI,eAAe,MAAM,CAAC;AAC/C,YAAI,GAAG,SAAS,OAAO;AAErB,gBAAM,KAAK,IAAI,GAAG,IAAI,GAAG,QAAe,GAAG,WAAW,SAAY,EAAE,QAAQ,GAAG,OAAO,IAAI,MAAS;AAAA,QACrG,OAAO;AACL,gBAAM,KAAK,OAAO,GAAG,EAAE;AAAA,QACzB;AAAA,MACF;AAAA,IACF,SAAS,KAAK;AAEZ,YAAM,eAAe,IAAI,WAAW,OAAO,EAAE;AAE7C,UAAI,IAAI,YAAY;AAClB,mBAAW,KAAK,IAAI,iBAAiB,OAAO,GAAG;AAC7C,gBAAM,MAAM,EAAE,kBAAkB;AAChC,cAAI,QAAQ,MAAM;AAChB,gBAAI,eAAe;AACnB,gBAAI,YAAY;AAAA,UAClB;AAAA,QACF;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF,UAAE;AACA,OAAG,sBAAsB,GAAG;AAAA,EAC9B;AAOA,MAAI,IAAI,YAAY;AAIlB,UAAM,EAAE,cAAc,IAAK,MAAM,OAAO,wBAAuB;AAG/D,QAAI;AACF,iBAAW,CAAC,WAAW,CAAC,KAAK,IAAI,kBAAkB;AACjD,cAAM,WAAW,EAAE,kBAAkB;AAKrC,YAAI,aAAa,KAAM;AACvB,cAAM,sBAAsB,SAAS,eAAe;AACpD,cAAM,OAAO,SAAS,YAAY;AAClC,YAAI,oBAAoB,SAAS,EAAG;AAEpC,cAAM,gBAAgB,EAAE,mBAAmB;AAC3C,YAAI,kBAAkB,KAAM;AAO5B,cAAM,mBAA6B,CAAC;AACpC,mBAAW,CAAC,YAAY,OAAO,KAAK,qBAAqB;AACvD,gBAAM,SAAS,SAAS,UAAU,UAAU,EAAE,OAAO,OAAK,EAAE,cAAc,MAAS;AACnF,qBAAW,SAAS,QAAQ;AAC1B,kBAAM,cAAc,aAAa,OAAO,SAAS;AAAA,cAC/C,UAAU;AAAA,cACV,OAAO;AAAA,cACP,QAAQ,EAAE;AAAA,cACV,MAAM,EAAE;AAAA,YACV,CAAC;AAAA,UACH;AACA,cAAI,OAAO,SAAS,EAAG,kBAAiB,KAAK,UAAU;AAAA,QACzD;AAKA,cAAM,SAAS,EAAE,iBAAiB;AAClC,YAAI,QAAQ;AACV,gBAAM,OAAO,EAAE;AACf,gBAAM,YAAmD;AAAA,YACvD,QAAQ,QAAS;AAAA,YACjB;AAAA,YACA,SAAS;AAAA,YACT;AAAA,UACF;AACA,gBAAM,OAAO,OAAO;AAAA,YAClB,IAAI;AAAA,YACJ,YAAY;AAAA,YACZ,IAAI;AAAA,YACJ,SAAS;AAAA,YACT,OAAO,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA,YAKT,aAAa;AAAA,YACb;AAAA,UACF,CAAC;AAAA,QACH;AACA,aAAK;AAAA,MACP;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,eAAe,IAAI,WAAW,OAAO,EAAE;AAC7C,YAAM,eAAe,iBAAiB,MAAM,IAAI;AAAA,QAC9C,eAAe,QAAQ,IAAI,UAAU,uBAAuB,OAAO,GAAG,CAAC;AAAA,MACzE;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAkBA,eAAsB,eACpB,UACA,OACA,IACe;AACf,aAAW,EAAE,IAAI,cAAc,KAAK,SAAS,MAAM,EAAE,QAAQ,GAAG;AAC9D,QAAI;AACF,UAAI,eAAe;AACjB,cAAM,MAAM,IAAI,GAAG,WAAW,GAAG,gBAAgB,GAAG,IAAI,aAAa;AAAA,MACvE,OAAO;AACL,cAAM,MAAM,OAAO,GAAG,WAAW,GAAG,gBAAgB,GAAG,EAAE;AAAA,MAC3D;AAMA,UAAI,IAAI;AACN,cAAM,OAAO,GAAG,MAAM,GAAG,SAAS,EAAE,WAAW,GAAG,cAAc;AAEhE,cAAO,KAAa,sBAAsB,GAAG,EAAE;AAAA,MACjD;AAAA,IACF,QAAQ;AAAA,IAGR;AAAA,EACF;AACF;AAEA,SAAS,MAAM,IAAsB;AACnC,SAAO,GAAG,GAAG,SAAS,KAAO,GAAG,cAAc,KAAO,GAAG,EAAE;AAC5D;","names":[]}

package/dist/chunk-HGZ7DC5H.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/derivations/executor.ts"],"sourcesContent":["import { DerivationCapExceededError, DerivationOutputShapeError } from '../errors.js'\nimport type { DerivationContext, DerivationStrategy, DerivedFromMeta } from './types.js'\n\nexport interface RunResult {\n  outputs: Record<string, OutputResult>\n  failed: boolean\n}\n\n/**\n * Per-output result of a strategy invocation. Discriminated by\n * `kind`:\n *\n * - `record` — the existing v1 shape: one value (or a \"skipped\"\n *   marker if the output was optional and `derive` returned null).\n * - `array` — the #200 shape: a list of `(key, value)` entries.\n *   The caller diffs these against the previously-emitted key set\n *   (loaded from the fanout sidecar) to compute deletes + upserts.\n */\nexport type OutputResult =\n  | RecordOutputResult\n  | ArrayOutputResult\n  | FailedOutputResult\n\nexport interface RecordOutputResult {\n  kind: 'record'\n  value: Record<string, unknown>\n  ok: true\n  /**\n   * `true` when an optional output (#144) returned `null` /\n   * `undefined`. The caller deletes any previously-emitted output at\n   * the same id (mirrors \"tombstone for derived data\"); a never-emitted\n   * output is a silent no-op. `ok: true` because skipping is a\n   * successful outcome, not a failure.\n   */\n  skipped?: boolean\n}\n\nexport interface ArrayOutputResult {\n  kind: 'array'\n  ok: true\n  /** One `(key, value)` per derived row. Empty array means \"all prior outputs for this source go.\" */\n  entries: ReadonlyArray<{ readonly key: string; readonly value: Record<string, unknown> }>\n}\n\nexport interface FailedOutputResult {\n  kind: 'failed'\n  ok: false\n  error: Error\n  /** Always empty on failure; present so consumers don't have to narrow. */\n  value: Record<string, unknown>\n}\n\n/**\n * Stateless functions that execute a derivation strategy. Persistence\n * (encrypt + store.put) is the caller's job — typically\n * `DerivationRegistry.onSourceWrite` which iterates run() results and\n * writes each output via `Collection.put`.\n */\nexport const DerivationExecutor = {\n  /**\n   * Run `derive` once, validate output shape against the spec, stamp\n   * `_derivedFrom` onto every output. Returns per-output success or\n   * failure; throws only for shape mismatches (a contract violation).\n   */\n  async run<\n    TSource extends Record<string, unknown>,\n    TOutputs extends Record<string, Record<string, unknown>>,\n  >(\n    strategy: DerivationStrategy<TSource, TOutputs>,\n    source: TSource & { id: string },\n    sourceVersion: number,\n    strategyHash: string,\n    ctx: DerivationContext,\n  ): Promise<RunResult> {\n    const outputs: Record<string, OutputResult> = {}\n    let derived: Partial<TOutputs>\n\n    try {\n      derived = await Promise.resolve(strategy.derive(source as TSource, ctx))\n    } catch (err) {\n      for (const key of Object.keys(strategy.outputs)) {\n        outputs[key] = {\n          kind: 'failed',\n          value: {},\n          ok: false,\n          error: err instanceof Error ? err : new Error(String(err)),\n        }\n      }\n      return { outputs, failed: true }\n    }\n\n    const meta: DerivedFromMeta = {\n      source: strategy.source,\n      sourceId: source.id,\n      sourceVersion,\n      derivedAt: new Date().toISOString(),\n      strategyHash,\n    }\n\n    for (const key of Object.keys(strategy.outputs)) {\n      const outSpec = strategy.outputs[key]\n      if (!outSpec) continue\n      const value = (derived as Record<string, unknown>)[key]\n\n      // ── Array-shape branch (#200 slice 1) ──────────────────────\n      if (outSpec.shape === 'array') {\n        if (value === undefined || value === null) {\n          // Treat null/undefined as \"empty array\" — clears all prior\n          // outputs for this (source, output) pair. The caller's\n          // diff turns that into deletes.\n          outputs[key] = { kind: 'array', ok: true, entries: [] }\n          continue\n        }\n        if (!Array.isArray(value)) {\n          throw new DerivationOutputShapeError(\n            key,\n            `shape 'array' expects an array, got ${typeof value}`,\n          )\n        }\n        const maxFanout = outSpec.maxFanout ?? 64\n        if (value.length > maxFanout) {\n          throw new DerivationCapExceededError(key, value.length, maxFanout)\n        }\n        const entries: Array<{ key: string; value: Record<string, unknown> }> = []\n        const seenKeys = new Set<string>()\n        for (let i = 0; i < value.length; i++) {\n          const row = value[i] as unknown\n          if (row === null || typeof row !== 'object') {\n            throw new DerivationOutputShapeError(\n              key,\n              `array member at index ${i} must be a non-null object (got ${row === null ? 'null' : typeof row})`,\n            )\n          }\n          let derivedKey: string\n          try {\n            derivedKey = outSpec.key(row as Record<string, unknown>)\n          } catch (err) {\n            throw new DerivationOutputShapeError(\n              key,\n              `key extractor threw on array member at index ${i}: `\n              + (err instanceof Error ? err.message : String(err)),\n            )\n          }\n          if (typeof derivedKey !== 'string' || derivedKey.length === 0) {\n            throw new DerivationOutputShapeError(\n              key,\n              `key extractor returned ${typeof derivedKey === 'string' ? 'empty string' : typeof derivedKey} at index ${i}; expected non-empty string`,\n            )\n          }\n          if (seenKeys.has(derivedKey)) {\n            throw new DerivationOutputShapeError(\n              key,\n              `duplicate key \"${derivedKey}\" in array output (index ${i}); each derived row must have a unique key within a single derive() invocation`,\n            )\n          }\n          seenKeys.add(derivedKey)\n          entries.push({\n            key: derivedKey,\n            value: { ...(row as Record<string, unknown>), _derivedFrom: meta },\n          })\n        }\n        outputs[key] = { kind: 'array', ok: true, entries }\n        continue\n      }\n\n      // ── Record-shape branch (existing v1 behavior) ─────────────\n      if (value === undefined || value === null) {\n        if (outSpec.optional === true) {\n          // #144: optional output explicitly skipped. Mark for caller\n          // so any prior-emitted output at this id can be deleted.\n          outputs[key] = { kind: 'record', value: {}, ok: true, skipped: true }\n          continue\n        }\n        throw new DerivationOutputShapeError(\n          key,\n          `expected object, got ${value === undefined ? 'undefined' : 'null'}`,\n        )\n      }\n      if (typeof value !== 'object') {\n        throw new DerivationOutputShapeError(\n          key,\n          `expected object, got ${typeof value}`,\n        )\n      }\n      outputs[key] = {\n        kind: 'record',\n        value: { ...(value as Record<string, unknown>), _derivedFrom: meta },\n        ok: true,\n      }\n    }\n    return { outputs, failed: false }\n  },\n}\n"],"mappings":";;;;;;AA0DO,IAAM,qBAAqB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMhC,MAAM,IAIJ,UACA,QACA,eACA,cACA,KACoB;AACpB,UAAM,UAAwC,CAAC;AAC/C,QAAI;AAEJ,QAAI;AACF,gBAAU,MAAM,QAAQ,QAAQ,SAAS,OAAO,QAAmB,GAAG,CAAC;AAAA,IACzE,SAAS,KAAK;AACZ,iBAAW,OAAO,OAAO,KAAK,SAAS,OAAO,GAAG;AAC/C,gBAAQ,GAAG,IAAI;AAAA,UACb,MAAM;AAAA,UACN,OAAO,CAAC;AAAA,UACR,IAAI;AAAA,UACJ,OAAO,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,QAC3D;AAAA,MACF;AACA,aAAO,EAAE,SAAS,QAAQ,KAAK;AAAA,IACjC;AAEA,UAAM,OAAwB;AAAA,MAC5B,QAAQ,SAAS;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,IACF;AAEA,eAAW,OAAO,OAAO,KAAK,SAAS,OAAO,GAAG;AAC/C,YAAM,UAAU,SAAS,QAAQ,GAAG;AACpC,UAAI,CAAC,QAAS;AACd,YAAM,QAAS,QAAoC,GAAG;AAGtD,UAAI,QAAQ,UAAU,SAAS;AAC7B,YAAI,UAAU,UAAa,UAAU,MAAM;AAIzC,kBAAQ,GAAG,IAAI,EAAE,MAAM,SAAS,IAAI,MAAM,SAAS,CAAC,EAAE;AACtD;AAAA,QACF;AACA,YAAI,CAAC,MAAM,QAAQ,KAAK,GAAG;AACzB,gBAAM,IAAI;AAAA,YACR;AAAA,YACA,uCAAuC,OAAO,KAAK;AAAA,UACrD;AAAA,QACF;AACA,cAAM,YAAY,QAAQ,aAAa;AACvC,YAAI,MAAM,SAAS,WAAW;AAC5B,gBAAM,IAAI,2BAA2B,KAAK,MAAM,QAAQ,SAAS;AAAA,QACnE;AACA,cAAM,UAAkE,CAAC;AACzE,cAAM,WAAW,oBAAI,IAAY;AACjC,iBAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,gBAAM,MAAM,MAAM,CAAC;AACnB,cAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,yBAAyB,CAAC,mCAAmC,QAAQ,OAAO,SAAS,OAAO,GAAG;AAAA,YACjG;AAAA,UACF;AACA,cAAI;AACJ,cAAI;AACF,yBAAa,QAAQ,IAAI,GAA8B;AAAA,UACzD,SAAS,KAAK;AACZ,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,gDAAgD,CAAC,QAC9C,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,YACpD;AAAA,UACF;AACA,cAAI,OAAO,eAAe,YAAY,WAAW,WAAW,GAAG;AAC7D,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,0BAA0B,OAAO,eAAe,WAAW,iBAAiB,OAAO,UAAU,aAAa,CAAC;AAAA,YAC7G;AAAA,UACF;AACA,cAAI,SAAS,IAAI,UAAU,GAAG;AAC5B,kBAAM,IAAI;AAAA,cACR;AAAA,cACA,kBAAkB,UAAU,4BAA4B,CAAC;AAAA,YAC3D;AAAA,UACF;AACA,mBAAS,IAAI,UAAU;AACvB,kBAAQ,KAAK;AAAA,YACX,KAAK;AAAA,YACL,OAAO,EAAE,GAAI,KAAiC,cAAc,KAAK;AAAA,UACnE,CAAC;AAAA,QACH;AACA,gBAAQ,GAAG,IAAI,EAAE,MAAM,SAAS,IAAI,MAAM,QAAQ;AAClD;AAAA,MACF;AAGA,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,YAAI,QAAQ,aAAa,MAAM;AAG7B,kBAAQ,GAAG,IAAI,EAAE,MAAM,UAAU,OAAO,CAAC,GAAG,IAAI,MAAM,SAAS,KAAK;AACpE;AAAA,QACF;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,wBAAwB,UAAU,SAAY,cAAc,MAAM;AAAA,QACpE;AAAA,MACF;AACA,UAAI,OAAO,UAAU,UAAU;AAC7B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,wBAAwB,OAAO,KAAK;AAAA,QACtC;AAAA,MACF;AACA,cAAQ,GAAG,IAAI;AAAA,QACb,MAAM;AAAA,QACN,OAAO,EAAE,GAAI,OAAmC,cAAc,KAAK;AAAA,QACnE,IAAI;AAAA,MACN;AAAA,IACF;AACA,WAAO,EAAE,SAAS,QAAQ,MAAM;AAAA,EAClC;AACF;","names":[]}

package/dist/chunk-MRIBLZL3.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/query/predicate.ts"],"sourcesContent":["/**\n * Operator implementations for the query DSL.\n *\n * All predicates run client-side, AFTER decryption — they never see ciphertext.\n * This file is dependency-free and tree-shakeable.\n */\n\n/** Comparison operators supported by the where() builder. */\nexport type Operator =\n  | '=='\n  | '!='\n  | '<'\n  | '<='\n  | '>'\n  | '>='\n  | 'in'\n  | 'contains'\n  | 'startsWith'\n  | 'between'\n\n/**\n * A single field comparison clause inside a query plan.\n * Plans are JSON-serializable, so this type uses primitives only.\n */\nexport interface FieldClause {\n  readonly type: 'field'\n  readonly field: string\n  readonly op: Operator\n  readonly value: unknown\n}\n\n/**\n * A user-supplied predicate function escape hatch. Not serializable.\n *\n * The predicate accepts `unknown` at the type level so the surrounding\n * Clause type can stay non-parametric — this keeps Collection<T> covariant\n * in T at the public API surface. Builder methods cast user predicates\n * (typed `(record: T) => boolean`) into this shape on the way in.\n */\nexport interface FilterClause {\n  readonly type: 'filter'\n  readonly fn: (record: unknown) => boolean\n}\n\n/**\n * A declared deterministic predicate reference (#153). The query\n * builder produces this via `.wherePredicate(name, ctx?)` when a\n * Query has been augmented with a predicates map (typically by the\n * materialized-view registry — see MV v2 spec § Function-based\n * source-row predicates).\n *\n * `predicateHash` is the consumer-supplied stable hash for the\n * function body; `ctxHash` is the canonical-JSON SHA-256 of `ctx`.\n * Both fold into the MV's `queryHash` so a function or ctx change\n * forces refresh on next visit.\n *\n * `fn` is resolved at builder time from the predicates map and\n * embedded directly — so `evaluateClause` can fire it without a\n * runtime lookup.\n */\nexport interface WherePredicateClause {\n  readonly type: 'wherePredicate'\n  readonly name: string\n  readonly ctx: unknown\n  readonly predicateHash: string\n  readonly ctxHash: string\n  readonly fn: (record: unknown, ctx?: unknown) => boolean\n}\n\n/** A logical group of clauses combined by AND or OR. */\nexport interface GroupClause {\n  readonly type: 'group'\n  readonly op: 'and' | 'or'\n  readonly clauses: readonly Clause[]\n}\n\nexport type Clause = FieldClause | FilterClause | WherePredicateClause | GroupClause\n\n/**\n * Read a possibly nested field path like \"address.city\" from a record.\n * Returns undefined if any segment is missing.\n */\nexport function readPath(record: unknown, path: string): unknown {\n  if (record === null || record === undefined) return undefined\n  if (!path.includes('.')) {\n    return (record as Record<string, unknown>)[path]\n  }\n  const segments = path.split('.')\n  let cursor: unknown = record\n  for (const segment of segments) {\n    if (cursor === null || cursor === undefined) return undefined\n    cursor = (cursor as Record<string, unknown>)[segment]\n  }\n  return cursor\n}\n\n/**\n * Evaluate a single field clause against a record.\n * Returns false on type mismatches rather than throwing — query results\n * exclude non-matching records by definition.\n */\nexport function evaluateFieldClause(record: unknown, clause: FieldClause): boolean {\n  const actual = readPath(record, clause.field)\n  const { op, value } = clause\n\n  switch (op) {\n    case '==':\n      return actual === value\n    case '!=':\n      return actual !== value\n    case '<':\n      return isComparable(actual, value) && (actual as number) < (value as number)\n    case '<=':\n      return isComparable(actual, value) && (actual as number) <= (value as number)\n    case '>':\n      return isComparable(actual, value) && (actual as number) > (value as number)\n    case '>=':\n      return isComparable(actual, value) && (actual as number) >= (value as number)\n    case 'in':\n      return Array.isArray(value) && value.includes(actual)\n    case 'contains':\n      if (typeof actual === 'string') return typeof value === 'string' && actual.includes(value)\n      if (Array.isArray(actual)) return actual.includes(value)\n      return false\n    case 'startsWith':\n      return typeof actual === 'string' && typeof value === 'string' && actual.startsWith(value)\n    case 'between': {\n      if (!Array.isArray(value) || value.length !== 2) return false\n      const [lo, hi] = value\n      if (!isComparable(actual, lo) || !isComparable(actual, hi)) return false\n      return (actual as number) >= (lo as number) && (actual as number) <= (hi as number)\n    }\n    default: {\n      // Exhaustiveness — TS will error if a new operator is added without a case.\n      const _exhaustive: never = op\n      void _exhaustive\n      return false\n    }\n  }\n}\n\n/**\n * Two values are \"comparable\" if they share an order-defined runtime type.\n * Strings compare lexicographically; numbers and Dates numerically; otherwise false.\n */\nfunction isComparable(a: unknown, b: unknown): boolean {\n  if (typeof a === 'number' && typeof b === 'number') return true\n  if (typeof a === 'string' && typeof b === 'string') return true\n  if (a instanceof Date && b instanceof Date) return true\n  return false\n}\n\n/**\n * Evaluate any clause (field / filter / group) against a record.\n * The recursion depth is bounded by the user's query expression — no risk of\n * blowing the stack on a 50K-record collection.\n */\nexport function evaluateClause(record: unknown, clause: Clause): boolean {\n  switch (clause.type) {\n    case 'field':\n      return evaluateFieldClause(record, clause)\n    case 'filter':\n      return clause.fn(record)\n    case 'wherePredicate':\n      return clause.fn(record, clause.ctx)\n    case 'group':\n      if (clause.op === 'and') {\n        for (const child of clause.clauses) {\n          if (!evaluateClause(record, child)) return false\n        }\n        return true\n      } else {\n        for (const child of clause.clauses) {\n          if (evaluateClause(record, child)) return true\n        }\n        return false\n      }\n  }\n}\n"],"mappings":";AAkFO,SAAS,SAAS,QAAiB,MAAuB;AAC/D,MAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,MAAI,CAAC,KAAK,SAAS,GAAG,GAAG;AACvB,WAAQ,OAAmC,IAAI;AAAA,EACjD;AACA,QAAM,WAAW,KAAK,MAAM,GAAG;AAC/B,MAAI,SAAkB;AACtB,aAAW,WAAW,UAAU;AAC9B,QAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,aAAU,OAAmC,OAAO;AAAA,EACtD;AACA,SAAO;AACT;AAOO,SAAS,oBAAoB,QAAiB,QAA8B;AACjF,QAAM,SAAS,SAAS,QAAQ,OAAO,KAAK;AAC5C,QAAM,EAAE,IAAI,MAAM,IAAI;AAEtB,UAAQ,IAAI;AAAA,IACV,KAAK;AACH,aAAO,WAAW;AAAA,IACpB,KAAK;AACH,aAAO,WAAW;AAAA,IACpB,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,SAAqB;AAAA,IAC9D,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,UAAsB;AAAA,IAC/D,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,SAAqB;AAAA,IAC9D,KAAK;AACH,aAAO,aAAa,QAAQ,KAAK,KAAM,UAAsB;AAAA,IAC/D,KAAK;AACH,aAAO,MAAM,QAAQ,KAAK,KAAK,MAAM,SAAS,MAAM;AAAA,IACtD,KAAK;AACH,UAAI,OAAO,WAAW,SAAU,QAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK;AACzF,UAAI,MAAM,QAAQ,MAAM,EAAG,QAAO,OAAO,SAAS,KAAK;AACvD,aAAO;AAAA,IACT,KAAK;AACH,aAAO,OAAO,WAAW,YAAY,OAAO,UAAU,YAAY,OAAO,WAAW,KAAK;AAAA,IAC3F,KAAK,WAAW;AACd,UAAI,CAAC,MAAM,QAAQ,KAAK,KAAK,MAAM,WAAW,EAAG,QAAO;AACxD,YAAM,CAAC,IAAI,EAAE,IAAI;AACjB,UAAI,CAAC,aAAa,QAAQ,EAAE,KAAK,CAAC,aAAa,QAAQ,EAAE,EAAG,QAAO;AACnE,aAAQ,UAAsB,MAAkB,UAAsB;AAAA,IACxE;AAAA,IACA,SAAS;AAEP,YAAM,cAAqB;AAC3B,WAAK;AACL,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAMA,SAAS,aAAa,GAAY,GAAqB;AACrD,MAAI,OAAO,MAAM,YAAY,OAAO,MAAM,SAAU,QAAO;AAC3D,MAAI,OAAO,MAAM,YAAY,OAAO,MAAM,SAAU,QAAO;AAC3D,MAAI,aAAa,QAAQ,aAAa,KAAM,QAAO;AACnD,SAAO;AACT;AAOO,SAAS,eAAe,QAAiB,QAAyB;AACvE,UAAQ,OAAO,MAAM;AAAA,IACnB,KAAK;AACH,aAAO,oBAAoB,QAAQ,MAAM;AAAA,IAC3C,KAAK;AACH,aAAO,OAAO,GAAG,MAAM;AAAA,IACzB,KAAK;AACH,aAAO,OAAO,GAAG,QAAQ,OAAO,GAAG;AAAA,IACrC,KAAK;AACH,UAAI,OAAO,OAAO,OAAO;AACvB,mBAAW,SAAS,OAAO,SAAS;AAClC,cAAI,CAAC,eAAe,QAAQ,KAAK,EAAG,QAAO;AAAA,QAC7C;AACA,eAAO;AAAA,MACT,OAAO;AACL,mBAAW,SAAS,OAAO,SAAS;AAClC,cAAI,eAAe,QAAQ,KAAK,EAAG,QAAO;AAAA,QAC5C;AACA,eAAO;AAAA,MACT;AAAA,EACJ;AACF;","names":[]}

package/dist/chunk-NCO2JGKK.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/history/ledger/entry.ts","../src/history/ledger/hash.ts"],"sourcesContent":["/**\n * Ledger entry shape + canonical JSON + sha256 helpers.\n *\n * This file holds the PURE primitives used by the hash-chained ledger:\n * the entry type, the deterministic (sort-stable) JSON encoder, and\n * the sha256 hasher that produces `prevHash` and `ledger.head()`.\n *\n * Everything here is validator-free and side-effect free — the only\n * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,\n * which we already use for every other hashing operation in the core.\n *\n * The hash chain property works like this:\n *\n *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))\n *   entry[i+1].prevHash  = hash(entry[i])\n *\n * Any modification to `entry[i]` (field values, field order, whitespace)\n * produces a different `hash(entry[i])`, which means `entry[i+1]`'s\n * stored `prevHash` no longer matches the recomputed hash, which means\n * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is\n * append-only and tamper-evident without external anchoring.\n */\n\n/**\n * A single ledger entry in its plaintext form — what gets serialized,\n * hashed, and then encrypted with the ledger DEK before being written\n * to the `_ledger/` adapter collection.\n *\n * ## Why hash the ciphertext, not the plaintext?\n *\n * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,\n * not its plaintext. This matters:\n *\n *   1. **Zero-knowledge preserved.** A user (or a third party) can\n *      verify the ledger against the stored envelopes without any\n *      decryption keys. The adapter layer already holds only\n *      ciphertext, so hashing the ciphertext keeps the ledger at the\n *      same privacy level as the adapter.\n *\n *   2. **Determinism.** Plaintext → ciphertext is randomized by the\n *      fresh per-write IV, so `hash(plaintext)` would need extra\n *      normalization. `hash(ciphertext)` is already deterministic and\n *      unique per write.\n *\n *   3. **Detection property.** If an attacker modifies even one byte of\n *      the stored ciphertext (trying to flip a record), the hash\n *      changes, the ledger's recorded `payloadHash` no longer matches,\n *      and a data-integrity check fails. We don't do that check in\n *      `verify()` today, but the\n *      hook is there for a future `verifyIntegrity()` follow-up.\n *\n * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are\n * plaintext METADATA about the operation — NOT the record itself. The\n * entry is still encrypted at rest via the ledger DEK, but adapters\n * could theoretically infer operation patterns from the sizes and\n * timestamps. This is an accepted trade-off for the tamper-evidence\n * property; full ORAM-level privacy is out of scope for noy-db.\n */\nexport interface LedgerEntry {\n  /**\n   * Zero-based sequential position of this entry in the chain. The\n   * canonical adapter key is this number zero-padded to 10 digits\n   * (`\"0000000001\"`) so lexicographic ordering matches numeric order.\n   */\n  readonly index: number\n\n  /**\n   * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.\n   * The genesis entry (index 0) has `prevHash === ''` — the first\n   * entry in a fresh vault has nothing to point back to.\n   */\n  readonly prevHash: string\n\n  /**\n   * Which kind of mutation this entry records. only supports\n   * data operations (`put`, `delete`, `amendment`). Access-control\n   * operations (`grant`, `revoke`, `rotate`) will be added in a\n   * follow-up once the keyring write path is instrumented — that's\n   * tracked in the epic issue.\n   *\n   * `'amendment'` is the multi-record audit entry written by the\n   * guards subsystem when an admin/owner uses `withTransactions(...)`\n   * to repair a constraint-violating state. See `amendment` field\n   * below for the structured payload.\n   *\n   * `'lifecycle'` records a non-data audit event (e.g. partition\n   * handover, #226) — `collection`/`id` are empty and the event detail\n   * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like\n   * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`\n   * skips it in the data cross-check (it still participates in the\n   * tamper-evident chain).\n   */\n  readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration'\n\n  /** The collection the mutation targeted. */\n  readonly collection: string\n\n  /** The record id the mutation targeted. */\n  readonly id: string\n\n  /**\n   * The record version AFTER this mutation. For `put` this is the\n   * newly assigned version; for `delete` this is the version that\n   * was deleted (the last version visible to reads).\n   */\n  readonly version: number\n\n  /** ISO timestamp of the mutation. */\n  readonly ts: string\n\n  /** User id of the actor who performed the mutation. */\n  readonly actor: string\n\n  /**\n   * Hex-encoded sha256 of the encrypted envelope's `_data` field.\n   * For `put`, this is the hash of the new ciphertext. For `delete`,\n   * it's the hash of the last visible ciphertext at deletion time,\n   * or the empty string if nothing was there to delete. Hashing the\n   * ciphertext (not the plaintext) preserves zero-knowledge — see\n   * the file docstring.\n   */\n  readonly payloadHash: string\n\n  /**\n   * Optional human-readable tag describing why this mutation happened\n   * (#1). Threaded through `collection.put(_, _, { reason })`. Common\n   * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from\n   * `as-*` ImportPlan.apply(), but consumers can use any string for\n   * domain-specific audit filtering. Auto-strip via `canonicalJson` —\n   * absent on the wire, never serialized as `null`.\n   *\n   * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.\n   */\n  readonly reason?: string\n\n  /**\n   * Optional hex-encoded sha256 of the encrypted JSON Patch delta\n   * blob stored alongside this entry in `_ledger_deltas/`. Present\n   * only for `put` operations that had a previous version — the\n   * genesis put of a new record, and every `delete`, leave this\n   * field undefined.\n   *\n   * The delta payload itself lives in a sibling internal collection\n   * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the\n   * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and\n   * deserialize it when reconstructing a historical version.\n   *\n   * Why optional instead of always-present: the first put of a\n   * record has no previous version to diff against, so storing an\n   * empty patch would be noise. For deletes there's no \"next\" state\n   * to describe with a delta. Both cases set this field to undefined.\n   *\n   * Note: the canonical-JSON hasher treats `undefined` as invalid\n   * (it's one of the guard rails), so on the wire this field is\n   * either `{ deltaHash: '<hex>' }` or absent from the JSON\n   * entirely — never `{ deltaHash: undefined }`.\n   */\n  readonly deltaHash?: string\n\n  /**\n   * Present only when `op === 'amendment'`. Records the human reason,\n   * the role of the actor, the (collection, id, vBefore, vAfter) tuple\n   * for every record touched, and which guard invariants passed.\n   *\n   * See docs/superpowers/specs/2026-05-18-guards-design.md.\n   */\n  readonly amendment?: {\n    readonly reason: string\n    readonly role: 'admin' | 'owner'\n    readonly changes: ReadonlyArray<{\n      readonly collection: string\n      readonly id: string\n      readonly vBefore: number\n      readonly vAfter: number\n    }>\n    readonly invariantsPassed: ReadonlyArray<string>\n  }\n}\n\n/**\n * Canonical (sort-stable) JSON encoder.\n *\n * This function is the load-bearing primitive of the hash chain:\n * `sha256(canonicalJSON(entry))` must produce the same hex string\n * every time, on every machine, for the same logical entry — otherwise\n * `verify()` would return `{ ok: false }` on cross-platform reads.\n *\n * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:\n * it preserves the insertion order of object keys, which means\n * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by\n * recursively walking objects and sorting their keys before\n * concatenation.\n *\n * Arrays keep their original order (reordering them would change\n * semantics). Numbers, strings, booleans, and `null` use the default\n * JSON encoding. `undefined` and functions are rejected — ledger\n * entries are plain data, and silently dropping `undefined` would\n * break the \"same input → same hash\" property if a caller forgot to\n * omit a field.\n *\n * Performance: one pass per nesting level; O(n log n) for key sorting\n * at each object. Entries are small (< 1 KB) so this is negligible\n * compared to the sha256 call.\n */\nexport function canonicalJson(value: unknown): string {\n  if (value === null) return 'null'\n  if (typeof value === 'boolean') return value ? 'true' : 'false'\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value)) {\n      throw new Error(\n        `canonicalJson: refusing to encode non-finite number ${String(value)}`,\n      )\n    }\n    return JSON.stringify(value)\n  }\n  if (typeof value === 'string') return JSON.stringify(value)\n  if (typeof value === 'bigint') {\n    throw new Error('canonicalJson: BigInt is not JSON-serializable')\n  }\n  if (typeof value === 'undefined' || typeof value === 'function') {\n    throw new Error(\n      `canonicalJson: refusing to encode ${typeof value} — include all fields explicitly`,\n    )\n  }\n  if (Array.isArray(value)) {\n    return '[' + value.map((v) => canonicalJson(v)).join(',') + ']'\n  }\n  if (typeof value === 'object') {\n    const obj = value as Record<string, unknown>\n    const keys = Object.keys(obj).sort()\n    const parts: string[] = []\n    for (const key of keys) {\n      parts.push(JSON.stringify(key) + ':' + canonicalJson(obj[key]))\n    }\n    return '{' + parts.join(',') + '}'\n  }\n  throw new Error(`canonicalJson: unexpected value type: ${typeof value}`)\n}\n\n/**\n * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.\n *\n * We use hex (not base64) for hashes because hex is case-insensitive,\n * fixed-length (64 chars), and easier to compare visually in debug\n * output. Base64 would save a few bytes in storage but every encrypted\n * ledger entry is already much larger than the hash itself.\n */\nexport async function sha256Hex(input: string): Promise<string> {\n  const bytes = new TextEncoder().encode(input)\n  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes)\n  return bytesToHex(new Uint8Array(digest))\n}\n\n/**\n * Compute the canonical hash of a ledger entry. Short wrapper around\n * `canonicalJson` + `sha256Hex`; callers use this instead of composing\n * the two functions every time, so any future change to the hashing\n * pipeline (e.g., adding a domain-separation prefix) lives in one place.\n */\nexport async function hashEntry(entry: LedgerEntry): Promise<string> {\n  return sha256Hex(canonicalJson(entry))\n}\n\n/** Convert a Uint8Array to a lowercase hex string. */\nfunction bytesToHex(bytes: Uint8Array): string {\n  const hex = new Array<string>(bytes.length)\n  for (let i = 0; i < bytes.length; i++) {\n    // Non-null assertion: indexing a Uint8Array within bounds always\n    // returns a number, but the compiler's noUncheckedIndexedAccess\n    // flag widens it to `number | undefined`. Safe here by construction.\n    hex[i] = (bytes[i] ?? 0).toString(16).padStart(2, '0')\n  }\n  return hex.join('')\n}\n\n/**\n * Pad an index to the canonical 10-digit form used as the adapter key.\n * Ten digits is enough for ~10 billion ledger entries per vault\n * — far beyond any realistic use case, but cheap enough that the extra\n * digits don't hurt storage.\n */\nexport function paddedIndex(index: number): string {\n  return String(index).padStart(10, '0')\n}\n\n/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */\nexport function parseIndex(key: string): number {\n  return Number.parseInt(key, 10)\n}\n","/**\n * Envelope payload hash — pinned in its own leaf module so consumers\n * (DictionaryHandle, the active history strategy) can import it\n * without dragging in the `LedgerStore` class.\n *\n * see `constants.ts` for the broader rationale.\n *\n * @internal\n */\n\nimport type { EncryptedEnvelope } from '../../types.js'\nimport { sha256Hex } from './entry.js'\n\n/**\n * Compute the `payloadHash` value for an encrypted envelope. Used by\n * `LedgerStore.append` for both put (hash the new envelope) and\n * delete (hash the previous envelope) paths, and by\n * `DictionaryHandle` so its ledger entries match the same contract.\n *\n * Returns the empty string when there is no envelope (delete of a\n * never-existed record). The empty string tolerated by the ledger\n * entry's `payloadHash` field as the canonical \"nothing here\" value.\n */\nexport async function envelopePayloadHash(\n  envelope: EncryptedEnvelope | null,\n): Promise<string> {\n  if (!envelope) return ''\n  // `_data` is a base64 string for encrypted envelopes and the raw\n  // JSON for plaintext ones. Both are strings, so a single sha256Hex\n  // call works for both modes — the hash value differs between\n  // encrypted/plaintext compartments because the bytes on disk\n  // differ.\n  return sha256Hex(envelope._data)\n}\n"],"mappings":";AA4MO,SAAS,cAAc,OAAwB;AACpD,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,uDAAuD,OAAO,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AACA,MAAI,OAAO,UAAU,eAAe,OAAO,UAAU,YAAY;AAC/D,UAAM,IAAI;AAAA,MACR,qCAAqC,OAAO,KAAK;AAAA,IACnD;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,MAAM,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI;AAAA,EAC9D;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,MAAM;AACZ,UAAM,OAAO,OAAO,KAAK,GAAG,EAAE,KAAK;AACnC,UAAM,QAAkB,CAAC;AACzB,eAAW,OAAO,MAAM;AACtB,YAAM,KAAK,KAAK,UAAU,GAAG,IAAI,MAAM,cAAc,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE;AACA,WAAO,MAAM,MAAM,KAAK,GAAG,IAAI;AAAA,EACjC;AACA,QAAM,IAAI,MAAM,yCAAyC,OAAO,KAAK,EAAE;AACzE;AAUA,eAAsB,UAAU,OAAgC;AAC9D,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,QAAM,SAAS,MAAM,WAAW,OAAO,OAAO,OAAO,WAAW,KAAK;AACrE,SAAO,WAAW,IAAI,WAAW,MAAM,CAAC;AAC1C;AAQA,eAAsB,UAAU,OAAqC;AACnE,SAAO,UAAU,cAAc,KAAK,CAAC;AACvC;AAGA,SAAS,WAAW,OAA2B;AAC7C,QAAM,MAAM,IAAI,MAAc,MAAM,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AAIrC,QAAI,CAAC,KAAK,MAAM,CAAC,KAAK,GAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EACvD;AACA,SAAO,IAAI,KAAK,EAAE;AACpB;AAQO,SAAS,YAAY,OAAuB;AACjD,SAAO,OAAO,KAAK,EAAE,SAAS,IAAI,GAAG;AACvC;AAGO,SAAS,WAAW,KAAqB;AAC9C,SAAO,OAAO,SAAS,KAAK,EAAE;AAChC;;;ACzQA,eAAsB,oBACpB,UACiB;AACjB,MAAI,CAAC,SAAU,QAAO;AAMtB,SAAO,UAAU,SAAS,KAAK;AACjC;","names":[]}

package/dist/chunk-NGSPBLLE.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/overlay-views/virtual-collection.ts"],"sourcesContent":["import { OverlayIdMismatchError } from '../errors.js'\nimport type { Collection } from '../collection.js'\nimport type { OverlayedViewStrategy } from './types.js'\n\n/**\n * Virtual-collection proxy returned by `vault.collection(overlayName)`\n * when `overlayName` is a registered `withOverlayedView` (#154).\n *\n * Implements the core `Collection<T>`-shaped read/write surface with\n * merge-on-read semantics:\n *   - `get(id)`: overlay row wins iff `overlay[shadowField] === shadowValue`\n *   - `list()` / `.query()`: union of ids, per-id merge applied\n *   - `put(record)` / `put(id, record)`: routes to overlay; id derived\n *     via the base MV's `rowKey` (validated on the two-arg form)\n *   - `delete(id)`: removes the overlay row only; base stays\n *\n * Reactive APIs (`live`, `subscribe`, `query().live()`) are out of\n * scope for #154 and surface as \"not yet implemented\" — wired in a\n * future sub-issue.\n */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport class OverlayedCollection<T extends Record<string, unknown> = any> {\n  constructor(\n    private readonly spec: OverlayedViewStrategy,\n    private readonly baseCollection: Collection<T>,\n    private readonly overlayCollection: Collection<T>,\n    private readonly baseRowKey: ((row: Record<string, unknown>) => string) | undefined,\n  ) {}\n\n  /**\n   * Convenience accessors for advanced callers that need to bypass the\n   * virtual layer (bulk imports, direct overlay queries). Mirrors the\n   * spec's \"direct writes to the underlying overlay collection skip\n   * the validation\" escape hatch.\n   */\n  readonly overlay = {\n    rowKey: (row: Record<string, unknown>): string => {\n      if (!this.baseRowKey) {\n        throw new Error(\n          `Overlay \"${this.spec.name}\": base \"${this.spec.base}\" is not an MV — ` +\n            `cannot auto-derive id from the row. Use \\`put(id, record)\\` instead.`,\n        )\n      }\n      return this.baseRowKey(row)\n    },\n  }\n\n  /** Get the merged row by id. */\n  async get(id: string): Promise<T | null> {\n    const overlayRow = await this.overlayCollection.get(id)\n    if (overlayRow !== null && this.shadowPredicateApplies(overlayRow)) {\n      return overlayRow\n    }\n    const baseRow = await this.baseCollection.get(id)\n    if (baseRow !== null) return baseRow\n    // No base row — but if an overlay row exists with the shadow\n    // predicate true, we returned it above. If overlay exists but\n    // predicate is false, return null (overlay exists but doesn't\n    // qualify, and there's no base to fall back to) — per spec\n    // operations table row \"overlay exists, predicate false, no base\".\n    return null\n  }\n\n  /** List union of base + overlay ids, applying the merge per row. */\n  async list(): Promise<T[]> {\n    const baseRows = await this.baseCollection.list()\n    const overlayRows = await this.overlayCollection.list()\n    // Build id → merged row, base-first then overlay applies shadow rule.\n    const merged = new Map<string, T>()\n    const idOf = (row: T): string => {\n      // Best-effort: use baseRowKey if available, else assume the row\n      // has a `.id` field (common pattern). The spec requires every\n      // base MV to declare `rowKey`, so the first branch is the\n      // canonical path.\n      if (this.baseRowKey) return this.baseRowKey(row as Record<string, unknown>)\n      const idField = (row as Record<string, unknown>).id\n      return typeof idField === 'string' ? idField : ''\n    }\n    for (const row of baseRows) {\n      const id = idOf(row)\n      if (id) merged.set(id, row)\n    }\n    for (const row of overlayRows) {\n      const id = idOf(row)\n      if (!id) continue\n      if (this.shadowPredicateApplies(row)) {\n        merged.set(id, row) // overlay shadow wins\n      } else if (!merged.has(id)) {\n        // Overlay-only + predicate false + no base → don't surface\n        // (matches spec operations table)\n        continue\n      }\n      // else: overlay exists but predicate is false and base is\n      // present → keep the base row already in `merged`\n    }\n    return [...merged.values()]\n  }\n\n  /**\n   * Write to the overlay. Two forms:\n   * - `put(record)`: id is derived via the base MV's `rowKey(record)`.\n   *   Throws if the base isn't an MV.\n   * - `put(id, record)`: validates `id === rowKey(record)`; throws\n   *   `OverlayIdMismatchError` on mismatch.\n   */\n  async put(idOrRecord: string | T, maybeRecord?: T): Promise<void> {\n    let id: string\n    let record: T\n    if (maybeRecord === undefined) {\n      // Single-arg form: put(record). Derive id via base rowKey.\n      record = idOrRecord as T\n      if (!this.baseRowKey) {\n        throw new Error(\n          `Overlay \"${this.spec.name}\".put(record): base \"${this.spec.base}\" is not an MV. ` +\n            `Use put(id, record) explicitly.`,\n        )\n      }\n      id = this.baseRowKey(record as Record<string, unknown>)\n    } else {\n      // Two-arg form: put(id, record). Validate against rowKey.\n      id = idOrRecord as string\n      record = maybeRecord\n      if (this.baseRowKey) {\n        const expected = this.baseRowKey(record as Record<string, unknown>)\n        if (id !== expected) {\n          throw new OverlayIdMismatchError(id, expected)\n        }\n      }\n    }\n    await this.overlayCollection.put(id, record)\n  }\n\n  /**\n   * Remove the overlay row only. Idempotent (no-op on absent).\n   * The base row is untouched — if a base row exists for `id`,\n   * subsequent reads return it.\n   */\n  async delete(id: string): Promise<void> {\n    await this.overlayCollection.delete(id)\n  }\n\n  /** True when `overlay[shadowField] === shadowValue`. */\n  private shadowPredicateApplies(row: T): boolean {\n    return (row as Record<string, unknown>)[this.spec.shadowField] === this.spec.shadowValue\n  }\n\n  // ─── Throw-stubs for the unimplemented Collection<T> surface ───────\n  //\n  // `Vault.collection(name)` widens the return type to `Collection<T>`\n  // for the overlay intercept, but `OverlayedCollection` doesn't\n  // implement the full surface. These stubs catch the common\n  // reactive / chainable APIs with a clear \"not yet implemented\"\n  // error pointing at the relevant issue — so consumers don't hit a\n  // cryptic `undefined is not a function` runtime crash.\n  //\n  // Closes niwat-review of PR #160.\n\n  /** @throws — chainable Query<T> over a virtual collection is deferred. */\n  query(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".query() is not yet implemented for overlay views (#154). ` +\n        `Use \\`list()\\` + filter for now, or read from the underlying \\`${this.spec.base}\\` / \\`${this.spec.overlay}\\` collections directly. ` +\n        `Reactive APIs land in a future MV sub-issue.`,\n    )\n  }\n\n  /** @throws — change-stream subscription over a virtual collection is deferred. */\n  subscribe(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".subscribe() is not yet implemented for overlay views (#154). ` +\n        `Subscribe to the underlying \\`${this.spec.base}\\` / \\`${this.spec.overlay}\\` collections individually for now. ` +\n        `Merged change-stream lands in a future MV sub-issue.`,\n    )\n  }\n\n  /** @throws — live query over a virtual collection is deferred. */\n  live(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".live() is not yet implemented for overlay views (#154). ` +\n        `Reactive APIs land in a future MV sub-issue.`,\n    )\n  }\n\n  /** @throws — async iteration over a virtual collection is deferred. */\n  scan(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".scan() is not yet implemented for overlay views (#154). ` +\n        `Use \\`list()\\` for now (no row-count ceiling at niwat scale), or scan the underlying collections directly.`,\n    )\n  }\n\n  /** @throws — lazy-mode query is not applicable to virtual collections. */\n  lazyQuery(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".lazyQuery() is not supported. ` +\n        `Virtual collections always materialize through base + overlay reads — lazy-mode indexed lookups don't apply.`,\n    )\n  }\n\n  /** @throws — bulk-atomic put is deferred to a future MV sub-issue. */\n  putManyAtomic(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".putManyAtomic() is not yet implemented for overlay views (#154). ` +\n        `Use sequential \\`.put(record)\\` calls for now, or write to \\`${this.spec.overlay}\\` directly.`,\n    )\n  }\n\n  /** @throws — bulk delete is deferred to a future MV sub-issue. */\n  deleteMany(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".deleteMany() is not yet implemented for overlay views (#154). ` +\n        `Use sequential \\`.delete(id)\\` calls for now, or operate on \\`${this.spec.overlay}\\` directly.`,\n    )\n  }\n\n  /** @throws — `.first()` over a virtual collection is deferred. */\n  first(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".first() is not yet implemented for overlay views (#154). ` +\n        `Use \\`(await list())[0]\\` for now.`,\n    )\n  }\n\n  /** @throws — `.count()` over a virtual collection is deferred. */\n  count(): never {\n    throw new Error(\n      `OverlayedCollection \"${this.spec.name}\".count() is not yet implemented for overlay views (#154). ` +\n        `Use \\`(await list()).length\\` for now.`,\n    )\n  }\n}\n"],"mappings":";;;;;AAqBO,IAAM,sBAAN,MAAmE;AAAA,EACxE,YACmB,MACA,gBACA,mBACA,YACjB;AAJiB;AACA;AACA;AACA;AAAA,EAChB;AAAA,EAJgB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASV,UAAU;AAAA,IACjB,QAAQ,CAAC,QAAyC;AAChD,UAAI,CAAC,KAAK,YAAY;AACpB,cAAM,IAAI;AAAA,UACR,YAAY,KAAK,KAAK,IAAI,YAAY,KAAK,KAAK,IAAI;AAAA,QAEtD;AAAA,MACF;AACA,aAAO,KAAK,WAAW,GAAG;AAAA,IAC5B;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,IAAI,IAA+B;AACvC,UAAM,aAAa,MAAM,KAAK,kBAAkB,IAAI,EAAE;AACtD,QAAI,eAAe,QAAQ,KAAK,uBAAuB,UAAU,GAAG;AAClE,aAAO;AAAA,IACT;AACA,UAAM,UAAU,MAAM,KAAK,eAAe,IAAI,EAAE;AAChD,QAAI,YAAY,KAAM,QAAO;AAM7B,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,OAAqB;AACzB,UAAM,WAAW,MAAM,KAAK,eAAe,KAAK;AAChD,UAAM,cAAc,MAAM,KAAK,kBAAkB,KAAK;AAEtD,UAAM,SAAS,oBAAI,IAAe;AAClC,UAAM,OAAO,CAAC,QAAmB;AAK/B,UAAI,KAAK,WAAY,QAAO,KAAK,WAAW,GAA8B;AAC1E,YAAM,UAAW,IAAgC;AACjD,aAAO,OAAO,YAAY,WAAW,UAAU;AAAA,IACjD;AACA,eAAW,OAAO,UAAU;AAC1B,YAAM,KAAK,KAAK,GAAG;AACnB,UAAI,GAAI,QAAO,IAAI,IAAI,GAAG;AAAA,IAC5B;AACA,eAAW,OAAO,aAAa;AAC7B,YAAM,KAAK,KAAK,GAAG;AACnB,UAAI,CAAC,GAAI;AACT,UAAI,KAAK,uBAAuB,GAAG,GAAG;AACpC,eAAO,IAAI,IAAI,GAAG;AAAA,MACpB,WAAW,CAAC,OAAO,IAAI,EAAE,GAAG;AAG1B;AAAA,MACF;AAAA,IAGF;AACA,WAAO,CAAC,GAAG,OAAO,OAAO,CAAC;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,IAAI,YAAwB,aAAgC;AAChE,QAAI;AACJ,QAAI;AACJ,QAAI,gBAAgB,QAAW;AAE7B,eAAS;AACT,UAAI,CAAC,KAAK,YAAY;AACpB,cAAM,IAAI;AAAA,UACR,YAAY,KAAK,KAAK,IAAI,wBAAwB,KAAK,KAAK,IAAI;AAAA,QAElE;AAAA,MACF;AACA,WAAK,KAAK,WAAW,MAAiC;AAAA,IACxD,OAAO;AAEL,WAAK;AACL,eAAS;AACT,UAAI,KAAK,YAAY;AACnB,cAAM,WAAW,KAAK,WAAW,MAAiC;AAClE,YAAI,OAAO,UAAU;AACnB,gBAAM,IAAI,uBAAuB,IAAI,QAAQ;AAAA,QAC/C;AAAA,MACF;AAAA,IACF;AACA,UAAM,KAAK,kBAAkB,IAAI,IAAI,MAAM;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,IAA2B;AACtC,UAAM,KAAK,kBAAkB,OAAO,EAAE;AAAA,EACxC;AAAA;AAAA,EAGQ,uBAAuB,KAAiB;AAC9C,WAAQ,IAAgC,KAAK,KAAK,WAAW,MAAM,KAAK,KAAK;AAAA,EAC/E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,QAAe;AACb,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI,6HAC8B,KAAK,KAAK,IAAI,UAAU,KAAK,KAAK,OAAO;AAAA,IAE/G;AAAA,EACF;AAAA;AAAA,EAGA,YAAmB;AACjB,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI,gGACH,KAAK,KAAK,IAAI,UAAU,KAAK,KAAK,OAAO;AAAA,IAE9E;AAAA,EACF;AAAA;AAAA,EAGA,OAAc;AACZ,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI;AAAA,IAExC;AAAA,EACF;AAAA;AAAA,EAGA,OAAc;AACZ,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI;AAAA,IAExC;AAAA,EACF;AAAA;AAAA,EAGA,YAAmB;AACjB,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI;AAAA,IAExC;AAAA,EACF;AAAA;AAAA,EAGA,gBAAuB;AACrB,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI,mIAC4B,KAAK,KAAK,OAAO;AAAA,IACrF;AAAA,EACF;AAAA;AAAA,EAGA,aAAoB;AAClB,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI,iIAC6B,KAAK,KAAK,OAAO;AAAA,IACtF;AAAA,EACF;AAAA;AAAA,EAGA,QAAe;AACb,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI;AAAA,IAExC;AAAA,EACF;AAAA;AAAA,EAGA,QAAe;AACb,UAAM,IAAI;AAAA,MACR,wBAAwB,KAAK,KAAK,IAAI;AAAA,IAExC;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-P6256WTJ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/bundle/format.ts","../src/bundle/bundle.ts"],"sourcesContent":["/**\n * `.noydb` container format — byte layout, header schema, validators.\n *\n *. Wraps a `vault.dump()` JSON string in a thin\n * binary container with a magic-byte prefix, a minimum-disclosure\n * unencrypted header, and a compressed body.\n *\n * **Byte layout** (read in order from offset 0):\n *\n * ```\n * +--------+--------+--------+--------+\n * |  N=78  |  D=68  |  B=66  |  1=49  |  Magic 'NDB1' (4 bytes)\n * +--------+--------+--------+--------+\n * | flags  | compr  |  header_length (uint32 BE)            |\n * +--------+--------+--------+--------+--------+--------+--------+\n * | header_length bytes of UTF-8 JSON header                       ...\n * +--------+--------+\n * | compressed body bytes                                            ...\n * ```\n *\n * Total fixed prefix before the header JSON is **10 bytes**:\n *   - 4 bytes magic\n *   - 1 byte flags\n *   - 1 byte compression algorithm\n *   - 4 bytes header length (uint32 big-endian)\n *\n * **Why a binary container** at all? `vault.dump()` already\n * produces a JSON string with encrypted records inside. Wrapping it\n * again seems redundant — but the wrap is what makes the file safe\n * to drop into cloud storage (Drive, Dropbox, iCloud) without\n * leaking the vault name and exporter identity through the\n * cloud's metadata API. The minimum-disclosure header is the only\n * thing visible without downloading and decompressing the body.\n * The dump JSON inside the body still contains the original\n * metadata, but that's only readable by someone who already has the\n * file bytes — the same person who could read the encrypted records\n * with the right passphrase.\n *\n * **Why minimum disclosure** in the header? Because consumers will\n * inevitably store these in services where the filename, file size,\n * and any unencrypted metadata are indexed for search. A field like\n * `vault: \"Acme Corp\"` would let an attacker (or a curious\n * cloud admin) enumerate which compartments exist and who exported\n * them, even with zero access to the encrypted body. The header\n * carries only what's needed to identify the file as a NOYDB\n * bundle and verify its integrity — nothing about the contents.\n */\n\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\n\n/** Magic bytes 'NDB1' (ASCII), identifying a NOYDB bundle. */\nexport const NOYDB_BUNDLE_MAGIC = new Uint8Array([0x4e, 0x44, 0x42, 0x31])\n\n/** Total fixed prefix before the header JSON: 4+1+1+4 bytes. */\nexport const NOYDB_BUNDLE_PREFIX_BYTES = 10\n\n/** Current bundle format version. Bumped on layout changes. */\nexport const NOYDB_BUNDLE_FORMAT_VERSION = 1\n\n/**\n * Bitfield interpretation of the flags byte.\n *\n * Bit 0 — body is compressed (0 = raw, 1 = compressed)\n * Bit 1 — header carries an integrity hash over the body bytes\n * Bits 2-7 — reserved, must be 0 in\n */\nexport const FLAG_COMPRESSED = 0b0000_0001\nexport const FLAG_HAS_INTEGRITY_HASH = 0b0000_0010\n\n/**\n * Compression algorithm encoding for the byte at offset 5.\n *\n * `none` is admitted for round-trip testing and for callers that\n * want to bundle without compression (e.g. when piping into a\n * separately compressed transport). `gzip` is the universally\n * available baseline (Node 18+, all modern browsers). `brotli` is\n * preferred when the runtime supports it — typically 30-50% smaller\n * for JSON payloads — but Node 22+ / Chrome 124+ / Firefox 122+\n * are required, so the writer feature-detects at runtime and falls\n * back to gzip. The reader must handle all three.\n */\nexport const COMPRESSION_NONE = 0\nexport const COMPRESSION_GZIP = 1\nexport const COMPRESSION_BROTLI = 2\n\nexport type CompressionAlgo = 0 | 1 | 2\n\n/**\n * The unencrypted header carried in every `.noydb` bundle.\n *\n * **Minimum-disclosure rules:** these are the ONLY allowed keys.\n * Any other key in a parsed header causes\n * `validateBundleHeader` to throw. The set is kept short to\n * minimize attack surface from cloud-storage metadata indexing —\n * see the file-level doc comment for the rationale.\n *\n * Forbidden in particular:\n *   - `vault` / `_compartment` — would leak the tenant name\n *   - `exporter` / `_exported_by` — would leak user identity\n *   - `timestamp` / `_exported_at` — would leak activity timing\n *   - `kdfParams` / salt fields — would leak crypto config that\n *     could narrow brute-force search space\n *   - any field starting with `_` (reserved by the dump format)\n */\nexport interface NoydbBundleHeader {\n  /** Bundle format version — bumped on layout changes. */\n  readonly formatVersion: number\n  /**\n   * Opaque ULID identifier — generated once per vault and\n   * stable across re-exports of the same vault. Does not\n   * leak any information about contents (the timestamp prefix is\n   * just monotonicity for sortability, not exporter activity —\n   * see `bundle/ulid.ts` for the design notes).\n   */\n  readonly handle: string\n  /** Compressed body length in bytes. Lets readers verify completeness without decompressing. */\n  readonly bodyBytes: number\n  /** SHA-256 of the compressed body bytes (lowercase hex). Lets readers verify integrity without decompressing. */\n  readonly bodySha256: string\n  /**\n   * Owner-curated public envelope (`docs/subsystems/public-envelope.md`).\n   * Optional — present only when the source vault has a\n   * `_meta/public-envelope` document AND the writer's hub is opted\n   * into the feature. Treat as **untrusted hint**; the body's\n   * encrypted contents remain the source of truth.\n   *\n   * The envelope deliberately widens the minimum-disclosure rule\n   * for explicit, owner-curated label fields (name, icon, …). Every\n   * other unknown header key still rejects at parse time.\n   */\n  readonly publicEnvelope?: PublicEnvelope\n  /**\n   * Auto-unlock material indicator (#197). When present, the bundle\n   * body wraps the dump JSON in a structure carrying per-user\n   * passphrases — either plaintext (`'unsealed'`, public-by-design)\n   * or sealed under a `SealingKeyProvider` (`'sealed'`, requires\n   * matching provider on the recipient side).\n   *\n   * Visible pre-decompression so cloud listing UIs can warn before\n   * download: \"this bundle opens itself for anyone holding the file\"\n   * (unsealed) or \"this bundle is sealed for a specific provider\"\n   * (sealed).\n   *\n   * Absent → the body is a raw `vault.dump()` JSON string (the\n   * pre-#197 shape; back-compatible).\n   */\n  readonly autoUnlock?: 'unsealed' | 'sealed'\n  /**\n   * Bundle's role in the source → destination lifecycle (#203).\n   *   - omitted / 'snapshot' (default): backup/copy of an existing vault.\n   *   - 'extracted-partition': re-keyed projection awaiting adoption.\n   */\n  readonly bundleKind?: 'snapshot' | 'extracted-partition'\n  /**\n   * Transfer-seal INDICATOR (#206) — metadata only, no payload (the\n   * sealed DEKs live in the body). Present iff\n   * bundleKind === 'extracted-partition'.\n   */\n  readonly transferSeal?: {\n    readonly v: 1\n    readonly alg: 'aes-256-gcm-pre-shared'\n    readonly sealId: string\n  }\n}\n\n/**\n * Allowlist of header keys. Any key not in this set is forbidden\n * and causes `validateBundleHeader` to throw. Kept as a Set for\n * O(1) lookup; the validator iterates over the parsed header and\n * checks each key against this set.\n */\nconst ALLOWED_HEADER_KEYS: ReadonlySet<string> = new Set([\n  'formatVersion',\n  'handle',\n  'bodyBytes',\n  'bodySha256',\n  'publicEnvelope',\n  'autoUnlock',\n  'bundleKind',\n  'transferSeal',\n])\n\n/**\n * Validate a parsed bundle header. Throws on any deviation from\n * the minimum-disclosure schema:\n *\n *   - Missing required field\n *   - Wrong type for any field\n *   - Any extra key not in `ALLOWED_HEADER_KEYS`\n *   - Unsupported `formatVersion`\n *   - Negative or non-integer `bodyBytes`\n *   - Malformed `handle` (must be 26-char Crockford base32)\n *   - Malformed `bodySha256` (must be 64-char lowercase hex)\n *\n * The error messages name the offending field so consumers can\n * fix the producer rather than the reader.\n */\nexport function validateBundleHeader(\n  parsed: unknown,\n): asserts parsed is NoydbBundleHeader {\n  if (parsed === null || typeof parsed !== 'object') {\n    throw new Error(\n      `.noydb bundle header must be a JSON object, got ${parsed === null ? 'null' : typeof parsed}`,\n    )\n  }\n  // Disallow any unknown key — minimum disclosure means we reject\n  // forward-compat extension keys at the format layer; new fields\n  // require a format version bump and a new validator.\n  for (const key of Object.keys(parsed)) {\n    if (!ALLOWED_HEADER_KEYS.has(key)) {\n      throw new Error(\n        `.noydb bundle header contains forbidden key \"${key}\". ` +\n          `Only minimum-disclosure fields are allowed: ` +\n          `${[...ALLOWED_HEADER_KEYS].join(', ')}.`,\n      )\n    }\n  }\n  const h = parsed as Record<string, unknown>\n  if (typeof h['formatVersion'] !== 'number' || h['formatVersion'] !== NOYDB_BUNDLE_FORMAT_VERSION) {\n    throw new Error(\n      `.noydb bundle header.formatVersion must be ${NOYDB_BUNDLE_FORMAT_VERSION}, ` +\n        `got ${String(h['formatVersion'])}. The reader does not support ` +\n        `forward-compat versions; upgrade the reader to handle newer bundles.`,\n    )\n  }\n  if (typeof h['handle'] !== 'string' || !/^[0-9A-HJKMNP-TV-Z]{26}$/.test(h['handle'])) {\n    throw new Error(\n      `.noydb bundle header.handle must be a 26-character Crockford base32 ULID, ` +\n        `got ${typeof h['handle'] === 'string' ? `\"${h['handle']}\"` : String(h['handle'])}.`,\n    )\n  }\n  if (typeof h['bodyBytes'] !== 'number' || !Number.isInteger(h['bodyBytes']) || h['bodyBytes'] < 0) {\n    throw new Error(\n      `.noydb bundle header.bodyBytes must be a non-negative integer, ` +\n        `got ${String(h['bodyBytes'])}.`,\n    )\n  }\n  if (typeof h['bodySha256'] !== 'string' || !/^[0-9a-f]{64}$/.test(h['bodySha256'])) {\n    throw new Error(\n      `.noydb bundle header.bodySha256 must be a 64-character lowercase hex string, ` +\n        `got ${typeof h['bodySha256'] === 'string' ? `\"${h['bodySha256']}\"` : String(h['bodySha256'])}.`,\n    )\n  }\n  if (h['publicEnvelope'] !== undefined) {\n    const env = h['publicEnvelope']\n    if (env === null || typeof env !== 'object' || Array.isArray(env)) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope must be a JSON object when present, got ${typeof env}.`,\n      )\n    }\n    const e = env as Record<string, unknown>\n    if (e['_noydb_public'] !== 1) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope._noydb_public must be 1, got ${String(e['_noydb_public'])}.`,\n      )\n    }\n    if (typeof e['version'] !== 'number' || !Number.isInteger(e['version']) || e['version'] < 1) {\n      throw new Error(\n        `.noydb bundle header.publicEnvelope.version must be a positive integer, got ${String(e['version'])}.`,\n      )\n    }\n  }\n  if (h['autoUnlock'] !== undefined) {\n    if (h['autoUnlock'] !== 'unsealed' && h['autoUnlock'] !== 'sealed') {\n      const got = typeof h['autoUnlock'] === 'string' ? `\"${h['autoUnlock']}\"` : typeof h['autoUnlock']\n      throw new Error(\n        `.noydb bundle header.autoUnlock must be 'unsealed' or 'sealed' when present, got ${got}.`,\n      )\n    }\n  }\n  if (h['bundleKind'] !== undefined) {\n    if (h['bundleKind'] !== 'snapshot' && h['bundleKind'] !== 'extracted-partition') {\n      const got = typeof h['bundleKind'] === 'string' ? `\"${h['bundleKind']}\"` : typeof h['bundleKind']\n      throw new Error(\n        `.noydb bundle header.bundleKind must be 'snapshot' or 'extracted-partition' when present, got ${got}.`,\n      )\n    }\n  }\n  if (h['transferSeal'] !== undefined) {\n    const ts = h['transferSeal']\n    if (ts === null || typeof ts !== 'object' || Array.isArray(ts)) {\n      throw new Error(`.noydb bundle header.transferSeal must be a JSON object when present, got ${typeof ts}.`)\n    }\n    const t = ts as Record<string, unknown>\n    if (t['v'] !== 1) {\n      throw new Error(`.noydb bundle header.transferSeal.v must be 1, got ${String(t['v'])}.`)\n    }\n    if (t['alg'] !== 'aes-256-gcm-pre-shared') {\n      throw new Error(`.noydb bundle header.transferSeal.alg must be 'aes-256-gcm-pre-shared', got ${String(t['alg'])}.`)\n    }\n    if (typeof t['sealId'] !== 'string' || t['sealId'].length === 0) {\n      throw new Error(`.noydb bundle header.transferSeal.sealId must be a non-empty string, got ${String(t['sealId'])}.`)\n    }\n  }\n  // Cross-field invariant: the seal indicator and the extracted-partition\n  // kind imply each other. An extracted partition is unlocked via its\n  // transfer seal; a seal without the kind is a malformed header.\n  const isExtracted = h['bundleKind'] === 'extracted-partition'\n  const hasSeal = h['transferSeal'] !== undefined\n  if (hasSeal && !isExtracted) {\n    throw new Error(\n      `.noydb bundle header.transferSeal requires bundleKind === 'extracted-partition'.`,\n    )\n  }\n  if (isExtracted && !hasSeal) {\n    throw new Error(\n      `.noydb bundle header with bundleKind === 'extracted-partition' must carry a transferSeal indicator.`,\n    )\n  }\n  // An extracted partition's unlock path IS the transfer seal. A parallel\n  // autoUnlock credential would create two unlock paths and weaken the\n  // one-time-seal guarantee (spec §12.3). Reject the combination.\n  if (isExtracted && h['autoUnlock'] !== undefined) {\n    throw new Error(\n      `.noydb bundle header cannot carry both autoUnlock and bundleKind === 'extracted-partition' — `\n      + `an extracted partition is unlocked via its transfer seal, not an auto-credential.`,\n    )\n  }\n}\n\n/**\n * Encode a header object to UTF-8 JSON bytes after validating\n * minimum disclosure. Used by the writer to serialize the header\n * region of the container.\n */\nexport function encodeBundleHeader(header: NoydbBundleHeader): Uint8Array {\n  validateBundleHeader(header)\n  // Stable key ordering — JSON.stringify with no replacer uses\n  // insertion order, which is fine here because we control the\n  // object construction. Stable ordering means two bundles with\n  // identical contents produce byte-identical headers.\n  const json = JSON.stringify({\n    formatVersion: header.formatVersion,\n    handle: header.handle,\n    bodyBytes: header.bodyBytes,\n    bodySha256: header.bodySha256,\n    ...(header.publicEnvelope !== undefined ? { publicEnvelope: header.publicEnvelope } : {}),\n    ...(header.autoUnlock !== undefined ? { autoUnlock: header.autoUnlock } : {}),\n    ...(header.bundleKind !== undefined ? { bundleKind: header.bundleKind } : {}),\n    ...(header.transferSeal !== undefined ? { transferSeal: header.transferSeal } : {}),\n  })\n  return new TextEncoder().encode(json)\n}\n\n/**\n * Parse a bundle header from its UTF-8 JSON bytes. Throws on\n * invalid JSON or any minimum-disclosure violation.\n */\nexport function decodeBundleHeader(bytes: Uint8Array): NoydbBundleHeader {\n  const json = new TextDecoder('utf-8', { fatal: true }).decode(bytes)\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(json)\n  } catch (err) {\n    throw new Error(\n      `.noydb bundle header is not valid JSON: ${(err as Error).message}`,\n    )\n  }\n  validateBundleHeader(parsed)\n  return parsed\n}\n\n/**\n * Read a uint32 from `bytes` at `offset` in big-endian byte order.\n * No bounds check — callers must guarantee `offset + 4 <= bytes.length`.\n * Used to decode the header length field; kept inline so the parser\n * doesn't depend on DataView allocation per call.\n */\nexport function readUint32BE(bytes: Uint8Array, offset: number): number {\n  return (\n    (bytes[offset]! << 24 >>> 0) +\n    (bytes[offset + 1]! << 16) +\n    (bytes[offset + 2]! << 8) +\n    bytes[offset + 3]!\n  )\n}\n\n/**\n * Write a uint32 to `bytes` at `offset` in big-endian byte order.\n * No bounds check — callers must guarantee `offset + 4 <= bytes.length`.\n */\nexport function writeUint32BE(bytes: Uint8Array, offset: number, value: number): void {\n  bytes[offset] = (value >>> 24) & 0xff\n  bytes[offset + 1] = (value >>> 16) & 0xff\n  bytes[offset + 2] = (value >>> 8) & 0xff\n  bytes[offset + 3] = value & 0xff\n}\n\n/**\n * Verify the magic prefix of a bundle. Returns true if the first\n * 4 bytes match `NDB1`. Used by readers as a fast file-type check\n * before any further parsing.\n */\nexport function hasNoydbBundleMagic(bytes: Uint8Array): boolean {\n  if (bytes.length < NOYDB_BUNDLE_MAGIC.length) return false\n  for (let i = 0; i < NOYDB_BUNDLE_MAGIC.length; i++) {\n    if (bytes[i] !== NOYDB_BUNDLE_MAGIC[i]) return false\n  }\n  return true\n}\n","/**\n * `.noydb` container primitives — write, read, header-only read.\n *\n *. Wraps a `vault.dump()` JSON string in the\n * binary container described in `format.ts`.\n *\n * **Three primitives:**\n *\n *   - `writeNoydbBundle(vault, opts?)` — produces the\n *     full container bytes ready to write to disk or upload\n *   - `readNoydbBundleHeader(bytes)` — parses just the header\n *     without decompressing the body, fast file-type and\n *     metadata read for cloud listing UIs\n *   - `readNoydbBundle(bytes)` — full read: validates magic,\n *     header, integrity hash, and decompresses the body to\n *     return the original `dump()` JSON string for use with\n *     `vault.load()`\n *\n * **Compression strategy:** brotli when available (Node 22+,\n * Chrome 124+, Firefox 122+), gzip fallback elsewhere. The\n * algorithm choice is encoded in the format byte at offset 5,\n * so readers handle either transparently. Brotli wins ~30-50%\n * on JSON payloads with repeated keys (which vault dumps\n * are).\n *\n * **Why split read/load?** `readNoydbBundle` returns the\n * *unwrapped JSON string*, not a Vault object. The caller\n * is responsible for piping that JSON into\n * `vault.load(json, passphrase)`. Splitting the layers\n * keeps the bundle module free of any crypto/passphrase\n * concerns — it's purely a format layer. The same `readNoydbBundle`\n * call can also feed verification tools, format inspectors, or\n * archive utilities that don't care about decryption.\n */\n\nimport {\n  COMPRESSION_BROTLI,\n  COMPRESSION_GZIP,\n  COMPRESSION_NONE,\n  FLAG_COMPRESSED,\n  FLAG_HAS_INTEGRITY_HASH,\n  NOYDB_BUNDLE_FORMAT_VERSION,\n  NOYDB_BUNDLE_MAGIC,\n  NOYDB_BUNDLE_PREFIX_BYTES,\n  decodeBundleHeader,\n  encodeBundleHeader,\n  hasNoydbBundleMagic,\n  readUint32BE,\n  writeUint32BE,\n  type CompressionAlgo,\n  type NoydbBundleHeader,\n} from './format.js'\nimport { BundleIntegrityError, BundleSealMismatchError, ValidationError } from '../errors.js'\nimport type { Vault } from '../vault.js'\nimport type { BundleRecipient } from '../team/keyring.js'\nimport { pickLocale } from '../meta/public-envelope/storage.js'\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\nimport type { SealingKeyProvider, RecipientSealer, RecipientHint } from '../team/managed-passphrase.js'\n\n// ─── #215 auto-credential types ───────────────────────────────────────────────\n\n/**\n * The credential kinds that can be bundled for auto-unlock.\n * WebAuthn is intentionally excluded — it is hardware-bound and\n * cannot be embedded as a portable credential.\n */\nexport type AutoCredentialKind = 'passphrase' | 'password' | 'pin'\n\n/**\n * A typed credential for auto-unlock. Carries the credential `kind`\n * alongside the plaintext `value`, so consumers can dispatch the\n * correct login/prefill path rather than treating all credentials\n * as passphrases.\n *\n * `bundle.ts` is a pure format layer — it carries the credential\n * without interpreting it. The consumer is responsible for\n * dispatching on `kind`.\n */\nexport interface AutoCredential {\n  readonly kind: AutoCredentialKind\n  readonly value: string\n}\n\n/**\n * Options accepted by `writeNoydbBundle`.\n *\n * - `compression: 'auto'` (default) — try brotli, fall back to gzip\n * - `compression: 'brotli'` — force brotli, throw if unsupported\n * - `compression: 'gzip'` — force gzip\n * - `compression: 'none'` — no compression (round-trip testing only)\n *\n * **Slice filtering** (added in ):\n * - `collections` — allowlist of collection names to include. Internal\n *   collections (keyrings, ledger) and excluded user collections are\n *   dropped from the bundle. Records inside included collections are\n *   carried through verbatim.\n * - `since` — only records whose envelope `_ts` is on/after the given\n *   instant survive. Operates on the unencrypted envelope timestamp,\n *   so plaintext access to records is not required.\n *\n * Both filters intersect (AND). When neither is provided the bundle is\n * a whole-vault snapshot, identical to today's behaviour.\n */\nexport interface WriteNoydbBundleOptions {\n  readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none'\n  /** Allowlist of user-collection names to include. */\n  readonly collections?: readonly string[]\n  /**\n   * Drop records whose envelope `_ts` is strictly older than this\n   * instant. Accepts a `Date` or any ISO-8601 string parseable by\n   * `new Date()`.\n   */\n  readonly since?: Date | string\n  /**\n   * Plaintext-pipeline record predicate. Decrypts each record\n   * with the vault's per-collection DEK, runs the predicate, and\n   * keeps the original ciphertext for survivors (no re-encrypt —\n   * preserves zero-knowledge cleanly). Records the predicate returns\n   * `false` for are dropped from the bundle.\n   *\n   * Async predicates are supported. Mutating the record from inside\n   * the predicate is undefined behaviour.\n   */\n  readonly where?: (\n    record: unknown,\n    ctx: { collection: string; id: string },\n  ) => boolean | Promise<boolean>\n  /**\n   * Hierarchical-tier ceiling. Records whose envelope `_tier`\n   * is strictly greater than this number are dropped. Operates on the\n   * envelope `_tier` (no decryption needed) — vault.exportStream is\n   * referenced in the issue body for symmetry, but the tier value\n   * lives on the unencrypted envelope. Vault without tiers is a no-op.\n   */\n  readonly tierAtMost?: number\n  /**\n   * Single-recipient re-keying shorthand. When set, the\n   * bundle's keyring is replaced with one freshly-derived entry sealed\n   * with this passphrase. The recipient inherits the source keyring's\n   * userId, role, and permissions. Mutually exclusive with `recipients`.\n   */\n  readonly exportPassphrase?: string\n  /**\n   * Multi-recipient re-keying. Replaces the bundle's keyring\n   * map with one slot per recipient, each sealed with its own\n   * passphrase. DEKs are unwrapped from the source keyring once and\n   * re-wrapped per recipient — record ciphertext is unchanged.\n   *\n   * Mutually exclusive with `exportPassphrase`. When neither is set,\n   * the bundle inherits the source keyring as-is (today's behaviour,\n   * suited to personal backup-and-restore).\n   */\n  readonly recipients?: readonly BundleRecipient[]\n  /**\n   * Auto-unlock — unsealed per-user credentials (#215).\n   *\n   * Generalises `autoPassphrases` to support any bundleable credential\n   * kind (`passphrase` | `password` | `pin`).\n   *\n   * Public-by-design: anyone holding the bundle bytes can read these\n   * plaintext credentials. Use for demo data, sample vaults,\n   * prospect onboarding.\n   *\n   * The `policy: 'public-by-design'` discriminant is mandatory. A\n   * bare `{ perUser }` without it is rejected at write time — the\n   * safety net against a careless call against a production vault.\n   *\n   * Mutually exclusive with `sealedCredentials`, `autoPassphrases`,\n   * and `sealedPassphrases`.\n   */\n  readonly autoCredentials?: {\n    readonly policy: 'public-by-design'\n    readonly perUser: Record<string, AutoCredential>\n  }\n  /**\n   * Auto-unlock — per-user credentials sealed under a\n   * {@link SealingKeyProvider} (#215).\n   *\n   * Generalises `sealedPassphrases` to support any bundleable\n   * credential kind (`passphrase` | `password` | `pin`).\n   *\n   * The hub seals each user's plaintext credential under `provider`\n   * and embeds the resulting sealed envelopes in the bundle. The\n   * recipient must hold a provider with a matching `pid` (i.e.,\n   * `provider.id`) to auto-unseal on import.\n   *\n   * `mode: 'self-target'` — sender and recipient share the same\n   * provider identity (same iCloud Keychain entry, same\n   * MDM-provisioned bundle id, same KMS account, etc.).\n   *\n   * `mode: 'recipient-target'` — asymmetric sealing via a\n   * {@link RecipientSealer}. Each user entry carries a\n   * `credential` and a `hint` (the recipient's public material).\n   * The bundle can only be unsealed by the holder of the matching\n   * private key.\n   *\n   * Mutually exclusive with `autoCredentials`, `autoPassphrases`,\n   * and `sealedPassphrases`.\n   */\n  readonly sealedCredentials?:\n    | {\n        readonly mode: 'self-target'\n        readonly provider: SealingKeyProvider\n        readonly perUser: Record<string, AutoCredential>\n      }\n    | {\n        readonly mode: 'recipient-target'\n        readonly provider: RecipientSealer\n        readonly perUser: Record<string, { readonly credential: AutoCredential; readonly hint: RecipientHint }>\n      }\n  /**\n   * @deprecated Use `autoCredentials` instead (#215).\n   *\n   * Auto-unlock — unsealed per-user passphrases (#197 slice 1).\n   *\n   * Public-by-design: anyone holding the bundle bytes can read these\n   * plaintext credentials. Use for demo data, sample vaults,\n   * prospect onboarding.\n   *\n   * The `policy: 'public-by-design'` discriminant is mandatory. A\n   * bare `{ perUser }` without it is rejected at write time — the\n   * safety net against a careless call against a production vault.\n   *\n   * Mutually exclusive with `autoCredentials`, `sealedCredentials`,\n   * and `sealedPassphrases`.\n   */\n  readonly autoPassphrases?: {\n    readonly policy: 'public-by-design'\n    readonly perUser: Record<string, string>\n  }\n  /**\n   * @deprecated Use `sealedCredentials` instead (#215).\n   *\n   * Auto-unlock — per-user passphrases sealed under a\n   * {@link SealingKeyProvider} (#197 slice 1, self-target only).\n   *\n   * The hub seals each user's plaintext passphrase under `provider`\n   * and embeds the resulting sealed envelopes in the bundle. The\n   * recipient must hold a provider with a matching `pid` (i.e.,\n   * `provider.id`) to auto-unseal on import.\n   *\n   * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender\n   * and recipient share the same provider identity (same iCloud Keychain\n   * entry, same MDM-provisioned bundle id, same KMS account, etc.).\n   * For recipient-target sealing via the `RecipientSealer` interface,\n   * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).\n   *\n   * Mutually exclusive with `autoCredentials`, `sealedCredentials`,\n   * and `autoPassphrases`.\n   */\n  readonly sealedPassphrases?: {\n    readonly mode: 'self-target'\n    readonly provider: SealingKeyProvider\n    readonly perUser: Record<string, string>\n  }\n}\n\n/**\n * Result returned by `readNoydbBundle`. The caller is expected to\n * pass `dumpJson` into `vault.load(json, passphrase)` to\n * actually restore a vault. Splitting the layers keeps the\n * bundle module free of crypto concerns — see file-level docs.\n */\nexport interface NoydbBundleReadResult {\n  readonly header: NoydbBundleHeader\n  readonly dumpJson: string\n  /**\n   * Auto-unlock material (#197, widened in #215). Present only when\n   * the header's `autoUnlock` flag is set AND the body's wrapped\n   * structure survived parsing. Values are typed credentials — either\n   * delivered plain (`kind: 'unsealed'`) or unsealed at read time\n   * using one of the supplied `sealingProviders` (`kind: 'sealed'`).\n   *\n   * Consumers dispatch on `cred.kind` to choose the correct login /\n   * prefill path. Pre-0.2 bundles (bare string entries) are coerced\n   * to `{ kind: 'passphrase', value }` on read for back-compat.\n   *\n   * For `kind: 'sealed'` bundles read without `sealingProviders`, the\n   * `value` field is the raw base64 sealed bytes — opaque to the\n   * consumer until unsealed elsewhere.\n   */\n  readonly autoUnlock?: {\n    readonly kind: 'unsealed' | 'sealed'\n    readonly perUser: Record<string, AutoCredential>\n  }\n}\n\n/**\n * Sealed credential entry as it appears in the bundle body's\n * `_autoUnlock.perUser` map when the bundle was written with\n * `sealedCredentials` (or the deprecated `sealedPassphrases`).\n * Provider's sealed output is base64-encoded; the `pid` is the\n * dispatch key matched against recipient-supplied\n * `SealingKeyProvider.id`. The `kind` carries the plaintext-tier\n * metadata so the consumer can dispatch on credential type without\n * unsealing first.\n *\n * Back-compat: `kind` is absent in pre-0.2 bundles — readers must\n * default to `'passphrase'` when not present.\n */\ninterface SealedAutoUnlockEntry {\n  readonly pid: string\n  readonly sealed: string\n  readonly alg: 'aes-256-gcm'\n  readonly kind?: AutoCredentialKind\n  /**\n   * Recipient-target only: the RecipientHint the sender used to seal.\n   * Carried for recipient verifiability (\"yes this was sealed against\n   * my published hint\"). Self-target entries omit it. Pre-0.2 readers\n   * ignore unknown fields, so this is back-compatible.\n   */\n  readonly hint?: RecipientHint\n}\n\n/**\n * Discriminated wrapper carried in the bundle body when the header's\n * `autoUnlock` flag is set. Without the flag, the body is the raw\n * `vault.dump()` JSON string (the pre-#197 shape).\n *\n * Back-compat: pre-0.2 bundles carry bare `string` values in the\n * unsealed `perUser` map. Readers must coerce those to\n * `{ kind: 'passphrase', value }`.\n */\ninterface AutoUnlockBody {\n  readonly _noydb_bundle_body: 1\n  readonly dump: string\n  readonly _autoUnlock:\n    | { readonly kind: 'unsealed'; readonly perUser: Record<string, AutoCredential | string> }\n    | { readonly kind: 'sealed'; readonly perUser: Record<string, SealedAutoUnlockEntry> }\n}\n\n/**\n * Options accepted by {@link readNoydbBundle} for the #197\n * auto-unlock paths. Without these the reader behaves exactly as\n * pre-#197 (header parsed; body returned as `dumpJson`).\n */\nexport interface ReadNoydbBundleOptions {\n  /**\n   * Recipient-side sealing providers used to unseal entries from\n   * `sealedPassphrases`. The reader picks the one whose `.id`\n   * matches each entry's `pid`. Multiple providers may be supplied\n   * (different users may seal under different identities).\n   *\n   * When unset and the bundle carries sealed envelopes, the\n   * `autoUnlock.perUser` map remains the SEALED entries unmodified\n   * — callers can inspect them or unseal elsewhere.\n   */\n  readonly sealingProviders?: readonly SealingKeyProvider[]\n  /**\n   * Opt-in trial mode for unsealing — when an entry's `pid` doesn't\n   * match a registered provider, try each provider whose alg\n   * matches. Default `false` (strict-pid dispatch per foundation\n   * §11.9.2). Surfaces extra credential prompts; use deliberately.\n   */\n  readonly attemptUnsealAcrossProviders?: boolean\n}\n\n// ─── #197/#215 auto-unlock helpers ────────────────────────────────────────────\n\n/**\n * Internal normalized form of the auto-unlock options, computed once\n * from the four public-facing fields (autoCredentials, sealedCredentials,\n * autoPassphrases, sealedPassphrases). Callers work against this shape\n * so the build + validate paths share a single normalizer.\n */\ninterface NormalizedAutoUnlock {\n  readonly mode: 'unsealed' | 'sealed-self' | 'sealed-recipient'\n  readonly provider?: SealingKeyProvider | RecipientSealer\n  readonly perUser: Record<string, AutoCredential>\n  /** Present only for `sealed-recipient`. Same key set as `perUser`. */\n  readonly hints?: Record<string, RecipientHint>\n}\n\n/**\n * Coerce a `Record<string, string>` (legacy passphrase-only map) into\n * a `Record<string, AutoCredential>` by tagging each entry as\n * `kind: 'passphrase'`. Used by the normalizer to promote the deprecated\n * `autoPassphrases`/`sealedPassphrases` sugar.\n */\nfunction toAutoCredentials(m: Record<string, string>): Record<string, AutoCredential> {\n  return Object.fromEntries(\n    Object.entries(m).map(([u, value]) => [u, { kind: 'passphrase' as const, value }]),\n  )\n}\n\n/**\n * Normalize the four auto-unlock option fields into a single\n * `NormalizedAutoUnlock` (or `null` when none is set). Enforces mutual\n * exclusion — exactly one of the four may be present. Promotes the\n * deprecated sugar fields to `AutoCredential` shape.\n *\n * Does NOT validate field-level constraints (policy marker, perUser\n * length, mode, provider presence, kind allowlist) — those are checked\n * in `validateAutoUnlockOptions` after normalization.\n */\nfunction normalizeAutoUnlock(opts: WriteNoydbBundleOptions): NormalizedAutoUnlock | null {\n  const set = [\n    opts.autoCredentials,\n    opts.sealedCredentials,\n    opts.autoPassphrases,\n    opts.sealedPassphrases,\n  ].filter(v => v !== undefined).length\n  if (set === 0) return null\n  if (set > 1) {\n    throw new ValidationError(\n      'writeNoydbBundle: only one of autoCredentials / sealedCredentials / '\n      + 'autoPassphrases / sealedPassphrases may be set.',\n    )\n  }\n  if (opts.autoCredentials !== undefined) {\n    return { mode: 'unsealed', perUser: opts.autoCredentials.perUser }\n  }\n  if (opts.autoPassphrases !== undefined) {\n    return { mode: 'unsealed', perUser: toAutoCredentials(opts.autoPassphrases.perUser) }\n  }\n  if (opts.sealedCredentials !== undefined) {\n    if (opts.sealedCredentials.mode === 'recipient-target') {\n      const perUser: Record<string, AutoCredential> = {}\n      const hints: Record<string, RecipientHint> = {}\n      for (const [userId, entry] of Object.entries(opts.sealedCredentials.perUser)) {\n        perUser[userId] = entry.credential\n        hints[userId] = entry.hint\n      }\n      return { mode: 'sealed-recipient', provider: opts.sealedCredentials.provider, perUser, hints }\n    }\n    return { mode: 'sealed-self', provider: opts.sealedCredentials.provider, perUser: opts.sealedCredentials.perUser }\n  }\n  // sealedPassphrases — only remaining option\n  return {\n    mode: 'sealed-self',\n    provider: opts.sealedPassphrases!.provider,\n    perUser: toAutoCredentials(opts.sealedPassphrases!.perUser),\n  }\n}\n\n/**\n * Validate the auto-unlock options and return the resulting header\n * `autoUnlock` value (or null when no auto-unlock requested).\n *\n * Takes the pre-computed `NormalizedAutoUnlock` so the caller (i.e.\n * `writeNoydbBundle`) can pass the same object to `buildAutoUnlockWrapper`\n * without a second `normalizeAutoUnlock` call.\n *\n * Validation per spec (#197 + #215 §3):\n *   - (mutual exclusion already enforced by normalizeAutoUnlock)\n *   - unsealed path: `policy: 'public-by-design'` marker required\n *   - non-empty `perUser` maps\n *   - sealed path: provider present; both `mode: 'self-target'` and `mode: 'recipient-target'` accepted; recipient-target requires a `RecipientSealer` provider and per-user `hint` (§11.4)\n *   - every AutoCredential.kind ∈ {passphrase, password, pin}\n *     (WebAuthn is hardware-bound and cannot be bundled)\n *\n * Throws {@link ValidationError} on any violation.\n */\nfunction validateAutoUnlockOptions(\n  opts: WriteNoydbBundleOptions,\n  normalized: NormalizedAutoUnlock | null,\n): 'unsealed' | 'sealed' | null {\n  if (normalized === null) return null\n\n  const VALID_KINDS: ReadonlySet<string> = new Set(['passphrase', 'password', 'pin'])\n\n  // Validate every credential kind before any further checks.\n  for (const [userId, cred] of Object.entries(normalized.perUser)) {\n    if (!VALID_KINDS.has(cred.kind)) {\n      throw new ValidationError(\n        `writeNoydbBundle: credential for user '${userId}' has unsupported kind '${cred.kind}'. `\n        + 'auto-unlock supports passphrase/password/pin only; WebAuthn is hardware-bound '\n        + 'and cannot be bundled.',\n      )\n    }\n  }\n\n  if (normalized.mode === 'unsealed') {\n    // Read the policy marker from whichever active option carries it.\n    const policy = opts.autoCredentials?.policy ?? opts.autoPassphrases?.policy\n    if (policy !== 'public-by-design') {\n      throw new ValidationError(\n        'writeNoydbBundle: `autoCredentials` (or `autoPassphrases`) requires '\n        + '`policy: \"public-by-design\"`. '\n        + 'This is an explicit opt-in marker — bundling plaintext credentials is '\n        + 'safe only when those credentials are intended to be public (demo data, '\n        + 'sample vaults). For production credentials, use `sealedCredentials` instead.',\n      )\n    }\n    const userCount = Object.keys(normalized.perUser).length\n    if (userCount === 0) {\n      throw new ValidationError(\n        'writeNoydbBundle: `autoCredentials.perUser` (or `autoPassphrases.perUser`) '\n        + 'must have at least one entry.',\n      )\n    }\n    return 'unsealed'\n  }\n\n  // Sealed path — branch on mode.\n  if (normalized.mode === 'sealed-recipient') {\n    const provider = normalized.provider\n    if (provider === undefined || typeof (provider as RecipientSealer).publishRecipientHint !== 'function'\n        || typeof (provider as RecipientSealer).sealForRecipient !== 'function') {\n      throw new ValidationError(\n        'writeNoydbBundle: `sealedCredentials.provider` for mode \\'recipient-target\\' must be a '\n        + 'RecipientSealer (publishRecipientHint + sealForRecipient). Self-only providers '\n        + '(MemorySealingKeyProvider, at-macos-keychain, etc.) do not satisfy this contract.',\n      )\n    }\n    const hints = normalized.hints\n    if (hints === undefined) {\n      throw new Error('unreachable — sealed-recipient normalization must populate hints')\n    }\n    for (const userId of Object.keys(normalized.perUser)) {\n      const hint = hints[userId]\n      if (hint === undefined) {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}']\\` missing required \\`hint\\` for mode 'recipient-target'.`,\n        )\n      }\n      if (hint.v !== 1) {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}'].hint.v\\` must be 1 (got ${String(hint.v)}).`,\n        )\n      }\n      if (typeof hint.pid !== 'string' || hint.pid.length === 0) {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}'].hint.pid\\` must be a non-empty string identifying the recipient.`,\n        )\n      }\n      if (hint.alg !== 'rsa-oaep-sha256') {\n        throw new ValidationError(\n          `writeNoydbBundle: \\`sealedCredentials.perUser['${userId}'].hint.alg\\` must be 'rsa-oaep-sha256' in slice 1 (got '${String(hint.alg)}').`,\n        )\n      }\n      // Note: hint.pid identifies the recipient, not the sender — no pid===sender.id check here.\n      // The sender holds a RecipientSealer that calls sealForRecipient(plaintext, hint);\n      // the hint's pid is the dispatch key on the reader side (matched against recipient providers).\n    }\n    const userCount = Object.keys(normalized.perUser).length\n    if (userCount === 0) {\n      throw new ValidationError(\n        'writeNoydbBundle: `sealedCredentials.perUser` must have at least one entry.',\n      )\n    }\n    return 'sealed'\n  }\n\n  // mode === 'sealed-self'\n  const selfTargetMode = opts.sealedCredentials?.mode ?? opts.sealedPassphrases?.mode\n  if (selfTargetMode !== 'self-target') {\n    throw new ValidationError(\n      `writeNoydbBundle: \\`sealedCredentials.mode\\` (or \\`sealedPassphrases.mode\\`) must be `\n      + `'self-target' or 'recipient-target' (got '${String(selfTargetMode)}').`,\n    )\n  }\n  if (normalized.provider === undefined) {\n    throw new ValidationError(\n      'writeNoydbBundle: `sealedCredentials.provider` (or `sealedPassphrases.provider`) '\n      + 'is required (a `SealingKeyProvider`).',\n    )\n  }\n  const userCount = Object.keys(normalized.perUser).length\n  if (userCount === 0) {\n    throw new ValidationError(\n      'writeNoydbBundle: `sealedCredentials.perUser` (or `sealedPassphrases.perUser`) '\n      + 'must have at least one entry.',\n    )\n  }\n  return 'sealed'\n}\n\n/**\n * Build the body wrapper carrying the dump + `_autoUnlock` blob.\n * Takes the pre-computed `NormalizedAutoUnlock` so both validate and\n * build work off the same normalized form (no double-normalize).\n */\nasync function buildAutoUnlockWrapper(\n  dumpJson: string,\n  normalized: NormalizedAutoUnlock,\n): Promise<AutoUnlockBody> {\n  if (normalized.mode === 'unsealed') {\n    return {\n      _noydb_bundle_body: 1,\n      dump: dumpJson,\n      _autoUnlock: {\n        kind: 'unsealed',\n        perUser: { ...normalized.perUser },\n      },\n    }\n  }\n  // Sealed path — branch on mode.\n  const provider = normalized.provider\n  if (provider === undefined) {\n    throw new Error('unreachable — validation should have caught this')\n  }\n  const sealedPerUser: Record<string, SealedAutoUnlockEntry> = {}\n  const encoder = new TextEncoder()\n\n  if (normalized.mode === 'sealed-recipient') {\n    const recipientSealer = provider as RecipientSealer\n    const hints = normalized.hints\n    if (hints === undefined) {\n      throw new Error('unreachable — sealed-recipient normalization must populate hints')\n    }\n    for (const [userId, cred] of Object.entries(normalized.perUser)) {\n      const hint = hints[userId]!\n      const sealed = await recipientSealer.sealForRecipient(encoder.encode(cred.value), hint)\n      sealedPerUser[userId] = {\n        pid: hint.pid,                  // use the recipient's pid, not the sender's\n        sealed: bytesToBase64(sealed),\n        alg: 'aes-256-gcm',\n        kind: cred.kind,\n        hint,\n      }\n    }\n  } else {\n    // mode === 'sealed-self'\n    const selfSealer = provider as SealingKeyProvider\n    for (const [userId, cred] of Object.entries(normalized.perUser)) {\n      const sealed = await selfSealer.seal(encoder.encode(cred.value))\n      sealedPerUser[userId] = {\n        pid: selfSealer.id,\n        sealed: bytesToBase64(sealed),\n        alg: 'aes-256-gcm',\n        kind: cred.kind,\n      }\n    }\n  }\n\n  return {\n    _noydb_bundle_body: 1,\n    dump: dumpJson,\n    _autoUnlock: { kind: 'sealed', perUser: sealedPerUser },\n  }\n}\n\n/**\n * Parse the body bytes when the header signaled an auto-unlock.\n * Returns the inner `dump` JSON string + the `_autoUnlock` blob;\n * throws if the wrapper structure is malformed.\n */\nfunction parseAutoUnlockBody(bodyString: string): { dump: string; blob: AutoUnlockBody['_autoUnlock'] } {\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(bodyString)\n  } catch (err) {\n    throw new BundleIntegrityError(\n      'header declared autoUnlock but body could not be parsed as JSON wrapper: '\n      + (err instanceof Error ? err.message : String(err)),\n    )\n  }\n  if (typeof parsed !== 'object' || parsed === null) {\n    throw new BundleIntegrityError('autoUnlock body is not a JSON object')\n  }\n  const obj = parsed as Record<string, unknown>\n  if (obj['_noydb_bundle_body'] !== 1) {\n    throw new BundleIntegrityError(\n      'autoUnlock body missing `_noydb_bundle_body: 1` discriminator',\n    )\n  }\n  if (typeof obj['dump'] !== 'string') {\n    throw new BundleIntegrityError('autoUnlock body must carry a string `dump` field')\n  }\n  const blob = obj['_autoUnlock']\n  if (typeof blob !== 'object' || blob === null) {\n    throw new BundleIntegrityError('autoUnlock body missing `_autoUnlock` blob')\n  }\n  const blobObj = blob as Record<string, unknown>\n  const kind = blobObj['kind']\n  if (kind !== 'unsealed' && kind !== 'sealed') {\n    throw new BundleIntegrityError(\n      `autoUnlock blob has invalid kind ${String(kind)}; expected 'unsealed' or 'sealed'`,\n    )\n  }\n  return {\n    dump: obj['dump'],\n    blob: blob as AutoUnlockBody['_autoUnlock'],\n  }\n}\n\n/**\n * Transfer-seal payload (#206). The destination DEKs, exported to raw\n * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer\n * key. `adoptPartition` (#207) unseals this; `createOwnerOnAdoptedPartition`\n * (#208) re-wraps the raw DEKs under the recipient's KEK.\n */\nexport interface TransferSealPayload {\n  readonly v: 1\n  readonly alg: 'aes-256-gcm-pre-shared'\n  readonly sealId: string\n  /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */\n  readonly payload: string\n}\n\n/**\n * Body wrapper for an extracted, transfer-sealed partition (#203/#206).\n * Sibling to {@link AutoUnlockBody}; selected by `header.bundleKind ===\n * 'extracted-partition'`. The inner `dump` is a re-keyed projection with\n * an empty `keyrings` map.\n */\nexport interface ExtractedPartitionBody {\n  readonly _noydb_bundle_body: 1\n  readonly dump: string\n  readonly _transferSeal: TransferSealPayload\n}\n\nexport function buildExtractedPartitionWrapper(\n  dumpJson: string,\n  seal: TransferSealPayload,\n): ExtractedPartitionBody {\n  return { _noydb_bundle_body: 1, dump: dumpJson, _transferSeal: seal }\n}\n\nexport function parseExtractedPartitionBody(\n  bodyString: string,\n): { dump: string; seal: TransferSealPayload } {\n  let parsed: unknown\n  try {\n    parsed = JSON.parse(bodyString)\n  } catch (err) {\n    throw new BundleIntegrityError(\n      'header declared extracted-partition but body could not be parsed as JSON wrapper: '\n      + (err instanceof Error ? err.message : String(err)),\n    )\n  }\n  if (typeof parsed !== 'object' || parsed === null) {\n    throw new BundleIntegrityError('extracted-partition body is not a JSON object')\n  }\n  const obj = parsed as Record<string, unknown>\n  if (obj['_noydb_bundle_body'] !== 1) {\n    throw new BundleIntegrityError(\n      'extracted-partition body missing `_noydb_bundle_body: 1` discriminator',\n    )\n  }\n  if (typeof obj['dump'] !== 'string') {\n    throw new BundleIntegrityError('extracted-partition body must carry a string `dump` field')\n  }\n  const seal = obj['_transferSeal']\n  if (typeof seal !== 'object' || seal === null) {\n    throw new BundleIntegrityError('extracted-partition body missing `_transferSeal` blob')\n  }\n  const s = seal as Record<string, unknown>\n  if (s['v'] !== 1 || s['alg'] !== 'aes-256-gcm-pre-shared'\n      || typeof s['sealId'] !== 'string' || typeof s['payload'] !== 'string') {\n    throw new BundleIntegrityError('extracted-partition `_transferSeal` blob is malformed')\n  }\n  return { dump: obj['dump'], seal: seal as TransferSealPayload }\n}\n\n/**\n * Coerce an unsealed perUser entry to `AutoCredential`. Pre-0.2 bundles\n * store bare strings; 0.2+ bundles store `{ kind, value }` objects.\n */\nfunction coerceUnsealed(entry: AutoCredential | string): AutoCredential {\n  if (typeof entry === 'string') return { kind: 'passphrase', value: entry }\n  return entry\n}\n\n/**\n * Resolve the `_autoUnlock` blob into a typed per-user credential map.\n *\n * - For `kind: 'unsealed'`: pass through, coercing pre-0.2 bare strings\n *   to `{ kind: 'passphrase', value }`.\n * - For `kind: 'sealed'`: pick a `SealingKeyProvider` from\n *   `opts.sealingProviders` whose `.id` matches each entry's `pid`;\n *   unseal to `AutoCredential`. When no provider matches AND strict mode\n *   (default), throw `BundleSealMismatchError`. With\n *   `attemptUnsealAcrossProviders: true`, try each provider whose\n *   `alg` matches the envelope.\n *   Exception: if an unmatched entry carries a `hint` field (recipient-target\n *   entries), it passes through as `{ kind, value: base64sealed }` rather than\n *   throwing — multi-recipient bundles have N-1 unmatched entries from each\n *   recipient's perspective, and the consumer is expected to ignore entries\n *   not addressed to them.\n * - When `sealingProviders` is unset entirely on a `'sealed'` bundle,\n *   pass through the SEALED entries as `{ kind, value: base64sealed }` —\n *   the caller can inspect or unseal elsewhere.\n *\n * Pre-0.2 sealed entries missing `kind` default to `'passphrase'`.\n */\nasync function resolveAutoUnlock(\n  blob: AutoUnlockBody['_autoUnlock'],\n  opts: ReadNoydbBundleOptions,\n): Promise<{ kind: 'unsealed' | 'sealed'; perUser: Record<string, AutoCredential> }> {\n  if (blob.kind === 'unsealed') {\n    const resolved: Record<string, AutoCredential> = {}\n    for (const [userId, entry] of Object.entries(blob.perUser)) {\n      resolved[userId] = coerceUnsealed(entry)\n    }\n    return { kind: 'unsealed', perUser: resolved }\n  }\n  // Sealed path.\n  if (opts.sealingProviders === undefined || opts.sealingProviders.length === 0) {\n    // Inspection mode — pass the sealed payload through as a typed\n    // credential whose `value` is the opaque base64 sealed bytes.\n    // The caller is signalled by `kind: 'sealed'` on the outer result.\n    const passthrough: Record<string, AutoCredential> = {}\n    for (const [userId, entry] of Object.entries(blob.perUser)) {\n      passthrough[userId] = { kind: entry.kind ?? 'passphrase', value: entry.sealed }\n    }\n    return { kind: 'sealed', perUser: passthrough }\n  }\n  const providersByPid = new Map<string, SealingKeyProvider>()\n  for (const p of opts.sealingProviders) providersByPid.set(p.id, p)\n\n  const decoder = new TextDecoder()\n  const unsealedMap: Record<string, AutoCredential> = {}\n\n  for (const [userId, entry] of Object.entries(blob.perUser)) {\n    const credKind: AutoCredentialKind = entry.kind ?? 'passphrase'\n    const provider = providersByPid.get(entry.pid)\n    if (provider === undefined) {\n      if (opts.attemptUnsealAcrossProviders === true) {\n        // Try each provider; first that succeeds wins.\n        let opened: string | null = null\n        for (const candidate of opts.sealingProviders) {\n          try {\n            const plaintextBytes = await candidate.unseal(base64ToBytes(entry.sealed))\n            opened = decoder.decode(plaintextBytes)\n            break\n          } catch {\n            // try next\n          }\n        }\n        if (opened === null) {\n          if (entry.hint !== undefined) {\n            // Recipient-target entry not addressed to any held key — pass through sealed.\n            // Other recipients' entries in a multi-recipient bundle are opaque to us.\n            unsealedMap[userId] = { kind: credKind, value: entry.sealed }\n            continue\n          }\n          throw new BundleSealMismatchError(userId, entry.pid)\n        }\n        unsealedMap[userId] = { kind: credKind, value: opened }\n        continue\n      }\n      if (entry.hint !== undefined) {\n        // Recipient-target entry not addressed to any held key — pass through sealed.\n        // Multi-recipient bundles deliberately seal each user's entry under their own\n        // public key; a reader holding only alice's key will not match bob's pid.\n        unsealedMap[userId] = { kind: credKind, value: entry.sealed }\n        continue\n      }\n      throw new BundleSealMismatchError(userId, entry.pid)\n    }\n    const plaintextBytes = await provider.unseal(base64ToBytes(entry.sealed))\n    unsealedMap[userId] = { kind: credKind, value: decoder.decode(plaintextBytes) }\n  }\n  return { kind: 'sealed', perUser: unsealedMap }\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n  let binary = ''\n  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]!)\n  return btoa(binary)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  const binary = atob(b64)\n  const out = new Uint8Array(binary.length)\n  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i)\n  return out\n}\n\n/**\n * Detect whether the runtime's `CompressionStream` supports brotli.\n *\n * Brotli requires Node 22+ / Chrome 124+ / Firefox 122+. The\n * detection runs the `CompressionStream` constructor in a\n * try/catch — unsupported formats throw `TypeError` synchronously,\n * making this a safe one-shot check that we cache for the\n * lifetime of the process.\n */\nlet cachedBrotliSupport: boolean | null = null\nfunction supportsBrotliCompression(): boolean {\n  if (cachedBrotliSupport !== null) return cachedBrotliSupport\n  try {\n    new CompressionStream('br' as CompressionFormat)\n    cachedBrotliSupport = true\n  } catch {\n    cachedBrotliSupport = false\n  }\n  return cachedBrotliSupport\n}\n\n/** Test-only: reset the brotli detection cache between tests. */\nexport function resetBrotliSupportCache(): void {\n  cachedBrotliSupport = null\n}\n\n/**\n * Pick the compression algorithm and the corresponding format byte\n * from a user option. Throws if the user explicitly requests brotli\n * on a runtime that doesn't support it — a silent fallback would\n * make the produced bundle smaller-than-expected and confuse\n * size-bound tests.\n */\nfunction selectCompression(option: WriteNoydbBundleOptions['compression']): {\n  format: CompressionAlgo\n  streamFormat: CompressionFormat | null\n} {\n  const choice = option ?? 'auto'\n  if (choice === 'none') return { format: COMPRESSION_NONE, streamFormat: null }\n  if (choice === 'gzip') return { format: COMPRESSION_GZIP, streamFormat: 'gzip' }\n  if (choice === 'brotli') {\n    if (!supportsBrotliCompression()) {\n      throw new Error(\n        `writeNoydbBundle({ compression: 'brotli' }) is not supported on this ` +\n          `runtime. Brotli requires Node 22+, Chrome 124+, or Firefox 122+. ` +\n          `Use { compression: 'auto' } to fall back to gzip silently, or ` +\n          `{ compression: 'gzip' } to be explicit.`,\n      )\n    }\n    return { format: COMPRESSION_BROTLI, streamFormat: 'br' as CompressionFormat }\n  }\n  // 'auto' — prefer brotli, fall back to gzip\n  if (supportsBrotliCompression()) {\n    return { format: COMPRESSION_BROTLI, streamFormat: 'br' as CompressionFormat }\n  }\n  return { format: COMPRESSION_GZIP, streamFormat: 'gzip' }\n}\n\n/**\n * Pump a Uint8Array through a CompressionStream / DecompressionStream\n * and collect the output. Both APIs are universally available in\n * Node 18+ and modern browsers; the only variance is which\n * formats they support, handled by `selectCompression` above.\n *\n * Implementation: build a single-chunk ReadableStream from the\n * input, pipe through the transform, then drain the resulting\n * ReadableStream into a single concatenated Uint8Array. This is\n * O(N) memory in the input + output sizes, which is fine for the\n * dump-sized payloads (typically <50MB) targets.\n */\nasync function pumpThroughStream(\n  input: Uint8Array,\n  stream: CompressionStream | DecompressionStream,\n): Promise<Uint8Array> {\n  const readable = new Blob([input as BlobPart]).stream().pipeThrough(stream)\n  const reader = readable.getReader()\n  const chunks: Uint8Array[] = []\n  let total = 0\n  for (;;) {\n    const { value, done } = await reader.read()\n    if (done) break\n    if (value) {\n      chunks.push(value as Uint8Array)\n      total += value.length\n    }\n  }\n  const out = new Uint8Array(total)\n  let offset = 0\n  for (const chunk of chunks) {\n    out.set(chunk, offset)\n    offset += chunk.length\n  }\n  return out\n}\n\n/**\n * SHA-256 hex digest of `bytes`. Used for the bundle integrity\n * hash carried in the header. Web Crypto API only — no Node\n * crypto module, no third-party hash library.\n *\n * The output format is lowercase hex (64 chars for SHA-256). The\n * format validator pins this — uppercase or mixed-case digests\n * are rejected, so the writer and reader agree on canonicalization.\n */\nasync function sha256Hex(bytes: Uint8Array): Promise<string> {\n  // Copy into a fresh ArrayBuffer-backed Uint8Array. The\n  // underlying buffer of `bytes` may be SharedArrayBuffer (e.g.\n  // from a worker), which `subtle.digest` rejects via TypeScript's\n  // BufferSource type. Allocating a fresh ArrayBuffer-backed view\n  // sidesteps the type narrowing and is portable across all\n  // runtimes — the copy cost is O(N) but bundle bodies are\n  // typically <50MB, well below the threshold where the copy\n  // matters.\n  const copy = new Uint8Array(bytes.length)\n  copy.set(bytes)\n  const digest = await crypto.subtle.digest('SHA-256', copy)\n  const view = new Uint8Array(digest)\n  let hex = ''\n  for (let i = 0; i < view.length; i++) {\n    hex += view[i]!.toString(16).padStart(2, '0')\n  }\n  return hex\n}\n\n/**\n * Concatenate any number of Uint8Arrays into a single new buffer.\n * Used to assemble the final bundle from its prefix + header +\n * body parts.\n */\nfunction concatBytes(parts: readonly Uint8Array[]): Uint8Array {\n  let total = 0\n  for (const p of parts) total += p.length\n  const out = new Uint8Array(total)\n  let offset = 0\n  for (const p of parts) {\n    out.set(p, offset)\n    offset += p.length\n  }\n  return out\n}\n\n/**\n * Replace the bundle's keyrings with freshly built recipient slots,\n * one per supplied recipient. No-op when neither `exportPassphrase`\n * nor `recipients` is set — the source keyring is inherited as-is.\n *\n * The single-passphrase shorthand creates a one-recipient list whose\n * id, role, and permissions inherit from the source vault — useful\n * for \"back up to a different passphrase\" without changing role\n * semantics. The multi-recipient form wraps each slot independently\n * with its declared role + permissions.\n *\n * @internal\n */\nasync function applyRecipientRewrap(\n  vault: Vault,\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): Promise<string> {\n  if (opts.exportPassphrase === undefined && opts.recipients === undefined) {\n    return dumpJson\n  }\n\n  const recipients: readonly BundleRecipient[] =\n    opts.recipients ?? [\n      {\n        id: vault.userId,\n        passphrase: opts.exportPassphrase as string,\n        role: vault.role,\n      },\n    ]\n\n  const recipientKeyrings = await vault.buildBundleRecipientKeyrings(recipients)\n\n  const backup = JSON.parse(dumpJson) as { keyrings: unknown; [k: string]: unknown }\n  backup.keyrings = recipientKeyrings\n  return JSON.stringify(backup)\n}\n\n/**\n * Apply opt-in slice filters to a vault dump JSON string. Filters that\n * narrow the bundle without crossing the encryption boundary — both\n * operate on metadata (collection name, envelope `_ts`) and never need\n * to decrypt records. When neither filter is set, the dump is returned\n * unchanged so the no-arg path stays a pure passthrough.\n *\n * Internal-collection filtering: when a `collections` allowlist is\n * provided, the bundle still carries `_internal` (ledger entries) and\n * the keyrings — they're necessary for the receiver to verify and\n * unlock the bundle. The allowlist applies to the user-collection\n * map only.\n *\n * @internal\n */\nfunction applySliceFilters(\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): string {\n  const collectionsFilter = opts.collections\n    ? new Set(opts.collections)\n    : null\n  const sinceMs =\n    opts.since !== undefined ? new Date(opts.since).getTime() : null\n  if (collectionsFilter === null && sinceMs === null) return dumpJson\n\n  // Parse, prune, re-serialize. The dump shape is stable\n  // (VaultBackup) so this is a one-off allocation; for vaults beyond\n  // the documented 1K–50K target a streaming variant would be a\n  // follow-up, but the simple parse path keeps the slice path\n  // type-safe and trivially auditable.\n  const backup = JSON.parse(dumpJson) as {\n    collections?: Record<string, Record<string, { _ts?: string }>>\n    [k: string]: unknown\n  }\n\n  if (backup.collections && typeof backup.collections === 'object') {\n    const next: Record<string, Record<string, unknown>> = {}\n    for (const [name, records] of Object.entries(backup.collections)) {\n      if (collectionsFilter && !collectionsFilter.has(name)) continue\n      if (sinceMs === null) {\n        next[name] = records\n        continue\n      }\n      const kept: Record<string, unknown> = {}\n      for (const [id, env] of Object.entries(records)) {\n        const envTs = env._ts ? new Date(env._ts).getTime() : NaN\n        if (Number.isFinite(envTs) && envTs >= sinceMs) {\n          kept[id] = env\n        }\n      }\n      next[name] = kept\n    }\n    backup.collections = next as typeof backup.collections\n  }\n\n  return JSON.stringify(backup)\n}\n\n/**\n * Apply opt-in plaintext-tier filters\n * to a vault dump. Operates BEFORE `applySliceFilters` so the metadata\n * pass sees the trimmed record set.\n *\n * The filter never re-encrypts: surviving records carry their original\n * envelope unchanged. Failing records are dropped from the\n * `collections` map. Internal collections (ledger, deltas) and the\n * keyrings map are untouched.\n *\n * @internal\n */\nasync function applyPlaintextFilters(\n  vault: Vault,\n  dumpJson: string,\n  opts: WriteNoydbBundleOptions,\n): Promise<string> {\n  if (opts.where === undefined && opts.tierAtMost === undefined) {\n    return dumpJson\n  }\n\n  type Env = { _ts?: string; _tier?: number; _iv: string; _data: string }\n  const backup = JSON.parse(dumpJson) as {\n    collections?: Record<string, Record<string, Env>>\n    [k: string]: unknown\n  }\n  if (!backup.collections || typeof backup.collections !== 'object') {\n    return dumpJson\n  }\n\n  const tierCeiling = opts.tierAtMost\n  const where = opts.where\n\n  const next: Record<string, Record<string, Env>> = {}\n  for (const [collName, records] of Object.entries(backup.collections)) {\n    const kept: Record<string, Env> = {}\n    for (const [id, env] of Object.entries(records)) {\n      // Tier ceiling — runs FIRST so we don't waste a decrypt on\n      // records about to be dropped anyway. Envelope tier defaults to\n      // 0 when absent (matches Vault's tier-0 conventions).\n      if (tierCeiling !== undefined) {\n        const tier = env._tier ?? 0\n        if (tier > tierCeiling) continue\n      }\n      // Plaintext predicate — decrypt, run, keep on truthy. Errors\n      // from inside the predicate propagate (callers want to see why\n      // their filter blew up rather than getting a silent passthrough).\n      if (where !== undefined) {\n        const record = await vault._decryptEnvelopeForBundleFilter(\n          env as never,\n          collName,\n        )\n        const ok = await where(record, { collection: collName, id })\n        if (!ok) continue\n      }\n      kept[id] = env\n    }\n    next[collName] = kept\n  }\n  backup.collections = next\n  return JSON.stringify(backup)\n}\n\n/**\n * Write a `.noydb` bundle for the given vault.\n *\n * Pipeline:\n *   1. Resolve or create the compartment's stable bundle handle\n *      via `vault.getBundleHandle()` — same handle on\n *      every export from the same vault instance, so cloud\n *      adapters can use it as a primary key.\n *   2. `vault.dump()` → JSON string with encrypted records\n *      inside.\n *   3. UTF-8 encode the dump string.\n *   4. Compress (brotli if available, gzip fallback by default).\n *   5. Compute SHA-256 of the compressed body for integrity.\n *   6. Build the minimum-disclosure header from format version,\n *      handle, body length, body sha.\n *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)\n *      + header JSON (N) + compressed body (M).\n *\n * The output is a single `Uint8Array`. Consumers writing to disk\n * pass it to `fs.writeFile`; consumers uploading to cloud storage\n * pass it as the request body. The `@noy-db/file` adapter wraps\n * this with a `saveBundle(path, vault)` helper.\n */\n/**\n * Assemble the final `.noydb` container bytes from a body JSON string +\n * header extras. Shared by `writeNoydbBundle` and `extractPartition`\n * so both producers go through one compress/hash/prefix path.\n *\n * @internal\n */\nexport async function assembleBundleContainer(opts: {\n  handle: string\n  bodyJsonStr: string\n  compression: WriteNoydbBundleOptions['compression']\n  /** Header fields beyond the always-present four. */\n  headerExtras?: Partial<Pick<NoydbBundleHeader, 'publicEnvelope' | 'autoUnlock' | 'bundleKind' | 'transferSeal'>>\n}): Promise<Uint8Array> {\n  const dumpBytes = new TextEncoder().encode(opts.bodyJsonStr)\n  const { format, streamFormat } = selectCompression(opts.compression)\n  const body = streamFormat === null\n    ? dumpBytes\n    : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat))\n  const bodySha256 = await sha256Hex(body)\n\n  const header: NoydbBundleHeader = {\n    formatVersion: NOYDB_BUNDLE_FORMAT_VERSION,\n    handle: opts.handle,\n    bodyBytes: body.length,\n    bodySha256,\n    ...(opts.headerExtras?.publicEnvelope !== undefined ? { publicEnvelope: opts.headerExtras.publicEnvelope } : {}),\n    ...(opts.headerExtras?.autoUnlock !== undefined ? { autoUnlock: opts.headerExtras.autoUnlock } : {}),\n    ...(opts.headerExtras?.bundleKind !== undefined ? { bundleKind: opts.headerExtras.bundleKind } : {}),\n    ...(opts.headerExtras?.transferSeal !== undefined ? { transferSeal: opts.headerExtras.transferSeal } : {}),\n  }\n  const headerBytes = encodeBundleHeader(header)\n\n  const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES)\n  prefix.set(NOYDB_BUNDLE_MAGIC, 0)\n  prefix[4] = (streamFormat === null ? 0 : FLAG_COMPRESSED) | FLAG_HAS_INTEGRITY_HASH\n  prefix[5] = format\n  writeUint32BE(prefix, 6, headerBytes.length)\n\n  return concatBytes([prefix, headerBytes, body])\n}\n\nexport async function writeNoydbBundle(\n  vault: Vault,\n  opts: WriteNoydbBundleOptions = {},\n): Promise<Uint8Array> {\n  if (opts.exportPassphrase !== undefined && opts.recipients !== undefined) {\n    throw new Error(\n      'writeNoydbBundle: pass either exportPassphrase or recipients, not both',\n    )\n  }\n\n  // #197/#215 — auto-unlock: normalize once, validate + build from the\n  // same NormalizedAutoUnlock object so there's no double-normalize call.\n  const normalizedAutoUnlock = normalizeAutoUnlock(opts)\n  const autoUnlockMode = validateAutoUnlockOptions(opts, normalizedAutoUnlock)\n\n  const handle = await vault.getBundleHandle()\n  const dumpJson = await vault.dump()\n\n  // Re-keying: when caller supplied recipients (or the single-recipient\n  // shorthand), substitute the bundle's `keyrings` map with freshly\n  // built recipient slots before slice filters run.\n  const rekeyed = await applyRecipientRewrap(vault, dumpJson, opts)\n  // Plaintext-tier filters run BEFORE\n  // the metadata-only slice — that way the metadata pass sees the\n  // already-trimmed record set and the two filter chains compose\n  // cleanly.\n  const plainFiltered = await applyPlaintextFilters(vault, rekeyed, opts)\n  const filtered = applySliceFilters(plainFiltered, opts)\n\n  // If no auto-unlock requested, body remains the raw dump JSON\n  // (pre-#197 shape). Otherwise build the wrapped body containing the\n  // dump + `_autoUnlock` blob and serialize.\n  const bodyJsonStr = normalizedAutoUnlock === null\n    ? filtered\n    : JSON.stringify(await buildAutoUnlockWrapper(filtered, normalizedAutoUnlock))\n  // Snapshot the source vault's public envelope into the header\n  // when one is persisted. `Vault.getPublicEnvelope` tolerates a\n  // missing document and returns undefined, which we propagate as\n  // \"no envelope in the header.\" Vaults without a\n  // `_meta/public-envelope` document produce minimum-disclosure\n  // headers exactly like before, preserving back-compat.\n  const publicEnvelope = await vault.getPublicEnvelope()\n\n  return assembleBundleContainer({\n    handle,\n    bodyJsonStr,\n    compression: opts.compression,\n    headerExtras: {\n      ...(publicEnvelope !== undefined ? { publicEnvelope } : {}),\n      ...(autoUnlockMode !== null ? { autoUnlock: autoUnlockMode } : {}),\n    },\n  })\n}\n\n/**\n * Internal helper shared by both readers — parses just the prefix\n * + header region of a bundle without touching the body. Returns\n * the parsed header plus the offset where the body starts and the\n * compression algorithm needed to decompress it.\n *\n * Throws on any format violation: missing/invalid magic, truncated\n * prefix, header length larger than the file, or unknown\n * compression algorithm.\n */\nfunction parsePrefixAndHeader(bytes: Uint8Array): {\n  header: NoydbBundleHeader\n  bodyOffset: number\n  algo: CompressionAlgo\n  flags: number\n} {\n  if (!hasNoydbBundleMagic(bytes)) {\n    throw new Error(\n      `Not a .noydb bundle: missing 'NDB1' magic prefix. The first 4 bytes ` +\n        `are ${[...bytes.slice(0, 4)].map((b) => b.toString(16).padStart(2, '0')).join(' ')}.`,\n    )\n  }\n  if (bytes.length < NOYDB_BUNDLE_PREFIX_BYTES) {\n    throw new Error(\n      `Truncated .noydb bundle: file is only ${bytes.length} bytes, ` +\n        `which is less than the ${NOYDB_BUNDLE_PREFIX_BYTES}-byte fixed prefix.`,\n    )\n  }\n  const flags = bytes[4]!\n  const algo = bytes[5]!\n  if (algo !== COMPRESSION_NONE && algo !== COMPRESSION_GZIP && algo !== COMPRESSION_BROTLI) {\n    throw new Error(\n      `.noydb bundle declares unknown compression algorithm ${algo}. ` +\n        `Known values: 0 (none), 1 (gzip), 2 (brotli).`,\n    )\n  }\n  const headerLength = readUint32BE(bytes, 6)\n  const bodyOffset = NOYDB_BUNDLE_PREFIX_BYTES + headerLength\n  if (bodyOffset > bytes.length) {\n    throw new Error(\n      `Truncated .noydb bundle: declared header length ${headerLength} ` +\n        `would extend past end of file (${bytes.length} bytes).`,\n    )\n  }\n  const headerBytes = bytes.slice(NOYDB_BUNDLE_PREFIX_BYTES, bodyOffset)\n  const header = decodeBundleHeader(headerBytes)\n  return { header, bodyOffset, algo: algo as CompressionAlgo, flags }\n}\n\n/**\n * Read just the bundle header — no body decompression, no\n * integrity verification. Intended for cloud-listing UIs that want\n * to show the handle and size before downloading the full body.\n *\n * Returns the same `NoydbBundleHeader` shape as the writer, with\n * minimum-disclosure validation already applied.\n *\n * **Cost** — O(prefix + header bytes). The header is normally well\n * under 1 KB, but may grow to roughly 256 KB when a `publicEnvelope`\n * with an inline icon is present. Cloud-listing UIs that previously\n * assumed sub-KB header reads should account for this when sizing\n * range requests against bundles that may carry icons.\n */\nexport function readNoydbBundleHeader(bytes: Uint8Array): NoydbBundleHeader {\n  return parsePrefixAndHeader(bytes).header\n}\n\n/**\n * Read just the bundle's public envelope (`docs/subsystems/public-envelope.md`)\n * — without verifying the body or even parsing the dump JSON. Pass\n * the raw bundle bytes; receive the owner-curated metadata or\n * `undefined` if the bundle was written without one.\n *\n * Locale-resolves any `name` / `description` map fields when `locale`\n * is supplied. Omitting `locale` returns the raw envelope.\n *\n * Same security caveat as the on-vault read path — the public\n * envelope is **untrusted hint** in v1; the encrypted body remains\n * the source of truth for vault contents.\n */\nexport function readNoydbBundlePublicEnvelope(\n  bytes: Uint8Array,\n  opts: { readonly locale?: string } = {},\n): PublicEnvelope | undefined {\n  const header = parsePrefixAndHeader(bytes).header\n  const env = header.publicEnvelope\n  if (!env) return undefined\n  if (opts.locale === undefined) return env\n  return {\n    ...env,\n    ...(env.name !== undefined ? { name: pickLocale(env.name, opts.locale, env.defaultLocale) } : {}),\n    ...(env.description !== undefined ? { description: pickLocale(env.description, opts.locale, env.defaultLocale) } : {}),\n  }\n}\n\n/**\n * Read a full `.noydb` bundle: validate magic + header, verify\n * integrity hash over the body bytes, decompress, and return the\n * original `vault.dump()` JSON string ready to pass to\n * `vault.load()`.\n *\n * Throws `BundleIntegrityError` if the body's actual SHA-256 does\n * not match the value declared in the header. Distinct from a\n * format error so consumers can pattern-match in catch blocks\n * (corrupted-in-transit vs malformed-by-producer).\n *\n * Note: this function does NOT take a passphrase. The dump JSON\n * inside the body still contains encrypted records — restoring\n * the vault requires `vault.load(dumpJson, passphrase)`\n * after this call. Splitting the layers keeps the bundle module\n * free of crypto concerns and lets the same code feed format\n * inspectors that never decrypt anything.\n */\nexport async function readNoydbBundle(\n  bytes: Uint8Array,\n  opts: ReadNoydbBundleOptions = {},\n): Promise<NoydbBundleReadResult> {\n  const { header, bodyOffset, algo } = parsePrefixAndHeader(bytes)\n  const body = bytes.slice(bodyOffset)\n\n  // Length check before hash check — a length mismatch is the\n  // cheapest tamper signal and produces a more actionable error.\n  if (body.length !== header.bodyBytes) {\n    throw new BundleIntegrityError(\n      `body length ${body.length} does not match header.bodyBytes ` +\n        `${header.bodyBytes}. The bundle was truncated or padded ` +\n        `between write and read.`,\n    )\n  }\n\n  const actualSha = await sha256Hex(body)\n  if (actualSha !== header.bodySha256) {\n    throw new BundleIntegrityError(\n      `body sha256 ${actualSha} does not match header.bodySha256 ` +\n        `${header.bodySha256}. The bundle bytes were modified between ` +\n        `write and read — refuse to decompress.`,\n    )\n  }\n\n  let dumpBytes: Uint8Array\n  if (algo === COMPRESSION_NONE) {\n    dumpBytes = body\n  } else {\n    const streamFormat: CompressionFormat =\n      algo === COMPRESSION_BROTLI ? ('br' as CompressionFormat) : 'gzip'\n    try {\n      dumpBytes = await pumpThroughStream(body, new DecompressionStream(streamFormat))\n    } catch (err) {\n      throw new BundleIntegrityError(\n        `decompression failed: ${(err as Error).message}. The bundle ` +\n          `passed the integrity hash but the body is not valid ` +\n          `${streamFormat} data — likely a producer bug.`,\n      )\n    }\n  }\n\n  const bodyString = new TextDecoder('utf-8', { fatal: true }).decode(dumpBytes)\n\n  // #197 — when the header signaled an auto-unlock, the body is a\n  // JSON wrapper carrying the dump string + the auto-unlock blob.\n  // When absent, the body IS the raw dump JSON (pre-#197 shape).\n  if (header.autoUnlock === undefined) {\n    return { header, dumpJson: bodyString }\n  }\n  const { dump, blob } = parseAutoUnlockBody(bodyString)\n  const autoUnlock = await resolveAutoUnlock(blob, opts)\n  return { header, dumpJson: dump, autoUnlock }\n}\n"],"mappings":";;;;;;;;;;AAmDO,IAAM,qBAAqB,IAAI,WAAW,CAAC,IAAM,IAAM,IAAM,EAAI,CAAC;AAGlE,IAAM,4BAA4B;AAGlC,IAAM,8BAA8B;AASpC,IAAM,kBAAkB;AACxB,IAAM,0BAA0B;AAchC,IAAM,mBAAmB;AACzB,IAAM,mBAAmB;AACzB,IAAM,qBAAqB;AAwFlC,IAAM,sBAA2C,oBAAI,IAAI;AAAA,EACvD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAiBM,SAAS,qBACd,QACqC;AACrC,MAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,UAAM,IAAI;AAAA,MACR,mDAAmD,WAAW,OAAO,SAAS,OAAO,MAAM;AAAA,IAC7F;AAAA,EACF;AAIA,aAAW,OAAO,OAAO,KAAK,MAAM,GAAG;AACrC,QAAI,CAAC,oBAAoB,IAAI,GAAG,GAAG;AACjC,YAAM,IAAI;AAAA,QACR,gDAAgD,GAAG,kDAE9C,CAAC,GAAG,mBAAmB,EAAE,KAAK,IAAI,CAAC;AAAA,MAC1C;AAAA,IACF;AAAA,EACF;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,eAAe,MAAM,YAAY,EAAE,eAAe,MAAM,6BAA6B;AAChG,UAAM,IAAI;AAAA,MACR,8CAA8C,2BAA2B,SAChE,OAAO,EAAE,eAAe,CAAC,CAAC;AAAA,IAErC;AAAA,EACF;AACA,MAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,CAAC,2BAA2B,KAAK,EAAE,QAAQ,CAAC,GAAG;AACpF,UAAM,IAAI;AAAA,MACR,iFACS,OAAO,EAAE,QAAQ,MAAM,WAAW,IAAI,EAAE,QAAQ,CAAC,MAAM,OAAO,EAAE,QAAQ,CAAC,CAAC;AAAA,IACrF;AAAA,EACF;AACA,MAAI,OAAO,EAAE,WAAW,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,IAAI,GAAG;AACjG,UAAM,IAAI;AAAA,MACR,sEACS,OAAO,EAAE,WAAW,CAAC,CAAC;AAAA,IACjC;AAAA,EACF;AACA,MAAI,OAAO,EAAE,YAAY,MAAM,YAAY,CAAC,iBAAiB,KAAK,EAAE,YAAY,CAAC,GAAG;AAClF,UAAM,IAAI;AAAA,MACR,oFACS,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY,CAAC,CAAC;AAAA,IACjG;AAAA,EACF;AACA,MAAI,EAAE,gBAAgB,MAAM,QAAW;AACrC,UAAM,MAAM,EAAE,gBAAgB;AAC9B,QAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,MAAM,QAAQ,GAAG,GAAG;AACjE,YAAM,IAAI;AAAA,QACR,+EAA+E,OAAO,GAAG;AAAA,MAC3F;AAAA,IACF;AACA,UAAM,IAAI;AACV,QAAI,EAAE,eAAe,MAAM,GAAG;AAC5B,YAAM,IAAI;AAAA,QACR,oEAAoE,OAAO,EAAE,eAAe,CAAC,CAAC;AAAA,MAChG;AAAA,IACF;AACA,QAAI,OAAO,EAAE,SAAS,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,SAAS,CAAC,KAAK,EAAE,SAAS,IAAI,GAAG;AAC3F,YAAM,IAAI;AAAA,QACR,+EAA+E,OAAO,EAAE,SAAS,CAAC,CAAC;AAAA,MACrG;AAAA,IACF;AAAA,EACF;AACA,MAAI,EAAE,YAAY,MAAM,QAAW;AACjC,QAAI,EAAE,YAAY,MAAM,cAAc,EAAE,YAAY,MAAM,UAAU;AAClE,YAAM,MAAM,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY;AAChG,YAAM,IAAI;AAAA,QACR,oFAAoF,GAAG;AAAA,MACzF;AAAA,IACF;AAAA,EACF;AACA,MAAI,EAAE,YAAY,MAAM,QAAW;AACjC,QAAI,EAAE,YAAY,MAAM,cAAc,EAAE,YAAY,MAAM,uBAAuB;AAC/E,YAAM,MAAM,OAAO,EAAE,YAAY,MAAM,WAAW,IAAI,EAAE,YAAY,CAAC,MAAM,OAAO,EAAE,YAAY;AAChG,YAAM,IAAI;AAAA,QACR,iGAAiG,GAAG;AAAA,MACtG;AAAA,IACF;AAAA,EACF;AACA,MAAI,EAAE,cAAc,MAAM,QAAW;AACnC,UAAM,KAAK,EAAE,cAAc;AAC3B,QAAI,OAAO,QAAQ,OAAO,OAAO,YAAY,MAAM,QAAQ,EAAE,GAAG;AAC9D,YAAM,IAAI,MAAM,6EAA6E,OAAO,EAAE,GAAG;AAAA,IAC3G;AACA,UAAM,IAAI;AACV,QAAI,EAAE,GAAG,MAAM,GAAG;AAChB,YAAM,IAAI,MAAM,sDAAsD,OAAO,EAAE,GAAG,CAAC,CAAC,GAAG;AAAA,IACzF;AACA,QAAI,EAAE,KAAK,MAAM,0BAA0B;AACzC,YAAM,IAAI,MAAM,+EAA+E,OAAO,EAAE,KAAK,CAAC,CAAC,GAAG;AAAA,IACpH;AACA,QAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,EAAE,QAAQ,EAAE,WAAW,GAAG;AAC/D,YAAM,IAAI,MAAM,4EAA4E,OAAO,EAAE,QAAQ,CAAC,CAAC,GAAG;AAAA,IACpH;AAAA,EACF;AAIA,QAAM,cAAc,EAAE,YAAY,MAAM;AACxC,QAAM,UAAU,EAAE,cAAc,MAAM;AACtC,MAAI,WAAW,CAAC,aAAa;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,eAAe,CAAC,SAAS;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAIA,MAAI,eAAe,EAAE,YAAY,MAAM,QAAW;AAChD,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACF;AAOO,SAAS,mBAAmB,QAAuC;AACxE,uBAAqB,MAAM;AAK3B,QAAM,OAAO,KAAK,UAAU;AAAA,IAC1B,eAAe,OAAO;AAAA,IACtB,QAAQ,OAAO;AAAA,IACf,WAAW,OAAO;AAAA,IAClB,YAAY,OAAO;AAAA,IACnB,GAAI,OAAO,mBAAmB,SAAY,EAAE,gBAAgB,OAAO,eAAe,IAAI,CAAC;AAAA,IACvF,GAAI,OAAO,eAAe,SAAY,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC;AAAA,IAC3E,GAAI,OAAO,eAAe,SAAY,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC;AAAA,IAC3E,GAAI,OAAO,iBAAiB,SAAY,EAAE,cAAc,OAAO,aAAa,IAAI,CAAC;AAAA,EACnF,CAAC;AACD,SAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AACtC;AAMO,SAAS,mBAAmB,OAAsC;AACvE,QAAM,OAAO,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,KAAK;AACnE,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,2CAA4C,IAAc,OAAO;AAAA,IACnE;AAAA,EACF;AACA,uBAAqB,MAAM;AAC3B,SAAO;AACT;AAQO,SAAS,aAAa,OAAmB,QAAwB;AACtE,UACG,MAAM,MAAM,KAAM,OAAO,MACzB,MAAM,SAAS,CAAC,KAAM,OACtB,MAAM,SAAS,CAAC,KAAM,KACvB,MAAM,SAAS,CAAC;AAEpB;AAMO,SAAS,cAAc,OAAmB,QAAgB,OAAqB;AACpF,QAAM,MAAM,IAAK,UAAU,KAAM;AACjC,QAAM,SAAS,CAAC,IAAK,UAAU,KAAM;AACrC,QAAM,SAAS,CAAC,IAAK,UAAU,IAAK;AACpC,QAAM,SAAS,CAAC,IAAI,QAAQ;AAC9B;AAOO,SAAS,oBAAoB,OAA4B;AAC9D,MAAI,MAAM,SAAS,mBAAmB,OAAQ,QAAO;AACrD,WAAS,IAAI,GAAG,IAAI,mBAAmB,QAAQ,KAAK;AAClD,QAAI,MAAM,CAAC,MAAM,mBAAmB,CAAC,EAAG,QAAO;AAAA,EACjD;AACA,SAAO;AACT;;;ACpBA,SAAS,kBAAkB,GAA2D;AACpF,SAAO,OAAO;AAAA,IACZ,OAAO,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,cAAuB,MAAM,CAAC,CAAC;AAAA,EACnF;AACF;AAYA,SAAS,oBAAoB,MAA4D;AACvF,QAAM,MAAM;AAAA,IACV,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EACP,EAAE,OAAO,OAAK,MAAM,MAAS,EAAE;AAC/B,MAAI,QAAQ,EAAG,QAAO;AACtB,MAAI,MAAM,GAAG;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,MAAI,KAAK,oBAAoB,QAAW;AACtC,WAAO,EAAE,MAAM,YAAY,SAAS,KAAK,gBAAgB,QAAQ;AAAA,EACnE;AACA,MAAI,KAAK,oBAAoB,QAAW;AACtC,WAAO,EAAE,MAAM,YAAY,SAAS,kBAAkB,KAAK,gBAAgB,OAAO,EAAE;AAAA,EACtF;AACA,MAAI,KAAK,sBAAsB,QAAW;AACxC,QAAI,KAAK,kBAAkB,SAAS,oBAAoB;AACtD,YAAM,UAA0C,CAAC;AACjD,YAAM,QAAuC,CAAC;AAC9C,iBAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,kBAAkB,OAAO,GAAG;AAC5E,gBAAQ,MAAM,IAAI,MAAM;AACxB,cAAM,MAAM,IAAI,MAAM;AAAA,MACxB;AACA,aAAO,EAAE,MAAM,oBAAoB,UAAU,KAAK,kBAAkB,UAAU,SAAS,MAAM;AAAA,IAC/F;AACA,WAAO,EAAE,MAAM,eAAe,UAAU,KAAK,kBAAkB,UAAU,SAAS,KAAK,kBAAkB,QAAQ;AAAA,EACnH;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU,KAAK,kBAAmB;AAAA,IAClC,SAAS,kBAAkB,KAAK,kBAAmB,OAAO;AAAA,EAC5D;AACF;AAoBA,SAAS,0BACP,MACA,YAC8B;AAC9B,MAAI,eAAe,KAAM,QAAO;AAEhC,QAAM,cAAmC,oBAAI,IAAI,CAAC,cAAc,YAAY,KAAK,CAAC;AAGlF,aAAW,CAAC,QAAQ,IAAI,KAAK,OAAO,QAAQ,WAAW,OAAO,GAAG;AAC/D,QAAI,CAAC,YAAY,IAAI,KAAK,IAAI,GAAG;AAC/B,YAAM,IAAI;AAAA,QACR,0CAA0C,MAAM,2BAA2B,KAAK,IAAI;AAAA,MAGtF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,WAAW,SAAS,YAAY;AAElC,UAAM,SAAS,KAAK,iBAAiB,UAAU,KAAK,iBAAiB;AACrE,QAAI,WAAW,oBAAoB;AACjC,YAAM,IAAI;AAAA,QACR;AAAA,MAKF;AAAA,IACF;AACA,UAAMA,aAAY,OAAO,KAAK,WAAW,OAAO,EAAE;AAClD,QAAIA,eAAc,GAAG;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,MAAI,WAAW,SAAS,oBAAoB;AAC1C,UAAM,WAAW,WAAW;AAC5B,QAAI,aAAa,UAAa,OAAQ,SAA6B,yBAAyB,cACrF,OAAQ,SAA6B,qBAAqB,YAAY;AAC3E,YAAM,IAAI;AAAA,QACR;AAAA,MAGF;AAAA,IACF;AACA,UAAM,QAAQ,WAAW;AACzB,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,MAAM,uEAAkE;AAAA,IACpF;AACA,eAAW,UAAU,OAAO,KAAK,WAAW,OAAO,GAAG;AACpD,YAAM,OAAO,MAAM,MAAM;AACzB,UAAI,SAAS,QAAW;AACtB,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM;AAAA,QAC1D;AAAA,MACF;AACA,UAAI,KAAK,MAAM,GAAG;AAChB,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM,8BAA8B,OAAO,KAAK,CAAC,CAAC;AAAA,QACtG;AAAA,MACF;AACA,UAAI,OAAO,KAAK,QAAQ,YAAY,KAAK,IAAI,WAAW,GAAG;AACzD,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM;AAAA,QAC1D;AAAA,MACF;AACA,UAAI,KAAK,QAAQ,mBAAmB;AAClC,cAAM,IAAI;AAAA,UACR,kDAAkD,MAAM,4DAA4D,OAAO,KAAK,GAAG,CAAC;AAAA,QACtI;AAAA,MACF;AAAA,IAIF;AACA,UAAMA,aAAY,OAAO,KAAK,WAAW,OAAO,EAAE;AAClD,QAAIA,eAAc,GAAG;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,iBAAiB,KAAK,mBAAmB,QAAQ,KAAK,mBAAmB;AAC/E,MAAI,mBAAmB,eAAe;AACpC,UAAM,IAAI;AAAA,MACR,kIAC+C,OAAO,cAAc,CAAC;AAAA,IACvE;AAAA,EACF;AACA,MAAI,WAAW,aAAa,QAAW;AACrC,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,QAAM,YAAY,OAAO,KAAK,WAAW,OAAO,EAAE;AAClD,MAAI,cAAc,GAAG;AACnB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAOA,eAAe,uBACb,UACA,YACyB;AACzB,MAAI,WAAW,SAAS,YAAY;AAClC,WAAO;AAAA,MACL,oBAAoB;AAAA,MACpB,MAAM;AAAA,MACN,aAAa;AAAA,QACX,MAAM;AAAA,QACN,SAAS,EAAE,GAAG,WAAW,QAAQ;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAEA,QAAM,WAAW,WAAW;AAC5B,MAAI,aAAa,QAAW;AAC1B,UAAM,IAAI,MAAM,uDAAkD;AAAA,EACpE;AACA,QAAM,gBAAuD,CAAC;AAC9D,QAAM,UAAU,IAAI,YAAY;AAEhC,MAAI,WAAW,SAAS,oBAAoB;AAC1C,UAAM,kBAAkB;AACxB,UAAM,QAAQ,WAAW;AACzB,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI,MAAM,uEAAkE;AAAA,IACpF;AACA,eAAW,CAAC,QAAQ,IAAI,KAAK,OAAO,QAAQ,WAAW,OAAO,GAAG;AAC/D,YAAM,OAAO,MAAM,MAAM;AACzB,YAAM,SAAS,MAAM,gBAAgB,iBAAiB,QAAQ,OAAO,KAAK,KAAK,GAAG,IAAI;AACtF,oBAAc,MAAM,IAAI;AAAA,QACtB,KAAK,KAAK;AAAA;AAAA,QACV,QAAQ,cAAc,MAAM;AAAA,QAC5B,KAAK;AAAA,QACL,MAAM,KAAK;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAAA,EACF,OAAO;AAEL,UAAM,aAAa;AACnB,eAAW,CAAC,QAAQ,IAAI,KAAK,OAAO,QAAQ,WAAW,OAAO,GAAG;AAC/D,YAAM,SAAS,MAAM,WAAW,KAAK,QAAQ,OAAO,KAAK,KAAK,CAAC;AAC/D,oBAAc,MAAM,IAAI;AAAA,QACtB,KAAK,WAAW;AAAA,QAChB,QAAQ,cAAc,MAAM;AAAA,QAC5B,KAAK;AAAA,QACL,MAAM,KAAK;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,oBAAoB;AAAA,IACpB,MAAM;AAAA,IACN,aAAa,EAAE,MAAM,UAAU,SAAS,cAAc;AAAA,EACxD;AACF;AAOA,SAAS,oBAAoB,YAA2E;AACtG,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,UAAU;AAAA,EAChC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,+EACG,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,IACpD;AAAA,EACF;AACA,MAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AACjD,UAAM,IAAI,qBAAqB,sCAAsC;AAAA,EACvE;AACA,QAAM,MAAM;AACZ,MAAI,IAAI,oBAAoB,MAAM,GAAG;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,IAAI,MAAM,MAAM,UAAU;AACnC,UAAM,IAAI,qBAAqB,kDAAkD;AAAA,EACnF;AACA,QAAM,OAAO,IAAI,aAAa;AAC9B,MAAI,OAAO,SAAS,YAAY,SAAS,MAAM;AAC7C,UAAM,IAAI,qBAAqB,4CAA4C;AAAA,EAC7E;AACA,QAAM,UAAU;AAChB,QAAM,OAAO,QAAQ,MAAM;AAC3B,MAAI,SAAS,cAAc,SAAS,UAAU;AAC5C,UAAM,IAAI;AAAA,MACR,oCAAoC,OAAO,IAAI,CAAC;AAAA,IAClD;AAAA,EACF;AACA,SAAO;AAAA,IACL,MAAM,IAAI,MAAM;AAAA,IAChB;AAAA,EACF;AACF;AA4BO,SAAS,+BACd,UACA,MACwB;AACxB,SAAO,EAAE,oBAAoB,GAAG,MAAM,UAAU,eAAe,KAAK;AACtE;AAEO,SAAS,4BACd,YAC6C;AAC7C,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,UAAU;AAAA,EAChC,SAAS,KAAK;AACZ,UAAM,IAAI;AAAA,MACR,wFACG,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,IACpD;AAAA,EACF;AACA,MAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AACjD,UAAM,IAAI,qBAAqB,+CAA+C;AAAA,EAChF;AACA,QAAM,MAAM;AACZ,MAAI,IAAI,oBAAoB,MAAM,GAAG;AACnC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,OAAO,IAAI,MAAM,MAAM,UAAU;AACnC,UAAM,IAAI,qBAAqB,2DAA2D;AAAA,EAC5F;AACA,QAAM,OAAO,IAAI,eAAe;AAChC,MAAI,OAAO,SAAS,YAAY,SAAS,MAAM;AAC7C,UAAM,IAAI,qBAAqB,uDAAuD;AAAA,EACxF;AACA,QAAM,IAAI;AACV,MAAI,EAAE,GAAG,MAAM,KAAK,EAAE,KAAK,MAAM,4BAC1B,OAAO,EAAE,QAAQ,MAAM,YAAY,OAAO,EAAE,SAAS,MAAM,UAAU;AAC1E,UAAM,IAAI,qBAAqB,uDAAuD;AAAA,EACxF;AACA,SAAO,EAAE,MAAM,IAAI,MAAM,GAAG,KAAkC;AAChE;AAMA,SAAS,eAAe,OAAgD;AACtE,MAAI,OAAO,UAAU,SAAU,QAAO,EAAE,MAAM,cAAc,OAAO,MAAM;AACzE,SAAO;AACT;AAwBA,eAAe,kBACb,MACA,MACmF;AACnF,MAAI,KAAK,SAAS,YAAY;AAC5B,UAAM,WAA2C,CAAC;AAClD,eAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAC1D,eAAS,MAAM,IAAI,eAAe,KAAK;AAAA,IACzC;AACA,WAAO,EAAE,MAAM,YAAY,SAAS,SAAS;AAAA,EAC/C;AAEA,MAAI,KAAK,qBAAqB,UAAa,KAAK,iBAAiB,WAAW,GAAG;AAI7E,UAAM,cAA8C,CAAC;AACrD,eAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAC1D,kBAAY,MAAM,IAAI,EAAE,MAAM,MAAM,QAAQ,cAAc,OAAO,MAAM,OAAO;AAAA,IAChF;AACA,WAAO,EAAE,MAAM,UAAU,SAAS,YAAY;AAAA,EAChD;AACA,QAAM,iBAAiB,oBAAI,IAAgC;AAC3D,aAAW,KAAK,KAAK,iBAAkB,gBAAe,IAAI,EAAE,IAAI,CAAC;AAEjE,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,cAA8C,CAAC;AAErD,aAAW,CAAC,QAAQ,KAAK,KAAK,OAAO,QAAQ,KAAK,OAAO,GAAG;AAC1D,UAAM,WAA+B,MAAM,QAAQ;AACnD,UAAM,WAAW,eAAe,IAAI,MAAM,GAAG;AAC7C,QAAI,aAAa,QAAW;AAC1B,UAAI,KAAK,iCAAiC,MAAM;AAE9C,YAAI,SAAwB;AAC5B,mBAAW,aAAa,KAAK,kBAAkB;AAC7C,cAAI;AACF,kBAAMC,kBAAiB,MAAM,UAAU,OAAO,cAAc,MAAM,MAAM,CAAC;AACzE,qBAAS,QAAQ,OAAOA,eAAc;AACtC;AAAA,UACF,QAAQ;AAAA,UAER;AAAA,QACF;AACA,YAAI,WAAW,MAAM;AACnB,cAAI,MAAM,SAAS,QAAW;AAG5B,wBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,MAAM,OAAO;AAC5D;AAAA,UACF;AACA,gBAAM,IAAI,wBAAwB,QAAQ,MAAM,GAAG;AAAA,QACrD;AACA,oBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,OAAO;AACtD;AAAA,MACF;AACA,UAAI,MAAM,SAAS,QAAW;AAI5B,oBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,MAAM,OAAO;AAC5D;AAAA,MACF;AACA,YAAM,IAAI,wBAAwB,QAAQ,MAAM,GAAG;AAAA,IACrD;AACA,UAAM,iBAAiB,MAAM,SAAS,OAAO,cAAc,MAAM,MAAM,CAAC;AACxE,gBAAY,MAAM,IAAI,EAAE,MAAM,UAAU,OAAO,QAAQ,OAAO,cAAc,EAAE;AAAA,EAChF;AACA,SAAO,EAAE,MAAM,UAAU,SAAS,YAAY;AAChD;AAEA,SAAS,cAAc,OAA2B;AAChD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,IAAK,WAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAC9E,SAAO,KAAK,MAAM;AACpB;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,SAAS,KAAK,GAAG;AACvB,QAAM,MAAM,IAAI,WAAW,OAAO,MAAM;AACxC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,IAAK,KAAI,CAAC,IAAI,OAAO,WAAW,CAAC;AACpE,SAAO;AACT;AAWA,IAAI,sBAAsC;AAC1C,SAAS,4BAAqC;AAC5C,MAAI,wBAAwB,KAAM,QAAO;AACzC,MAAI;AACF,QAAI,kBAAkB,IAAyB;AAC/C,0BAAsB;AAAA,EACxB,QAAQ;AACN,0BAAsB;AAAA,EACxB;AACA,SAAO;AACT;AAGO,SAAS,0BAAgC;AAC9C,wBAAsB;AACxB;AASA,SAAS,kBAAkB,QAGzB;AACA,QAAM,SAAS,UAAU;AACzB,MAAI,WAAW,OAAQ,QAAO,EAAE,QAAQ,kBAAkB,cAAc,KAAK;AAC7E,MAAI,WAAW,OAAQ,QAAO,EAAE,QAAQ,kBAAkB,cAAc,OAAO;AAC/E,MAAI,WAAW,UAAU;AACvB,QAAI,CAAC,0BAA0B,GAAG;AAChC,YAAM,IAAI;AAAA,QACR;AAAA,MAIF;AAAA,IACF;AACA,WAAO,EAAE,QAAQ,oBAAoB,cAAc,KAA0B;AAAA,EAC/E;AAEA,MAAI,0BAA0B,GAAG;AAC/B,WAAO,EAAE,QAAQ,oBAAoB,cAAc,KAA0B;AAAA,EAC/E;AACA,SAAO,EAAE,QAAQ,kBAAkB,cAAc,OAAO;AAC1D;AAcA,eAAe,kBACb,OACA,QACqB;AACrB,QAAM,WAAW,IAAI,KAAK,CAAC,KAAiB,CAAC,EAAE,OAAO,EAAE,YAAY,MAAM;AAC1E,QAAM,SAAS,SAAS,UAAU;AAClC,QAAM,SAAuB,CAAC;AAC9B,MAAI,QAAQ;AACZ,aAAS;AACP,UAAM,EAAE,OAAO,KAAK,IAAI,MAAM,OAAO,KAAK;AAC1C,QAAI,KAAM;AACV,QAAI,OAAO;AACT,aAAO,KAAK,KAAmB;AAC/B,eAAS,MAAM;AAAA,IACjB;AAAA,EACF;AACA,QAAM,MAAM,IAAI,WAAW,KAAK;AAChC,MAAI,SAAS;AACb,aAAW,SAAS,QAAQ;AAC1B,QAAI,IAAI,OAAO,MAAM;AACrB,cAAU,MAAM;AAAA,EAClB;AACA,SAAO;AACT;AAWA,eAAe,UAAU,OAAoC;AAS3D,QAAM,OAAO,IAAI,WAAW,MAAM,MAAM;AACxC,OAAK,IAAI,KAAK;AACd,QAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,QAAM,OAAO,IAAI,WAAW,MAAM;AAClC,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,WAAO,KAAK,CAAC,EAAG,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAOA,SAAS,YAAY,OAA0C;AAC7D,MAAI,QAAQ;AACZ,aAAW,KAAK,MAAO,UAAS,EAAE;AAClC,QAAM,MAAM,IAAI,WAAW,KAAK;AAChC,MAAI,SAAS;AACb,aAAW,KAAK,OAAO;AACrB,QAAI,IAAI,GAAG,MAAM;AACjB,cAAU,EAAE;AAAA,EACd;AACA,SAAO;AACT;AAeA,eAAe,qBACb,OACA,UACA,MACiB;AACjB,MAAI,KAAK,qBAAqB,UAAa,KAAK,eAAe,QAAW;AACxE,WAAO;AAAA,EACT;AAEA,QAAM,aACJ,KAAK,cAAc;AAAA,IACjB;AAAA,MACE,IAAI,MAAM;AAAA,MACV,YAAY,KAAK;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AAAA,EACF;AAEF,QAAM,oBAAoB,MAAM,MAAM,6BAA6B,UAAU;AAE7E,QAAM,SAAS,KAAK,MAAM,QAAQ;AAClC,SAAO,WAAW;AAClB,SAAO,KAAK,UAAU,MAAM;AAC9B;AAiBA,SAAS,kBACP,UACA,MACQ;AACR,QAAM,oBAAoB,KAAK,cAC3B,IAAI,IAAI,KAAK,WAAW,IACxB;AACJ,QAAM,UACJ,KAAK,UAAU,SAAY,IAAI,KAAK,KAAK,KAAK,EAAE,QAAQ,IAAI;AAC9D,MAAI,sBAAsB,QAAQ,YAAY,KAAM,QAAO;AAO3D,QAAM,SAAS,KAAK,MAAM,QAAQ;AAKlC,MAAI,OAAO,eAAe,OAAO,OAAO,gBAAgB,UAAU;AAChE,UAAM,OAAgD,CAAC;AACvD,eAAW,CAAC,MAAM,OAAO,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AAChE,UAAI,qBAAqB,CAAC,kBAAkB,IAAI,IAAI,EAAG;AACvD,UAAI,YAAY,MAAM;AACpB,aAAK,IAAI,IAAI;AACb;AAAA,MACF;AACA,YAAM,OAAgC,CAAC;AACvC,iBAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,OAAO,GAAG;AAC/C,cAAM,QAAQ,IAAI,MAAM,IAAI,KAAK,IAAI,GAAG,EAAE,QAAQ,IAAI;AACtD,YAAI,OAAO,SAAS,KAAK,KAAK,SAAS,SAAS;AAC9C,eAAK,EAAE,IAAI;AAAA,QACb;AAAA,MACF;AACA,WAAK,IAAI,IAAI;AAAA,IACf;AACA,WAAO,cAAc;AAAA,EACvB;AAEA,SAAO,KAAK,UAAU,MAAM;AAC9B;AAcA,eAAe,sBACb,OACA,UACA,MACiB;AACjB,MAAI,KAAK,UAAU,UAAa,KAAK,eAAe,QAAW;AAC7D,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,KAAK,MAAM,QAAQ;AAIlC,MAAI,CAAC,OAAO,eAAe,OAAO,OAAO,gBAAgB,UAAU;AACjE,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,KAAK;AACzB,QAAM,QAAQ,KAAK;AAEnB,QAAM,OAA4C,CAAC;AACnD,aAAW,CAAC,UAAU,OAAO,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACpE,UAAM,OAA4B,CAAC;AACnC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,OAAO,GAAG;AAI/C,UAAI,gBAAgB,QAAW;AAC7B,cAAM,OAAO,IAAI,SAAS;AAC1B,YAAI,OAAO,YAAa;AAAA,MAC1B;AAIA,UAAI,UAAU,QAAW;AACvB,cAAM,SAAS,MAAM,MAAM;AAAA,UACzB;AAAA,UACA;AAAA,QACF;AACA,cAAM,KAAK,MAAM,MAAM,QAAQ,EAAE,YAAY,UAAU,GAAG,CAAC;AAC3D,YAAI,CAAC,GAAI;AAAA,MACX;AACA,WAAK,EAAE,IAAI;AAAA,IACb;AACA,SAAK,QAAQ,IAAI;AAAA,EACnB;AACA,SAAO,cAAc;AACrB,SAAO,KAAK,UAAU,MAAM;AAC9B;AAgCA,eAAsB,wBAAwB,MAMtB;AACtB,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,WAAW;AAC3D,QAAM,EAAE,QAAQ,aAAa,IAAI,kBAAkB,KAAK,WAAW;AACnE,QAAM,OAAO,iBAAiB,OAC1B,YACA,MAAM,kBAAkB,WAAW,IAAI,kBAAkB,YAAY,CAAC;AAC1E,QAAM,aAAa,MAAM,UAAU,IAAI;AAEvC,QAAM,SAA4B;AAAA,IAChC,eAAe;AAAA,IACf,QAAQ,KAAK;AAAA,IACb,WAAW,KAAK;AAAA,IAChB;AAAA,IACA,GAAI,KAAK,cAAc,mBAAmB,SAAY,EAAE,gBAAgB,KAAK,aAAa,eAAe,IAAI,CAAC;AAAA,IAC9G,GAAI,KAAK,cAAc,eAAe,SAAY,EAAE,YAAY,KAAK,aAAa,WAAW,IAAI,CAAC;AAAA,IAClG,GAAI,KAAK,cAAc,eAAe,SAAY,EAAE,YAAY,KAAK,aAAa,WAAW,IAAI,CAAC;AAAA,IAClG,GAAI,KAAK,cAAc,iBAAiB,SAAY,EAAE,cAAc,KAAK,aAAa,aAAa,IAAI,CAAC;AAAA,EAC1G;AACA,QAAM,cAAc,mBAAmB,MAAM;AAE7C,QAAM,SAAS,IAAI,WAAW,yBAAyB;AACvD,SAAO,IAAI,oBAAoB,CAAC;AAChC,SAAO,CAAC,KAAK,iBAAiB,OAAO,IAAI,mBAAmB;AAC5D,SAAO,CAAC,IAAI;AACZ,gBAAc,QAAQ,GAAG,YAAY,MAAM;AAE3C,SAAO,YAAY,CAAC,QAAQ,aAAa,IAAI,CAAC;AAChD;AAEA,eAAsB,iBACpB,OACA,OAAgC,CAAC,GACZ;AACrB,MAAI,KAAK,qBAAqB,UAAa,KAAK,eAAe,QAAW;AACxE,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAIA,QAAM,uBAAuB,oBAAoB,IAAI;AACrD,QAAM,iBAAiB,0BAA0B,MAAM,oBAAoB;AAE3E,QAAM,SAAS,MAAM,MAAM,gBAAgB;AAC3C,QAAM,WAAW,MAAM,MAAM,KAAK;AAKlC,QAAM,UAAU,MAAM,qBAAqB,OAAO,UAAU,IAAI;AAKhE,QAAM,gBAAgB,MAAM,sBAAsB,OAAO,SAAS,IAAI;AACtE,QAAM,WAAW,kBAAkB,eAAe,IAAI;AAKtD,QAAM,cAAc,yBAAyB,OACzC,WACA,KAAK,UAAU,MAAM,uBAAuB,UAAU,oBAAoB,CAAC;AAO/E,QAAM,iBAAiB,MAAM,MAAM,kBAAkB;AAErD,SAAO,wBAAwB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc;AAAA,MACZ,GAAI,mBAAmB,SAAY,EAAE,eAAe,IAAI,CAAC;AAAA,MACzD,GAAI,mBAAmB,OAAO,EAAE,YAAY,eAAe,IAAI,CAAC;AAAA,IAClE;AAAA,EACF,CAAC;AACH;AAYA,SAAS,qBAAqB,OAK5B;AACA,MAAI,CAAC,oBAAoB,KAAK,GAAG;AAC/B,UAAM,IAAI;AAAA,MACR,2EACS,CAAC,GAAG,MAAM,MAAM,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC;AAAA,IACvF;AAAA,EACF;AACA,MAAI,MAAM,SAAS,2BAA2B;AAC5C,UAAM,IAAI;AAAA,MACR,yCAAyC,MAAM,MAAM,kCACzB,yBAAyB;AAAA,IACvD;AAAA,EACF;AACA,QAAM,QAAQ,MAAM,CAAC;AACrB,QAAM,OAAO,MAAM,CAAC;AACpB,MAAI,SAAS,oBAAoB,SAAS,oBAAoB,SAAS,oBAAoB;AACzF,UAAM,IAAI;AAAA,MACR,wDAAwD,IAAI;AAAA,IAE9D;AAAA,EACF;AACA,QAAM,eAAe,aAAa,OAAO,CAAC;AAC1C,QAAM,aAAa,4BAA4B;AAC/C,MAAI,aAAa,MAAM,QAAQ;AAC7B,UAAM,IAAI;AAAA,MACR,mDAAmD,YAAY,mCAC3B,MAAM,MAAM;AAAA,IAClD;AAAA,EACF;AACA,QAAM,cAAc,MAAM,MAAM,2BAA2B,UAAU;AACrE,QAAM,SAAS,mBAAmB,WAAW;AAC7C,SAAO,EAAE,QAAQ,YAAY,MAA+B,MAAM;AACpE;AAgBO,SAAS,sBAAsB,OAAsC;AAC1E,SAAO,qBAAqB,KAAK,EAAE;AACrC;AAeO,SAAS,8BACd,OACA,OAAqC,CAAC,GACV;AAC5B,QAAM,SAAS,qBAAqB,KAAK,EAAE;AAC3C,QAAM,MAAM,OAAO;AACnB,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI,KAAK,WAAW,OAAW,QAAO;AACtC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAI,IAAI,SAAS,SAAY,EAAE,MAAM,WAAW,IAAI,MAAM,KAAK,QAAQ,IAAI,aAAa,EAAE,IAAI,CAAC;AAAA,IAC/F,GAAI,IAAI,gBAAgB,SAAY,EAAE,aAAa,WAAW,IAAI,aAAa,KAAK,QAAQ,IAAI,aAAa,EAAE,IAAI,CAAC;AAAA,EACtH;AACF;AAoBA,eAAsB,gBACpB,OACA,OAA+B,CAAC,GACA;AAChC,QAAM,EAAE,QAAQ,YAAY,KAAK,IAAI,qBAAqB,KAAK;AAC/D,QAAM,OAAO,MAAM,MAAM,UAAU;AAInC,MAAI,KAAK,WAAW,OAAO,WAAW;AACpC,UAAM,IAAI;AAAA,MACR,eAAe,KAAK,MAAM,oCACrB,OAAO,SAAS;AAAA,IAEvB;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,UAAU,IAAI;AACtC,MAAI,cAAc,OAAO,YAAY;AACnC,UAAM,IAAI;AAAA,MACR,eAAe,SAAS,qCACnB,OAAO,UAAU;AAAA,IAExB;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,SAAS,kBAAkB;AAC7B,gBAAY;AAAA,EACd,OAAO;AACL,UAAM,eACJ,SAAS,qBAAsB,OAA6B;AAC9D,QAAI;AACF,kBAAY,MAAM,kBAAkB,MAAM,IAAI,oBAAoB,YAAY,CAAC;AAAA,IACjF,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR,yBAA0B,IAAc,OAAO,oEAE1C,YAAY;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAa,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,SAAS;AAK7E,MAAI,OAAO,eAAe,QAAW;AACnC,WAAO,EAAE,QAAQ,UAAU,WAAW;AAAA,EACxC;AACA,QAAM,EAAE,MAAM,KAAK,IAAI,oBAAoB,UAAU;AACrD,QAAM,aAAa,MAAM,kBAAkB,MAAM,IAAI;AACrD,SAAO,EAAE,QAAQ,UAAU,MAAM,WAAW;AAC9C;","names":["userCount","plaintextBytes"]}