@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (331) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-LORZ2EZU.js +17 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +9 -6
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +18 -15
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-KMJQ66MF.js → backup-NGRJ46SH.js} +9 -6
  13. package/dist/{backup-KMJQ66MF.js.map → backup-NGRJ46SH.js.map} +1 -1
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +8 -5
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +18 -15
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-PwBGkhpe.d.ts → bundle-B-P3_Jvb.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +20 -17
  24. package/dist/{chunk-Y22T3KQE.js → chunk-2KSPDSWI.js} +3 -3
  25. package/dist/{chunk-ITNUCOXM.js → chunk-2N4MUSF3.js} +7 -5
  26. package/dist/{chunk-ITNUCOXM.js.map → chunk-2N4MUSF3.js.map} +1 -1
  27. package/dist/{chunk-5N6CZTCY.js → chunk-2ZORB5RW.js} +3 -3
  28. package/dist/{chunk-FISN7WE4.js → chunk-3UDPDRUC.js} +4 -4
  29. package/dist/{chunk-TA66UMI4.js → chunk-46YGCU6Z.js} +2 -2
  30. package/dist/{chunk-IPB7FTQX.js → chunk-4DZGZ7II.js} +8 -6
  31. package/dist/{chunk-IPB7FTQX.js.map → chunk-4DZGZ7II.js.map} +1 -1
  32. package/dist/{chunk-SKF73JOP.js → chunk-4NMFWOS2.js} +3 -3
  33. package/dist/{chunk-IAGBDSCS.js → chunk-4NZCZUGL.js} +2 -2
  34. package/dist/{chunk-DFEMTNPJ.js → chunk-55HDKLI3.js} +8 -6
  35. package/dist/{chunk-DFEMTNPJ.js.map → chunk-55HDKLI3.js.map} +1 -1
  36. package/dist/{chunk-WWGT2MDV.js → chunk-5A6TC3RQ.js} +5 -5
  37. package/dist/{chunk-5O3AOPDT.js → chunk-5EZAJEES.js} +151 -432
  38. package/dist/chunk-5EZAJEES.js.map +1 -0
  39. package/dist/{chunk-62QYRORB.js → chunk-5Z3RNFJC.js} +3 -3
  40. package/dist/{chunk-M6OST55S.js → chunk-5ZPWVNL3.js} +2 -2
  41. package/dist/{chunk-PSMV73A5.js → chunk-6CNLU4TO.js} +5 -5
  42. package/dist/{chunk-QZISFCVG.js → chunk-6DP5HBQD.js} +11 -9
  43. package/dist/{chunk-QZISFCVG.js.map → chunk-6DP5HBQD.js.map} +1 -1
  44. package/dist/{chunk-AIWULCUO.js → chunk-6EVZXETK.js} +5 -3
  45. package/dist/{chunk-AIWULCUO.js.map → chunk-6EVZXETK.js.map} +1 -1
  46. package/dist/{chunk-GYGWYIOZ.js → chunk-6I2YPLAG.js} +7 -5
  47. package/dist/{chunk-GYGWYIOZ.js.map → chunk-6I2YPLAG.js.map} +1 -1
  48. package/dist/{chunk-SRB2XEWB.js → chunk-6OQ7NKMZ.js} +6 -4
  49. package/dist/{chunk-SRB2XEWB.js.map → chunk-6OQ7NKMZ.js.map} +1 -1
  50. package/dist/chunk-6RASM2J4.js +25 -0
  51. package/dist/chunk-6RASM2J4.js.map +1 -0
  52. package/dist/{chunk-5LUY7UTV.js → chunk-7IP75FP2.js} +2 -2
  53. package/dist/{chunk-HCIPRAGS.js → chunk-7MHVHGQZ.js} +2 -2
  54. package/dist/{chunk-PSHOXR6C.js → chunk-ADBMJDBW.js} +370 -83
  55. package/dist/chunk-ADBMJDBW.js.map +1 -0
  56. package/dist/{chunk-ZCGAHGUS.js → chunk-AY4P6PHN.js} +2 -2
  57. package/dist/{chunk-ZYUC53LT.js → chunk-BLZRNHMG.js} +51 -2
  58. package/dist/{chunk-ZYUC53LT.js.map → chunk-BLZRNHMG.js.map} +1 -1
  59. package/dist/{chunk-KXGNJJXB.js → chunk-BV7KNFJY.js} +7 -7
  60. package/dist/{chunk-BG3SPSR4.js → chunk-BYW7EU5L.js} +2 -2
  61. package/dist/{chunk-NF5JWERG.js → chunk-BZIWKN74.js} +2 -2
  62. package/dist/chunk-CPAROOKP.js +124 -0
  63. package/dist/chunk-CPAROOKP.js.map +1 -0
  64. package/dist/{chunk-AQTBSL7R.js → chunk-CVXLJIAV.js} +5 -5
  65. package/dist/{chunk-CWPPNPOH.js → chunk-DA34OEZU.js} +2 -2
  66. package/dist/{chunk-RUEKROOS.js → chunk-DGUR3CC4.js} +2 -2
  67. package/dist/{chunk-LXQT4WMP.js → chunk-DHIN36UC.js} +8 -6
  68. package/dist/{chunk-LXQT4WMP.js.map → chunk-DHIN36UC.js.map} +1 -1
  69. package/dist/{chunk-JNUWZ6D3.js → chunk-E4YJUNPU.js} +7 -5
  70. package/dist/{chunk-JNUWZ6D3.js.map → chunk-E4YJUNPU.js.map} +1 -1
  71. package/dist/{chunk-UV5MFVO3.js → chunk-FELHYKIO.js} +2 -2
  72. package/dist/{chunk-KVOXU4T5.js → chunk-HGQG3VIP.js} +2 -2
  73. package/dist/{chunk-XXYIOFUB.js → chunk-IIK7W3AN.js} +5 -5
  74. package/dist/{chunk-IGUYVGGI.js → chunk-IJW6K6UX.js} +3 -3
  75. package/dist/{chunk-76722EBH.js → chunk-IWVWB7BZ.js} +11 -9
  76. package/dist/{chunk-76722EBH.js.map → chunk-IWVWB7BZ.js.map} +1 -1
  77. package/dist/{chunk-QHJW5EXU.js → chunk-JFYIHLU3.js} +2 -2
  78. package/dist/chunk-L4IRFTIF.js +424 -0
  79. package/dist/chunk-L4IRFTIF.js.map +1 -0
  80. package/dist/{chunk-SM3AVUHC.js → chunk-LES2Z7B4.js} +2 -2
  81. package/dist/{chunk-IUEN57TV.js → chunk-LHYQE3BP.js} +4 -4
  82. package/dist/{chunk-V7RWQRG7.js → chunk-LKBLAUOB.js} +3 -3
  83. package/dist/{chunk-UDRIWL7A.js → chunk-MCJAUQGE.js} +3 -3
  84. package/dist/chunk-MIOLJG2R.js +105 -0
  85. package/dist/chunk-MIOLJG2R.js.map +1 -0
  86. package/dist/{chunk-UIU2THRG.js → chunk-N2FP26NH.js} +5 -5
  87. package/dist/{chunk-DGDI2D4M.js → chunk-NIA5VQ7G.js} +8 -6
  88. package/dist/{chunk-DGDI2D4M.js.map → chunk-NIA5VQ7G.js.map} +1 -1
  89. package/dist/{chunk-CMGR4ZEW.js → chunk-NMRKAGHE.js} +2 -2
  90. package/dist/{chunk-LV7M27WM.js → chunk-NPVICKZE.js} +4 -4
  91. package/dist/chunk-NTHKOFVL.js +195 -0
  92. package/dist/chunk-NTHKOFVL.js.map +1 -0
  93. package/dist/{chunk-IO6GRPT6.js → chunk-O5DNEXQC.js} +2 -2
  94. package/dist/{chunk-5TDJ56JE.js → chunk-OCDUQUAP.js} +1 -1
  95. package/dist/chunk-OCDUQUAP.js.map +1 -0
  96. package/dist/{chunk-UPJNJGGA.js → chunk-OVIVYAQL.js} +10 -8
  97. package/dist/{chunk-UPJNJGGA.js.map → chunk-OVIVYAQL.js.map} +1 -1
  98. package/dist/{chunk-I2NOIW44.js → chunk-P6DN5QU7.js} +8 -6
  99. package/dist/{chunk-I2NOIW44.js.map → chunk-P6DN5QU7.js.map} +1 -1
  100. package/dist/{chunk-Q7SS3IME.js → chunk-P6UXDALK.js} +3 -3
  101. package/dist/{chunk-UAG5KWVA.js → chunk-PJDK2PPQ.js} +3 -3
  102. package/dist/{chunk-AXRXJTE2.js → chunk-PUNJAEY6.js} +5 -5
  103. package/dist/{chunk-LFLXAY2W.js → chunk-PYWW4KLO.js} +9 -7
  104. package/dist/{chunk-LFLXAY2W.js.map → chunk-PYWW4KLO.js.map} +1 -1
  105. package/dist/{chunk-M2YKN37S.js → chunk-QLQS5A7X.js} +2 -2
  106. package/dist/{chunk-I3TIKTJO.js → chunk-TICO2I2O.js} +2 -2
  107. package/dist/{chunk-3YFXJ3ZP.js → chunk-U5DWHU3S.js} +2 -2
  108. package/dist/{chunk-26LGBE4T.js → chunk-U6OM4E67.js} +6 -4
  109. package/dist/{chunk-26LGBE4T.js.map → chunk-U6OM4E67.js.map} +1 -1
  110. package/dist/{chunk-TEILUWOI.js → chunk-UP6EMMDI.js} +10 -10
  111. package/dist/{chunk-SMXWYP24.js → chunk-VBYVKOMJ.js} +3 -3
  112. package/dist/{chunk-AZAOEIKW.js → chunk-VHEEU4ZO.js} +2 -2
  113. package/dist/{chunk-MD3Y6J3L.js → chunk-WVIIJPTJ.js} +7 -5
  114. package/dist/{chunk-MD3Y6J3L.js.map → chunk-WVIIJPTJ.js.map} +1 -1
  115. package/dist/{chunk-EIZUR2XW.js → chunk-XRE4JOEO.js} +2 -2
  116. package/dist/{chunk-VFQGRQIH.js → chunk-YDP2SA5K.js} +7 -5
  117. package/dist/{chunk-VFQGRQIH.js.map → chunk-YDP2SA5K.js.map} +1 -1
  118. package/dist/{chunk-5R3ERCDH.js → chunk-YN66UOXT.js} +3 -3
  119. package/dist/{chunk-IELYAOGG.js → chunk-YTIAXSUE.js} +4 -4
  120. package/dist/{chunk-TJYQIGAP.js → chunk-Z44OY24N.js} +3 -3
  121. package/dist/{chunk-VCTFO5CO.js → chunk-ZAWD6O46.js} +2 -2
  122. package/dist/{chunk-PKHL44ER.js → chunk-ZD4D7UM6.js} +2 -2
  123. package/dist/{chunk-MTMJVJ5W.js → chunk-ZFME46HJ.js} +5 -3
  124. package/dist/chunk-ZFME46HJ.js.map +1 -0
  125. package/dist/{chunk-LMTH2RM6.js → chunk-ZNI3RTFV.js} +2 -2
  126. package/dist/{chunk-WYSO2NIH.js → chunk-ZRDYQZYH.js} +2 -2
  127. package/dist/classified/index.d.ts +17 -0
  128. package/dist/classified/index.js +38 -0
  129. package/dist/collection-facade-XPVRHBGU.js +36 -0
  130. package/dist/consent/index.d.ts +3 -3
  131. package/dist/consent/index.js +7 -4
  132. package/dist/consent/index.js.map +1 -1
  133. package/dist/crdt/index.d.ts +3 -3
  134. package/dist/delegation-4HUHUE6T.js +22 -0
  135. package/dist/derivations/index.d.ts +4 -4
  136. package/dist/derivations/index.js +9 -6
  137. package/dist/describe/index.d.ts +1 -1
  138. package/dist/{describe-Ccd1hS7a.d.ts → describe-0tiXAjoO.d.ts} +10 -0
  139. package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-B_s9DUWa.d.ts} +1 -1
  140. package/dist/{enclave-UL5LW66V.js → enclave-IS7HZSQ7.js} +34 -18
  141. package/dist/executor-ANFBCOYA.js +9 -0
  142. package/dist/executor-IKT47SH2.js +9 -0
  143. package/dist/executor-OIECZXTV.js +18 -0
  144. package/dist/export-accessible-NZWCFZHL.js +20 -0
  145. package/dist/extract-partition-52LX6RQH.js +33 -0
  146. package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-DDKRG2MX.js} +14 -14
  147. package/dist/fanout-sidecar-DDKRG2MX.js.map +1 -0
  148. package/dist/forget/index.js +7 -4
  149. package/dist/forget/index.js.map +1 -1
  150. package/dist/guards/index.d.ts +4 -4
  151. package/dist/guards/index.js +3 -3
  152. package/dist/{hash-CdSr06sm.d.ts → hash-CWxn7sf6.d.ts} +7 -2
  153. package/dist/history/index.d.ts +4 -4
  154. package/dist/history/index.js +9 -6
  155. package/dist/history/index.js.map +1 -1
  156. package/dist/i18n/index.d.ts +3 -3
  157. package/dist/i18n/index.js +11 -8
  158. package/dist/i18n/index.js.map +1 -1
  159. package/dist/in/index.d.ts +2 -2
  160. package/dist/{index-_6At2_9_.d.ts → index-D05bV0_g.d.ts} +245 -5
  161. package/dist/{index-CGLLRtFc.d.ts → index-DTMUUwwW.d.ts} +3 -3
  162. package/dist/index.d.ts +30 -14
  163. package/dist/index.js +136 -75
  164. package/dist/index.js.map +1 -1
  165. package/dist/indexing/index.d.ts +3 -3
  166. package/dist/indexing/index.js +4 -4
  167. package/dist/issue-F4SYPJGJ.js +16 -0
  168. package/dist/kernel/index.d.ts +3 -3
  169. package/dist/kernel/index.js +10 -7
  170. package/dist/{ledger-RYI35CDS.js → ledger-YUAJUNFP.js} +9 -6
  171. package/dist/liberate-6LDETRIW.js +21 -0
  172. package/dist/materialized-views/index.d.ts +4 -4
  173. package/dist/materialized-views/index.js +13 -10
  174. package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-Qr_4HjP6.d.ts} +1 -1
  175. package/dist/noydb-WQNBVJIG.js +54 -0
  176. package/dist/on/index.d.ts +2 -2
  177. package/dist/on/index.js +7 -4
  178. package/dist/overlay-views/index.d.ts +4 -4
  179. package/dist/overlay-views/index.js +4 -4
  180. package/dist/periods/index.d.ts +3 -3
  181. package/dist/periods/index.js +10 -7
  182. package/dist/pod/index.d.ts +3 -3
  183. package/dist/pod/index.js +9 -6
  184. package/dist/{policy-IXK4FVXP.js → policy-LRE6HTO5.js} +5 -5
  185. package/dist/portability/index.d.ts +3 -3
  186. package/dist/portability/index.js +8 -8
  187. package/dist/{public-envelope-JHDQCPSX.js → public-envelope-WVRRUVAJ.js} +4 -4
  188. package/dist/query/index.d.ts +2 -2
  189. package/dist/query/index.js +6 -6
  190. package/dist/registry-6HZ2JSQ7.js +14 -0
  191. package/dist/registry-GPXZQ7DT.js +9 -0
  192. package/dist/registry-USYD2ECC.js +16 -0
  193. package/dist/request-withdrawal-54V4L6CR.js +28 -0
  194. package/dist/reveal-WSUHXCSS.js +37 -0
  195. package/dist/reveal-WSUHXCSS.js.map +1 -0
  196. package/dist/revoke-JV26NTQD.js +21 -0
  197. package/dist/sealed-record/index.d.ts +3 -3
  198. package/dist/sealed-record/index.js +10 -7
  199. package/dist/sealed-record/index.js.map +1 -1
  200. package/dist/session/index.d.ts +4 -4
  201. package/dist/session/index.js +7 -4
  202. package/dist/session/index.js.map +1 -1
  203. package/dist/shadow/index.d.ts +3 -3
  204. package/dist/shadow/index.js +2 -2
  205. package/dist/{signer-PNKTBVF7.js → signer-AE56T5HE.js} +8 -5
  206. package/dist/snapshots/index.d.ts +3 -3
  207. package/dist/snapshots/index.js +8 -5
  208. package/dist/snapshots/index.js.map +1 -1
  209. package/dist/{stale-3JWHNDIY.js → stale-LX4BR43V.js} +2 -2
  210. package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-KTRIC6PR.js} +3 -3
  211. package/dist/sync/index.d.ts +2 -2
  212. package/dist/sync/index.js +7 -4
  213. package/dist/sync/index.js.map +1 -1
  214. package/dist/team/index.d.ts +3 -3
  215. package/dist/team/index.js +13 -10
  216. package/dist/tiers/index.d.ts +2 -2
  217. package/dist/tiers/index.js +8 -5
  218. package/dist/to/index.d.ts +2 -2
  219. package/dist/to/index.js +1 -1
  220. package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C1Pyz8nH.d.ts} +1 -1
  221. package/dist/tx/index.d.ts +3 -3
  222. package/dist/tx/index.js +3 -3
  223. package/dist/ui/index.d.ts +1 -1
  224. package/dist/util/index.js +1 -1
  225. package/dist/validators-Dzn7T-3x.d.ts +62 -0
  226. package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-Fn0WeY2w.d.ts} +1 -1
  227. package/dist/verify-SW6J63Q2.js +135 -0
  228. package/dist/verify-SW6J63Q2.js.map +1 -0
  229. package/dist/with/index.d.ts +3 -3
  230. package/dist/with/index.js +9 -6
  231. package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-NKxs6iK5.d.ts} +1 -1
  232. package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-B4fPYHwV.d.ts} +1 -1
  233. package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-Bl0sRFEt.d.ts} +1 -1
  234. package/dist/withdraw-accessible-DGA4V2TP.js +25 -0
  235. package/dist/withdraw-accessible-DGA4V2TP.js.map +1 -0
  236. package/package.json +7 -3
  237. package/dist/api-RW3KP7WU.js +0 -14
  238. package/dist/chunk-5O3AOPDT.js.map +0 -1
  239. package/dist/chunk-5TDJ56JE.js.map +0 -1
  240. package/dist/chunk-MTMJVJ5W.js.map +0 -1
  241. package/dist/chunk-PSHOXR6C.js.map +0 -1
  242. package/dist/collection-facade-GQAOGJP2.js +0 -33
  243. package/dist/delegation-UL5HKLER.js +0 -19
  244. package/dist/executor-2FWQRLMG.js +0 -15
  245. package/dist/executor-QZ7BXICW.js +0 -9
  246. package/dist/executor-Z5ZLJVTV.js +0 -9
  247. package/dist/export-accessible-KRV5W4GH.js +0 -17
  248. package/dist/extract-partition-GLKBOXFQ.js +0 -30
  249. package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
  250. package/dist/issue-Y6UVIR43.js +0 -13
  251. package/dist/liberate-CRPZEV7O.js +0 -18
  252. package/dist/noydb-LDEBLNHY.js +0 -50
  253. package/dist/registry-45RJNWGU.js +0 -9
  254. package/dist/registry-5GRV5VXI.js +0 -13
  255. package/dist/registry-WEUCHBO4.js +0 -11
  256. package/dist/request-withdrawal-GBPH2FDY.js +0 -25
  257. package/dist/revoke-TUFRGI6S.js +0 -18
  258. package/dist/withdraw-accessible-FFS46EOD.js +0 -22
  259. /package/dist/{api-RW3KP7WU.js.map → api-LORZ2EZU.js.map} +0 -0
  260. /package/dist/{chunk-Y22T3KQE.js.map → chunk-2KSPDSWI.js.map} +0 -0
  261. /package/dist/{chunk-5N6CZTCY.js.map → chunk-2ZORB5RW.js.map} +0 -0
  262. /package/dist/{chunk-FISN7WE4.js.map → chunk-3UDPDRUC.js.map} +0 -0
  263. /package/dist/{chunk-TA66UMI4.js.map → chunk-46YGCU6Z.js.map} +0 -0
  264. /package/dist/{chunk-SKF73JOP.js.map → chunk-4NMFWOS2.js.map} +0 -0
  265. /package/dist/{chunk-IAGBDSCS.js.map → chunk-4NZCZUGL.js.map} +0 -0
  266. /package/dist/{chunk-WWGT2MDV.js.map → chunk-5A6TC3RQ.js.map} +0 -0
  267. /package/dist/{chunk-62QYRORB.js.map → chunk-5Z3RNFJC.js.map} +0 -0
  268. /package/dist/{chunk-M6OST55S.js.map → chunk-5ZPWVNL3.js.map} +0 -0
  269. /package/dist/{chunk-PSMV73A5.js.map → chunk-6CNLU4TO.js.map} +0 -0
  270. /package/dist/{chunk-5LUY7UTV.js.map → chunk-7IP75FP2.js.map} +0 -0
  271. /package/dist/{chunk-HCIPRAGS.js.map → chunk-7MHVHGQZ.js.map} +0 -0
  272. /package/dist/{chunk-ZCGAHGUS.js.map → chunk-AY4P6PHN.js.map} +0 -0
  273. /package/dist/{chunk-KXGNJJXB.js.map → chunk-BV7KNFJY.js.map} +0 -0
  274. /package/dist/{chunk-BG3SPSR4.js.map → chunk-BYW7EU5L.js.map} +0 -0
  275. /package/dist/{chunk-NF5JWERG.js.map → chunk-BZIWKN74.js.map} +0 -0
  276. /package/dist/{chunk-AQTBSL7R.js.map → chunk-CVXLJIAV.js.map} +0 -0
  277. /package/dist/{chunk-CWPPNPOH.js.map → chunk-DA34OEZU.js.map} +0 -0
  278. /package/dist/{chunk-RUEKROOS.js.map → chunk-DGUR3CC4.js.map} +0 -0
  279. /package/dist/{chunk-UV5MFVO3.js.map → chunk-FELHYKIO.js.map} +0 -0
  280. /package/dist/{chunk-KVOXU4T5.js.map → chunk-HGQG3VIP.js.map} +0 -0
  281. /package/dist/{chunk-XXYIOFUB.js.map → chunk-IIK7W3AN.js.map} +0 -0
  282. /package/dist/{chunk-IGUYVGGI.js.map → chunk-IJW6K6UX.js.map} +0 -0
  283. /package/dist/{chunk-QHJW5EXU.js.map → chunk-JFYIHLU3.js.map} +0 -0
  284. /package/dist/{chunk-SM3AVUHC.js.map → chunk-LES2Z7B4.js.map} +0 -0
  285. /package/dist/{chunk-IUEN57TV.js.map → chunk-LHYQE3BP.js.map} +0 -0
  286. /package/dist/{chunk-V7RWQRG7.js.map → chunk-LKBLAUOB.js.map} +0 -0
  287. /package/dist/{chunk-UDRIWL7A.js.map → chunk-MCJAUQGE.js.map} +0 -0
  288. /package/dist/{chunk-UIU2THRG.js.map → chunk-N2FP26NH.js.map} +0 -0
  289. /package/dist/{chunk-CMGR4ZEW.js.map → chunk-NMRKAGHE.js.map} +0 -0
  290. /package/dist/{chunk-LV7M27WM.js.map → chunk-NPVICKZE.js.map} +0 -0
  291. /package/dist/{chunk-IO6GRPT6.js.map → chunk-O5DNEXQC.js.map} +0 -0
  292. /package/dist/{chunk-Q7SS3IME.js.map → chunk-P6UXDALK.js.map} +0 -0
  293. /package/dist/{chunk-UAG5KWVA.js.map → chunk-PJDK2PPQ.js.map} +0 -0
  294. /package/dist/{chunk-AXRXJTE2.js.map → chunk-PUNJAEY6.js.map} +0 -0
  295. /package/dist/{chunk-M2YKN37S.js.map → chunk-QLQS5A7X.js.map} +0 -0
  296. /package/dist/{chunk-I3TIKTJO.js.map → chunk-TICO2I2O.js.map} +0 -0
  297. /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U5DWHU3S.js.map} +0 -0
  298. /package/dist/{chunk-TEILUWOI.js.map → chunk-UP6EMMDI.js.map} +0 -0
  299. /package/dist/{chunk-SMXWYP24.js.map → chunk-VBYVKOMJ.js.map} +0 -0
  300. /package/dist/{chunk-AZAOEIKW.js.map → chunk-VHEEU4ZO.js.map} +0 -0
  301. /package/dist/{chunk-EIZUR2XW.js.map → chunk-XRE4JOEO.js.map} +0 -0
  302. /package/dist/{chunk-5R3ERCDH.js.map → chunk-YN66UOXT.js.map} +0 -0
  303. /package/dist/{chunk-IELYAOGG.js.map → chunk-YTIAXSUE.js.map} +0 -0
  304. /package/dist/{chunk-TJYQIGAP.js.map → chunk-Z44OY24N.js.map} +0 -0
  305. /package/dist/{chunk-VCTFO5CO.js.map → chunk-ZAWD6O46.js.map} +0 -0
  306. /package/dist/{chunk-PKHL44ER.js.map → chunk-ZD4D7UM6.js.map} +0 -0
  307. /package/dist/{chunk-LMTH2RM6.js.map → chunk-ZNI3RTFV.js.map} +0 -0
  308. /package/dist/{chunk-WYSO2NIH.js.map → chunk-ZRDYQZYH.js.map} +0 -0
  309. /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
  310. /package/dist/{delegation-UL5HKLER.js.map → collection-facade-XPVRHBGU.js.map} +0 -0
  311. /package/dist/{enclave-UL5LW66V.js.map → delegation-4HUHUE6T.js.map} +0 -0
  312. /package/dist/{executor-2FWQRLMG.js.map → enclave-IS7HZSQ7.js.map} +0 -0
  313. /package/dist/{executor-QZ7BXICW.js.map → executor-ANFBCOYA.js.map} +0 -0
  314. /package/dist/{executor-Z5ZLJVTV.js.map → executor-IKT47SH2.js.map} +0 -0
  315. /package/dist/{export-accessible-KRV5W4GH.js.map → executor-OIECZXTV.js.map} +0 -0
  316. /package/dist/{extract-partition-GLKBOXFQ.js.map → export-accessible-NZWCFZHL.js.map} +0 -0
  317. /package/dist/{issue-Y6UVIR43.js.map → extract-partition-52LX6RQH.js.map} +0 -0
  318. /package/dist/{ledger-RYI35CDS.js.map → issue-F4SYPJGJ.js.map} +0 -0
  319. /package/dist/{liberate-CRPZEV7O.js.map → ledger-YUAJUNFP.js.map} +0 -0
  320. /package/dist/{noydb-LDEBLNHY.js.map → liberate-6LDETRIW.js.map} +0 -0
  321. /package/dist/{policy-IXK4FVXP.js.map → noydb-WQNBVJIG.js.map} +0 -0
  322. /package/dist/{public-envelope-JHDQCPSX.js.map → policy-LRE6HTO5.js.map} +0 -0
  323. /package/dist/{registry-45RJNWGU.js.map → public-envelope-WVRRUVAJ.js.map} +0 -0
  324. /package/dist/{registry-5GRV5VXI.js.map → registry-6HZ2JSQ7.js.map} +0 -0
  325. /package/dist/{registry-WEUCHBO4.js.map → registry-GPXZQ7DT.js.map} +0 -0
  326. /package/dist/{request-withdrawal-GBPH2FDY.js.map → registry-USYD2ECC.js.map} +0 -0
  327. /package/dist/{revoke-TUFRGI6S.js.map → request-withdrawal-54V4L6CR.js.map} +0 -0
  328. /package/dist/{signer-PNKTBVF7.js.map → revoke-JV26NTQD.js.map} +0 -0
  329. /package/dist/{stale-3JWHNDIY.js.map → signer-AE56T5HE.js.map} +0 -0
  330. /package/dist/{withdraw-accessible-FFS46EOD.js.map → stale-LX4BR43V.js.map} +0 -0
  331. /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-KTRIC6PR.js.map} +0 -0
@@ -0,0 +1,105 @@
1
+ import {
2
+ ClassifiedConfigError,
3
+ ClassifiedNotEnabledError
4
+ } from "./chunk-BLZRNHMG.js";
5
+
6
+ // src/with-shape/classified/descriptor.ts
7
+ function isClassifiedFieldSpec(x) {
8
+ return typeof x === "object" && x !== null && x._noydbClassified === true;
9
+ }
10
+ function isClassifiedGroup(x) {
11
+ return typeof x === "object" && x !== null && x._noydbClassifiedGroup === true;
12
+ }
13
+
14
+ // src/with-shape/classified/errors.ts
15
+ var ClassifiedNeverStoredError = class extends Error {
16
+ constructor(collection, field) {
17
+ super(`Field "${field}" in collection "${collection}" is classified storage:'never' (e.g. a CVC) and must not be persisted. Validate it at capture and drop it before put().`);
18
+ this.collection = collection;
19
+ this.field = field;
20
+ this.name = "ClassifiedNeverStoredError";
21
+ }
22
+ collection;
23
+ field;
24
+ };
25
+ var ClassifiedValidationError = class extends Error {
26
+ constructor(collection, field, detail) {
27
+ super(`Classified field "${field}" in collection "${collection}" failed validation: ${detail}`);
28
+ this.collection = collection;
29
+ this.field = field;
30
+ this.name = "ClassifiedValidationError";
31
+ }
32
+ collection;
33
+ field;
34
+ };
35
+
36
+ // src/with-shape/classified/resolve.ts
37
+ function resolveClassifiedFields(collection, config) {
38
+ const byField = {};
39
+ const claim = (field, spec) => {
40
+ if (byField[field] !== void 0) {
41
+ throw new ClassifiedConfigError(
42
+ collection,
43
+ `field "${field}" is claimed twice \u2014 storage forms are mutually exclusive per field (R5): a field is digest-only OR recoverable OR never, exactly one`
44
+ );
45
+ }
46
+ byField[field] = spec;
47
+ };
48
+ for (const [key, entry] of Object.entries(config)) {
49
+ if (isClassifiedGroup(entry)) {
50
+ for (const [field, spec] of Object.entries(entry.members)) claim(field, spec);
51
+ } else {
52
+ claim(key, entry);
53
+ }
54
+ }
55
+ const riderComputed = {};
56
+ for (const [field, spec] of Object.entries(byField)) {
57
+ for (const [name, rider] of Object.entries(spec.riders ?? {})) {
58
+ const companion = `${field}_${name}`;
59
+ if (byField[companion] !== void 0 || riderComputed[companion] !== void 0) {
60
+ throw new ClassifiedConfigError(collection, `rider companion "${companion}" collides with a declared field`);
61
+ }
62
+ riderComputed[companion] = (record) => record[field] === void 0 ? void 0 : rider(record[field]);
63
+ }
64
+ }
65
+ return { byField, riderComputed };
66
+ }
67
+
68
+ // src/with-shape/classified/write.ts
69
+ function enforceClassifiedWrite(record, byField, collection) {
70
+ for (const [field, spec] of Object.entries(byField)) {
71
+ const value = record[field];
72
+ if (value === void 0) continue;
73
+ if (value === null && spec.storage === "digest-only") continue;
74
+ if (spec.storage === "never") throw new ClassifiedNeverStoredError(collection, field);
75
+ const problem = spec.validate?.(value) ?? null;
76
+ if (problem !== null) throw new ClassifiedValidationError(collection, field, problem);
77
+ }
78
+ }
79
+
80
+ // src/with-shape/classified/strategy.ts
81
+ var NO_CLASSIFIED = {
82
+ async reveal() {
83
+ throw new ClassifiedNotEnabledError();
84
+ },
85
+ async verify() {
86
+ throw new ClassifiedNotEnabledError();
87
+ },
88
+ async verifyText() {
89
+ throw new ClassifiedNotEnabledError();
90
+ },
91
+ async matchGroup() {
92
+ throw new ClassifiedNotEnabledError();
93
+ }
94
+ };
95
+
96
+ export {
97
+ isClassifiedFieldSpec,
98
+ isClassifiedGroup,
99
+ ClassifiedNeverStoredError,
100
+ ClassifiedValidationError,
101
+ resolveClassifiedFields,
102
+ enforceClassifiedWrite,
103
+ NO_CLASSIFIED
104
+ };
105
+ //# sourceMappingURL=chunk-MIOLJG2R.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-shape/classified/descriptor.ts","../src/with-shape/classified/errors.ts","../src/with-shape/classified/resolve.ts","../src/with-shape/classified/write.ts","../src/with-shape/classified/strategy.ts"],"sourcesContent":["/**\n * Classified fields — behavioral sensitive-field descriptors (stage 1).\n * Design: docs/superpowers/specs/2026-07-04-classified-fields-design.md\n * Law: open on write, declarative on read — read-side behavior is this\n * closed vocabulary; there are no read-side callbacks.\n * @module\n */\n\nexport type ClassifiedStorage = 'recoverable' | 'never' | 'digest-only'\n\nexport type ClassifiedList =\n | { readonly kind: 'omit' }\n | { readonly kind: 'mask'; readonly pattern: string }\n | { readonly kind: 'rider'; readonly rider: string }\n\nexport type ClassifiedRider = (value: unknown) => unknown\n\nexport interface ClassifiedFieldSpec {\n readonly _noydbClassified: true\n readonly preset: string\n readonly storage: ClassifiedStorage\n readonly list: ClassifiedList\n readonly sensitivity: 'pii' | 'secret'\n /** Write-time safe projections; companion field name is `<field>_<rider>`. */\n readonly riders?: Record<string, ClassifiedRider>\n /** Write-time validator: error message, or null when valid. */\n readonly validate?: (value: unknown) => string | null\n /** Digest-only verify policy (stage 2). Mode both sides normalize under. */\n readonly verifyNormalize?: 'password' | 'secret-answer'\n /** Decorate ok:true verdicts with mustRotate after this many days (I1). */\n readonly rotateDays?: number\n /** Refuse reuse of the last N values on rotate (cap 8, spec Q4). */\n readonly notLastN?: number\n /** Member of the collection's matchGroup (secretAnswer preset). */\n readonly verifyGroupMember?: true\n}\n\nexport interface ClassifiedGroup {\n readonly _noydbClassifiedGroup: true\n readonly preset: string\n /** member record-field name -> spec (differential per-member policy). */\n readonly members: Record<string, ClassifiedFieldSpec>\n}\n\nexport type ClassifiedEntry = ClassifiedFieldSpec | ClassifiedGroup\n\nexport function isClassifiedFieldSpec(x: unknown): x is ClassifiedFieldSpec {\n return typeof x === 'object' && x !== null\n && (x as { _noydbClassified?: unknown })._noydbClassified === true\n}\n\nexport function isClassifiedGroup(x: unknown): x is ClassifiedGroup {\n return typeof x === 'object' && x !== null\n && (x as { _noydbClassifiedGroup?: unknown })._noydbClassifiedGroup === true\n}\n","/**\n * Configuration/write errors for classified fields. @module\n *\n * `ClassifiedConfigError` / `ClassifiedRevealError` moved to `kernel/errors.ts`\n * (stage 2) so `kernel/enclave/classify/*` can throw them without importing\n * with-*. Re-exported here under the same names so existing import paths\n * keep working.\n */\nexport { ClassifiedConfigError, ClassifiedRevealError, ClassifiedVerifyError, ClassifiedRotationError } from '../../kernel/errors.js'\n\nexport class ClassifiedNeverStoredError extends Error {\n constructor(public readonly collection: string, public readonly field: string) {\n super(`Field \"${field}\" in collection \"${collection}\" is classified storage:'never' `\n + `(e.g. a CVC) and must not be persisted. Validate it at capture and drop it before put().`)\n this.name = 'ClassifiedNeverStoredError'\n }\n}\n\nexport class ClassifiedValidationError extends Error {\n constructor(public readonly collection: string, public readonly field: string, detail: string) {\n super(`Classified field \"${field}\" in collection \"${collection}\" failed validation: ${detail}`)\n this.name = 'ClassifiedValidationError'\n }\n}\n","/** Flatten a classifiedFields config into a per-field map + rider computed entries. @module */\n\nimport { isClassifiedGroup, type ClassifiedEntry, type ClassifiedFieldSpec } from './descriptor.js'\nimport { ClassifiedConfigError } from './errors.js'\n\nexport type { ClassifiedEntry, ClassifiedFieldSpec, ClassifiedGroup, ClassifiedList } from './descriptor.js'\nexport { ClassifiedConfigError } from './errors.js'\n\nexport interface ResolvedClassified {\n readonly byField: Record<string, ClassifiedFieldSpec>\n readonly riderComputed: Record<string, (record: Record<string, unknown>) => unknown>\n}\n\nexport function resolveClassifiedFields(\n collection: string,\n config: Record<string, ClassifiedEntry>,\n): ResolvedClassified {\n const byField: Record<string, ClassifiedFieldSpec> = {}\n const claim = (field: string, spec: ClassifiedFieldSpec): void => {\n if (byField[field] !== undefined) {\n throw new ClassifiedConfigError(collection,\n `field \"${field}\" is claimed twice — storage forms are mutually exclusive per field (R5): ` +\n `a field is digest-only OR recoverable OR never, exactly one`)\n }\n byField[field] = spec\n }\n for (const [key, entry] of Object.entries(config)) {\n if (isClassifiedGroup(entry)) {\n for (const [field, spec] of Object.entries(entry.members)) claim(field, spec)\n } else {\n claim(key, entry)\n }\n }\n const riderComputed: Record<string, (record: Record<string, unknown>) => unknown> = {}\n for (const [field, spec] of Object.entries(byField)) {\n for (const [name, rider] of Object.entries(spec.riders ?? {})) {\n const companion = `${field}_${name}`\n if (byField[companion] !== undefined || riderComputed[companion] !== undefined) {\n throw new ClassifiedConfigError(collection, `rider companion \"${companion}\" collides with a declared field`)\n }\n riderComputed[companion] = (record) =>\n record[field] === undefined ? undefined : rider(record[field])\n }\n }\n return { byField, riderComputed }\n}\n","/** Write-path enforcement: storage:'never' rejection + preset validators.\n * Runs BEFORE riders/computed and BEFORE schema validation. Pure. @module */\n\nimport type { ClassifiedFieldSpec } from './descriptor.js'\nimport { ClassifiedNeverStoredError, ClassifiedValidationError } from './errors.js'\n\nexport function enforceClassifiedWrite(\n record: Record<string, unknown>,\n byField: Record<string, ClassifiedFieldSpec>,\n collection: string,\n): void {\n for (const [field, spec] of Object.entries(byField)) {\n const value = record[field]\n if (value === undefined) continue\n if (value === null && spec.storage === 'digest-only') continue // explicit clear (C6 branch 3)\n if (spec.storage === 'never') throw new ClassifiedNeverStoredError(collection, field)\n const problem = spec.validate?.(value) ?? null\n if (problem !== null) throw new ClassifiedValidationError(collection, field, problem)\n }\n}\n","/** The ② capability seam for classified read-egress ops (stage 1: reveal; stage 2: verify). @module */\nimport type { ClassifiedFieldSpec } from './descriptor.js'\nimport { ClassifiedNotEnabledError } from '../../kernel/errors.js'\nimport type { EncryptedEnvelope } from '../../kernel/types.js'\nimport type { EnclaveKey } from '../../kernel/enclave/index.js'\n\nexport type { ClassifiedVerdict } from '../../kernel/types.js'\nimport type { ClassifiedVerdict } from '../../kernel/types.js'\n\nexport interface ClassifiedRevealCtx {\n readonly collection: string\n readonly spec: ClassifiedFieldSpec\n /** True on an encrypted collection — false selects the plaintext-body read. */\n readonly encrypted: boolean\n readonly getEnvelope: (id: string) => Promise<EncryptedEnvelope | null>\n readonly resolveCek: (env: EncryptedEnvelope) => Promise<EnclaveKey | undefined>\n readonly getDEK: () => Promise<EnclaveKey>\n readonly onAccess?: ((op: 'reveal', id: string) => Promise<void>) | undefined\n}\n\nexport interface ClassifiedVerifyCtx {\n readonly collection: string\n readonly spec: ClassifiedFieldSpec\n readonly getEnvelope: (id: string) => Promise<EncryptedEnvelope | null> // raw envelope, NOT a decrypted view\n readonly resolveCek: (env: EncryptedEnvelope) => Promise<EnclaveKey | undefined>\n readonly getDEK: () => Promise<EnclaveKey>\n readonly now: () => number // injected (Q7)\n /** Group members resolved by the collection (matchGroup only). */\n readonly groupMembers?: ReadonlyArray<{ readonly field: string; readonly spec: ClassifiedFieldSpec }>\n readonly onAccess?: ((op: 'verify', id: string) => Promise<void>) | undefined\n}\n\nexport interface ClassifiedStrategy {\n reveal(ctx: ClassifiedRevealCtx, id: string, field: string): Promise<unknown>\n verify(ctx: ClassifiedVerifyCtx, id: string, field: string, candidate: string): Promise<ClassifiedVerdict>\n verifyText(ctx: ClassifiedVerifyCtx, id: string, field: string, candidate: string): Promise<ClassifiedVerdict>\n matchGroup(ctx: ClassifiedVerifyCtx, id: string, answers: Record<string, string>,\n opts: { readonly min: number }): Promise<{ readonly passed: boolean }>\n}\n\nexport const NO_CLASSIFIED: ClassifiedStrategy = {\n async reveal() { throw new ClassifiedNotEnabledError() },\n async verify() { throw new ClassifiedNotEnabledError() },\n async verifyText() { throw new ClassifiedNotEnabledError() },\n async matchGroup() { throw new ClassifiedNotEnabledError() },\n}\n"],"mappings":";;;;;;AA8CO,SAAS,sBAAsB,GAAsC;AAC1E,SAAO,OAAO,MAAM,YAAY,MAAM,QAChC,EAAqC,qBAAqB;AAClE;AAEO,SAAS,kBAAkB,GAAkC;AAClE,SAAO,OAAO,MAAM,YAAY,MAAM,QAChC,EAA0C,0BAA0B;AAC5E;;;AC5CO,IAAM,6BAAN,cAAyC,MAAM;AAAA,EACpD,YAA4B,YAAoC,OAAe;AAC7E,UAAM,UAAU,KAAK,oBAAoB,UAAU,0HAC2C;AAFpE;AAAoC;AAG9D,SAAK,OAAO;AAAA,EACd;AAAA,EAJ4B;AAAA,EAAoC;AAKlE;AAEO,IAAM,4BAAN,cAAwC,MAAM;AAAA,EACnD,YAA4B,YAAoC,OAAe,QAAgB;AAC7F,UAAM,qBAAqB,KAAK,oBAAoB,UAAU,wBAAwB,MAAM,EAAE;AADpE;AAAoC;AAE9D,SAAK,OAAO;AAAA,EACd;AAAA,EAH4B;AAAA,EAAoC;AAIlE;;;ACVO,SAAS,wBACd,YACA,QACoB;AACpB,QAAM,UAA+C,CAAC;AACtD,QAAM,QAAQ,CAAC,OAAe,SAAoC;AAChE,QAAI,QAAQ,KAAK,MAAM,QAAW;AAChC,YAAM,IAAI;AAAA,QAAsB;AAAA,QAC9B,UAAU,KAAK;AAAA,MAC8C;AAAA,IACjE;AACA,YAAQ,KAAK,IAAI;AAAA,EACnB;AACA,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,QAAI,kBAAkB,KAAK,GAAG;AAC5B,iBAAW,CAAC,OAAO,IAAI,KAAK,OAAO,QAAQ,MAAM,OAAO,EAAG,OAAM,OAAO,IAAI;AAAA,IAC9E,OAAO;AACL,YAAM,KAAK,KAAK;AAAA,IAClB;AAAA,EACF;AACA,QAAM,gBAA8E,CAAC;AACrF,aAAW,CAAC,OAAO,IAAI,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,eAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,GAAG;AAC7D,YAAM,YAAY,GAAG,KAAK,IAAI,IAAI;AAClC,UAAI,QAAQ,SAAS,MAAM,UAAa,cAAc,SAAS,MAAM,QAAW;AAC9E,cAAM,IAAI,sBAAsB,YAAY,oBAAoB,SAAS,kCAAkC;AAAA,MAC7G;AACA,oBAAc,SAAS,IAAI,CAAC,WAC1B,OAAO,KAAK,MAAM,SAAY,SAAY,MAAM,OAAO,KAAK,CAAC;AAAA,IACjE;AAAA,EACF;AACA,SAAO,EAAE,SAAS,cAAc;AAClC;;;ACvCO,SAAS,uBACd,QACA,SACA,YACM;AACN,aAAW,CAAC,OAAO,IAAI,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,UAAM,QAAQ,OAAO,KAAK;AAC1B,QAAI,UAAU,OAAW;AACzB,QAAI,UAAU,QAAQ,KAAK,YAAY,cAAe;AACtD,QAAI,KAAK,YAAY,QAAS,OAAM,IAAI,2BAA2B,YAAY,KAAK;AACpF,UAAM,UAAU,KAAK,WAAW,KAAK,KAAK;AAC1C,QAAI,YAAY,KAAM,OAAM,IAAI,0BAA0B,YAAY,OAAO,OAAO;AAAA,EACtF;AACF;;;ACqBO,IAAM,gBAAoC;AAAA,EAC/C,MAAM,SAAS;AAAE,UAAM,IAAI,0BAA0B;AAAA,EAAE;AAAA,EACvD,MAAM,SAAS;AAAE,UAAM,IAAI,0BAA0B;AAAA,EAAE;AAAA,EACvD,MAAM,aAAa;AAAE,UAAM,IAAI,0BAA0B;AAAA,EAAE;AAAA,EAC3D,MAAM,aAAa;AAAE,UAAM,IAAI,0BAA0B;AAAA,EAAE;AAC7D;","names":[]}
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  reducerBuilder,
3
3
  wrapMoneyReducers
4
- } from "./chunk-LV7M27WM.js";
4
+ } from "./chunk-NPVICKZE.js";
5
5
  import {
6
6
  MoneyPrecisionError,
7
7
  evaluateClause,
@@ -10,17 +10,17 @@ import {
10
10
  moneyFieldClause,
11
11
  parseToScaledInt,
12
12
  readPath
13
- } from "./chunk-M2YKN37S.js";
13
+ } from "./chunk-QLQS5A7X.js";
14
14
  import {
15
15
  applyI18nLocale
16
- } from "./chunk-5LUY7UTV.js";
16
+ } from "./chunk-7IP75FP2.js";
17
17
  import {
18
18
  CrossJoinSourceUnknownError,
19
19
  CrossJoinTooLargeError,
20
20
  DanglingReferenceError,
21
21
  JoinTooLargeError,
22
22
  ValidationError
23
- } from "./chunk-ZYUC53LT.js";
23
+ } from "./chunk-BLZRNHMG.js";
24
24
 
25
25
  // src/kernel/query/join.ts
26
26
  var DEFAULT_JOIN_MAX_ROWS = 5e4;
@@ -1934,4 +1934,4 @@ export {
1934
1934
  executePlan,
1935
1935
  ScanBuilder
1936
1936
  };
1937
- //# sourceMappingURL=chunk-UIU2THRG.js.map
1937
+ //# sourceMappingURL=chunk-N2FP26NH.js.map
@@ -1,16 +1,18 @@
1
1
  import {
2
2
  ensureCollectionDEK
3
- } from "./chunk-WWGT2MDV.js";
3
+ } from "./chunk-5A6TC3RQ.js";
4
4
  import {
5
- encrypt,
6
5
  openEnvelopeJson
7
- } from "./chunk-5O3AOPDT.js";
6
+ } from "./chunk-5EZAJEES.js";
7
+ import {
8
+ encrypt
9
+ } from "./chunk-L4IRFTIF.js";
8
10
  import {
9
11
  NOYDB_FORMAT_VERSION
10
- } from "./chunk-5TDJ56JE.js";
12
+ } from "./chunk-OCDUQUAP.js";
11
13
  import {
12
14
  PermissionDeniedError
13
- } from "./chunk-ZYUC53LT.js";
15
+ } from "./chunk-BLZRNHMG.js";
14
16
 
15
17
  // src/with-party/team/sync-credentials.ts
16
18
  var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
@@ -76,4 +78,4 @@ export {
76
78
  listCredentials,
77
79
  credentialStatus
78
80
  };
79
- //# sourceMappingURL=chunk-DGDI2D4M.js.map
81
+ //# sourceMappingURL=chunk-NIA5VQ7G.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/with-party/team/sync-credentials.ts"],"sourcesContent":["/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../kernel/types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../kernel/types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, openEnvelopeJson } from '../../kernel/enclave/index.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../../kernel/errors.js'\n\n/** The reserved collection name. Never collides with user collections. */\nexport const SYNC_CREDENTIALS_COLLECTION = '_sync_credentials'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n readonly adapterId: string\n /** OAuth token type, usually 'Bearer'. */\n readonly tokenType: string\n /** The access token. Expires at `expiresAt` if set. */\n readonly accessToken: string\n /** Long-lived refresh token for renewing the access token. */\n readonly refreshToken?: string\n /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n readonly expiresAt?: string\n /** Space-separated OAuth scopes. */\n readonly scopes?: string\n /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n // FR-6: custodian is INTENTIONALLY excluded. Sync credentials are the\n // firm's hosting/infrastructure secrets (OAuth tokens, connection strings) —\n // not the custodian's operational scope. A custodian operates the DATA but\n // must never mint or read transport credentials that could be used to\n // re-home or impersonate the firm's vault. Do NOT add 'custodian' here.\n if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n throw new PermissionDeniedError(\n `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n )\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n credential: SyncCredential,\n): Promise<void> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n const version = existing ? existing._v + 1 : 1\n\n const envelope: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: version,\n _ts: new Date().toISOString(),\n _iv: iv,\n _data: data,\n _by: keyring.userId,\n }\n\n await adapter.put(\n vault,\n SYNC_CREDENTIALS_COLLECTION,\n credential.adapterId,\n envelope,\n existing ? existing._v : undefined,\n )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<SyncCredential | null> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n if (!envelope) return null\n\n const plaintext = await openEnvelopeJson(envelope, dek)\n return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<void> {\n requireAdminAccess(keyring)\n await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n): Promise<string[]> {\n requireAdminAccess(keyring)\n return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n const credential = await getCredential(adapter, vault, keyring, adapterId)\n if (!credential) return { exists: false }\n\n const expired = credential.expiresAt\n ? Date.now() > new Date(credential.expiresAt).getTime()\n : false\n\n return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+CO,IAAM,8BAA8B;AA8B3C,SAAS,mBAAmB,SAAgC;AAM1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,iBAAiB,UAAU,GAAG;AACtD,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}
1
+ {"version":3,"sources":["../src/with-party/team/sync-credentials.ts"],"sourcesContent":["/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../kernel/types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../kernel/types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, openEnvelopeJson } from '../../kernel/enclave/index.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../../kernel/errors.js'\n\n/** The reserved collection name. Never collides with user collections. */\nexport const SYNC_CREDENTIALS_COLLECTION = '_sync_credentials'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n readonly adapterId: string\n /** OAuth token type, usually 'Bearer'. */\n readonly tokenType: string\n /** The access token. Expires at `expiresAt` if set. */\n readonly accessToken: string\n /** Long-lived refresh token for renewing the access token. */\n readonly refreshToken?: string\n /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n readonly expiresAt?: string\n /** Space-separated OAuth scopes. */\n readonly scopes?: string\n /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n // FR-6: custodian is INTENTIONALLY excluded. Sync credentials are the\n // firm's hosting/infrastructure secrets (OAuth tokens, connection strings) —\n // not the custodian's operational scope. A custodian operates the DATA but\n // must never mint or read transport credentials that could be used to\n // re-home or impersonate the firm's vault. Do NOT add 'custodian' here.\n if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n throw new PermissionDeniedError(\n `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n )\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n credential: SyncCredential,\n): Promise<void> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n const version = existing ? existing._v + 1 : 1\n\n const envelope: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: version,\n _ts: new Date().toISOString(),\n _iv: iv,\n _data: data,\n _by: keyring.userId,\n }\n\n await adapter.put(\n vault,\n SYNC_CREDENTIALS_COLLECTION,\n credential.adapterId,\n envelope,\n existing ? existing._v : undefined,\n )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<SyncCredential | null> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n if (!envelope) return null\n\n const plaintext = await openEnvelopeJson(envelope, dek)\n return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<void> {\n requireAdminAccess(keyring)\n await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n): Promise<string[]> {\n requireAdminAccess(keyring)\n return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n const credential = await getCredential(adapter, vault, keyring, adapterId)\n if (!credential) return { exists: false }\n\n const expired = credential.expiresAt\n ? Date.now() > new Date(credential.expiresAt).getTime()\n : false\n\n return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+CO,IAAM,8BAA8B;AA8B3C,SAAS,mBAAmB,SAAgC;AAM1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,iBAAiB,UAAU,GAAG;AACtD,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  OverlayIdMismatchError
3
- } from "./chunk-ZYUC53LT.js";
3
+ } from "./chunk-BLZRNHMG.js";
4
4
 
5
5
  // src/with-formula/overlay-views/virtual-collection.ts
6
6
  var OverlayedCollection = class {
@@ -206,4 +206,4 @@ var OverlayedCollection = class {
206
206
  export {
207
207
  OverlayedCollection
208
208
  };
209
- //# sourceMappingURL=chunk-CMGR4ZEW.js.map
209
+ //# sourceMappingURL=chunk-NMRKAGHE.js.map
@@ -4,13 +4,13 @@ import {
4
4
  parseToScaledInt,
5
5
  readPath,
6
6
  scaleForCurrency
7
- } from "./chunk-M2YKN37S.js";
7
+ } from "./chunk-QLQS5A7X.js";
8
8
  import {
9
9
  applyI18nLocale
10
- } from "./chunk-5LUY7UTV.js";
10
+ } from "./chunk-7IP75FP2.js";
11
11
  import {
12
12
  GroupCardinalityError
13
- } from "./chunk-ZYUC53LT.js";
13
+ } from "./chunk-BLZRNHMG.js";
14
14
 
15
15
  // src/with-lookup/aggregate/reducers.ts
16
16
  function count(opts) {
@@ -699,4 +699,4 @@ export {
699
699
  groupAndReduce,
700
700
  GroupedAggregation
701
701
  };
702
- //# sourceMappingURL=chunk-LV7M27WM.js.map
702
+ //# sourceMappingURL=chunk-NPVICKZE.js.map
@@ -0,0 +1,195 @@
1
+ // src/with-shape/classified/validators.ts
2
+ function luhnCheck(pan) {
3
+ const digits = pan.replace(/[\s-]/g, "");
4
+ if (!/^\d{12,19}$/.test(digits)) return false;
5
+ let sum = 0;
6
+ for (let i = 0; i < digits.length; i++) {
7
+ let d = Number(digits[digits.length - 1 - i]);
8
+ if (i % 2 === 1) {
9
+ d *= 2;
10
+ if (d > 9) d -= 9;
11
+ }
12
+ sum += d;
13
+ }
14
+ return sum % 10 === 0;
15
+ }
16
+
17
+ // src/with-shape/classified/presets.ts
18
+ var digitsOf = (v) => String(v).replace(/\D/g, "");
19
+ function panSpec() {
20
+ return {
21
+ _noydbClassified: true,
22
+ preset: "creditCard.pan",
23
+ storage: "recoverable",
24
+ sensitivity: "secret",
25
+ list: { kind: "mask", pattern: "\u2022\u2022\u2022\u2022 ${last4}" },
26
+ riders: { last4: (v) => digitsOf(v).slice(-4), bin: (v) => digitsOf(v).slice(0, 6) },
27
+ validate: (v) => typeof v === "string" && luhnCheck(v) ? null : "not a Luhn-valid card number"
28
+ };
29
+ }
30
+ function expirySpec() {
31
+ return {
32
+ _noydbClassified: true,
33
+ preset: "creditCard.expiry",
34
+ storage: "recoverable",
35
+ sensitivity: "pii",
36
+ list: { kind: "mask", pattern: "\u2022\u2022/\u2022\u2022" },
37
+ validate: (v) => typeof v === "string" && /^(0[1-9]|1[0-2])\/\d{2}$/.test(v) ? null : "expected MM/YY"
38
+ };
39
+ }
40
+ function cvcSpec() {
41
+ return {
42
+ _noydbClassified: true,
43
+ preset: "creditCard.cvc",
44
+ storage: "never",
45
+ sensitivity: "secret",
46
+ list: { kind: "omit" },
47
+ validate: (v) => typeof v === "string" && /^\d{3,4}$/.test(v) ? null : "expected 3-4 digits"
48
+ };
49
+ }
50
+ var classified = {
51
+ /** Composite card type. PAN sealed + last4/bin riders; CVC is storage:'never' (PCI-aware). */
52
+ creditCard(fields) {
53
+ const members = { [fields.pan]: panSpec() };
54
+ if (fields.expiry !== void 0) members[fields.expiry] = expirySpec();
55
+ if (fields.cvc !== void 0) members[fields.cvc] = cvcSpec();
56
+ return { _noydbClassifiedGroup: true, preset: "creditCard", members };
57
+ },
58
+ birthDate() {
59
+ return {
60
+ _noydbClassified: true,
61
+ preset: "birthDate",
62
+ storage: "recoverable",
63
+ sensitivity: "pii",
64
+ list: { kind: "mask", pattern: "${yob}-\u2022\u2022-\u2022\u2022" },
65
+ riders: { yob: (v) => String(v).slice(0, 4) },
66
+ validate: (v) => {
67
+ if (typeof v !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return "expected ISO yyyy-mm-dd";
68
+ const parts = v.split("-").map(Number);
69
+ const year = parts[0], month = parts[1], day = parts[2];
70
+ if (month < 1 || month > 12) return "not a valid calendar date";
71
+ const daysInMonth = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];
72
+ const isLeapYear = year % 4 === 0 && year % 100 !== 0 || year % 400 === 0;
73
+ const maxDay = month === 2 && isLeapYear ? 29 : daysInMonth[month - 1];
74
+ if (day < 1 || day > maxDay) return "not a valid calendar date";
75
+ return null;
76
+ }
77
+ };
78
+ },
79
+ email() {
80
+ return {
81
+ _noydbClassified: true,
82
+ preset: "email",
83
+ storage: "recoverable",
84
+ sensitivity: "pii",
85
+ list: { kind: "mask", pattern: "\u2022\u2022\u2022@${domain}" },
86
+ riders: { domain: (v) => String(v).split("@")[1] ?? "" },
87
+ validate: (v) => typeof v === "string" && v.includes("@") ? null : "expected an email address"
88
+ };
89
+ },
90
+ phone() {
91
+ return {
92
+ _noydbClassified: true,
93
+ preset: "phone",
94
+ storage: "recoverable",
95
+ sensitivity: "pii",
96
+ list: { kind: "mask", pattern: "\u2022\u2022\u2022\u2022\u2022${last2}" },
97
+ riders: { last2: (v) => digitsOf(v).slice(-2) },
98
+ validate: (v) => digitsOf(v).length >= 5 ? null : "expected at least 5 digits"
99
+ };
100
+ },
101
+ /** Digest-only password: verify-without-reveal; never listed, never revealed.
102
+ * Enumeration math is on the caller for low-entropy values — see the
103
+ * per-preset docs; the hub ships no rate limiter in this slice (spec §5). */
104
+ password(opts = {}) {
105
+ const minLength = opts.minLength ?? 10;
106
+ const notLastN = opts.notLastN ?? 0;
107
+ if (!Number.isInteger(notLastN) || notLastN < 0 || notLastN > 8) {
108
+ throw new Error(`classified.password: notLastN must be an integer 0..8 (write cost is n \xD7 600K PBKDF2; ring blast radius is documented), got ${notLastN}`);
109
+ }
110
+ return {
111
+ _noydbClassified: true,
112
+ preset: "password",
113
+ storage: "digest-only",
114
+ sensitivity: "secret",
115
+ list: { kind: "omit" },
116
+ verifyNormalize: "password",
117
+ ...opts.rotateDays !== void 0 ? { rotateDays: opts.rotateDays } : {},
118
+ ...notLastN > 0 ? { notLastN } : {},
119
+ validate: (v) => typeof v === "string" && v.normalize("NFC").length >= minLength ? null : `password must be at least ${minLength} characters`
120
+ };
121
+ },
122
+ /** Digest-only secret answer: normalized (casefold/trim/collapse), groupable
123
+ * into k-of-n matchGroup challenges. Low-entropy by nature — document the
124
+ * enumeration math to your users; add app-side rate limiting. */
125
+ secretAnswer() {
126
+ return {
127
+ _noydbClassified: true,
128
+ preset: "secretAnswer",
129
+ storage: "digest-only",
130
+ sensitivity: "secret",
131
+ list: { kind: "omit" },
132
+ verifyNormalize: "secret-answer",
133
+ verifyGroupMember: true,
134
+ validate: (v) => typeof v === "string" && v.normalize("NFC").toLowerCase().trim().replace(/\s+/g, " ").length > 0 ? null : "secret answer must be non-empty after normalization"
135
+ };
136
+ }
137
+ };
138
+
139
+ // src/with-shape/classified/active.ts
140
+ function policyOf(spec) {
141
+ return {
142
+ normalize: spec.verifyNormalize ?? "password",
143
+ notLastN: spec.notLastN ?? 0,
144
+ ...spec.rotateDays !== void 0 ? { rotateDays: spec.rotateDays } : {}
145
+ };
146
+ }
147
+ var engineCtx = (ctx) => ({
148
+ collection: ctx.collection,
149
+ getEnvelope: ctx.getEnvelope,
150
+ resolveCek: ctx.resolveCek,
151
+ getDEK: ctx.getDEK,
152
+ now: ctx.now
153
+ });
154
+ function withClassified() {
155
+ return {
156
+ async reveal(ctx, id, field) {
157
+ const { revealSealedField } = await import("./reveal-WSUHXCSS.js");
158
+ const value = await revealSealedField({
159
+ collection: ctx.collection,
160
+ encrypted: ctx.encrypted,
161
+ getEnvelope: ctx.getEnvelope,
162
+ resolveCek: ctx.resolveCek,
163
+ getDEK: ctx.getDEK
164
+ }, id, field);
165
+ await ctx.onAccess?.("reveal", id);
166
+ return value;
167
+ },
168
+ async verify(ctx, id, field, candidate) {
169
+ const { verifyDigestField } = await import("./verify-SW6J63Q2.js");
170
+ const verdict = await verifyDigestField(engineCtx(ctx), id, field, candidate, policyOf(ctx.spec));
171
+ await ctx.onAccess?.("verify", id);
172
+ return verdict;
173
+ },
174
+ async verifyText(ctx, id, field, candidate) {
175
+ const { verifyTextField } = await import("./verify-SW6J63Q2.js");
176
+ const verdict = await verifyTextField(engineCtx(ctx), id, field, candidate, ctx.spec.verifyNormalize ?? "password");
177
+ await ctx.onAccess?.("verify", id);
178
+ return verdict;
179
+ },
180
+ async matchGroup(ctx, id, answers, opts) {
181
+ const { matchGroupFields } = await import("./verify-SW6J63Q2.js");
182
+ const members = (ctx.groupMembers ?? []).map((m) => ({ field: m.field, policy: policyOf(m.spec) }));
183
+ const result = await matchGroupFields(engineCtx(ctx), id, answers, members, opts);
184
+ await ctx.onAccess?.("verify", id);
185
+ return result;
186
+ }
187
+ };
188
+ }
189
+
190
+ export {
191
+ luhnCheck,
192
+ classified,
193
+ withClassified
194
+ };
195
+ //# sourceMappingURL=chunk-NTHKOFVL.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-shape/classified/validators.ts","../src/with-shape/classified/presets.ts","../src/with-shape/classified/active.ts"],"sourcesContent":["/** Pure write-time validators. Exported so userland can validate storage:'never'\n * fields (e.g. CVC) at capture, before dropping them. @module */\n\nexport function luhnCheck(pan: string): boolean {\n const digits = pan.replace(/[\\s-]/g, '')\n if (!/^\\d{12,19}$/.test(digits)) return false\n let sum = 0\n for (let i = 0; i < digits.length; i++) {\n let d = Number(digits[digits.length - 1 - i])\n if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9 }\n sum += d\n }\n return sum % 10 === 0\n}\n","/** The preset catalog (stage 1). Presets are hub-owned; devs get declarative\n * knobs, not read-side callbacks (design law D2/D3). @module */\n\nimport type { ClassifiedFieldSpec, ClassifiedGroup } from './descriptor.js'\nimport { luhnCheck } from './validators.js'\n\nconst digitsOf = (v: unknown): string => String(v).replace(/\\D/g, '')\n\nfunction panSpec(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'creditCard.pan', storage: 'recoverable',\n sensitivity: 'secret', list: { kind: 'mask', pattern: '•••• ${last4}' },\n riders: { last4: (v) => digitsOf(v).slice(-4), bin: (v) => digitsOf(v).slice(0, 6) },\n validate: (v) => (typeof v === 'string' && luhnCheck(v) ? null : 'not a Luhn-valid card number'),\n }\n}\n\nfunction expirySpec(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'creditCard.expiry', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '••/••' },\n validate: (v) => (typeof v === 'string' && /^(0[1-9]|1[0-2])\\/\\d{2}$/.test(v) ? null : 'expected MM/YY'),\n }\n}\n\nfunction cvcSpec(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'creditCard.cvc', storage: 'never',\n sensitivity: 'secret', list: { kind: 'omit' },\n validate: (v) => (typeof v === 'string' && /^\\d{3,4}$/.test(v) ? null : 'expected 3-4 digits'),\n }\n}\n\nexport const classified = {\n /** Composite card type. PAN sealed + last4/bin riders; CVC is storage:'never' (PCI-aware). */\n creditCard(fields: { pan: string; expiry?: string; cvc?: string }): ClassifiedGroup {\n const members: Record<string, ClassifiedFieldSpec> = { [fields.pan]: panSpec() }\n if (fields.expiry !== undefined) members[fields.expiry] = expirySpec()\n if (fields.cvc !== undefined) members[fields.cvc] = cvcSpec()\n return { _noydbClassifiedGroup: true, preset: 'creditCard', members }\n },\n\n birthDate(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'birthDate', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '${yob}-••-••' },\n riders: { yob: (v) => String(v).slice(0, 4) },\n validate: (v) => {\n if (typeof v !== 'string' || !/^\\d{4}-\\d{2}-\\d{2}$/.test(v)) return 'expected ISO yyyy-mm-dd'\n const parts = v.split('-').map(Number)\n const year = parts[0]!, month = parts[1]!, day = parts[2]!\n if (month < 1 || month > 12) return 'not a valid calendar date'\n const daysInMonth = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]\n const isLeapYear = (year % 4 === 0 && year % 100 !== 0) || year % 400 === 0\n const maxDay = month === 2 && isLeapYear ? 29 : daysInMonth[month - 1]!\n if (day < 1 || day > maxDay) return 'not a valid calendar date'\n return null\n },\n }\n },\n\n email(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'email', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '•••@${domain}' },\n riders: { domain: (v) => String(v).split('@')[1] ?? '' },\n validate: (v) => (typeof v === 'string' && v.includes('@') ? null : 'expected an email address'),\n }\n },\n\n phone(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'phone', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '•••••${last2}' },\n riders: { last2: (v) => digitsOf(v).slice(-2) },\n validate: (v) => (digitsOf(v).length >= 5 ? null : 'expected at least 5 digits'),\n }\n },\n\n /** Digest-only password: verify-without-reveal; never listed, never revealed.\n * Enumeration math is on the caller for low-entropy values — see the\n * per-preset docs; the hub ships no rate limiter in this slice (spec §5). */\n password(opts: { minLength?: number; rotateDays?: number; notLastN?: number } = {}): ClassifiedFieldSpec {\n const minLength = opts.minLength ?? 10\n const notLastN = opts.notLastN ?? 0\n if (!Number.isInteger(notLastN) || notLastN < 0 || notLastN > 8) {\n throw new Error(`classified.password: notLastN must be an integer 0..8 (write cost is n × 600K PBKDF2; ring blast radius is documented), got ${notLastN}`)\n }\n return {\n _noydbClassified: true, preset: 'password', storage: 'digest-only',\n sensitivity: 'secret', list: { kind: 'omit' },\n verifyNormalize: 'password',\n ...(opts.rotateDays !== undefined ? { rotateDays: opts.rotateDays } : {}),\n ...(notLastN > 0 ? { notLastN } : {}),\n validate: (v) => (typeof v === 'string' && v.normalize('NFC').length >= minLength\n ? null : `password must be at least ${minLength} characters`),\n }\n },\n\n /** Digest-only secret answer: normalized (casefold/trim/collapse), groupable\n * into k-of-n matchGroup challenges. Low-entropy by nature — document the\n * enumeration math to your users; add app-side rate limiting. */\n secretAnswer(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'secretAnswer', storage: 'digest-only',\n sensitivity: 'secret', list: { kind: 'omit' },\n verifyNormalize: 'secret-answer', verifyGroupMember: true,\n validate: (v) => (typeof v === 'string'\n && v.normalize('NFC').toLowerCase().trim().replace(/\\s+/g, ' ').length > 0\n ? null : 'secret answer must be non-empty after normalization'),\n }\n },\n}\n","import type { ClassifiedStrategy, ClassifiedVerifyCtx } from './strategy.js'\nimport type { VdigFieldPolicy } from '../../kernel/types.js'\nimport type { ClassifiedFieldSpec } from './descriptor.js'\n\nfunction policyOf(spec: ClassifiedFieldSpec): VdigFieldPolicy {\n return {\n normalize: spec.verifyNormalize ?? 'password',\n notLastN: spec.notLastN ?? 0,\n ...(spec.rotateDays !== undefined ? { rotateDays: spec.rotateDays } : {}),\n }\n}\n\nconst engineCtx = (ctx: ClassifiedVerifyCtx) => ({\n collection: ctx.collection,\n getEnvelope: ctx.getEnvelope,\n resolveCek: ctx.resolveCek,\n getDEK: ctx.getDEK,\n now: ctx.now,\n})\n\n/** Opt-in factory: enables reveal + verify/verifyText/matchGroup (stage 2). */\nexport function withClassified(): ClassifiedStrategy {\n return {\n async reveal(ctx, id, field) {\n const { revealSealedField } = await import('../../kernel/enclave/classify/reveal.js')\n const value = await revealSealedField({\n collection: ctx.collection, encrypted: ctx.encrypted,\n getEnvelope: ctx.getEnvelope, resolveCek: ctx.resolveCek, getDEK: ctx.getDEK,\n }, id, field)\n await ctx.onAccess?.('reveal', id)\n return value\n },\n async verify(ctx, id, field, candidate) {\n const { verifyDigestField } = await import('../../kernel/enclave/classify/verify.js')\n const verdict = await verifyDigestField(engineCtx(ctx), id, field, candidate, policyOf(ctx.spec))\n await ctx.onAccess?.('verify', id) // fires on ok AND fail (attempt audit)\n return verdict\n },\n async verifyText(ctx, id, field, candidate) {\n const { verifyTextField } = await import('../../kernel/enclave/classify/verify.js')\n const verdict = await verifyTextField(engineCtx(ctx), id, field, candidate, ctx.spec.verifyNormalize ?? 'password')\n await ctx.onAccess?.('verify', id)\n return verdict\n },\n async matchGroup(ctx, id, answers, opts) {\n const { matchGroupFields } = await import('../../kernel/enclave/classify/verify.js')\n const members = (ctx.groupMembers ?? []).map((m) => ({ field: m.field, policy: policyOf(m.spec) }))\n const result = await matchGroupFields(engineCtx(ctx), id, answers, members, opts)\n await ctx.onAccess?.('verify', id) // ONE entry per call (Q6)\n return result\n },\n }\n}\n"],"mappings":";AAGO,SAAS,UAAU,KAAsB;AAC9C,QAAM,SAAS,IAAI,QAAQ,UAAU,EAAE;AACvC,MAAI,CAAC,cAAc,KAAK,MAAM,EAAG,QAAO;AACxC,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,IAAI,OAAO,OAAO,OAAO,SAAS,IAAI,CAAC,CAAC;AAC5C,QAAI,IAAI,MAAM,GAAG;AAAE,WAAK;AAAG,UAAI,IAAI,EAAG,MAAK;AAAA,IAAE;AAC7C,WAAO;AAAA,EACT;AACA,SAAO,MAAM,OAAO;AACtB;;;ACPA,IAAM,WAAW,CAAC,MAAuB,OAAO,CAAC,EAAE,QAAQ,OAAO,EAAE;AAEpE,SAAS,UAA+B;AACtC,SAAO;AAAA,IACL,kBAAkB;AAAA,IAAM,QAAQ;AAAA,IAAkB,SAAS;AAAA,IAC3D,aAAa;AAAA,IAAU,MAAM,EAAE,MAAM,QAAQ,SAAS,oCAAgB;AAAA,IACtE,QAAQ,EAAE,OAAO,CAAC,MAAM,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,SAAS,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE;AAAA,IACnF,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,UAAU,CAAC,IAAI,OAAO;AAAA,EACnE;AACF;AAEA,SAAS,aAAkC;AACzC,SAAO;AAAA,IACL,kBAAkB;AAAA,IAAM,QAAQ;AAAA,IAAqB,SAAS;AAAA,IAC9D,aAAa;AAAA,IAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,4BAAQ;AAAA,IAC3D,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,2BAA2B,KAAK,CAAC,IAAI,OAAO;AAAA,EACzF;AACF;AAEA,SAAS,UAA+B;AACtC,SAAO;AAAA,IACL,kBAAkB;AAAA,IAAM,QAAQ;AAAA,IAAkB,SAAS;AAAA,IAC3D,aAAa;AAAA,IAAU,MAAM,EAAE,MAAM,OAAO;AAAA,IAC5C,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,YAAY,KAAK,CAAC,IAAI,OAAO;AAAA,EAC1E;AACF;AAEO,IAAM,aAAa;AAAA;AAAA,EAExB,WAAW,QAAyE;AAClF,UAAM,UAA+C,EAAE,CAAC,OAAO,GAAG,GAAG,QAAQ,EAAE;AAC/E,QAAI,OAAO,WAAW,OAAW,SAAQ,OAAO,MAAM,IAAI,WAAW;AACrE,QAAI,OAAO,QAAQ,OAAW,SAAQ,OAAO,GAAG,IAAI,QAAQ;AAC5D,WAAO,EAAE,uBAAuB,MAAM,QAAQ,cAAc,QAAQ;AAAA,EACtE;AAAA,EAEA,YAAiC;AAC/B,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAa,SAAS;AAAA,MACtD,aAAa;AAAA,MAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,mCAAe;AAAA,MAClE,QAAQ,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE;AAAA,MAC5C,UAAU,CAAC,MAAM;AACf,YAAI,OAAO,MAAM,YAAY,CAAC,sBAAsB,KAAK,CAAC,EAAG,QAAO;AACpE,cAAM,QAAQ,EAAE,MAAM,GAAG,EAAE,IAAI,MAAM;AACrC,cAAM,OAAO,MAAM,CAAC,GAAI,QAAQ,MAAM,CAAC,GAAI,MAAM,MAAM,CAAC;AACxD,YAAI,QAAQ,KAAK,QAAQ,GAAI,QAAO;AACpC,cAAM,cAAc,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;AACnE,cAAM,aAAc,OAAO,MAAM,KAAK,OAAO,QAAQ,KAAM,OAAO,QAAQ;AAC1E,cAAM,SAAS,UAAU,KAAK,aAAa,KAAK,YAAY,QAAQ,CAAC;AACrE,YAAI,MAAM,KAAK,MAAM,OAAQ,QAAO;AACpC,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEA,QAA6B;AAC3B,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAS,SAAS;AAAA,MAClD,aAAa;AAAA,MAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,+BAAgB;AAAA,MACnE,QAAQ,EAAE,QAAQ,CAAC,MAAM,OAAO,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,KAAK,GAAG;AAAA,MACvD,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,EAAE,SAAS,GAAG,IAAI,OAAO;AAAA,IACtE;AAAA,EACF;AAAA,EAEA,QAA6B;AAC3B,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAS,SAAS;AAAA,MAClD,aAAa;AAAA,MAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,yCAAgB;AAAA,MACnE,QAAQ,EAAE,OAAO,CAAC,MAAM,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE;AAAA,MAC9C,UAAU,CAAC,MAAO,SAAS,CAAC,EAAE,UAAU,IAAI,OAAO;AAAA,IACrD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,OAAuE,CAAC,GAAwB;AACvG,UAAM,YAAY,KAAK,aAAa;AACpC,UAAM,WAAW,KAAK,YAAY;AAClC,QAAI,CAAC,OAAO,UAAU,QAAQ,KAAK,WAAW,KAAK,WAAW,GAAG;AAC/D,YAAM,IAAI,MAAM,kIAA+H,QAAQ,EAAE;AAAA,IAC3J;AACA,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAY,SAAS;AAAA,MACrD,aAAa;AAAA,MAAU,MAAM,EAAE,MAAM,OAAO;AAAA,MAC5C,iBAAiB;AAAA,MACjB,GAAI,KAAK,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,MACvE,GAAI,WAAW,IAAI,EAAE,SAAS,IAAI,CAAC;AAAA,MACnC,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,EAAE,UAAU,KAAK,EAAE,UAAU,YACpE,OAAO,6BAA6B,SAAS;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,eAAoC;AAClC,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAgB,SAAS;AAAA,MACzD,aAAa;AAAA,MAAU,MAAM,EAAE,MAAM,OAAO;AAAA,MAC5C,iBAAiB;AAAA,MAAiB,mBAAmB;AAAA,MACrD,UAAU,CAAC,MAAO,OAAO,MAAM,YAC1B,EAAE,UAAU,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,QAAQ,GAAG,EAAE,SAAS,IACvE,OAAO;AAAA,IACb;AAAA,EACF;AACF;;;AC5GA,SAAS,SAAS,MAA4C;AAC5D,SAAO;AAAA,IACL,WAAW,KAAK,mBAAmB;AAAA,IACnC,UAAU,KAAK,YAAY;AAAA,IAC3B,GAAI,KAAK,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,EACzE;AACF;AAEA,IAAM,YAAY,CAAC,SAA8B;AAAA,EAC/C,YAAY,IAAI;AAAA,EAChB,aAAa,IAAI;AAAA,EACjB,YAAY,IAAI;AAAA,EAChB,QAAQ,IAAI;AAAA,EACZ,KAAK,IAAI;AACX;AAGO,SAAS,iBAAqC;AACnD,SAAO;AAAA,IACL,MAAM,OAAO,KAAK,IAAI,OAAO;AAC3B,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,sBAAyC;AACpF,YAAM,QAAQ,MAAM,kBAAkB;AAAA,QACpC,YAAY,IAAI;AAAA,QAAY,WAAW,IAAI;AAAA,QAC3C,aAAa,IAAI;AAAA,QAAa,YAAY,IAAI;AAAA,QAAY,QAAQ,IAAI;AAAA,MACxE,GAAG,IAAI,KAAK;AACZ,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,OAAO,KAAK,IAAI,OAAO,WAAW;AACtC,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,sBAAyC;AACpF,YAAM,UAAU,MAAM,kBAAkB,UAAU,GAAG,GAAG,IAAI,OAAO,WAAW,SAAS,IAAI,IAAI,CAAC;AAChG,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,WAAW,KAAK,IAAI,OAAO,WAAW;AAC1C,YAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,sBAAyC;AAClF,YAAM,UAAU,MAAM,gBAAgB,UAAU,GAAG,GAAG,IAAI,OAAO,WAAW,IAAI,KAAK,mBAAmB,UAAU;AAClH,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,WAAW,KAAK,IAAI,SAAS,MAAM;AACvC,YAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,sBAAyC;AACnF,YAAM,WAAW,IAAI,gBAAgB,CAAC,GAAG,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,QAAQ,SAAS,EAAE,IAAI,EAAE,EAAE;AAClG,YAAM,SAAS,MAAM,iBAAiB,UAAU,GAAG,GAAG,IAAI,SAAS,SAAS,IAAI;AAChF,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  TierNotGrantedError
3
- } from "./chunk-ZYUC53LT.js";
3
+ } from "./chunk-BLZRNHMG.js";
4
4
 
5
5
  // src/with-party/team/tiers.ts
6
6
  function dekKey(collection, tier) {
@@ -31,4 +31,4 @@ export {
31
31
  effectiveClearance,
32
32
  assertTierAccess
33
33
  };
34
- //# sourceMappingURL=chunk-IO6GRPT6.js.map
34
+ //# sourceMappingURL=chunk-O5DNEXQC.js.map
@@ -29,4 +29,4 @@ export {
29
29
  SealedHandle,
30
30
  createStore
31
31
  };
32
- //# sourceMappingURL=chunk-5TDJ56JE.js.map
32
+ //# sourceMappingURL=chunk-OCDUQUAP.js.map