@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (331) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-LORZ2EZU.js +17 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +9 -6
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +18 -15
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-KMJQ66MF.js → backup-NGRJ46SH.js} +9 -6
  13. package/dist/{backup-KMJQ66MF.js.map → backup-NGRJ46SH.js.map} +1 -1
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +8 -5
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +18 -15
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-PwBGkhpe.d.ts → bundle-B-P3_Jvb.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +20 -17
  24. package/dist/{chunk-Y22T3KQE.js → chunk-2KSPDSWI.js} +3 -3
  25. package/dist/{chunk-ITNUCOXM.js → chunk-2N4MUSF3.js} +7 -5
  26. package/dist/{chunk-ITNUCOXM.js.map → chunk-2N4MUSF3.js.map} +1 -1
  27. package/dist/{chunk-5N6CZTCY.js → chunk-2ZORB5RW.js} +3 -3
  28. package/dist/{chunk-FISN7WE4.js → chunk-3UDPDRUC.js} +4 -4
  29. package/dist/{chunk-TA66UMI4.js → chunk-46YGCU6Z.js} +2 -2
  30. package/dist/{chunk-IPB7FTQX.js → chunk-4DZGZ7II.js} +8 -6
  31. package/dist/{chunk-IPB7FTQX.js.map → chunk-4DZGZ7II.js.map} +1 -1
  32. package/dist/{chunk-SKF73JOP.js → chunk-4NMFWOS2.js} +3 -3
  33. package/dist/{chunk-IAGBDSCS.js → chunk-4NZCZUGL.js} +2 -2
  34. package/dist/{chunk-DFEMTNPJ.js → chunk-55HDKLI3.js} +8 -6
  35. package/dist/{chunk-DFEMTNPJ.js.map → chunk-55HDKLI3.js.map} +1 -1
  36. package/dist/{chunk-WWGT2MDV.js → chunk-5A6TC3RQ.js} +5 -5
  37. package/dist/{chunk-5O3AOPDT.js → chunk-5EZAJEES.js} +151 -432
  38. package/dist/chunk-5EZAJEES.js.map +1 -0
  39. package/dist/{chunk-62QYRORB.js → chunk-5Z3RNFJC.js} +3 -3
  40. package/dist/{chunk-M6OST55S.js → chunk-5ZPWVNL3.js} +2 -2
  41. package/dist/{chunk-PSMV73A5.js → chunk-6CNLU4TO.js} +5 -5
  42. package/dist/{chunk-QZISFCVG.js → chunk-6DP5HBQD.js} +11 -9
  43. package/dist/{chunk-QZISFCVG.js.map → chunk-6DP5HBQD.js.map} +1 -1
  44. package/dist/{chunk-AIWULCUO.js → chunk-6EVZXETK.js} +5 -3
  45. package/dist/{chunk-AIWULCUO.js.map → chunk-6EVZXETK.js.map} +1 -1
  46. package/dist/{chunk-GYGWYIOZ.js → chunk-6I2YPLAG.js} +7 -5
  47. package/dist/{chunk-GYGWYIOZ.js.map → chunk-6I2YPLAG.js.map} +1 -1
  48. package/dist/{chunk-SRB2XEWB.js → chunk-6OQ7NKMZ.js} +6 -4
  49. package/dist/{chunk-SRB2XEWB.js.map → chunk-6OQ7NKMZ.js.map} +1 -1
  50. package/dist/chunk-6RASM2J4.js +25 -0
  51. package/dist/chunk-6RASM2J4.js.map +1 -0
  52. package/dist/{chunk-5LUY7UTV.js → chunk-7IP75FP2.js} +2 -2
  53. package/dist/{chunk-HCIPRAGS.js → chunk-7MHVHGQZ.js} +2 -2
  54. package/dist/{chunk-PSHOXR6C.js → chunk-ADBMJDBW.js} +370 -83
  55. package/dist/chunk-ADBMJDBW.js.map +1 -0
  56. package/dist/{chunk-ZCGAHGUS.js → chunk-AY4P6PHN.js} +2 -2
  57. package/dist/{chunk-ZYUC53LT.js → chunk-BLZRNHMG.js} +51 -2
  58. package/dist/{chunk-ZYUC53LT.js.map → chunk-BLZRNHMG.js.map} +1 -1
  59. package/dist/{chunk-KXGNJJXB.js → chunk-BV7KNFJY.js} +7 -7
  60. package/dist/{chunk-BG3SPSR4.js → chunk-BYW7EU5L.js} +2 -2
  61. package/dist/{chunk-NF5JWERG.js → chunk-BZIWKN74.js} +2 -2
  62. package/dist/chunk-CPAROOKP.js +124 -0
  63. package/dist/chunk-CPAROOKP.js.map +1 -0
  64. package/dist/{chunk-AQTBSL7R.js → chunk-CVXLJIAV.js} +5 -5
  65. package/dist/{chunk-CWPPNPOH.js → chunk-DA34OEZU.js} +2 -2
  66. package/dist/{chunk-RUEKROOS.js → chunk-DGUR3CC4.js} +2 -2
  67. package/dist/{chunk-LXQT4WMP.js → chunk-DHIN36UC.js} +8 -6
  68. package/dist/{chunk-LXQT4WMP.js.map → chunk-DHIN36UC.js.map} +1 -1
  69. package/dist/{chunk-JNUWZ6D3.js → chunk-E4YJUNPU.js} +7 -5
  70. package/dist/{chunk-JNUWZ6D3.js.map → chunk-E4YJUNPU.js.map} +1 -1
  71. package/dist/{chunk-UV5MFVO3.js → chunk-FELHYKIO.js} +2 -2
  72. package/dist/{chunk-KVOXU4T5.js → chunk-HGQG3VIP.js} +2 -2
  73. package/dist/{chunk-XXYIOFUB.js → chunk-IIK7W3AN.js} +5 -5
  74. package/dist/{chunk-IGUYVGGI.js → chunk-IJW6K6UX.js} +3 -3
  75. package/dist/{chunk-76722EBH.js → chunk-IWVWB7BZ.js} +11 -9
  76. package/dist/{chunk-76722EBH.js.map → chunk-IWVWB7BZ.js.map} +1 -1
  77. package/dist/{chunk-QHJW5EXU.js → chunk-JFYIHLU3.js} +2 -2
  78. package/dist/chunk-L4IRFTIF.js +424 -0
  79. package/dist/chunk-L4IRFTIF.js.map +1 -0
  80. package/dist/{chunk-SM3AVUHC.js → chunk-LES2Z7B4.js} +2 -2
  81. package/dist/{chunk-IUEN57TV.js → chunk-LHYQE3BP.js} +4 -4
  82. package/dist/{chunk-V7RWQRG7.js → chunk-LKBLAUOB.js} +3 -3
  83. package/dist/{chunk-UDRIWL7A.js → chunk-MCJAUQGE.js} +3 -3
  84. package/dist/chunk-MIOLJG2R.js +105 -0
  85. package/dist/chunk-MIOLJG2R.js.map +1 -0
  86. package/dist/{chunk-UIU2THRG.js → chunk-N2FP26NH.js} +5 -5
  87. package/dist/{chunk-DGDI2D4M.js → chunk-NIA5VQ7G.js} +8 -6
  88. package/dist/{chunk-DGDI2D4M.js.map → chunk-NIA5VQ7G.js.map} +1 -1
  89. package/dist/{chunk-CMGR4ZEW.js → chunk-NMRKAGHE.js} +2 -2
  90. package/dist/{chunk-LV7M27WM.js → chunk-NPVICKZE.js} +4 -4
  91. package/dist/chunk-NTHKOFVL.js +195 -0
  92. package/dist/chunk-NTHKOFVL.js.map +1 -0
  93. package/dist/{chunk-IO6GRPT6.js → chunk-O5DNEXQC.js} +2 -2
  94. package/dist/{chunk-5TDJ56JE.js → chunk-OCDUQUAP.js} +1 -1
  95. package/dist/chunk-OCDUQUAP.js.map +1 -0
  96. package/dist/{chunk-UPJNJGGA.js → chunk-OVIVYAQL.js} +10 -8
  97. package/dist/{chunk-UPJNJGGA.js.map → chunk-OVIVYAQL.js.map} +1 -1
  98. package/dist/{chunk-I2NOIW44.js → chunk-P6DN5QU7.js} +8 -6
  99. package/dist/{chunk-I2NOIW44.js.map → chunk-P6DN5QU7.js.map} +1 -1
  100. package/dist/{chunk-Q7SS3IME.js → chunk-P6UXDALK.js} +3 -3
  101. package/dist/{chunk-UAG5KWVA.js → chunk-PJDK2PPQ.js} +3 -3
  102. package/dist/{chunk-AXRXJTE2.js → chunk-PUNJAEY6.js} +5 -5
  103. package/dist/{chunk-LFLXAY2W.js → chunk-PYWW4KLO.js} +9 -7
  104. package/dist/{chunk-LFLXAY2W.js.map → chunk-PYWW4KLO.js.map} +1 -1
  105. package/dist/{chunk-M2YKN37S.js → chunk-QLQS5A7X.js} +2 -2
  106. package/dist/{chunk-I3TIKTJO.js → chunk-TICO2I2O.js} +2 -2
  107. package/dist/{chunk-3YFXJ3ZP.js → chunk-U5DWHU3S.js} +2 -2
  108. package/dist/{chunk-26LGBE4T.js → chunk-U6OM4E67.js} +6 -4
  109. package/dist/{chunk-26LGBE4T.js.map → chunk-U6OM4E67.js.map} +1 -1
  110. package/dist/{chunk-TEILUWOI.js → chunk-UP6EMMDI.js} +10 -10
  111. package/dist/{chunk-SMXWYP24.js → chunk-VBYVKOMJ.js} +3 -3
  112. package/dist/{chunk-AZAOEIKW.js → chunk-VHEEU4ZO.js} +2 -2
  113. package/dist/{chunk-MD3Y6J3L.js → chunk-WVIIJPTJ.js} +7 -5
  114. package/dist/{chunk-MD3Y6J3L.js.map → chunk-WVIIJPTJ.js.map} +1 -1
  115. package/dist/{chunk-EIZUR2XW.js → chunk-XRE4JOEO.js} +2 -2
  116. package/dist/{chunk-VFQGRQIH.js → chunk-YDP2SA5K.js} +7 -5
  117. package/dist/{chunk-VFQGRQIH.js.map → chunk-YDP2SA5K.js.map} +1 -1
  118. package/dist/{chunk-5R3ERCDH.js → chunk-YN66UOXT.js} +3 -3
  119. package/dist/{chunk-IELYAOGG.js → chunk-YTIAXSUE.js} +4 -4
  120. package/dist/{chunk-TJYQIGAP.js → chunk-Z44OY24N.js} +3 -3
  121. package/dist/{chunk-VCTFO5CO.js → chunk-ZAWD6O46.js} +2 -2
  122. package/dist/{chunk-PKHL44ER.js → chunk-ZD4D7UM6.js} +2 -2
  123. package/dist/{chunk-MTMJVJ5W.js → chunk-ZFME46HJ.js} +5 -3
  124. package/dist/chunk-ZFME46HJ.js.map +1 -0
  125. package/dist/{chunk-LMTH2RM6.js → chunk-ZNI3RTFV.js} +2 -2
  126. package/dist/{chunk-WYSO2NIH.js → chunk-ZRDYQZYH.js} +2 -2
  127. package/dist/classified/index.d.ts +17 -0
  128. package/dist/classified/index.js +38 -0
  129. package/dist/collection-facade-XPVRHBGU.js +36 -0
  130. package/dist/consent/index.d.ts +3 -3
  131. package/dist/consent/index.js +7 -4
  132. package/dist/consent/index.js.map +1 -1
  133. package/dist/crdt/index.d.ts +3 -3
  134. package/dist/delegation-4HUHUE6T.js +22 -0
  135. package/dist/derivations/index.d.ts +4 -4
  136. package/dist/derivations/index.js +9 -6
  137. package/dist/describe/index.d.ts +1 -1
  138. package/dist/{describe-Ccd1hS7a.d.ts → describe-0tiXAjoO.d.ts} +10 -0
  139. package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-B_s9DUWa.d.ts} +1 -1
  140. package/dist/{enclave-UL5LW66V.js → enclave-IS7HZSQ7.js} +34 -18
  141. package/dist/executor-ANFBCOYA.js +9 -0
  142. package/dist/executor-IKT47SH2.js +9 -0
  143. package/dist/executor-OIECZXTV.js +18 -0
  144. package/dist/export-accessible-NZWCFZHL.js +20 -0
  145. package/dist/extract-partition-52LX6RQH.js +33 -0
  146. package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-DDKRG2MX.js} +14 -14
  147. package/dist/fanout-sidecar-DDKRG2MX.js.map +1 -0
  148. package/dist/forget/index.js +7 -4
  149. package/dist/forget/index.js.map +1 -1
  150. package/dist/guards/index.d.ts +4 -4
  151. package/dist/guards/index.js +3 -3
  152. package/dist/{hash-CdSr06sm.d.ts → hash-CWxn7sf6.d.ts} +7 -2
  153. package/dist/history/index.d.ts +4 -4
  154. package/dist/history/index.js +9 -6
  155. package/dist/history/index.js.map +1 -1
  156. package/dist/i18n/index.d.ts +3 -3
  157. package/dist/i18n/index.js +11 -8
  158. package/dist/i18n/index.js.map +1 -1
  159. package/dist/in/index.d.ts +2 -2
  160. package/dist/{index-_6At2_9_.d.ts → index-D05bV0_g.d.ts} +245 -5
  161. package/dist/{index-CGLLRtFc.d.ts → index-DTMUUwwW.d.ts} +3 -3
  162. package/dist/index.d.ts +30 -14
  163. package/dist/index.js +136 -75
  164. package/dist/index.js.map +1 -1
  165. package/dist/indexing/index.d.ts +3 -3
  166. package/dist/indexing/index.js +4 -4
  167. package/dist/issue-F4SYPJGJ.js +16 -0
  168. package/dist/kernel/index.d.ts +3 -3
  169. package/dist/kernel/index.js +10 -7
  170. package/dist/{ledger-RYI35CDS.js → ledger-YUAJUNFP.js} +9 -6
  171. package/dist/liberate-6LDETRIW.js +21 -0
  172. package/dist/materialized-views/index.d.ts +4 -4
  173. package/dist/materialized-views/index.js +13 -10
  174. package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-Qr_4HjP6.d.ts} +1 -1
  175. package/dist/noydb-WQNBVJIG.js +54 -0
  176. package/dist/on/index.d.ts +2 -2
  177. package/dist/on/index.js +7 -4
  178. package/dist/overlay-views/index.d.ts +4 -4
  179. package/dist/overlay-views/index.js +4 -4
  180. package/dist/periods/index.d.ts +3 -3
  181. package/dist/periods/index.js +10 -7
  182. package/dist/pod/index.d.ts +3 -3
  183. package/dist/pod/index.js +9 -6
  184. package/dist/{policy-IXK4FVXP.js → policy-LRE6HTO5.js} +5 -5
  185. package/dist/portability/index.d.ts +3 -3
  186. package/dist/portability/index.js +8 -8
  187. package/dist/{public-envelope-JHDQCPSX.js → public-envelope-WVRRUVAJ.js} +4 -4
  188. package/dist/query/index.d.ts +2 -2
  189. package/dist/query/index.js +6 -6
  190. package/dist/registry-6HZ2JSQ7.js +14 -0
  191. package/dist/registry-GPXZQ7DT.js +9 -0
  192. package/dist/registry-USYD2ECC.js +16 -0
  193. package/dist/request-withdrawal-54V4L6CR.js +28 -0
  194. package/dist/reveal-WSUHXCSS.js +37 -0
  195. package/dist/reveal-WSUHXCSS.js.map +1 -0
  196. package/dist/revoke-JV26NTQD.js +21 -0
  197. package/dist/sealed-record/index.d.ts +3 -3
  198. package/dist/sealed-record/index.js +10 -7
  199. package/dist/sealed-record/index.js.map +1 -1
  200. package/dist/session/index.d.ts +4 -4
  201. package/dist/session/index.js +7 -4
  202. package/dist/session/index.js.map +1 -1
  203. package/dist/shadow/index.d.ts +3 -3
  204. package/dist/shadow/index.js +2 -2
  205. package/dist/{signer-PNKTBVF7.js → signer-AE56T5HE.js} +8 -5
  206. package/dist/snapshots/index.d.ts +3 -3
  207. package/dist/snapshots/index.js +8 -5
  208. package/dist/snapshots/index.js.map +1 -1
  209. package/dist/{stale-3JWHNDIY.js → stale-LX4BR43V.js} +2 -2
  210. package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-KTRIC6PR.js} +3 -3
  211. package/dist/sync/index.d.ts +2 -2
  212. package/dist/sync/index.js +7 -4
  213. package/dist/sync/index.js.map +1 -1
  214. package/dist/team/index.d.ts +3 -3
  215. package/dist/team/index.js +13 -10
  216. package/dist/tiers/index.d.ts +2 -2
  217. package/dist/tiers/index.js +8 -5
  218. package/dist/to/index.d.ts +2 -2
  219. package/dist/to/index.js +1 -1
  220. package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C1Pyz8nH.d.ts} +1 -1
  221. package/dist/tx/index.d.ts +3 -3
  222. package/dist/tx/index.js +3 -3
  223. package/dist/ui/index.d.ts +1 -1
  224. package/dist/util/index.js +1 -1
  225. package/dist/validators-Dzn7T-3x.d.ts +62 -0
  226. package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-Fn0WeY2w.d.ts} +1 -1
  227. package/dist/verify-SW6J63Q2.js +135 -0
  228. package/dist/verify-SW6J63Q2.js.map +1 -0
  229. package/dist/with/index.d.ts +3 -3
  230. package/dist/with/index.js +9 -6
  231. package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-NKxs6iK5.d.ts} +1 -1
  232. package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-B4fPYHwV.d.ts} +1 -1
  233. package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-Bl0sRFEt.d.ts} +1 -1
  234. package/dist/withdraw-accessible-DGA4V2TP.js +25 -0
  235. package/dist/withdraw-accessible-DGA4V2TP.js.map +1 -0
  236. package/package.json +7 -3
  237. package/dist/api-RW3KP7WU.js +0 -14
  238. package/dist/chunk-5O3AOPDT.js.map +0 -1
  239. package/dist/chunk-5TDJ56JE.js.map +0 -1
  240. package/dist/chunk-MTMJVJ5W.js.map +0 -1
  241. package/dist/chunk-PSHOXR6C.js.map +0 -1
  242. package/dist/collection-facade-GQAOGJP2.js +0 -33
  243. package/dist/delegation-UL5HKLER.js +0 -19
  244. package/dist/executor-2FWQRLMG.js +0 -15
  245. package/dist/executor-QZ7BXICW.js +0 -9
  246. package/dist/executor-Z5ZLJVTV.js +0 -9
  247. package/dist/export-accessible-KRV5W4GH.js +0 -17
  248. package/dist/extract-partition-GLKBOXFQ.js +0 -30
  249. package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
  250. package/dist/issue-Y6UVIR43.js +0 -13
  251. package/dist/liberate-CRPZEV7O.js +0 -18
  252. package/dist/noydb-LDEBLNHY.js +0 -50
  253. package/dist/registry-45RJNWGU.js +0 -9
  254. package/dist/registry-5GRV5VXI.js +0 -13
  255. package/dist/registry-WEUCHBO4.js +0 -11
  256. package/dist/request-withdrawal-GBPH2FDY.js +0 -25
  257. package/dist/revoke-TUFRGI6S.js +0 -18
  258. package/dist/withdraw-accessible-FFS46EOD.js +0 -22
  259. /package/dist/{api-RW3KP7WU.js.map → api-LORZ2EZU.js.map} +0 -0
  260. /package/dist/{chunk-Y22T3KQE.js.map → chunk-2KSPDSWI.js.map} +0 -0
  261. /package/dist/{chunk-5N6CZTCY.js.map → chunk-2ZORB5RW.js.map} +0 -0
  262. /package/dist/{chunk-FISN7WE4.js.map → chunk-3UDPDRUC.js.map} +0 -0
  263. /package/dist/{chunk-TA66UMI4.js.map → chunk-46YGCU6Z.js.map} +0 -0
  264. /package/dist/{chunk-SKF73JOP.js.map → chunk-4NMFWOS2.js.map} +0 -0
  265. /package/dist/{chunk-IAGBDSCS.js.map → chunk-4NZCZUGL.js.map} +0 -0
  266. /package/dist/{chunk-WWGT2MDV.js.map → chunk-5A6TC3RQ.js.map} +0 -0
  267. /package/dist/{chunk-62QYRORB.js.map → chunk-5Z3RNFJC.js.map} +0 -0
  268. /package/dist/{chunk-M6OST55S.js.map → chunk-5ZPWVNL3.js.map} +0 -0
  269. /package/dist/{chunk-PSMV73A5.js.map → chunk-6CNLU4TO.js.map} +0 -0
  270. /package/dist/{chunk-5LUY7UTV.js.map → chunk-7IP75FP2.js.map} +0 -0
  271. /package/dist/{chunk-HCIPRAGS.js.map → chunk-7MHVHGQZ.js.map} +0 -0
  272. /package/dist/{chunk-ZCGAHGUS.js.map → chunk-AY4P6PHN.js.map} +0 -0
  273. /package/dist/{chunk-KXGNJJXB.js.map → chunk-BV7KNFJY.js.map} +0 -0
  274. /package/dist/{chunk-BG3SPSR4.js.map → chunk-BYW7EU5L.js.map} +0 -0
  275. /package/dist/{chunk-NF5JWERG.js.map → chunk-BZIWKN74.js.map} +0 -0
  276. /package/dist/{chunk-AQTBSL7R.js.map → chunk-CVXLJIAV.js.map} +0 -0
  277. /package/dist/{chunk-CWPPNPOH.js.map → chunk-DA34OEZU.js.map} +0 -0
  278. /package/dist/{chunk-RUEKROOS.js.map → chunk-DGUR3CC4.js.map} +0 -0
  279. /package/dist/{chunk-UV5MFVO3.js.map → chunk-FELHYKIO.js.map} +0 -0
  280. /package/dist/{chunk-KVOXU4T5.js.map → chunk-HGQG3VIP.js.map} +0 -0
  281. /package/dist/{chunk-XXYIOFUB.js.map → chunk-IIK7W3AN.js.map} +0 -0
  282. /package/dist/{chunk-IGUYVGGI.js.map → chunk-IJW6K6UX.js.map} +0 -0
  283. /package/dist/{chunk-QHJW5EXU.js.map → chunk-JFYIHLU3.js.map} +0 -0
  284. /package/dist/{chunk-SM3AVUHC.js.map → chunk-LES2Z7B4.js.map} +0 -0
  285. /package/dist/{chunk-IUEN57TV.js.map → chunk-LHYQE3BP.js.map} +0 -0
  286. /package/dist/{chunk-V7RWQRG7.js.map → chunk-LKBLAUOB.js.map} +0 -0
  287. /package/dist/{chunk-UDRIWL7A.js.map → chunk-MCJAUQGE.js.map} +0 -0
  288. /package/dist/{chunk-UIU2THRG.js.map → chunk-N2FP26NH.js.map} +0 -0
  289. /package/dist/{chunk-CMGR4ZEW.js.map → chunk-NMRKAGHE.js.map} +0 -0
  290. /package/dist/{chunk-LV7M27WM.js.map → chunk-NPVICKZE.js.map} +0 -0
  291. /package/dist/{chunk-IO6GRPT6.js.map → chunk-O5DNEXQC.js.map} +0 -0
  292. /package/dist/{chunk-Q7SS3IME.js.map → chunk-P6UXDALK.js.map} +0 -0
  293. /package/dist/{chunk-UAG5KWVA.js.map → chunk-PJDK2PPQ.js.map} +0 -0
  294. /package/dist/{chunk-AXRXJTE2.js.map → chunk-PUNJAEY6.js.map} +0 -0
  295. /package/dist/{chunk-M2YKN37S.js.map → chunk-QLQS5A7X.js.map} +0 -0
  296. /package/dist/{chunk-I3TIKTJO.js.map → chunk-TICO2I2O.js.map} +0 -0
  297. /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U5DWHU3S.js.map} +0 -0
  298. /package/dist/{chunk-TEILUWOI.js.map → chunk-UP6EMMDI.js.map} +0 -0
  299. /package/dist/{chunk-SMXWYP24.js.map → chunk-VBYVKOMJ.js.map} +0 -0
  300. /package/dist/{chunk-AZAOEIKW.js.map → chunk-VHEEU4ZO.js.map} +0 -0
  301. /package/dist/{chunk-EIZUR2XW.js.map → chunk-XRE4JOEO.js.map} +0 -0
  302. /package/dist/{chunk-5R3ERCDH.js.map → chunk-YN66UOXT.js.map} +0 -0
  303. /package/dist/{chunk-IELYAOGG.js.map → chunk-YTIAXSUE.js.map} +0 -0
  304. /package/dist/{chunk-TJYQIGAP.js.map → chunk-Z44OY24N.js.map} +0 -0
  305. /package/dist/{chunk-VCTFO5CO.js.map → chunk-ZAWD6O46.js.map} +0 -0
  306. /package/dist/{chunk-PKHL44ER.js.map → chunk-ZD4D7UM6.js.map} +0 -0
  307. /package/dist/{chunk-LMTH2RM6.js.map → chunk-ZNI3RTFV.js.map} +0 -0
  308. /package/dist/{chunk-WYSO2NIH.js.map → chunk-ZRDYQZYH.js.map} +0 -0
  309. /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
  310. /package/dist/{delegation-UL5HKLER.js.map → collection-facade-XPVRHBGU.js.map} +0 -0
  311. /package/dist/{enclave-UL5LW66V.js.map → delegation-4HUHUE6T.js.map} +0 -0
  312. /package/dist/{executor-2FWQRLMG.js.map → enclave-IS7HZSQ7.js.map} +0 -0
  313. /package/dist/{executor-QZ7BXICW.js.map → executor-ANFBCOYA.js.map} +0 -0
  314. /package/dist/{executor-Z5ZLJVTV.js.map → executor-IKT47SH2.js.map} +0 -0
  315. /package/dist/{export-accessible-KRV5W4GH.js.map → executor-OIECZXTV.js.map} +0 -0
  316. /package/dist/{extract-partition-GLKBOXFQ.js.map → export-accessible-NZWCFZHL.js.map} +0 -0
  317. /package/dist/{issue-Y6UVIR43.js.map → extract-partition-52LX6RQH.js.map} +0 -0
  318. /package/dist/{ledger-RYI35CDS.js.map → issue-F4SYPJGJ.js.map} +0 -0
  319. /package/dist/{liberate-CRPZEV7O.js.map → ledger-YUAJUNFP.js.map} +0 -0
  320. /package/dist/{noydb-LDEBLNHY.js.map → liberate-6LDETRIW.js.map} +0 -0
  321. /package/dist/{policy-IXK4FVXP.js.map → noydb-WQNBVJIG.js.map} +0 -0
  322. /package/dist/{public-envelope-JHDQCPSX.js.map → policy-LRE6HTO5.js.map} +0 -0
  323. /package/dist/{registry-45RJNWGU.js.map → public-envelope-WVRRUVAJ.js.map} +0 -0
  324. /package/dist/{registry-5GRV5VXI.js.map → registry-6HZ2JSQ7.js.map} +0 -0
  325. /package/dist/{registry-WEUCHBO4.js.map → registry-GPXZQ7DT.js.map} +0 -0
  326. /package/dist/{request-withdrawal-GBPH2FDY.js.map → registry-USYD2ECC.js.map} +0 -0
  327. /package/dist/{revoke-TUFRGI6S.js.map → request-withdrawal-54V4L6CR.js.map} +0 -0
  328. /package/dist/{signer-PNKTBVF7.js.map → revoke-JV26NTQD.js.map} +0 -0
  329. /package/dist/{stale-3JWHNDIY.js.map → signer-AE56T5HE.js.map} +0 -0
  330. /package/dist/{withdraw-accessible-FFS46EOD.js.map → stale-LX4BR43V.js.map} +0 -0
  331. /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-KTRIC6PR.js.map} +0 -0
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/with-audit/sealed-record/active.ts","../../src/with-audit/sealed-record/index.ts"],"sourcesContent":["/**\n * Enable the sealed-record (grantor-side) capability.\n * Pass to `createNoydb({ sealedRecordStrategy: withSealedRecord() })` to make a\n * vault's `sealRecordToHost` / `revokeSealedRecord` / `rotateRecordCek` methods\n * live. The `record-keys` grantor engine is dynamically imported here, so it is\n * reached only via opt-in.\n */\nimport type { SealedRecordStrategy } from './strategy.js'\n\nexport function withSealedRecord(): SealedRecordStrategy {\n return {\n async sealRecordToHost(ctx, collection, id, hostSealer, opts) {\n const { sealRecordToHost } = await import('../../kernel/enclave/index.js')\n return sealRecordToHost(ctx, collection, id, hostSealer, opts)\n },\n async revokeSealedRecord(ctx, collection, id, pid, opts) {\n const { revokeSealedRecord } = await import('../../kernel/enclave/index.js')\n return revokeSealedRecord(ctx, collection, id, pid, opts)\n },\n async rotateRecordCek(ctx, collection, id) {\n const { rotateRecordCek } = await import('../../kernel/enclave/index.js')\n return rotateRecordCek(ctx, collection, id)\n },\n }\n}\n","/**\n * `@noy-db/hub/sealed-record` — host-side opener for record-scoped CEK\n * sealing.\n *\n * The **grantor** side (sealing a record's CEK to a host, revoking, and hard\n * rotation) lives on `Vault` (`vault.sealRecordToHost` /\n * `vault.revokeSealedRecord` / `vault.rotateRecordCek`) because it needs the\n * collection DEK. This subpath exposes the **recipient host** side:\n * {@link openSealedRecord} reconstructs a single record's plaintext from\n * (a) the sealed-CEK delivery envelope, (b) the record's encrypted envelope\n * body, and (c) the host's own unsealer — and **nothing else**. The host never\n * touches a vault DEK and can decrypt exactly the one bound record.\n *\n * @module\n */\n\nimport { decrypt, base64ToBuffer, importCek } from '../../kernel/enclave/index.js'\nimport {\n SealedRecordExpiredError,\n SealedRecordMismatchError,\n} from '../../kernel/errors.js'\nimport type {\n SealedCekDeliveryEnvelope,\n SealedCekBinding,\n} from './types.js'\n\nexport type { SealedCekDeliveryEnvelope, SealedCekBinding } from './types.js'\nexport { SealedRecordExpiredError, SealedRecordMismatchError } from '../../kernel/errors.js'\nexport { withSealedRecord } from './active.js'\nexport { NO_SEALED_RECORD, type SealedRecordStrategy } from './strategy.js'\nexport { SealedRecordNotEnabledError } from '../../kernel/errors.js'\n\n/**\n * Host-side: decrypt a single record whose CEK was sealed to this host by a\n * vault grantor via `vault.sealRecordToHost()`.\n *\n * Verification order (security-critical — do NOT reorder past the unseal):\n * 1. **Fast-path expiry** — reject on the delivery envelope's clear-text\n * `expiresAt` before doing any (potentially expensive) unseal work. This is\n * a hint only.\n * 2. **Unseal** the `payload` with the host's `recipientSealer.unseal` →\n * parse the {@link SealedCekBinding}.\n * 3. **Binding match** — the binding's `{collection, id}` MUST equal the\n * expected pair, else {@link SealedRecordMismatchError}. This is the\n * host-denial boundary (a CEK sealed for record A cannot open record B).\n * 4. **Authoritative expiry** — re-check `binding.expiresAt` (the copy that\n * cannot be forged by editing the delivery envelope), else\n * {@link SealedRecordExpiredError}.\n * 5. **Decrypt** the record body under the unsealed CEK. A CEK from a\n * PRE-rotation seal applied to a POST-rotation live envelope passes (1)-(4)\n * but fails the AES-GCM auth tag → `TamperedError` from `decrypt`.\n *\n * @param sealedCekEnvelope The `SealedCekDeliveryEnvelope` written by the grantor.\n * @param recordEnvelope The record's `{ _iv, _data }` (the encrypted body).\n * @param recipientSealer The host's unsealer (`{ unseal(bytes) }`) — e.g. a\n * KMS-backed sealer or `MemoryRecipientSealer`.\n * @param expectedCollection Collection the caller believes `recordEnvelope` is in.\n * @param expectedId Record id the caller believes `recordEnvelope` is.\n * @returns The decrypted record body as a JSON string.\n */\nexport async function openSealedRecord(\n sealedCekEnvelope: SealedCekDeliveryEnvelope,\n recordEnvelope: { readonly _iv: string; readonly _data: string },\n recipientSealer: { unseal(bytes: Uint8Array): Promise<Uint8Array> },\n expectedCollection: string,\n expectedId: string,\n): Promise<string> {\n // (1) Fast-path expiry on the (unauthenticated) delivery envelope. Fail\n // CLOSED (M-4): a malformed/empty `expiresAt` parses to NaN — treat it as\n // expired rather than letting `NaN <= now` (which is `false`) skip the check.\n const fastT = Date.parse(sealedCekEnvelope.expiresAt)\n if (!Number.isFinite(fastT) || fastT <= Date.now()) {\n throw new SealedRecordExpiredError(sealedCekEnvelope.expiresAt)\n }\n\n // (2) Unseal → parse binding.\n const payloadBytes = base64ToBuffer(sealedCekEnvelope.payload)\n const openedBytes = await recipientSealer.unseal(payloadBytes)\n const binding = JSON.parse(new TextDecoder().decode(openedBytes)) as SealedCekBinding\n\n // (3) Binding match — host-denial boundary.\n if (binding.collection !== expectedCollection || binding.id !== expectedId) {\n throw new SealedRecordMismatchError(\n { collection: expectedCollection, id: expectedId },\n { collection: binding.collection, id: binding.id },\n )\n }\n\n // (4) Authoritative expiry — the copy that cannot be forged on the envelope.\n // Fail CLOSED (M-4): a malformed/empty `expiresAt` → NaN → treat as expired.\n const t = Date.parse(binding.expiresAt)\n if (!Number.isFinite(t) || t <= Date.now()) {\n throw new SealedRecordExpiredError(binding.expiresAt)\n }\n\n // (5) Import the raw CEK + decrypt the body. Wrong-key (pre-rotation CEK vs\n // post-rotation body) surfaces as TamperedError from decrypt's GCM tag check.\n const cek = await importCek(base64ToBuffer(binding.cek))\n return decrypt(recordEnvelope._iv, recordEnvelope._data, cek)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AASO,SAAS,mBAAyC;AACvD,SAAO;AAAA,IACL,MAAM,iBAAiB,KAAK,YAAY,IAAI,YAAY,MAAM;AAC5D,YAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,wBAA+B;AACzE,aAAO,iBAAiB,KAAK,YAAY,IAAI,YAAY,IAAI;AAAA,IAC/D;AAAA,IACA,MAAM,mBAAmB,KAAK,YAAY,IAAI,KAAK,MAAM;AACvD,YAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,wBAA+B;AAC3E,aAAO,mBAAmB,KAAK,YAAY,IAAI,KAAK,IAAI;AAAA,IAC1D;AAAA,IACA,MAAM,gBAAgB,KAAK,YAAY,IAAI;AACzC,YAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,wBAA+B;AACxE,aAAO,gBAAgB,KAAK,YAAY,EAAE;AAAA,IAC5C;AAAA,EACF;AACF;;;ACoCA,eAAsB,iBACpB,mBACA,gBACA,iBACA,oBACA,YACiB;AAIjB,QAAM,QAAQ,KAAK,MAAM,kBAAkB,SAAS;AACpD,MAAI,CAAC,OAAO,SAAS,KAAK,KAAK,SAAS,KAAK,IAAI,GAAG;AAClD,UAAM,IAAI,yBAAyB,kBAAkB,SAAS;AAAA,EAChE;AAGA,QAAM,eAAe,eAAe,kBAAkB,OAAO;AAC7D,QAAM,cAAc,MAAM,gBAAgB,OAAO,YAAY;AAC7D,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,WAAW,CAAC;AAGhE,MAAI,QAAQ,eAAe,sBAAsB,QAAQ,OAAO,YAAY;AAC1E,UAAM,IAAI;AAAA,MACR,EAAE,YAAY,oBAAoB,IAAI,WAAW;AAAA,MACjD,EAAE,YAAY,QAAQ,YAAY,IAAI,QAAQ,GAAG;AAAA,IACnD;AAAA,EACF;AAIA,QAAM,IAAI,KAAK,MAAM,QAAQ,SAAS;AACtC,MAAI,CAAC,OAAO,SAAS,CAAC,KAAK,KAAK,KAAK,IAAI,GAAG;AAC1C,UAAM,IAAI,yBAAyB,QAAQ,SAAS;AAAA,EACtD;AAIA,QAAM,MAAM,MAAM,UAAU,eAAe,QAAQ,GAAG,CAAC;AACvD,SAAO,QAAQ,eAAe,KAAK,eAAe,OAAO,GAAG;AAC9D;","names":[]}
1
+ {"version":3,"sources":["../../src/with-audit/sealed-record/active.ts","../../src/with-audit/sealed-record/index.ts"],"sourcesContent":["/**\n * Enable the sealed-record (grantor-side) capability.\n * Pass to `createNoydb({ sealedRecordStrategy: withSealedRecord() })` to make a\n * vault's `sealRecordToHost` / `revokeSealedRecord` / `rotateRecordCek` methods\n * live. The `record-keys` grantor engine is dynamically imported here, so it is\n * reached only via opt-in.\n */\nimport type { SealedRecordStrategy } from './strategy.js'\n\nexport function withSealedRecord(): SealedRecordStrategy {\n return {\n async sealRecordToHost(ctx, collection, id, hostSealer, opts) {\n const { sealRecordToHost } = await import('../../kernel/enclave/index.js')\n return sealRecordToHost(ctx, collection, id, hostSealer, opts)\n },\n async revokeSealedRecord(ctx, collection, id, pid, opts) {\n const { revokeSealedRecord } = await import('../../kernel/enclave/index.js')\n return revokeSealedRecord(ctx, collection, id, pid, opts)\n },\n async rotateRecordCek(ctx, collection, id) {\n const { rotateRecordCek } = await import('../../kernel/enclave/index.js')\n return rotateRecordCek(ctx, collection, id)\n },\n }\n}\n","/**\n * `@noy-db/hub/sealed-record` — host-side opener for record-scoped CEK\n * sealing.\n *\n * The **grantor** side (sealing a record's CEK to a host, revoking, and hard\n * rotation) lives on `Vault` (`vault.sealRecordToHost` /\n * `vault.revokeSealedRecord` / `vault.rotateRecordCek`) because it needs the\n * collection DEK. This subpath exposes the **recipient host** side:\n * {@link openSealedRecord} reconstructs a single record's plaintext from\n * (a) the sealed-CEK delivery envelope, (b) the record's encrypted envelope\n * body, and (c) the host's own unsealer — and **nothing else**. The host never\n * touches a vault DEK and can decrypt exactly the one bound record.\n *\n * @module\n */\n\nimport { decrypt, base64ToBuffer, importCek } from '../../kernel/enclave/index.js'\nimport {\n SealedRecordExpiredError,\n SealedRecordMismatchError,\n} from '../../kernel/errors.js'\nimport type {\n SealedCekDeliveryEnvelope,\n SealedCekBinding,\n} from './types.js'\n\nexport type { SealedCekDeliveryEnvelope, SealedCekBinding } from './types.js'\nexport { SealedRecordExpiredError, SealedRecordMismatchError } from '../../kernel/errors.js'\nexport { withSealedRecord } from './active.js'\nexport { NO_SEALED_RECORD, type SealedRecordStrategy } from './strategy.js'\nexport { SealedRecordNotEnabledError } from '../../kernel/errors.js'\n\n/**\n * Host-side: decrypt a single record whose CEK was sealed to this host by a\n * vault grantor via `vault.sealRecordToHost()`.\n *\n * Verification order (security-critical — do NOT reorder past the unseal):\n * 1. **Fast-path expiry** — reject on the delivery envelope's clear-text\n * `expiresAt` before doing any (potentially expensive) unseal work. This is\n * a hint only.\n * 2. **Unseal** the `payload` with the host's `recipientSealer.unseal` →\n * parse the {@link SealedCekBinding}.\n * 3. **Binding match** — the binding's `{collection, id}` MUST equal the\n * expected pair, else {@link SealedRecordMismatchError}. This is the\n * host-denial boundary (a CEK sealed for record A cannot open record B).\n * 4. **Authoritative expiry** — re-check `binding.expiresAt` (the copy that\n * cannot be forged by editing the delivery envelope), else\n * {@link SealedRecordExpiredError}.\n * 5. **Decrypt** the record body under the unsealed CEK. A CEK from a\n * PRE-rotation seal applied to a POST-rotation live envelope passes (1)-(4)\n * but fails the AES-GCM auth tag → `TamperedError` from `decrypt`.\n *\n * @param sealedCekEnvelope The `SealedCekDeliveryEnvelope` written by the grantor.\n * @param recordEnvelope The record's `{ _iv, _data }` (the encrypted body).\n * @param recipientSealer The host's unsealer (`{ unseal(bytes) }`) — e.g. a\n * KMS-backed sealer or `MemoryRecipientSealer`.\n * @param expectedCollection Collection the caller believes `recordEnvelope` is in.\n * @param expectedId Record id the caller believes `recordEnvelope` is.\n * @returns The decrypted record body as a JSON string.\n */\nexport async function openSealedRecord(\n sealedCekEnvelope: SealedCekDeliveryEnvelope,\n recordEnvelope: { readonly _iv: string; readonly _data: string },\n recipientSealer: { unseal(bytes: Uint8Array): Promise<Uint8Array> },\n expectedCollection: string,\n expectedId: string,\n): Promise<string> {\n // (1) Fast-path expiry on the (unauthenticated) delivery envelope. Fail\n // CLOSED (M-4): a malformed/empty `expiresAt` parses to NaN — treat it as\n // expired rather than letting `NaN <= now` (which is `false`) skip the check.\n const fastT = Date.parse(sealedCekEnvelope.expiresAt)\n if (!Number.isFinite(fastT) || fastT <= Date.now()) {\n throw new SealedRecordExpiredError(sealedCekEnvelope.expiresAt)\n }\n\n // (2) Unseal → parse binding.\n const payloadBytes = base64ToBuffer(sealedCekEnvelope.payload)\n const openedBytes = await recipientSealer.unseal(payloadBytes)\n const binding = JSON.parse(new TextDecoder().decode(openedBytes)) as SealedCekBinding\n\n // (3) Binding match — host-denial boundary.\n if (binding.collection !== expectedCollection || binding.id !== expectedId) {\n throw new SealedRecordMismatchError(\n { collection: expectedCollection, id: expectedId },\n { collection: binding.collection, id: binding.id },\n )\n }\n\n // (4) Authoritative expiry — the copy that cannot be forged on the envelope.\n // Fail CLOSED (M-4): a malformed/empty `expiresAt` → NaN → treat as expired.\n const t = Date.parse(binding.expiresAt)\n if (!Number.isFinite(t) || t <= Date.now()) {\n throw new SealedRecordExpiredError(binding.expiresAt)\n }\n\n // (5) Import the raw CEK + decrypt the body. Wrong-key (pre-rotation CEK vs\n // post-rotation body) surfaces as TamperedError from decrypt's GCM tag check.\n const cek = await importCek(base64ToBuffer(binding.cek))\n return decrypt(recordEnvelope._iv, recordEnvelope._data, cek)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AASO,SAAS,mBAAyC;AACvD,SAAO;AAAA,IACL,MAAM,iBAAiB,KAAK,YAAY,IAAI,YAAY,MAAM;AAC5D,YAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,wBAA+B;AACzE,aAAO,iBAAiB,KAAK,YAAY,IAAI,YAAY,IAAI;AAAA,IAC/D;AAAA,IACA,MAAM,mBAAmB,KAAK,YAAY,IAAI,KAAK,MAAM;AACvD,YAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,wBAA+B;AAC3E,aAAO,mBAAmB,KAAK,YAAY,IAAI,KAAK,IAAI;AAAA,IAC1D;AAAA,IACA,MAAM,gBAAgB,KAAK,YAAY,IAAI;AACzC,YAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,wBAA+B;AACxE,aAAO,gBAAgB,KAAK,YAAY,EAAE;AAAA,IAC5C;AAAA,EACF;AACF;;;ACoCA,eAAsB,iBACpB,mBACA,gBACA,iBACA,oBACA,YACiB;AAIjB,QAAM,QAAQ,KAAK,MAAM,kBAAkB,SAAS;AACpD,MAAI,CAAC,OAAO,SAAS,KAAK,KAAK,SAAS,KAAK,IAAI,GAAG;AAClD,UAAM,IAAI,yBAAyB,kBAAkB,SAAS;AAAA,EAChE;AAGA,QAAM,eAAe,eAAe,kBAAkB,OAAO;AAC7D,QAAM,cAAc,MAAM,gBAAgB,OAAO,YAAY;AAC7D,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,WAAW,CAAC;AAGhE,MAAI,QAAQ,eAAe,sBAAsB,QAAQ,OAAO,YAAY;AAC1E,UAAM,IAAI;AAAA,MACR,EAAE,YAAY,oBAAoB,IAAI,WAAW;AAAA,MACjD,EAAE,YAAY,QAAQ,YAAY,IAAI,QAAQ,GAAG;AAAA,IACnD;AAAA,EACF;AAIA,QAAM,IAAI,KAAK,MAAM,QAAQ,SAAS;AACtC,MAAI,CAAC,OAAO,SAAS,CAAC,KAAK,KAAK,KAAK,IAAI,GAAG;AAC1C,UAAM,IAAI,yBAAyB,QAAQ,SAAS;AAAA,EACtD;AAIA,QAAM,MAAM,MAAM,UAAU,eAAe,QAAQ,GAAG,CAAC;AACvD,SAAO,QAAQ,eAAe,KAAK,eAAe,OAAO,GAAG;AAC9D;","names":[]}
@@ -1,8 +1,8 @@
1
- export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from '../dev-unlock-h0K-UZTk.js';
2
- import { H as SessionStrategy } from '../index-_6At2_9_.js';
3
- export { P as PolicyEnforcer, J as SessionExpiredError, K as SessionNotFoundError, N as SessionPolicyError, Q as createEnforcer, W as validateSessionPolicy } from '../index-_6At2_9_.js';
1
+ export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from '../dev-unlock-B_s9DUWa.js';
2
+ import { H as SessionStrategy } from '../index-D05bV0_g.js';
3
+ export { P as PolicyEnforcer, J as SessionExpiredError, K as SessionNotFoundError, N as SessionPolicyError, Q as createEnforcer, W as validateSessionPolicy } from '../index-D05bV0_g.js';
4
4
  import '../subject-index-O75wKshW.js';
5
- import '../describe-Ccd1hS7a.js';
5
+ import '../describe-0tiXAjoO.js';
6
6
  import '../index-B9QdHytu.js';
7
7
  import '@noy-db/attestation';
8
8
 
@@ -12,15 +12,18 @@ import {
12
12
  revokeAllSessions,
13
13
  revokeSession,
14
14
  validateSessionPolicy
15
- } from "../chunk-UAG5KWVA.js";
15
+ } from "../chunk-PJDK2PPQ.js";
16
16
  import "../chunk-ZJADGNYF.js";
17
- import "../chunk-5O3AOPDT.js";
18
- import "../chunk-5TDJ56JE.js";
17
+ import "../chunk-5EZAJEES.js";
18
+ import "../chunk-6RASM2J4.js";
19
+ import "../chunk-CPAROOKP.js";
20
+ import "../chunk-L4IRFTIF.js";
21
+ import "../chunk-OCDUQUAP.js";
19
22
  import {
20
23
  SessionExpiredError,
21
24
  SessionNotFoundError,
22
25
  SessionPolicyError
23
- } from "../chunk-ZYUC53LT.js";
26
+ } from "../chunk-BLZRNHMG.js";
24
27
  import "../chunk-PZ5AY32C.js";
25
28
 
26
29
  // src/with-party/session/active.ts
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/with-party/session/active.ts"],"sourcesContent":["/**\n * Active session strategy — `withSession()` returns the real\n * implementation that wires `SessionPolicy` validation, the\n * `PolicyEnforcer`, and the global session-token registry into the\n * Noydb lifecycle.\n *\n * Consumers opt in by:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withSession } from '@noy-db/hub/session'\n *\n * const db = await createNoydb({\n * store: ...,\n * user: ...,\n * sessionPolicy: { idleTimeoutMs: 15 * 60_000 },\n * sessionStrategy: withSession(),\n * })\n * ```\n *\n * The factory delegates to the existing `session-policy.ts` and\n * `session.ts` modules. Splitting the import chain through this file\n * is what lets tsup tree-shake the ~495 LOC of policy + token code\n * out of the default bundle when no `withSession()` import is\n * present.\n *\n * Note: dev-unlock (`devUnlock`, `cancelDevUnlock`) is a separate\n * named import from `@noy-db/hub` and tree-shakes independently —\n * apps that don't import it never include it.\n *\n * @public\n */\n\nimport type { SessionStrategy } from './strategy.js'\nimport { createEnforcer, validateSessionPolicy } from './session-policy.js'\nimport { revokeAllSessions } from './session.js'\n\nexport function withSession(): SessionStrategy {\n return {\n validateSessionPolicy,\n createEnforcer,\n revokeAllSessions,\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAqCO,SAAS,cAA+B;AAC7C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../src/with-party/session/active.ts"],"sourcesContent":["/**\n * Active session strategy — `withSession()` returns the real\n * implementation that wires `SessionPolicy` validation, the\n * `PolicyEnforcer`, and the global session-token registry into the\n * Noydb lifecycle.\n *\n * Consumers opt in by:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withSession } from '@noy-db/hub/session'\n *\n * const db = await createNoydb({\n * store: ...,\n * user: ...,\n * sessionPolicy: { idleTimeoutMs: 15 * 60_000 },\n * sessionStrategy: withSession(),\n * })\n * ```\n *\n * The factory delegates to the existing `session-policy.ts` and\n * `session.ts` modules. Splitting the import chain through this file\n * is what lets tsup tree-shake the ~495 LOC of policy + token code\n * out of the default bundle when no `withSession()` import is\n * present.\n *\n * Note: dev-unlock (`devUnlock`, `cancelDevUnlock`) is a separate\n * named import from `@noy-db/hub` and tree-shakes independently —\n * apps that don't import it never include it.\n *\n * @public\n */\n\nimport type { SessionStrategy } from './strategy.js'\nimport { createEnforcer, validateSessionPolicy } from './session-policy.js'\nimport { revokeAllSessions } from './session.js'\n\nexport function withSession(): SessionStrategy {\n return {\n validateSessionPolicy,\n createEnforcer,\n revokeAllSessions,\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCO,SAAS,cAA+B;AAC7C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}
@@ -1,7 +1,7 @@
1
- import { bU as ShadowStrategy } from '../index-_6At2_9_.js';
2
- export { bV as CollectionFrame, bW as VaultFrame } from '../index-_6At2_9_.js';
1
+ import { bU as ShadowStrategy } from '../index-D05bV0_g.js';
2
+ export { bV as CollectionFrame, bW as VaultFrame } from '../index-D05bV0_g.js';
3
3
  import '../subject-index-O75wKshW.js';
4
- import '../describe-Ccd1hS7a.js';
4
+ import '../describe-0tiXAjoO.js';
5
5
  import '../index-B9QdHytu.js';
6
6
  import '@noy-db/attestation';
7
7
 
@@ -1,8 +1,8 @@
1
1
  import {
2
2
  CollectionFrame,
3
3
  VaultFrame
4
- } from "../chunk-NF5JWERG.js";
5
- import "../chunk-ZYUC53LT.js";
4
+ } from "../chunk-BZIWKN74.js";
5
+ import "../chunk-BLZRNHMG.js";
6
6
  import "../chunk-PZ5AY32C.js";
7
7
 
8
8
  // src/with-fork/shadow/active.ts
@@ -4,10 +4,13 @@ import {
4
4
  SIGNER_RECORD_ID,
5
5
  loadOrCreateSigner,
6
6
  loadSigner
7
- } from "./chunk-JNUWZ6D3.js";
8
- import "./chunk-5O3AOPDT.js";
9
- import "./chunk-5TDJ56JE.js";
10
- import "./chunk-ZYUC53LT.js";
7
+ } from "./chunk-E4YJUNPU.js";
8
+ import "./chunk-5EZAJEES.js";
9
+ import "./chunk-6RASM2J4.js";
10
+ import "./chunk-CPAROOKP.js";
11
+ import "./chunk-L4IRFTIF.js";
12
+ import "./chunk-OCDUQUAP.js";
13
+ import "./chunk-BLZRNHMG.js";
11
14
  import "./chunk-PZ5AY32C.js";
12
15
  export {
13
16
  ATTESTATIONS_COLLECTION,
@@ -16,4 +19,4 @@ export {
16
19
  loadOrCreateSigner,
17
20
  loadSigner
18
21
  };
19
- //# sourceMappingURL=signer-PNKTBVF7.js.map
22
+ //# sourceMappingURL=signer-AE56T5HE.js.map
@@ -1,7 +1,7 @@
1
- import { bX as NoydbPodStore, bY as RetentionPolicy, bZ as SnapshotPolicy, b_ as SnapshotStrategy } from '../index-_6At2_9_.js';
2
- export { b$ as SnapshotMeta, c0 as SnapshotMode, c1 as SnapshotNotFoundError } from '../index-_6At2_9_.js';
1
+ import { bX as NoydbPodStore, bY as RetentionPolicy, bZ as SnapshotPolicy, b_ as SnapshotStrategy } from '../index-D05bV0_g.js';
2
+ export { b$ as SnapshotMeta, c0 as SnapshotMode, c1 as SnapshotNotFoundError } from '../index-D05bV0_g.js';
3
3
  import '../subject-index-O75wKshW.js';
4
- import '../describe-Ccd1hS7a.js';
4
+ import '../describe-0tiXAjoO.js';
5
5
  import '../index-B9QdHytu.js';
6
6
  import '@noy-db/attestation';
7
7
 
@@ -1,13 +1,16 @@
1
1
  import {
2
2
  readPod,
3
3
  writePod
4
- } from "../chunk-FISN7WE4.js";
5
- import "../chunk-SMXWYP24.js";
6
- import "../chunk-5O3AOPDT.js";
7
- import "../chunk-5TDJ56JE.js";
4
+ } from "../chunk-3UDPDRUC.js";
5
+ import "../chunk-VBYVKOMJ.js";
6
+ import "../chunk-5EZAJEES.js";
7
+ import "../chunk-6RASM2J4.js";
8
+ import "../chunk-CPAROOKP.js";
9
+ import "../chunk-L4IRFTIF.js";
10
+ import "../chunk-OCDUQUAP.js";
8
11
  import {
9
12
  SnapshotNotFoundError
10
- } from "../chunk-ZYUC53LT.js";
13
+ } from "../chunk-BLZRNHMG.js";
11
14
  import "../chunk-PZ5AY32C.js";
12
15
 
13
16
  // src/with-fork/snapshots/engine.ts
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/with-fork/snapshots/engine.ts","../../src/with-fork/snapshots/active.ts"],"sourcesContent":["import { writePod, readPod } from '../../with-pod/bundle.js'\nimport { SnapshotNotFoundError } from '../../kernel/errors.js'\nimport type { NoydbPodStore } from '../../kernel/types.js'\nimport type { Vault } from '../../kernel/vault.js'\nimport type { SnapshotMeta, RetentionPolicy, SnapshotIndex } from './strategy.js'\n\nexport class SnapshotEngine {\n constructor(\n private readonly store: NoydbPodStore,\n private readonly retention: RetentionPolicy,\n ) {}\n\n private indexKey(vaultName: string): string {\n return `${vaultName}__index`\n }\n\n private snapKey(vaultName: string, n: number): string {\n return `${vaultName}__snap_${n.toString().padStart(6, '0')}`\n }\n\n private autoKey(vaultName: string): string {\n return `${vaultName}__auto`\n }\n\n private async readIndex(\n vaultName: string,\n ): Promise<{ index: SnapshotIndex; indexVersion: string | null }> {\n const result = await this.store.readBundle(this.indexKey(vaultName))\n if (!result) return { index: { snapshots: [], nextCounter: 1 }, indexVersion: null }\n const text = new TextDecoder().decode(result.bytes)\n return { index: JSON.parse(text) as SnapshotIndex, indexVersion: result.version }\n }\n\n private async writeIndex(\n vaultName: string,\n index: SnapshotIndex,\n expectedVersion: string | null,\n ): Promise<void> {\n const bytes = new TextEncoder().encode(JSON.stringify(index))\n await this.store.writeBundle(this.indexKey(vaultName), bytes, expectedVersion)\n }\n\n async snapshot(\n vault: Vault,\n by: string,\n opts?: { label?: string; note?: string },\n ): Promise<SnapshotMeta> {\n const bytes = await writePod(vault, {})\n const { index, indexVersion } = await this.readIndex(vault.name)\n const key = this.snapKey(vault.name, index.nextCounter)\n\n // Write blob first. If the subsequent index write fails, the next snapshot()\n // call will re-derive the same key (counter not persisted) and overwrite this blob.\n // This is an accepted v1 trade-off: failure window is narrow and requires a store\n // error between the two writes. A retry produces a fresh snapshot at the same key.\n await this.store.writeBundle(key, bytes, null)\n\n const meta: SnapshotMeta = {\n version: key,\n ...(opts?.label !== undefined ? { label: opts.label } : {}),\n ...(opts?.note !== undefined ? { note: opts.note } : {}),\n exportedAt: new Date().toISOString(),\n exportedBy: by,\n size: bytes.length,\n integrity: 'verified',\n }\n\n const newIndex: SnapshotIndex = {\n snapshots: [...index.snapshots, meta],\n nextCounter: index.nextCounter + 1,\n // Preserve the rolling auto slot — on-demand snapshots never touch it.\n ...(index.auto ? { auto: index.auto } : {}),\n }\n const toDelete = this.applyRetention(newIndex)\n await this.writeIndex(vault.name, newIndex, indexVersion)\n\n for (const k of toDelete) {\n await this.store.deleteBundle(k)\n }\n\n return meta\n }\n\n /**\n * Rolling auto-snapshot. Overwrites the single fixed `<vault>__auto` key and\n * stores its meta in `index.auto`, separate from the immutable `snapshots`\n * pool — retention never prunes it. Used by the cadence scheduler.\n */\n async autoSnapshot(\n vault: Vault,\n by: string,\n opts?: { label?: string; note?: string },\n ): Promise<SnapshotMeta> {\n const bytes = await writePod(vault, {})\n const { index, indexVersion } = await this.readIndex(vault.name)\n const key = this.autoKey(vault.name)\n\n // Unconditional overwrite of the rolling slot.\n await this.store.writeBundle(key, bytes, null)\n\n const meta: SnapshotMeta = {\n version: key,\n label: opts?.label ?? 'auto',\n ...(opts?.note !== undefined ? { note: opts.note } : {}),\n exportedAt: new Date().toISOString(),\n exportedBy: by,\n size: bytes.length,\n integrity: 'verified',\n auto: true,\n }\n\n index.auto = meta\n await this.writeIndex(vault.name, index, indexVersion)\n return meta\n }\n\n async listSnapshots(vaultId: string): Promise<SnapshotMeta[]> {\n const { index } = await this.readIndex(vaultId)\n const immutable = [...index.snapshots].reverse()\n return index.auto ? [index.auto, ...immutable] : immutable\n }\n\n async restoreSnapshot(vault: Vault, version: string): Promise<void> {\n if (!version.startsWith(`${vault.name}__`)) throw new SnapshotNotFoundError(version)\n const result = await this.store.readBundle(version)\n if (!result) throw new SnapshotNotFoundError(version)\n const { dumpJson } = await readPod(result.bytes)\n await vault.load(dumpJson)\n }\n\n /**\n * Applies the configured retention policy to `index`, mutating `index.snapshots`\n * in place and returning the blob keys that should be deleted from the store.\n * Called by `snapshot()` before the index is written.\n *\n * @internal — public for direct testing only\n */\n applyRetention(index: SnapshotIndex): string[] {\n const prune = this.retention.prune ?? true\n if (!prune) return []\n\n const toDelete: string[] = []\n let remaining = index.snapshots.slice()\n\n if (this.retention.keepLast !== undefined && remaining.length > this.retention.keepLast) {\n const excess = remaining.splice(0, remaining.length - this.retention.keepLast)\n toDelete.push(...excess.map(m => m.version))\n }\n\n if (this.retention.maxAgeDays !== undefined) {\n const cutoffMs = this.retention.maxAgeDays * 86_400_000\n const now = Date.now()\n const fresh = remaining.filter(m => now - new Date(m.exportedAt).getTime() <= cutoffMs)\n toDelete.push(...remaining.filter(m => !fresh.includes(m)).map(m => m.version))\n remaining = fresh\n }\n\n index.snapshots = remaining\n return toDelete\n }\n}\n","import { SnapshotEngine } from './engine.js'\nimport type { SnapshotStrategy, RetentionPolicy } from './strategy.js'\nimport type { SnapshotPolicy } from './policy.js'\nimport type { NoydbPodStore } from '../../kernel/types.js'\nimport type { Vault } from '../../kernel/vault.js'\n\nexport interface WithSnapshotsOptions {\n /** Bundle store where snapshot blobs and the sidecar index are written. */\n store: NoydbPodStore\n /**\n * Declarative retention policy. Enforced eagerly after each on-demand `snapshot()`.\n * Defaults to no retention (all on-demand snapshots kept forever). Never affects\n * the rolling auto-snapshot.\n */\n retention?: RetentionPolicy\n /**\n * Automatic-snapshot cadence. Default `mode:'manual'` ⇒ no timers; snapshots\n * stay on-demand. Set `mode:'debounce'`/`'interval'` to enable auto-snapshots\n * to the rolling `<vault>__auto` key.\n */\n snapshotPolicy?: SnapshotPolicy\n}\n\nexport function withSnapshots(opts: WithSnapshotsOptions): SnapshotStrategy {\n const engine = new SnapshotEngine(opts.store, opts.retention ?? {})\n return {\n snapshot(vault, by, snapOpts) {\n return engine.snapshot(vault as Vault, by, snapOpts)\n },\n listSnapshots(vaultId) {\n return engine.listSnapshots(vaultId)\n },\n restoreSnapshot(vault, version) {\n return engine.restoreSnapshot(vault as Vault, version)\n },\n autoSnapshot(vault, by, snapOpts) {\n return engine.autoSnapshot(vault as Vault, by, snapOpts)\n },\n ...(opts.snapshotPolicy ? { policy: opts.snapshotPolicy } : {}),\n }\n}\n"],"mappings":";;;;;;;;;;;;;AAMO,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YACmB,OACA,WACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAGX,SAAS,WAA2B;AAC1C,WAAO,GAAG,SAAS;AAAA,EACrB;AAAA,EAEQ,QAAQ,WAAmB,GAAmB;AACpD,WAAO,GAAG,SAAS,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,GAAG,CAAC;AAAA,EAC5D;AAAA,EAEQ,QAAQ,WAA2B;AACzC,WAAO,GAAG,SAAS;AAAA,EACrB;AAAA,EAEA,MAAc,UACZ,WACgE;AAChE,UAAM,SAAS,MAAM,KAAK,MAAM,WAAW,KAAK,SAAS,SAAS,CAAC;AACnE,QAAI,CAAC,OAAQ,QAAO,EAAE,OAAO,EAAE,WAAW,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,KAAK;AACnF,UAAM,OAAO,IAAI,YAAY,EAAE,OAAO,OAAO,KAAK;AAClD,WAAO,EAAE,OAAO,KAAK,MAAM,IAAI,GAAoB,cAAc,OAAO,QAAQ;AAAA,EAClF;AAAA,EAEA,MAAc,WACZ,WACA,OACA,iBACe;AACf,UAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,KAAK,CAAC;AAC5D,UAAM,KAAK,MAAM,YAAY,KAAK,SAAS,SAAS,GAAG,OAAO,eAAe;AAAA,EAC/E;AAAA,EAEA,MAAM,SACJ,OACA,IACA,MACuB;AACvB,UAAM,QAAQ,MAAM,SAAS,OAAO,CAAC,CAAC;AACtC,UAAM,EAAE,OAAO,aAAa,IAAI,MAAM,KAAK,UAAU,MAAM,IAAI;AAC/D,UAAM,MAAM,KAAK,QAAQ,MAAM,MAAM,MAAM,WAAW;AAMtD,UAAM,KAAK,MAAM,YAAY,KAAK,OAAO,IAAI;AAE7C,UAAM,OAAqB;AAAA,MACzB,SAAS;AAAA,MACT,GAAI,MAAM,UAAU,SAAY,EAAE,OAAO,KAAK,MAAM,IAAI,CAAC;AAAA,MACzD,GAAI,MAAM,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,MACtD,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnC,YAAY;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,WAAW;AAAA,IACb;AAEA,UAAM,WAA0B;AAAA,MAC9B,WAAW,CAAC,GAAG,MAAM,WAAW,IAAI;AAAA,MACpC,aAAa,MAAM,cAAc;AAAA;AAAA,MAEjC,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,KAAK,IAAI,CAAC;AAAA,IAC3C;AACA,UAAM,WAAW,KAAK,eAAe,QAAQ;AAC7C,UAAM,KAAK,WAAW,MAAM,MAAM,UAAU,YAAY;AAExD,eAAW,KAAK,UAAU;AACxB,YAAM,KAAK,MAAM,aAAa,CAAC;AAAA,IACjC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,aACJ,OACA,IACA,MACuB;AACvB,UAAM,QAAQ,MAAM,SAAS,OAAO,CAAC,CAAC;AACtC,UAAM,EAAE,OAAO,aAAa,IAAI,MAAM,KAAK,UAAU,MAAM,IAAI;AAC/D,UAAM,MAAM,KAAK,QAAQ,MAAM,IAAI;AAGnC,UAAM,KAAK,MAAM,YAAY,KAAK,OAAO,IAAI;AAE7C,UAAM,OAAqB;AAAA,MACzB,SAAS;AAAA,MACT,OAAO,MAAM,SAAS;AAAA,MACtB,GAAI,MAAM,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,MACtD,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnC,YAAY;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAEA,UAAM,OAAO;AACb,UAAM,KAAK,WAAW,MAAM,MAAM,OAAO,YAAY;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,SAA0C;AAC5D,UAAM,EAAE,MAAM,IAAI,MAAM,KAAK,UAAU,OAAO;AAC9C,UAAM,YAAY,CAAC,GAAG,MAAM,SAAS,EAAE,QAAQ;AAC/C,WAAO,MAAM,OAAO,CAAC,MAAM,MAAM,GAAG,SAAS,IAAI;AAAA,EACnD;AAAA,EAEA,MAAM,gBAAgB,OAAc,SAAgC;AAClE,QAAI,CAAC,QAAQ,WAAW,GAAG,MAAM,IAAI,IAAI,EAAG,OAAM,IAAI,sBAAsB,OAAO;AACnF,UAAM,SAAS,MAAM,KAAK,MAAM,WAAW,OAAO;AAClD,QAAI,CAAC,OAAQ,OAAM,IAAI,sBAAsB,OAAO;AACpD,UAAM,EAAE,SAAS,IAAI,MAAM,QAAQ,OAAO,KAAK;AAC/C,UAAM,MAAM,KAAK,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,eAAe,OAAgC;AAC7C,UAAM,QAAQ,KAAK,UAAU,SAAS;AACtC,QAAI,CAAC,MAAO,QAAO,CAAC;AAEpB,UAAM,WAAqB,CAAC;AAC5B,QAAI,YAAY,MAAM,UAAU,MAAM;AAEtC,QAAI,KAAK,UAAU,aAAa,UAAa,UAAU,SAAS,KAAK,UAAU,UAAU;AACvF,YAAM,SAAS,UAAU,OAAO,GAAG,UAAU,SAAS,KAAK,UAAU,QAAQ;AAC7E,eAAS,KAAK,GAAG,OAAO,IAAI,OAAK,EAAE,OAAO,CAAC;AAAA,IAC7C;AAEA,QAAI,KAAK,UAAU,eAAe,QAAW;AAC3C,YAAM,WAAW,KAAK,UAAU,aAAa;AAC7C,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,QAAQ,UAAU,OAAO,OAAK,MAAM,IAAI,KAAK,EAAE,UAAU,EAAE,QAAQ,KAAK,QAAQ;AACtF,eAAS,KAAK,GAAG,UAAU,OAAO,OAAK,CAAC,MAAM,SAAS,CAAC,CAAC,EAAE,IAAI,OAAK,EAAE,OAAO,CAAC;AAC9E,kBAAY;AAAA,IACd;AAEA,UAAM,YAAY;AAClB,WAAO;AAAA,EACT;AACF;;;ACzIO,SAAS,cAAc,MAA8C;AAC1E,QAAM,SAAS,IAAI,eAAe,KAAK,OAAO,KAAK,aAAa,CAAC,CAAC;AAClE,SAAO;AAAA,IACL,SAAS,OAAO,IAAI,UAAU;AAC5B,aAAO,OAAO,SAAS,OAAgB,IAAI,QAAQ;AAAA,IACrD;AAAA,IACA,cAAc,SAAS;AACrB,aAAO,OAAO,cAAc,OAAO;AAAA,IACrC;AAAA,IACA,gBAAgB,OAAO,SAAS;AAC9B,aAAO,OAAO,gBAAgB,OAAgB,OAAO;AAAA,IACvD;AAAA,IACA,aAAa,OAAO,IAAI,UAAU;AAChC,aAAO,OAAO,aAAa,OAAgB,IAAI,QAAQ;AAAA,IACzD;AAAA,IACA,GAAI,KAAK,iBAAiB,EAAE,QAAQ,KAAK,eAAe,IAAI,CAAC;AAAA,EAC/D;AACF;","names":[]}
1
+ {"version":3,"sources":["../../src/with-fork/snapshots/engine.ts","../../src/with-fork/snapshots/active.ts"],"sourcesContent":["import { writePod, readPod } from '../../with-pod/bundle.js'\nimport { SnapshotNotFoundError } from '../../kernel/errors.js'\nimport type { NoydbPodStore } from '../../kernel/types.js'\nimport type { Vault } from '../../kernel/vault.js'\nimport type { SnapshotMeta, RetentionPolicy, SnapshotIndex } from './strategy.js'\n\nexport class SnapshotEngine {\n constructor(\n private readonly store: NoydbPodStore,\n private readonly retention: RetentionPolicy,\n ) {}\n\n private indexKey(vaultName: string): string {\n return `${vaultName}__index`\n }\n\n private snapKey(vaultName: string, n: number): string {\n return `${vaultName}__snap_${n.toString().padStart(6, '0')}`\n }\n\n private autoKey(vaultName: string): string {\n return `${vaultName}__auto`\n }\n\n private async readIndex(\n vaultName: string,\n ): Promise<{ index: SnapshotIndex; indexVersion: string | null }> {\n const result = await this.store.readBundle(this.indexKey(vaultName))\n if (!result) return { index: { snapshots: [], nextCounter: 1 }, indexVersion: null }\n const text = new TextDecoder().decode(result.bytes)\n return { index: JSON.parse(text) as SnapshotIndex, indexVersion: result.version }\n }\n\n private async writeIndex(\n vaultName: string,\n index: SnapshotIndex,\n expectedVersion: string | null,\n ): Promise<void> {\n const bytes = new TextEncoder().encode(JSON.stringify(index))\n await this.store.writeBundle(this.indexKey(vaultName), bytes, expectedVersion)\n }\n\n async snapshot(\n vault: Vault,\n by: string,\n opts?: { label?: string; note?: string },\n ): Promise<SnapshotMeta> {\n const bytes = await writePod(vault, {})\n const { index, indexVersion } = await this.readIndex(vault.name)\n const key = this.snapKey(vault.name, index.nextCounter)\n\n // Write blob first. If the subsequent index write fails, the next snapshot()\n // call will re-derive the same key (counter not persisted) and overwrite this blob.\n // This is an accepted v1 trade-off: failure window is narrow and requires a store\n // error between the two writes. A retry produces a fresh snapshot at the same key.\n await this.store.writeBundle(key, bytes, null)\n\n const meta: SnapshotMeta = {\n version: key,\n ...(opts?.label !== undefined ? { label: opts.label } : {}),\n ...(opts?.note !== undefined ? { note: opts.note } : {}),\n exportedAt: new Date().toISOString(),\n exportedBy: by,\n size: bytes.length,\n integrity: 'verified',\n }\n\n const newIndex: SnapshotIndex = {\n snapshots: [...index.snapshots, meta],\n nextCounter: index.nextCounter + 1,\n // Preserve the rolling auto slot — on-demand snapshots never touch it.\n ...(index.auto ? { auto: index.auto } : {}),\n }\n const toDelete = this.applyRetention(newIndex)\n await this.writeIndex(vault.name, newIndex, indexVersion)\n\n for (const k of toDelete) {\n await this.store.deleteBundle(k)\n }\n\n return meta\n }\n\n /**\n * Rolling auto-snapshot. Overwrites the single fixed `<vault>__auto` key and\n * stores its meta in `index.auto`, separate from the immutable `snapshots`\n * pool — retention never prunes it. Used by the cadence scheduler.\n */\n async autoSnapshot(\n vault: Vault,\n by: string,\n opts?: { label?: string; note?: string },\n ): Promise<SnapshotMeta> {\n const bytes = await writePod(vault, {})\n const { index, indexVersion } = await this.readIndex(vault.name)\n const key = this.autoKey(vault.name)\n\n // Unconditional overwrite of the rolling slot.\n await this.store.writeBundle(key, bytes, null)\n\n const meta: SnapshotMeta = {\n version: key,\n label: opts?.label ?? 'auto',\n ...(opts?.note !== undefined ? { note: opts.note } : {}),\n exportedAt: new Date().toISOString(),\n exportedBy: by,\n size: bytes.length,\n integrity: 'verified',\n auto: true,\n }\n\n index.auto = meta\n await this.writeIndex(vault.name, index, indexVersion)\n return meta\n }\n\n async listSnapshots(vaultId: string): Promise<SnapshotMeta[]> {\n const { index } = await this.readIndex(vaultId)\n const immutable = [...index.snapshots].reverse()\n return index.auto ? [index.auto, ...immutable] : immutable\n }\n\n async restoreSnapshot(vault: Vault, version: string): Promise<void> {\n if (!version.startsWith(`${vault.name}__`)) throw new SnapshotNotFoundError(version)\n const result = await this.store.readBundle(version)\n if (!result) throw new SnapshotNotFoundError(version)\n const { dumpJson } = await readPod(result.bytes)\n await vault.load(dumpJson)\n }\n\n /**\n * Applies the configured retention policy to `index`, mutating `index.snapshots`\n * in place and returning the blob keys that should be deleted from the store.\n * Called by `snapshot()` before the index is written.\n *\n * @internal — public for direct testing only\n */\n applyRetention(index: SnapshotIndex): string[] {\n const prune = this.retention.prune ?? true\n if (!prune) return []\n\n const toDelete: string[] = []\n let remaining = index.snapshots.slice()\n\n if (this.retention.keepLast !== undefined && remaining.length > this.retention.keepLast) {\n const excess = remaining.splice(0, remaining.length - this.retention.keepLast)\n toDelete.push(...excess.map(m => m.version))\n }\n\n if (this.retention.maxAgeDays !== undefined) {\n const cutoffMs = this.retention.maxAgeDays * 86_400_000\n const now = Date.now()\n const fresh = remaining.filter(m => now - new Date(m.exportedAt).getTime() <= cutoffMs)\n toDelete.push(...remaining.filter(m => !fresh.includes(m)).map(m => m.version))\n remaining = fresh\n }\n\n index.snapshots = remaining\n return toDelete\n }\n}\n","import { SnapshotEngine } from './engine.js'\nimport type { SnapshotStrategy, RetentionPolicy } from './strategy.js'\nimport type { SnapshotPolicy } from './policy.js'\nimport type { NoydbPodStore } from '../../kernel/types.js'\nimport type { Vault } from '../../kernel/vault.js'\n\nexport interface WithSnapshotsOptions {\n /** Bundle store where snapshot blobs and the sidecar index are written. */\n store: NoydbPodStore\n /**\n * Declarative retention policy. Enforced eagerly after each on-demand `snapshot()`.\n * Defaults to no retention (all on-demand snapshots kept forever). Never affects\n * the rolling auto-snapshot.\n */\n retention?: RetentionPolicy\n /**\n * Automatic-snapshot cadence. Default `mode:'manual'` ⇒ no timers; snapshots\n * stay on-demand. Set `mode:'debounce'`/`'interval'` to enable auto-snapshots\n * to the rolling `<vault>__auto` key.\n */\n snapshotPolicy?: SnapshotPolicy\n}\n\nexport function withSnapshots(opts: WithSnapshotsOptions): SnapshotStrategy {\n const engine = new SnapshotEngine(opts.store, opts.retention ?? {})\n return {\n snapshot(vault, by, snapOpts) {\n return engine.snapshot(vault as Vault, by, snapOpts)\n },\n listSnapshots(vaultId) {\n return engine.listSnapshots(vaultId)\n },\n restoreSnapshot(vault, version) {\n return engine.restoreSnapshot(vault as Vault, version)\n },\n autoSnapshot(vault, by, snapOpts) {\n return engine.autoSnapshot(vault as Vault, by, snapOpts)\n },\n ...(opts.snapshotPolicy ? { policy: opts.snapshotPolicy } : {}),\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAMO,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YACmB,OACA,WACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAFgB;AAAA,EACA;AAAA,EAGX,SAAS,WAA2B;AAC1C,WAAO,GAAG,SAAS;AAAA,EACrB;AAAA,EAEQ,QAAQ,WAAmB,GAAmB;AACpD,WAAO,GAAG,SAAS,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,GAAG,CAAC;AAAA,EAC5D;AAAA,EAEQ,QAAQ,WAA2B;AACzC,WAAO,GAAG,SAAS;AAAA,EACrB;AAAA,EAEA,MAAc,UACZ,WACgE;AAChE,UAAM,SAAS,MAAM,KAAK,MAAM,WAAW,KAAK,SAAS,SAAS,CAAC;AACnE,QAAI,CAAC,OAAQ,QAAO,EAAE,OAAO,EAAE,WAAW,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,KAAK;AACnF,UAAM,OAAO,IAAI,YAAY,EAAE,OAAO,OAAO,KAAK;AAClD,WAAO,EAAE,OAAO,KAAK,MAAM,IAAI,GAAoB,cAAc,OAAO,QAAQ;AAAA,EAClF;AAAA,EAEA,MAAc,WACZ,WACA,OACA,iBACe;AACf,UAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,KAAK,CAAC;AAC5D,UAAM,KAAK,MAAM,YAAY,KAAK,SAAS,SAAS,GAAG,OAAO,eAAe;AAAA,EAC/E;AAAA,EAEA,MAAM,SACJ,OACA,IACA,MACuB;AACvB,UAAM,QAAQ,MAAM,SAAS,OAAO,CAAC,CAAC;AACtC,UAAM,EAAE,OAAO,aAAa,IAAI,MAAM,KAAK,UAAU,MAAM,IAAI;AAC/D,UAAM,MAAM,KAAK,QAAQ,MAAM,MAAM,MAAM,WAAW;AAMtD,UAAM,KAAK,MAAM,YAAY,KAAK,OAAO,IAAI;AAE7C,UAAM,OAAqB;AAAA,MACzB,SAAS;AAAA,MACT,GAAI,MAAM,UAAU,SAAY,EAAE,OAAO,KAAK,MAAM,IAAI,CAAC;AAAA,MACzD,GAAI,MAAM,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,MACtD,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnC,YAAY;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,WAAW;AAAA,IACb;AAEA,UAAM,WAA0B;AAAA,MAC9B,WAAW,CAAC,GAAG,MAAM,WAAW,IAAI;AAAA,MACpC,aAAa,MAAM,cAAc;AAAA;AAAA,MAEjC,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,KAAK,IAAI,CAAC;AAAA,IAC3C;AACA,UAAM,WAAW,KAAK,eAAe,QAAQ;AAC7C,UAAM,KAAK,WAAW,MAAM,MAAM,UAAU,YAAY;AAExD,eAAW,KAAK,UAAU;AACxB,YAAM,KAAK,MAAM,aAAa,CAAC;AAAA,IACjC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,aACJ,OACA,IACA,MACuB;AACvB,UAAM,QAAQ,MAAM,SAAS,OAAO,CAAC,CAAC;AACtC,UAAM,EAAE,OAAO,aAAa,IAAI,MAAM,KAAK,UAAU,MAAM,IAAI;AAC/D,UAAM,MAAM,KAAK,QAAQ,MAAM,IAAI;AAGnC,UAAM,KAAK,MAAM,YAAY,KAAK,OAAO,IAAI;AAE7C,UAAM,OAAqB;AAAA,MACzB,SAAS;AAAA,MACT,OAAO,MAAM,SAAS;AAAA,MACtB,GAAI,MAAM,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,MACtD,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnC,YAAY;AAAA,MACZ,MAAM,MAAM;AAAA,MACZ,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAEA,UAAM,OAAO;AACb,UAAM,KAAK,WAAW,MAAM,MAAM,OAAO,YAAY;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,SAA0C;AAC5D,UAAM,EAAE,MAAM,IAAI,MAAM,KAAK,UAAU,OAAO;AAC9C,UAAM,YAAY,CAAC,GAAG,MAAM,SAAS,EAAE,QAAQ;AAC/C,WAAO,MAAM,OAAO,CAAC,MAAM,MAAM,GAAG,SAAS,IAAI;AAAA,EACnD;AAAA,EAEA,MAAM,gBAAgB,OAAc,SAAgC;AAClE,QAAI,CAAC,QAAQ,WAAW,GAAG,MAAM,IAAI,IAAI,EAAG,OAAM,IAAI,sBAAsB,OAAO;AACnF,UAAM,SAAS,MAAM,KAAK,MAAM,WAAW,OAAO;AAClD,QAAI,CAAC,OAAQ,OAAM,IAAI,sBAAsB,OAAO;AACpD,UAAM,EAAE,SAAS,IAAI,MAAM,QAAQ,OAAO,KAAK;AAC/C,UAAM,MAAM,KAAK,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,eAAe,OAAgC;AAC7C,UAAM,QAAQ,KAAK,UAAU,SAAS;AACtC,QAAI,CAAC,MAAO,QAAO,CAAC;AAEpB,UAAM,WAAqB,CAAC;AAC5B,QAAI,YAAY,MAAM,UAAU,MAAM;AAEtC,QAAI,KAAK,UAAU,aAAa,UAAa,UAAU,SAAS,KAAK,UAAU,UAAU;AACvF,YAAM,SAAS,UAAU,OAAO,GAAG,UAAU,SAAS,KAAK,UAAU,QAAQ;AAC7E,eAAS,KAAK,GAAG,OAAO,IAAI,OAAK,EAAE,OAAO,CAAC;AAAA,IAC7C;AAEA,QAAI,KAAK,UAAU,eAAe,QAAW;AAC3C,YAAM,WAAW,KAAK,UAAU,aAAa;AAC7C,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,QAAQ,UAAU,OAAO,OAAK,MAAM,IAAI,KAAK,EAAE,UAAU,EAAE,QAAQ,KAAK,QAAQ;AACtF,eAAS,KAAK,GAAG,UAAU,OAAO,OAAK,CAAC,MAAM,SAAS,CAAC,CAAC,EAAE,IAAI,OAAK,EAAE,OAAO,CAAC;AAC9E,kBAAY;AAAA,IACd;AAEA,UAAM,YAAY;AAClB,WAAO;AAAA,EACT;AACF;;;ACzIO,SAAS,cAAc,MAA8C;AAC1E,QAAM,SAAS,IAAI,eAAe,KAAK,OAAO,KAAK,aAAa,CAAC,CAAC;AAClE,SAAO;AAAA,IACL,SAAS,OAAO,IAAI,UAAU;AAC5B,aAAO,OAAO,SAAS,OAAgB,IAAI,QAAQ;AAAA,IACrD;AAAA,IACA,cAAc,SAAS;AACrB,aAAO,OAAO,cAAc,OAAO;AAAA,IACrC;AAAA,IACA,gBAAgB,OAAO,SAAS;AAC9B,aAAO,OAAO,gBAAgB,OAAgB,OAAO;AAAA,IACvD;AAAA,IACA,aAAa,OAAO,IAAI,UAAU;AAChC,aAAO,OAAO,aAAa,OAAgB,IAAI,QAAQ;AAAA,IACzD;AAAA,IACA,GAAI,KAAK,iBAAiB,EAAE,QAAQ,KAAK,eAAe,IAAI,CAAC;AAAA,EAC/D;AACF;","names":[]}
@@ -3,7 +3,7 @@ import {
3
3
  isMVStale,
4
4
  markMVStale,
5
5
  resolveStaleMVOnRead
6
- } from "./chunk-BG3SPSR4.js";
6
+ } from "./chunk-BYW7EU5L.js";
7
7
  import "./chunk-PZ5AY32C.js";
8
8
  export {
9
9
  clearMVStale,
@@ -11,4 +11,4 @@ export {
11
11
  markMVStale,
12
12
  resolveStaleMVOnRead
13
13
  };
14
- //# sourceMappingURL=stale-3JWHNDIY.js.map
14
+ //# sourceMappingURL=stale-LX4BR43V.js.map
@@ -1,10 +1,10 @@
1
1
  import {
2
2
  loadFence,
3
3
  saveFence
4
- } from "./chunk-IAGBDSCS.js";
4
+ } from "./chunk-4NZCZUGL.js";
5
5
  import {
6
6
  NOYDB_FORMAT_VERSION
7
- } from "./chunk-5TDJ56JE.js";
7
+ } from "./chunk-OCDUQUAP.js";
8
8
  import "./chunk-PZ5AY32C.js";
9
9
 
10
10
  // src/with-shape/schema-update/client-registry.ts
@@ -139,4 +139,4 @@ function unref(timer) {
139
139
  export {
140
140
  StoreCoordinationProvider
141
141
  };
142
- //# sourceMappingURL=store-coordination-provider-3I7XWZZK.js.map
142
+ //# sourceMappingURL=store-coordination-provider-KTRIC6PR.js.map
@@ -1,6 +1,6 @@
1
- import { cr as SyncStrategy } from '../index-_6At2_9_.js';
1
+ import { cr as SyncStrategy } from '../index-D05bV0_g.js';
2
2
  import '../subject-index-O75wKshW.js';
3
- import '../describe-Ccd1hS7a.js';
3
+ import '../describe-0tiXAjoO.js';
4
4
  import '../index-B9QdHytu.js';
5
5
  import '@noy-db/attestation';
6
6
 
@@ -2,11 +2,14 @@ import {
2
2
  PresenceHandle,
3
3
  SyncEngine,
4
4
  SyncTransaction
5
- } from "../chunk-IUEN57TV.js";
5
+ } from "../chunk-LHYQE3BP.js";
6
6
  import "../chunk-VQNJ7UZL.js";
7
- import "../chunk-5O3AOPDT.js";
8
- import "../chunk-5TDJ56JE.js";
9
- import "../chunk-ZYUC53LT.js";
7
+ import "../chunk-5EZAJEES.js";
8
+ import "../chunk-6RASM2J4.js";
9
+ import "../chunk-CPAROOKP.js";
10
+ import "../chunk-L4IRFTIF.js";
11
+ import "../chunk-OCDUQUAP.js";
12
+ import "../chunk-BLZRNHMG.js";
10
13
  import "../chunk-PZ5AY32C.js";
11
14
 
12
15
  // src/with-party/team/sync-active.ts
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/with-party/team/sync-active.ts"],"sourcesContent":["/**\n * Active sync strategy — `withSync()` returns the real implementation\n * that wires the `SyncEngine`, `SyncTransaction`, and `PresenceHandle`\n * constructors into the Noydb / Vault / Collection hot paths.\n *\n * Consumers opt in by:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withSync } from '@noy-db/hub/sync'\n *\n * const db = await createNoydb({\n * store: localStore,\n * sync: remoteStore,\n * user: ...,\n * syncStrategy: withSync(),\n * })\n * ```\n *\n * The factory delegates to the existing `sync.ts`,\n * `sync-transaction.ts`, and `presence.ts` modules. Splitting the\n * import chain through this file is what lets tsup tree-shake the\n * ~856 LOC of replication + presence machinery out of the default\n * bundle when no `withSync()` import is present.\n *\n * Keyring + grant/revoke/magic-link/delegation stay in the always-on\n * core (or tree-shake via direct named imports) — those are required\n * for any multi-user vault, even purely local ones.\n *\n * @public\n */\n\nimport type { SyncStrategy, BuildSyncEngineOptions } from './sync-strategy.js'\nimport type { PresenceHandleOpts } from './presence.js'\nimport type { Vault } from '../../kernel/vault.js'\nimport { SyncEngine } from './sync.js'\nimport { SyncTransaction } from './sync-transaction.js'\nimport { PresenceHandle } from './presence.js'\n\nexport function withSync(): SyncStrategy {\n return {\n buildSyncEngine(opts: BuildSyncEngineOptions): SyncEngine {\n return new SyncEngine(opts)\n },\n buildSyncTransaction(vault: Vault, engine: SyncEngine): SyncTransaction {\n return new SyncTransaction(vault, engine)\n },\n buildPresence<P>(opts: PresenceHandleOpts): PresenceHandle<P> {\n return new PresenceHandle<P>(opts)\n },\n }\n}\n"],"mappings":";;;;;;;;;;;;AAuCO,SAAS,WAAyB;AACvC,SAAO;AAAA,IACL,gBAAgB,MAA0C;AACxD,aAAO,IAAI,WAAW,IAAI;AAAA,IAC5B;AAAA,IACA,qBAAqB,OAAc,QAAqC;AACtE,aAAO,IAAI,gBAAgB,OAAO,MAAM;AAAA,IAC1C;AAAA,IACA,cAAiB,MAA6C;AAC5D,aAAO,IAAI,eAAkB,IAAI;AAAA,IACnC;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../src/with-party/team/sync-active.ts"],"sourcesContent":["/**\n * Active sync strategy — `withSync()` returns the real implementation\n * that wires the `SyncEngine`, `SyncTransaction`, and `PresenceHandle`\n * constructors into the Noydb / Vault / Collection hot paths.\n *\n * Consumers opt in by:\n *\n * ```ts\n * import { createNoydb } from '@noy-db/hub'\n * import { withSync } from '@noy-db/hub/sync'\n *\n * const db = await createNoydb({\n * store: localStore,\n * sync: remoteStore,\n * user: ...,\n * syncStrategy: withSync(),\n * })\n * ```\n *\n * The factory delegates to the existing `sync.ts`,\n * `sync-transaction.ts`, and `presence.ts` modules. Splitting the\n * import chain through this file is what lets tsup tree-shake the\n * ~856 LOC of replication + presence machinery out of the default\n * bundle when no `withSync()` import is present.\n *\n * Keyring + grant/revoke/magic-link/delegation stay in the always-on\n * core (or tree-shake via direct named imports) — those are required\n * for any multi-user vault, even purely local ones.\n *\n * @public\n */\n\nimport type { SyncStrategy, BuildSyncEngineOptions } from './sync-strategy.js'\nimport type { PresenceHandleOpts } from './presence.js'\nimport type { Vault } from '../../kernel/vault.js'\nimport { SyncEngine } from './sync.js'\nimport { SyncTransaction } from './sync-transaction.js'\nimport { PresenceHandle } from './presence.js'\n\nexport function withSync(): SyncStrategy {\n return {\n buildSyncEngine(opts: BuildSyncEngineOptions): SyncEngine {\n return new SyncEngine(opts)\n },\n buildSyncTransaction(vault: Vault, engine: SyncEngine): SyncTransaction {\n return new SyncTransaction(vault, engine)\n },\n buildPresence<P>(opts: PresenceHandleOpts): PresenceHandle<P> {\n return new PresenceHandle<P>(opts)\n },\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AAuCO,SAAS,WAAyB;AACvC,SAAO;AAAA,IACL,gBAAgB,MAA0C;AACxD,aAAO,IAAI,WAAW,IAAI;AAAA,IAC5B;AAAA,IACA,qBAAqB,OAAc,QAAqC;AACtE,aAAO,IAAI,gBAAgB,OAAO,MAAM;AAAA,IAC1C;AAAA,IACA,cAAiB,MAA6C;AAC5D,aAAO,IAAI,eAAkB,IAAI;AAAA,IACnC;AAAA,EACF;AACF;","names":[]}
@@ -1,7 +1,7 @@
1
- import { cT as NoydbStore, cF as UnlockedKeyring } from '../index-_6At2_9_.js';
2
- export { dM as BundleRecipient, fg as EnrollAuthenticatorOptions, fh as EnrollAuthenticatorWrappingDEKsOptions, fi as EnrollAuthenticatorWrappingKEKOptions, gf as ListUsersOptions, h2 as PaperRecoveryEntry, he as PresenceHandle, hI as RecoverPassphraseInput, hJ as RecoverPassphraseResult, hK as RecoverUserOptions, hN as RecoveryProof, hZ as RotatePassphraseInput, iw as SlotRewrapCeremony, ix as SlotRewrapContext, iG as SyncEngine, iO as SyncTransaction, j6 as UpdateAuthenticatorOptions, jn as WrappedDeksBlob, jy as buildRecipientKeyringFile, jz as burnPaperRecoveryEntry, kO as changeSecret, kP as createOwnerKeyring, jF as deriveMagicLinkContentKey, jJ as enrollAuthenticator, kQ as ensureCollectionDEK, jN as evaluateExportCapability, jP as evaluateImportCapability, jS as findAuthenticator, kR as grant, jT as hasExportCapability, jU as hasImportCapability, jX as isMagicLinkGrantExpired, k4 as listMagicLinkGrants, k5 as listUsers, k6 as listUsersWithEnvelopes, kS as loadKeyring, k9 as loadPaperRecoveryEntries, kc as magicLinkGrantRecordId, kd as mintPaperRecoveryEntry, kf as mintWrappedDeksBlob, kT as persistKeyring, kk as readMagicLinkGrantRecord, k1 as recoverPassphrase, km as recoverUser, kq as removeAuthenticator, kU as revoke, kw as revokeMagicLinkGrant, k2 as rotatePassphrase, ky as savePaperRecoveryEntries, kC as unwrapDeksFromBlob, kD as unwrapDeksFromPaperEntry, kF as unwrapMagicLinkGrant, kV as updateAuthenticator, kW as updateKeyringIdentity, kN as writeMagicLinkGrant } from '../index-_6At2_9_.js';
1
+ import { cT as NoydbStore, cF as UnlockedKeyring } from '../index-D05bV0_g.js';
2
+ export { e1 as BundleRecipient, fy as EnrollAuthenticatorOptions, fz as EnrollAuthenticatorWrappingDEKsOptions, fA as EnrollAuthenticatorWrappingKEKOptions, gx as ListUsersOptions, hk as PaperRecoveryEntry, hw as PresenceHandle, h_ as RecoverPassphraseInput, h$ as RecoverPassphraseResult, i0 as RecoverUserOptions, i3 as RecoveryProof, ig as RotatePassphraseInput, iO as SlotRewrapCeremony, iP as SlotRewrapContext, iY as SyncEngine, j4 as SyncTransaction, jo as UpdateAuthenticatorOptions, jF as WrappedDeksBlob, jQ as buildRecipientKeyringFile, jR as burnPaperRecoveryEntry, l4 as changeSecret, l5 as createOwnerKeyring, jX as deriveMagicLinkContentKey, j$ as enrollAuthenticator, l6 as ensureCollectionDEK, k3 as evaluateExportCapability, k5 as evaluateImportCapability, k8 as findAuthenticator, l7 as grant, k9 as hasExportCapability, ka as hasImportCapability, kd as isMagicLinkGrantExpired, km as listMagicLinkGrants, kn as listUsers, ko as listUsersWithEnvelopes, l8 as loadKeyring, kr as loadPaperRecoveryEntries, ku as magicLinkGrantRecordId, kv as mintPaperRecoveryEntry, kx as mintWrappedDeksBlob, l9 as persistKeyring, kC as readMagicLinkGrantRecord, kj as recoverPassphrase, kE as recoverUser, kI as removeAuthenticator, la as revoke, kO as revokeMagicLinkGrant, kk as rotatePassphrase, kQ as savePaperRecoveryEntries, kU as unwrapDeksFromBlob, kV as unwrapDeksFromPaperEntry, kX as unwrapMagicLinkGrant, lb as updateAuthenticator, lc as updateKeyringIdentity, l3 as writeMagicLinkGrant } from '../index-D05bV0_g.js';
3
3
  import '../subject-index-O75wKshW.js';
4
- import '../describe-Ccd1hS7a.js';
4
+ import '../describe-0tiXAjoO.js';
5
5
  import '../index-B9QdHytu.js';
6
6
  import '@noy-db/attestation';
7
7
 
@@ -5,7 +5,7 @@ import {
5
5
  getCredential,
6
6
  listCredentials,
7
7
  putCredential
8
- } from "../chunk-DGDI2D4M.js";
8
+ } from "../chunk-NIA5VQ7G.js";
9
9
  import {
10
10
  deriveMagicLinkContentKey,
11
11
  enrollAuthenticator,
@@ -22,7 +22,7 @@ import {
22
22
  unwrapMagicLinkGrant,
23
23
  updateAuthenticator,
24
24
  writeMagicLinkGrant
25
- } from "../chunk-UPJNJGGA.js";
25
+ } from "../chunk-OVIVYAQL.js";
26
26
  import {
27
27
  burnPaperRecoveryEntry,
28
28
  loadPaperRecoveryEntries,
@@ -31,13 +31,13 @@ import {
31
31
  savePaperRecoveryEntries,
32
32
  unwrapDeksFromBlob,
33
33
  unwrapDeksFromPaperEntry
34
- } from "../chunk-IGUYVGGI.js";
35
- import "../chunk-IO6GRPT6.js";
34
+ } from "../chunk-IJW6K6UX.js";
35
+ import "../chunk-O5DNEXQC.js";
36
36
  import {
37
37
  PresenceHandle,
38
38
  SyncEngine,
39
39
  SyncTransaction
40
- } from "../chunk-IUEN57TV.js";
40
+ } from "../chunk-LHYQE3BP.js";
41
41
  import "../chunk-VQNJ7UZL.js";
42
42
  import {
43
43
  buildRecipientKeyringFile,
@@ -55,11 +55,14 @@ import {
55
55
  persistKeyring,
56
56
  revoke,
57
57
  updateKeyringIdentity
58
- } from "../chunk-WWGT2MDV.js";
59
- import "../chunk-ITNUCOXM.js";
60
- import "../chunk-5O3AOPDT.js";
61
- import "../chunk-5TDJ56JE.js";
62
- import "../chunk-ZYUC53LT.js";
58
+ } from "../chunk-5A6TC3RQ.js";
59
+ import "../chunk-2N4MUSF3.js";
60
+ import "../chunk-5EZAJEES.js";
61
+ import "../chunk-6RASM2J4.js";
62
+ import "../chunk-CPAROOKP.js";
63
+ import "../chunk-L4IRFTIF.js";
64
+ import "../chunk-OCDUQUAP.js";
65
+ import "../chunk-BLZRNHMG.js";
63
66
  import "../chunk-PZ5AY32C.js";
64
67
  export {
65
68
  PresenceHandle,
@@ -1,5 +1,5 @@
1
- export { l0 as NO_TIERS, l1 as TiersContext, iZ as TiersNotEnabledError, l2 as TiersStrategy, l3 as assertDeclaredTier, l4 as assertTiersEnabled, l5 as classifySealedShred, l6 as demote, l7 as elevate, l8 as getAtTier, l9 as listAtTier, la as putAtTier, lb as withTiers } from '../index-_6At2_9_.js';
1
+ export { li as NO_TIERS, lj as TiersContext, jf as TiersNotEnabledError, lk as TiersStrategy, ll as assertDeclaredTier, lm as assertTiersEnabled, ln as classifySealedShred, lo as demote, lp as elevate, lq as getAtTier, lr as listAtTier, ls as putAtTier, lt as withTiers } from '../index-D05bV0_g.js';
2
2
  import '../subject-index-O75wKshW.js';
3
- import '../describe-Ccd1hS7a.js';
3
+ import '../describe-0tiXAjoO.js';
4
4
  import '../index-B9QdHytu.js';
5
5
  import '@noy-db/attestation';
@@ -9,13 +9,16 @@ import {
9
9
  listAtTier,
10
10
  putAtTier,
11
11
  withTiers
12
- } from "../chunk-IPB7FTQX.js";
13
- import "../chunk-IO6GRPT6.js";
14
- import "../chunk-5O3AOPDT.js";
15
- import "../chunk-5TDJ56JE.js";
12
+ } from "../chunk-4DZGZ7II.js";
13
+ import "../chunk-O5DNEXQC.js";
14
+ import "../chunk-5EZAJEES.js";
15
+ import "../chunk-6RASM2J4.js";
16
+ import "../chunk-CPAROOKP.js";
17
+ import "../chunk-L4IRFTIF.js";
18
+ import "../chunk-OCDUQUAP.js";
16
19
  import {
17
20
  TiersNotEnabledError
18
- } from "../chunk-ZYUC53LT.js";
21
+ } from "../chunk-BLZRNHMG.js";
19
22
  import "../chunk-PZ5AY32C.js";
20
23
  export {
21
24
  NO_TIERS,
@@ -1,5 +1,5 @@
1
- export { dq as BundleVersionConflictError, eJ as ConflictError, cV as EncryptedEnvelope, ge as ListPageResult, gM as NetworkError, gS as NoydbBundleStore, bX as NoydbPodStore, cT as NoydbStore, du as PodVersionConflictError, iD as StoreCapabilities, iE as StoreCapabilityError, iF as StoreTime, j1 as TxOp, jg as VaultSnapshot } from '../index-_6At2_9_.js';
1
+ export { dq as BundleVersionConflictError, e$ as ConflictError, cV as EncryptedEnvelope, gw as ListPageResult, h2 as NetworkError, h8 as NoydbBundleStore, bX as NoydbPodStore, cT as NoydbStore, du as PodVersionConflictError, iV as StoreCapabilities, iW as StoreCapabilityError, iX as StoreTime, jj as TxOp, jy as VaultSnapshot } from '../index-D05bV0_g.js';
2
2
  import '../subject-index-O75wKshW.js';
3
- import '../describe-Ccd1hS7a.js';
3
+ import '../describe-0tiXAjoO.js';
4
4
  import '../index-B9QdHytu.js';
5
5
  import '@noy-db/attestation';
package/dist/to/index.js CHANGED
@@ -5,7 +5,7 @@ import {
5
5
  NetworkError,
6
6
  PodVersionConflictError,
7
7
  StoreCapabilityError
8
- } from "../chunk-ZYUC53LT.js";
8
+ } from "../chunk-BLZRNHMG.js";
9
9
  import "../chunk-PZ5AY32C.js";
10
10
  export {
11
11
  BundleVersionConflictError,
@@ -1,4 +1,4 @@
1
- import { bJ as GuardStrategy, bP as GuardStrategyHandle, bK as GuardChange, bL as GuardContext } from './index-_6At2_9_.js';
1
+ import { bJ as GuardStrategy, bP as GuardStrategyHandle, bK as GuardChange, bL as GuardContext } from './index-D05bV0_g.js';
2
2
 
3
3
  /**
4
4
  * Register a guard for a collection. Guards run on every `put()` /
@@ -1,7 +1,7 @@
1
- import { i_ as TransactionInvariant, kX as TxStrategy } from '../index-_6At2_9_.js';
2
- export { kY as AmendmentTxOptions, j0 as TxCollection, dP as TxContext, j2 as TxVault, kx as runTransaction } from '../index-_6At2_9_.js';
1
+ import { jg as TransactionInvariant, ld as TxStrategy } from '../index-D05bV0_g.js';
2
+ export { le as AmendmentTxOptions, ji as TxCollection, e4 as TxContext, jk as TxVault, kP as runTransaction } from '../index-D05bV0_g.js';
3
3
  import '../subject-index-O75wKshW.js';
4
- import '../describe-Ccd1hS7a.js';
4
+ import '../describe-0tiXAjoO.js';
5
5
  import '../index-B9QdHytu.js';
6
6
  import '@noy-db/attestation';
7
7
 
package/dist/tx/index.js CHANGED
@@ -3,9 +3,9 @@ import {
3
3
  TxContext,
4
4
  TxVault,
5
5
  runTransaction
6
- } from "../chunk-SKF73JOP.js";
6
+ } from "../chunk-4NMFWOS2.js";
7
7
  import "../chunk-ZJADGNYF.js";
8
- import "../chunk-ZYUC53LT.js";
8
+ import "../chunk-BLZRNHMG.js";
9
9
  import "../chunk-PZ5AY32C.js";
10
10
 
11
11
  // src/with-commit/tx/dry-run.ts
@@ -44,7 +44,7 @@ async function runDryRun(db, fn) {
44
44
  const gctx = { existing: before, vault: facade, userId: v.userId, role: v.role };
45
45
  try {
46
46
  await registry.runChecks(op.collectionName, after, gctx);
47
- const { GuardExecutor } = await import("../executor-QZ7BXICW.js");
47
+ const { GuardExecutor } = await import("../executor-IKT47SH2.js");
48
48
  for (const g of guards) {
49
49
  await GuardExecutor.checkFrozenFields(g, op.id, before, after);
50
50
  }
@@ -1 +1 @@
1
- export { C as CollectionDescription, a as CollectionMeta, D as DescribeOptions, b as DescribedField, F as FieldMeta, S as SemanticType } from '../describe-Ccd1hS7a.js';
1
+ export { C as CollectionDescription, a as CollectionMeta, D as DescribeOptions, b as DescribedField, F as FieldMeta, S as SemanticType } from '../describe-0tiXAjoO.js';
@@ -3,7 +3,7 @@ import {
3
3
  } from "../chunk-PY4KJPYU.js";
4
4
  import {
5
5
  FilenameSanitizationError
6
- } from "../chunk-ZYUC53LT.js";
6
+ } from "../chunk-BLZRNHMG.js";
7
7
  import "../chunk-PZ5AY32C.js";
8
8
 
9
9
  // src/kernel/util/sanitize-filename.ts
@@ -0,0 +1,62 @@
1
+ import { dO as ClassifiedEntry, dL as ClassifiedFieldSpec, dP as ClassifiedGroup } from './index-D05bV0_g.js';
2
+
3
+ /**
4
+ * Configuration/write errors for classified fields. @module
5
+ *
6
+ * `ClassifiedConfigError` / `ClassifiedRevealError` moved to `kernel/errors.ts`
7
+ * (stage 2) so `kernel/enclave/classify/*` can throw them without importing
8
+ * with-*. Re-exported here under the same names so existing import paths
9
+ * keep working.
10
+ */
11
+
12
+ declare class ClassifiedNeverStoredError extends Error {
13
+ readonly collection: string;
14
+ readonly field: string;
15
+ constructor(collection: string, field: string);
16
+ }
17
+ declare class ClassifiedValidationError extends Error {
18
+ readonly collection: string;
19
+ readonly field: string;
20
+ constructor(collection: string, field: string, detail: string);
21
+ }
22
+
23
+ /** Flatten a classifiedFields config into a per-field map + rider computed entries. @module */
24
+
25
+ interface ResolvedClassified {
26
+ readonly byField: Record<string, ClassifiedFieldSpec>;
27
+ readonly riderComputed: Record<string, (record: Record<string, unknown>) => unknown>;
28
+ }
29
+ declare function resolveClassifiedFields(collection: string, config: Record<string, ClassifiedEntry>): ResolvedClassified;
30
+
31
+ /** The preset catalog (stage 1). Presets are hub-owned; devs get declarative
32
+ * knobs, not read-side callbacks (design law D2/D3). @module */
33
+
34
+ declare const classified: {
35
+ /** Composite card type. PAN sealed + last4/bin riders; CVC is storage:'never' (PCI-aware). */
36
+ creditCard(fields: {
37
+ pan: string;
38
+ expiry?: string;
39
+ cvc?: string;
40
+ }): ClassifiedGroup;
41
+ birthDate(): ClassifiedFieldSpec;
42
+ email(): ClassifiedFieldSpec;
43
+ phone(): ClassifiedFieldSpec;
44
+ /** Digest-only password: verify-without-reveal; never listed, never revealed.
45
+ * Enumeration math is on the caller for low-entropy values — see the
46
+ * per-preset docs; the hub ships no rate limiter in this slice (spec §5). */
47
+ password(opts?: {
48
+ minLength?: number;
49
+ rotateDays?: number;
50
+ notLastN?: number;
51
+ }): ClassifiedFieldSpec;
52
+ /** Digest-only secret answer: normalized (casefold/trim/collapse), groupable
53
+ * into k-of-n matchGroup challenges. Low-entropy by nature — document the
54
+ * enumeration math to your users; add app-side rate limiting. */
55
+ secretAnswer(): ClassifiedFieldSpec;
56
+ };
57
+
58
+ /** Pure write-time validators. Exported so userland can validate storage:'never'
59
+ * fields (e.g. CVC) at capture, before dropping them. @module */
60
+ declare function luhnCheck(pan: string): boolean;
61
+
62
+ export { ClassifiedNeverStoredError as C, type ResolvedClassified as R, ClassifiedValidationError as a, classified as c, luhnCheck as l, resolveClassifiedFields as r };
@@ -1,4 +1,4 @@
1
- import { V as Vault, cE as DiffEntry } from './index-_6At2_9_.js';
1
+ import { V as Vault, cE as DiffEntry } from './index-D05bV0_g.js';
2
2
 
3
3
  /**
4
4
  * Vault-level diff orchestrator.