@noy-db/hub 0.3.0-pre.3 → 0.3.0-pre.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (388) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-JOXUNSKP.js +20 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +12 -9
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +21 -18
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-NGRJ46SH.js → backup-OPONO6Q5.js} +12 -9
  13. package/dist/{backup-NGRJ46SH.js.map → backup-OPONO6Q5.js.map} +1 -1
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +11 -8
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +21 -18
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-B-P3_Jvb.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +23 -20
  24. package/dist/{chunk-VBYVKOMJ.js → chunk-3QRQOBS7.js} +3 -3
  25. package/dist/{chunk-JFYIHLU3.js → chunk-3Y4QLJ6K.js} +2 -2
  26. package/dist/{chunk-BZIWKN74.js → chunk-43ISXURO.js} +2 -2
  27. package/dist/{chunk-PYWW4KLO.js → chunk-44UTIDE2.js} +9 -9
  28. package/dist/{chunk-7IP75FP2.js → chunk-4K3MQ5S3.js} +2 -2
  29. package/dist/chunk-5EWYUR5P.js +37 -0
  30. package/dist/chunk-5EWYUR5P.js.map +1 -0
  31. package/dist/{chunk-2KSPDSWI.js → chunk-5MRE3C4Q.js} +5 -5
  32. package/dist/{chunk-PUNJAEY6.js → chunk-6HNKCKFZ.js} +7 -7
  33. package/dist/{chunk-PJDK2PPQ.js → chunk-6RXPSMKR.js} +3 -3
  34. package/dist/{chunk-6DP5HBQD.js → chunk-6UOSONVI.js} +9 -9
  35. package/dist/{chunk-YN66UOXT.js → chunk-7SY3PTED.js} +25 -9
  36. package/dist/{chunk-YN66UOXT.js.map → chunk-7SY3PTED.js.map} +1 -1
  37. package/dist/{chunk-UP6EMMDI.js → chunk-A4DWPOP3.js} +10 -10
  38. package/dist/{chunk-MCJAUQGE.js → chunk-A5DYVMDR.js} +3 -3
  39. package/dist/{chunk-MIOLJG2R.js → chunk-AF5ZRTZ4.js} +5 -2
  40. package/dist/chunk-AF5ZRTZ4.js.map +1 -0
  41. package/dist/{chunk-TICO2I2O.js → chunk-BKGIWGCX.js} +2 -2
  42. package/dist/{chunk-O5DNEXQC.js → chunk-BMQOH7MM.js} +2 -2
  43. package/dist/{chunk-3UDPDRUC.js → chunk-EWR7HL3K.js} +4 -4
  44. package/dist/{chunk-CVXLJIAV.js → chunk-FH52CDEW.js} +5 -5
  45. package/dist/chunk-G4MGYGSS.js +130 -0
  46. package/dist/chunk-G4MGYGSS.js.map +1 -0
  47. package/dist/{chunk-FELHYKIO.js → chunk-G7RDYYTE.js} +2 -2
  48. package/dist/{chunk-N2FP26NH.js → chunk-GBTUANXF.js} +16 -297
  49. package/dist/chunk-GBTUANXF.js.map +1 -0
  50. package/dist/{chunk-DHIN36UC.js → chunk-GQOT6QJR.js} +8 -8
  51. package/dist/{chunk-DGUR3CC4.js → chunk-GXGK22QU.js} +2 -2
  52. package/dist/{chunk-YTIAXSUE.js → chunk-GZZL5R73.js} +4 -4
  53. package/dist/{chunk-E4YJUNPU.js → chunk-H5XRIJX3.js} +7 -7
  54. package/dist/{chunk-DA34OEZU.js → chunk-H7RYPVMJ.js} +2 -2
  55. package/dist/{chunk-2ZORB5RW.js → chunk-HBKDR7R3.js} +3 -3
  56. package/dist/{chunk-ZNI3RTFV.js → chunk-HMXLN43G.js} +2 -2
  57. package/dist/{chunk-BYW7EU5L.js → chunk-HY6ZGGEC.js} +2 -2
  58. package/dist/{chunk-ADBMJDBW.js → chunk-IEUIUSBO.js} +449 -1077
  59. package/dist/chunk-IEUIUSBO.js.map +1 -0
  60. package/dist/{chunk-OVIVYAQL.js → chunk-LEA7WJEZ.js} +25 -10
  61. package/dist/chunk-LEA7WJEZ.js.map +1 -0
  62. package/dist/{chunk-5Z3RNFJC.js → chunk-LIP6JWYK.js} +3 -3
  63. package/dist/{chunk-OCDUQUAP.js → chunk-LN22XH4B.js} +1 -1
  64. package/dist/chunk-LN22XH4B.js.map +1 -0
  65. package/dist/chunk-LP7BEXCT.js +32 -0
  66. package/dist/chunk-LP7BEXCT.js.map +1 -0
  67. package/dist/{chunk-IJW6K6UX.js → chunk-LPRPVCNY.js} +5 -5
  68. package/dist/{chunk-6EVZXETK.js → chunk-M66NAZA4.js} +3 -3
  69. package/dist/{chunk-HGQG3VIP.js → chunk-N5YVZHCB.js} +2 -2
  70. package/dist/chunk-NO272T7Q.js +194 -0
  71. package/dist/chunk-NO272T7Q.js.map +1 -0
  72. package/dist/{chunk-NIA5VQ7G.js → chunk-NQVZB3S7.js} +29 -11
  73. package/dist/chunk-NQVZB3S7.js.map +1 -0
  74. package/dist/{chunk-6OQ7NKMZ.js → chunk-O2DB4C3M.js} +6 -6
  75. package/dist/{chunk-LHYQE3BP.js → chunk-OFBFAVLI.js} +6 -6
  76. package/dist/{chunk-IWVWB7BZ.js → chunk-OJU3CPFA.js} +12 -12
  77. package/dist/{chunk-ZFME46HJ.js → chunk-OPTFANOX.js} +3 -3
  78. package/dist/chunk-OPTFANOX.js.map +1 -0
  79. package/dist/{chunk-5EZAJEES.js → chunk-OVO2RZAE.js} +81 -27
  80. package/dist/chunk-OVO2RZAE.js.map +1 -0
  81. package/dist/{chunk-6I2YPLAG.js → chunk-P27Z66EB.js} +7 -7
  82. package/dist/{chunk-7MHVHGQZ.js → chunk-P2LDXRGP.js} +2 -2
  83. package/dist/chunk-P3NGV5RV.js +41 -0
  84. package/dist/chunk-P3NGV5RV.js.map +1 -0
  85. package/dist/{chunk-NPVICKZE.js → chunk-P5WXDYMD.js} +8 -197
  86. package/dist/chunk-P5WXDYMD.js.map +1 -0
  87. package/dist/{chunk-CPAROOKP.js → chunk-PGFY7IRW.js} +12 -41
  88. package/dist/chunk-PGFY7IRW.js.map +1 -0
  89. package/dist/{chunk-Z44OY24N.js → chunk-PI5CG2OV.js} +9 -5
  90. package/dist/chunk-PI5CG2OV.js.map +1 -0
  91. package/dist/{chunk-6RASM2J4.js → chunk-QKVILR7N.js} +2 -2
  92. package/dist/{chunk-LKBLAUOB.js → chunk-QNTEDPWP.js} +3 -3
  93. package/dist/{chunk-P6UXDALK.js → chunk-RDHAGBEB.js} +3 -3
  94. package/dist/{chunk-XRE4JOEO.js → chunk-RTS23VIJ.js} +2 -2
  95. package/dist/{chunk-5ZPWVNL3.js → chunk-S2WKOCTU.js} +2 -2
  96. package/dist/chunk-SAJJWVNQ.js +135 -0
  97. package/dist/chunk-SAJJWVNQ.js.map +1 -0
  98. package/dist/{chunk-VHEEU4ZO.js → chunk-SW56GSYC.js} +2 -2
  99. package/dist/{chunk-46YGCU6Z.js → chunk-T2EGAXPM.js} +2 -2
  100. package/dist/{chunk-LES2Z7B4.js → chunk-T45LAT2Y.js} +2 -2
  101. package/dist/{chunk-4NMFWOS2.js → chunk-T65UZXR6.js} +3 -3
  102. package/dist/{chunk-2N4MUSF3.js → chunk-TB5RNNJ4.js} +7 -7
  103. package/dist/chunk-TCIUO62Z.js +29 -0
  104. package/dist/chunk-TCIUO62Z.js.map +1 -0
  105. package/dist/chunk-THNJ3IKU.js +17 -0
  106. package/dist/chunk-THNJ3IKU.js.map +1 -0
  107. package/dist/{chunk-U6OM4E67.js → chunk-TL7QR5T6.js} +20 -15
  108. package/dist/chunk-TL7QR5T6.js.map +1 -0
  109. package/dist/{chunk-L4IRFTIF.js → chunk-TLJOJBZD.js} +3 -23
  110. package/dist/chunk-TLJOJBZD.js.map +1 -0
  111. package/dist/chunk-TQ3REHVF.js +95 -0
  112. package/dist/chunk-TQ3REHVF.js.map +1 -0
  113. package/dist/{chunk-6CNLU4TO.js → chunk-TYGW5TOR.js} +7 -7
  114. package/dist/{chunk-BLZRNHMG.js → chunk-U23JUUPX.js} +8 -1
  115. package/dist/{chunk-BLZRNHMG.js.map → chunk-U23JUUPX.js.map} +1 -1
  116. package/dist/{chunk-U5DWHU3S.js → chunk-U24XHXNK.js} +2 -2
  117. package/dist/chunk-ULIHDPKL.js +94 -0
  118. package/dist/chunk-ULIHDPKL.js.map +1 -0
  119. package/dist/chunk-UOEWDCUX.js +69 -0
  120. package/dist/chunk-UOEWDCUX.js.map +1 -0
  121. package/dist/{chunk-NTHKOFVL.js → chunk-VFRNWE5P.js} +52 -8
  122. package/dist/chunk-VFRNWE5P.js.map +1 -0
  123. package/dist/{chunk-4DZGZ7II.js → chunk-VMJ5URU7.js} +8 -8
  124. package/dist/chunk-VMJ5URU7.js.map +1 -0
  125. package/dist/{chunk-YDP2SA5K.js → chunk-VPCMJ5Z4.js} +5 -5
  126. package/dist/{chunk-ZAWD6O46.js → chunk-VRPBEOWU.js} +2 -2
  127. package/dist/{chunk-AY4P6PHN.js → chunk-VWGCJUTV.js} +2 -2
  128. package/dist/{chunk-IIK7W3AN.js → chunk-XJR3COJO.js} +5 -5
  129. package/dist/{chunk-ZD4D7UM6.js → chunk-XYYW64LB.js} +2 -2
  130. package/dist/{chunk-4NZCZUGL.js → chunk-YFF2RP3X.js} +2 -2
  131. package/dist/{chunk-WVIIJPTJ.js → chunk-Z3FZC5GV.js} +7 -7
  132. package/dist/{chunk-55HDKLI3.js → chunk-Z5PIUYNB.js} +8 -8
  133. package/dist/{chunk-ZRDYQZYH.js → chunk-Z7KI4WHR.js} +2 -2
  134. package/dist/{chunk-BV7KNFJY.js → chunk-ZBDK7T6X.js} +9 -9
  135. package/dist/chunk-ZKF6HH7V.js +120 -0
  136. package/dist/chunk-ZKF6HH7V.js.map +1 -0
  137. package/dist/{chunk-P6DN5QU7.js → chunk-ZKYMKF2S.js} +8 -8
  138. package/dist/{chunk-NMRKAGHE.js → chunk-ZROMNP7Q.js} +2 -2
  139. package/dist/{chunk-5A6TC3RQ.js → chunk-ZT4GWVTX.js} +29 -14
  140. package/dist/chunk-ZT4GWVTX.js.map +1 -0
  141. package/dist/classified/index.d.ts +4 -4
  142. package/dist/classified/index.js +3 -3
  143. package/dist/collection-facade-THH4ASGX.js +39 -0
  144. package/dist/computed-BMMEFRFJ.js +11 -0
  145. package/dist/config-drift-3UIJVI5G.js +24 -0
  146. package/dist/config-drift-3UIJVI5G.js.map +1 -0
  147. package/dist/consent/index.d.ts +3 -3
  148. package/dist/consent/index.js +10 -7
  149. package/dist/consent/index.js.map +1 -1
  150. package/dist/crdt/index.d.ts +3 -3
  151. package/dist/delegation-BQNIEHZE.js +25 -0
  152. package/dist/derivations/index.d.ts +4 -4
  153. package/dist/derivations/index.js +12 -9
  154. package/dist/describe/index.d.ts +1 -1
  155. package/dist/{describe-0tiXAjoO.d.ts → describe-C6iHNlqJ.d.ts} +9 -0
  156. package/dist/{dev-unlock-B_s9DUWa.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
  157. package/dist/{enclave-IS7HZSQ7.js → enclave-YN6223OG.js} +21 -8
  158. package/dist/executor-CBTNU5VZ.js +9 -0
  159. package/dist/executor-DJHNSTIR.js +9 -0
  160. package/dist/executor-FGISLQIN.js +21 -0
  161. package/dist/export-accessible-P7SLRLK3.js +23 -0
  162. package/dist/extract-partition-6JGY3KYR.js +36 -0
  163. package/dist/{fanout-sidecar-DDKRG2MX.js → fanout-sidecar-WS22Q5WH.js} +12 -9
  164. package/dist/{fanout-sidecar-DDKRG2MX.js.map → fanout-sidecar-WS22Q5WH.js.map} +1 -1
  165. package/dist/fence-watcher-DHQ775JB.js +69 -0
  166. package/dist/fence-watcher-DHQ775JB.js.map +1 -0
  167. package/dist/find-RNBG7LBY.js +11 -0
  168. package/dist/forget/index.js +10 -7
  169. package/dist/forget/index.js.map +1 -1
  170. package/dist/guards/index.d.ts +4 -4
  171. package/dist/guards/index.js +3 -3
  172. package/dist/{hash-CWxn7sf6.d.ts → hash-D8Q5MJLA.d.ts} +1 -1
  173. package/dist/history/index.d.ts +4 -4
  174. package/dist/history/index.js +12 -9
  175. package/dist/history/index.js.map +1 -1
  176. package/dist/i18n/index.d.ts +3 -3
  177. package/dist/i18n/index.js +14 -11
  178. package/dist/i18n/index.js.map +1 -1
  179. package/dist/in/index.d.ts +2 -2
  180. package/dist/{index-D05bV0_g.d.ts → index-D4GQe1Rx.d.ts} +818 -49
  181. package/dist/{index-DTMUUwwW.d.ts → index-DRxk8q_7.d.ts} +3 -3
  182. package/dist/index.d.ts +54 -18
  183. package/dist/index.js +1022 -123
  184. package/dist/index.js.map +1 -1
  185. package/dist/indexing/index.d.ts +3 -3
  186. package/dist/indexing/index.js +4 -4
  187. package/dist/issue-W5QG53B5.js +19 -0
  188. package/dist/json-schema-I22JCYCG.js +44 -0
  189. package/dist/json-schema-I22JCYCG.js.map +1 -0
  190. package/dist/kernel/index.d.ts +3 -3
  191. package/dist/kernel/index.js +13 -10
  192. package/dist/lazy/index.d.ts +21 -0
  193. package/dist/lazy/index.js +12 -0
  194. package/dist/{ledger-YUAJUNFP.js → ledger-KZWBKAG5.js} +12 -9
  195. package/dist/liberate-AQ7OWBZZ.js +24 -0
  196. package/dist/link-set-UQEIYQAM.js +31 -0
  197. package/dist/materialized-views/index.d.ts +4 -4
  198. package/dist/materialized-views/index.js +16 -13
  199. package/dist/{mime-magic-Qr_4HjP6.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
  200. package/dist/noydb-WQZNAECY.js +60 -0
  201. package/dist/on/index.d.ts +2 -2
  202. package/dist/on/index.js +10 -7
  203. package/dist/overlay-views/index.d.ts +4 -4
  204. package/dist/overlay-views/index.js +4 -4
  205. package/dist/periods/index.d.ts +3 -3
  206. package/dist/periods/index.js +13 -10
  207. package/dist/pod/index.d.ts +3 -3
  208. package/dist/pod/index.js +12 -9
  209. package/dist/{policy-LRE6HTO5.js → policy-YIKUH4AD.js} +5 -5
  210. package/dist/portability/index.d.ts +3 -3
  211. package/dist/portability/index.js +8 -8
  212. package/dist/{public-envelope-WVRRUVAJ.js → public-envelope-MRN5YYZZ.js} +4 -4
  213. package/dist/query/index.d.ts +2 -2
  214. package/dist/query/index.js +6 -6
  215. package/dist/register-V5AQTXNI.js +21 -0
  216. package/dist/registry-IMNMHWTM.js +17 -0
  217. package/dist/registry-K6VUQXKV.js +19 -0
  218. package/dist/registry-ZVO3T4M5.js +9 -0
  219. package/dist/request-withdrawal-EHALV66Y.js +31 -0
  220. package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
  221. package/dist/{reveal-WSUHXCSS.js → reveal-TBLTFWQ2.js} +6 -5
  222. package/dist/{reveal-WSUHXCSS.js.map → reveal-TBLTFWQ2.js.map} +1 -1
  223. package/dist/revoke-MHAUAESM.js +24 -0
  224. package/dist/revoke-MHAUAESM.js.map +1 -0
  225. package/dist/sealed-record/index.d.ts +3 -3
  226. package/dist/sealed-record/index.js +13 -10
  227. package/dist/sealed-record/index.js.map +1 -1
  228. package/dist/session/index.d.ts +4 -4
  229. package/dist/session/index.js +10 -7
  230. package/dist/session/index.js.map +1 -1
  231. package/dist/shadow/index.d.ts +3 -3
  232. package/dist/shadow/index.js +2 -2
  233. package/dist/signer-PQ74YXRY.js +25 -0
  234. package/dist/signer-PQ74YXRY.js.map +1 -0
  235. package/dist/snapshots/index.d.ts +3 -3
  236. package/dist/snapshots/index.js +11 -8
  237. package/dist/snapshots/index.js.map +1 -1
  238. package/dist/{stale-LX4BR43V.js → stale-7Q62KVI3.js} +2 -2
  239. package/dist/stale-7Q62KVI3.js.map +1 -0
  240. package/dist/storage-3FKGLQMC.js +23 -0
  241. package/dist/storage-3FKGLQMC.js.map +1 -0
  242. package/dist/{store-coordination-provider-KTRIC6PR.js → store-coordination-provider-JJCEMTAE.js} +3 -3
  243. package/dist/sync/index.d.ts +2 -2
  244. package/dist/sync/index.js +10 -7
  245. package/dist/sync/index.js.map +1 -1
  246. package/dist/team/index.d.ts +45 -6
  247. package/dist/team/index.js +25 -15
  248. package/dist/tiers/index.d.ts +2 -2
  249. package/dist/tiers/index.js +11 -8
  250. package/dist/to/index.d.ts +2 -2
  251. package/dist/to/index.js +1 -1
  252. package/dist/{transition-guard-C1Pyz8nH.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
  253. package/dist/tx/index.d.ts +3 -3
  254. package/dist/tx/index.js +3 -3
  255. package/dist/ui/index.d.ts +1 -1
  256. package/dist/util/index.js +1 -1
  257. package/dist/validators-Ctgkj5qd.d.ts +101 -0
  258. package/dist/{vault-diff-Fn0WeY2w.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
  259. package/dist/{verify-SW6J63Q2.js → verify-YB5LQHNA.js} +11 -7
  260. package/dist/{verify-SW6J63Q2.js.map → verify-YB5LQHNA.js.map} +1 -1
  261. package/dist/walk-T65TZDN2.js +241 -0
  262. package/dist/walk-T65TZDN2.js.map +1 -0
  263. package/dist/with/index.d.ts +3 -3
  264. package/dist/with/index.js +12 -9
  265. package/dist/{with-materialized-view-NKxs6iK5.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
  266. package/dist/{with-overlayed-view-B4fPYHwV.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
  267. package/dist/{with-rollup-Bl0sRFEt.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
  268. package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
  269. package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
  270. package/package.json +7 -3
  271. package/dist/api-LORZ2EZU.js +0 -17
  272. package/dist/chunk-4DZGZ7II.js.map +0 -1
  273. package/dist/chunk-5A6TC3RQ.js.map +0 -1
  274. package/dist/chunk-5EZAJEES.js.map +0 -1
  275. package/dist/chunk-ADBMJDBW.js.map +0 -1
  276. package/dist/chunk-CPAROOKP.js.map +0 -1
  277. package/dist/chunk-L4IRFTIF.js.map +0 -1
  278. package/dist/chunk-MIOLJG2R.js.map +0 -1
  279. package/dist/chunk-N2FP26NH.js.map +0 -1
  280. package/dist/chunk-NIA5VQ7G.js.map +0 -1
  281. package/dist/chunk-NPVICKZE.js.map +0 -1
  282. package/dist/chunk-NTHKOFVL.js.map +0 -1
  283. package/dist/chunk-OCDUQUAP.js.map +0 -1
  284. package/dist/chunk-OVIVYAQL.js.map +0 -1
  285. package/dist/chunk-QLQS5A7X.js +0 -524
  286. package/dist/chunk-QLQS5A7X.js.map +0 -1
  287. package/dist/chunk-U6OM4E67.js.map +0 -1
  288. package/dist/chunk-Z44OY24N.js.map +0 -1
  289. package/dist/chunk-ZFME46HJ.js.map +0 -1
  290. package/dist/collection-facade-XPVRHBGU.js +0 -36
  291. package/dist/delegation-4HUHUE6T.js +0 -22
  292. package/dist/executor-ANFBCOYA.js +0 -9
  293. package/dist/executor-IKT47SH2.js +0 -9
  294. package/dist/executor-OIECZXTV.js +0 -18
  295. package/dist/export-accessible-NZWCFZHL.js +0 -20
  296. package/dist/extract-partition-52LX6RQH.js +0 -33
  297. package/dist/issue-F4SYPJGJ.js +0 -16
  298. package/dist/liberate-6LDETRIW.js +0 -21
  299. package/dist/noydb-WQNBVJIG.js +0 -54
  300. package/dist/registry-6HZ2JSQ7.js +0 -14
  301. package/dist/registry-GPXZQ7DT.js +0 -9
  302. package/dist/registry-USYD2ECC.js +0 -16
  303. package/dist/request-withdrawal-54V4L6CR.js +0 -28
  304. package/dist/revoke-JV26NTQD.js +0 -21
  305. package/dist/signer-AE56T5HE.js +0 -22
  306. package/dist/validators-Dzn7T-3x.d.ts +0 -62
  307. package/dist/withdraw-accessible-DGA4V2TP.js +0 -25
  308. /package/dist/{api-LORZ2EZU.js.map → api-JOXUNSKP.js.map} +0 -0
  309. /package/dist/{chunk-VBYVKOMJ.js.map → chunk-3QRQOBS7.js.map} +0 -0
  310. /package/dist/{chunk-JFYIHLU3.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
  311. /package/dist/{chunk-BZIWKN74.js.map → chunk-43ISXURO.js.map} +0 -0
  312. /package/dist/{chunk-PYWW4KLO.js.map → chunk-44UTIDE2.js.map} +0 -0
  313. /package/dist/{chunk-7IP75FP2.js.map → chunk-4K3MQ5S3.js.map} +0 -0
  314. /package/dist/{chunk-2KSPDSWI.js.map → chunk-5MRE3C4Q.js.map} +0 -0
  315. /package/dist/{chunk-PUNJAEY6.js.map → chunk-6HNKCKFZ.js.map} +0 -0
  316. /package/dist/{chunk-PJDK2PPQ.js.map → chunk-6RXPSMKR.js.map} +0 -0
  317. /package/dist/{chunk-6DP5HBQD.js.map → chunk-6UOSONVI.js.map} +0 -0
  318. /package/dist/{chunk-UP6EMMDI.js.map → chunk-A4DWPOP3.js.map} +0 -0
  319. /package/dist/{chunk-MCJAUQGE.js.map → chunk-A5DYVMDR.js.map} +0 -0
  320. /package/dist/{chunk-TICO2I2O.js.map → chunk-BKGIWGCX.js.map} +0 -0
  321. /package/dist/{chunk-O5DNEXQC.js.map → chunk-BMQOH7MM.js.map} +0 -0
  322. /package/dist/{chunk-3UDPDRUC.js.map → chunk-EWR7HL3K.js.map} +0 -0
  323. /package/dist/{chunk-CVXLJIAV.js.map → chunk-FH52CDEW.js.map} +0 -0
  324. /package/dist/{chunk-FELHYKIO.js.map → chunk-G7RDYYTE.js.map} +0 -0
  325. /package/dist/{chunk-DHIN36UC.js.map → chunk-GQOT6QJR.js.map} +0 -0
  326. /package/dist/{chunk-DGUR3CC4.js.map → chunk-GXGK22QU.js.map} +0 -0
  327. /package/dist/{chunk-YTIAXSUE.js.map → chunk-GZZL5R73.js.map} +0 -0
  328. /package/dist/{chunk-E4YJUNPU.js.map → chunk-H5XRIJX3.js.map} +0 -0
  329. /package/dist/{chunk-DA34OEZU.js.map → chunk-H7RYPVMJ.js.map} +0 -0
  330. /package/dist/{chunk-2ZORB5RW.js.map → chunk-HBKDR7R3.js.map} +0 -0
  331. /package/dist/{chunk-ZNI3RTFV.js.map → chunk-HMXLN43G.js.map} +0 -0
  332. /package/dist/{chunk-BYW7EU5L.js.map → chunk-HY6ZGGEC.js.map} +0 -0
  333. /package/dist/{chunk-5Z3RNFJC.js.map → chunk-LIP6JWYK.js.map} +0 -0
  334. /package/dist/{chunk-IJW6K6UX.js.map → chunk-LPRPVCNY.js.map} +0 -0
  335. /package/dist/{chunk-6EVZXETK.js.map → chunk-M66NAZA4.js.map} +0 -0
  336. /package/dist/{chunk-HGQG3VIP.js.map → chunk-N5YVZHCB.js.map} +0 -0
  337. /package/dist/{chunk-6OQ7NKMZ.js.map → chunk-O2DB4C3M.js.map} +0 -0
  338. /package/dist/{chunk-LHYQE3BP.js.map → chunk-OFBFAVLI.js.map} +0 -0
  339. /package/dist/{chunk-IWVWB7BZ.js.map → chunk-OJU3CPFA.js.map} +0 -0
  340. /package/dist/{chunk-6I2YPLAG.js.map → chunk-P27Z66EB.js.map} +0 -0
  341. /package/dist/{chunk-7MHVHGQZ.js.map → chunk-P2LDXRGP.js.map} +0 -0
  342. /package/dist/{chunk-6RASM2J4.js.map → chunk-QKVILR7N.js.map} +0 -0
  343. /package/dist/{chunk-LKBLAUOB.js.map → chunk-QNTEDPWP.js.map} +0 -0
  344. /package/dist/{chunk-P6UXDALK.js.map → chunk-RDHAGBEB.js.map} +0 -0
  345. /package/dist/{chunk-XRE4JOEO.js.map → chunk-RTS23VIJ.js.map} +0 -0
  346. /package/dist/{chunk-5ZPWVNL3.js.map → chunk-S2WKOCTU.js.map} +0 -0
  347. /package/dist/{chunk-VHEEU4ZO.js.map → chunk-SW56GSYC.js.map} +0 -0
  348. /package/dist/{chunk-46YGCU6Z.js.map → chunk-T2EGAXPM.js.map} +0 -0
  349. /package/dist/{chunk-LES2Z7B4.js.map → chunk-T45LAT2Y.js.map} +0 -0
  350. /package/dist/{chunk-4NMFWOS2.js.map → chunk-T65UZXR6.js.map} +0 -0
  351. /package/dist/{chunk-2N4MUSF3.js.map → chunk-TB5RNNJ4.js.map} +0 -0
  352. /package/dist/{chunk-6CNLU4TO.js.map → chunk-TYGW5TOR.js.map} +0 -0
  353. /package/dist/{chunk-U5DWHU3S.js.map → chunk-U24XHXNK.js.map} +0 -0
  354. /package/dist/{chunk-YDP2SA5K.js.map → chunk-VPCMJ5Z4.js.map} +0 -0
  355. /package/dist/{chunk-ZAWD6O46.js.map → chunk-VRPBEOWU.js.map} +0 -0
  356. /package/dist/{chunk-AY4P6PHN.js.map → chunk-VWGCJUTV.js.map} +0 -0
  357. /package/dist/{chunk-IIK7W3AN.js.map → chunk-XJR3COJO.js.map} +0 -0
  358. /package/dist/{chunk-ZD4D7UM6.js.map → chunk-XYYW64LB.js.map} +0 -0
  359. /package/dist/{chunk-4NZCZUGL.js.map → chunk-YFF2RP3X.js.map} +0 -0
  360. /package/dist/{chunk-WVIIJPTJ.js.map → chunk-Z3FZC5GV.js.map} +0 -0
  361. /package/dist/{chunk-55HDKLI3.js.map → chunk-Z5PIUYNB.js.map} +0 -0
  362. /package/dist/{chunk-ZRDYQZYH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
  363. /package/dist/{chunk-BV7KNFJY.js.map → chunk-ZBDK7T6X.js.map} +0 -0
  364. /package/dist/{chunk-P6DN5QU7.js.map → chunk-ZKYMKF2S.js.map} +0 -0
  365. /package/dist/{chunk-NMRKAGHE.js.map → chunk-ZROMNP7Q.js.map} +0 -0
  366. /package/dist/{collection-facade-XPVRHBGU.js.map → collection-facade-THH4ASGX.js.map} +0 -0
  367. /package/dist/{delegation-4HUHUE6T.js.map → computed-BMMEFRFJ.js.map} +0 -0
  368. /package/dist/{enclave-IS7HZSQ7.js.map → delegation-BQNIEHZE.js.map} +0 -0
  369. /package/dist/{executor-ANFBCOYA.js.map → enclave-YN6223OG.js.map} +0 -0
  370. /package/dist/{executor-IKT47SH2.js.map → executor-CBTNU5VZ.js.map} +0 -0
  371. /package/dist/{executor-OIECZXTV.js.map → executor-DJHNSTIR.js.map} +0 -0
  372. /package/dist/{export-accessible-NZWCFZHL.js.map → executor-FGISLQIN.js.map} +0 -0
  373. /package/dist/{extract-partition-52LX6RQH.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
  374. /package/dist/{issue-F4SYPJGJ.js.map → extract-partition-6JGY3KYR.js.map} +0 -0
  375. /package/dist/{ledger-YUAJUNFP.js.map → find-RNBG7LBY.js.map} +0 -0
  376. /package/dist/{liberate-6LDETRIW.js.map → issue-W5QG53B5.js.map} +0 -0
  377. /package/dist/{noydb-WQNBVJIG.js.map → lazy/index.js.map} +0 -0
  378. /package/dist/{policy-LRE6HTO5.js.map → ledger-KZWBKAG5.js.map} +0 -0
  379. /package/dist/{public-envelope-WVRRUVAJ.js.map → liberate-AQ7OWBZZ.js.map} +0 -0
  380. /package/dist/{registry-6HZ2JSQ7.js.map → link-set-UQEIYQAM.js.map} +0 -0
  381. /package/dist/{registry-GPXZQ7DT.js.map → noydb-WQZNAECY.js.map} +0 -0
  382. /package/dist/{registry-USYD2ECC.js.map → policy-YIKUH4AD.js.map} +0 -0
  383. /package/dist/{request-withdrawal-54V4L6CR.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
  384. /package/dist/{revoke-JV26NTQD.js.map → register-V5AQTXNI.js.map} +0 -0
  385. /package/dist/{signer-AE56T5HE.js.map → registry-IMNMHWTM.js.map} +0 -0
  386. /package/dist/{stale-LX4BR43V.js.map → registry-K6VUQXKV.js.map} +0 -0
  387. /package/dist/{withdraw-accessible-DGA4V2TP.js.map → registry-ZVO3T4M5.js.map} +0 -0
  388. /package/dist/{store-coordination-provider-KTRIC6PR.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
@@ -0,0 +1,194 @@
1
+ // src/kernel/cache/lru.ts
2
+ var Lru = class {
3
+ entries = /* @__PURE__ */ new Map();
4
+ maxRecords;
5
+ maxBytes;
6
+ currentBytes = 0;
7
+ hits = 0;
8
+ misses = 0;
9
+ evictions = 0;
10
+ constructor(options) {
11
+ if (options.maxRecords === void 0 && options.maxBytes === void 0) {
12
+ throw new Error("Lru: must specify maxRecords, maxBytes, or both");
13
+ }
14
+ this.maxRecords = options.maxRecords;
15
+ this.maxBytes = options.maxBytes;
16
+ }
17
+ /**
18
+ * Look up a key. Hits promote the entry to most-recently-used; misses
19
+ * return undefined. Both update the running stats counters.
20
+ */
21
+ get(key) {
22
+ const entry = this.entries.get(key);
23
+ if (!entry) {
24
+ this.misses++;
25
+ return void 0;
26
+ }
27
+ this.entries.delete(key);
28
+ this.entries.set(key, entry);
29
+ this.hits++;
30
+ return entry.value;
31
+ }
32
+ /**
33
+ * Insert or update a key. If the key already exists, its size is
34
+ * accounted for and the entry is promoted to MRU. After insertion,
35
+ * eviction runs to maintain both budgets.
36
+ */
37
+ set(key, value, size) {
38
+ const existing = this.entries.get(key);
39
+ if (existing) {
40
+ this.currentBytes -= existing.size;
41
+ this.entries.delete(key);
42
+ }
43
+ this.entries.set(key, { value, size });
44
+ this.currentBytes += size;
45
+ this.evictUntilUnderBudget();
46
+ }
47
+ /**
48
+ * Remove a key without affecting hit/miss stats. Used by `Collection.delete()`.
49
+ * Returns true if the key was present.
50
+ */
51
+ remove(key) {
52
+ const existing = this.entries.get(key);
53
+ if (!existing) return false;
54
+ this.currentBytes -= existing.size;
55
+ this.entries.delete(key);
56
+ return true;
57
+ }
58
+ /** True if the cache currently holds an entry for the given key. */
59
+ has(key) {
60
+ return this.entries.has(key);
61
+ }
62
+ /**
63
+ * Drop every entry. Stats counters survive — call `resetStats()` if you
64
+ * want a clean slate. Used by `Collection.invalidate()` on key rotation.
65
+ */
66
+ clear() {
67
+ this.entries.clear();
68
+ this.currentBytes = 0;
69
+ }
70
+ /** Reset hit/miss/eviction counters to zero. Does NOT touch entries. */
71
+ resetStats() {
72
+ this.hits = 0;
73
+ this.misses = 0;
74
+ this.evictions = 0;
75
+ }
76
+ /** Snapshot of current cache statistics. Cheap — no copying. */
77
+ stats() {
78
+ return {
79
+ hits: this.hits,
80
+ misses: this.misses,
81
+ evictions: this.evictions,
82
+ size: this.entries.size,
83
+ bytes: this.currentBytes
84
+ };
85
+ }
86
+ /**
87
+ * Iterate over all currently-cached values. Order is least-recently-used
88
+ * first. Used by tests and devtools — production callers should use
89
+ * `Collection.scan()` instead.
90
+ */
91
+ *values() {
92
+ for (const entry of this.entries.values()) yield entry.value;
93
+ }
94
+ /**
95
+ * Walk the cache from the LRU end and drop entries until both budgets
96
+ * are satisfied. Called after every `set()`. Single pass — entries are
97
+ * never re-promoted during eviction.
98
+ */
99
+ evictUntilUnderBudget() {
100
+ while (this.overBudget()) {
101
+ const oldest = this.entries.keys().next();
102
+ if (oldest.done) return;
103
+ const key = oldest.value;
104
+ const entry = this.entries.get(key);
105
+ if (entry) this.currentBytes -= entry.size;
106
+ this.entries.delete(key);
107
+ this.evictions++;
108
+ }
109
+ }
110
+ overBudget() {
111
+ if (this.maxRecords !== void 0 && this.entries.size > this.maxRecords) return true;
112
+ if (this.maxBytes !== void 0 && this.currentBytes > this.maxBytes) return true;
113
+ return false;
114
+ }
115
+ };
116
+
117
+ // src/kernel/cache/policy.ts
118
+ var UNITS = {
119
+ "": 1,
120
+ "B": 1,
121
+ "KB": 1024,
122
+ "MB": 1024 * 1024,
123
+ "GB": 1024 * 1024 * 1024
124
+ // 'TB' deliberately not supported — if you need it, you're not using NOYDB.
125
+ };
126
+ function parseBytes(input) {
127
+ if (typeof input === "number") {
128
+ if (!Number.isFinite(input) || input <= 0) {
129
+ throw new Error(`parseBytes: numeric input must be a positive finite number, got ${String(input)}`);
130
+ }
131
+ return Math.floor(input);
132
+ }
133
+ const trimmed = input.trim();
134
+ if (trimmed === "") {
135
+ throw new Error("parseBytes: empty string is not a valid byte budget");
136
+ }
137
+ const match = /^([0-9]+(?:\.[0-9]+)?)\s*([A-Za-z]*)$/.exec(trimmed);
138
+ if (!match) {
139
+ throw new Error(`parseBytes: invalid byte budget "${input}". Expected format: "1024", "50KB", "50MB", "1GB"`);
140
+ }
141
+ const value = parseFloat(match[1]);
142
+ const unit = (match[2] ?? "").toUpperCase();
143
+ if (!(unit in UNITS)) {
144
+ throw new Error(`parseBytes: unknown unit "${match[2]}" in "${input}". Supported: B, KB, MB, GB`);
145
+ }
146
+ const bytes = Math.floor(value * UNITS[unit]);
147
+ if (bytes <= 0) {
148
+ throw new Error(`parseBytes: byte budget must be > 0, got ${bytes} from "${input}"`);
149
+ }
150
+ return bytes;
151
+ }
152
+ function estimateRecordBytes(record) {
153
+ try {
154
+ return JSON.stringify(record).length;
155
+ } catch {
156
+ return 0;
157
+ }
158
+ }
159
+
160
+ // src/port/with/lazy-strategy.ts
161
+ function buildLazyCache(collection, cache) {
162
+ if (!cache || cache.maxRecords === void 0 && cache.maxBytes === void 0) {
163
+ throw new Error(
164
+ `Collection "${collection}": lazy mode (prefetch: false) requires a cache option with maxRecords and/or maxBytes. An unbounded lazy cache defeats the purpose.`
165
+ );
166
+ }
167
+ const lruOptions = {};
168
+ if (cache.maxRecords !== void 0) lruOptions.maxRecords = cache.maxRecords;
169
+ if (cache.maxBytes !== void 0) lruOptions.maxBytes = parseBytes(cache.maxBytes);
170
+ return new Lru(lruOptions);
171
+ }
172
+ var implicitLazyWarned = false;
173
+ var IMPLICIT_LAZY = {
174
+ createCache(collection, cache) {
175
+ if (!implicitLazyWarned) {
176
+ implicitLazyWarned = true;
177
+ if (!(typeof process !== "undefined" && process.env["NODE_ENV"] === "test")) {
178
+ console.warn(
179
+ `[noy-db] Collection "${collection}": lazy mode (prefetch: false) without the lazy service is deprecated \u2014 pass \`lazyStrategy: withLazy()\` (from "@noy-db/hub/lazy") to createNoydb(). The implicit path will be removed at 1.0.`
180
+ );
181
+ }
182
+ }
183
+ return buildLazyCache(collection, cache);
184
+ }
185
+ };
186
+
187
+ export {
188
+ Lru,
189
+ parseBytes,
190
+ estimateRecordBytes,
191
+ buildLazyCache,
192
+ IMPLICIT_LAZY
193
+ };
194
+ //# sourceMappingURL=chunk-NO272T7Q.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/kernel/cache/lru.ts","../src/kernel/cache/policy.ts","../src/port/with/lazy-strategy.ts"],"sourcesContent":["/**\n * Generic LRU cache for `Collection`'s lazy hydration mode.\n *\n * Backed by a JavaScript `Map`, which preserves insertion order. Promotion\n * is implemented as `delete()` + `set()` — O(1) on `Map` since both\n * operations are constant-time. Eviction walks the iterator from the front\n * (least recently used) until both budgets are satisfied.\n *\n * ships in-memory only. The cache is never persisted; on collection\n * close every entry is dropped. Persisting cache state is a follow-up\n * once the access patterns from real consumers tell us whether it would\n * pay back the complexity.\n */\n\nexport interface LruEntry<V> {\n /** The cached value. */\n readonly value: V\n /**\n * Approximate decrypted byte size of the entry. Used by the byte-budget\n * eviction path. Callers compute this once at insert time and pass it\n * in — recomputing on every access would dominate the per-record cost.\n */\n readonly size: number\n}\n\nexport interface LruOptions {\n /** Maximum number of entries before eviction. Required if `maxBytes` is unset. */\n maxRecords?: number\n /** Maximum total bytes before eviction. Computed from per-entry `size`. */\n maxBytes?: number\n}\n\nexport interface LruStats {\n /** Total cache hits since construction (or `resetStats()`). */\n hits: number\n /** Total cache misses since construction (or `resetStats()`). */\n misses: number\n /** Total entries evicted since construction (or `resetStats()`). */\n evictions: number\n /** Current number of cached entries. */\n size: number\n /** Current sum of cached entry sizes (in bytes, approximate). */\n bytes: number\n}\n\n/**\n * O(1) LRU cache. Both `get()` and `set()` promote the touched entry to\n * the most-recently-used end. Eviction happens after every insert and\n * walks the front of the Map iterator dropping entries until both\n * budgets are satisfied.\n */\nexport class Lru<K, V> {\n private readonly entries = new Map<K, LruEntry<V>>()\n private readonly maxRecords: number | undefined\n private readonly maxBytes: number | undefined\n private currentBytes = 0\n private hits = 0\n private misses = 0\n private evictions = 0\n\n constructor(options: LruOptions) {\n if (options.maxRecords === undefined && options.maxBytes === undefined) {\n throw new Error('Lru: must specify maxRecords, maxBytes, or both')\n }\n this.maxRecords = options.maxRecords\n this.maxBytes = options.maxBytes\n }\n\n /**\n * Look up a key. Hits promote the entry to most-recently-used; misses\n * return undefined. Both update the running stats counters.\n */\n get(key: K): V | undefined {\n const entry = this.entries.get(key)\n if (!entry) {\n this.misses++\n return undefined\n }\n // Promote: re-insert moves the entry to the end of the iteration order.\n this.entries.delete(key)\n this.entries.set(key, entry)\n this.hits++\n return entry.value\n }\n\n /**\n * Insert or update a key. If the key already exists, its size is\n * accounted for and the entry is promoted to MRU. After insertion,\n * eviction runs to maintain both budgets.\n */\n set(key: K, value: V, size: number): void {\n const existing = this.entries.get(key)\n if (existing) {\n // Update path: subtract the old size before adding the new one.\n this.currentBytes -= existing.size\n this.entries.delete(key)\n }\n this.entries.set(key, { value, size })\n this.currentBytes += size\n this.evictUntilUnderBudget()\n }\n\n /**\n * Remove a key without affecting hit/miss stats. Used by `Collection.delete()`.\n * Returns true if the key was present.\n */\n remove(key: K): boolean {\n const existing = this.entries.get(key)\n if (!existing) return false\n this.currentBytes -= existing.size\n this.entries.delete(key)\n return true\n }\n\n /** True if the cache currently holds an entry for the given key. */\n has(key: K): boolean {\n return this.entries.has(key)\n }\n\n /**\n * Drop every entry. Stats counters survive — call `resetStats()` if you\n * want a clean slate. Used by `Collection.invalidate()` on key rotation.\n */\n clear(): void {\n this.entries.clear()\n this.currentBytes = 0\n }\n\n /** Reset hit/miss/eviction counters to zero. Does NOT touch entries. */\n resetStats(): void {\n this.hits = 0\n this.misses = 0\n this.evictions = 0\n }\n\n /** Snapshot of current cache statistics. Cheap — no copying. */\n stats(): LruStats {\n return {\n hits: this.hits,\n misses: this.misses,\n evictions: this.evictions,\n size: this.entries.size,\n bytes: this.currentBytes,\n }\n }\n\n /**\n * Iterate over all currently-cached values. Order is least-recently-used\n * first. Used by tests and devtools — production callers should use\n * `Collection.scan()` instead.\n */\n *values(): IterableIterator<V> {\n for (const entry of this.entries.values()) yield entry.value\n }\n\n /**\n * Walk the cache from the LRU end and drop entries until both budgets\n * are satisfied. Called after every `set()`. Single pass — entries are\n * never re-promoted during eviction.\n */\n private evictUntilUnderBudget(): void {\n while (this.overBudget()) {\n const oldest = this.entries.keys().next()\n if (oldest.done) return // empty cache; nothing more to evict\n const key = oldest.value\n const entry = this.entries.get(key)\n if (entry) this.currentBytes -= entry.size\n this.entries.delete(key)\n this.evictions++\n }\n }\n\n private overBudget(): boolean {\n if (this.maxRecords !== undefined && this.entries.size > this.maxRecords) return true\n if (this.maxBytes !== undefined && this.currentBytes > this.maxBytes) return true\n return false\n }\n}\n","/**\n * Cache policy helpers — parse human-friendly byte budgets into raw numbers.\n *\n * Accepted shapes (case-insensitive on suffix):\n * number — interpreted as raw bytes\n * '1024' — string of digits, raw bytes\n * '50KB' — kilobytes (×1024)\n * '50MB' — megabytes (×1024²)\n * '1GB' — gigabytes (×1024³)\n *\n * Decimals are accepted (`'1.5GB'` → 1610612736 bytes).\n *\n * Anything else throws — better to fail loud at construction time than\n * to silently treat a typo as 0 bytes (which would evict everything).\n */\n\nconst UNITS: Record<string, number> = {\n '': 1,\n 'B': 1,\n 'KB': 1024,\n 'MB': 1024 * 1024,\n 'GB': 1024 * 1024 * 1024,\n // 'TB' deliberately not supported — if you need it, you're not using NOYDB.\n}\n\n/** Parse a byte budget into a positive integer number of bytes. */\nexport function parseBytes(input: number | string): number {\n if (typeof input === 'number') {\n if (!Number.isFinite(input) || input <= 0) {\n throw new Error(`parseBytes: numeric input must be a positive finite number, got ${String(input)}`)\n }\n return Math.floor(input)\n }\n\n const trimmed = input.trim()\n if (trimmed === '') {\n throw new Error('parseBytes: empty string is not a valid byte budget')\n }\n\n // Accept either a bare number or a number followed by a unit suffix.\n // Regex: optional sign, digits with optional decimal, optional unit.\n const match = /^([0-9]+(?:\\.[0-9]+)?)\\s*([A-Za-z]*)$/.exec(trimmed)\n if (!match) {\n throw new Error(`parseBytes: invalid byte budget \"${input}\". Expected format: \"1024\", \"50KB\", \"50MB\", \"1GB\"`)\n }\n\n const value = parseFloat(match[1]!)\n const unit = (match[2] ?? '').toUpperCase()\n\n if (!(unit in UNITS)) {\n throw new Error(`parseBytes: unknown unit \"${match[2]}\" in \"${input}\". Supported: B, KB, MB, GB`)\n }\n\n const bytes = Math.floor(value * UNITS[unit]!)\n if (bytes <= 0) {\n throw new Error(`parseBytes: byte budget must be > 0, got ${bytes} from \"${input}\"`)\n }\n return bytes\n}\n\n/**\n * Estimate the in-memory byte size of a decrypted record.\n *\n * Uses `JSON.stringify().length` as a stand-in for actual heap usage.\n * It's a deliberate approximation: real V8 heap size includes pointer\n * overhead, hidden classes, and string interning that we can't measure\n * from JavaScript. The JSON length is a stable, monotonic proxy that\n * costs O(record size) per insert — fine when records are typically\n * < 1 KB and the cache eviction is the slow path anyway.\n *\n * Returns `0` (and the caller must treat it as 1 for accounting) if\n * stringification throws on circular references; this is documented\n * but in practice records always come from JSON-decoded envelopes.\n */\nexport function estimateRecordBytes(record: unknown): number {\n try {\n return JSON.stringify(record).length\n } catch {\n return 0\n }\n}\n","/**\n * Lazy-mode capability contract (#267 Track A tail — lazy-mode promoted out\n * of `routing` into its own `lazy` service). Lives on the `/with` port (the\n * one seam the kernel spine may import statically) so `Collection` can hold\n * the back-compat default without a spine→service static import.\n *\n * Lazy mode (`prefetch: false`) skips bulk hydration: reads go per-id\n * against the store and land in a bounded LRU working set. The strategy owns\n * constructing that LRU:\n *\n * - `withLazy()` (`with-store/lazy/active.ts`, subpath `@noy-db/hub/lazy`)\n * is the explicit catalog opt-in — silent, forward-stable.\n * - {@link IMPLICIT_LAZY} is the floor default reached when a collection\n * declares `prefetch: false` WITHOUT `lazyStrategy: withLazy()`. It keeps\n * the pre-#267 behavior byte-for-byte (back-compat delegation, pre-1.0)\n * but emits a one-time deprecation warn outside test env. It will become\n * a throwing stub at 1.0, letting the LRU leave the floor bundle\n * entirely once the per-record-CEK cache stops pinning `Lru` there.\n *\n * The on-demand read/write branches themselves stay kernel-resident (they\n * are `if (this.lazy)` forks on the hot get/put/scan paths); the service\n * seam owns cache construction + budget validation, which is where the\n * opt-in and the future tree-shake win live.\n * @internal\n */\nimport { Lru, parseBytes } from '../../kernel/cache/index.js'\nimport type { CacheOptions } from '../../kernel/collection.js'\n\nexport interface LazyStrategy {\n /**\n * Build the bounded LRU working-set cache for a lazy collection.\n * MUST throw when `cache` declares neither `maxRecords` nor `maxBytes` —\n * an unbounded lazy cache defeats the purpose.\n */\n createCache<V>(collection: string, cache: CacheOptions | undefined): Lru<string, V>\n}\n\n/**\n * Shared budget validation + LRU construction — the one implementation both\n * {@link IMPLICIT_LAZY} and `withLazy()` run, so the two paths cannot drift.\n * @internal\n */\nexport function buildLazyCache<V>(collection: string, cache: CacheOptions | undefined): Lru<string, V> {\n if (!cache || (cache.maxRecords === undefined && cache.maxBytes === undefined)) {\n throw new Error(\n `Collection \"${collection}\": lazy mode (prefetch: false) requires a cache option ` +\n `with maxRecords and/or maxBytes. An unbounded lazy cache defeats the purpose.`,\n )\n }\n const lruOptions: { maxRecords?: number; maxBytes?: number } = {}\n if (cache.maxRecords !== undefined) lruOptions.maxRecords = cache.maxRecords\n if (cache.maxBytes !== undefined) lruOptions.maxBytes = parseBytes(cache.maxBytes)\n return new Lru<string, V>(lruOptions)\n}\n\nlet implicitLazyWarned = false\n\n/**\n * Back-compat default (deprecated): `prefetch: false` without\n * `lazyStrategy: withLazy()`. Identical behavior to the explicit opt-in,\n * plus a one-time deprecation warn (suppressed under NODE_ENV=test,\n * mirroring the listPage fallback warn). @internal\n */\nexport const IMPLICIT_LAZY: LazyStrategy = {\n createCache<V>(collection: string, cache: CacheOptions | undefined): Lru<string, V> {\n if (!implicitLazyWarned) {\n implicitLazyWarned = true\n if (!(typeof process !== 'undefined' && process.env['NODE_ENV'] === 'test')) {\n console.warn(\n `[noy-db] Collection \"${collection}\": lazy mode (prefetch: false) without the lazy ` +\n `service is deprecated — pass \\`lazyStrategy: withLazy()\\` (from \"@noy-db/hub/lazy\") ` +\n `to createNoydb(). The implicit path will be removed at 1.0.`,\n )\n }\n }\n return buildLazyCache<V>(collection, cache)\n },\n}\n"],"mappings":";AAmDO,IAAM,MAAN,MAAgB;AAAA,EACJ,UAAU,oBAAI,IAAoB;AAAA,EAClC;AAAA,EACA;AAAA,EACT,eAAe;AAAA,EACf,OAAO;AAAA,EACP,SAAS;AAAA,EACT,YAAY;AAAA,EAEpB,YAAY,SAAqB;AAC/B,QAAI,QAAQ,eAAe,UAAa,QAAQ,aAAa,QAAW;AACtE,YAAM,IAAI,MAAM,iDAAiD;AAAA,IACnE;AACA,SAAK,aAAa,QAAQ;AAC1B,SAAK,WAAW,QAAQ;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,KAAuB;AACzB,UAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,QAAI,CAAC,OAAO;AACV,WAAK;AACL,aAAO;AAAA,IACT;AAEA,SAAK,QAAQ,OAAO,GAAG;AACvB,SAAK,QAAQ,IAAI,KAAK,KAAK;AAC3B,SAAK;AACL,WAAO,MAAM;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,KAAQ,OAAU,MAAoB;AACxC,UAAM,WAAW,KAAK,QAAQ,IAAI,GAAG;AACrC,QAAI,UAAU;AAEZ,WAAK,gBAAgB,SAAS;AAC9B,WAAK,QAAQ,OAAO,GAAG;AAAA,IACzB;AACA,SAAK,QAAQ,IAAI,KAAK,EAAE,OAAO,KAAK,CAAC;AACrC,SAAK,gBAAgB;AACrB,SAAK,sBAAsB;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAO,KAAiB;AACtB,UAAM,WAAW,KAAK,QAAQ,IAAI,GAAG;AACrC,QAAI,CAAC,SAAU,QAAO;AACtB,SAAK,gBAAgB,SAAS;AAC9B,SAAK,QAAQ,OAAO,GAAG;AACvB,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,IAAI,KAAiB;AACnB,WAAO,KAAK,QAAQ,IAAI,GAAG;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,QAAQ,MAAM;AACnB,SAAK,eAAe;AAAA,EACtB;AAAA;AAAA,EAGA,aAAmB;AACjB,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA,EAGA,QAAkB;AAChB,WAAO;AAAA,MACL,MAAM,KAAK;AAAA,MACX,QAAQ,KAAK;AAAA,MACb,WAAW,KAAK;AAAA,MAChB,MAAM,KAAK,QAAQ;AAAA,MACnB,OAAO,KAAK;AAAA,IACd;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,CAAC,SAA8B;AAC7B,eAAW,SAAS,KAAK,QAAQ,OAAO,EAAG,OAAM,MAAM;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,wBAA8B;AACpC,WAAO,KAAK,WAAW,GAAG;AACxB,YAAM,SAAS,KAAK,QAAQ,KAAK,EAAE,KAAK;AACxC,UAAI,OAAO,KAAM;AACjB,YAAM,MAAM,OAAO;AACnB,YAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,UAAI,MAAO,MAAK,gBAAgB,MAAM;AACtC,WAAK,QAAQ,OAAO,GAAG;AACvB,WAAK;AAAA,IACP;AAAA,EACF;AAAA,EAEQ,aAAsB;AAC5B,QAAI,KAAK,eAAe,UAAa,KAAK,QAAQ,OAAO,KAAK,WAAY,QAAO;AACjF,QAAI,KAAK,aAAa,UAAa,KAAK,eAAe,KAAK,SAAU,QAAO;AAC7E,WAAO;AAAA,EACT;AACF;;;ACjKA,IAAM,QAAgC;AAAA,EACpC,IAAI;AAAA,EACJ,KAAK;AAAA,EACL,MAAM;AAAA,EACN,MAAM,OAAO;AAAA,EACb,MAAM,OAAO,OAAO;AAAA;AAEtB;AAGO,SAAS,WAAW,OAAgC;AACzD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,KAAK,SAAS,GAAG;AACzC,YAAM,IAAI,MAAM,mEAAmE,OAAO,KAAK,CAAC,EAAE;AAAA,IACpG;AACA,WAAO,KAAK,MAAM,KAAK;AAAA,EACzB;AAEA,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,YAAY,IAAI;AAClB,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE;AAIA,QAAM,QAAQ,wCAAwC,KAAK,OAAO;AAClE,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,oCAAoC,KAAK,mDAAmD;AAAA,EAC9G;AAEA,QAAM,QAAQ,WAAW,MAAM,CAAC,CAAE;AAClC,QAAM,QAAQ,MAAM,CAAC,KAAK,IAAI,YAAY;AAE1C,MAAI,EAAE,QAAQ,QAAQ;AACpB,UAAM,IAAI,MAAM,6BAA6B,MAAM,CAAC,CAAC,SAAS,KAAK,6BAA6B;AAAA,EAClG;AAEA,QAAM,QAAQ,KAAK,MAAM,QAAQ,MAAM,IAAI,CAAE;AAC7C,MAAI,SAAS,GAAG;AACd,UAAM,IAAI,MAAM,4CAA4C,KAAK,UAAU,KAAK,GAAG;AAAA,EACrF;AACA,SAAO;AACT;AAgBO,SAAS,oBAAoB,QAAyB;AAC3D,MAAI;AACF,WAAO,KAAK,UAAU,MAAM,EAAE;AAAA,EAChC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACtCO,SAAS,eAAkB,YAAoB,OAAiD;AACrG,MAAI,CAAC,SAAU,MAAM,eAAe,UAAa,MAAM,aAAa,QAAY;AAC9E,UAAM,IAAI;AAAA,MACR,eAAe,UAAU;AAAA,IAE3B;AAAA,EACF;AACA,QAAM,aAAyD,CAAC;AAChE,MAAI,MAAM,eAAe,OAAW,YAAW,aAAa,MAAM;AAClE,MAAI,MAAM,aAAa,OAAW,YAAW,WAAW,WAAW,MAAM,QAAQ;AACjF,SAAO,IAAI,IAAe,UAAU;AACtC;AAEA,IAAI,qBAAqB;AAQlB,IAAM,gBAA8B;AAAA,EACzC,YAAe,YAAoB,OAAiD;AAClF,QAAI,CAAC,oBAAoB;AACvB,2BAAqB;AACrB,UAAI,EAAE,OAAO,YAAY,eAAe,QAAQ,IAAI,UAAU,MAAM,SAAS;AAC3E,gBAAQ;AAAA,UACN,wBAAwB,UAAU;AAAA,QAGpC;AAAA,MACF;AAAA,IACF;AACA,WAAO,eAAkB,YAAY,KAAK;AAAA,EAC5C;AACF;","names":[]}
@@ -1,21 +1,39 @@
1
1
  import {
2
- ensureCollectionDEK
3
- } from "./chunk-5A6TC3RQ.js";
2
+ SYNC_CREDENTIALS_COLLECTION,
3
+ ensureCollectionDEK,
4
+ grant,
5
+ revoke,
6
+ rotateKeys
7
+ } from "./chunk-ZT4GWVTX.js";
4
8
  import {
5
9
  openEnvelopeJson
6
- } from "./chunk-5EZAJEES.js";
7
- import {
8
- encrypt
9
- } from "./chunk-L4IRFTIF.js";
10
+ } from "./chunk-OVO2RZAE.js";
10
11
  import {
11
12
  NOYDB_FORMAT_VERSION
12
- } from "./chunk-OCDUQUAP.js";
13
+ } from "./chunk-LN22XH4B.js";
14
+ import {
15
+ encrypt
16
+ } from "./chunk-TLJOJBZD.js";
13
17
  import {
14
18
  PermissionDeniedError
15
- } from "./chunk-BLZRNHMG.js";
19
+ } from "./chunk-U23JUUPX.js";
20
+
21
+ // src/with-party/team/active.ts
22
+ function withTeam() {
23
+ return {
24
+ async grant(team, vault, options, factors) {
25
+ return team.runGrant(grant, vault, options, factors);
26
+ },
27
+ async revoke(team, vault, options, factors) {
28
+ return team.runRevoke(revoke, vault, options, factors);
29
+ },
30
+ async rotate(team, vault, collections) {
31
+ return team.runRotate(rotateKeys, vault, collections);
32
+ }
33
+ };
34
+ }
16
35
 
17
36
  // src/with-party/team/sync-credentials.ts
18
- var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
19
37
  function requireAdminAccess(keyring) {
20
38
  if (keyring.role !== "owner" && keyring.role !== "admin") {
21
39
  throw new PermissionDeniedError(
@@ -71,11 +89,11 @@ async function credentialStatus(adapter, vault, keyring, adapterId) {
71
89
  }
72
90
 
73
91
  export {
74
- SYNC_CREDENTIALS_COLLECTION,
92
+ withTeam,
75
93
  putCredential,
76
94
  getCredential,
77
95
  deleteCredential,
78
96
  listCredentials,
79
97
  credentialStatus
80
98
  };
81
- //# sourceMappingURL=chunk-NIA5VQ7G.js.map
99
+ //# sourceMappingURL=chunk-NQVZB3S7.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-party/team/active.ts","../src/with-party/team/sync-credentials.ts"],"sourcesContent":["/**\n * Enable the multi-user team capability (#267 Track A tail).\n *\n * Pass to `createNoydb({ teamStrategy: withTeam() })` to make `db.grant` /\n * `db.revoke` / `db.rotate` live. The keyring grant/revoke/rotate engines\n * are statically imported HERE — this module is reachable only through the\n * `@noy-db/hub/team` subpath (and the root barrel's tree-shakeable\n * re-export), so a single-user floor bundle never carries them. The facade\n * (`TeamFacade.runGrant` / `runRevoke` / `runRotate`) owns the policy-gate +\n * keyring plumbing and receives the engine as an argument.\n */\nimport type { TeamStrategy } from './strategy.js'\nimport { grant as grantEngine, revoke as revokeEngine, rotateKeys as rotateEngine } from './keyring.js'\n\nexport function withTeam(): TeamStrategy {\n return {\n async grant(team, vault, options, factors) {\n return team.runGrant(grantEngine, vault, options, factors)\n },\n async revoke(team, vault, options, factors) {\n return team.runRevoke(revokeEngine, vault, options, factors)\n },\n async rotate(team, vault, collections) {\n return team.runRotate(rotateEngine, vault, collections)\n },\n }\n}\n","/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../kernel/types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../kernel/types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, openEnvelopeJson } from '../../kernel/enclave/index.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../../kernel/errors.js'\n\n/**\n * The reserved collection name. Never collides with user collections.\n * Canonical definition lives in `reserved-secret-collections.ts` (shared with\n * the `vault.collection()` guard and grant DEK-propagation); re-exported here\n * for existing consumers.\n */\nexport { SYNC_CREDENTIALS_COLLECTION } from './reserved-secret-collections.js'\nimport { SYNC_CREDENTIALS_COLLECTION } from './reserved-secret-collections.js'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n readonly adapterId: string\n /** OAuth token type, usually 'Bearer'. */\n readonly tokenType: string\n /** The access token. Expires at `expiresAt` if set. */\n readonly accessToken: string\n /** Long-lived refresh token for renewing the access token. */\n readonly refreshToken?: string\n /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n readonly expiresAt?: string\n /** Space-separated OAuth scopes. */\n readonly scopes?: string\n /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n // FR-6: custodian is INTENTIONALLY excluded. Sync credentials are the\n // firm's hosting/infrastructure secrets (OAuth tokens, connection strings) —\n // not the custodian's operational scope. A custodian operates the DATA but\n // must never mint or read transport credentials that could be used to\n // re-home or impersonate the firm's vault. Do NOT add 'custodian' here.\n if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n throw new PermissionDeniedError(\n `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n )\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n credential: SyncCredential,\n): Promise<void> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n const version = existing ? existing._v + 1 : 1\n\n const envelope: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: version,\n _ts: new Date().toISOString(),\n _iv: iv,\n _data: data,\n _by: keyring.userId,\n }\n\n await adapter.put(\n vault,\n SYNC_CREDENTIALS_COLLECTION,\n credential.adapterId,\n envelope,\n existing ? existing._v : undefined,\n )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<SyncCredential | null> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n if (!envelope) return null\n\n const plaintext = await openEnvelopeJson(envelope, dek)\n return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<void> {\n requireAdminAccess(keyring)\n await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n): Promise<string[]> {\n requireAdminAccess(keyring)\n return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n const credential = await getCredential(adapter, vault, keyring, adapterId)\n if (!credential) return { exists: false }\n\n const expired = credential.expiresAt\n ? Date.now() > new Date(credential.expiresAt).getTime()\n : false\n\n return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAcO,SAAS,WAAyB;AACvC,SAAO;AAAA,IACL,MAAM,MAAM,MAAM,OAAO,SAAS,SAAS;AACzC,aAAO,KAAK,SAAS,OAAa,OAAO,SAAS,OAAO;AAAA,IAC3D;AAAA,IACA,MAAM,OAAO,MAAM,OAAO,SAAS,SAAS;AAC1C,aAAO,KAAK,UAAU,QAAc,OAAO,SAAS,OAAO;AAAA,IAC7D;AAAA,IACA,MAAM,OAAO,MAAM,OAAO,aAAa;AACrC,aAAO,KAAK,UAAU,YAAc,OAAO,WAAW;AAAA,IACxD;AAAA,EACF;AACF;;;ACyDA,SAAS,mBAAmB,SAAgC;AAM1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,iBAAiB,UAAU,GAAG;AACtD,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}
@@ -1,14 +1,14 @@
1
1
  import {
2
2
  openEnvelopeJson
3
- } from "./chunk-5EZAJEES.js";
3
+ } from "./chunk-OVO2RZAE.js";
4
+ import {
5
+ NOYDB_FORMAT_VERSION
6
+ } from "./chunk-LN22XH4B.js";
4
7
  import {
5
8
  encrypt,
6
9
  hmacSha256Hex,
7
10
  sha256Hex
8
- } from "./chunk-L4IRFTIF.js";
9
- import {
10
- NOYDB_FORMAT_VERSION
11
- } from "./chunk-OCDUQUAP.js";
11
+ } from "./chunk-TLJOJBZD.js";
12
12
 
13
13
  // src/with-audit/forget/strategy.ts
14
14
  var NO_FORGET = { subjects: {} };
@@ -147,4 +147,4 @@ export {
147
147
  coerceSubjectId,
148
148
  readDottedPath
149
149
  };
150
- //# sourceMappingURL=chunk-6OQ7NKMZ.js.map
150
+ //# sourceMappingURL=chunk-O2DB4C3M.js.map
@@ -1,19 +1,19 @@
1
1
  import {
2
2
  SyncScheduler
3
3
  } from "./chunk-VQNJ7UZL.js";
4
+ import {
5
+ NOYDB_SYNC_VERSION
6
+ } from "./chunk-LN22XH4B.js";
4
7
  import {
5
8
  bufferToBase64,
6
9
  decrypt,
7
10
  derivePresenceKey,
8
11
  encrypt,
9
12
  generateIV
10
- } from "./chunk-L4IRFTIF.js";
11
- import {
12
- NOYDB_SYNC_VERSION
13
- } from "./chunk-OCDUQUAP.js";
13
+ } from "./chunk-TLJOJBZD.js";
14
14
  import {
15
15
  ConflictError
16
- } from "./chunk-BLZRNHMG.js";
16
+ } from "./chunk-U23JUUPX.js";
17
17
 
18
18
  // src/with-party/team/presence.ts
19
19
  var PresenceHandle = class {
@@ -719,4 +719,4 @@ export {
719
719
  SyncEngine,
720
720
  SyncTransaction
721
721
  };
722
- //# sourceMappingURL=chunk-LHYQE3BP.js.map
722
+ //# sourceMappingURL=chunk-OFBFAVLI.js.map
@@ -1,17 +1,17 @@
1
1
  import {
2
2
  SCHEMAS_COLLECTION
3
- } from "./chunk-U6OM4E67.js";
3
+ } from "./chunk-TL7QR5T6.js";
4
4
  import {
5
5
  BLOB_CHUNKS_COLLECTION,
6
6
  BLOB_COLLECTION,
7
7
  BLOB_INDEX_COLLECTION,
8
8
  BLOB_SLOTS_PREFIX,
9
9
  BLOB_VERSIONS_PREFIX
10
- } from "./chunk-55HDKLI3.js";
10
+ } from "./chunk-Z5PIUYNB.js";
11
11
  import {
12
12
  assembleBundleContainer,
13
13
  buildExtractedPartitionWrapper
14
- } from "./chunk-3UDPDRUC.js";
14
+ } from "./chunk-EWR7HL3K.js";
15
15
  import {
16
16
  generateULID
17
17
  } from "./chunk-ZJADGNYF.js";
@@ -22,10 +22,14 @@ import {
22
22
  canonicalJson,
23
23
  envelopePayloadHash,
24
24
  hashEntry
25
- } from "./chunk-6EVZXETK.js";
25
+ } from "./chunk-M66NAZA4.js";
26
26
  import {
27
27
  openEnvelopeJson
28
- } from "./chunk-5EZAJEES.js";
28
+ } from "./chunk-OVO2RZAE.js";
29
+ import {
30
+ NOYDB_BACKUP_VERSION,
31
+ NOYDB_FORMAT_VERSION
32
+ } from "./chunk-LN22XH4B.js";
29
33
  import {
30
34
  bufferToBase64,
31
35
  decrypt,
@@ -35,14 +39,10 @@ import {
35
39
  generateDEK,
36
40
  unwrapCek,
37
41
  wrapCek
38
- } from "./chunk-L4IRFTIF.js";
39
- import {
40
- NOYDB_BACKUP_VERSION,
41
- NOYDB_FORMAT_VERSION
42
- } from "./chunk-OCDUQUAP.js";
42
+ } from "./chunk-TLJOJBZD.js";
43
43
  import {
44
44
  PartitionExtractionError
45
- } from "./chunk-BLZRNHMG.js";
45
+ } from "./chunk-U23JUUPX.js";
46
46
 
47
47
  // src/with-cargo/walk-closure.ts
48
48
  async function walkClosure(vault, opts) {
@@ -450,4 +450,4 @@ export {
450
450
  extractPartition,
451
451
  extractPartitionCore
452
452
  };
453
- //# sourceMappingURL=chunk-IWVWB7BZ.js.map
453
+ //# sourceMappingURL=chunk-OJU3CPFA.js.map
@@ -3,10 +3,10 @@ import {
3
3
  } from "./chunk-ZJADGNYF.js";
4
4
  import {
5
5
  openEnvelopeJson
6
- } from "./chunk-5EZAJEES.js";
6
+ } from "./chunk-OVO2RZAE.js";
7
7
  import {
8
8
  encrypt
9
- } from "./chunk-L4IRFTIF.js";
9
+ } from "./chunk-TLJOJBZD.js";
10
10
 
11
11
  // src/with-audit/consent/consent.ts
12
12
  var CONSENT_AUDIT_COLLECTION = "_consent_audit";
@@ -72,4 +72,4 @@ export {
72
72
  writeConsentEntry,
73
73
  loadConsentEntries
74
74
  };
75
- //# sourceMappingURL=chunk-ZFME46HJ.js.map
75
+ //# sourceMappingURL=chunk-OPTFANOX.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-audit/consent/consent.ts"],"sourcesContent":["/**\n * Consent boundaries — per-access audit log.\n *\n * ```ts\n * const audit = await vault.withConsent(\n * { purpose: 'quarterly-review', consentHash: '7f3a...' },\n * async () => {\n * const invoices = await vault.collection<Invoice>('invoices').list()\n * return invoices\n * },\n * )\n *\n * const log = await vault.consentAudit({ since: '2026-01-01T00:00:00Z' })\n * // → entries: { actor, purpose, consentHash, ts, op, collection, id }\n * ```\n *\n * ## Contract\n *\n * Every `get` / `put` / `delete` that happens inside a `withConsent`\n * callback writes one entry to the reserved `_consent_audit`\n * collection. Entries are encrypted with the vault's consent-audit\n * DEK (separate from per-user-collection DEKs so access-log queries\n * don't require unwrapping individual collection keys). Outside a\n * `withConsent` scope, no entries are written — consent is\n * opt-in by design (GDPR Art. 7: *demonstrable*, *specific*\n * consent).\n *\n * ## Why store the hash, not the consent text?\n *\n * The `consentHash` is the sha256 of whatever consent receipt the\n * actor presented (a signed GDPR banner click, a HIPAA authorisation\n * PDF, an API-level `X-Consent-Hash` header). Storing only the hash:\n *\n * 1. Keeps the audit log small and indexable.\n * 2. Preserves zero-knowledge at the adapter — adapters see\n * ciphertext envelopes of `{ actor, purpose, consentHash, ts,\n * op, collection, id }`, never the consent record itself.\n * 3. Lets the regulator verify a presented consent doc matches\n * the logged hash at audit time without the system ever\n * possessing the doc.\n *\n * ## Concurrency\n *\n * The consent context lives on the {@link Vault} instance. Two\n * concurrent `withConsent` calls on the same Vault would stomp each\n * other — documented limitation; adopters needing per-flight scope\n * should use separate Vault instances or an AsyncLocalStorage shim.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../../kernel/types.js'\nimport { encrypt, openEnvelopeJson, type EnclaveKey } from '../../kernel/enclave/index.js'\nimport { generateULID } from '../../with-pod/ulid.js'\n\n/** Reserved collection for consent-audit entries. */\nexport const CONSENT_AUDIT_COLLECTION = '_consent_audit'\n\n/**\n * The consent scope active for a block of work. Set via\n * `vault.withConsent()`; observed by the collection's access hooks.\n */\nexport interface ConsentContext {\n /**\n * What this access is for. Used by the audit query (`consentAudit\n * ({ purpose })`) and carried in the stored entry. Free-form; the\n * regulator or compliance tooling decides the vocabulary.\n */\n readonly purpose: string\n /**\n * Hex-encoded sha256 of whatever consent artefact the actor\n * presented. Stored as-is in each entry.\n */\n readonly consentHash: string\n}\n\n/**\n * Access operation recorded in an audit entry.\n *\n * Union-widening checklist (I-2) — these three sites widen together or a\n * downstream exhaustive switch breaks at its next in-range minor:\n * 1. `ConsentOp` here (public, re-exported at `index.ts`).\n * 2. `onAccess` op union on `kernel/collection-config.ts`.\n * 3. classified ctx `onAccess` op union on `with-shape/classified/strategy.ts`\n * (the `ClassifiedVerifyCtx` one — the `ClassifiedRevealCtx` one stays `'reveal'`-only).\n */\nexport type ConsentOp = 'get' | 'put' | 'delete' | 'reveal' | 'verify' | 'find'\n\n/** One consent-audit record, as decrypted for the caller. */\nexport interface ConsentAuditEntry {\n /** ULID — stable insertion-order key. */\n readonly id: string\n readonly timestamp: string\n readonly actor: string\n readonly purpose: string\n readonly consentHash: string\n readonly op: ConsentOp\n readonly collection: string\n readonly recordId: string\n}\n\n/** Filter passed to `vault.consentAudit()`. */\nexport interface ConsentAuditFilter {\n /** Only entries at or after this ISO timestamp. */\n readonly since?: string\n /** Only entries at or before this ISO timestamp. */\n readonly until?: string\n /** Match entries targeting this collection. */\n readonly collection?: string\n /** Match entries written by this actor. */\n readonly actor?: string\n /** Match entries with this purpose. */\n readonly purpose?: string\n}\n\n/**\n * Write one audit entry. Called by Vault's onAccess hook when a\n * consent context is active.\n */\nexport async function writeConsentEntry(\n adapter: NoydbStore,\n vault: string,\n encrypted: boolean,\n entry: Omit<ConsentAuditEntry, 'id' | 'timestamp'>,\n getDEK: (collection: string) => Promise<EnclaveKey>,\n): Promise<void> {\n const id = generateULID()\n const full: ConsentAuditEntry = {\n id,\n timestamp: new Date().toISOString(),\n ...entry,\n }\n const envelope = await buildEnvelope(full, encrypted, getDEK)\n await adapter.put(vault, CONSENT_AUDIT_COLLECTION, id, envelope)\n}\n\n/** Load + decrypt + filter all entries. */\nexport async function loadConsentEntries(\n adapter: NoydbStore,\n vault: string,\n encrypted: boolean,\n getDEK: (collection: string) => Promise<EnclaveKey>,\n filter: ConsentAuditFilter = {},\n): Promise<ConsentAuditEntry[]> {\n const ids = await adapter.list(vault, CONSENT_AUDIT_COLLECTION)\n const entries: ConsentAuditEntry[] = []\n\n for (const id of ids.sort()) {\n const envelope = await adapter.get(vault, CONSENT_AUDIT_COLLECTION, id)\n if (!envelope) continue\n const entry = await decryptEntry(envelope, encrypted, getDEK)\n if (!matchesFilter(entry, filter)) continue\n entries.push(entry)\n }\n return entries\n}\n\n// ── internals ──────────────────────────────────────────────────────\n\nasync function buildEnvelope(\n entry: ConsentAuditEntry,\n encrypted: boolean,\n getDEK: (collection: string) => Promise<EnclaveKey>,\n): Promise<EncryptedEnvelope> {\n const json = JSON.stringify(entry)\n if (!encrypted) {\n return {\n _noydb: 1,\n _v: 1,\n _ts: entry.timestamp,\n _iv: '',\n _data: json,\n }\n }\n const dek = await getDEK(CONSENT_AUDIT_COLLECTION)\n const { iv, data } = await encrypt(json, dek)\n return {\n _noydb: 1,\n _v: 1,\n _ts: entry.timestamp,\n _iv: iv,\n _data: data,\n }\n}\n\nasync function decryptEntry(\n envelope: EncryptedEnvelope,\n encrypted: boolean,\n getDEK: (collection: string) => Promise<EnclaveKey>,\n): Promise<ConsentAuditEntry> {\n if (!encrypted) return JSON.parse(envelope._data) as ConsentAuditEntry\n const json = await openEnvelopeJson(envelope, await getDEK(CONSENT_AUDIT_COLLECTION))\n return JSON.parse(json) as ConsentAuditEntry\n}\n\nfunction matchesFilter(entry: ConsentAuditEntry, f: ConsentAuditFilter): boolean {\n if (f.since && entry.timestamp < f.since) return false\n if (f.until && entry.timestamp > f.until) return false\n if (f.collection && entry.collection !== f.collection) return false\n if (f.actor && entry.actor !== f.actor) return false\n if (f.purpose && entry.purpose !== f.purpose) return false\n return true\n}\n"],"mappings":";;;;;;;;;;;AAuDO,IAAM,2BAA2B;AA+DxC,eAAsB,kBACpB,SACA,OACA,WACA,OACA,QACe;AACf,QAAM,KAAK,aAAa;AACxB,QAAM,OAA0B;AAAA,IAC9B;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,GAAG;AAAA,EACL;AACA,QAAM,WAAW,MAAM,cAAc,MAAM,WAAW,MAAM;AAC5D,QAAM,QAAQ,IAAI,OAAO,0BAA0B,IAAI,QAAQ;AACjE;AAGA,eAAsB,mBACpB,SACA,OACA,WACA,QACA,SAA6B,CAAC,GACA;AAC9B,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,wBAAwB;AAC9D,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,IAAI,KAAK,GAAG;AAC3B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,0BAA0B,EAAE;AACtE,QAAI,CAAC,SAAU;AACf,UAAM,QAAQ,MAAM,aAAa,UAAU,WAAW,MAAM;AAC5D,QAAI,CAAC,cAAc,OAAO,MAAM,EAAG;AACnC,YAAQ,KAAK,KAAK;AAAA,EACpB;AACA,SAAO;AACT;AAIA,eAAe,cACb,OACA,WACA,QAC4B;AAC5B,QAAM,OAAO,KAAK,UAAU,KAAK;AACjC,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,wBAAwB;AACjD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK,MAAM;AAAA,IACX,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACF;AAEA,eAAe,aACb,UACA,WACA,QAC4B;AAC5B,MAAI,CAAC,UAAW,QAAO,KAAK,MAAM,SAAS,KAAK;AAChD,QAAM,OAAO,MAAM,iBAAiB,UAAU,MAAM,OAAO,wBAAwB,CAAC;AACpF,SAAO,KAAK,MAAM,IAAI;AACxB;AAEA,SAAS,cAAc,OAA0B,GAAgC;AAC/E,MAAI,EAAE,SAAS,MAAM,YAAY,EAAE,MAAO,QAAO;AACjD,MAAI,EAAE,SAAS,MAAM,YAAY,EAAE,MAAO,QAAO;AACjD,MAAI,EAAE,cAAc,MAAM,eAAe,EAAE,WAAY,QAAO;AAC9D,MAAI,EAAE,SAAS,MAAM,UAAU,EAAE,MAAO,QAAO;AAC/C,MAAI,EAAE,WAAW,MAAM,YAAY,EAAE,QAAS,QAAO;AACrD,SAAO;AACT;","names":[]}