@remnic/core 9.3.538 → 9.3.540

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (81) hide show
  1. package/dist/access-cli.js +15 -15
  2. package/dist/access-http.js +9 -9
  3. package/dist/access-mcp.js +8 -8
  4. package/dist/access-schema.js +3 -3
  5. package/dist/access-service.js +6 -6
  6. package/dist/briefing.js +3 -3
  7. package/dist/causal-consolidation.js +4 -4
  8. package/dist/{chunk-DGDQZ3JW.js → chunk-2OA4PFDW.js} +2 -2
  9. package/dist/{chunk-QIWY5OKC.js → chunk-37FWWWOC.js} +5 -5
  10. package/dist/{chunk-RB7LF7K7.js → chunk-3M7OTJ5H.js} +4 -4
  11. package/dist/{chunk-KJMYHC7K.js → chunk-73JGZ5VA.js} +57 -15
  12. package/dist/chunk-73JGZ5VA.js.map +1 -0
  13. package/dist/{chunk-K4LDMTTY.js → chunk-A5TLPLUO.js} +2 -2
  14. package/dist/{chunk-67VP6I47.js → chunk-BRCYNT4I.js} +2 -2
  15. package/dist/{chunk-XI5V7WSJ.js → chunk-ENIIJ3MZ.js} +2 -2
  16. package/dist/{chunk-QK2G4EYH.js → chunk-FWYUJY4N.js} +2 -2
  17. package/dist/{chunk-TKUQG2PE.js → chunk-FXE46BJ5.js} +2 -2
  18. package/dist/{chunk-OMHRQTOD.js → chunk-GWUUEPOR.js} +2 -2
  19. package/dist/{chunk-TSBADOZU.js → chunk-IEHYNDKN.js} +5 -5
  20. package/dist/{chunk-BE5XAWSA.js → chunk-J62VXZR2.js} +2 -2
  21. package/dist/{chunk-ZQLC75BF.js → chunk-K6OABSBA.js} +2 -2
  22. package/dist/{chunk-6HF5VUBQ.js → chunk-LKUNOD7B.js} +2 -2
  23. package/dist/{chunk-Y2SXZ5KZ.js → chunk-NHZHAZCJ.js} +2 -2
  24. package/dist/{chunk-C6NYAW5B.js → chunk-O3VLN5MY.js} +4 -4
  25. package/dist/{chunk-Z5P7XYDU.js → chunk-QCJLDMY5.js} +8 -8
  26. package/dist/{chunk-7TVK7E3R.js → chunk-QKV4LVLA.js} +2 -2
  27. package/dist/{chunk-DKOIMCGB.js → chunk-QWQX7YK5.js} +2 -2
  28. package/dist/{chunk-PYGKYEDU.js → chunk-RGLJNOQN.js} +3 -3
  29. package/dist/{chunk-DRBCO4RL.js → chunk-RU7QP2GP.js} +12 -12
  30. package/dist/{chunk-O2HWL47E.js → chunk-UMXWQL3P.js} +2 -2
  31. package/dist/{chunk-6QKWLP4V.js → chunk-XE23FSDQ.js} +2 -2
  32. package/dist/{chunk-LKCE3NPZ.js → chunk-YVB6W5EX.js} +2 -2
  33. package/dist/cli.js +18 -18
  34. package/dist/compounding/engine.js +3 -3
  35. package/dist/connectors/codex-materialize-runner.js +3 -3
  36. package/dist/connectors/index.js +3 -3
  37. package/dist/entity-retrieval.js +3 -3
  38. package/dist/index.js +24 -24
  39. package/dist/maintenance/memory-governance.js +3 -3
  40. package/dist/maintenance/rebuild-memory-lifecycle-ledger.js +3 -3
  41. package/dist/maintenance/rebuild-memory-projection.js +4 -4
  42. package/dist/namespaces/migrate.js +4 -4
  43. package/dist/namespaces/storage.js +3 -3
  44. package/dist/offline-sync.js +2 -2
  45. package/dist/operator-toolkit.js +6 -6
  46. package/dist/orchestrator.js +11 -11
  47. package/dist/schemas.d.ts +22 -22
  48. package/dist/secure-store/index.js +2 -2
  49. package/dist/semantic-consolidation.js +4 -4
  50. package/dist/semantic-rule-promotion.js +3 -3
  51. package/dist/semantic-rule-verifier.js +3 -3
  52. package/dist/storage.js +2 -2
  53. package/dist/transfer/types.d.ts +12 -12
  54. package/dist/verified-recall.js +3 -3
  55. package/package.json +1 -1
  56. package/src/secure-store/secure-fs.ts +68 -15
  57. package/src/secure-store/secure-store.test.ts +63 -0
  58. package/dist/chunk-KJMYHC7K.js.map +0 -1
  59. /package/dist/{chunk-DGDQZ3JW.js.map → chunk-2OA4PFDW.js.map} +0 -0
  60. /package/dist/{chunk-QIWY5OKC.js.map → chunk-37FWWWOC.js.map} +0 -0
  61. /package/dist/{chunk-RB7LF7K7.js.map → chunk-3M7OTJ5H.js.map} +0 -0
  62. /package/dist/{chunk-K4LDMTTY.js.map → chunk-A5TLPLUO.js.map} +0 -0
  63. /package/dist/{chunk-67VP6I47.js.map → chunk-BRCYNT4I.js.map} +0 -0
  64. /package/dist/{chunk-XI5V7WSJ.js.map → chunk-ENIIJ3MZ.js.map} +0 -0
  65. /package/dist/{chunk-QK2G4EYH.js.map → chunk-FWYUJY4N.js.map} +0 -0
  66. /package/dist/{chunk-TKUQG2PE.js.map → chunk-FXE46BJ5.js.map} +0 -0
  67. /package/dist/{chunk-OMHRQTOD.js.map → chunk-GWUUEPOR.js.map} +0 -0
  68. /package/dist/{chunk-TSBADOZU.js.map → chunk-IEHYNDKN.js.map} +0 -0
  69. /package/dist/{chunk-BE5XAWSA.js.map → chunk-J62VXZR2.js.map} +0 -0
  70. /package/dist/{chunk-ZQLC75BF.js.map → chunk-K6OABSBA.js.map} +0 -0
  71. /package/dist/{chunk-6HF5VUBQ.js.map → chunk-LKUNOD7B.js.map} +0 -0
  72. /package/dist/{chunk-Y2SXZ5KZ.js.map → chunk-NHZHAZCJ.js.map} +0 -0
  73. /package/dist/{chunk-C6NYAW5B.js.map → chunk-O3VLN5MY.js.map} +0 -0
  74. /package/dist/{chunk-Z5P7XYDU.js.map → chunk-QCJLDMY5.js.map} +0 -0
  75. /package/dist/{chunk-7TVK7E3R.js.map → chunk-QKV4LVLA.js.map} +0 -0
  76. /package/dist/{chunk-DKOIMCGB.js.map → chunk-QWQX7YK5.js.map} +0 -0
  77. /package/dist/{chunk-PYGKYEDU.js.map → chunk-RGLJNOQN.js.map} +0 -0
  78. /package/dist/{chunk-DRBCO4RL.js.map → chunk-RU7QP2GP.js.map} +0 -0
  79. /package/dist/{chunk-O2HWL47E.js.map → chunk-UMXWQL3P.js.map} +0 -0
  80. /package/dist/{chunk-6QKWLP4V.js.map → chunk-XE23FSDQ.js.map} +0 -0
  81. /package/dist/{chunk-LKCE3NPZ.js.map → chunk-YVB6W5EX.js.map} +0 -0
package/dist/access-cli.js CHANGED
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  Orchestrator
3
- } from "./chunk-Z5P7XYDU.js";
4
- import "./chunk-Y2SXZ5KZ.js";
3
+ } from "./chunk-QCJLDMY5.js";
4
+ import "./chunk-NHZHAZCJ.js";
5
5
  import "./chunk-BFBF3XEF.js";
6
6
  import "./chunk-S53PKKWK.js";
7
7
  import "./chunk-HHLLAQGZ.js";
@@ -15,7 +15,7 @@ import "./chunk-4HP7HIE3.js";
15
15
  import "./chunk-7N4KAIGN.js";
16
16
  import "./chunk-TECVW3JP.js";
17
17
  import "./chunk-T2PO5MUF.js";
18
- import "./chunk-QK2G4EYH.js";
18
+ import "./chunk-FWYUJY4N.js";
19
19
  import "./chunk-DRD2Q7HQ.js";
20
20
  import "./chunk-UHGBNIOS.js";
21
21
  import "./chunk-W7L6HXUC.js";
@@ -56,7 +56,7 @@ import "./chunk-54V4BZWP.js";
56
56
  import "./chunk-XZ4WBBB5.js";
57
57
  import "./chunk-77NAFXUD.js";
58
58
  import "./chunk-DB5A3NHS.js";
59
- import "./chunk-OMHRQTOD.js";
59
+ import "./chunk-GWUUEPOR.js";
60
60
  import "./chunk-6NKAQ74D.js";
61
61
  import "./chunk-OAZ5MFUB.js";
62
62
  import "./chunk-PYPOFEMK.js";
@@ -67,17 +67,17 @@ import "./chunk-Y4FHOFJ2.js";
67
67
  import "./chunk-6URPAY2D.js";
68
68
  import "./chunk-3PG3H5TD.js";
69
69
  import "./chunk-OD4FM2U7.js";
70
- import "./chunk-6HF5VUBQ.js";
71
- import "./chunk-67VP6I47.js";
70
+ import "./chunk-LKUNOD7B.js";
71
+ import "./chunk-BRCYNT4I.js";
72
72
  import "./chunk-JFEKNTX7.js";
73
73
  import "./chunk-JLNBQWZ2.js";
74
74
  import "./chunk-HPWVAEET.js";
75
75
  import "./chunk-2PRQG7PV.js";
76
- import "./chunk-7TVK7E3R.js";
76
+ import "./chunk-QKV4LVLA.js";
77
77
  import "./chunk-3BP57I6J.js";
78
78
  import "./chunk-TERNBNJB.js";
79
79
  import "./chunk-W4RVMTHR.js";
80
- import "./chunk-BE5XAWSA.js";
80
+ import "./chunk-J62VXZR2.js";
81
81
  import "./chunk-XPXEJRUB.js";
82
82
  import "./chunk-A6D7A2FW.js";
83
83
  import "./chunk-FF4KLI5W.js";
@@ -93,7 +93,7 @@ import "./chunk-JNANKJLN.js";
93
93
  import "./chunk-Q4CAQGKQ.js";
94
94
  import "./chunk-ONPLNAPX.js";
95
95
  import "./chunk-CINZGPSJ.js";
96
- import "./chunk-O2HWL47E.js";
96
+ import "./chunk-UMXWQL3P.js";
97
97
  import "./chunk-ZFXCQPNO.js";
98
98
  import "./chunk-KIB7SDIJ.js";
99
99
  import "./chunk-ORFGK3XI.js";
@@ -138,7 +138,7 @@ import "./chunk-PVGDJXVK.js";
138
138
  import "./chunk-OADWQ5CR.js";
139
139
  import {
140
140
  EngramAccessService
141
- } from "./chunk-TSBADOZU.js";
141
+ } from "./chunk-IEHYNDKN.js";
142
142
  import "./chunk-ETUPBUHB.js";
143
143
  import "./chunk-L227SKTB.js";
144
144
  import "./chunk-DHGSZ3UD.js";
@@ -152,7 +152,7 @@ import "./chunk-7Q3RCKAQ.js";
152
152
  import "./chunk-WSGF57U2.js";
153
153
  import "./chunk-XKIQZXUB.js";
154
154
  import "./chunk-UEY3VB6W.js";
155
- import "./chunk-DKOIMCGB.js";
155
+ import "./chunk-QWQX7YK5.js";
156
156
  import "./chunk-EIR5VLIH.js";
157
157
  import "./chunk-JKV57BTN.js";
158
158
  import "./chunk-EI6V5UXY.js";
@@ -164,8 +164,8 @@ import "./chunk-CHCA44C3.js";
164
164
  import "./chunk-4JRRISLU.js";
165
165
  import "./chunk-2LSZVONP.js";
166
166
  import "./chunk-DEUNUKTD.js";
167
- import "./chunk-TKUQG2PE.js";
168
- import "./chunk-K4LDMTTY.js";
167
+ import "./chunk-FXE46BJ5.js";
168
+ import "./chunk-A5TLPLUO.js";
169
169
  import "./chunk-5UZXUTVO.js";
170
170
  import "./chunk-4H5ZJHEN.js";
171
171
  import "./chunk-M5T4Q2ZU.js";
@@ -207,10 +207,10 @@ import "./chunk-X7Y7WX73.js";
207
207
  import "./chunk-BJMBJZ2Y.js";
208
208
  import "./chunk-UKJAGEXH.js";
209
209
  import "./chunk-FP2373TW.js";
210
- import "./chunk-LKCE3NPZ.js";
210
+ import "./chunk-YVB6W5EX.js";
211
211
  import "./chunk-UI3NYK34.js";
212
212
  import "./chunk-GCGJW34D.js";
213
- import "./chunk-KJMYHC7K.js";
213
+ import "./chunk-73JGZ5VA.js";
214
214
  import "./chunk-A6XUJE5D.js";
215
215
  import "./chunk-P7FMDTKL.js";
216
216
  import "./chunk-AH2JUU6X.js";
package/dist/access-http.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  EngramAccessHttpServer
3
- } from "./chunk-QIWY5OKC.js";
3
+ } from "./chunk-37FWWWOC.js";
4
4
  import "./chunk-SEDEKFYQ.js";
5
5
  import "./chunk-JBPKEARU.js";
6
6
  import "./chunk-TMSXWOBZ.js";
@@ -8,10 +8,10 @@ import "./chunk-J64TK33U.js";
8
8
  import "./chunk-RSUYKGGZ.js";
9
9
  import "./chunk-42NQ7AVG.js";
10
10
  import "./chunk-7RXCMVFQ.js";
11
- import "./chunk-C6NYAW5B.js";
11
+ import "./chunk-O3VLN5MY.js";
12
12
  import "./chunk-EAZGEEG2.js";
13
13
  import "./chunk-D24OXEPB.js";
14
- import "./chunk-TSBADOZU.js";
14
+ import "./chunk-IEHYNDKN.js";
15
15
  import "./chunk-ETUPBUHB.js";
16
16
  import "./chunk-L227SKTB.js";
17
17
  import "./chunk-DHGSZ3UD.js";
@@ -25,7 +25,7 @@ import "./chunk-7Q3RCKAQ.js";
25
25
  import "./chunk-WSGF57U2.js";
26
26
  import "./chunk-XKIQZXUB.js";
27
27
  import "./chunk-UEY3VB6W.js";
28
- import "./chunk-DKOIMCGB.js";
28
+ import "./chunk-QWQX7YK5.js";
29
29
  import "./chunk-EIR5VLIH.js";
30
30
  import "./chunk-JKV57BTN.js";
31
31
  import "./chunk-EI6V5UXY.js";
@@ -37,8 +37,8 @@ import "./chunk-CHCA44C3.js";
37
37
  import "./chunk-4JRRISLU.js";
38
38
  import "./chunk-2LSZVONP.js";
39
39
  import "./chunk-DEUNUKTD.js";
40
- import "./chunk-TKUQG2PE.js";
41
- import "./chunk-K4LDMTTY.js";
40
+ import "./chunk-FXE46BJ5.js";
41
+ import "./chunk-A5TLPLUO.js";
42
42
  import "./chunk-5UZXUTVO.js";
43
43
  import "./chunk-4H5ZJHEN.js";
44
44
  import "./chunk-M5T4Q2ZU.js";
@@ -68,7 +68,7 @@ import "./chunk-TVVEYCNW.js";
68
68
  import "./chunk-RFYAYKTD.js";
69
69
  import "./chunk-LBLXEFWK.js";
70
70
  import "./chunk-VFUEZZBS.js";
71
- import "./chunk-DGDQZ3JW.js";
71
+ import "./chunk-2OA4PFDW.js";
72
72
  import "./chunk-IPLYGWQF.js";
73
73
  import "./chunk-J4EB7DNW.js";
74
74
  import "./chunk-WEHSQBFR.js";
@@ -76,10 +76,10 @@ import "./chunk-X7Y7WX73.js";
76
76
  import "./chunk-BJMBJZ2Y.js";
77
77
  import "./chunk-UKJAGEXH.js";
78
78
  import "./chunk-FP2373TW.js";
79
- import "./chunk-LKCE3NPZ.js";
79
+ import "./chunk-YVB6W5EX.js";
80
80
  import "./chunk-UI3NYK34.js";
81
81
  import "./chunk-GCGJW34D.js";
82
- import "./chunk-KJMYHC7K.js";
82
+ import "./chunk-73JGZ5VA.js";
83
83
  import "./chunk-A6XUJE5D.js";
84
84
  import "./chunk-P7FMDTKL.js";
85
85
  import "./chunk-AH2JUU6X.js";
package/dist/access-mcp.js CHANGED
@@ -1,9 +1,9 @@
1
1
  import {
2
2
  EngramMcpServer
3
- } from "./chunk-C6NYAW5B.js";
3
+ } from "./chunk-O3VLN5MY.js";
4
4
  import "./chunk-EAZGEEG2.js";
5
5
  import "./chunk-D24OXEPB.js";
6
- import "./chunk-TSBADOZU.js";
6
+ import "./chunk-IEHYNDKN.js";
7
7
  import "./chunk-ETUPBUHB.js";
8
8
  import "./chunk-L227SKTB.js";
9
9
  import "./chunk-DHGSZ3UD.js";
@@ -17,7 +17,7 @@ import "./chunk-7Q3RCKAQ.js";
17
17
  import "./chunk-WSGF57U2.js";
18
18
  import "./chunk-XKIQZXUB.js";
19
19
  import "./chunk-UEY3VB6W.js";
20
- import "./chunk-DKOIMCGB.js";
20
+ import "./chunk-QWQX7YK5.js";
21
21
  import "./chunk-EIR5VLIH.js";
22
22
  import "./chunk-JKV57BTN.js";
23
23
  import "./chunk-EI6V5UXY.js";
@@ -29,8 +29,8 @@ import "./chunk-CHCA44C3.js";
29
29
  import "./chunk-4JRRISLU.js";
30
30
  import "./chunk-2LSZVONP.js";
31
31
  import "./chunk-DEUNUKTD.js";
32
- import "./chunk-TKUQG2PE.js";
33
- import "./chunk-K4LDMTTY.js";
32
+ import "./chunk-FXE46BJ5.js";
33
+ import "./chunk-A5TLPLUO.js";
34
34
  import "./chunk-5UZXUTVO.js";
35
35
  import "./chunk-4H5ZJHEN.js";
36
36
  import "./chunk-M5T4Q2ZU.js";
@@ -60,7 +60,7 @@ import "./chunk-TVVEYCNW.js";
60
60
  import "./chunk-RFYAYKTD.js";
61
61
  import "./chunk-LBLXEFWK.js";
62
62
  import "./chunk-VFUEZZBS.js";
63
- import "./chunk-DGDQZ3JW.js";
63
+ import "./chunk-2OA4PFDW.js";
64
64
  import "./chunk-IPLYGWQF.js";
65
65
  import "./chunk-J4EB7DNW.js";
66
66
  import "./chunk-WEHSQBFR.js";
@@ -68,10 +68,10 @@ import "./chunk-X7Y7WX73.js";
68
68
  import "./chunk-BJMBJZ2Y.js";
69
69
  import "./chunk-UKJAGEXH.js";
70
70
  import "./chunk-FP2373TW.js";
71
- import "./chunk-LKCE3NPZ.js";
71
+ import "./chunk-YVB6W5EX.js";
72
72
  import "./chunk-UI3NYK34.js";
73
73
  import "./chunk-GCGJW34D.js";
74
- import "./chunk-KJMYHC7K.js";
74
+ import "./chunk-73JGZ5VA.js";
75
75
  import "./chunk-A6XUJE5D.js";
76
76
  import "./chunk-P7FMDTKL.js";
77
77
  import "./chunk-AH2JUU6X.js";
package/dist/access-schema.js CHANGED
@@ -25,7 +25,7 @@ import {
25
25
  trustZoneDemoSeedRequestSchema,
26
26
  trustZonePromoteRequestSchema,
27
27
  validateRequest
28
- } from "./chunk-DGDQZ3JW.js";
28
+ } from "./chunk-2OA4PFDW.js";
29
29
  import "./chunk-IPLYGWQF.js";
30
30
  import "./chunk-J4EB7DNW.js";
31
31
  import "./chunk-WEHSQBFR.js";
@@ -33,10 +33,10 @@ import "./chunk-X7Y7WX73.js";
33
33
  import "./chunk-BJMBJZ2Y.js";
34
34
  import "./chunk-UKJAGEXH.js";
35
35
  import "./chunk-FP2373TW.js";
36
- import "./chunk-LKCE3NPZ.js";
36
+ import "./chunk-YVB6W5EX.js";
37
37
  import "./chunk-UI3NYK34.js";
38
38
  import "./chunk-GCGJW34D.js";
39
- import "./chunk-KJMYHC7K.js";
39
+ import "./chunk-73JGZ5VA.js";
40
40
  import "./chunk-A6XUJE5D.js";
41
41
  import "./chunk-P7FMDTKL.js";
42
42
  import "./chunk-AH2JUU6X.js";
package/dist/access-service.js CHANGED
@@ -3,7 +3,7 @@ import {
3
3
  EngramAccessInputError,
4
4
  EngramAccessService,
5
5
  shapeMemorySummary
6
- } from "./chunk-TSBADOZU.js";
6
+ } from "./chunk-IEHYNDKN.js";
7
7
  import "./chunk-ETUPBUHB.js";
8
8
  import "./chunk-L227SKTB.js";
9
9
  import "./chunk-DHGSZ3UD.js";
@@ -17,7 +17,7 @@ import "./chunk-7Q3RCKAQ.js";
17
17
  import "./chunk-WSGF57U2.js";
18
18
  import "./chunk-XKIQZXUB.js";
19
19
  import "./chunk-UEY3VB6W.js";
20
- import "./chunk-DKOIMCGB.js";
20
+ import "./chunk-QWQX7YK5.js";
21
21
  import "./chunk-EIR5VLIH.js";
22
22
  import "./chunk-JKV57BTN.js";
23
23
  import "./chunk-EI6V5UXY.js";
@@ -29,8 +29,8 @@ import "./chunk-CHCA44C3.js";
29
29
  import "./chunk-4JRRISLU.js";
30
30
  import "./chunk-2LSZVONP.js";
31
31
  import "./chunk-DEUNUKTD.js";
32
- import "./chunk-TKUQG2PE.js";
33
- import "./chunk-K4LDMTTY.js";
32
+ import "./chunk-FXE46BJ5.js";
33
+ import "./chunk-A5TLPLUO.js";
34
34
  import "./chunk-5UZXUTVO.js";
35
35
  import "./chunk-4H5ZJHEN.js";
36
36
  import "./chunk-M5T4Q2ZU.js";
@@ -67,10 +67,10 @@ import "./chunk-X7Y7WX73.js";
67
67
  import "./chunk-BJMBJZ2Y.js";
68
68
  import "./chunk-UKJAGEXH.js";
69
69
  import "./chunk-FP2373TW.js";
70
- import "./chunk-LKCE3NPZ.js";
70
+ import "./chunk-YVB6W5EX.js";
71
71
  import "./chunk-UI3NYK34.js";
72
72
  import "./chunk-GCGJW34D.js";
73
- import "./chunk-KJMYHC7K.js";
73
+ import "./chunk-73JGZ5VA.js";
74
74
  import "./chunk-A6XUJE5D.js";
75
75
  import "./chunk-P7FMDTKL.js";
76
76
  import "./chunk-AH2JUU6X.js";
package/dist/briefing.js CHANGED
@@ -16,8 +16,8 @@ import {
16
16
  renderBriefingMarkdown,
17
17
  resolveBriefingSaveDir,
18
18
  validateBriefingFormat
19
- } from "./chunk-TKUQG2PE.js";
20
- import "./chunk-K4LDMTTY.js";
19
+ } from "./chunk-FXE46BJ5.js";
20
+ import "./chunk-A5TLPLUO.js";
21
21
  import "./chunk-5UZXUTVO.js";
22
22
  import "./chunk-4H5ZJHEN.js";
23
23
  import "./chunk-M5T4Q2ZU.js";
@@ -34,7 +34,7 @@ import "./chunk-ALEPI75L.js";
34
34
  import "./chunk-4DJQYKMN.js";
35
35
  import "./chunk-JUC24CTX.js";
36
36
  import "./chunk-2ODBA7MQ.js";
37
- import "./chunk-KJMYHC7K.js";
37
+ import "./chunk-73JGZ5VA.js";
38
38
  import "./chunk-A6XUJE5D.js";
39
39
  import "./chunk-P7FMDTKL.js";
40
40
  import "./chunk-PZ5AY32C.js";
package/dist/causal-consolidation.js CHANGED
@@ -4,10 +4,10 @@ import {
4
4
  } from "./chunk-YQMZ7IH2.js";
5
5
  import {
6
6
  buildExtensionsBlockForConsolidation
7
- } from "./chunk-6HF5VUBQ.js";
7
+ } from "./chunk-LKUNOD7B.js";
8
8
  import {
9
9
  runPostConsolidationMaterialize
10
- } from "./chunk-67VP6I47.js";
10
+ } from "./chunk-BRCYNT4I.js";
11
11
  import "./chunk-JFEKNTX7.js";
12
12
  import "./chunk-JLNBQWZ2.js";
13
13
  import "./chunk-3UXOZBHV.js";
@@ -21,7 +21,7 @@ import "./chunk-L2EXJQJP.js";
21
21
  import "./chunk-UZB5KHKX.js";
22
22
  import "./chunk-RK6F44Y6.js";
23
23
  import "./chunk-HQ6NIBL6.js";
24
- import "./chunk-K4LDMTTY.js";
24
+ import "./chunk-A5TLPLUO.js";
25
25
  import "./chunk-5UZXUTVO.js";
26
26
  import "./chunk-4H5ZJHEN.js";
27
27
  import "./chunk-M5T4Q2ZU.js";
@@ -53,7 +53,7 @@ import {
53
53
  listJsonFiles,
54
54
  readJsonFile
55
55
  } from "./chunk-LPSF4OQH.js";
56
- import "./chunk-KJMYHC7K.js";
56
+ import "./chunk-73JGZ5VA.js";
57
57
  import "./chunk-A6XUJE5D.js";
58
58
  import "./chunk-P7FMDTKL.js";
59
59
  import "./chunk-PZ5AY32C.js";
package/dist/{chunk-DGDQZ3JW.js → chunk-2OA4PFDW.js} RENAMED
@@ -7,7 +7,7 @@ import {
7
7
  import {
8
8
  OFFLINE_SYNC_FILE_CONTENT_MAX_CHUNK_BYTES,
9
9
  OFFLINE_SYNC_MAX_MTIME_MS
10
- } from "./chunk-LKCE3NPZ.js";
10
+ } from "./chunk-YVB6W5EX.js";
11
11
  import {
12
12
  validateArchiveRelativePath
13
13
  } from "./chunk-GCGJW34D.js";
@@ -417,4 +417,4 @@ export {
417
417
  actionConfidenceRequestSchema,
418
418
  validateRequest
419
419
  };
420
- //# sourceMappingURL=chunk-DGDQZ3JW.js.map
420
+ //# sourceMappingURL=chunk-2OA4PFDW.js.map
package/dist/{chunk-QIWY5OKC.js → chunk-37FWWWOC.js} RENAMED
@@ -3,10 +3,10 @@ import {
3
3
  } from "./chunk-JBPKEARU.js";
4
4
  import {
5
5
  EngramMcpServer
6
- } from "./chunk-C6NYAW5B.js";
6
+ } from "./chunk-O3VLN5MY.js";
7
7
  import {
8
8
  EngramAccessInputError
9
- } from "./chunk-TSBADOZU.js";
9
+ } from "./chunk-IEHYNDKN.js";
10
10
  import {
11
11
  projectTagProjectId
12
12
  } from "./chunk-EDQVAMQI.js";
@@ -27,12 +27,12 @@ import {
27
27
  } from "./chunk-2ODBA7MQ.js";
28
28
  import {
29
29
  validateRequest
30
- } from "./chunk-DGDQZ3JW.js";
30
+ } from "./chunk-2OA4PFDW.js";
31
31
  import {
32
32
  OFFLINE_SYNC_APPLY_MAX_BODY_BYTES,
33
33
  OFFLINE_SYNC_FILE_CONTENT_MAX_CHUNK_BYTES,
34
34
  OFFLINE_SYNC_SNAPSHOT_BASE_MAX_BODY_BYTES
35
- } from "./chunk-LKCE3NPZ.js";
35
+ } from "./chunk-YVB6W5EX.js";
36
36
 
37
37
  // src/access-http.ts
38
38
  import { createServer } from "http";
@@ -1845,4 +1845,4 @@ var EngramAccessHttpServer = class {
1845
1845
  export {
1846
1846
  EngramAccessHttpServer
1847
1847
  };
1848
- //# sourceMappingURL=chunk-QIWY5OKC.js.map
1848
+ //# sourceMappingURL=chunk-37FWWWOC.js.map
package/dist/{chunk-RB7LF7K7.js → chunk-3M7OTJ5H.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  listNamespaces
3
- } from "./chunk-ZQLC75BF.js";
3
+ } from "./chunk-K6OABSBA.js";
4
4
  import {
5
5
  runConsolidationProvenanceCheck
6
6
  } from "./chunk-LZ3VEOU5.js";
@@ -36,13 +36,13 @@ import {
36
36
  import {
37
37
  listMemoryGovernanceRuns,
38
38
  readMemoryGovernanceRunArtifact
39
- } from "./chunk-DKOIMCGB.js";
39
+ } from "./chunk-QWQX7YK5.js";
40
40
  import {
41
41
  analyzeGraphHealth
42
42
  } from "./chunk-4JRRISLU.js";
43
43
  import {
44
44
  StorageManager
45
- } from "./chunk-K4LDMTTY.js";
45
+ } from "./chunk-A5TLPLUO.js";
46
46
  import {
47
47
  lintWorkspaceFiles
48
48
  } from "./chunk-DM2T26WE.js";
@@ -1333,4 +1333,4 @@ export {
1333
1333
  runBenchmarkRecall,
1334
1334
  runOperatorRepair
1335
1335
  };
1336
- //# sourceMappingURL=chunk-RB7LF7K7.js.map
1336
+ //# sourceMappingURL=chunk-3M7OTJ5H.js.map
package/dist/{chunk-KJMYHC7K.js → chunk-73JGZ5VA.js} RENAMED
@@ -94,8 +94,7 @@ async function readMaybeEncryptedFileBuffer(filePath, key, memoryDir) {
94
94
  `secure-store is locked \u2014 cannot read encrypted file at ${filePath}. Run \`remnic secure-store unlock\` to decrypt.`
95
95
  );
96
96
  }
97
- const aad = filePathAad(filePath, memoryDir);
98
- return decryptFileBody(buf, key, aad);
97
+ return decryptFileBodyForPath(buf, key, filePath, memoryDir);
99
98
  }
100
99
  async function readMaybeEncryptedFile(filePath, key, memoryDir) {
101
100
  return (await readMaybeEncryptedFileBuffer(filePath, key, memoryDir)).toString("utf8");
@@ -199,7 +198,7 @@ async function migrateMemoryDirToEncrypted(dir, key, onBeforeEncrypt) {
199
198
  }
200
199
  }
201
200
  const content = buf.toString("utf8");
202
- const aad = filePathAad(filePath, storageAadRootForFile(filePath, dir));
201
+ const aad = filePathAad(filePath, dir);
203
202
  const encrypted = encryptFileBody(content, key, aad);
204
203
  const tempPath = uniqueAtomicTempPath(filePath, "enc-tmp");
205
204
  try {
@@ -233,8 +232,7 @@ async function decryptMemoryDirToPlaintext(dir, key) {
233
232
  result.skipped++;
234
233
  continue;
235
234
  }
236
- const aad = filePathAad(filePath, storageAadRootForFile(filePath, dir));
237
- const plaintext = decryptFileBody(buf, key, aad);
235
+ const plaintext = decryptFileBodyForPath(buf, key, filePath, dir);
238
236
  const tempPath = uniqueAtomicTempPath(filePath, "dec-tmp");
239
237
  try {
240
238
  await writeFile(tempPath, plaintext, { mode: 384 });
@@ -259,6 +257,59 @@ async function decryptMemoryDirToPlaintext(dir, key) {
259
257
  function uniqueAtomicTempPath(filePath, label) {
260
258
  return `${filePath}.${label}-${process.pid}-${Date.now()}-${randomUUID()}`;
261
259
  }
260
+ function decryptFileBodyForPath(buf, key, filePath, memoryDir) {
261
+ const aad = filePathAad(filePath, memoryDir);
262
+ try {
263
+ return decryptFileBody(buf, key, aad);
264
+ } catch (err) {
265
+ if (!(err instanceof SecureStoreDecryptError)) {
266
+ throw err;
267
+ }
268
+ const legacyRoot = legacyNamespaceAadRootForFile(filePath, memoryDir);
269
+ if (legacyRoot) {
270
+ try {
271
+ return decryptFileBody(buf, key, filePathAad(filePath, legacyRoot));
272
+ } catch {
273
+ }
274
+ }
275
+ const topLevelRoot = topLevelAadRootForNamespaceReader(filePath, memoryDir);
276
+ if (topLevelRoot) {
277
+ try {
278
+ return decryptFileBody(buf, key, filePathAad(filePath, topLevelRoot));
279
+ } catch {
280
+ }
281
+ }
282
+ throw err;
283
+ }
284
+ }
285
+ function topLevelAadRootForNamespaceReader(filePath, memoryDir) {
286
+ if (!memoryDir || !path.isAbsolute(filePath)) return null;
287
+ const resolvedMemoryDir = path.resolve(memoryDir);
288
+ const rel = path.relative(resolvedMemoryDir, filePath);
289
+ if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return null;
290
+ const parts = resolvedMemoryDir.split(path.sep);
291
+ if (parts.length < 3 || parts.at(-2) !== "namespaces" || !parts.at(-1)) return null;
292
+ const topLevelRoot = parts.slice(0, -2).join(path.sep) || path.sep;
293
+ const topRel = path.relative(topLevelRoot, filePath);
294
+ if (topRel === "" || topRel.startsWith("..") || path.isAbsolute(topRel)) {
295
+ return null;
296
+ }
297
+ const topParts = topRel.split(path.sep);
298
+ if (topParts[0] !== "namespaces" || topParts[1] !== parts.at(-1)) {
299
+ return null;
300
+ }
301
+ return topLevelRoot;
302
+ }
303
+ function legacyNamespaceAadRootForFile(filePath, memoryDir) {
304
+ if (!memoryDir || !path.isAbsolute(filePath)) return null;
305
+ const rel = path.relative(memoryDir, filePath);
306
+ if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return null;
307
+ const parts = rel.split(path.sep);
308
+ if (parts[0] === "namespaces" && parts.length >= 3 && parts[1]) {
309
+ return path.join(memoryDir, "namespaces", parts[1]);
310
+ }
311
+ return null;
312
+ }
262
313
  async function collectEncryptableStorageFiles(dir, rootDir = dir) {
263
314
  return collectStorageManagedFiles(dir, isEncryptableStoragePath, rootDir);
264
315
  }
@@ -318,15 +369,6 @@ function normalizeStorageRelativePath(rel) {
318
369
  }
319
370
  return normalized;
320
371
  }
321
- function storageAadRootForFile(filePath, rootDir) {
322
- const rel = path.relative(rootDir, filePath);
323
- if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return rootDir;
324
- const parts = rel.split(path.sep);
325
- if (parts[0] === "namespaces" && parts.length >= 3 && parts[1]) {
326
- return path.join(rootDir, "namespaces", parts[1]);
327
- }
328
- return rootDir;
329
- }
330
372
  var ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS = /* @__PURE__ */ new Set([
331
373
  "facts",
332
374
  "corrections",
@@ -384,4 +426,4 @@ export {
384
426
  migrateMemoryDirToEncrypted,
385
427
  decryptMemoryDirToPlaintext
386
428
  };
387
- //# sourceMappingURL=chunk-KJMYHC7K.js.map
429
+ //# sourceMappingURL=chunk-73JGZ5VA.js.map
package/dist/chunk-73JGZ5VA.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/secure-store/secure-fs.ts"],"sourcesContent":["/**\n * Transparent file-level encryption for the secure-store module.\n *\n * Issue #690 (PR 3/4) — storage.ts integration layer.\n *\n * This module sits between the raw filesystem and StorageManager.\n * Every memory file is either:\n * - a plain UTF-8 text file (legacy, back-compat), or\n * - a REMNIC-ENC sealed file (AES-256-GCM, see format below).\n *\n * On-disk format\n * --------------\n * Encrypted files begin with a 9-byte magic header:\n *\n * REMNIC-ENC (7 ASCII bytes)\n * VER (1 byte, currently 0x01)\n * FLAGS (1 byte, reserved, must be 0x00)\n *\n * Followed immediately by a `seal()` envelope from `cipher.ts`:\n *\n * [VERSION:1][SALT:16][IV:12][AUTHTAG:16][CIPHERTEXT:...]\n *\n * The magic header makes encrypted files sniffable without attempting\n * a full `open()` call and gives operators a clear signal that the\n * file cannot be read by opening it in an editor.\n *\n * AAD\n * ---\n * The file path relative to the memory root is bound as Associated\n * Authenticated Data (AAD) on both encrypt and decrypt. This means\n * moving or renaming an encrypted file without re-encrypting it will\n * cause auth-tag failure on the next read — the file is tied to its\n * path. Callers that move files must re-encrypt them.\n *\n * Back-compat\n * -----------\n * `readMaybeEncryptedFile` transparently handles both formats: if the\n * file does NOT start with the magic bytes, it is returned as-is (plain\n * text). This lets an operator migrate incrementally: newly-written\n * files are encrypted while existing files continue to be read in plain\n * form until `migrateMemoryDirToEncrypted` is run.\n *\n * Naming: `secure-fs.ts` (not `vault-fs.ts`) — see `kdf.ts` naming note.\n */\n\nimport { createCipheriv, randomBytes, randomUUID } from \"node:crypto\";\nimport { lstat, mkdir, open as openFile, readFile, readdir, rename, unlink, writeFile } from \"node:fs/promises\";\nimport path from \"node:path\";\n\nimport {\n AUTH_TAG_LENGTH,\n ENVELOPE_HEADER_SIZE,\n ENVELOPE_LAYOUT,\n ENVELOPE_SALT_LENGTH,\n ENVELOPE_VERSION,\n IV_LENGTH,\n generateSalt,\n open as openEnvelope,\n parseEnvelope,\n seal,\n} from \"./cipher.js\";\n\n// ---------------------------------------------------------------------------\n// Error classes\n// ---------------------------------------------------------------------------\n\n/**\n * Thrown when a read is attempted but the keyring entry for this\n * store is absent (i.e. `secure-store unlock` has not been run\n * since the last daemon start).\n */\nexport class SecureStoreLockedError extends Error {\n constructor(message = \"secure-store is locked — run `remnic secure-store unlock` to decrypt\") {\n super(message);\n this.name = \"SecureStoreLockedError\";\n }\n}\n\n/**\n * Thrown when `open()` fails because the auth tag does not validate.\n * This covers both wrong-key and tampered-ciphertext scenarios —\n * intentionally indistinguishable from the caller's perspective.\n */\nexport class SecureStoreDecryptError extends Error {\n constructor(message = \"secure-store decryption failed — wrong key or tampered ciphertext\") {\n super(message);\n this.name = \"SecureStoreDecryptError\";\n }\n}\n\n// ---------------------------------------------------------------------------\n// Magic header\n// ---------------------------------------------------------------------------\n\n/** Magic bytes: the ASCII string \"REMNIC-ENC\" (10 bytes). */\nexport const MAGIC_BYTES = Buffer.from(\"REMNIC-ENC\", \"ascii\");\n\n/** Current on-disk version byte. */\nexport const FILE_FORMAT_VERSION = 0x01;\n\n/** Reserved flags byte — must be 0x00. */\nexport const FILE_FORMAT_FLAGS = 0x00;\n\n/** Total size of the magic header prefix (magic + version + flags). */\nexport const MAGIC_HEADER_SIZE = MAGIC_BYTES.length + 2; // 12 bytes\n\n// ---------------------------------------------------------------------------\n// Detection\n// ---------------------------------------------------------------------------\n\n/**\n * Return true iff `buf` begins with the REMNIC-ENC magic header.\n * Does not validate the envelope; just identifies the format.\n */\nexport function isEncryptedFile(buf: Uint8Array): boolean {\n if (buf.length < MAGIC_HEADER_SIZE) return false;\n const b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf);\n return b.subarray(0, MAGIC_BYTES.length).equals(MAGIC_BYTES);\n}\n\n// ---------------------------------------------------------------------------\n// Encrypt / decrypt file body\n// ---------------------------------------------------------------------------\n\n/**\n * Encrypt `plain` (UTF-8 content of a memory file) and return a\n * Buffer ready to write to disk.\n *\n * @param plain Plain-text file content (UTF-8 string or Buffer).\n * @param key 32-byte AES-256 key from the keyring.\n * @param aad Optional associated data — defaults to empty if omitted.\n * Callers should pass the file path relative to memoryDir\n * so the ciphertext is bound to its location.\n */\nexport function encryptFileBody(plain: string | Buffer, key: Buffer, aad?: Buffer): Buffer {\n const plainBuf = typeof plain === \"string\" ? Buffer.from(plain, \"utf8\") : plain;\n const salt = generateSalt();\n const envelope = seal(key, salt, plainBuf, aad ? { aad } : {});\n\n const header = Buffer.alloc(MAGIC_HEADER_SIZE);\n MAGIC_BYTES.copy(header, 0);\n header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);\n header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);\n\n return Buffer.concat([header, envelope]);\n}\n\n/**\n * Decrypt a buffer produced by `encryptFileBody` and return the\n * original UTF-8 content.\n *\n * Throws `SecureStoreDecryptError` on auth failure (wrong key or\n * tampered ciphertext). Throws a plain `Error` for structural problems\n * (truncated buffer, wrong magic, unsupported version).\n */\nexport function decryptFileBody(buf: Buffer, key: Buffer, aad?: Buffer): Buffer {\n if (!isEncryptedFile(buf)) {\n throw new Error(\"decryptFileBody: buffer does not start with REMNIC-ENC magic header\");\n }\n const version = buf.readUInt8(MAGIC_BYTES.length);\n if (version !== FILE_FORMAT_VERSION) {\n throw new Error(\n `decryptFileBody: unsupported file format version ${version} (this build supports ${FILE_FORMAT_VERSION})`,\n );\n }\n const flags = buf.readUInt8(MAGIC_BYTES.length + 1);\n if (flags !== FILE_FORMAT_FLAGS) {\n throw new Error(`decryptFileBody: unknown flags byte 0x${flags.toString(16).padStart(2, \"0\")}`);\n }\n const envelope = buf.subarray(MAGIC_HEADER_SIZE);\n parseEnvelope(envelope);\n try {\n return openEnvelope(key, envelope, aad ? { aad } : {});\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n throw new SecureStoreDecryptError(\n `secure-store decryption failed: ${msg}`,\n );\n }\n}\n\nfunction buildHeaderAad(salt: Uint8Array): Buffer {\n const out = Buffer.alloc(1 + ENVELOPE_SALT_LENGTH);\n out.writeUInt8(ENVELOPE_VERSION, 0);\n Buffer.from(salt).copy(out, 1);\n return out;\n}\n\n// ---------------------------------------------------------------------------\n// Path → AAD helper\n// ---------------------------------------------------------------------------\n\n/**\n * Build the AAD buffer for a file at `filePath` relative to\n * `memoryDir`. The AAD binds the ciphertext to its path so a\n * file cannot be silently relocated without re-encryption.\n *\n * When `memoryDir` is supplied and `filePath` is absolute, the\n * relative sub-path is used. Otherwise `filePath` is used verbatim.\n */\nexport function filePathAad(filePath: string, memoryDir?: string): Buffer {\n let rel = filePath;\n if (memoryDir && path.isAbsolute(filePath)) {\n rel = path.relative(memoryDir, filePath);\n }\n return Buffer.from(rel, \"utf8\");\n}\n\n// ---------------------------------------------------------------------------\n// High-level read / write helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Read a file from `filePath`.\n *\n * - If the file is plaintext (no magic header), return its content\n * as-is — back-compat with unencrypted stores.\n * - If the file is encrypted AND `key` is provided, decrypt and return\n * the plaintext content.\n * - If the file is encrypted AND `key` is null, throw\n * `SecureStoreLockedError`.\n *\n * @param filePath Absolute path to the file.\n * @param key 32-byte AES-256 key, or null when the store is locked.\n * @param memoryDir Memory root for path-bound AAD. Should be absolute.\n */\nexport async function readMaybeEncryptedFileBuffer(\n filePath: string,\n key: Buffer | null,\n memoryDir?: string,\n): Promise<Buffer> {\n const buf = await readFile(filePath);\n if (!isEncryptedFile(buf)) {\n // Plain file — legacy or unencrypted store.\n return buf;\n }\n // Encrypted — key required.\n if (key === null) {\n throw new SecureStoreLockedError(\n `secure-store is locked — cannot read encrypted file at ${filePath}. ` +\n \"Run `remnic secure-store unlock` to decrypt.\",\n );\n }\n return decryptFileBodyForPath(buf, key, filePath, memoryDir);\n}\n\nexport async function readMaybeEncryptedFile(\n filePath: string,\n key: Buffer | null,\n memoryDir?: string,\n): Promise<string> {\n return (await readMaybeEncryptedFileBuffer(filePath, key, memoryDir)).toString(\"utf8\");\n}\n\nexport interface WriteMaybeEncryptedFileOptions {\n /**\n * File mode bits. Default 0o600 (owner read/write only).\n * Applied only on create; existing files inherit their existing mode.\n */\n mode?: number;\n /**\n * If true, write atomically via a temp file + rename (CLAUDE.md gotcha #54).\n * Default true.\n */\n atomic?: boolean;\n}\n\n/**\n * Write `content` to `filePath`.\n *\n * - If `key` is provided and non-null, encrypt the content first.\n * - If `key` is null, write the content as plain UTF-8 (unencrypted store).\n *\n * Writes atomically: content is written to a unique temp file\n * first, then renamed into place (CLAUDE.md gotcha #54 — never delete\n * before write).\n */\nexport async function writeMaybeEncryptedFile(\n filePath: string,\n content: string | Buffer,\n key: Buffer | null,\n options: WriteMaybeEncryptedFileOptions = {},\n memoryDir?: string,\n): Promise<void> {\n const { mode = 0o600, atomic = true } = options;\n await mkdir(path.dirname(filePath), { recursive: true });\n\n let data: Buffer | string;\n if (key !== null) {\n const aad = filePathAad(filePath, memoryDir);\n data = encryptFileBody(content, key, aad);\n } else {\n data = content;\n }\n\n if (atomic) {\n const tempPath = uniqueAtomicTempPath(filePath, \"tmp\");\n try {\n await writeFile(tempPath, data, { mode });\n await rename(tempPath, filePath);\n } catch (err) {\n // Best-effort cleanup of the temp file.\n try {\n await unlink(tempPath);\n } catch {\n // ignore\n }\n throw err;\n }\n } else {\n await writeFile(filePath, data, { mode });\n }\n}\n\nexport async function writeMaybeEncryptedFileFromChunks(\n filePath: string,\n chunks: AsyncIterable<Buffer>,\n key: Buffer | null,\n options: WriteMaybeEncryptedFileOptions = {},\n memoryDir?: string,\n): Promise<void> {\n const { mode = 0o600, atomic = true } = options;\n await mkdir(path.dirname(filePath), { recursive: true });\n const writePath = atomic ? `${filePath}.tmp-${process.pid}-${Date.now()}` : filePath;\n let completed = false;\n try {\n const handle = await openFile(writePath, \"w\", mode);\n try {\n if (key !== null) {\n const salt = generateSalt();\n const iv = randomBytes(IV_LENGTH);\n const header = Buffer.alloc(MAGIC_HEADER_SIZE + ENVELOPE_HEADER_SIZE);\n MAGIC_BYTES.copy(header, 0);\n header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);\n header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);\n const envelopeOffset = MAGIC_HEADER_SIZE;\n header.writeUInt8(ENVELOPE_VERSION, envelopeOffset + ENVELOPE_LAYOUT.version);\n salt.copy(header, envelopeOffset + ENVELOPE_LAYOUT.salt);\n iv.copy(header, envelopeOffset + ENVELOPE_LAYOUT.iv);\n await handle.write(header);\n\n const cipher = createCipheriv(\"aes-256-gcm\", key, iv, { authTagLength: AUTH_TAG_LENGTH });\n const aad = filePathAad(filePath, memoryDir);\n cipher.setAAD(Buffer.concat([buildHeaderAad(salt), aad]));\n for await (const chunk of chunks) {\n if (chunk.length === 0) continue;\n const encrypted = cipher.update(chunk);\n if (encrypted.length > 0) await handle.write(encrypted);\n }\n const final = cipher.final();\n if (final.length > 0) await handle.write(final);\n const authTag = cipher.getAuthTag();\n await handle.write(\n authTag,\n 0,\n authTag.length,\n MAGIC_HEADER_SIZE + ENVELOPE_LAYOUT.authTag,\n );\n } else {\n for await (const chunk of chunks) {\n if (chunk.length > 0) await handle.write(chunk);\n }\n }\n } finally {\n await handle.close();\n }\n if (atomic) {\n await rename(writePath, filePath);\n }\n completed = true;\n } finally {\n if (!completed && atomic) {\n await unlink(writePath).catch(() => {});\n }\n }\n}\n\n// ---------------------------------------------------------------------------\n// Migration\n// ---------------------------------------------------------------------------\n\nexport interface MigrateResult {\n /** Number of files successfully encrypted. */\n encrypted: number;\n /** Number of files already encrypted (skipped). */\n skipped: number;\n /** Files that failed to encrypt (path → error message). */\n errors: Array<{ filePath: string; error: string }>;\n}\n\nexport interface DecryptResult {\n /** Number of files successfully decrypted back to plaintext. */\n decrypted: number;\n /** Number of files already plaintext (skipped). */\n skipped: number;\n /** Files that failed to decrypt (path → error message). */\n errors: Array<{ filePath: string; error: string }>;\n}\n\n/**\n * Walk `dir` recursively, find encryptable storage-managed files that are not\n * yet encrypted, and re-write them as encrypted files under `key`.\n *\n * Safety rules per CLAUDE.md gotchas #54 and #25:\n * 1. A page-version snapshot is taken (via `createVersion`) BEFORE\n * each overwrite so the plaintext version is preserved in history.\n * Since this module has no direct access to `page-versioning.ts`\n * internals, callers who have page-versioning configured should\n * pass `onBeforeEncrypt` to take the snapshot.\n * 2. The new encrypted content is written to a temp file first,\n * then renamed atomically — never deleted before written.\n * 3. If encryption of any file fails, the error is recorded and the\n * original file is left intact (partial migration is safe).\n *\n * @param dir Absolute path to the memory directory.\n * @param key 32-byte AES-256 key.\n * @param onBeforeEncrypt Optional callback invoked before encrypting\n * each file. Can be used to take page-version\n * snapshots. Errors here are non-fatal.\n */\nexport async function migrateMemoryDirToEncrypted(\n dir: string,\n key: Buffer,\n onBeforeEncrypt?: (filePath: string) => Promise<void>,\n): Promise<MigrateResult> {\n const result: MigrateResult = { encrypted: 0, skipped: 0, errors: [] };\n\n const files = await collectEncryptableStorageFiles(dir);\n for (const filePath of files) {\n try {\n const buf = await readFile(filePath);\n if (isEncryptedFile(buf)) {\n result.skipped++;\n continue;\n }\n // Call optional pre-encryption hook (e.g. page-version snapshot).\n if (onBeforeEncrypt) {\n try {\n await onBeforeEncrypt(filePath);\n } catch {\n // Non-fatal — continue with encryption even if snapshot fails.\n }\n }\n const content = buf.toString(\"utf8\");\n const aad = filePathAad(filePath, dir);\n const encrypted = encryptFileBody(content, key, aad);\n\n // Atomic write: temp → rename (gotcha #54).\n const tempPath = uniqueAtomicTempPath(filePath, \"enc-tmp\");\n try {\n await writeFile(tempPath, encrypted, { mode: 0o600 });\n await rename(tempPath, filePath);\n result.encrypted++;\n } catch (writeErr) {\n // Clean up temp file, leave original intact.\n try {\n const { unlink } = await import(\"node:fs/promises\");\n await unlink(tempPath);\n } catch {\n // ignore\n }\n throw writeErr;\n }\n } catch (err) {\n result.errors.push({\n filePath,\n error: err instanceof Error ? err.message : String(err),\n });\n }\n }\n\n return result;\n}\n\n/**\n * Walk `dir` recursively, find storage-managed encrypted files, and\n * re-write them as plaintext under the same paths.\n *\n * This is the reversible counterpart to {@link migrateMemoryDirToEncrypted}.\n * It only touches files under the same storage-managed roots, skips\n * plaintext files, skips symlinks, excludes `.secure-store/`, and writes\n * each plaintext replacement via temp-file + rename so a per-file failure\n * leaves the ciphertext intact.\n */\nexport async function decryptMemoryDirToPlaintext(\n dir: string,\n key: Buffer,\n): Promise<DecryptResult> {\n const result: DecryptResult = { decrypted: 0, skipped: 0, errors: [] };\n\n const files = await collectStorageManagedFiles(dir, isDecryptableStoragePath);\n for (const filePath of files) {\n try {\n const buf = await readFile(filePath);\n if (!isEncryptedFile(buf)) {\n result.skipped++;\n continue;\n }\n\n const plaintext = decryptFileBodyForPath(buf, key, filePath, dir);\n const tempPath = uniqueAtomicTempPath(filePath, \"dec-tmp\");\n try {\n await writeFile(tempPath, plaintext, { mode: 0o600 });\n await rename(tempPath, filePath);\n result.decrypted++;\n } catch (writeErr) {\n try {\n await unlink(tempPath);\n } catch {\n // ignore cleanup errors; original ciphertext is still intact.\n }\n throw writeErr;\n }\n } catch (err) {\n result.errors.push({\n filePath,\n error: err instanceof Error ? err.message : String(err),\n });\n }\n }\n\n return result;\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\nfunction uniqueAtomicTempPath(filePath: string, label: string): string {\n return `${filePath}.${label}-${process.pid}-${Date.now()}-${randomUUID()}`;\n}\n\nfunction decryptFileBodyForPath(\n buf: Buffer,\n key: Buffer,\n filePath: string,\n memoryDir?: string,\n): Buffer {\n const aad = filePathAad(filePath, memoryDir);\n try {\n return decryptFileBody(buf, key, aad);\n } catch (err) {\n if (!(err instanceof SecureStoreDecryptError)) {\n throw err;\n }\n const legacyRoot = legacyNamespaceAadRootForFile(filePath, memoryDir);\n if (legacyRoot) {\n try {\n return decryptFileBody(buf, key, filePathAad(filePath, legacyRoot));\n } catch {\n // Fall through to the namespace-reader fallback below.\n }\n }\n\n const topLevelRoot = topLevelAadRootForNamespaceReader(filePath, memoryDir);\n if (topLevelRoot) {\n try {\n return decryptFileBody(buf, key, filePathAad(filePath, topLevelRoot));\n } catch {\n // Preserve the caller-facing error from the canonical decrypt attempt.\n }\n }\n\n throw err;\n }\n}\n\nfunction topLevelAadRootForNamespaceReader(filePath: string, memoryDir?: string): string | null {\n if (!memoryDir || !path.isAbsolute(filePath)) return null;\n const resolvedMemoryDir = path.resolve(memoryDir);\n const rel = path.relative(resolvedMemoryDir, filePath);\n if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return null;\n const parts = resolvedMemoryDir.split(path.sep);\n if (parts.length < 3 || parts.at(-2) !== \"namespaces\" || !parts.at(-1)) return null;\n const topLevelRoot = parts.slice(0, -2).join(path.sep) || path.sep;\n const topRel = path.relative(topLevelRoot, filePath);\n if (topRel === \"\" || topRel.startsWith(\"..\") || path.isAbsolute(topRel)) {\n return null;\n }\n const topParts = topRel.split(path.sep);\n if (topParts[0] !== \"namespaces\" || topParts[1] !== parts.at(-1)) {\n return null;\n }\n return topLevelRoot;\n}\n\nfunction legacyNamespaceAadRootForFile(filePath: string, memoryDir?: string): string | null {\n if (!memoryDir || !path.isAbsolute(filePath)) return null;\n const rel = path.relative(memoryDir, filePath);\n if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return null;\n const parts = rel.split(path.sep);\n if (parts[0] === \"namespaces\" && parts.length >= 3 && parts[1]) {\n return path.join(memoryDir, \"namespaces\", parts[1]);\n }\n return null;\n}\n\n/**\n * Recursively collect files under `dir` that are read through the\n * storage-layer secure-store helpers, excluding symlinked entries and\n * `.secure-store/` metadata.\n */\nasync function collectEncryptableStorageFiles(dir: string, rootDir = dir): Promise<string[]> {\n return collectStorageManagedFiles(dir, isEncryptableStoragePath, rootDir);\n}\n\n/**\n * Recursively collect regular files under storage-managed roots, excluding\n * symlinked entries and `.secure-store/` metadata. This broader collector is\n * used by the decrypt/disable path so future encrypted sidecars can be\n * restored without requiring extension-specific logic.\n */\nasync function collectStorageManagedFiles(\n dir: string,\n includeFile: (filePath: string, rootDir: string) => boolean,\n rootDir = dir,\n): Promise<string[]> {\n const results: string[] = [];\n let names: string[];\n try {\n names = await readdir(dir, { encoding: \"utf8\" });\n } catch {\n return results;\n }\n for (const name of names) {\n if (name.startsWith(\".secure-store\")) continue;\n const full = path.join(dir, name);\n let isDir = false;\n let isFile = false;\n try {\n const s = await lstat(full);\n if (s.isSymbolicLink()) continue;\n isDir = s.isDirectory();\n isFile = s.isFile();\n } catch {\n continue;\n }\n if (isDir) {\n const sub = await collectStorageManagedFiles(full, includeFile, rootDir);\n results.push(...sub);\n } else if (isFile && includeFile(full, rootDir)) {\n results.push(full);\n }\n }\n return results;\n}\n\nfunction isEncryptableStoragePath(filePath: string, rootDir: string): boolean {\n const rel = path.relative(rootDir, filePath);\n if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return false;\n const normalized = normalizeStorageRelativePath(rel);\n if (normalized === \"profile.md\") return true;\n if (isEncryptableStateSidecar(normalized)) return true;\n if (isEncryptableSummarySidecar(normalized)) return true;\n const firstSegment = normalized.split(\"/\", 1)[0];\n return ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS.has(firstSegment) && normalized.endsWith(\".md\");\n}\n\nfunction isDecryptableStoragePath(filePath: string, rootDir: string): boolean {\n if (isEncryptableStoragePath(filePath, rootDir)) return true;\n const rel = path.relative(rootDir, filePath);\n if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return false;\n const normalized = normalizeStorageRelativePath(rel);\n const firstSegment = normalized.split(\"/\", 1)[0];\n return DECRYPTABLE_SIDECAR_ROOTS.has(firstSegment);\n}\n\nfunction normalizeStorageRelativePath(rel: string): string {\n const normalized = rel.split(path.sep).join(\"/\");\n const parts = normalized.split(\"/\");\n if (parts[0] === \"namespaces\" && parts.length >= 3) {\n return parts.slice(2).join(\"/\");\n }\n return normalized;\n}\n\nconst ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS = new Set([\n \"facts\",\n \"corrections\",\n \"procedures\",\n \"reasoning-traces\",\n \"artifacts\",\n \"archive\",\n \"entities\",\n \"identity\",\n]);\n\nconst ENCRYPTABLE_STATE_SIDECARS = new Set([\n \"state/behavior-signals.jsonl\",\n \"state/buffer-surprise-ledger.jsonl\",\n \"state/buffer.json\",\n \"state/compression-guideline-draft-state.json\",\n \"state/compression-guideline-state.json\",\n \"state/compression-guidelines.draft.md\",\n \"state/compression-guidelines.md\",\n \"state/entity-synthesis-queue.json\",\n \"state/fact-hashes.txt\",\n \"state/memory-actions.jsonl\",\n \"state/memory-lifecycle-ledger.jsonl\",\n \"state/meta.json\",\n \"state/reextract-jobs.jsonl\",\n \"state/topics.json\",\n]);\n\nfunction isEncryptableStateSidecar(normalized: string): boolean {\n return ENCRYPTABLE_STATE_SIDECARS.has(normalized);\n}\n\nfunction isEncryptableSummarySidecar(normalized: string): boolean {\n return normalized.startsWith(\"summaries/\") && normalized.endsWith(\".json\");\n}\n\nconst DECRYPTABLE_SIDECAR_ROOTS = new Set([\n \"state\",\n \"indexes\",\n \"index\",\n \"provenance\",\n]);\n"],"mappings":";;;;;;;;;;;;;;AA6CA,SAAS,gBAAgB,aAAa,kBAAkB;AACxD,SAAS,OAAO,OAAO,QAAQ,UAAU,UAAU,SAAS,QAAQ,QAAQ,iBAAiB;AAC7F,OAAO,UAAU;AAwBV,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YAAY,UAAU,6EAAwE;AAC5F,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,0BAAN,cAAsC,MAAM;AAAA,EACjD,YAAY,UAAU,0EAAqE;AACzF,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,cAAc,OAAO,KAAK,cAAc,OAAO;AAGrD,IAAM,sBAAsB;AAG5B,IAAM,oBAAoB;AAG1B,IAAM,oBAAoB,YAAY,SAAS;AAU/C,SAAS,gBAAgB,KAA0B;AACxD,MAAI,IAAI,SAAS,kBAAmB,QAAO;AAC3C,QAAM,IAAI,OAAO,SAAS,GAAG,IAAI,MAAM,OAAO,KAAK,GAAG;AACtD,SAAO,EAAE,SAAS,GAAG,YAAY,MAAM,EAAE,OAAO,WAAW;AAC7D;AAgBO,SAAS,gBAAgB,OAAwB,KAAa,KAAsB;AACzF,QAAM,WAAW,OAAO,UAAU,WAAW,OAAO,KAAK,OAAO,MAAM,IAAI;AAC1E,QAAM,OAAO,aAAa;AAC1B,QAAM,WAAW,KAAK,KAAK,MAAM,UAAU,MAAM,EAAE,IAAI,IAAI,CAAC,CAAC;AAE7D,QAAM,SAAS,OAAO,MAAM,iBAAiB;AAC7C,cAAY,KAAK,QAAQ,CAAC;AAC1B,SAAO,WAAW,qBAAqB,YAAY,MAAM;AACzD,SAAO,WAAW,mBAAmB,YAAY,SAAS,CAAC;AAE3D,SAAO,OAAO,OAAO,CAAC,QAAQ,QAAQ,CAAC;AACzC;AAUO,SAAS,gBAAgB,KAAa,KAAa,KAAsB;AAC9E,MAAI,CAAC,gBAAgB,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,qEAAqE;AAAA,EACvF;AACA,QAAM,UAAU,IAAI,UAAU,YAAY,MAAM;AAChD,MAAI,YAAY,qBAAqB;AACnC,UAAM,IAAI;AAAA,MACR,oDAAoD,OAAO,yBAAyB,mBAAmB;AAAA,IACzG;AAAA,EACF;AACA,QAAM,QAAQ,IAAI,UAAU,YAAY,SAAS,CAAC;AAClD,MAAI,UAAU,mBAAmB;AAC/B,UAAM,IAAI,MAAM,yCAAyC,MAAM,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE;AAAA,EAChG;AACA,QAAM,WAAW,IAAI,SAAS,iBAAiB;AAC/C,gBAAc,QAAQ;AACtB,MAAI;AACF,WAAO,KAAa,KAAK,UAAU,MAAM,EAAE,IAAI,IAAI,CAAC,CAAC;AAAA,EACvD,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,UAAM,IAAI;AAAA,MACR,mCAAmC,GAAG;AAAA,IACxC;AAAA,EACF;AACF;AAEA,SAAS,eAAe,MAA0B;AAChD,QAAM,MAAM,OAAO,MAAM,IAAI,oBAAoB;AACjD,MAAI,WAAW,kBAAkB,CAAC;AAClC,SAAO,KAAK,IAAI,EAAE,KAAK,KAAK,CAAC;AAC7B,SAAO;AACT;AAcO,SAAS,YAAY,UAAkB,WAA4B;AACxE,MAAI,MAAM;AACV,MAAI,aAAa,KAAK,WAAW,QAAQ,GAAG;AAC1C,UAAM,KAAK,SAAS,WAAW,QAAQ;AAAA,EACzC;AACA,SAAO,OAAO,KAAK,KAAK,MAAM;AAChC;AAoBA,eAAsB,6BACpB,UACA,KACA,WACiB;AACjB,QAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,MAAI,CAAC,gBAAgB,GAAG,GAAG;AAEzB,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ,MAAM;AAChB,UAAM,IAAI;AAAA,MACR,+DAA0D,QAAQ;AAAA,IAEpE;AAAA,EACF;AACA,SAAO,uBAAuB,KAAK,KAAK,UAAU,SAAS;AAC7D;AAEA,eAAsB,uBACpB,UACA,KACA,WACiB;AACjB,UAAQ,MAAM,6BAA6B,UAAU,KAAK,SAAS,GAAG,SAAS,MAAM;AACvF;AAyBA,eAAsB,wBACpB,UACA,SACA,KACA,UAA0C,CAAC,GAC3C,WACe;AACf,QAAM,EAAE,OAAO,KAAO,SAAS,KAAK,IAAI;AACxC,QAAM,MAAM,KAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAEvD,MAAI;AACJ,MAAI,QAAQ,MAAM;AAChB,UAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,WAAO,gBAAgB,SAAS,KAAK,GAAG;AAAA,EAC1C,OAAO;AACL,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ;AACV,UAAM,WAAW,qBAAqB,UAAU,KAAK;AACrD,QAAI;AACF,YAAM,UAAU,UAAU,MAAM,EAAE,KAAK,CAAC;AACxC,YAAM,OAAO,UAAU,QAAQ;AAAA,IACjC,SAAS,KAAK;AAEZ,UAAI;AACF,cAAM,OAAO,QAAQ;AAAA,MACvB,QAAQ;AAAA,MAER;AACA,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AACL,UAAM,UAAU,UAAU,MAAM,EAAE,KAAK,CAAC;AAAA,EAC1C;AACF;AAEA,eAAsB,kCACpB,UACA,QACA,KACA,UAA0C,CAAC,GAC3C,WACe;AACf,QAAM,EAAE,OAAO,KAAO,SAAS,KAAK,IAAI;AACxC,QAAM,MAAM,KAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACvD,QAAM,YAAY,SAAS,GAAG,QAAQ,QAAQ,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC,KAAK;AAC5E,MAAI,YAAY;AAChB,MAAI;AACF,UAAM,SAAS,MAAM,SAAS,WAAW,KAAK,IAAI;AAClD,QAAI;AACF,UAAI,QAAQ,MAAM;AAChB,cAAM,OAAO,aAAa;AAC1B,cAAM,KAAK,YAAY,SAAS;AAChC,cAAM,SAAS,OAAO,MAAM,oBAAoB,oBAAoB;AACpE,oBAAY,KAAK,QAAQ,CAAC;AAC1B,eAAO,WAAW,qBAAqB,YAAY,MAAM;AACzD,eAAO,WAAW,mBAAmB,YAAY,SAAS,CAAC;AAC3D,cAAM,iBAAiB;AACvB,eAAO,WAAW,kBAAkB,iBAAiB,gBAAgB,OAAO;AAC5E,aAAK,KAAK,QAAQ,iBAAiB,gBAAgB,IAAI;AACvD,WAAG,KAAK,QAAQ,iBAAiB,gBAAgB,EAAE;AACnD,cAAM,OAAO,MAAM,MAAM;AAEzB,cAAM,SAAS,eAAe,eAAe,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,cAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,eAAO,OAAO,OAAO,OAAO,CAAC,eAAe,IAAI,GAAG,GAAG,CAAC,CAAC;AACxD,yBAAiB,SAAS,QAAQ;AAChC,cAAI,MAAM,WAAW,EAAG;AACxB,gBAAM,YAAY,OAAO,OAAO,KAAK;AACrC,cAAI,UAAU,SAAS,EAAG,OAAM,OAAO,MAAM,SAAS;AAAA,QACxD;AACA,cAAM,QAAQ,OAAO,MAAM;AAC3B,YAAI,MAAM,SAAS,EAAG,OAAM,OAAO,MAAM,KAAK;AAC9C,cAAM,UAAU,OAAO,WAAW;AAClC,cAAM,OAAO;AAAA,UACX;AAAA,UACA;AAAA,UACA,QAAQ;AAAA,UACR,oBAAoB,gBAAgB;AAAA,QACtC;AAAA,MACF,OAAO;AACL,yBAAiB,SAAS,QAAQ;AAChC,cAAI,MAAM,SAAS,EAAG,OAAM,OAAO,MAAM,KAAK;AAAA,QAChD;AAAA,MACF;AAAA,IACF,UAAE;AACA,YAAM,OAAO,MAAM;AAAA,IACrB;AACA,QAAI,QAAQ;AACV,YAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AACA,gBAAY;AAAA,EACd,UAAE;AACA,QAAI,CAAC,aAAa,QAAQ;AACxB,YAAM,OAAO,SAAS,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACxC;AAAA,EACF;AACF;AA6CA,eAAsB,4BACpB,KACA,KACA,iBACwB;AACxB,QAAM,SAAwB,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE;AAErE,QAAM,QAAQ,MAAM,+BAA+B,GAAG;AACtD,aAAW,YAAY,OAAO;AAC5B,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,UAAI,gBAAgB,GAAG,GAAG;AACxB,eAAO;AACP;AAAA,MACF;AAEA,UAAI,iBAAiB;AACnB,YAAI;AACF,gBAAM,gBAAgB,QAAQ;AAAA,QAChC,QAAQ;AAAA,QAER;AAAA,MACF;AACA,YAAM,UAAU,IAAI,SAAS,MAAM;AACnC,YAAM,MAAM,YAAY,UAAU,GAAG;AACrC,YAAM,YAAY,gBAAgB,SAAS,KAAK,GAAG;AAGnD,YAAM,WAAW,qBAAqB,UAAU,SAAS;AACzD,UAAI;AACF,cAAM,UAAU,UAAU,WAAW,EAAE,MAAM,IAAM,CAAC;AACpD,cAAM,OAAO,UAAU,QAAQ;AAC/B,eAAO;AAAA,MACT,SAAS,UAAU;AAEjB,YAAI;AACF,gBAAM,EAAE,QAAAA,QAAO,IAAI,MAAM,OAAO,aAAkB;AAClD,gBAAMA,QAAO,QAAQ;AAAA,QACvB,QAAQ;AAAA,QAER;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,OAAO,KAAK;AAAA,QACjB;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAYA,eAAsB,4BACpB,KACA,KACwB;AACxB,QAAM,SAAwB,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE;AAErE,QAAM,QAAQ,MAAM,2BAA2B,KAAK,wBAAwB;AAC5E,aAAW,YAAY,OAAO;AAC5B,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,UAAI,CAAC,gBAAgB,GAAG,GAAG;AACzB,eAAO;AACP;AAAA,MACF;AAEA,YAAM,YAAY,uBAAuB,KAAK,KAAK,UAAU,GAAG;AAChE,YAAM,WAAW,qBAAqB,UAAU,SAAS;AACzD,UAAI;AACF,cAAM,UAAU,UAAU,WAAW,EAAE,MAAM,IAAM,CAAC;AACpD,cAAM,OAAO,UAAU,QAAQ;AAC/B,eAAO;AAAA,MACT,SAAS,UAAU;AACjB,YAAI;AACF,gBAAM,OAAO,QAAQ;AAAA,QACvB,QAAQ;AAAA,QAER;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,OAAO,KAAK;AAAA,QACjB;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,qBAAqB,UAAkB,OAAuB;AACrE,SAAO,GAAG,QAAQ,IAAI,KAAK,IAAI,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC,IAAI,WAAW,CAAC;AAC1E;AAEA,SAAS,uBACP,KACA,KACA,UACA,WACQ;AACR,QAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,MAAI;AACF,WAAO,gBAAgB,KAAK,KAAK,GAAG;AAAA,EACtC,SAAS,KAAK;AACZ,QAAI,EAAE,eAAe,0BAA0B;AAC7C,YAAM;AAAA,IACR;AACA,UAAM,aAAa,8BAA8B,UAAU,SAAS;AACpE,QAAI,YAAY;AACd,UAAI;AACF,eAAO,gBAAgB,KAAK,KAAK,YAAY,UAAU,UAAU,CAAC;AAAA,MACpE,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,eAAe,kCAAkC,UAAU,SAAS;AAC1E,QAAI,cAAc;AAChB,UAAI;AACF,eAAO,gBAAgB,KAAK,KAAK,YAAY,UAAU,YAAY,CAAC;AAAA,MACtE,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM;AAAA,EACR;AACF;AAEA,SAAS,kCAAkC,UAAkB,WAAmC;AAC9F,MAAI,CAAC,aAAa,CAAC,KAAK,WAAW,QAAQ,EAAG,QAAO;AACrD,QAAM,oBAAoB,KAAK,QAAQ,SAAS;AAChD,QAAM,MAAM,KAAK,SAAS,mBAAmB,QAAQ;AACrD,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,QAAQ,kBAAkB,MAAM,KAAK,GAAG;AAC9C,MAAI,MAAM,SAAS,KAAK,MAAM,GAAG,EAAE,MAAM,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAG,QAAO;AAC/E,QAAM,eAAe,MAAM,MAAM,GAAG,EAAE,EAAE,KAAK,KAAK,GAAG,KAAK,KAAK;AAC/D,QAAM,SAAS,KAAK,SAAS,cAAc,QAAQ;AACnD,MAAI,WAAW,MAAM,OAAO,WAAW,IAAI,KAAK,KAAK,WAAW,MAAM,GAAG;AACvE,WAAO;AAAA,EACT;AACA,QAAM,WAAW,OAAO,MAAM,KAAK,GAAG;AACtC,MAAI,SAAS,CAAC,MAAM,gBAAgB,SAAS,CAAC,MAAM,MAAM,GAAG,EAAE,GAAG;AAChE,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,8BAA8B,UAAkB,WAAmC;AAC1F,MAAI,CAAC,aAAa,CAAC,KAAK,WAAW,QAAQ,EAAG,QAAO;AACrD,QAAM,MAAM,KAAK,SAAS,WAAW,QAAQ;AAC7C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,QAAQ,IAAI,MAAM,KAAK,GAAG;AAChC,MAAI,MAAM,CAAC,MAAM,gBAAgB,MAAM,UAAU,KAAK,MAAM,CAAC,GAAG;AAC9D,WAAO,KAAK,KAAK,WAAW,cAAc,MAAM,CAAC,CAAC;AAAA,EACpD;AACA,SAAO;AACT;AAOA,eAAe,+BAA+B,KAAa,UAAU,KAAwB;AAC3F,SAAO,2BAA2B,KAAK,0BAA0B,OAAO;AAC1E;AAQA,eAAe,2BACb,KACA,aACA,UAAU,KACS;AACnB,QAAM,UAAoB,CAAC;AAC3B,MAAI;AACJ,MAAI;AACF,YAAQ,MAAM,QAAQ,KAAK,EAAE,UAAU,OAAO,CAAC;AAAA,EACjD,QAAQ;AACN,WAAO;AAAA,EACT;AACA,aAAW,QAAQ,OAAO;AACxB,QAAI,KAAK,WAAW,eAAe,EAAG;AACtC,UAAM,OAAO,KAAK,KAAK,KAAK,IAAI;AAChC,QAAI,QAAQ;AACZ,QAAI,SAAS;AACb,QAAI;AACF,YAAM,IAAI,MAAM,MAAM,IAAI;AAC1B,UAAI,EAAE,eAAe,EAAG;AACxB,cAAQ,EAAE,YAAY;AACtB,eAAS,EAAE,OAAO;AAAA,IACpB,QAAQ;AACN;AAAA,IACF;AACA,QAAI,OAAO;AACT,YAAM,MAAM,MAAM,2BAA2B,MAAM,aAAa,OAAO;AACvE,cAAQ,KAAK,GAAG,GAAG;AAAA,IACrB,WAAW,UAAU,YAAY,MAAM,OAAO,GAAG;AAC/C,cAAQ,KAAK,IAAI;AAAA,IACnB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,yBAAyB,UAAkB,SAA0B;AAC5E,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,aAAa,6BAA6B,GAAG;AACnD,MAAI,eAAe,aAAc,QAAO;AACxC,MAAI,0BAA0B,UAAU,EAAG,QAAO;AAClD,MAAI,4BAA4B,UAAU,EAAG,QAAO;AACpD,QAAM,eAAe,WAAW,MAAM,KAAK,CAAC,EAAE,CAAC;AAC/C,SAAO,mCAAmC,IAAI,YAAY,KAAK,WAAW,SAAS,KAAK;AAC1F;AAEA,SAAS,yBAAyB,UAAkB,SAA0B;AAC5E,MAAI,yBAAyB,UAAU,OAAO,EAAG,QAAO;AACxD,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,aAAa,6BAA6B,GAAG;AACnD,QAAM,eAAe,WAAW,MAAM,KAAK,CAAC,EAAE,CAAC;AAC/C,SAAO,0BAA0B,IAAI,YAAY;AACnD;AAEA,SAAS,6BAA6B,KAAqB;AACzD,QAAM,aAAa,IAAI,MAAM,KAAK,GAAG,EAAE,KAAK,GAAG;AAC/C,QAAM,QAAQ,WAAW,MAAM,GAAG;AAClC,MAAI,MAAM,CAAC,MAAM,gBAAgB,MAAM,UAAU,GAAG;AAClD,WAAO,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG;AAAA,EAChC;AACA,SAAO;AACT;AAEA,IAAM,qCAAqC,oBAAI,IAAI;AAAA,EACjD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,6BAA6B,oBAAI,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,SAAS,0BAA0B,YAA6B;AAC9D,SAAO,2BAA2B,IAAI,UAAU;AAClD;AAEA,SAAS,4BAA4B,YAA6B;AAChE,SAAO,WAAW,WAAW,YAAY,KAAK,WAAW,SAAS,OAAO;AAC3E;AAEA,IAAM,4BAA4B,oBAAI,IAAI;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;","names":["unlink"]}
package/dist/{chunk-K4LDMTTY.js → chunk-A5TLPLUO.js} RENAMED
@@ -69,7 +69,7 @@ import {
69
69
  readMaybeEncryptedFileBuffer,
70
70
  writeMaybeEncryptedFile,
71
71
  writeMaybeEncryptedFileFromChunks
72
- } from "./chunk-KJMYHC7K.js";
72
+ } from "./chunk-73JGZ5VA.js";
73
73
  import {
74
74
  parseFlexibleIsoTimestamp
75
75
  } from "./chunk-P7FMDTKL.js";
@@ -5326,4 +5326,4 @@ export {
5326
5326
  serializeEntityFile,
5327
5327
  StorageManager
5328
5328
  };
5329
- //# sourceMappingURL=chunk-K4LDMTTY.js.map
5329
+ //# sourceMappingURL=chunk-A5TLPLUO.js.map
package/dist/{chunk-67VP6I47.js → chunk-BRCYNT4I.js} RENAMED
@@ -7,7 +7,7 @@ import {
7
7
  } from "./chunk-3UXOZBHV.js";
8
8
  import {
9
9
  StorageManager
10
- } from "./chunk-K4LDMTTY.js";
10
+ } from "./chunk-A5TLPLUO.js";
11
11
  import {
12
12
  isSafeRouteNamespace
13
13
  } from "./chunk-U3PN77QT.js";
@@ -117,4 +117,4 @@ export {
117
117
  runCodexMaterialize,
118
118
  runPostConsolidationMaterialize
119
119
  };
120
- //# sourceMappingURL=chunk-67VP6I47.js.map
120
+ //# sourceMappingURL=chunk-BRCYNT4I.js.map
package/dist/{chunk-XI5V7WSJ.js → chunk-ENIIJ3MZ.js} RENAMED
@@ -6,7 +6,7 @@ import {
6
6
  } from "./chunk-4426WSWL.js";
7
7
  import {
8
8
  StorageManager
9
- } from "./chunk-K4LDMTTY.js";
9
+ } from "./chunk-A5TLPLUO.js";
10
10
  import {
11
11
  buildLifecycleEventsForMemory,
12
12
  sortMemoryLifecycleEvents
@@ -74,4 +74,4 @@ export {
74
74
  backupExistingLedger,
75
75
  rebuildMemoryLifecycleLedger
76
76
  };
77
- //# sourceMappingURL=chunk-XI5V7WSJ.js.map
77
+ //# sourceMappingURL=chunk-ENIIJ3MZ.js.map