npm - midsummer-sol - Versions diffs - 0.1.1 - Mend

midsummer-sol 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,2035 @@
+// src/types.ts
+var SEALED = "<<sealed>>";
+// src/store.ts
+import { createHash } from "node:crypto";
+function hashString(s) {
+  return "h_" + createHash("sha256").update(s, "utf8").digest("hex");
+}
+function hashNode(node) {
+  let canon;
+  if (node.kind === "blob") {
+    canon = node.encoding ? `blob\x00${node.encoding}\x00${node.content}` : `blob\x00${node.content}`;
+  } else if (node.kind === "sealed")
+    canon = `sealed\x00${node.box}`;
+  else
+    canon = "tree\x00" + Object.keys(node.entries).sort().map((k) => {
+      const e = node.entries[k];
+      return e.mode === undefined ? `${k}\x00${e.kind}\x00${e.hash}` : `${k}\x00${e.kind}\x00${e.hash}\x00${e.mode}`;
+    }).join(`
+`);
+  return hashString(canon);
+}
+class Store {
+  objects = new Map;
+  put(node) {
+    const h = hashNode(node);
+    if (!this.objects.has(h))
+      this.objects.set(h, node);
+    return h;
+  }
+  get(h) {
+    return this.objects.get(h);
+  }
+  getTree(h) {
+    const n = this.get(h);
+    if (!n || n.kind !== "tree")
+      throw new Error(`not a tree: ${h}`);
+    return n;
+  }
+  has(h) {
+    return this.get(h) !== undefined;
+  }
+  size() {
+    return this.objects.size;
+  }
+}
+// src/tree.ts
+var EMPTY_TREE = { kind: "tree", entries: {} };
+function emptyRoot(store) {
+  return store.put(EMPTY_TREE);
+}
+function segments(path) {
+  return path.split("/").filter(Boolean);
+}
+function writeFile(store, root, path, content, opts = {}) {
+  const blob = opts.encoding ? { kind: "blob", content, encoding: opts.encoding } : { kind: "blob", content };
+  return writeInto(store, root, segments(path), store.put(blob), opts.mode);
+}
+function writeInto(store, treeHash, segs, blobHash, mode) {
+  const tree = store.getTree(treeHash);
+  const entries = { ...tree.entries };
+  const [head, ...rest] = segs;
+  if (rest.length === 0) {
+    entries[head] = mode === undefined ? { kind: "blob", hash: blobHash } : { kind: "blob", hash: blobHash, mode };
+  } else {
+    const child = entries[head];
+    const childHash = child?.kind === "tree" ? child.hash : emptyRoot(store);
+    entries[head] = { kind: "tree", hash: writeInto(store, childHash, rest, blobHash, mode) };
+  }
+  return store.put({ kind: "tree", entries });
+}
+function fileAt(store, root, path) {
+  const segs = segments(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = store.getTree(cur).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1)
+      return entry.kind === "blob" ? store.get(entry.hash) : undefined;
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+function modeAt(store, root, path) {
+  const segs = segments(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = store.getTree(cur).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1)
+      return entry.mode;
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+function deleteFile(store, root, path) {
+  return deleteInto(store, root, segments(path));
+}
+function deleteInto(store, treeHash, segs) {
+  const tree = store.getTree(treeHash);
+  const entries = { ...tree.entries };
+  const [head, ...rest] = segs;
+  if (!entries[head])
+    return treeHash;
+  if (rest.length === 0) {
+    delete entries[head];
+  } else if (entries[head].kind === "tree") {
+    entries[head] = { kind: "tree", hash: deleteInto(store, entries[head].hash, rest) };
+  }
+  return store.put({ kind: "tree", entries });
+}
+function readFile(store, root, path) {
+  const segs = segments(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = store.getTree(cur).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1) {
+      return entry.kind === "blob" ? store.get(entry.hash).content : undefined;
+    }
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+function listAll(store, root, prefix = "") {
+  const tree = store.getTree(root);
+  const out = [];
+  for (const [name, entry] of Object.entries(tree.entries)) {
+    const p = prefix ? `${prefix}/${name}` : name;
+    if (entry.kind === "tree")
+      out.push(...listAll(store, entry.hash, p));
+    else
+      out.push(p);
+  }
+  return out.sort();
+}
+function entryKindAt(store, root, path) {
+  const segs = segments(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = store.getTree(cur).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1)
+      return entry.kind;
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+function blobHashAt(store, root, path) {
+  const segs = segments(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = store.getTree(cur).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1)
+      return entry.kind === "blob" ? entry.hash : undefined;
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+// src/privacy.ts
+class SealRegistry {
+  seals = [];
+  seal(prefix, recipients) {
+    this.seals = this.seals.filter((s) => s.prefix !== prefix);
+    this.seals.push({ prefix, recipients: new Set(recipients) });
+  }
+  unseal(prefix) {
+    this.seals = this.seals.filter((s) => s.prefix !== prefix);
+  }
+  isSealed(path) {
+    return this.seals.some((s) => covers(s.prefix, path));
+  }
+  canRead(path, actor) {
+    for (const s of this.seals) {
+      if (covers(s.prefix, path) && !s.recipients.has(actor))
+        return false;
+    }
+    return true;
+  }
+}
+function covers(prefix, path) {
+  return path === prefix || path.startsWith(prefix + "/");
+}
+// src/crypto.ts
+import { createCipheriv, createDecipheriv, createPublicKey, diffieHellman, generateKeyPairSync, hkdfSync, randomBytes, timingSafeEqual } from "node:crypto";
+var UNREADABLE = "<<unreadable>>";
+class KeyRing {
+  keys = new Map;
+  ensure(actor) {
+    let k = this.keys.get(actor);
+    if (!k) {
+      k = randomBytes(32);
+      this.keys.set(actor, k);
+    }
+    return k;
+  }
+  key(actor) {
+    return this.keys.get(actor);
+  }
+  serialize() {
+    const out = {};
+    for (const [a, k] of this.keys)
+      out[a] = k.toString("base64");
+    return out;
+  }
+  load(data) {
+    for (const [a, k] of Object.entries(data))
+      this.keys.set(a, Buffer.from(k, "base64"));
+  }
+}
+function aeadSeal(key, plain) {
+  const iv = randomBytes(12);
+  const c = createCipheriv("aes-256-gcm", key, iv);
+  const ct = Buffer.concat([c.update(plain), c.final()]);
+  return { iv: iv.toString("base64"), ct: ct.toString("base64"), tag: c.getAuthTag().toString("base64") };
+}
+function aeadOpen(key, box) {
+  const d = createDecipheriv("aes-256-gcm", key, Buffer.from(box.iv, "base64"));
+  d.setAuthTag(Buffer.from(box.tag, "base64"));
+  return Buffer.concat([d.update(Buffer.from(box.ct, "base64")), d.final()]);
+}
+function sealContent(ring, content, recipients, epoch = 1) {
+  const cek = randomBytes(32);
+  const body = aeadSeal(cek, Buffer.from(content, "utf8"));
+  const lockboxes = {};
+  for (const r of recipients)
+    lockboxes[r] = aeadSeal(ring.ensure(r), cek);
+  return { body, lockboxes, epoch };
+}
+function openContent(ring, box, actor) {
+  const lb = box.lockboxes[actor];
+  const key = ring.key(actor);
+  if (!lb || !key)
+    return UNREADABLE;
+  try {
+    const cek = aeadOpen(key, lb);
+    return aeadOpen(cek, box.body).toString("utf8");
+  } catch {
+    return UNREADABLE;
+  }
+}
+function isRecipient(box, actor) {
+  return actor in box.lockboxes;
+}
+function ciphertextOf(box) {
+  return box.body.ct;
+}
+function rotate(ring, box, content, newRecipients) {
+  return sealContent(ring, content, newRecipients, box.epoch + 1);
+}
+function sameActor(a, b) {
+  const ab = Buffer.from(a);
+  const bb = Buffer.from(b);
+  return ab.length === bb.length && timingSafeEqual(ab, bb);
+}
+var RECOVERY_INFO = Buffer.from("forge-vcs/recovery/v1\x00");
+function deriveWrapKey(shared, epkB64, recipientPubB64) {
+  if (shared.every((b) => b === 0))
+    throw new Error("invalid ECDH shared secret");
+  const info = Buffer.concat([RECOVERY_INFO, Buffer.from(epkB64, "base64"), Buffer.from(recipientPubB64, "base64")]);
+  return Buffer.from(hkdfSync("sha256", shared, Buffer.alloc(0), info, 32));
+}
+function recoveryKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("x25519");
+  return { publicKey: publicKey.export({ type: "spki", format: "der" }).toString("base64"), privateKey };
+}
+function wrapCekTo(recipientPublicKeyB64, cek) {
+  const recipientPub = createPublicKey({ key: Buffer.from(recipientPublicKeyB64, "base64"), type: "spki", format: "der" });
+  const eph = generateKeyPairSync("x25519");
+  const epk = eph.publicKey.export({ type: "spki", format: "der" }).toString("base64");
+  const shared = diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPub });
+  return { epk, box: aeadSeal(deriveWrapKey(shared, epk, recipientPublicKeyB64), cek) };
+}
+function unwrapCekWith(privateKey, lb) {
+  const recipientPubB64 = createPublicKey(privateKey).export({ type: "spki", format: "der" }).toString("base64");
+  const epk = createPublicKey({ key: Buffer.from(lb.epk, "base64"), type: "spki", format: "der" });
+  const shared = diffieHellman({ privateKey, publicKey: epk });
+  return aeadOpen(deriveWrapKey(shared, lb.epk, recipientPubB64), lb.box);
+}
+function sealWithRecovery(ring, content, recipients, recoveryPubKeys = {}, epoch = 1) {
+  const cek = randomBytes(32);
+  const body = aeadSeal(cek, Buffer.from(content, "utf8"));
+  const lockboxes = {};
+  for (const r of recipients)
+    lockboxes[r] = aeadSeal(ring.ensure(r), cek);
+  const recovery = {};
+  for (const [id, pub] of Object.entries(recoveryPubKeys))
+    recovery[id] = wrapCekTo(pub, cek);
+  return { body, lockboxes, recovery, epoch };
+}
+function openWithRecovery(privateKey, box, recoveryId) {
+  const lb = box.recovery?.[recoveryId];
+  if (!lb)
+    return UNREADABLE;
+  try {
+    const cek = unwrapCekWith(privateKey, lb);
+    return aeadOpen(cek, box.body).toString("utf8");
+  } catch {
+    return UNREADABLE;
+  }
+}
+// src/log.ts
+function groupIntoUnits(ops) {
+  const units = [];
+  let cur = [];
+  for (const op of ops) {
+    if (op.type === "checkpoint") {
+      units.push({ label: op.message, by: op.by, at: op.at, head: op.rootAfter, ops: cur, open: false });
+      cur = [];
+    } else {
+      cur.push(op);
+    }
+  }
+  if (cur.length > 0) {
+    const last = cur[cur.length - 1];
+    units.push({ by: last.by, at: last.at, head: last.rootAfter, ops: cur, open: true });
+  }
+  return units;
+}
+function underPrefix(path, prefix) {
+  if (prefix === "" || path === prefix)
+    return true;
+  const dir = prefix.endsWith("/") ? prefix : prefix + "/";
+  return path.startsWith(dir);
+}
+function filterLog(ops, opts = {}) {
+  const { actor, pathPrefix, since } = opts;
+  return ops.filter((op) => {
+    if (actor !== undefined && op.by !== actor)
+      return false;
+    if (pathPrefix !== undefined && !underPrefix(op.path, pathPrefix))
+      return false;
+    if (since !== undefined && op.seq < since)
+      return false;
+    return true;
+  });
+}
+function formatLog(ops) {
+  return ops.map((op) => {
+    const by = op.by ?? "?";
+    const head = `${op.seq} ${by} ${op.type} ${op.path}`;
+    return op.message ? `${head}: ${op.message}` : head;
+  });
+}
+// src/repo.ts
+class Repo {
+  store = new Store;
+  seals = new SealRegistry;
+  view(actor = "anon", head) {
+    return new View(this, actor, head ?? emptyRoot(this.store));
+  }
+}
+class View {
+  repo;
+  actor;
+  ancestry;
+  log = [];
+  seq = 0;
+  root;
+  constructor(repo, actor, head, ancestry = []) {
+    this.repo = repo;
+    this.actor = actor;
+    this.ancestry = ancestry;
+    this.root = head;
+  }
+  writeFile(path, content, opts = {}) {
+    this.root = writeFile(this.repo.store, this.root, path, content, opts);
+    return this.record("write", path);
+  }
+  writeBytes(path, data) {
+    this.root = writeFile(this.repo.store, this.root, path, Buffer.from(data).toString("base64"), { encoding: "base64" });
+    return this.record("write", path);
+  }
+  chmod(path, mode) {
+    const f = fileAt(this.repo.store, this.root, path);
+    if (!f)
+      return this;
+    this.root = writeFile(this.repo.store, this.root, path, f.content, { encoding: f.encoding, mode });
+    return this.record("write", path);
+  }
+  deleteFile(path) {
+    this.root = deleteFile(this.repo.store, this.root, path);
+    return this.record("delete", path);
+  }
+  seal(prefix, recipients) {
+    this.repo.seals.seal(prefix, recipients);
+    return this.record("seal", prefix);
+  }
+  readFile(path) {
+    if (!this.repo.seals.canRead(path, this.actor))
+      return SEALED;
+    return readFile(this.repo.store, this.root, path);
+  }
+  readBytes(path) {
+    if (!this.repo.seals.canRead(path, this.actor))
+      return SEALED;
+    const f = fileAt(this.repo.store, this.root, path);
+    if (!f)
+      return;
+    return new Uint8Array(Buffer.from(f.content, f.encoding === "base64" ? "base64" : "utf8"));
+  }
+  list() {
+    return listAll(this.repo.store, this.root);
+  }
+  isSealed(path) {
+    return this.repo.seals.isSealed(path);
+  }
+  mode(path) {
+    return modeAt(this.repo.store, this.root, path);
+  }
+  head() {
+    return this.root;
+  }
+  history() {
+    return this.log;
+  }
+  fullHistory() {
+    return [...this.ancestry, ...this.log];
+  }
+  checkpoint(label) {
+    this.record("checkpoint", "", label);
+    return { label, head: this.root, at: this.log[this.log.length - 1].at };
+  }
+  units() {
+    return groupIntoUnits(this.log);
+  }
+  fork(actor = this.actor) {
+    return new View(this.repo, actor, this.root, [...this.ancestry, ...this.log]);
+  }
+  replay(actor = this.actor) {
+    const v = this.repo.view(actor);
+    for (const e of this.log) {
+      if (e.type === "write")
+        v.writeFile(e.path, this.blobContentFor(e));
+      else if (e.type === "delete")
+        v.deleteFile(e.path);
+    }
+    return v;
+  }
+  blobHashAt(path) {
+    return blobHashAt(this.repo.store, this.root, path);
+  }
+  record(type, path, message) {
+    this.log.push({ seq: this.seq++, type, path, rootAfter: this.root, at: Date.now(), by: this.actor, ...message !== undefined ? { message } : {} });
+    return this;
+  }
+  blobContentFor(e) {
+    const c = readFile(this.repo.store, e.rootAfter, e.path);
+    return c ?? "";
+  }
+}
+// src/text-merge.ts
+function lines(s) {
+  return s.split(`
+`);
+}
+function eq(a, b) {
+  return a.length === b.length && a.every((x, i) => x === b[i]);
+}
+function lcsPairs(a, b) {
+  const n = a.length;
+  const m = b.length;
+  const dp = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
+  for (let i2 = n - 1;i2 >= 0; i2--) {
+    for (let j2 = m - 1;j2 >= 0; j2--) {
+      dp[i2][j2] = a[i2] === b[j2] ? dp[i2 + 1][j2 + 1] + 1 : Math.max(dp[i2 + 1][j2], dp[i2][j2 + 1]);
+    }
+  }
+  const pairs = [];
+  let i = 0;
+  let j = 0;
+  while (i < n && j < m) {
+    if (a[i] === b[j]) {
+      pairs.push([i, j]);
+      i++;
+      j++;
+    } else if (dp[i + 1][j] >= dp[i][j + 1])
+      i++;
+    else
+      j++;
+  }
+  return pairs;
+}
+function hunks(base, other) {
+  const pairs = lcsPairs(base, other);
+  const out = [];
+  let pb = 0;
+  let po = 0;
+  const flush = (bEnd, oEnd) => {
+    if (bEnd > pb || oEnd > po)
+      out.push({ bs: pb, be: bEnd, lines: other.slice(po, oEnd) });
+  };
+  for (const [bi, oi] of pairs) {
+    flush(bi, oi);
+    pb = bi + 1;
+    po = oi + 1;
+  }
+  flush(base.length, other.length);
+  return out;
+}
+function sideContent(side, rs, re, base) {
+  const res = [];
+  let pos = rs;
+  for (const h of side) {
+    if (h.bs < rs || h.be > re)
+      continue;
+    for (let k = pos;k < h.bs; k++)
+      res.push(base[k]);
+    res.push(...h.lines);
+    pos = Math.max(pos, h.be);
+  }
+  for (let k = pos;k < re; k++)
+    res.push(base[k]);
+  return res;
+}
+function merge3(baseS, oursS, theirsS) {
+  const base = lines(baseS);
+  const ours = hunks(base, lines(oursS));
+  const theirs = hunks(base, lines(theirsS));
+  const all = [
+    ...ours.map((h) => ({ ...h, side: "o" })),
+    ...theirs.map((h) => ({ ...h, side: "t" }))
+  ].sort((x, y) => x.bs - y.bs || x.be - y.be);
+  const regions = [];
+  for (const h of all) {
+    const last = regions[regions.length - 1];
+    if (last && h.bs < last.re) {
+      last.re = Math.max(last.re, h.be);
+      if (h.side === "o")
+        last.o = true;
+      else
+        last.t = true;
+    } else {
+      regions.push({ rs: h.bs, re: h.be, o: h.side === "o", t: h.side === "t" });
+    }
+  }
+  const out = [];
+  let conflicts = 0;
+  let pos = 0;
+  for (const reg of regions) {
+    for (let k = pos;k < reg.rs; k++)
+      out.push(base[k]);
+    const o = sideContent(ours, reg.rs, reg.re, base);
+    const t = sideContent(theirs, reg.rs, reg.re, base);
+    if (reg.o && reg.t) {
+      if (eq(o, t))
+        out.push(...o);
+      else {
+        conflicts++;
+        out.push("<<<<<<< ours", ...o, "=======", ...t, ">>>>>>> theirs");
+      }
+    } else if (reg.o)
+      out.push(...o);
+    else
+      out.push(...t);
+    pos = reg.re;
+  }
+  for (let k = pos;k < base.length; k++)
+    out.push(base[k]);
+  return { clean: conflicts === 0, text: out.join(`
+`), conflicts };
+}
+// src/merge.ts
+function resolvePath(base, ours, theirs) {
+  const oursChanged = ours !== base;
+  const theirsChanged = theirs !== base;
+  if (!oursChanged && !theirsChanged) {
+    return { content: base };
+  }
+  if (oursChanged && !theirsChanged) {
+    return { content: ours };
+  }
+  if (!oursChanged && theirsChanged) {
+    return { content: theirs };
+  }
+  if (ours === theirs) {
+    return { content: ours };
+  }
+  if (base !== undefined && ours !== undefined && theirs !== undefined) {
+    const m = merge3(base, ours, theirs);
+    if (m.clean)
+      return { content: m.text };
+    return { content: m.text, conflict: { path: "", ours, theirs } };
+  }
+  return {
+    content: ours,
+    conflict: { path: "", ours, theirs }
+  };
+}
+function merge(repo, baseHead, oursHead, theirsHead) {
+  const store = repo.store;
+  const paths = new Set([
+    ...listAll(store, baseHead),
+    ...listAll(store, oursHead),
+    ...listAll(store, theirsHead)
+  ]);
+  const conflicts = [];
+  let root = emptyRoot(store);
+  for (const path of [...paths].sort()) {
+    const base = readFile(store, baseHead, path);
+    const ours = readFile(store, oursHead, path);
+    const theirs = readFile(store, theirsHead, path);
+    const { content, conflict } = resolvePath(base, ours, theirs);
+    if (conflict)
+      conflicts.push({ ...conflict, path });
+    if (content !== undefined) {
+      root = writeFile(store, root, path, content);
+    }
+  }
+  return { head: root, conflicts };
+}
+// src/labels.ts
+class Labels {
+  labels = new Map;
+  branch(name, head) {
+    this.create(name, "branch", head);
+  }
+  tag(name, head) {
+    this.create(name, "tag", head);
+  }
+  resolve(name) {
+    return this.labels.get(name)?.head;
+  }
+  update(name, head) {
+    const label = this.labels.get(name);
+    if (!label)
+      throw new Error(`unknown label: ${name}`);
+    if (label.kind === "tag")
+      throw new Error(`cannot move tag: ${name} (tags are immutable)`);
+    label.head = head;
+  }
+  remove(name) {
+    if (!this.labels.delete(name))
+      throw new Error(`unknown label: ${name}`);
+  }
+  list() {
+    return [...this.labels.values()].map((l) => ({ ...l })).sort((a, b) => a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
+  }
+  create(name, kind, head) {
+    if (this.labels.has(name))
+      throw new Error(`label already exists: ${name}`);
+    this.labels.set(name, { name, kind, head });
+  }
+}
+// src/git-bridge.ts
+function importFiles(repo, files, actor = "anon") {
+  const view = repo.view(actor);
+  for (const path of Object.keys(files)) {
+    view.writeFile(path, files[path]);
+  }
+  return view;
+}
+function exportFiles(view) {
+  const out = {};
+  for (const path of view.list()) {
+    const content = view.readFile(path);
+    if (content === SEALED || content === undefined)
+      continue;
+    out[path] = content;
+  }
+  return out;
+}
+// src/cli.ts
+var USAGE = [
+  "usage:",
+  "  write <path> <content...>   write content to a path",
+  "  read <path>                 read a path (or <<sealed>> if withheld)",
+  "  list                        list every file path",
+  "  seal <prefix> <actor...>    seal a prefix to a recipient set",
+  "  log                         show the op-log",
+  "  checkpoint <label>          label the current head",
+  "  fork                        note a clone-free branch at this head"
+].join(`
+`);
+function runCommand(view, argv) {
+  const [cmd, ...rest] = argv;
+  switch (cmd) {
+    case "write":
+      return cmdWrite(view, rest);
+    case "read":
+      return cmdRead(view, rest);
+    case "list":
+      return cmdList(view);
+    case "seal":
+      return cmdSeal(view, rest);
+    case "log":
+      return cmdLog(view);
+    case "checkpoint":
+      return cmdCheckpoint(view, rest);
+    case "fork":
+      return cmdFork(view);
+    default:
+      return USAGE;
+  }
+}
+function cmdWrite(view, args) {
+  const [path, ...content] = args;
+  if (!path || content.length === 0)
+    return USAGE;
+  view.writeFile(path, content.join(" "));
+  return `wrote ${path} @ ${short(view.head())}`;
+}
+function cmdRead(view, args) {
+  const [path] = args;
+  if (!path)
+    return USAGE;
+  const content = view.readFile(path);
+  if (content === SEALED)
+    return SEALED;
+  if (content === undefined)
+    return `not found: ${path}`;
+  return content;
+}
+function cmdList(view) {
+  const files = view.list();
+  return files.length === 0 ? "(empty)" : files.join(`
+`);
+}
+function cmdSeal(view, args) {
+  const [prefix, ...recipients] = args;
+  if (!prefix || recipients.length === 0)
+    return USAGE;
+  view.seal(prefix, recipients);
+  return `sealed ${prefix} -> ${recipients.join(", ")}`;
+}
+function cmdLog(view) {
+  const ops = view.history();
+  if (ops.length === 0)
+    return "(no ops)";
+  return ops.map((e) => `${e.seq} ${e.type} ${e.path} @ ${short(e.rootAfter)}`).join(`
+`);
+}
+function cmdCheckpoint(view, args) {
+  const [label] = args;
+  if (!label)
+    return USAGE;
+  const cp = view.checkpoint(label);
+  return `checkpoint ${cp.label} @ ${short(cp.head)}`;
+}
+function cmdFork(view) {
+  return `fork: clone-free branch at ${short(view.head())}`;
+}
+function short(hash) {
+  return hash.slice(0, 12);
+}
+// src/async-store.ts
+async function getTree(store, hash) {
+  const node = await store.get(hash);
+  if (!node || node.kind !== "tree")
+    throw new Error(`not a tree: ${hash}`);
+  return node;
+}
+class MemoryAsyncStore {
+  nodes = new Map;
+  async put(node) {
+    const h = hashNode(node);
+    if (!this.nodes.has(h))
+      this.nodes.set(h, node);
+    return h;
+  }
+  async get(hash) {
+    return this.nodes.get(hash);
+  }
+  async has(hash) {
+    return this.nodes.has(hash);
+  }
+  get size() {
+    return this.nodes.size;
+  }
+}
+// src/attest.ts
+import { createHmac, timingSafeEqual as timingSafeEqual2 } from "node:crypto";
+function canonicalOp(op) {
+  return JSON.stringify({
+    seq: op.seq,
+    type: op.type,
+    path: op.path,
+    rootAfter: op.rootAfter,
+    by: op.by ?? null,
+    message: op.message ?? null
+  });
+}
+function signOp(key, op) {
+  return createHmac("sha256", key).update(canonicalOp(op)).digest("base64");
+}
+function verifyOp(key, op, sig) {
+  const expected = Buffer.from(signOp(key, op), "base64");
+  let claimed;
+  try {
+    claimed = Buffer.from(sig, "base64");
+  } catch {
+    return false;
+  }
+  if (expected.length !== claimed.length)
+    return false;
+  return timingSafeEqual2(expected, claimed);
+}
+// src/errors.ts
+class CorruptRepoError extends Error {
+  constructor(message) {
+    super(`corrupt repo: ${message}`);
+    this.name = "CorruptRepoError";
+  }
+}
+// src/chain.ts
+function hashEntry(prevHash, op) {
+  return hashString(canonicalOp(op) + "\x00" + (prevHash ?? ""));
+}
+function chainOp(prevHash, op) {
+  return { ...op, prevHash, entryHash: hashEntry(prevHash, op) };
+}
+// src/async-tree.ts
+function segments2(path) {
+  return path.split("/").filter(Boolean);
+}
+async function emptyRoot2(store) {
+  return store.put({ kind: "tree", entries: {} });
+}
+async function writeFile2(store, root, path, content, opts = {}) {
+  const blob = opts.encoding ? { kind: "blob", content, encoding: opts.encoding } : { kind: "blob", content };
+  const hash = await store.put(blob);
+  return writeInto2(store, root, segments2(path), hash, "blob", opts.mode);
+}
+async function writeSealed(store, root, path, box) {
+  const hash = await store.put({ kind: "sealed", box });
+  return writeInto2(store, root, segments2(path), hash, "sealed");
+}
+async function writeInto2(store, treeHash, segs, hash, leafKind, mode) {
+  const tree = await getTree(store, treeHash);
+  const entries = { ...tree.entries };
+  const [head, ...rest] = segs;
+  if (rest.length === 0) {
+    entries[head] = mode === undefined ? { kind: leafKind, hash } : { kind: leafKind, hash, mode };
+  } else {
+    const child = entries[head];
+    const childHash = child?.kind === "tree" ? child.hash : await emptyRoot2(store);
+    entries[head] = { kind: "tree", hash: await writeInto2(store, childHash, rest, hash, leafKind, mode) };
+  }
+  return store.put({ kind: "tree", entries });
+}
+async function applyBatch(store, root, changes) {
+  if (changes.size === 0)
+    return root;
+  const tree = await getTree(store, root);
+  const entries = { ...tree.entries };
+  const subdirs = new Map;
+  for (const [path, leaf] of changes) {
+    const i = path.indexOf("/");
+    if (i === -1) {
+      if (leaf === null)
+        delete entries[path];
+      else
+        entries[path] = leaf.mode === undefined ? { kind: leaf.kind, hash: leaf.hash } : { kind: leaf.kind, hash: leaf.hash, mode: leaf.mode };
+    } else {
+      const head = path.slice(0, i);
+      let m = subdirs.get(head);
+      if (!m) {
+        m = new Map;
+        subdirs.set(head, m);
+      }
+      m.set(path.slice(i + 1), leaf);
+    }
+  }
+  for (const [name, sub] of subdirs) {
+    const child = entries[name];
+    const childRoot = child && child.kind === "tree" ? child.hash : await emptyRoot2(store);
+    const built = await applyBatch(store, childRoot, sub);
+    const builtTree = await getTree(store, built);
+    if (Object.keys(builtTree.entries).length === 0)
+      delete entries[name];
+    else
+      entries[name] = { kind: "tree", hash: built };
+  }
+  return store.put({ kind: "tree", entries });
+}
+async function deleteFile2(store, root, path) {
+  return deleteInto2(store, root, segments2(path));
+}
+async function deleteInto2(store, treeHash, segs) {
+  const tree = await getTree(store, treeHash);
+  const entries = { ...tree.entries };
+  const [head, ...rest] = segs;
+  if (!entries[head])
+    return treeHash;
+  if (rest.length === 0) {
+    delete entries[head];
+  } else if (entries[head].kind === "tree") {
+    entries[head] = { kind: "tree", hash: await deleteInto2(store, entries[head].hash, rest) };
+  }
+  return store.put({ kind: "tree", entries });
+}
+async function nodeAt(store, root, path) {
+  const segs = segments2(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = (await getTree(store, cur)).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1) {
+      if (entry.kind === "tree")
+        return;
+      const node = await store.get(entry.hash);
+      if (!node)
+        return;
+      if (node.kind === "blob")
+        return { kind: "blob", content: node.content };
+      if (node.kind === "sealed")
+        return { kind: "sealed", box: node.box };
+      return;
+    }
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+async function fileAt2(store, root, path) {
+  const segs = segments2(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = (await getTree(store, cur)).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1) {
+      if (entry.kind !== "blob")
+        return;
+      const node = await store.get(entry.hash);
+      return node && node.kind === "blob" ? node : undefined;
+    }
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+async function modeAt2(store, root, path) {
+  const segs = segments2(path);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = (await getTree(store, cur)).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1)
+      return entry.mode;
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+async function listAll2(store, root, prefix = "") {
+  const tree = await getTree(store, root);
+  const out = [];
+  for (const [name, entry] of Object.entries(tree.entries)) {
+    const p = prefix ? `${prefix}/${name}` : name;
+    if (entry.kind === "tree")
+      out.push(...await listAll2(store, entry.hash, p));
+    else
+      out.push(p);
+  }
+  return out.sort();
+}
+// src/async-repo.ts
+function pageOps(ops, opts = {}) {
+  let out = opts.from !== undefined ? ops.filter((o) => o.seq >= opts.from) : ops.slice();
+  if (opts.limit !== undefined)
+    out = out.slice(0, opts.limit);
+  return out;
+}
+class MemoryOpLog {
+  entries = [];
+  _head;
+  _logTip;
+  async head() {
+    return this._head;
+  }
+  async seq() {
+    return this.entries.length ? this.entries[this.entries.length - 1].seq : 0;
+  }
+  async logTip() {
+    return this._logTip;
+  }
+  async append(entry) {
+    const chained = chainOp(this._logTip, entry);
+    this.entries.push(chained);
+    this._head = chained.rootAfter;
+    this._logTip = chained.entryHash;
+  }
+  async history(opts) {
+    return pageOps(this.entries, opts);
+  }
+}
+class AsyncRepo {
+  store;
+  log;
+  actor;
+  constructor(store, log, actor = "anon") {
+    this.store = store;
+    this.log = log;
+    this.actor = actor;
+  }
+  async currentRoot() {
+    const head = await this.log.head();
+    if (head === undefined) {
+      const seq = await this.log.seq();
+      if (seq > 0)
+        throw new CorruptRepoError(`op-log has ${seq} op(s) but no head pointer — head is lost`);
+      return emptyRoot2(this.store);
+    }
+    if (!await this.store.has(head)) {
+      throw new CorruptRepoError(`head ${head} references a node missing from the store — dangling head`);
+    }
+    return head;
+  }
+  async writeFile(path, content, at = Date.now(), by = this.actor) {
+    const rootAfter = await writeFile2(this.store, await this.currentRoot(), path, content);
+    await this.log.append({ seq: await this.log.seq() + 1, type: "write", path, rootAfter, at, by });
+    return rootAfter;
+  }
+  async applyBatch(changes) {
+    const root = await this.currentRoot();
+    const leaves = new Map;
+    for (const c of changes) {
+      if ("delete" in c) {
+        leaves.set(c.path, null);
+        continue;
+      }
+      const blob = c.encoding ? { kind: "blob", content: c.content, encoding: c.encoding } : { kind: "blob", content: c.content };
+      const hash = await this.store.put(blob);
+      leaves.set(c.path, { kind: "blob", hash, mode: c.mode });
+    }
+    return { root: await applyBatch(this.store, root, leaves), changed: changes.length };
+  }
+  async writeBytes(path, data, at = Date.now(), by = this.actor) {
+    const rootAfter = await writeFile2(this.store, await this.currentRoot(), path, Buffer.from(data).toString("base64"), { encoding: "base64" });
+    await this.log.append({ seq: await this.log.seq() + 1, type: "write", path, rootAfter, at, by });
+    return rootAfter;
+  }
+  async readBytes(path) {
+    const leaf = await this.read(path);
+    if (!leaf)
+      return;
+    if (leaf.kind === "sealed")
+      return SEALED;
+    const f = await fileAt2(this.store, await this.currentRoot(), path);
+    if (!f)
+      return;
+    return new Uint8Array(Buffer.from(f.content, f.encoding === "base64" ? "base64" : "utf8"));
+  }
+  async chmod(path, mode, at = Date.now()) {
+    const f = await fileAt2(this.store, await this.currentRoot(), path);
+    if (!f)
+      return this.currentRoot();
+    const rootAfter = await writeFile2(this.store, await this.currentRoot(), path, f.content, { encoding: f.encoding, mode });
+    await this.log.append({ seq: await this.log.seq() + 1, type: "write", path, rootAfter, at, by: this.actor });
+    return rootAfter;
+  }
+  async mode(path) {
+    return modeAt2(this.store, await this.currentRoot(), path);
+  }
+  async writeSealed(path, box, at = Date.now()) {
+    const rootAfter = await writeSealed(this.store, await this.currentRoot(), path, box);
+    await this.log.append({ seq: await this.log.seq() + 1, type: "seal", path, rootAfter, at, by: this.actor });
+    return rootAfter;
+  }
+  async read(path) {
+    return nodeAt(this.store, await this.currentRoot(), path);
+  }
+  async deleteFile(path, at = Date.now(), by = this.actor) {
+    const rootAfter = await deleteFile2(this.store, await this.currentRoot(), path);
+    await this.log.append({ seq: await this.log.seq() + 1, type: "delete", path, rootAfter, at, by });
+    return rootAfter;
+  }
+  async readFile(path) {
+    const leaf = await this.read(path);
+    if (!leaf)
+      return;
+    return leaf.kind === "sealed" ? SEALED : leaf.content;
+  }
+  async list() {
+    return listAll2(this.store, await this.currentRoot());
+  }
+  async head() {
+    return this.currentRoot();
+  }
+  async history(opts) {
+    return this.log.history(opts);
+  }
+}
+// src/workspace.ts
+function safePath(path) {
+  const p = path.replace(/^\.[\\/]+/, "").trim();
+  if (!p)
+    throw new Error("path: empty");
+  if (p.startsWith("/") || p.startsWith("\\") || /^[a-zA-Z]:[\\/]/.test(p))
+    throw new Error(`path: absolute paths are not allowed: ${path}`);
+  if (p.split(/[\\/]/).some((s) => s === ".."))
+    throw new Error(`path: '..' escapes the workspace: ${path}`);
+  return p;
+}
+class SolWorkspace {
+  store;
+  log;
+  actor;
+  repo;
+  constructor(store, log, actor = "agent") {
+    this.store = store;
+    this.log = log;
+    this.actor = actor;
+    this.repo = new AsyncRepo(store, log, actor);
+  }
+  async write(path, content) {
+    return this.repo.writeFile(safePath(path), content);
+  }
+  async writeBytes(path, bytes) {
+    return this.repo.writeBytes(safePath(path), bytes);
+  }
+  async read(path) {
+    const c = await this.repo.readFile(path);
+    return c === undefined || c === SEALED ? undefined : c;
+  }
+  async readBytes(path) {
+    const b = await this.repo.readBytes(path);
+    return b === undefined || b === SEALED ? undefined : b;
+  }
+  async edit(path, oldStr, newStr, opts = {}) {
+    path = safePath(path);
+    const cur = await this.repo.readFile(path);
+    if (cur === undefined)
+      throw new Error(`edit: no such file: ${path}`);
+    if (cur === SEALED)
+      throw new Error(`edit: cannot text-edit a sealed file: ${path}`);
+    const occurrences = cur.split(oldStr).length - 1;
+    if (occurrences === 0)
+      throw new Error(`edit: text not found in ${path}`);
+    if (occurrences > 1 && !opts.all)
+      throw new Error(`edit: text appears ${occurrences}x in ${path} — add surrounding context or pass all:true`);
+    await this.repo.writeFile(path, opts.all ? cur.split(oldStr).join(newStr) : cur.replace(oldStr, newStr));
+  }
+  async ls(prefix) {
+    const all = await this.repo.list();
+    if (!prefix)
+      return all;
+    const dir = prefix.endsWith("/") ? prefix : prefix + "/";
+    return all.filter((p) => p === prefix || p.startsWith(dir));
+  }
+  async exists(path) {
+    return (await this.repo.list()).includes(path);
+  }
+  async isSealed(path) {
+    return await this.repo.readFile(path) === SEALED;
+  }
+  async move(from, to) {
+    const c = await this.repo.readFile(from);
+    if (c === undefined)
+      throw new Error(`move: no such file: ${from}`);
+    if (c === SEALED)
+      throw new Error(`move: cannot move a sealed file via the text API: ${from}`);
+    await this.repo.writeFile(safePath(to), c);
+    await this.repo.deleteFile(from);
+  }
+  remove(path) {
+    return this.repo.deleteFile(path);
+  }
+  async commit(message) {
+    const head = await this.repo.head();
+    const hist = await this.log.history();
+    let parent;
+    for (let i = hist.length - 1;i >= 0; i--) {
+      if (hist[i].type === "checkpoint") {
+        parent = hist[i].rootAfter;
+        break;
+      }
+    }
+    const entry = { seq: await this.log.seq() + 1, type: "checkpoint", path: "", rootAfter: head, at: Date.now(), by: this.actor, message, ...parent && parent !== head ? { parent } : {} };
+    await this.log.append(entry);
+    return head;
+  }
+  checkpoint(message) {
+    return this.commit(message);
+  }
+  head() {
+    return this.repo.head();
+  }
+  history(opts) {
+    return this.repo.history(opts);
+  }
+  get raw() {
+    return this.repo;
+  }
+}
+// src/sealed-client.ts
+class SealedClient {
+  repo;
+  ring;
+  constructor(repo, ring) {
+    this.repo = repo;
+    this.ring = ring;
+  }
+  async write(path, content) {
+    return this.repo.writeFile(path, content);
+  }
+  async seal(path, content, recipients) {
+    const box = sealContent(this.ring, content, recipients);
+    return this.repo.writeSealed(path, JSON.stringify(box));
+  }
+  async open(path, actor) {
+    const leaf = await this.repo.read(path);
+    if (!leaf)
+      return;
+    if (leaf.kind === "blob")
+      return leaf.content;
+    const box = JSON.parse(leaf.box);
+    return openContent(this.ring, box, actor);
+  }
+}
+// src/sync.ts
+async function missingFrom(source, target, root, seen, out) {
+  if (seen.has(root) || await target.has(root))
+    return;
+  seen.add(root);
+  const node = await source.get(root);
+  if (!node)
+    return;
+  out.push(root);
+  if (node.kind === "tree") {
+    for (const e of Object.values(node.entries))
+      await missingFrom(source, target, e.hash, seen, out);
+  }
+}
+async function pull(target, source) {
+  const sourceOps = await source.log.history();
+  const targetOps = await target.log.history();
+  const srcBySeq = new Map(sourceOps.map((o) => [o.seq, o]));
+  const maxTargetSeq = targetOps.reduce((m, o) => Math.max(m, o.seq), 0);
+  for (const t of targetOps) {
+    const s = srcBySeq.get(t.seq);
+    if (s && !(s.rootAfter === t.rootAfter && s.path === t.path && s.type === t.type)) {
+      throw new Error("diverged: target has ops the source does not — use merge(), not pull()");
+    }
+  }
+  const newOps = sourceOps.filter((o) => o.seq > maxTargetSeq).sort((a, b) => a.seq - b.seq);
+  const seen = new Set;
+  let nodes = 0;
+  for (const op of newOps) {
+    const out = [];
+    await missingFrom(source.store, target.store, op.rootAfter, seen, out);
+    for (const h of out) {
+      const node = await source.store.get(h);
+      if (node) {
+        await target.store.put(node);
+        nodes++;
+      }
+    }
+    await target.log.append(op);
+  }
+  return { ops: newOps.length, nodes, head: await target.log.head() };
+}
+async function clone(source, target) {
+  return pull(target, source);
+}
+async function reachable(store, root, into) {
+  if (into.has(root))
+    return;
+  const node = await store.get(root);
+  if (!node)
+    return;
+  into.add(root);
+  if (node.kind === "tree")
+    for (const e of Object.values(node.entries))
+      await reachable(store, e.hash, into);
+}
+async function deltaNodes(store, root, have) {
+  const out = [];
+  const seen = new Set;
+  const stack = [root];
+  while (stack.length) {
+    const h = stack.pop();
+    if (have.has(h) || seen.has(h))
+      continue;
+    seen.add(h);
+    const node = await store.get(h);
+    if (!node)
+      continue;
+    out.push(h);
+    if (node.kind === "tree")
+      for (const e of Object.values(node.entries))
+        stack.push(e.hash);
+  }
+  return out;
+}
+async function push(remote, local, opts = {}) {
+  const { head: rHead, seq: rSeq } = await remote.headSeq();
+  const localHead = await local.log.head();
+  if (!localHead || localHead === rHead)
+    return { ops: 0, nodes: 0, bytes: 0, head: rHead };
+  if (rHead) {
+    const localOps = await local.log.history();
+    if (!localOps.some((o) => o.rootAfter === rHead)) {
+      throw new Error("non-fast-forward: remote has moved — pull/merge first");
+    }
+  }
+  const have = new Set;
+  if (rHead)
+    await reachable(local.store, rHead, have);
+  const toSend = await deltaNodes(local.store, localHead, have);
+  const nodes = [];
+  let bytes = 0;
+  for (const h of toSend) {
+    const node = await local.store.get(h);
+    if (node) {
+      nodes.push(node);
+      bytes += JSON.stringify(node).length;
+    }
+  }
+  const op = { seq: rSeq + 1, type: "write", path: "", rootAfter: localHead, at: opts.at ?? Date.now(), message: opts.message };
+  const res = await remote.applyBatch(nodes, [op]);
+  return { ops: 1, nodes: nodes.length, bytes, head: res.head };
+}
+function localTarget(r) {
+  return {
+    async headSeq() {
+      return { head: await r.log.head(), seq: await r.log.seq() };
+    },
+    async applyBatch(nodes, ops) {
+      for (const n of nodes)
+        await r.store.put(n);
+      for (const op of ops)
+        await r.log.append(op);
+      return { head: await r.log.head(), applied: ops.length };
+    }
+  };
+}
+// src/diff.ts
+function diffTrees(store, aHead, bHead) {
+  const aPaths = new Set(listAll(store, aHead));
+  const bPaths = new Set(listAll(store, bHead));
+  const added = [];
+  const removed = [];
+  const modified = [];
+  for (const p of bPaths)
+    if (!aPaths.has(p))
+      added.push(p);
+  for (const p of aPaths)
+    if (!bPaths.has(p))
+      removed.push(p);
+  for (const p of aPaths) {
+    if (!bPaths.has(p))
+      continue;
+    const a = fileAt(store, aHead, p);
+    const b = fileAt(store, bHead, p);
+    if (!a || !b)
+      continue;
+    if (a.content === b.content && a.encoding === b.encoding)
+      continue;
+    const binary = a.encoding === "base64" || b.encoding === "base64";
+    const hunks2 = binary ? "" : lineHunks(a.content, b.content);
+    modified.push({ path: p, hunks: hunks2 });
+  }
+  added.sort();
+  removed.sort();
+  modified.sort((x, y) => x.path < y.path ? -1 : x.path > y.path ? 1 : 0);
+  return { added, removed, modified };
+}
+function diffFile(store, aHead, bHead, path) {
+  const a = readFile(store, aHead, path);
+  const b = readFile(store, bHead, path);
+  if (a === undefined || b === undefined || a === b)
+    return "";
+  return lineHunks(a, b);
+}
+function splitLines(s) {
+  return s.split(`
+`);
+}
+function lcsSteps(a, b) {
+  const n = a.length;
+  const m = b.length;
+  const dp = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
+  for (let i2 = n - 1;i2 >= 0; i2--) {
+    for (let j2 = m - 1;j2 >= 0; j2--) {
+      dp[i2][j2] = a[i2] === b[j2] ? dp[i2 + 1][j2 + 1] + 1 : Math.max(dp[i2 + 1][j2], dp[i2][j2 + 1]);
+    }
+  }
+  const steps = [];
+  let i = 0;
+  let j = 0;
+  while (i < n && j < m) {
+    if (a[i] === b[j]) {
+      steps.push({ tag: " ", line: a[i] });
+      i++;
+      j++;
+    } else if (dp[i + 1][j] >= dp[i][j + 1]) {
+      steps.push({ tag: "-", line: a[i] });
+      i++;
+    } else {
+      steps.push({ tag: "+", line: b[j] });
+      j++;
+    }
+  }
+  while (i < n)
+    steps.push({ tag: "-", line: a[i++] });
+  while (j < m)
+    steps.push({ tag: "+", line: b[j++] });
+  return steps;
+}
+function lineHunks(aText, bText) {
+  const steps = lcsSteps(splitLines(aText), splitLines(bText));
+  const body = steps.map((s) => `${s.tag}${s.line}`).join(`
+`);
+  return `@@ -1 +1 @@
+${body}`;
+}
+// src/blame.ts
+function blame(repo, view, path) {
+  const writes = view.fullHistory().filter((op) => op.type === "write" && op.path === path);
+  let prev = [];
+  for (const op of writes) {
+    const content = contentAt(repo, path, op.rootAfter);
+    if (content === undefined) {
+      prev = [];
+      continue;
+    }
+    const nextLines = splitLines2(content);
+    prev = attribute(prev, nextLines, op.by, op.seq);
+  }
+  return prev.map((t) => ({ line: t.line, by: t.by, seq: t.seq }));
+}
+function contentAt(repo, path, root) {
+  const c = repo.view("blame", root).readFile(path);
+  if (c === undefined || c === SEALED)
+    return;
+  return c;
+}
+function attribute(old, next, by, seq) {
+  const oldText = old.map((t) => t.line);
+  const keep = lcsMatch(oldText, next);
+  const out = [];
+  for (let j = 0;j < next.length; j++) {
+    const oi = keep[j];
+    if (oi >= 0)
+      out.push({ line: next[j], by: old[oi].by, seq: old[oi].seq });
+    else
+      out.push({ line: next[j], by, seq });
+  }
+  return out;
+}
+function lcsMatch(a, b) {
+  const n = a.length;
+  const m = b.length;
+  const dp = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
+  for (let i2 = n - 1;i2 >= 0; i2--) {
+    for (let j2 = m - 1;j2 >= 0; j2--) {
+      dp[i2][j2] = a[i2] === b[j2] ? dp[i2 + 1][j2 + 1] + 1 : Math.max(dp[i2 + 1][j2], dp[i2][j2 + 1]);
+    }
+  }
+  const match = new Array(m).fill(-1);
+  let i = 0;
+  let j = 0;
+  while (i < n && j < m) {
+    if (a[i] === b[j]) {
+      match[j] = i;
+      i++;
+      j++;
+    } else if (dp[i + 1][j] >= dp[i][j + 1]) {
+      i++;
+    } else {
+      j++;
+    }
+  }
+  return match;
+}
+function splitLines2(content) {
+  if (content === "")
+    return [];
+  const parts = content.split(`
+`);
+  if (parts.length > 0 && parts[parts.length - 1] === "")
+    parts.pop();
+  return parts;
+}
+// src/gc.ts
+function reachableFrom(store, roots) {
+  const live = new Set;
+  const stack = [...roots];
+  while (stack.length > 0) {
+    const h = stack.pop();
+    if (live.has(h))
+      continue;
+    const node = store.get(h);
+    if (!node)
+      continue;
+    live.add(h);
+    if (node.kind === "tree") {
+      for (const entry of Object.values(node.entries)) {
+        stack.push(entry.hash);
+      }
+    }
+  }
+  return live;
+}
+function garbage(store, roots, allHashes) {
+  const live = reachableFrom(store, roots);
+  return allHashes.filter((h) => !live.has(h));
+}
+function compact(store, roots) {
+  const live = reachableFrom(store, roots);
+  const out = new Store;
+  for (const h of live) {
+    const node = store.get(h);
+    if (node)
+      out.put(node);
+  }
+  return out;
+}
+// src/publish.ts
+async function copyReachable(src, dst, root, seen) {
+  if (seen.has(root))
+    return;
+  seen.add(root);
+  const node = await src.get(root);
+  if (!node)
+    return;
+  await dst.put(node);
+  if (node.kind === "tree")
+    for (const e of Object.values(node.entries))
+      await copyReachable(src, dst, e.hash, seen);
+}
+async function overlayPath(store, base, local, localHead, path) {
+  const leaf = await nodeAt(local.store, localHead, path);
+  if (!leaf)
+    return deleteFile2(store, base, path);
+  if (leaf.kind === "sealed")
+    return writeSealed(store, base, path, leaf.box);
+  return writeFile2(store, base, path, leaf.content);
+}
+async function publishPaths(remote, local, paths) {
+  const { head: rHead, seq: rSeq } = await remote.headSeq();
+  const localHead = await local.log.head();
+  if (!localHead)
+    return { ops: 0, nodes: 0, bytes: 0, head: rHead };
+  const store = new MemoryAsyncStore;
+  const seen = new Set;
+  await copyReachable(local.store, store, localHead, seen);
+  if (rHead)
+    await copyReachable(local.store, store, rHead, seen);
+  const base = rHead && await store.has(rHead) ? rHead : await emptyRoot2(store);
+  let root = base;
+  for (const path of paths)
+    root = await overlayPath(store, root, local, localHead, path);
+  const log = new MemoryOpLog;
+  if (rHead)
+    await log.append({ seq: rSeq, type: "write", path: "", rootAfter: rHead, at: 0 });
+  await log.append({ seq: rSeq + 1, type: "write", path: "", rootAfter: root, at: Date.now() });
+  return push(remote, { store, log });
+}
+// src/sparse.ts
+function underPrefix2(path, prefix) {
+  const p = prefix.replace(/\/+$/, "");
+  if (!p)
+    return true;
+  return path === p || path.startsWith(`${p}/`);
+}
+async function leafAt(store, root, path) {
+  const segs = path.split("/").filter(Boolean);
+  let cur = root;
+  for (let i = 0;i < segs.length; i++) {
+    const entry = (await getTree(store, cur)).entries[segs[i]];
+    if (!entry)
+      return;
+    if (i === segs.length - 1) {
+      if (entry.kind === "tree")
+        return;
+      return { hash: entry.hash, kind: entry.kind };
+    }
+    if (entry.kind !== "tree")
+      return;
+    cur = entry.hash;
+  }
+  return;
+}
+async function writeLeafInto(store, treeHash, segs, leafHash, leafKind) {
+  const tree = await getTree(store, treeHash);
+  const entries = { ...tree.entries };
+  const [head, ...rest] = segs;
+  if (rest.length === 0) {
+    entries[head] = { kind: leafKind, hash: leafHash };
+  } else {
+    const child = entries[head];
+    const childHash = child?.kind === "tree" ? child.hash : await emptyRoot2(store);
+    entries[head] = { kind: "tree", hash: await writeLeafInto(store, childHash, rest, leafHash, leafKind) };
+  }
+  return store.put({ kind: "tree", entries });
+}
+async function pullSubtree(target, source, prefix) {
+  const sourceHead = await source.log.head();
+  if (!sourceHead)
+    return { paths: [], nodes: 0 };
+  const all = await listAll2(source.store, sourceHead);
+  const paths = all.filter((p) => underPrefix2(p, prefix)).sort();
+  if (paths.length === 0)
+    return { paths: [], nodes: 0 };
+  let root = await target.log.head() ?? await emptyRoot2(target.store);
+  let nodes = 0;
+  for (const path of paths) {
+    const leaf = await leafAt(source.store, sourceHead, path);
+    if (!leaf)
+      continue;
+    if (!await target.store.has(leaf.hash)) {
+      const node = await source.store.get(leaf.hash);
+      if (node) {
+        await target.store.put(node);
+        nodes++;
+      }
+    }
+    root = await writeLeafInto(target.store, root, path.split("/").filter(Boolean), leaf.hash, leaf.kind);
+  }
+  const op = {
+    seq: await target.log.seq() + 1,
+    type: "write",
+    path: prefix.replace(/\/+$/, ""),
+    rootAfter: root,
+    at: Date.now(),
+    message: `sparse: ${prefix}`
+  };
+  await target.log.append(op);
+  return { paths, nodes };
+}
+// src/branch-acl.ts
+class RefAcls {
+  policies = new Map;
+  setVisibility(branch, who) {
+    if (who === "public") {
+      this.policies.delete(branch);
+      return;
+    }
+    this.policies.set(branch, new Set(who));
+  }
+  canSee(branch, actor) {
+    const policy = this.policies.get(branch);
+    if (!policy || policy === "public")
+      return true;
+    return policy.has(actor);
+  }
+  visibleBranches(all, actor) {
+    return all.filter((branch) => this.canSee(branch, actor));
+  }
+}
+// src/channel.ts
+class Channel {
+  listeners = new Set;
+  subscribe(fn) {
+    this.listeners.add(fn);
+    return () => {
+      this.listeners.delete(fn);
+    };
+  }
+  publish(op) {
+    for (const fn of [...this.listeners]) {
+      try {
+        fn(op);
+      } catch {}
+    }
+  }
+}
+// src/semantic-merge.ts
+async function semanticMerge(repo, base, ours, theirs, checker) {
+  const m = merge(repo, base, ours, theirs);
+  if (m.conflicts.length > 0)
+    return { head: m.head, lineConflicts: m.conflicts, clean: false };
+  if (checker) {
+    const r = await checker.run({ store: repo.store, head: m.head });
+    if (r.verdict === "fail") {
+      return { head: m.head, lineConflicts: [], semanticConflict: { issuer: checker.id, findings: r.findings ?? [] }, clean: false };
+    }
+  }
+  return { head: m.head, lineConflicts: [], clean: true };
+}
+var duplicateExportCheck = {
+  id: "no-duplicate-exports",
+  run({ store, head }) {
+    const findings = [];
+    for (const path of listAll(store, head)) {
+      const content = readFile(store, head, path);
+      if (typeof content !== "string")
+        continue;
+      const seen = new Map;
+      content.split(`
+`).forEach((line, i) => {
+        const match = line.match(/export\s+(?:const|let|var|function|class)\s+([A-Za-z0-9_$]+)/);
+        if (!match)
+          return;
+        const name = match[1];
+        if (seen.has(name))
+          findings.push({ path, line: i + 1, message: `duplicate export '${name}' (also at line ${seen.get(name)})`, severity: "block" });
+        else
+          seen.set(name, i + 1);
+      });
+    }
+    return findings.length === 0 ? { verdict: "pass", summary: "no duplicate exports" } : { verdict: "fail", summary: `${findings.length} duplicate export(s)`, findings };
+  }
+};
+// src/change.ts
+var nextId = 1;
+class Change {
+  repo;
+  title;
+  author;
+  baseHead;
+  sourceHead;
+  targetHead;
+  message;
+  ctx;
+  id;
+  status = "open";
+  atts = [];
+  constructor(repo, title, author, baseHead, sourceHead, targetHead, message, ctx) {
+    this.repo = repo;
+    this.title = title;
+    this.author = author;
+    this.baseHead = baseHead;
+    this.sourceHead = sourceHead;
+    this.targetHead = targetHead;
+    this.message = message;
+    this.ctx = ctx;
+    this.id = "chg_" + nextId++;
+  }
+  get scope() {
+    return this.ctx?.scope ?? "change:" + this.id;
+  }
+  attest(a) {
+    const full = { ...a, at: a.at ?? Date.now() };
+    this.atts.push(full);
+    this.ctx?.ledger?.record(this.scope, full);
+    this.ctx?.events?.publish({ type: "attestation.added", changeId: this.id, actor: full.issuer, at: full.at, data: full });
+    return this;
+  }
+  attestations() {
+    return this.atts;
+  }
+  evidence() {
+    const diff = diffTrees(this.repo.store, this.targetHead, this.sourceHead);
+    const checks = { pass: 0, fail: 0, pending: 0 };
+    let approvals = 0;
+    let blocking = 0;
+    for (const a of this.atts) {
+      if (a.kind === "check")
+        checks[a.verdict === "pass" ? "pass" : a.verdict === "fail" ? "fail" : "pending"] += 1;
+      if (a.kind === "approval" && a.verdict === "pass")
+        approvals += 1;
+      blocking += (a.findings ?? []).filter((f) => f.severity === "block").length;
+    }
+    return {
+      changeId: this.id,
+      title: this.title,
+      author: this.author,
+      status: this.status,
+      diff,
+      attestations: [...this.atts],
+      summary: {
+        files: { added: diff.added.length, removed: diff.removed.length, modified: diff.modified.length },
+        checks,
+        reviews: { approvals, blocking }
+      }
+    };
+  }
+  gate(policy = {}) {
+    const ev = this.evidence();
+    const reasons = [];
+    if (ev.summary.checks.fail > 0)
+      reasons.push(`${ev.summary.checks.fail} check(s) failing`);
+    if (ev.summary.checks.pending > 0)
+      reasons.push(`${ev.summary.checks.pending} check(s) pending`);
+    for (const req of policy.requiredChecks ?? []) {
+      const a = this.atts.find((x) => x.kind === "check" && (x.issuer === req || x.summary.toLowerCase().includes(req.toLowerCase())));
+      if (!a || a.verdict !== "pass")
+        reasons.push(`required check "${req}" not passing`);
+    }
+    if (policy.requiredApprovals && ev.summary.reviews.approvals < policy.requiredApprovals) {
+      reasons.push(`needs ${policy.requiredApprovals} approval(s), has ${ev.summary.reviews.approvals}`);
+    }
+    if (policy.blockOnFindings && ev.summary.reviews.blocking > 0) {
+      reasons.push(`${ev.summary.reviews.blocking} blocking finding(s)`);
+    }
+    const passed = reasons.length === 0;
+    this.status = passed ? "approved" : "gated";
+    this.ctx?.events?.publish({ type: passed ? "change.approved" : "change.gated", changeId: this.id, at: Date.now(), data: { passed, reasons } });
+    return { passed, reasons };
+  }
+  promote(policy = {}, by) {
+    if (this.ctx?.caps && by && !this.ctx.caps.can(by, this.scope, "promote")) {
+      return { promoted: false, reason: `${by} lacks 'promote' capability on ${this.scope}` };
+    }
+    const g = this.gate(policy);
+    if (!g.passed)
+      return { promoted: false, reason: g.reasons.join("; ") };
+    const m = merge(this.repo, this.baseHead, this.targetHead, this.sourceHead);
+    if (m.conflicts.length > 0)
+      return { promoted: false, conflicts: m.conflicts.length, reason: "merge conflicts" };
+    this.targetHead = m.head;
+    this.status = "promoted";
+    this.ctx?.events?.publish({ type: "change.promoted", changeId: this.id, actor: by, at: Date.now(), data: { head: m.head } });
+    return { promoted: true, newTargetHead: m.head, conflicts: 0 };
+  }
+  async promoteChecked(policy = {}, by, checker) {
+    if (this.ctx?.caps && by && !this.ctx.caps.can(by, this.scope, "promote")) {
+      return { promoted: false, reason: `${by} lacks 'promote' capability on ${this.scope}` };
+    }
+    const g = this.gate(policy);
+    if (!g.passed)
+      return { promoted: false, reason: g.reasons.join("; ") };
+    const sm = await semanticMerge(this.repo, this.baseHead, this.targetHead, this.sourceHead, checker);
+    if (sm.lineConflicts.length)
+      return { promoted: false, conflicts: sm.lineConflicts.length, reason: "merge conflicts" };
+    if (sm.semanticConflict)
+      return { promoted: false, reason: `semantic conflict: ${sm.semanticConflict.findings[0]?.message ?? "structural break"}` };
+    this.targetHead = sm.head;
+    this.status = "promoted";
+    this.ctx?.events?.publish({ type: "change.promoted", changeId: this.id, actor: by, at: Date.now(), data: { head: sm.head } });
+    return { promoted: true, newTargetHead: sm.head, conflicts: 0 };
+  }
+}
+function openChange(repo, opts, ctx) {
+  const c = new Change(repo, opts.title, opts.author, opts.baseHead, opts.sourceHead, opts.targetHead, opts.message, ctx);
+  ctx?.events?.publish({ type: "change.opened", changeId: c.id, actor: c.author, at: Date.now(), data: c });
+  return c;
+}
+// src/events.ts
+class EventBus {
+  subs = new Set;
+  subscribe(fn) {
+    this.subs.add(fn);
+    return () => {
+      this.subs.delete(fn);
+    };
+  }
+  publish(e) {
+    for (const fn of [...this.subs]) {
+      try {
+        fn(e);
+      } catch {}
+    }
+  }
+}
+// src/capability.ts
+function covers2(grant, want) {
+  return grant === "*" || grant === want || want.startsWith(grant + "/");
+}
+class Capabilities {
+  grants = [];
+  grant(holder, scope, actions) {
+    this.grants.push({ holder, scope, actions: new Set(actions) });
+    return this;
+  }
+  can(holder, scope, action) {
+    return this.grants.some((g) => g.holder === holder && covers2(g.scope, scope) && g.actions.has(action));
+  }
+  revoke(holder, scope) {
+    this.grants = this.grants.filter((g) => !(g.holder === holder && g.scope === scope));
+  }
+}
+// src/attestation.ts
+import { createHmac as createHmac2, timingSafeEqual as timingSafeEqual3 } from "node:crypto";
+function canonicalAttestation(a) {
+  return JSON.stringify({
+    kind: a.kind,
+    issuer: a.issuer,
+    verdict: a.verdict,
+    summary: a.summary,
+    findings: (a.findings ?? []).map((f) => ({ path: f.path, line: f.line ?? null, message: f.message, severity: f.severity ?? null })),
+    at: a.at
+  });
+}
+function signAttestation(key, a) {
+  return createHmac2("sha256", key).update(canonicalAttestation(a)).digest("base64");
+}
+function verifyAttestation(key, a, sig = a.signature) {
+  if (!sig)
+    return false;
+  const expected = Buffer.from(signAttestation(key, a));
+  const got = Buffer.from(sig);
+  return expected.length === got.length && timingSafeEqual3(expected, got);
+}
+function attestSigned(change, key, a) {
+  const full = { ...a, at: a.at ?? Date.now() };
+  full.signature = signAttestation(key, full);
+  change.attest(full);
+  return full;
+}
+class Ledger {
+  bySubject = new Map;
+  record(subject, a) {
+    const list = this.bySubject.get(subject) ?? [];
+    list.push(a);
+    this.bySubject.set(subject, list);
+  }
+  provenance(subject) {
+    return [...this.bySubject.get(subject) ?? []];
+  }
+}
+// src/check.ts
+class CheckCache {
+  cache = new Map;
+  _hits = 0;
+  _misses = 0;
+  async run(runner, req) {
+    const key = runner.id + "@" + req.head;
+    const hit = this.cache.get(key);
+    if (hit) {
+      this._hits += 1;
+      return { result: hit, cached: true };
+    }
+    this._misses += 1;
+    const result = await runner.run(req);
+    this.cache.set(key, result);
+    return { result, cached: false };
+  }
+  stats() {
+    return { hits: this._hits, misses: this._misses };
+  }
+}
+function toAttestation(runner, r) {
+  return { kind: "check", issuer: runner.id, verdict: r.verdict, summary: r.summary, findings: r.findings };
+}
+export {
+  writeFile,
+  wrapCekTo,
+  verifyOp,
+  verifyAttestation,
+  unwrapCekWith,
+  toAttestation,
+  signOp,
+  signAttestation,
+  semanticMerge,
+  sealWithRecovery,
+  sealContent,
+  sameActor,
+  safePath,
+  runCommand,
+  rotate,
+  recoveryKeyPair,
+  readFile,
+  reachableFrom,
+  push,
+  pullSubtree,
+  pull,
+  publishPaths,
+  pageOps,
+  openWithRecovery,
+  openContent,
+  openChange,
+  modeAt,
+  merge3,
+  merge,
+  localTarget,
+  listAll,
+  lineHunks,
+  isRecipient,
+  importFiles,
+  hashString,
+  hashNode,
+  groupIntoUnits,
+  getTree,
+  garbage,
+  formatLog,
+  filterLog,
+  fileAt,
+  exportFiles,
+  entryKindAt,
+  emptyRoot,
+  duplicateExportCheck,
+  diffTrees,
+  diffFile,
+  deleteFile,
+  compact,
+  clone,
+  ciphertextOf,
+  canonicalOp,
+  canonicalAttestation,
+  blobHashAt,
+  blame,
+  attestSigned,
+  View,
+  UNREADABLE,
+  Store,
+  SolWorkspace,
+  SealedClient,
+  SealRegistry,
+  SEALED,
+  Repo,
+  RefAcls,
+  MemoryOpLog,
+  MemoryAsyncStore,
+  Ledger,
+  Labels,
+  KeyRing,
+  EventBus,
+  CheckCache,
+  Channel,
+  Change,
+  Capabilities,
+  AsyncRepo
+};