toiljs 0.0.55 → 0.0.56

package/src/compiler/ssg.ts

@@ -16,7 +16,7 @@ import { createServer } from 'vite';
 import { type ResolvedToilConfig } from './config.js';
 import { extractStaticMetadata, loadTypeScript } from './prerender.js';
 import { scanRoutes } from './routes.js';
-import { injectSeoHtml, joinUrl, llmsTxt, routeSeo, sitemapXml, type LlmsPage } from './seo.js';
+import { injectSeoHtml, joinUrl, type LlmsPage, llmsTxt, routeSeo, sitemapXml } from './seo.js';
 import { createViteConfig } from './vite.js';
 
 /** Reads a string field off a metadata record, or undefined. */
@@ -91,7 +91,9 @@ export async function prerenderStaticParams(cfg: ResolvedToilConfig): Promise<st
             try {
                 mod = (await server.ssrLoadModule(route.file)) as RouteModule;
             } catch (err) {
-                warn(`skipped ${route.pattern} (${err instanceof Error ? err.message : String(err)})`);
+                warn(
+                    `skipped ${route.pattern} (${err instanceof Error ? err.message : String(err)})`,
+                );
                 continue;
             }
             if (typeof mod.generateStaticParams !== 'function') continue;
@@ -116,12 +118,16 @@ export async function prerenderStaticParams(cfg: ResolvedToilConfig): Promise<st
                             typeof mod.loader === 'function'
                                 ? await mod.loader({ params, searchParams })
                                 : undefined;
-                        metadata = asMetadata(await mod.generateMetadata({ params, searchParams, data }));
+                        metadata = asMetadata(
+                            await mod.generateMetadata({ params, searchParams, data }),
+                        );
                     } else if (mod.metadata) {
                         metadata = asMetadata(mod.metadata);
                     }
                 } catch (err) {
-                    warn(`metadata failed for ${url} (${err instanceof Error ? err.message : String(err)})`);
+                    warn(
+                        `metadata failed for ${url} (${err instanceof Error ? err.message : String(err)})`,
+                    );
                 }
                 const html = injectSeoHtml(shell, routeSeo(cfg.seo, metadata, url));
                 fs.mkdirSync(path.dirname(target), { recursive: true });

package/src/compiler/template-build.ts

@@ -19,12 +19,7 @@
 import fs from 'node:fs';
 import path from 'node:path';
 
-import {
-    createElement,
-    type ComponentType,
-    type Context,
-    type ReactNode,
-} from 'react';
+import { type ComponentType, type Context, createElement, type ReactNode } from 'react';
 import { renderToStaticMarkup } from 'react-dom/server';
 import { createServer } from 'vite';
 
@@ -36,8 +31,8 @@ import {
     assignSlotIds,
     coherenceHash,
     encodeSlots,
-    extractFromHtml,
     type Extracted,
+    extractFromHtml,
 } from './template.js';
 import { createViteConfig } from './vite.js';
 

package/src/compiler/template.ts

@@ -249,10 +249,7 @@ export function reactEscapeHtml(s: string): string {
  * any tooling that needs to materialise a full page from a template + values).
  * `values` maps a byte offset to the bytes inserted there (offsets may repeat
  * is not allowed; pass them in `slots` order). */
-export function spliceTemplate(
-    tmpl: Buffer,
-    inserts: { offset: number; value: Buffer }[],
-): Buffer {
+export function spliceTemplate(tmpl: Buffer, inserts: { offset: number; value: Buffer }[]): Buffer {
     const parts: Buffer[] = [];
     let prev = 0;
     for (const ins of inserts) {

package/src/compiler/vite.ts

@@ -7,7 +7,7 @@ import pc from 'picocolors';
 import react from '@vitejs/plugin-react';
 import { imagetools } from 'vite-imagetools';
 import { nodePolyfills } from 'vite-plugin-node-polyfills';
-import { createLogger, mergeConfig, type InlineConfig, type Logger, type PluginOption } from 'vite';
+import { createLogger, type InlineConfig, type Logger, mergeConfig, type PluginOption } from 'vite';
 
 import { type ResolvedToilConfig } from './config.js';
 import { fontPreloadPlugin } from './fonts.js';

package/src/devserver/crypto.ts

@@ -25,9 +25,24 @@ import type { MemoryRef } from './host.js';
 
 // --- ABI id tables (must match the std + Rust backend) ----------------------
 const ALG = {
-    SHA1: 1, SHA256: 2, SHA384: 3, SHA512: 4, SHA3_256: 5, SHA3_384: 6, SHA3_512: 7,
-    AES_GCM: 10, AES_CBC: 11, AES_CTR: 12, AES_KW: 13, HMAC: 20,
-    ECDSA: 32, ED25519: 33, ECDH: 50, X25519: 51, HKDF: 52, PBKDF2: 53,
+    SHA1: 1,
+    SHA256: 2,
+    SHA384: 3,
+    SHA512: 4,
+    SHA3_256: 5,
+    SHA3_384: 6,
+    SHA3_512: 7,
+    AES_GCM: 10,
+    AES_CBC: 11,
+    AES_CTR: 12,
+    AES_KW: 13,
+    HMAC: 20,
+    ECDSA: 32,
+    ED25519: 33,
+    ECDH: 50,
+    X25519: 51,
+    HKDF: 52,
+    PBKDF2: 53,
 } as const;
 const FMT = { RAW: 0, PKCS8: 1, SPKI: 2, JWK: 3 } as const;
 
@@ -77,7 +92,9 @@ function readBytes(ref: MemoryRef, ptr: number, len: number): Buffer {
 function writeBytes(ref: MemoryRef, ptr: number, bytes: Buffer | Uint8Array): void {
     const m = memBuf(ref);
     if (ptr < 0 || ptr + bytes.length > m.length)
-        throw new Error(`crypto write out of bounds: ptr=${String(ptr)} len=${String(bytes.length)}`);
+        throw new Error(
+            `crypto write out of bounds: ptr=${String(ptr)} len=${String(bytes.length)}`,
+        );
     m.set(bytes, ptr);
 }
 
@@ -85,25 +102,21 @@ function writeBytes(ref: MemoryRef, ptr: number, bytes: Buffer | Uint8Array): vo
 class ParamReader {
     private pos = 0;
     constructor(private readonly buf: Buffer) {}
-    /** Bounds-check before a read so a malformed buffer throws a controlled
-     *  error (trap-equivalent, caught by the dispatcher) rather than a raw
-     *  Node RangeError. */
-    private need(n: number): void {
-        if (n < 0 || this.pos + n > this.buf.length)
-            throw new Error('crypto: malformed params buffer (truncated)');
-    }
+
     readI32(): number {
         this.need(4);
         const v = this.buf.readInt32LE(this.pos);
         this.pos += 4;
         return v;
     }
+
     readU32(): number {
         this.need(4);
         const v = this.buf.readUInt32LE(this.pos);
         this.pos += 4;
         return v;
     }
+
     readBlob(): Buffer {
         const n = this.readU32();
         this.need(n);
@@ -111,18 +124,34 @@ class ParamReader {
         this.pos += n;
         return s;
     }
+
+    /** Bounds-check before a read so a malformed buffer throws a controlled
+     *  error (trap-equivalent, caught by the dispatcher) rather than a raw
+     *  Node RangeError. */
+    private need(n: number): void {
+        if (n < 0 || this.pos + n > this.buf.length)
+            throw new Error('crypto: malformed params buffer (truncated)');
+    }
 }
 
 function hashName(id: number): string {
     switch (id) {
-        case ALG.SHA1: return 'sha1';
-        case ALG.SHA256: return 'sha256';
-        case ALG.SHA384: return 'sha384';
-        case ALG.SHA512: return 'sha512';
-        case ALG.SHA3_256: return 'sha3-256';
-        case ALG.SHA3_384: return 'sha3-384';
-        case ALG.SHA3_512: return 'sha3-512';
-        default: throw new Error(`crypto: bad hash id ${String(id)}`);
+        case ALG.SHA1:
+            return 'sha1';
+        case ALG.SHA256:
+            return 'sha256';
+        case ALG.SHA384:
+            return 'sha384';
+        case ALG.SHA512:
+            return 'sha512';
+        case ALG.SHA3_256:
+            return 'sha3-256';
+        case ALG.SHA3_384:
+            return 'sha3-384';
+        case ALG.SHA3_512:
+            return 'sha3-512';
+        default:
+            throw new Error(`crypto: bad hash id ${String(id)}`);
     }
 }
 
@@ -151,8 +180,7 @@ export function buildCryptoImports(
 
         'crypto.take_result': (outPtr: number, outLen: number): number => {
             const r = cs.lastResult;
-            if (!r || r.length !== outLen)
-                throw new Error('crypto.take_result: length mismatch');
+            if (!r || r.length !== outLen) throw new Error('crypto.take_result: length mismatch');
             writeBytes(ref, outPtr, r);
             cs.lastResult = null;
             return r.length;
@@ -191,9 +219,15 @@ export function buildCryptoImports(
                 if (e.raw && format === FMT.RAW) return stash(cs, e.raw);
                 if (e.keyObject) {
                     if (format === FMT.PKCS8 && e.isPrivate)
-                        return stash(cs, e.keyObject.export({ format: 'der', type: 'pkcs8' }) as Buffer);
+                        return stash(
+                            cs,
+                            e.keyObject.export({ format: 'der', type: 'pkcs8' }) as Buffer,
+                        );
                     if (format === FMT.SPKI && !e.isPrivate)
-                        return stash(cs, e.keyObject.export({ format: 'der', type: 'spki' }) as Buffer);
+                        return stash(
+                            cs,
+                            e.keyObject.export({ format: 'der', type: 'spki' }) as Buffer,
+                        );
                 }
                 return ERR_UNSUPPORTED;
             } catch {
@@ -210,7 +244,13 @@ export function buildCryptoImports(
             signOp(cs, ref, h, pp, pl, dp, dl),
 
         'crypto.verify': (
-            h: number, pp: number, pl: number, sp: number, sl: number, dp: number, dl: number,
+            h: number,
+            pp: number,
+            pl: number,
+            sp: number,
+            sl: number,
+            dp: number,
+            dl: number,
         ): number => verifyOp(cs, ref, h, pp, pl, sp, sl, dp, dl),
 
         'crypto.derive_bits': (h: number, pp: number, pl: number, lengthBits: number): number =>
@@ -220,10 +260,14 @@ export function buildCryptoImports(
         // host (`mldsa_verify_import.rs`): same size asserts, 1/0/neg result.
         // Backed by the same noble lib the client signs with, so dev == prod.
         'crypto.mldsa_verify': (
-            pkPtr: number, pkLen: number,
-            msgPtr: number, msgLen: number,
-            sigPtr: number, sigLen: number,
-            ctxPtr: number, ctxLen: number,
+            pkPtr: number,
+            pkLen: number,
+            msgPtr: number,
+            msgLen: number,
+            sigPtr: number,
+            sigLen: number,
+            ctxPtr: number,
+            ctxLen: number,
         ): number => {
             if (pkLen !== 1312 || sigLen !== 2420 || ctxLen > 255) return -4;
             try {
@@ -243,8 +287,10 @@ export function buildCryptoImports(
         // the server's static secret key, write it to `outPtr`, return 0 / neg.
         // Backed by the same noble lib the client encapsulates with (dev == prod).
         'crypto.mlkem_decapsulate': (
-            ctPtr: number, ctLen: number,
-            skPtr: number, skLen: number,
+            ctPtr: number,
+            ctLen: number,
+            skPtr: number,
+            skLen: number,
             outPtr: number,
         ): number => {
             if (ctLen !== 1088 || skLen !== 2400) return -4;
@@ -267,9 +313,12 @@ export function buildCryptoImports(
         // `@noble/curves` ristretto255_oprf, which matches the edge byte-for-byte
         // (both RFC 9497), so dev == prod.
         'crypto.voprf_evaluate': (
-            seedPtr: number, seedLen: number,
-            infoPtr: number, infoLen: number,
-            blindedPtr: number, blindedLen: number,
+            seedPtr: number,
+            seedLen: number,
+            infoPtr: number,
+            infoLen: number,
+            blindedPtr: number,
+            blindedLen: number,
             outPtr: number,
         ): number => {
             // seedLen MUST be exactly 32 (RFC 9497 Ns; noble deriveKeyPair rejects
@@ -309,8 +358,13 @@ function importKey(
     try {
         // Symmetric / MAC / KDF: raw bytes.
         if (
-            alg === ALG.AES_GCM || alg === ALG.AES_CBC || alg === ALG.AES_CTR ||
-            alg === ALG.AES_KW || alg === ALG.HMAC || alg === ALG.PBKDF2 || alg === ALG.HKDF
+            alg === ALG.AES_GCM ||
+            alg === ALG.AES_CBC ||
+            alg === ALG.AES_CTR ||
+            alg === ALG.AES_KW ||
+            alg === ALG.HMAC ||
+            alg === ALG.PBKDF2 ||
+            alg === ALG.HKDF
         ) {
             if (format !== FMT.RAW) return ERR_UNSUPPORTED;
             return newEntry({ raw: key, keyObject: null, alg, hash, isPrivate: false });
@@ -339,8 +393,14 @@ function aesAlgName(keyLen: number, mode: 'gcm' | 'cbc' | 'ctr'): string {
 }
 
 function aesOp(
-    cs: CryptoState, ref: MemoryRef, encrypt: boolean,
-    handle: number, pp: number, pl: number, dp: number, dl: number,
+    cs: CryptoState,
+    ref: MemoryRef,
+    encrypt: boolean,
+    handle: number,
+    pp: number,
+    pl: number,
+    dp: number,
+    dl: number,
 ): number {
     const e = cs.keys.get(handle);
     if (!e || !e.raw) throw new Error('crypto: invalid AES key handle');
@@ -356,7 +416,9 @@ function aesOp(
             if (tagBits !== 0 && tagBits !== 128) return ERR_INVALID_PARAMS;
             if (encrypt) {
                 const c = nodeCrypto.createCipheriv(
-                    aesAlgName(e.raw.length, 'gcm'), e.raw, iv,
+                    aesAlgName(e.raw.length, 'gcm'),
+                    e.raw,
+                    iv,
                 ) as nodeCrypto.CipherGCM;
                 if (aad.length) c.setAAD(aad);
                 const ct = Buffer.concat([c.update(data), c.final()]);
@@ -366,7 +428,9 @@ function aesOp(
             // never authenticate.
             if (data.length < 16) return ERR_OPERATION_FAILED;
             const d = nodeCrypto.createDecipheriv(
-                aesAlgName(e.raw.length, 'gcm'), e.raw, iv,
+                aesAlgName(e.raw.length, 'gcm'),
+                e.raw,
+                iv,
             ) as nodeCrypto.DecipherGCM;
             if (aad.length) d.setAAD(aad);
             const tag = data.subarray(data.length - 16);
@@ -395,8 +459,13 @@ function aesOp(
 }
 
 function signOp(
-    cs: CryptoState, ref: MemoryRef,
-    handle: number, pp: number, pl: number, dp: number, dl: number,
+    cs: CryptoState,
+    ref: MemoryRef,
+    handle: number,
+    pp: number,
+    pl: number,
+    dp: number,
+    dl: number,
 ): number {
     const e = cs.keys.get(handle);
     if (!e) throw new Error('crypto.sign: invalid handle');
@@ -426,8 +495,15 @@ function signOp(
 }
 
 function verifyOp(
-    cs: CryptoState, ref: MemoryRef,
-    handle: number, pp: number, pl: number, sp: number, sl: number, dp: number, dl: number,
+    cs: CryptoState,
+    ref: MemoryRef,
+    handle: number,
+    pp: number,
+    pl: number,
+    sp: number,
+    sl: number,
+    dp: number,
+    dl: number,
 ): number {
     const e = cs.keys.get(handle);
     if (!e) throw new Error('crypto.verify: invalid handle');
@@ -442,10 +518,15 @@ function verifyOp(
             return mac.length === sig.length && nodeCrypto.timingSafeEqual(mac, sig) ? 1 : 0;
         }
         if (e.alg === ALG.ECDSA && e.keyObject) {
-            const ok = nodeCrypto.verify(hashName(hash), data, {
-                key: e.keyObject,
-                dsaEncoding: 'ieee-p1363',
-            }, sig);
+            const ok = nodeCrypto.verify(
+                hashName(hash),
+                data,
+                {
+                    key: e.keyObject,
+                    dsaEncoding: 'ieee-p1363',
+                },
+                sig,
+            );
             return ok ? 1 : 0;
         }
         if (e.alg === ALG.ED25519 && e.keyObject) {
@@ -458,8 +539,12 @@ function verifyOp(
 }
 
 function deriveBitsOp(
-    cs: CryptoState, ref: MemoryRef,
-    handle: number, pp: number, pl: number, lengthBits: number,
+    cs: CryptoState,
+    ref: MemoryRef,
+    handle: number,
+    pp: number,
+    pl: number,
+    lengthBits: number,
 ): number {
     if (lengthBits < 0 || lengthBits % 8 !== 0) return ERR_INVALID_PARAMS;
     const outLen = lengthBits / 8;
@@ -473,7 +558,10 @@ function deriveBitsOp(
         if (alg === ALG.PBKDF2 && e.raw) {
             const iterations = pr.readU32();
             const salt = pr.readBlob();
-            return stash(cs, nodeCrypto.pbkdf2Sync(e.raw, salt, iterations, outLen, hashName(hash)));
+            return stash(
+                cs,
+                nodeCrypto.pbkdf2Sync(e.raw, salt, iterations, outLen, hashName(hash)),
+            );
         }
         if (alg === ALG.HKDF && e.raw) {
             const salt = pr.readBlob();
@@ -484,7 +572,8 @@ function deriveBitsOp(
         if ((alg === ALG.ECDH || alg === ALG.X25519) && e.keyObject) {
             const peerHandle = pr.readI32();
             const peer = cs.keys.get(peerHandle);
-            if (!peer || !peer.keyObject) throw new Error('crypto.derive_bits: invalid peer handle');
+            if (!peer || !peer.keyObject)
+                throw new Error('crypto.derive_bits: invalid peer handle');
             const shared = nodeCrypto.diffieHellman({
                 privateKey: e.keyObject,
                 publicKey: peer.keyObject,

package/src/devserver/database.ts

@@ -27,6 +27,37 @@ const MEMBERS = new Map<string, Map<string, Buffer>>();
 const COUNTERS = new Map<string, bigint>();
 /** Events family: `"collection\0key"` -> append-ordered event blobs (oldest first). */
 const EVENTS = new Map<string, Buffer[]>();
+/** Capacity family: `"collection\0key"` -> an escrow ledger (total/holds/confirmed). */
+const CAPACITY = new Map<string, CapLedger>();
+
+/** A finite-resource escrow: a ceiling, in-flight holds, and confirmed consumes. */
+interface CapLedger {
+    total: bigint;
+    confirmed: bigint;
+    holds: Map<bigint, { amount: bigint; expiresMs: number }>;
+    nextId: bigint;
+}
+
+function capLedger(sk: string): CapLedger {
+    let l = CAPACITY.get(sk);
+    if (l === undefined) {
+        l = { total: 0n, confirmed: 0n, holds: new Map(), nextId: 1n };
+        CAPACITY.set(sk, l);
+    }
+    return l;
+}
+
+/** Drop holds whose TTL has elapsed (self-heal, mirrors the edge's now-based prune). */
+function capPrune(l: CapLedger, nowMs: number): void {
+    for (const [id, h] of l.holds) if (h.expiresMs <= nowMs) l.holds.delete(id);
+}
+
+/** Units currently held (un-expired, unconfirmed). */
+function capHeld(l: CapLedger): bigint {
+    let sum = 0n;
+    for (const h of l.holds.values()) sum += h.amount;
+    return sum;
+}
 
 const MAX_NAME = 512;
 const MAX_KEY = 4096;
@@ -81,8 +112,13 @@ export function buildDatabaseImports(
     db: DbDevState,
 ): Record<string, (...args: number[]) => number> {
     return {
-        'data.resolve_collection': (namePtr: number, nameLen: number, outHandlePtr: number): number => {
-            if (nameLen < 0 || nameLen > MAX_NAME) throw new Error('data: collection name too long');
+        'data.resolve_collection': (
+            namePtr: number,
+            nameLen: number,
+            outHandlePtr: number,
+        ): number => {
+            if (nameLen < 0 || nameLen > MAX_NAME)
+                throw new Error('data: collection name too long');
             const name = readCopy(ref, namePtr, nameLen).toString('utf8');
             const handle = db.handles.length;
             db.handles.push(name);
@@ -153,7 +189,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (keyLen > MAX_KEY || valLen > MAX_VALUE) throw new Error('data: key/value too large');
+            if (keyLen > MAX_KEY || valLen > MAX_VALUE)
+                throw new Error('data: key/value too large');
             const sk = storeKey(coll, readCopy(ref, keyPtr, keyLen));
             if (STORE.has(sk)) return PRODUCT_ERR; // AlreadyExists
             STORE.set(sk, readCopy(ref, valPtr, valLen));
@@ -170,7 +207,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (keyLen > MAX_KEY || patchLen > MAX_VALUE) throw new Error('data: key/patch too large');
+            if (keyLen > MAX_KEY || patchLen > MAX_VALUE)
+                throw new Error('data: key/patch too large');
             const sk = storeKey(coll, readCopy(ref, keyPtr, keyLen));
             if (!STORE.has(sk)) return PRODUCT_ERR; // NotFound
             const v = readCopy(ref, patchPtr, patchLen);
@@ -230,7 +268,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (keyLen > MAX_KEY || valLen > MAX_VALUE) throw new Error('data: key/value too large');
+            if (keyLen > MAX_KEY || valLen > MAX_VALUE)
+                throw new Error('data: key/value too large');
             const sk = storeKey(coll, readCopy(ref, keyPtr, keyLen));
             const owner = readCopy(ref, valPtr, valLen);
             const existing = STORE.get(sk);
@@ -287,7 +326,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (setLen > MAX_KEY || memberLen > MAX_VALUE) throw new Error('data: set/member too large');
+            if (setLen > MAX_KEY || memberLen > MAX_VALUE)
+                throw new Error('data: set/member too large');
             const sk = storeKey(coll, readCopy(ref, setPtr, setLen));
             const member = readCopy(ref, memberPtr, memberLen);
             let set = MEMBERS.get(sk);
@@ -310,13 +350,19 @@ export function buildDatabaseImports(
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
             const set = MEMBERS.get(storeKey(coll, readCopy(ref, setPtr, setLen)));
-            if (set !== undefined) set.delete(readCopy(ref, memberPtr, memberLen).toString('latin1'));
+            if (set !== undefined)
+                set.delete(readCopy(ref, memberPtr, memberLen).toString('latin1'));
             return 0;
         },
 
         // Frame the members (sorted by bytes, matching the edge BTreeMap) as
         // `u32 count` + per member `u32 len + bytes`; stash + return the length.
-        'data.membership_list': (handle: number, setPtr: number, setLen: number, limit: number): number => {
+        'data.membership_list': (
+            handle: number,
+            setPtr: number,
+            setLen: number,
+            limit: number,
+        ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
             const set = MEMBERS.get(storeKey(coll, readCopy(ref, setPtr, setLen)));
@@ -434,6 +480,100 @@ export function buildDatabaseImports(
             return out.length;
         },
 
+        // --- capacity family (escrow: set_total / available / reserve / confirm / cancel) ---
+
+        // Set the ceiling (restock / reduce). Job/derive only (kind-gated upstream).
+        // A ceiling is never negative.
+        'data.capacity_set_total': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            total: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            const t = BigInt(total);
+            l.total = satI64(t < 0n ? 0n : t);
+            return 0;
+        },
+
+        // Stash the i64 available (total - confirmed - active holds, floored at 0).
+        'data.capacity_available': (handle: number, keyPtr: number, keyLen: number): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            capPrune(l, Date.now());
+            const avail = l.total - l.confirmed - capHeld(l);
+            const out = Buffer.alloc(8);
+            out.writeBigInt64LE(avail < 0n ? 0n : avail);
+            db.lastResult = out;
+            return out.length;
+        },
+
+        // Hold `amount` for `ttlMs`: stash the u64 reservation id (8 bytes) on
+        // success, or return ABSENT (-2) when there is not enough available (the
+        // guest maps that to reservation 0 = no oversell). `now` is the HOST clock.
+        'data.capacity_reserve': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            amount: number | bigint,
+            ttlMs: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const want = BigInt(amount);
+            if (want <= 0n) return ABSENT;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            const now = Date.now();
+            capPrune(l, now);
+            if (l.total - l.confirmed - capHeld(l) < want) return ABSENT; // never oversell
+            const id = l.nextId++;
+            l.holds.set(id, { amount: want, expiresMs: now + Math.max(0, Number(ttlMs)) });
+            const out = Buffer.alloc(8);
+            out.writeBigUInt64LE(id);
+            db.lastResult = out;
+            return out.length;
+        },
+
+        // Finalize a hold into a permanent consume. 1 if the id was a live hold,
+        // 0 if it was unknown / expired / already settled.
+        'data.capacity_confirm': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            reservationId: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            capPrune(l, Date.now());
+            const h = l.holds.get(BigInt(reservationId));
+            if (h === undefined) return 0;
+            l.holds.delete(BigInt(reservationId));
+            l.confirmed = satI64(l.confirmed + h.amount);
+            return 1;
+        },
+
+        // Release a hold back to available (a confirmed sale cannot be cancelled).
+        'data.capacity_cancel': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            reservationId: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            capPrune(l, Date.now());
+            return l.holds.delete(BigInt(reservationId)) ? 1 : 0;
+        },
+
         // Drain the last stashed variable-length result into the caller buffer.
         'data.take_result': (outPtr: number, outCap: number): number => {
             const v = db.lastResult;
@@ -456,4 +596,5 @@ export function __resetDbForTests(): void {
     MEMBERS.clear();
     COUNTERS.clear();
     EVENTS.clear();
+    CAPACITY.clear();
 }

package/src/devserver/dotenv.ts

@@ -39,7 +39,11 @@ function parseValue(rest: string): string {
  * Parse dotenv text into `plain` (non-reserved) and `reserved` (`TOIL_*`):
  * `KEY=value`, `#` comments, optional `export`, optional surrounding quotes.
  */
-function parseDotenv(text: string, plain: Map<string, string>, reserved: Map<string, string>): void {
+function parseDotenv(
+    text: string,
+    plain: Map<string, string>,
+    reserved: Map<string, string>,
+): void {
     for (const raw of text.split('\n')) {
         let line = raw.trim();
         if (line.length === 0 || line.startsWith('#')) continue;
@@ -53,7 +57,11 @@ function parseDotenv(text: string, plain: Map<string, string>, reserved: Map<str
     }
 }
 
-function readFileInto(file: string, plain: Map<string, string>, reserved: Map<string, string>): void {
+function readFileInto(
+    file: string,
+    plain: Map<string, string>,
+    reserved: Map<string, string>,
+): void {
     try {
         parseDotenv(fs.readFileSync(file, 'utf8'), plain, reserved);
     } catch {