toiljs 0.0.55 → 0.0.57

package/src/devserver/database.ts

@@ -27,6 +27,37 @@ const MEMBERS = new Map<string, Map<string, Buffer>>();
 const COUNTERS = new Map<string, bigint>();
 /** Events family: `"collection\0key"` -> append-ordered event blobs (oldest first). */
 const EVENTS = new Map<string, Buffer[]>();
+/** Capacity family: `"collection\0key"` -> an escrow ledger (total/holds/confirmed). */
+const CAPACITY = new Map<string, CapLedger>();
+
+/** A finite-resource escrow: a ceiling, in-flight holds, and confirmed consumes. */
+interface CapLedger {
+    total: bigint;
+    confirmed: bigint;
+    holds: Map<bigint, { amount: bigint; expiresMs: number }>;
+    nextId: bigint;
+}
+
+function capLedger(sk: string): CapLedger {
+    let l = CAPACITY.get(sk);
+    if (l === undefined) {
+        l = { total: 0n, confirmed: 0n, holds: new Map(), nextId: 1n };
+        CAPACITY.set(sk, l);
+    }
+    return l;
+}
+
+/** Drop holds whose TTL has elapsed (self-heal, mirrors the edge's now-based prune). */
+function capPrune(l: CapLedger, nowMs: number): void {
+    for (const [id, h] of l.holds) if (h.expiresMs <= nowMs) l.holds.delete(id);
+}
+
+/** Units currently held (un-expired, unconfirmed). */
+function capHeld(l: CapLedger): bigint {
+    let sum = 0n;
+    for (const h of l.holds.values()) sum += h.amount;
+    return sum;
+}
 
 const MAX_NAME = 512;
 const MAX_KEY = 4096;
@@ -79,10 +110,15 @@ function collOf(db: DbDevState, handle: number): string | null {
 export function buildDatabaseImports(
     ref: MemoryRef,
     db: DbDevState,
-): Record<string, (...args: number[]) => number> {
+): Record<string, (...args: number[]) => number | bigint> {
     return {
-        'data.resolve_collection': (namePtr: number, nameLen: number, outHandlePtr: number): number => {
-            if (nameLen < 0 || nameLen > MAX_NAME) throw new Error('data: collection name too long');
+        'data.resolve_collection': (
+            namePtr: number,
+            nameLen: number,
+            outHandlePtr: number,
+        ): number => {
+            if (nameLen < 0 || nameLen > MAX_NAME)
+                throw new Error('data: collection name too long');
             const name = readCopy(ref, namePtr, nameLen).toString('utf8');
             const handle = db.handles.length;
             db.handles.push(name);
@@ -153,7 +189,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (keyLen > MAX_KEY || valLen > MAX_VALUE) throw new Error('data: key/value too large');
+            if (keyLen > MAX_KEY || valLen > MAX_VALUE)
+                throw new Error('data: key/value too large');
             const sk = storeKey(coll, readCopy(ref, keyPtr, keyLen));
             if (STORE.has(sk)) return PRODUCT_ERR; // AlreadyExists
             STORE.set(sk, readCopy(ref, valPtr, valLen));
@@ -170,7 +207,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (keyLen > MAX_KEY || patchLen > MAX_VALUE) throw new Error('data: key/patch too large');
+            if (keyLen > MAX_KEY || patchLen > MAX_VALUE)
+                throw new Error('data: key/patch too large');
             const sk = storeKey(coll, readCopy(ref, keyPtr, keyLen));
             if (!STORE.has(sk)) return PRODUCT_ERR; // NotFound
             const v = readCopy(ref, patchPtr, patchLen);
@@ -230,7 +268,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (keyLen > MAX_KEY || valLen > MAX_VALUE) throw new Error('data: key/value too large');
+            if (keyLen > MAX_KEY || valLen > MAX_VALUE)
+                throw new Error('data: key/value too large');
             const sk = storeKey(coll, readCopy(ref, keyPtr, keyLen));
             const owner = readCopy(ref, valPtr, valLen);
             const existing = STORE.get(sk);
@@ -287,7 +326,8 @@ export function buildDatabaseImports(
         ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
-            if (setLen > MAX_KEY || memberLen > MAX_VALUE) throw new Error('data: set/member too large');
+            if (setLen > MAX_KEY || memberLen > MAX_VALUE)
+                throw new Error('data: set/member too large');
             const sk = storeKey(coll, readCopy(ref, setPtr, setLen));
             const member = readCopy(ref, memberPtr, memberLen);
             let set = MEMBERS.get(sk);
@@ -310,13 +350,19 @@ export function buildDatabaseImports(
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
             const set = MEMBERS.get(storeKey(coll, readCopy(ref, setPtr, setLen)));
-            if (set !== undefined) set.delete(readCopy(ref, memberPtr, memberLen).toString('latin1'));
+            if (set !== undefined)
+                set.delete(readCopy(ref, memberPtr, memberLen).toString('latin1'));
             return 0;
         },
 
         // Frame the members (sorted by bytes, matching the edge BTreeMap) as
         // `u32 count` + per member `u32 len + bytes`; stash + return the length.
-        'data.membership_list': (handle: number, setPtr: number, setLen: number, limit: number): number => {
+        'data.membership_list': (
+            handle: number,
+            setPtr: number,
+            setLen: number,
+            limit: number,
+        ): number => {
             const coll = collOf(db, handle);
             if (coll === null) return INVALID_HANDLE;
             const set = MEMBERS.get(storeKey(coll, readCopy(ref, setPtr, setLen)));
@@ -434,6 +480,100 @@ export function buildDatabaseImports(
             return out.length;
         },
 
+        // --- capacity family (escrow: set_total / available / reserve / confirm / cancel) ---
+
+        // Set the ceiling (restock / reduce). Job/derive only (kind-gated upstream).
+        // A ceiling is never negative.
+        'data.capacity_set_total': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            total: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            const t = BigInt(total);
+            l.total = satI64(t < 0n ? 0n : t);
+            return 0;
+        },
+
+        // Stash the i64 available (total - confirmed - active holds, floored at 0).
+        'data.capacity_available': (handle: number, keyPtr: number, keyLen: number): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            capPrune(l, Date.now());
+            const avail = l.total - l.confirmed - capHeld(l);
+            const out = Buffer.alloc(8);
+            out.writeBigInt64LE(avail < 0n ? 0n : avail);
+            db.lastResult = out;
+            return out.length;
+        },
+
+        // Hold `amount` for `ttlMs`: stash the u64 reservation id (8 bytes) on
+        // success, or return ABSENT (-2) when there is not enough available (the
+        // guest maps that to reservation 0 = no oversell). `now` is the HOST clock.
+        'data.capacity_reserve': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            amount: number | bigint,
+            ttlMs: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const want = BigInt(amount);
+            if (want <= 0n) return ABSENT;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            const now = Date.now();
+            capPrune(l, now);
+            if (l.total - l.confirmed - capHeld(l) < want) return ABSENT; // never oversell
+            const id = l.nextId++;
+            l.holds.set(id, { amount: want, expiresMs: now + Math.max(0, Number(ttlMs)) });
+            const out = Buffer.alloc(8);
+            out.writeBigUInt64LE(id);
+            db.lastResult = out;
+            return out.length;
+        },
+
+        // Finalize a hold into a permanent consume. 1 if the id was a live hold,
+        // 0 if it was unknown / expired / already settled.
+        'data.capacity_confirm': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            reservationId: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            capPrune(l, Date.now());
+            const h = l.holds.get(BigInt(reservationId));
+            if (h === undefined) return 0;
+            l.holds.delete(BigInt(reservationId));
+            l.confirmed = satI64(l.confirmed + h.amount);
+            return 1;
+        },
+
+        // Release a hold back to available (a confirmed sale cannot be cancelled).
+        'data.capacity_cancel': (
+            handle: number,
+            keyPtr: number,
+            keyLen: number,
+            reservationId: number | bigint,
+            _idemPtr: number,
+        ): number => {
+            const coll = collOf(db, handle);
+            if (coll === null) return INVALID_HANDLE;
+            const l = capLedger(storeKey(coll, readCopy(ref, keyPtr, keyLen)));
+            capPrune(l, Date.now());
+            return l.holds.delete(BigInt(reservationId)) ? 1 : 0;
+        },
+
         // Drain the last stashed variable-length result into the caller buffer.
         'data.take_result': (outPtr: number, outCap: number): number => {
             const v = db.lastResult;
@@ -446,6 +586,24 @@ export function buildDatabaseImports(
             db.lastResult = null;
             return v.length;
         },
+
+        // `data.result_schema_version() -> i64`: the schema version the last
+        // value-returning read's row was written under, so the guest decoder can
+        // default new fields / reject an unknown layout. The production edge
+        // surfaces the real per-row version; this single-process, single-version
+        // dev store has no historical versions (data is always the current
+        // layout), so it returns -1 ("no version tracked"), which the decoder
+        // treats as "decode with the current layout". An i64 result returns a
+        // BigInt in Node's WASM ABI. (Per-row versions in dev would need catalog
+        // decoding; a follow-up if dev must exercise cross-version decode.)
+        'data.result_schema_version': (): bigint => -1n,
+
+        // `data.write_allowed() -> i32`: 1 if the current call may write. Used by
+        // the rewrite-on-read convergence after a lazy migration. The dev store is
+        // single-version, so result_schema_version always returns -1 and no
+        // migration dispatch ever fires - the convergence write is never reached
+        // here regardless. Returns 1 (the dev store permits writes) for parity.
+        'data.write_allowed': (): number => 1,
     };
 }
 
@@ -456,4 +614,5 @@ export function __resetDbForTests(): void {
     MEMBERS.clear();
     COUNTERS.clear();
     EVENTS.clear();
+    CAPACITY.clear();
 }

package/src/devserver/dotenv.ts

@@ -39,7 +39,11 @@ function parseValue(rest: string): string {
  * Parse dotenv text into `plain` (non-reserved) and `reserved` (`TOIL_*`):
  * `KEY=value`, `#` comments, optional `export`, optional surrounding quotes.
  */
-function parseDotenv(text: string, plain: Map<string, string>, reserved: Map<string, string>): void {
+function parseDotenv(
+    text: string,
+    plain: Map<string, string>,
+    reserved: Map<string, string>,
+): void {
     for (const raw of text.split('\n')) {
         let line = raw.trim();
         if (line.length === 0 || line.startsWith('#')) continue;
@@ -53,7 +57,11 @@ function parseDotenv(text: string, plain: Map<string, string>, reserved: Map<str
     }
 }
 
-function readFileInto(file: string, plain: Map<string, string>, reserved: Map<string, string>): void {
+function readFileInto(
+    file: string,
+    plain: Map<string, string>,
+    reserved: Map<string, string>,
+): void {
     try {
         parseDotenv(fs.readFileSync(file, 'utf8'), plain, reserved);
     } catch {

package/src/devserver/email/config.ts

@@ -94,7 +94,10 @@ export function resolveEmailConfig(
     } else if (providerId === 'gmail' || providerId === 'smtp') {
         provider = 'smtp';
         const isGmail = providerId === 'gmail';
-        const host = envOf(reserved, 'SMTP_HOST') ?? c.smtp?.host?.trim() ?? (isGmail ? 'smtp.gmail.com' : '');
+        const host =
+            envOf(reserved, 'SMTP_HOST') ??
+            c.smtp?.host?.trim() ??
+            (isGmail ? 'smtp.gmail.com' : '');
         if (!host) {
             return { config: null, warning: 'provider `smtp` requires TOIL_EMAIL_SMTP_HOST' };
         }
@@ -102,7 +105,10 @@ export function resolveEmailConfig(
         const user = envOf(reserved, 'SMTP_USER') ?? c.smtp?.user?.trim() ?? from;
         smtp = { host, port, user };
     } else {
-        return { config: null, warning: `unknown email provider "${providerId}" (resend|gmail|smtp)` };
+        return {
+            config: null,
+            warning: `unknown email provider "${providerId}" (resend|gmail|smtp)`,
+        };
     }
 
     return {

package/src/devserver/email/index.ts

@@ -11,11 +11,11 @@
  */
 import { loadEnvFiles } from '../dotenv.js';
 import { EmailCaps } from './caps.js';
-import { resolveEmailConfig, type ResolvedEmailConfig } from './config.js';
-import { sendVia, type OutboundMessage } from './providers.js';
+import { type ResolvedEmailConfig, resolveEmailConfig } from './config.js';
+import { type OutboundMessage, sendVia } from './providers.js';
 import { EmailStatus } from './status.js';
 import { validRecipient } from './validate.js';
-import { parseEmailBlob, type ParsedEmail } from './wire.js';
+import { type ParsedEmail, parseEmailBlob } from './wire.js';
 
 import type { EmailBackendConfig } from 'toiljs/shared';
 

package/src/devserver/email/validate.ts

@@ -17,10 +17,7 @@ export function validRecipient(s: string): boolean {
     if (parts.length !== 2) return false; // not exactly one '@'
     const [local, domain] = parts;
     return (
-        local.length > 0 &&
-        domain.includes('.') &&
-        !domain.startsWith('.') &&
-        !domain.endsWith('.')
+        local.length > 0 && domain.includes('.') && !domain.startsWith('.') && !domain.endsWith('.')
     );
 }
 

package/src/devserver/envelope.ts

@@ -69,15 +69,15 @@ export function encodeRequestEnvelope(req: EnvelopeRequest): Buffer {
     if (path.length > U16_MAX) throw new Error(`path too long: ${String(path.length)} bytes`);
     if (req.headers.length > U16_MAX)
         throw new Error(`too many headers: ${String(req.headers.length)}`);
-    if (req.body.length > U32_MAX) throw new Error(`body too long: ${String(req.body.length)} bytes`);
+    if (req.body.length > U32_MAX)
+        throw new Error(`body too long: ${String(req.body.length)} bytes`);
 
     const headers: { name: Buffer; value: Buffer }[] = [];
     let headersSize = 0;
     for (const [name, value] of req.headers) {
         const n = Buffer.from(name, 'utf8');
         const v = Buffer.from(value, 'utf8');
-        if (n.length > U16_MAX || v.length > U16_MAX)
-            throw new Error(`header too long: ${name}`);
+        if (n.length > U16_MAX || v.length > U16_MAX) throw new Error(`header too long: ${name}`);
         headers.push({ name: n, value: v });
         headersSize += 4 + n.length + v.length;
     }

package/src/devserver/host.ts

@@ -17,8 +17,8 @@
  * `WebAssembly.Instance`, so offering the full surface costs nothing.
  */
 
-import { buildCryptoImports, freshCryptoState, type CryptoState } from './crypto.js';
-import { buildDatabaseImports, freshDbState, type DbDevState } from './database.js';
+import { buildCryptoImports, type CryptoState, freshCryptoState } from './crypto.js';
+import { buildDatabaseImports, type DbDevState, freshDbState } from './database.js';
 import { EmailStatus, getEmailService } from './email/index.js';
 import { parseEmailBlob } from './email/wire.js';
 import { devEnvGet, devEnvGetSecure } from './env.js';
@@ -112,6 +112,34 @@ function readGuestString(ref: MemoryRef, ptr: number): string {
     return m.toString('utf16le', ptr, ptr + byteLen);
 }
 
+/**
+ * Framework auth secrets that, when unset, SILENTLY fall back to a published,
+ * well-known dev default inside the guest (see `server/globals/auth.ts`). Reading
+ * one that is absent means the wasm is about to sign sessions / derive keys under
+ * a value anyone can read off npm, so we surface it. Harmless for local dev; a
+ * deployed node MUST set these out of band (`.env.secrets` / the dashboard).
+ */
+const INSECURE_DEFAULT_SECRETS: Record<string, string> = {
+    AUTH_SESSION_SECRET:
+        'session cookies will be signed with a PUBLISHED key, so anyone can forge one and skip login',
+    AUTH_OPRF_SEED: 'the password OPRF seed will be the published dev value',
+    AUTH_KEM_SK: 'the server ML-KEM secret key will be the published dev value',
+};
+
+/** Warned-once set, keyed by secret name, so a hot path cannot spam the log. */
+const warnedInsecureSecrets = new Set<string>();
+
+/** Warn (once per process) that an absent framework secret falls back to a public default. */
+function warnInsecureSecretFallback(key: string): void {
+    if (warnedInsecureSecrets.has(key)) return;
+    warnedInsecureSecrets.add(key);
+    process.stdout.write(
+        `  ⚠ ${key} is not set: ${INSECURE_DEFAULT_SECRETS[key]}. ` +
+            `Fine for local dev, but a deployed node MUST set it in .env.secrets (or on your deploy target). ` +
+            `Generate one: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"\n`,
+    );
+}
+
 /**
  * Resolve one `Environment.get`/`getSecure` lookup against the dev env source
  * and write it into the guest buffer, with the edge's return protocol: the value
@@ -128,7 +156,10 @@ function envLookup(
 ): number {
     const key = readBytes(ref, keyPtr, keyLen).toString('utf8');
     const val = secure ? devEnvGetSecure(key) : devEnvGet(key);
-    if (val === null) return -2; // ABSENT
+    if (val === null) {
+        if (secure && key in INSECURE_DEFAULT_SECRETS) warnInsecureSecretFallback(key);
+        return -2; // ABSENT
+    }
     const bytes = Buffer.from(val, 'utf8');
     if (bytes.length > outCap) return -1; // TOO_SMALL
     const m = mem(ref);
@@ -158,7 +189,12 @@ export function buildHostImports(ref: MemoryRef, state: DispatchState): WebAssem
                 state.status = code >= 100 && code <= 599 ? code : 500;
             },
 
-            set_header: (namePtr: number, nameLen: number, valPtr: number, valLen: number): void => {
+            set_header: (
+                namePtr: number,
+                nameLen: number,
+                valPtr: number,
+                valLen: number,
+            ): void => {
                 if (nameLen > MAX_HEADER_NAME_LEN)
                     throw new Error(`header name too long: ${String(nameLen)} bytes`);
                 if (valLen > MAX_HEADER_VALUE_LEN)
@@ -228,7 +264,9 @@ export function buildHostImports(ref: MemoryRef, state: DispatchState): WebAssem
                 const svc = getEmailService();
                 if (svc === null) {
                     const to = parseEmailBlob(raw)?.to ?? '<unparsed>';
-                    process.stdout.write(`  ✉ dev email_send -> ${to} (no email config; not sent)\n`);
+                    process.stdout.write(
+                        `  ✉ dev email_send -> ${to} (no email config; not sent)\n`,
+                    );
                     return EmailStatus.Sent;
                 }
                 const { status, parsed } = svc.prepare(raw);
@@ -243,7 +281,9 @@ export function buildHostImports(ref: MemoryRef, state: DispatchState): WebAssem
                         process.stdout.write(`  ✉ dev email_send -> ${parsed.to} (${label})\n`);
                     })
                     .catch((e: unknown) => {
-                        process.stdout.write(`  ✉ dev email_send -> ${parsed.to} (error: ${String(e)})\n`);
+                        process.stdout.write(
+                            `  ✉ dev email_send -> ${parsed.to} (error: ${String(e)})\n`,
+                        );
                     });
                 return EmailStatus.Sent; // optimistic; sync wasm can't await the send
             },

package/src/devserver/index.ts

@@ -22,18 +22,23 @@
 import fs from 'node:fs';
 import path from 'node:path';
 
-import { Server, type Request, type Response } from '@dacely/hyper-express';
+import { type Request, type Response, Server } from '@dacely/hyper-express';
 import pc from 'picocolors';
 
 import type { EmailBackendConfig } from 'toiljs/shared';
 
 import { applyCacheRule, lookupCache } from './cache.js';
 import { initEmailService } from './email/index.js';
-import { METHOD_CODES, type EnvelopeRequest } from './envelope.js';
+import { type EnvelopeRequest, METHOD_CODES } from './envelope.js';
 import { WasmServerModule } from './module.js';
-import { proxyToVite, wireWebsocketProxy, type ViteTarget } from './proxy.js';
+import { proxyToVite, type ViteTarget, wireWebsocketProxy } from './proxy.js';
 
-export { METHOD_CODES, encodeRequestEnvelope, decodeResponseEnvelope, unpackHandleResult } from './envelope.js';
+export {
+    METHOD_CODES,
+    encodeRequestEnvelope,
+    decodeResponseEnvelope,
+    unpackHandleResult,
+} from './envelope.js';
 export type { EnvelopeRequest, EnvelopeResponse } from './envelope.js';
 export { WasmServerModule, WasmAbortError, UNHANDLED_HEADER } from './module.js';
 export type { WasmDispatchResult } from './module.js';
@@ -161,7 +166,10 @@ function sendWasmResponse(
         if (!hasContentType) {
             // The edge defaults file bodies to application/octet-stream; in dev we
             // guess from the extension so a guest-served asset renders in the browser.
-            response.header('content-type', MIME[path.extname(file).toLowerCase()] ?? 'application/octet-stream');
+            response.header(
+                'content-type',
+                MIME[path.extname(file).toLowerCase()] ?? 'application/octet-stream',
+            );
         }
         response.sendFile(file);
         return;
@@ -267,7 +275,8 @@ export async function startDevServer(options: DevServerOptions): Promise<Running
                 // A trap (ToilScript abort, OOB, malformed envelope) is isolated to
                 // this request, exactly like the edge poisoning one instance.
                 process.stdout.write(
-                    pc.red(`  ✗ ${request.method} ${request.path} server error: ${String(e)}`) + '\n',
+                    pc.red(`  ✗ ${request.method} ${request.path} server error: ${String(e)}`) +
+                        '\n',
                 );
                 response.status(500).send('internal error\n');
                 return;

package/src/devserver/module.ts

@@ -16,8 +16,8 @@ import fs from 'node:fs';
 import {
     decodeResponseEnvelope,
     encodeRequestEnvelope,
-    unpackHandleResult,
     type EnvelopeRequest,
+    unpackHandleResult,
 } from './envelope.js';
 import { buildHostImports, freshDispatchState, type MemoryRef } from './host.js';
 
@@ -52,21 +52,60 @@ interface HandleExports {
 
 /** Host functions the dev server provides under `env` (see `host.ts`). */
 const PROVIDED_IMPORTS = new Set([
-    'abort', 'set_status', 'set_header', 'respond_file', 'thread_spawn', 'Date.now',
-    'client_ip', 'ratelimit_check', 'email_send', 'env_get', 'env_get_secure',
+    'abort',
+    'set_status',
+    'set_header',
+    'respond_file',
+    'thread_spawn',
+    'Date.now',
+    'client_ip',
+    'ratelimit_check',
+    'email_send',
+    'env_get',
+    'env_get_secure',
     // Web Crypto host functions (see ./crypto.ts).
-    'crypto.fill_random', 'crypto.random_uuid', 'crypto.take_result', 'crypto.digest',
-    'crypto.import_key', 'crypto.export_key', 'crypto.encrypt', 'crypto.decrypt',
-    'crypto.sign', 'crypto.verify', 'crypto.derive_bits',
-    'crypto.mldsa_verify', 'crypto.mlkem_decapsulate', 'crypto.voprf_evaluate',
+    'crypto.fill_random',
+    'crypto.random_uuid',
+    'crypto.take_result',
+    'crypto.digest',
+    'crypto.import_key',
+    'crypto.export_key',
+    'crypto.encrypt',
+    'crypto.decrypt',
+    'crypto.sign',
+    'crypto.verify',
+    'crypto.derive_bits',
+    'crypto.mldsa_verify',
+    'crypto.mlkem_decapsulate',
+    'crypto.voprf_evaluate',
     // ToilDB data API (see ./database.ts). Backed by ScyllaDB on the production
     // edge; backs the auth example's accounts + login challenges in dev.
-    'data.resolve_collection', 'data.get', 'data.get_many', 'data.exists', 'data.create',
-    'data.patch', 'data.delete', 'data.get_delete',
-    'data.unique_lookup', 'data.unique_claim', 'data.unique_release',
-    'data.view_get', 'data.view_publish',
-    'data.membership_contains', 'data.membership_add', 'data.membership_remove', 'data.membership_list',
-    'data.counter_get', 'data.counter_add', 'data.append', 'data.latest',
+    'data.resolve_collection',
+    'data.get',
+    'data.get_many',
+    'data.exists',
+    'data.create',
+    'data.patch',
+    'data.delete',
+    'data.get_delete',
+    'data.unique_lookup',
+    'data.unique_claim',
+    'data.unique_release',
+    'data.view_get',
+    'data.view_publish',
+    'data.membership_contains',
+    'data.membership_add',
+    'data.membership_remove',
+    'data.membership_list',
+    'data.counter_get',
+    'data.counter_add',
+    'data.append',
+    'data.latest',
+    'data.capacity_set_total',
+    'data.capacity_available',
+    'data.capacity_reserve',
+    'data.capacity_confirm',
+    'data.capacity_cancel',
     'data.take_result',
 ]);
 
@@ -204,7 +243,10 @@ export class WasmServerModule {
     /** Fail instantiation up front, with names, when the guest needs imports we do not provide. */
     private assertImportSurface(module: WebAssembly.Module): void {
         const missing = WebAssembly.Module.imports(module)
-            .filter((i) => i.kind === 'function' && (i.module !== 'env' || !PROVIDED_IMPORTS.has(i.name)))
+            .filter(
+                (i) =>
+                    i.kind === 'function' && (i.module !== 'env' || !PROVIDED_IMPORTS.has(i.name)),
+            )
             .map((i) => `${i.module}.${i.name}`);
         if (missing.length > 0)
             throw new Error(

package/src/devserver/proxy.ts

@@ -6,12 +6,7 @@
  * websocket through Node's built-in `WebSocket` client, both loopback-only.
  */
 
-import {
-    type Request,
-    type Response,
-    type Server,
-    type Websocket,
-} from '@dacely/hyper-express';
+import { type Request, type Response, type Server, type Websocket } from '@dacely/hyper-express';
 
 /** Where the internal Vite dev server listens (always loopback). */
 export interface ViteTarget {
@@ -151,7 +146,10 @@ export function wireWebsocketProxy(app: Server, target: ViteTarget): void {
                 else pending.push(m);
             });
             ws.on('close', () => {
-                if (upstream.readyState === WebSocket.OPEN || upstream.readyState === WebSocket.CONNECTING) {
+                if (
+                    upstream.readyState === WebSocket.OPEN ||
+                    upstream.readyState === WebSocket.CONNECTING
+                ) {
                     upstream.close();
                 }
             });