npm - trellis - Versions diffs - 2.1.7 → 3.0.2 - Mend

trellis 2.1.7 → 3.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (346) hide show

package/README.md +65 -706
package/dist/cli/index.d.ts +16 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +3188 -232
package/dist/client/config.d.ts +56 -0
package/dist/client/config.d.ts.map +1 -0
package/dist/client/index.d.ts +15 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +32 -0
package/dist/client/sdk.d.ts +152 -0
package/dist/client/sdk.d.ts.map +1 -0
package/dist/config-8hczw0rs.js +20 -0
package/dist/context/heat-map-manager.d.ts +100 -0
package/dist/context/heat-map-manager.d.ts.map +1 -0
package/dist/context/manager.d.ts +16 -0
package/dist/context/manager.d.ts.map +1 -0
package/dist/context/types.d.ts +20 -0
package/dist/context/types.d.ts.map +1 -0
package/dist/core/agents/harness.d.ts +58 -0
package/dist/core/agents/harness.d.ts.map +1 -0
package/dist/core/agents/index.d.ts +8 -0
package/dist/core/agents/index.d.ts.map +1 -0
package/dist/core/agents/types.d.ts +79 -0
package/dist/core/agents/types.d.ts.map +1 -0
package/dist/core/computation/expr-evaluator.d.ts +52 -0
package/dist/core/computation/expr-evaluator.d.ts.map +1 -0
package/dist/core/index.d.ts +25 -0
package/dist/core/index.d.ts.map +1 -0
package/dist/core/index.js +105 -11
package/dist/core/kernel/logic-middleware.d.ts +19 -0
package/dist/core/kernel/logic-middleware.d.ts.map +1 -0
package/dist/core/kernel/middleware.d.ts +28 -0
package/dist/core/kernel/middleware.d.ts.map +1 -0
package/dist/core/kernel/schema-middleware.d.ts +15 -0
package/dist/core/kernel/schema-middleware.d.ts.map +1 -0
package/dist/core/kernel/security-middleware.d.ts +24 -0
package/dist/core/kernel/security-middleware.d.ts.map +1 -0
package/dist/core/kernel/sync-provider.d.ts +59 -0
package/dist/core/kernel/sync-provider.d.ts.map +1 -0
package/dist/core/kernel/trellis-kernel.d.ts +217 -0
package/dist/core/kernel/trellis-kernel.d.ts.map +1 -0
package/dist/core/ontology/builtins.d.ts +16 -0
package/dist/core/ontology/builtins.d.ts.map +1 -0
package/dist/core/ontology/core-ontology.d.ts +20 -0
package/dist/core/ontology/core-ontology.d.ts.map +1 -0
package/dist/core/ontology/index.d.ts +12 -0
package/dist/core/ontology/index.d.ts.map +1 -0
package/dist/core/ontology/registry.d.ts +70 -0
package/dist/core/ontology/registry.d.ts.map +1 -0
package/dist/core/ontology/types.d.ts +201 -0
package/dist/core/ontology/types.d.ts.map +1 -0
package/dist/core/ontology/validator.d.ts +34 -0
package/dist/core/ontology/validator.d.ts.map +1 -0
package/dist/core/persist/backend.d.ts +62 -0
package/dist/core/persist/backend.d.ts.map +1 -0
package/dist/core/persist/better-sqlite-backend.d.ts +33 -0
package/dist/core/persist/better-sqlite-backend.d.ts.map +1 -0
package/dist/core/persist/sqlite-backend.d.ts +43 -0
package/dist/core/persist/sqlite-backend.d.ts.map +1 -0
package/dist/core/plugins/index.d.ts +8 -0
package/dist/core/plugins/index.d.ts.map +1 -0
package/dist/core/plugins/registry.d.ts +69 -0
package/dist/core/plugins/registry.d.ts.map +1 -0
package/dist/core/plugins/types.d.ts +87 -0
package/dist/core/plugins/types.d.ts.map +1 -0
package/dist/core/query/datalog.d.ts +52 -0
package/dist/core/query/datalog.d.ts.map +1 -0
package/dist/core/query/engine.d.ts +42 -0
package/dist/core/query/engine.d.ts.map +1 -0
package/dist/core/query/index.d.ts +12 -0
package/dist/core/query/index.d.ts.map +1 -0
package/dist/core/query/parser.d.ts +37 -0
package/dist/core/query/parser.d.ts.map +1 -0
package/dist/core/query/types.d.ts +135 -0
package/dist/core/query/types.d.ts.map +1 -0
package/dist/core/store/eav-store.d.ts +111 -0
package/dist/core/store/eav-store.d.ts.map +1 -0
package/dist/db/index.d.ts +18 -0
package/dist/db/index.d.ts.map +1 -0
package/dist/db/index.js +85 -0
package/dist/db/inspector.js +28 -0
package/dist/db/trellis.css +1 -0
package/dist/decisions/auto-capture.d.ts +31 -0
package/dist/decisions/auto-capture.d.ts.map +1 -0
package/dist/decisions/hooks.d.ts +48 -0
package/dist/decisions/hooks.d.ts.map +1 -0
package/dist/decisions/index.d.ts +36 -0
package/dist/decisions/index.d.ts.map +1 -0
package/dist/decisions/types.d.ts +73 -0
package/dist/decisions/types.d.ts.map +1 -0
package/dist/deploy-999q207z.js +10 -0
package/dist/embeddings/auto-embed.d.ts +52 -0
package/dist/embeddings/auto-embed.d.ts.map +1 -0
package/dist/embeddings/chunker.d.ts +73 -0
package/dist/embeddings/chunker.d.ts.map +1 -0
package/dist/embeddings/index.d.ts +18 -0
package/dist/embeddings/index.d.ts.map +1 -0
package/dist/embeddings/model.d.ts +30 -0
package/dist/embeddings/model.d.ts.map +1 -0
package/dist/embeddings/search.d.ts +87 -0
package/dist/embeddings/search.d.ts.map +1 -0
package/dist/embeddings/store.d.ts +66 -0
package/dist/embeddings/store.d.ts.map +1 -0
package/dist/embeddings/types.d.ts +54 -0
package/dist/embeddings/types.d.ts.map +1 -0
package/dist/engine-y0724kjq.js +8 -0
package/dist/engine.d.ts +218 -0
package/dist/engine.d.ts.map +1 -0
package/dist/evals/types.d.ts +29 -0
package/dist/evals/types.d.ts.map +1 -0
package/dist/garden/cluster.d.ts +57 -0
package/dist/garden/cluster.d.ts.map +1 -0
package/dist/garden/garden.d.ts +104 -0
package/dist/garden/garden.d.ts.map +1 -0
package/dist/garden/index.d.ts +15 -0
package/dist/garden/index.d.ts.map +1 -0
package/dist/git/git-exporter.d.ts +37 -0
package/dist/git/git-exporter.d.ts.map +1 -0
package/dist/git/git-importer.d.ts +36 -0
package/dist/git/git-importer.d.ts.map +1 -0
package/dist/git/git-reader.d.ts +63 -0
package/dist/git/git-reader.d.ts.map +1 -0
package/dist/git/index.d.ts +10 -0
package/dist/git/index.d.ts.map +1 -0
package/dist/identity/governance.d.ts +54 -0
package/dist/identity/governance.d.ts.map +1 -0
package/dist/identity/identity.d.ts +63 -0
package/dist/identity/identity.d.ts.map +1 -0
package/dist/identity/index.d.ts +10 -0
package/dist/identity/index.d.ts.map +1 -0
package/dist/identity/signing-middleware.d.ts +38 -0
package/dist/identity/signing-middleware.d.ts.map +1 -0
package/dist/import-s2b8e0ft.js +11 -0
package/dist/{index-3ejh8k6v.js → index-0q7wbasy.js} +18 -4
package/dist/index-0zk3fx2s.js +1004 -0
package/dist/index-2r4jxwnb.js +32 -0
package/dist/index-6n5dcebj.js +847 -0
package/dist/index-7e27kvvj.js +292 -0
package/dist/index-bmyt7k8n.js +90 -0
package/dist/index-c9h37r6h.js +1 -0
package/dist/{index-k5kf7sd0.js → index-hmdbnd4n.js} +1 -1
package/dist/index-k5b0xskw.js +1 -0
package/dist/index-n9f2qyh5.js +495 -0
package/dist/{index-22jx9qsz.js → index-q31hfjja.js} +861 -51
package/dist/index-skhn0agf.js +155 -0
package/dist/{index-5m0g9r0y.js → index-w7ng765c.js} +4 -497
package/dist/index-wt8rz4gn.js +132 -0
package/dist/index-xzym9w0m.js +43 -0
package/dist/index-y3d71wzd.js +77 -0
package/dist/index-y6a4kj0p.js +43 -0
package/dist/index-yhwjgfvj.js +342 -0
package/dist/index-yp88he8n.js +316 -0
package/dist/index.d.ts +25 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +21 -9
package/dist/links/index.d.ts +16 -0
package/dist/links/index.d.ts.map +1 -0
package/dist/links/lifecycle.d.ts +112 -0
package/dist/links/lifecycle.d.ts.map +1 -0
package/dist/links/parser.d.ts +56 -0
package/dist/links/parser.d.ts.map +1 -0
package/dist/links/ref-index.d.ts +55 -0
package/dist/links/ref-index.d.ts.map +1 -0
package/dist/links/resolver.d.ts +90 -0
package/dist/links/resolver.d.ts.map +1 -0
package/dist/links/types.d.ts +70 -0
package/dist/links/types.d.ts.map +1 -0
package/dist/llm/provider.d.ts +11 -0
package/dist/llm/provider.d.ts.map +1 -0
package/dist/llm/types.d.ts +74 -0
package/dist/llm/types.d.ts.map +1 -0
package/dist/mcp/docs.d.ts +18 -0
package/dist/mcp/docs.d.ts.map +1 -0
package/dist/mcp/index.d.ts +15 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/server.d.ts +26 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/orchestration/types.d.ts +22 -0
package/dist/orchestration/types.d.ts.map +1 -0
package/dist/plugins/agent-memory/graph-context-manager.d.ts +75 -0
package/dist/plugins/agent-memory/graph-context-manager.d.ts.map +1 -0
package/dist/plugins/agent-memory/index.d.ts +30 -0
package/dist/plugins/agent-memory/index.d.ts.map +1 -0
package/dist/plugins/agent-memory/ontology.d.ts +13 -0
package/dist/plugins/agent-memory/ontology.d.ts.map +1 -0
package/dist/plugins/agent-memory/plugin.d.ts +17 -0
package/dist/plugins/agent-memory/plugin.d.ts.map +1 -0
package/dist/plugins/brand/cache.d.ts +18 -0
package/dist/plugins/brand/cache.d.ts.map +1 -0
package/dist/plugins/brand/catalog-generator.d.ts +89 -0
package/dist/plugins/brand/catalog-generator.d.ts.map +1 -0
package/dist/plugins/brand/constraints.d.ts +55 -0
package/dist/plugins/brand/constraints.d.ts.map +1 -0
package/dist/plugins/brand/index.d.ts +44 -0
package/dist/plugins/brand/index.d.ts.map +1 -0
package/dist/plugins/brand/mcp-tools.d.ts +101 -0
package/dist/plugins/brand/mcp-tools.d.ts.map +1 -0
package/dist/plugins/brand/ontology.d.ts +13 -0
package/dist/plugins/brand/ontology.d.ts.map +1 -0
package/dist/plugins/brand/plugin.d.ts +21 -0
package/dist/plugins/brand/plugin.d.ts.map +1 -0
package/dist/plugins/brand/voice-tone.d.ts +24 -0
package/dist/plugins/brand/voice-tone.d.ts.map +1 -0
package/dist/plugins/idea-garden/api.d.ts +26 -0
package/dist/plugins/idea-garden/api.d.ts.map +1 -0
package/dist/plugins/idea-garden/index.d.ts +12 -0
package/dist/plugins/idea-garden/index.d.ts.map +1 -0
package/dist/plugins/idea-garden/plugin.d.ts +16 -0
package/dist/plugins/idea-garden/plugin.d.ts.map +1 -0
package/dist/plugins/idea-garden/types.d.ts +22 -0
package/dist/plugins/idea-garden/types.d.ts.map +1 -0
package/dist/plugins/plan-approval/index.d.ts +36 -0
package/dist/plugins/plan-approval/index.d.ts.map +1 -0
package/dist/plugins/plan-approval/ontology.d.ts +11 -0
package/dist/plugins/plan-approval/ontology.d.ts.map +1 -0
package/dist/plugins/plan-approval/plan-manager.d.ts +104 -0
package/dist/plugins/plan-approval/plan-manager.d.ts.map +1 -0
package/dist/plugins/plan-approval/plugin.d.ts +110 -0
package/dist/plugins/plan-approval/plugin.d.ts.map +1 -0
package/dist/plugins/proactive-watcher/index.d.ts +28 -0
package/dist/plugins/proactive-watcher/index.d.ts.map +1 -0
package/dist/plugins/proactive-watcher/ontology.d.ts +8 -0
package/dist/plugins/proactive-watcher/ontology.d.ts.map +1 -0
package/dist/plugins/proactive-watcher/plugin.d.ts +20 -0
package/dist/plugins/proactive-watcher/plugin.d.ts.map +1 -0
package/dist/plugins/proactive-watcher/watcher-manager.d.ts +36 -0
package/dist/plugins/proactive-watcher/watcher-manager.d.ts.map +1 -0
package/dist/plugins/sprite-tools/checkpoint-middleware.d.ts +43 -0
package/dist/plugins/sprite-tools/checkpoint-middleware.d.ts.map +1 -0
package/dist/plugins/sprite-tools/index.d.ts +40 -0
package/dist/plugins/sprite-tools/index.d.ts.map +1 -0
package/dist/plugins/sprite-tools/plugin.d.ts +69 -0
package/dist/plugins/sprite-tools/plugin.d.ts.map +1 -0
package/dist/react/index.js +189 -0
package/dist/scaffold/index.d.ts +13 -0
package/dist/scaffold/index.d.ts.map +1 -0
package/dist/scaffold/infer.d.ts +42 -0
package/dist/scaffold/infer.d.ts.map +1 -0
package/dist/scaffold/profile.d.ts +51 -0
package/dist/scaffold/profile.d.ts.map +1 -0
package/dist/scaffold/seed.d.ts +27 -0
package/dist/scaffold/seed.d.ts.map +1 -0
package/dist/scaffold/write.d.ts +53 -0
package/dist/scaffold/write.d.ts.map +1 -0
package/dist/sdk-snn5gad3.js +15 -0
package/dist/semantic/csharp-parser.d.ts +12 -0
package/dist/semantic/csharp-parser.d.ts.map +1 -0
package/dist/semantic/go-parser.d.ts +12 -0
package/dist/semantic/go-parser.d.ts.map +1 -0
package/dist/semantic/index.d.ts +22 -0
package/dist/semantic/index.d.ts.map +1 -0
package/dist/semantic/java-parser.d.ts +12 -0
package/dist/semantic/java-parser.d.ts.map +1 -0
package/dist/semantic/python-parser.d.ts +12 -0
package/dist/semantic/python-parser.d.ts.map +1 -0
package/dist/semantic/ruby-parser.d.ts +12 -0
package/dist/semantic/ruby-parser.d.ts.map +1 -0
package/dist/semantic/rust-parser.d.ts +12 -0
package/dist/semantic/rust-parser.d.ts.map +1 -0
package/dist/semantic/semantic-merge.d.ts +20 -0
package/dist/semantic/semantic-merge.d.ts.map +1 -0
package/dist/semantic/ts-parser.d.ts +13 -0
package/dist/semantic/ts-parser.d.ts.map +1 -0
package/dist/semantic/types.d.ts +130 -0
package/dist/semantic/types.d.ts.map +1 -0
package/dist/server/auth.d.ts +72 -0
package/dist/server/auth.d.ts.map +1 -0
package/dist/server/deploy.d.ts +44 -0
package/dist/server/deploy.d.ts.map +1 -0
package/dist/server/import.d.ts +40 -0
package/dist/server/import.d.ts.map +1 -0
package/dist/server/index.d.ts +26 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +90 -0
package/dist/server/permissions.d.ts +84 -0
package/dist/server/permissions.d.ts.map +1 -0
package/dist/server/realtime.d.ts +78 -0
package/dist/server/realtime.d.ts.map +1 -0
package/dist/server/server.d.ts +43 -0
package/dist/server/server.d.ts.map +1 -0
package/dist/server/sprites.d.ts +26 -0
package/dist/server/sprites.d.ts.map +1 -0
package/dist/server/tenancy.d.ts +53 -0
package/dist/server/tenancy.d.ts.map +1 -0
package/dist/server/vm-config.d.ts +60 -0
package/dist/server/vm-config.d.ts.map +1 -0
package/dist/server-mrctdwzr.js +11 -0
package/dist/sprites-vc4qbrp1.js +16 -0
package/dist/streaming/types.d.ts +43 -0
package/dist/streaming/types.d.ts.map +1 -0
package/dist/sync/http-transport.d.ts +47 -0
package/dist/sync/http-transport.d.ts.map +1 -0
package/dist/sync/index.d.ts +22 -0
package/dist/sync/index.d.ts.map +1 -0
package/dist/sync/memory-transport.d.ts +27 -0
package/dist/sync/memory-transport.d.ts.map +1 -0
package/dist/sync/multi-repo.d.ts +82 -0
package/dist/sync/multi-repo.d.ts.map +1 -0
package/dist/sync/reconciler.d.ts +48 -0
package/dist/sync/reconciler.d.ts.map +1 -0
package/dist/sync/sync-engine.d.ts +65 -0
package/dist/sync/sync-engine.d.ts.map +1 -0
package/dist/sync/types.d.ts +71 -0
package/dist/sync/types.d.ts.map +1 -0
package/dist/sync/ws-transport.d.ts +41 -0
package/dist/sync/ws-transport.d.ts.map +1 -0
package/dist/tenancy-7d1g4ayp.js +13 -0
package/dist/ui/client.html +460 -664
package/dist/ui/server.d.ts +42 -0
package/dist/ui/server.d.ts.map +1 -0
package/dist/vcs/blob-store.d.ts +49 -0
package/dist/vcs/blob-store.d.ts.map +1 -0
package/dist/vcs/branch.d.ts +35 -0
package/dist/vcs/branch.d.ts.map +1 -0
package/dist/vcs/checkpoint.d.ts +24 -0
package/dist/vcs/checkpoint.d.ts.map +1 -0
package/dist/vcs/decompose.d.ts +19 -0
package/dist/vcs/decompose.d.ts.map +1 -0
package/dist/vcs/diff.d.ts +65 -0
package/dist/vcs/diff.d.ts.map +1 -0
package/dist/vcs/engine-context.d.ts +21 -0
package/dist/vcs/engine-context.d.ts.map +1 -0
package/dist/vcs/index.d.ts +23 -0
package/dist/vcs/index.d.ts.map +1 -0
package/dist/vcs/index.js +2 -2
package/dist/vcs/issue.d.ts +159 -0
package/dist/vcs/issue.d.ts.map +1 -0
package/dist/vcs/merge.d.ts +55 -0
package/dist/vcs/merge.d.ts.map +1 -0
package/dist/vcs/milestone.d.ts +30 -0
package/dist/vcs/milestone.d.ts.map +1 -0
package/dist/vcs/ops.d.ts +27 -0
package/dist/vcs/ops.d.ts.map +1 -0
package/dist/vcs/types.d.ts +95 -0
package/dist/vcs/types.d.ts.map +1 -0
package/dist/vcs/vcs-middleware.d.ts +14 -0
package/dist/vcs/vcs-middleware.d.ts.map +1 -0
package/dist/vm-config-6xhsj6b3.js +22 -0
package/dist/watcher/fs-watcher.d.ts +51 -0
package/dist/watcher/fs-watcher.d.ts.map +1 -0
package/dist/watcher/index.d.ts +9 -0
package/dist/watcher/index.d.ts.map +1 -0
package/dist/watcher/ingestion.d.ts +28 -0
package/dist/watcher/ingestion.d.ts.map +1 -0
package/package.json +57 -7
package/dist/index-hybgxe40.js +0 -1174

package/dist/index-6n5dcebj.js ADDED Viewed

@@ -0,0 +1,847 @@
+// @bun
+import {
+  parseSimple
+} from "./index-n9f2qyh5.js";
+import {
+  QueryEngine
+} from "./index-yp88he8n.js";
+// src/server/server.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+// src/server/auth.ts
+var ANONYMOUS = {
+  userId: null,
+  tenantId: null,
+  roles: [],
+  claims: {},
+  authenticated: false
+};
+function base64UrlEncode(input) {
+  return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(input) {
+  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padLen = (4 - padded.length % 4) % 4;
+  const base64 = padded + "=".repeat(padLen);
+  const binary = atob(base64);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+async function hmacKey(secret) {
+  return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
+}
+async function signJwt(payload, secret, expiresInSeconds = 86400) {
+  const header = { alg: "HS256", typ: "JWT" };
+  const now = Math.floor(Date.now() / 1000);
+  const claims = { iat: now, exp: now + expiresInSeconds, ...payload };
+  const enc = new TextEncoder;
+  const headerB64 = base64UrlEncode(enc.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(enc.encode(JSON.stringify(claims)));
+  const signing = `${headerB64}.${payloadB64}`;
+  const key = await hmacKey(secret);
+  const sig = await crypto.subtle.sign("HMAC", key, enc.encode(signing));
+  const sigB64 = base64UrlEncode(new Uint8Array(sig));
+  return `${signing}.${sigB64}`;
+}
+async function verifyJwt(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3)
+    return null;
+  const [headerB64, payloadB64, sigB64] = parts;
+  const enc = new TextEncoder;
+  const signing = `${headerB64}.${payloadB64}`;
+  try {
+    const key = await hmacKey(secret);
+    const sigRaw = base64UrlDecode(sigB64);
+    const sigBuf = sigRaw.buffer.slice(sigRaw.byteOffset, sigRaw.byteOffset + sigRaw.byteLength);
+    const valid = await crypto.subtle.verify("HMAC", key, sigBuf, enc.encode(signing));
+    if (!valid)
+      return null;
+    const claims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    const now = Math.floor(Date.now() / 1000);
+    if (typeof claims.exp === "number" && claims.exp < now)
+      return null;
+    return claims;
+  } catch {
+    return null;
+  }
+}
+async function resolveAuth(authHeader, config) {
+  if (!authHeader) {
+    return config.allowPublic === false ? { ...ANONYMOUS, authenticated: false } : ANONYMOUS;
+  }
+  const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : authHeader;
+  if (config.apiKey && token === config.apiKey) {
+    return {
+      userId: "service",
+      tenantId: null,
+      roles: ["admin"],
+      claims: { sub: "service" },
+      authenticated: true
+    };
+  }
+  if (config.jwtSecret) {
+    const claims = await verifyJwt(token, config.jwtSecret);
+    if (claims) {
+      return {
+        userId: claims.sub ?? null,
+        tenantId: claims.tenantId ?? null,
+        roles: Array.isArray(claims.roles) ? claims.roles : typeof claims.role === "string" ? [claims.role] : [],
+        claims,
+        authenticated: true
+      };
+    }
+  }
+  return ANONYMOUS;
+}
+var GOOGLE_PROVIDER = {
+  name: "google",
+  authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+  tokenUrl: "https://oauth2.googleapis.com/token",
+  userInfoUrl: "https://www.googleapis.com/oauth2/v3/userinfo",
+  scopes: ["openid", "email", "profile"]
+};
+var GITHUB_PROVIDER = {
+  name: "github",
+  authUrl: "https://github.com/login/oauth/authorize",
+  tokenUrl: "https://github.com/login/oauth/access_token",
+  userInfoUrl: "https://api.github.com/user",
+  scopes: ["read:user", "user:email"]
+};
+function buildOAuthUrl(provider, redirectUri, state) {
+  const params = new URLSearchParams({
+    client_id: provider.clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: provider.scopes.join(" "),
+    state
+  });
+  return `${provider.authUrl}?${params}`;
+}
+async function exchangeOAuthCode(provider, code, redirectUri) {
+  const tokenRes = await fetch(provider.tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: new URLSearchParams({
+      client_id: provider.clientId,
+      client_secret: provider.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      grant_type: "authorization_code"
+    })
+  });
+  if (!tokenRes.ok) {
+    throw new Error(`OAuth token exchange failed: ${tokenRes.status}`);
+  }
+  const tokenData = await tokenRes.json();
+  const accessToken = tokenData.access_token;
+  const userRes = await fetch(provider.userInfoUrl, {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: "application/json"
+    }
+  });
+  if (!userRes.ok) {
+    throw new Error(`OAuth user info fetch failed: ${userRes.status}`);
+  }
+  const user = await userRes.json();
+  return {
+    id: String(user.id ?? user.sub ?? ""),
+    email: String(user.email ?? ""),
+    name: String(user.name ?? user.login ?? ""),
+    avatarUrl: user.picture ?? user.avatar_url ?? undefined
+  };
+}
+// src/server/permissions.ts
+class PermissionRegistry {
+  rules = new Map;
+  defaultRule = "authenticated";
+  register(entityType, permissions) {
+    this.rules.set(entityType, permissions);
+  }
+  setDefault(rule) {
+    this.defaultRule = rule;
+  }
+  getRule(entityType, op) {
+    const def = this.rules.get(entityType);
+    return def?.[op] ?? this.defaultRule;
+  }
+  check(auth, entityType, op, entity = null) {
+    const rule = this.getRule(entityType, op);
+    return evaluateRule(rule, auth, entity);
+  }
+  assert(auth, entityType, op, entity = null) {
+    if (!this.check(auth, entityType, op, entity)) {
+      throw new PermissionError(auth, entityType, op);
+    }
+  }
+}
+function evaluateRule(rule, auth, entity) {
+  if (rule === "public") {
+    return true;
+  }
+  if (rule === "authenticated") {
+    return auth.authenticated;
+  }
+  if (rule === "own") {
+    if (!auth.authenticated || !auth.userId)
+      return false;
+    const ownerFact = entity?.facts.find((f) => f.a === "ownerId" || f.a === "createdBy");
+    return ownerFact?.v === auth.userId;
+  }
+  if (typeof rule === "object") {
+    if ("role" in rule) {
+      return auth.roles.includes(rule.role);
+    }
+    if ("roles" in rule) {
+      return rule.roles.some((r) => auth.roles.includes(r));
+    }
+    if ("fn" in rule) {
+      try {
+        return rule.fn(auth, entity);
+      } catch {
+        return false;
+      }
+    }
+  }
+  return false;
+}
+class PermissionError extends Error {
+  auth;
+  entityType;
+  op;
+  constructor(auth, entityType, op) {
+    const who = auth.authenticated ? `user:${auth.userId}` : "anonymous";
+    super(`Permission denied: ${who} cannot ${op} ${entityType}`);
+    this.auth = auth;
+    this.entityType = entityType;
+    this.op = op;
+    this.name = "PermissionError";
+  }
+  toResponse() {
+    return {
+      error: "Forbidden",
+      message: this.message,
+      code: 403
+    };
+  }
+}
+var PUBLIC_READ = {
+  read: "public",
+  create: "authenticated",
+  update: "authenticated",
+  delete: "authenticated"
+};
+var FULLY_PUBLIC = {
+  read: "public",
+  create: "public",
+  update: "public",
+  delete: "public"
+};
+var OWNER_ONLY = {
+  read: "own",
+  create: "authenticated",
+  update: "own",
+  delete: "own"
+};
+var ADMIN_ONLY = {
+  read: { role: "admin" },
+  create: { role: "admin" },
+  update: { role: "admin" },
+  delete: { role: "admin" }
+};
+// src/server/realtime.ts
+class SubscriptionManager {
+  clients = new Map;
+  pool;
+  permissions;
+  constructor(pool, permissions = null) {
+    this.pool = pool;
+    this.permissions = permissions;
+  }
+  addClient(clientId, ws, auth, tenantId) {
+    this.clients.set(clientId, {
+      id: clientId,
+      ws,
+      subscriptions: new Map,
+      auth,
+      tenantId
+    });
+  }
+  removeClient(clientId) {
+    this.clients.delete(clientId);
+  }
+  async handleMessage(clientId, raw) {
+    const client = this.clients.get(clientId);
+    if (!client)
+      return;
+    let msg;
+    try {
+      msg = JSON.parse(raw);
+    } catch {
+      this._send(client, { type: "error", id: "", message: "Invalid JSON" });
+      return;
+    }
+    if (msg.type === "ping") {
+      this._send(client, { type: "pong" });
+      return;
+    }
+    if (msg.type === "subscribe") {
+      await this._handleSubscribe(client, msg.id, msg.query, msg.tenantId);
+      return;
+    }
+    if (msg.type === "unsubscribe") {
+      client.subscriptions.delete(msg.id);
+      return;
+    }
+  }
+  async notify(tenantId) {
+    const tid = tenantId ?? null;
+    const dead = [];
+    for (const [clientId, client] of this.clients) {
+      if (client.ws.readyState !== 1) {
+        dead.push(clientId);
+        continue;
+      }
+      if (client.tenantId !== tid)
+        continue;
+      for (const [subId, sub] of client.subscriptions) {
+        if (sub.tenantId !== tid)
+          continue;
+        await this._pushUpdate(client, sub);
+      }
+    }
+    for (const id of dead)
+      this.clients.delete(id);
+  }
+  get clientCount() {
+    return this.clients.size;
+  }
+  async _handleSubscribe(client, subId, queryStr, tenantId) {
+    const tid = tenantId ?? client.tenantId ?? null;
+    let parsedQuery;
+    try {
+      parsedQuery = parseSimple(queryStr);
+    } catch (err) {
+      this._send(client, {
+        type: "error",
+        id: subId,
+        message: `Invalid query: ${err instanceof Error ? err.message : String(err)}`
+      });
+      return;
+    }
+    const kernel = this.pool.get(tid);
+    const engine = new QueryEngine(kernel.getStore());
+    let result;
+    try {
+      const qr = engine.execute(parsedQuery);
+      result = qr.bindings;
+    } catch (err) {
+      this._send(client, {
+        type: "error",
+        id: subId,
+        message: `Query failed: ${err instanceof Error ? err.message : String(err)}`
+      });
+      return;
+    }
+    const sub = {
+      id: subId,
+      query: queryStr,
+      tenantId: tid,
+      auth: client.auth,
+      lastResult: result
+    };
+    client.subscriptions.set(subId, sub);
+    this._send(client, { type: "subscribed", id: subId });
+    this._send(client, {
+      type: "data",
+      id: subId,
+      result,
+      diff: { added: result, updated: [], removed: [] }
+    });
+  }
+  async _pushUpdate(client, sub) {
+    const kernel = this.pool.get(sub.tenantId);
+    const engine = new QueryEngine(kernel.getStore());
+    let newResult;
+    try {
+      const parsed = parseSimple(sub.query);
+      const qr = engine.execute(parsed);
+      newResult = qr.bindings;
+    } catch {
+      return;
+    }
+    const diff = computeDiff(sub.lastResult, newResult);
+    if (diff.added.length === 0 && diff.updated.length === 0 && diff.removed.length === 0) {
+      return;
+    }
+    sub.lastResult = newResult;
+    this._send(client, { type: "data", id: sub.id, result: newResult, diff });
+  }
+  _send(client, payload) {
+    try {
+      client.ws.send(JSON.stringify(payload));
+    } catch {}
+  }
+}
+function entityId(row) {
+  return String(row["?e"] ?? row.id ?? row.e ?? JSON.stringify(row));
+}
+function computeDiff(prev, next) {
+  const prevMap = new Map(prev.map((r) => [entityId(r), r]));
+  const nextMap = new Map(next.map((r) => [entityId(r), r]));
+  const added = [];
+  const updated = [];
+  const removed = [];
+  for (const [id, row] of nextMap) {
+    if (!prevMap.has(id)) {
+      added.push(row);
+    } else if (JSON.stringify(prevMap.get(id)) !== JSON.stringify(row)) {
+      updated.push(row);
+    }
+  }
+  for (const [id, row] of prevMap) {
+    if (!nextMap.has(id))
+      removed.push(row);
+  }
+  return { added, updated, removed };
+}
+// src/server/server.ts
+function startServer(opts) {
+  const { pool, permissions, config } = opts;
+  const port = opts.port ?? config.port ?? 3000;
+  const authConfig = {
+    jwtSecret: config.jwtSecret,
+    apiKey: config.apiKey,
+    allowPublic: true
+  };
+  const subs = new SubscriptionManager(pool, permissions ?? null);
+  const server = Bun.serve({
+    port,
+    async fetch(req, server2) {
+      const url = new URL(req.url);
+      const path = url.pathname;
+      if (req.headers.get("upgrade") === "websocket") {
+        const upgraded = server2.upgrade(req);
+        if (upgraded)
+          return;
+        return new Response("WebSocket upgrade failed", { status: 400 });
+      }
+      const auth = await resolveAuth(req.headers.get("authorization"), authConfig);
+      const tenantId = auth.tenantId ?? url.searchParams.get("tenantId") ?? null;
+      try {
+        return await route(req, url, path, auth, tenantId, {
+          pool,
+          permissions: permissions ?? null,
+          subs,
+          authConfig,
+          config,
+          oauthProviders: opts.oauthProviders ?? {}
+        });
+      } catch (err) {
+        if (err instanceof PermissionError) {
+          return json(err.toResponse(), 403);
+        }
+        const msg = err instanceof Error ? err.message : String(err);
+        return json({ error: "Internal Server Error", message: msg }, 500);
+      }
+    },
+    websocket: {
+      async open(ws) {
+        const id = crypto.randomUUID();
+        ws.__clientId = id;
+        subs.addClient(id, ws, {
+          userId: null,
+          tenantId: null,
+          roles: [],
+          claims: {},
+          authenticated: false
+        }, null);
+      },
+      async message(ws, raw) {
+        const id = ws.__clientId;
+        await subs.handleMessage(id, typeof raw === "string" ? raw : new TextDecoder().decode(raw));
+      },
+      close(ws) {
+        const id = ws.__clientId;
+        subs.removeClient(id);
+      }
+    }
+  });
+  return server;
+}
+async function route(req, url, path, auth, tenantId, ctx) {
+  const method = req.method.toUpperCase();
+  if (method === "GET" && path === "/__trellis/inspector.js") {
+    const candidates = [
+      join(import.meta.dir, "db", "inspector.js"),
+      join(import.meta.dir, "inspector.js")
+    ];
+    for (const p of candidates) {
+      if (existsSync(p)) {
+        return new Response(readFileSync(p, "utf-8"), {
+          headers: { "Content-Type": "application/javascript; charset=utf-8" }
+        });
+      }
+    }
+    return new Response("/* Trellis DB Inspector: run `bun run build:inspector` first */", {
+      headers: { "Content-Type": "application/javascript" }
+    });
+  }
+  if (method === "GET" && path === "/__trellis/trellis.css") {
+    const candidates = [
+      join(import.meta.dir, "db", "trellis.css"),
+      join(import.meta.dir, "trellis.css")
+    ];
+    for (const p of candidates) {
+      if (existsSync(p)) {
+        return new Response(readFileSync(p, "utf-8"), {
+          headers: { "Content-Type": "text/css; charset=utf-8" }
+        });
+      }
+    }
+    return new Response("/* Trellis CSS not found */", {
+      headers: { "Content-Type": "text/css" }
+    });
+  }
+  if (method === "GET" && (path === "/" || path === "/inspector")) {
+    const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Trellis DB Inspector</title>
+  <link rel="stylesheet" href="/__trellis/trellis.css">
+</head>
+<body>
+  <script src="/__trellis/inspector.js"></script>
+</body>
+</html>`;
+    return new Response(html, {
+      headers: { "Content-Type": "text/html; charset=utf-8" }
+    });
+  }
+  if (method === "GET" && path === "/health") {
+    const kernel = ctx.pool.get(tenantId);
+    const ops = kernel.readAllOps().length;
+    return json({
+      status: "ok",
+      ops,
+      tenants: ctx.pool.activeTenants().length
+    });
+  }
+  if (path === "/entities" || path === "/entities/") {
+    if (method === "POST")
+      return handleCreate(req, auth, tenantId, ctx);
+    if (method === "GET")
+      return handleList(url, auth, tenantId, ctx);
+  }
+  const entityMatch = path.match(/^\/entities\/([^/]+)$/);
+  if (entityMatch) {
+    const id = decodeURIComponent(entityMatch[1]);
+    if (method === "GET")
+      return handleRead(id, auth, tenantId, ctx);
+    if (method === "PUT" || method === "PATCH")
+      return handleUpdate(req, id, auth, tenantId, ctx);
+    if (method === "DELETE")
+      return handleDelete(id, auth, tenantId, ctx);
+  }
+  if (method === "POST" && path === "/query") {
+    return handleQuery(req, auth, tenantId, ctx);
+  }
+  if (method === "POST" && path === "/upload") {
+    return handleUpload(req, auth, tenantId, ctx);
+  }
+  const fileMatch = path.match(/^\/files\/([^/]+)$/);
+  if (method === "GET" && fileMatch) {
+    return handleFileDownload(fileMatch[1], ctx, tenantId);
+  }
+  if (method === "POST" && path === "/auth/register") {
+    return handleRegister(req, tenantId, ctx);
+  }
+  if (method === "POST" && path === "/auth/login") {
+    return handleLogin(req, tenantId, ctx);
+  }
+  const oauthMatch = path.match(/^\/auth\/oauth\/([^/]+)(\/callback)?$/);
+  if (oauthMatch) {
+    const providerName = oauthMatch[1];
+    const isCallback = !!oauthMatch[2];
+    if (isCallback)
+      return handleOAuthCallback(url, providerName, tenantId, ctx);
+    return handleOAuthRedirect(providerName, url, ctx);
+  }
+  return json({ error: "Not Found" }, 404);
+}
+async function handleCreate(req, auth, tenantId, ctx) {
+  const body = await req.json();
+  if (!body.type)
+    return json({ error: "type is required" }, 400);
+  ctx.permissions?.assert(auth, body.type, "create");
+  const kernel = ctx.pool.get(tenantId);
+  const entityId2 = `${body.type.toLowerCase()}:${crypto.randomUUID()}`;
+  const attrs = {
+    ...body.attributes
+  };
+  if (auth.userId)
+    attrs.createdBy = auth.userId;
+  if (auth.tenantId)
+    attrs.tenantId = auth.tenantId;
+  const result = await kernel.createEntity(entityId2, body.type, attrs, body.links);
+  await ctx.subs.notify(tenantId);
+  return json({ id: entityId2, op: result.op.hash }, 201);
+}
+async function handleRead(id, auth, tenantId, ctx) {
+  const kernel = ctx.pool.get(tenantId);
+  const entity = kernel.getEntity(id);
+  if (!entity)
+    return json({ error: "Not Found" }, 404);
+  ctx.permissions?.assert(auth, entity.type, "read", entity);
+  return json(entityToJson(entity));
+}
+async function handleUpdate(req, id, auth, tenantId, ctx) {
+  const kernel = ctx.pool.get(tenantId);
+  const entity = kernel.getEntity(id);
+  if (!entity)
+    return json({ error: "Not Found" }, 404);
+  ctx.permissions?.assert(auth, entity.type, "update", entity);
+  const updates = await req.json();
+  await kernel.updateEntity(id, updates);
+  await ctx.subs.notify(tenantId);
+  return json({ id, updated: true });
+}
+async function handleDelete(id, auth, tenantId, ctx) {
+  const kernel = ctx.pool.get(tenantId);
+  const entity = kernel.getEntity(id);
+  if (!entity)
+    return json({ error: "Not Found" }, 404);
+  ctx.permissions?.assert(auth, entity.type, "delete", entity);
+  await kernel.deleteEntity(id);
+  await ctx.subs.notify(tenantId);
+  return json({ id, deleted: true });
+}
+async function handleList(url, auth, tenantId, ctx) {
+  const type = url.searchParams.get("type") ?? undefined;
+  const limit = parseInt(url.searchParams.get("limit") ?? "100");
+  const offset = parseInt(url.searchParams.get("offset") ?? "0");
+  const kernel = ctx.pool.get(tenantId);
+  let entities = kernel.listEntities(type);
+  if (ctx.permissions && type) {
+    entities = entities.filter((e) => ctx.permissions.check(auth, e.type, "read", e));
+  }
+  const page = entities.slice(offset, offset + limit);
+  return json({
+    data: page.map(entityToJson),
+    total: entities.length,
+    limit,
+    offset
+  });
+}
+async function handleQuery(req, auth, tenantId, ctx) {
+  const body = await req.json();
+  if (!body.query)
+    return json({ error: "query is required" }, 400);
+  let parsed;
+  try {
+    parsed = parseSimple(body.query);
+  } catch (err) {
+    return json({ error: "Invalid query", message: String(err) }, 400);
+  }
+  const kernel = ctx.pool.get(tenantId);
+  const engine = new QueryEngine(kernel.getStore());
+  const result = engine.execute(parsed);
+  return json({
+    bindings: result.bindings,
+    executionTime: result.executionTime
+  });
+}
+async function handleUpload(req, auth, tenantId, ctx) {
+  if (!auth.authenticated && ctx.config.apiKey) {
+    return json({ error: "Unauthorized" }, 401);
+  }
+  const contentType = req.headers.get("content-type") ?? "application/octet-stream";
+  const buffer = new Uint8Array(await req.arrayBuffer());
+  const hashBuf = await crypto.subtle.digest("SHA-256", buffer);
+  const hash = `blob:${Array.from(new Uint8Array(hashBuf)).map((b) => b.toString(16).padStart(2, "0")).join("")}`;
+  const kernel = ctx.pool.get(tenantId);
+  const backend = kernel.getBackend();
+  if (!backend.hasBlob(hash)) {
+    backend.putBlob(hash, buffer);
+  }
+  return json({ hash, size: buffer.length, contentType }, 201);
+}
+async function handleFileDownload(hash, ctx, tenantId) {
+  const kernel = ctx.pool.get(tenantId);
+  const backend = kernel.getBackend();
+  const blob = backend.getBlob(hash);
+  if (!blob)
+    return json({ error: "Not Found" }, 404);
+  const cleanBuf = blob.buffer.slice(blob.byteOffset, blob.byteOffset + blob.byteLength);
+  return new Response(cleanBuf, {
+    headers: { "Content-Type": "application/octet-stream" }
+  });
+}
+async function handleRegister(req, tenantId, ctx) {
+  if (!ctx.config.jwtSecret) {
+    return json({ error: "Auth not configured (no jwtSecret)" }, 501);
+  }
+  const body = await req.json();
+  if (!body.email || !body.password) {
+    return json({ error: "email and password are required" }, 400);
+  }
+  const kernel = ctx.pool.get(tenantId);
+  const existing = kernel.listEntities("User", { email: body.email });
+  if (existing.length > 0) {
+    return json({ error: "Email already registered" }, 409);
+  }
+  const userId = `user:${crypto.randomUUID()}`;
+  const pwHash = await hashPassword(body.password);
+  await kernel.createEntity(userId, "User", {
+    email: body.email,
+    name: body.name ?? "",
+    passwordHash: pwHash,
+    role: "user",
+    ...tenantId ? { tenantId } : {}
+  });
+  const token = await signJwt({ sub: userId, email: body.email, roles: ["user"], tenantId }, ctx.config.jwtSecret);
+  return json({ token, userId }, 201);
+}
+async function handleLogin(req, tenantId, ctx) {
+  if (!ctx.config.jwtSecret) {
+    return json({ error: "Auth not configured (no jwtSecret)" }, 501);
+  }
+  const body = await req.json();
+  if (!body.email || !body.password) {
+    return json({ error: "email and password are required" }, 400);
+  }
+  const kernel = ctx.pool.get(tenantId);
+  const users = kernel.listEntities("User", { email: body.email });
+  if (users.length === 0) {
+    return json({ error: "Invalid credentials" }, 401);
+  }
+  const user = users[0];
+  const pwHashFact = user.facts.find((f) => f.a === "passwordHash");
+  const roleFact = user.facts.find((f) => f.a === "role");
+  if (!pwHashFact || !await verifyPassword(body.password, String(pwHashFact.v))) {
+    return json({ error: "Invalid credentials" }, 401);
+  }
+  const role = String(roleFact?.v ?? "user");
+  const token = await signJwt({ sub: user.id, email: body.email, roles: [role], tenantId }, ctx.config.jwtSecret);
+  return json({ token, userId: user.id });
+}
+function handleOAuthRedirect(providerName, url, ctx) {
+  const provider = ctx.oauthProviders[providerName] ?? getBuiltinProvider(providerName, ctx);
+  if (!provider)
+    return json({ error: `Unknown provider: ${providerName}` }, 400);
+  const redirectUri = `${url.origin}/auth/oauth/${providerName}/callback`;
+  const state = crypto.randomUUID();
+  const authUrl = buildOAuthUrl(provider, redirectUri, state);
+  return Response.redirect(authUrl, 302);
+}
+async function handleOAuthCallback(url, providerName, tenantId, ctx) {
+  if (!ctx.config.jwtSecret) {
+    return json({ error: "Auth not configured (no jwtSecret)" }, 501);
+  }
+  const code = url.searchParams.get("code");
+  if (!code)
+    return json({ error: "Missing code" }, 400);
+  const provider = ctx.oauthProviders[providerName] ?? getBuiltinProvider(providerName, ctx);
+  if (!provider)
+    return json({ error: `Unknown provider: ${providerName}` }, 400);
+  const redirectUri = `${url.origin}/auth/oauth/${providerName}/callback`;
+  let profile;
+  try {
+    profile = await exchangeOAuthCode(provider, code, redirectUri);
+  } catch (err) {
+    return json({ error: "OAuth exchange failed", message: String(err) }, 400);
+  }
+  const kernel = ctx.pool.get(tenantId);
+  const oauthId = `oauth:${providerName}:${profile.id}`;
+  let users = kernel.listEntities("User", { oauthId });
+  let userId;
+  if (users.length === 0) {
+    userId = `user:${crypto.randomUUID()}`;
+    await kernel.createEntity(userId, "User", {
+      email: profile.email,
+      name: profile.name,
+      avatarUrl: profile.avatarUrl ?? "",
+      oauthId,
+      oauthProvider: providerName,
+      role: "user",
+      ...tenantId ? { tenantId } : {}
+    });
+  } else {
+    userId = users[0].id;
+  }
+  const token = await signJwt({ sub: userId, email: profile.email, roles: ["user"], tenantId }, ctx.config.jwtSecret);
+  return json({ token, userId });
+}
+function getBuiltinProvider(name, ctx) {
+  if (name === "google") {
+    const cid = process.env.GOOGLE_CLIENT_ID;
+    const csec = process.env.GOOGLE_CLIENT_SECRET;
+    if (!cid || !csec)
+      return null;
+    return { ...GOOGLE_PROVIDER, clientId: cid, clientSecret: csec };
+  }
+  if (name === "github") {
+    const cid = process.env.GITHUB_CLIENT_ID;
+    const csec = process.env.GITHUB_CLIENT_SECRET;
+    if (!cid || !csec)
+      return null;
+    return { ...GITHUB_PROVIDER, clientId: cid, clientSecret: csec };
+  }
+  return null;
+}
+async function hashPassword(password) {
+  const salt = crypto.randomUUID().replace(/-/g, "");
+  const enc = new TextEncoder;
+  const keyMat = await crypto.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits({
+    name: "PBKDF2",
+    salt: enc.encode(salt),
+    iterations: 1e5,
+    hash: "SHA-256"
+  }, keyMat, 256);
+  const hash = Array.from(new Uint8Array(bits)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `${salt}:${hash}`;
+}
+async function verifyPassword(password, stored) {
+  const [salt, expectedHash] = stored.split(":");
+  if (!salt || !expectedHash)
+    return false;
+  const enc = new TextEncoder;
+  const keyMat = await crypto.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits({
+    name: "PBKDF2",
+    salt: enc.encode(salt),
+    iterations: 1e5,
+    hash: "SHA-256"
+  }, keyMat, 256);
+  const hash = Array.from(new Uint8Array(bits)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return hash === expectedHash;
+}
+function entityToJson(entity) {
+  const attrs = {};
+  for (const f of entity.facts) {
+    if (f.a !== "type") {
+      attrs[f.a] = f.v;
+    }
+  }
+  return { id: entity.id, type: entity.type, ...attrs };
+}
+function json(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+export { ANONYMOUS, signJwt, verifyJwt, resolveAuth, GOOGLE_PROVIDER, GITHUB_PROVIDER, buildOAuthUrl, exchangeOAuthCode, PermissionRegistry, PermissionError, PUBLIC_READ, FULLY_PUBLIC, OWNER_ONLY, ADMIN_ONLY, SubscriptionManager, startServer };