@noy-db/hub 0.1.0-pre.3 → 0.1.0-pre.4

package/dist/blobs/index.d.cts

@@ -1,5 +1,5 @@
-import { B as BlobStrategy } from '../types-Bfs0qr5F.cjs';
-export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-Bfs0qr5F.cjs';
+import { B as BlobStrategy } from '../types-BVSfkYg6.cjs';
+export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-BVSfkYg6.cjs';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from '../mime-magic-CBBSOkjm.cjs';
 import '../lazy-builder-CZVLKh0Z.cjs';
 import '../predicate-SBHmi6D0.cjs';

package/dist/blobs/index.d.ts

@@ -1,5 +1,5 @@
-import { B as BlobStrategy } from '../types-BZpCZB8N.js';
-export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-BZpCZB8N.js';
+import { B as BlobStrategy } from '../types-Dmi7nrC9.js';
+export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-Dmi7nrC9.js';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from '../mime-magic-CBBSOkjm.js';
 import '../lazy-builder-BwEoBQZ9.js';
 import '../predicate-SBHmi6D0.js';

package/dist/blobs/index.js

@@ -14,8 +14,8 @@ import {
   detectMimeType,
   isPreCompressed,
   runCompaction
-} from "../chunk-UQFSPSWG.js";
-import "../chunk-ZRG4V3F5.js";
+} from "../chunk-QZIACZZU.js";
+import "../chunk-O5GK62FJ.js";
 import "../chunk-MR4424N3.js";
 import "../chunk-ACLDOTNQ.js";
 

package/dist/bundle/index.d.cts

@@ -1,5 +1,5 @@
-export { j as COMPRESSION_BROTLI, k as COMPRESSION_GZIP, l as COMPRESSION_NONE, C as CompressionAlgo, F as FLAG_COMPRESSED, m as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, n as encodeBundleHeader, g as generateULID, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../index-DhjMjz7L.cjs';
-import '../types-Bfs0qr5F.cjs';
+export { j as COMPRESSION_BROTLI, k as COMPRESSION_GZIP, l as COMPRESSION_NONE, C as CompressionAlgo, F as FLAG_COMPRESSED, m as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, n as encodeBundleHeader, g as generateULID, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../index-BvUiM47h.cjs';
+import '../types-BVSfkYg6.cjs';
 import '../lazy-builder-CZVLKh0Z.cjs';
 import '../predicate-SBHmi6D0.cjs';
 import '../strategy-D-SrOLCl.cjs';

package/dist/bundle/index.d.ts

@@ -1,5 +1,5 @@
-export { j as COMPRESSION_BROTLI, k as COMPRESSION_GZIP, l as COMPRESSION_NONE, C as CompressionAlgo, F as FLAG_COMPRESSED, m as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, n as encodeBundleHeader, g as generateULID, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../index-C8kQtmOk.js';
-import '../types-BZpCZB8N.js';
+export { j as COMPRESSION_BROTLI, k as COMPRESSION_GZIP, l as COMPRESSION_NONE, C as CompressionAlgo, F as FLAG_COMPRESSED, m as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, n as encodeBundleHeader, g as generateULID, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../index-Cy-MKrdK.js';
+import '../types-Dmi7nrC9.js';
 import '../lazy-builder-BwEoBQZ9.js';
 import '../predicate-SBHmi6D0.js';
 import '../strategy-D-SrOLCl.js';

package/dist/{chunk-EXQRC2L4.js → chunk-AVWFLPNR.js}

@@ -3,7 +3,7 @@ import {
 } from "./chunk-2QR2PQTT.js";
 import {
   NOYDB_SYNC_VERSION
-} from "./chunk-ZRG4V3F5.js";
+} from "./chunk-O5GK62FJ.js";
 import {
   bufferToBase64,
   decrypt,
@@ -719,4 +719,4 @@ export {
   SyncEngine,
   SyncTransaction
 };
-//# sourceMappingURL=chunk-EXQRC2L4.js.map
+//# sourceMappingURL=chunk-AVWFLPNR.js.map

package/dist/{chunk-ZLMV3TUA.js → chunk-EARQCIL7.js}

@@ -1,12 +1,12 @@
 import {
   ensureCollectionDEK
-} from "./chunk-M2F2JAWB.js";
+} from "./chunk-PSHTHSIX.js";
 import {
   envelopePayloadHash
 } from "./chunk-CIMZBAZB.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-ZRG4V3F5.js";
+} from "./chunk-O5GK62FJ.js";
 import {
   decrypt,
   encrypt
@@ -487,4 +487,4 @@ export {
   resolveI18nText,
   applyI18nLocale
 };
-//# sourceMappingURL=chunk-ZLMV3TUA.js.map
+//# sourceMappingURL=chunk-EARQCIL7.js.map

package/dist/{chunk-4OWFYIDQ.js → chunk-L77MEFCH.js}

@@ -1,9 +1,9 @@
 import {
   ensureCollectionDEK
-} from "./chunk-M2F2JAWB.js";
+} from "./chunk-PSHTHSIX.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-ZRG4V3F5.js";
+} from "./chunk-O5GK62FJ.js";
 import {
   decrypt,
   encrypt
@@ -76,4 +76,4 @@ export {
   listCredentials,
   credentialStatus
 };
-//# sourceMappingURL=chunk-4OWFYIDQ.js.map
+//# sourceMappingURL=chunk-L77MEFCH.js.map

package/dist/{chunk-5AATM2M2.js → chunk-LSZHBNDG.js}

@@ -56,7 +56,7 @@ function validatePeriodName(name, existing) {
 }
 async function appendPeriodLedgerEntry(ledger, actor, envelope, name) {
   if (!ledger) return;
-  const { envelopePayloadHash } = await import("./ledger-2NX4L7PN.js");
+  const { envelopePayloadHash } = await import("./ledger-HWXYGUIQ.js");
   await ledger.append({
     op: "put",
     collection: PERIODS_COLLECTION,
@@ -87,4 +87,4 @@ export {
   appendPeriodLedgerEntry,
   withPeriods
 };
-//# sourceMappingURL=chunk-5AATM2M2.js.map
+//# sourceMappingURL=chunk-LSZHBNDG.js.map

package/dist/{chunk-XHFOENR2.js → chunk-NK2NSXXK.js}

@@ -6,7 +6,7 @@ import {
 } from "./chunk-CIMZBAZB.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-ZRG4V3F5.js";
+} from "./chunk-O5GK62FJ.js";
 import {
   decrypt,
   encrypt
@@ -677,4 +677,4 @@ export {
   LEDGER_DELTAS_COLLECTION,
   LedgerStore
 };
-//# sourceMappingURL=chunk-XHFOENR2.js.map
+//# sourceMappingURL=chunk-NK2NSXXK.js.map

package/dist/{chunk-ZRG4V3F5.js → chunk-O5GK62FJ.js}

@@ -14,4 +14,4 @@ export {
   NOYDB_SYNC_VERSION,
   createStore
 };
-//# sourceMappingURL=chunk-ZRG4V3F5.js.map
+//# sourceMappingURL=chunk-O5GK62FJ.js.map

package/dist/chunk-O5GK62FJ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts"],"sourcesContent":["/**\n * Core types — the {@link NoydbStore} interface, envelope format, roles, and\n * all configuration shapes consumed by {@link createNoydb}.\n *\n * ## What lives here\n *\n * - **{@link NoydbStore}** — the 6-method contract every backend must implement\n *   (`get`, `put`, `delete`, `list`, `loadAll`, `saveAll`).\n * - **{@link EncryptedEnvelope}** — the wire format stored by backends:\n *   `{ _noydb, _v, _ts, _iv, _data }`. Backends only ever see this shape.\n * - **{@link Role} / {@link Permission}** — the access-control vocabulary\n *   (`owner`, `admin`, `operator`, `viewer`, `client`).\n * - **{@link NoydbOptions}** — the full configuration object passed to\n *   {@link createNoydb}.\n *\n * ## Extending the store interface\n *\n * All optional store capabilities (`ping`, `listPage`, `listSince`,\n * `presencePublish`, `presenceSubscribe`, `listVaults`) are additive extensions\n * discovered via `'method' in store`. Implementing them unlocks features but\n * is never required — core always falls back to the 6-method baseline.\n *\n * @module\n */\n\nimport type { StandardSchemaV1 } from './schema.js'\nimport type { SyncPolicy } from './store/sync-policy.js'\nimport type { BlobStrategy } from './blobs/strategy.js'\nimport type { IndexStrategy } from './indexing/strategy.js'\nimport type { AggregateStrategy } from './aggregate/strategy.js'\nimport type { CrdtStrategy } from './crdt/strategy.js'\nimport type { ConsentStrategy } from './consent/strategy.js'\nimport type { PeriodsStrategy } from './periods/strategy.js'\nimport type { ShadowStrategy } from './shadow/strategy.js'\nimport type { TxStrategy } from './tx/strategy.js'\nimport type { HistoryStrategy } from './history/strategy.js'\nimport type { I18nStrategy } from './i18n/strategy.js'\nimport type { SessionStrategy } from './session/strategy.js'\nimport type { SyncStrategy } from './team/sync-strategy.js'\nimport type { UnlockedKeyring } from './team/keyring.js'\n\n/** Format version for encrypted record envelopes. */\nexport const NOYDB_FORMAT_VERSION = 1 as const\n\n/** Format version for keyring files. */\nexport const NOYDB_KEYRING_VERSION = 1 as const\n\n/** Format version for backup files. */\nexport const NOYDB_BACKUP_VERSION = 1 as const\n\n/** Format version for sync metadata. */\nexport const NOYDB_SYNC_VERSION = 1 as const\n\n// ─── Roles & Permissions ───────────────────────────────────────────────\n\n/**\n * Access role assigned to a user within a vault.\n *\n * Roles control both the operations a user can perform and which DEKs\n * they receive in their keyring:\n *\n * | Role       | Collections      | Can grant/revoke | Can export |\n * |------------|-----------------|:----------------:|:----------:|\n * | `owner`    | all (rw)        | Yes (all roles)  | Yes        |\n * | `admin`    | all (rw)        | Yes (≤ admin)    | Yes        |\n * | `operator` | explicit (rw)   | No               | ACL-scoped |\n * | `viewer`   | all (ro)        | No               | Yes        |\n * | `client`   | explicit (ro)   | No               | ACL-scoped |\n */\nexport type Role = 'owner' | 'admin' | 'operator' | 'viewer' | 'client'\n\n/**\n * Read-write or read-only access on a collection.\n * Stored per-collection in the user's keyring.\n */\nexport type Permission = 'rw' | 'ro'\n\n/**\n * Map of collection name → permission level for a user's keyring entry.\n * `'*'` is the wildcard collection matching all collections in the vault.\n */\nexport type Permissions = Record<string, Permission>\n\n// ─── Encrypted Envelope ────────────────────────────────────────────────\n\n/** The encrypted wrapper stored by adapters. Adapters only ever see this. */\nexport interface EncryptedEnvelope {\n  readonly _noydb: typeof NOYDB_FORMAT_VERSION\n  readonly _v: number\n  readonly _ts: string\n  readonly _iv: string\n  readonly _data: string\n  /** User who created this version (unencrypted metadata). */\n  readonly _by?: string\n  /**\n   * Hierarchical access tier. Omitted → tier 0.\n   *\n   * Unencrypted on purpose — the store reads it to route the envelope\n   * to the right DEK slot without having to try-decrypt against every\n   * tier. Only leaks the tier of each record, not any value\n   * equivalence.\n   */\n  readonly _tier?: number\n  /**\n   * User id who last elevated this record. Used by\n   * `demote()` to gate the reverse operation: only the original\n   * elevator or an owner can demote a record back down. Cleared on\n   * every successful demote so a later re-elevate requires the new\n   * actor to own the demotion right.\n   */\n  readonly _elevatedBy?: string\n  /**\n   * Deterministic-encryption index. Map of field name →\n   * base64 deterministic ciphertext. Present only when the collection\n   * declares `deterministicFields` and the feature is acknowledged. The\n   * field names are unencrypted (they're the index keys); the values\n   * are AES-GCM ciphertext with an HKDF-derived deterministic IV.\n   *\n   * Enables blind equality search (`collection.findByDet(field,\n   * value)`) without decrypting every record. Leaks equality as a known\n   * side channel.\n   */\n  readonly _det?: Record<string, string>\n}\n\n/**\n * Placeholder returned by `getAtTier()` in `'ghost'` mode when a\n * record is at a tier the caller cannot decrypt. Record existence is\n * advertised — the id and tier are visible — but contents are\n * withheld. `canElevateFrom` lists user ids authorized to elevate\n * access for this caller when known; absent when the workflow is\n * not configured.\n */\nexport interface GhostRecord {\n  readonly _ghost: true\n  readonly _tier: number\n  readonly canElevateFrom?: readonly string[]\n}\n\n/** Control what lower-tier reads see above their clearance. */\nexport type TierMode = 'invisibility' | 'ghost'\n\n/**\n * Event emitted when a record at a tier above the caller's inherent\n * clearance is read or written successfully (via elevation or\n * delegation). Always written to the ledger; subscribers get a\n * real-time feed.\n */\nexport interface CrossTierAccessEvent {\n  readonly actor: string\n  readonly collection: string\n  readonly id: string\n  readonly tier: number\n  /** How the caller gained tier access: they elevated it, or a delegation is active. */\n  readonly authorization: 'elevation' | 'delegation' | 'inherent'\n  readonly op: 'get' | 'put' | 'elevate' | 'demote'\n  readonly ts: string\n  /**\n   * When `authorization === 'elevation'`, the audit reason string the\n   * caller passed to `vault.elevate(...)`. Empty for inherent /\n   * delegation paths.\n   */\n  readonly reason?: string\n  /**\n   * When `authorization === 'elevation'`, the tier the caller's\n   * keyring effectively held BEFORE elevation. Useful for audit\n   * dashboards distinguishing \"operator elevating to 2\" from\n   * \"inherent tier-2 write.\"\n   */\n  readonly elevatedFrom?: number\n}\n\n/**\n * A single deterministic-ciphertext index slot on an envelope. Stored\n * as `iv:data` (both base64, colon-separated) so a single string per\n * field keeps the envelope compact.\n */\nexport type DeterministicCipher = string\n\n// ─── Vault Snapshot ──────────────────────────────────────────────\n\n/** All records across all collections for a compartment. */\nexport type VaultSnapshot = Record<string, Record<string, EncryptedEnvelope>>\n\n/**\n * Result of a single page fetch via the optional `listPage` adapter extension.\n *\n * `items` carries the actual encrypted envelopes (not just ids) so the\n * caller can decrypt and emit a single record without an extra `get()`\n * round-trip per id. `nextCursor` is `null` on the final page.\n */\nexport interface ListPageResult {\n  /** Encrypted envelopes for this page, in adapter-defined order. */\n  items: Array<{ id: string; envelope: EncryptedEnvelope }>\n  /** Opaque cursor for the next page, or `null` if this was the last page. */\n  nextCursor: string | null\n}\n\n// ─── Store Interface ───────────────────────────────────────────────────\n\nexport interface NoydbStore {\n  /**\n   * Optional human-readable adapter name (e.g. 'memory', 'file', 'dynamo').\n   * Used in diagnostic messages and the listPage fallback warning. Adapters\n   * are encouraged to set this so logs are clearer about which backend is\n   * involved when something goes wrong.\n   */\n  name?: string\n\n  /** Get a single record. Returns null if not found. */\n  get(vault: string, collection: string, id: string): Promise<EncryptedEnvelope | null>\n\n  /** Put a record. Throws ConflictError if expectedVersion doesn't match. */\n  put(\n    vault: string,\n    collection: string,\n    id: string,\n    envelope: EncryptedEnvelope,\n    expectedVersion?: number,\n  ): Promise<void>\n\n  /** Delete a record. */\n  delete(vault: string, collection: string, id: string): Promise<void>\n\n  /** List all record IDs in a collection. */\n  list(vault: string, collection: string): Promise<string[]>\n\n  /** Load all records for a vault (initial hydration). */\n  loadAll(vault: string): Promise<VaultSnapshot>\n\n  /** Save all records for a vault (bulk write / restore). */\n  saveAll(vault: string, data: VaultSnapshot): Promise<void>\n\n  /** Optional connectivity check for sync engine. */\n  ping?(): Promise<boolean>\n\n  /**\n   * Optional: list record IDs in a collection that have `_ts` after `since`.\n   * Used by partial sync (`pull({ modifiedSince })`). Adapters that omit this\n   * fall back to a full `loadAll` + client-side timestamp filter.\n   */\n  listSince?(vault: string, collection: string, since: string): Promise<string[]>\n\n  /**\n   * Optional pagination extension. Adapters that implement `listPage` get\n   * the streaming `Collection.scan()` fast path; adapters that don't are\n   * silently fallen back to a full `loadAll()` + slice (with a one-time\n   * console.warn).\n   *\n   * `cursor` is opaque to the core — each adapter encodes its own paging\n   * state (DynamoDB: base64 LastEvaluatedKey JSON; S3: ContinuationToken;\n   * memory/file/browser: numeric offset of a sorted id list). Pass\n   * `undefined` to start from the beginning.\n   *\n   * `limit` is a soft upper bound on `items.length`. Adapters MAY return\n   * fewer items even when more exist (e.g. if the underlying store has\n   * its own page size cap), and MUST signal \"no more pages\" by returning\n   * `nextCursor: null`.\n   *\n   * The 6-method core contract is unchanged — this is an additive\n   * extension discovered via `'listPage' in adapter`.\n   */\n  listPage?(\n    vault: string,\n    collection: string,\n    cursor?: string,\n    limit?: number,\n  ): Promise<ListPageResult>\n\n  /**\n   * Optional pub/sub for real-time presence.\n   * Publish an encrypted payload to a presence channel.\n   * Falls back to storage-based polling when absent.\n   */\n  presencePublish?(channel: string, payload: string): Promise<void>\n\n  /**\n   * Optional pub/sub for real-time presence.\n   * Subscribe to a presence channel. Returns an unsubscribe function.\n   * Falls back to storage-based polling when absent.\n   */\n  presenceSubscribe?(channel: string, callback: (payload: string) => void): () => void\n\n  /**\n   * Optional cross-vault enumeration extension.\n   *\n   * Returns the names of every top-level vault the store\n   * currently stores. Used by `Noydb.listAccessibleVaults()` to\n   * enumerate the universe of vaults before filtering down to\n   * the ones the calling principal can actually unwrap.\n   *\n   * **Why this is optional:** the storage shape of compartments\n   * differs across backends. Memory and file stores store\n   * vaults as top-level keys / directories and can enumerate\n   * them in O(1) calls. DynamoDB stores everything in a single table\n   * keyed by `(compartment#collection, id)` — enumerating compartments\n   * requires either a Scan (expensive, eventually consistent, leaks\n   * ciphertext metadata) or a dedicated GSI that the consumer\n   * provisioned. S3 needs a prefix list (cheap if enabled, ACL-sensitive\n   * otherwise). Browser localStorage can scan keys by prefix.\n   *\n   * Stores that cannot implement `listVaults` cheaply or\n   * cleanly should omit it. Core surfaces a `StoreCapabilityError`\n   * with a clear message when a caller invokes\n   * `listAccessibleVaults()` against a store that doesn't\n   * provide this method, so consumers know to either upgrade their\n   * store, provide a candidate list explicitly to `queryAcross()`,\n   * or fall back to maintaining the compartment index out of band.\n   *\n   * **Privacy note:** `listVaults` returns *every* compartment\n   * the store has, not just the ones the caller can access. The\n   * existence-leak filtering (returning only compartments whose\n   * keyring the caller can unwrap) happens in core, not in the\n   * store. The store is trusted to know its own contents — that\n   * is not a leak in the threat model. The leak the API guards\n   * against is the *return value* of `listAccessibleVaults()`\n   * exposing existence to a downstream observer who only sees that\n   * function's output.\n   *\n   * The 6-method core contract is unchanged — this is an additive\n   * extension discovered via `'listVaults' in store`.\n   */\n  listVaults?(): Promise<string[]>\n\n  /**\n   * Optional: generate a presigned URL for direct client download.\n   * Only meaningful for object stores (S3, GCS) that support URL signing.\n   * Returns a time-limited URL that fetches the encrypted envelope directly.\n   * The caller must decrypt client-side (the URL returns ciphertext).\n   */\n  presignUrl?(vault: string, collection: string, id: string, expiresInSeconds?: number): Promise<string>\n\n  /**\n   * Optional: estimate current storage usage.\n   * Returns `{ usedBytes, quotaBytes }` or null if the store cannot estimate.\n   * Used by quota-aware routing to detect overflow conditions.\n   */\n  estimateUsage?(): Promise<{ usedBytes: number; quotaBytes: number } | null>\n\n  /**\n   * Optional multi-record atomic write.\n   *\n   * When present, `db.transaction(async (tx) => { ... })` uses this to\n   * commit every staged op in one storage-layer transaction — either\n   * all ops land or none do, regardless of which records they touch.\n   * Every `TxOp.expectedVersion` (when set) must be honored atomically\n   * alongside the write; any violation throws `ConflictError` and the\n   * whole batch fails.\n   *\n   * Stores that omit this fall through to the hub's per-record OCC\n   * fallback: pre-flight CAS check, then sequential `put`/`delete`\n   * with best-effort unwind on mid-batch failure (see\n   * `runTransaction` for the exact semantics and crash window).\n   *\n   * Native implementations: `to-memory` (single Map mutation),\n   * `to-dynamo` (`TransactWriteItems`), `to-browser-idb` (one\n   * `readwrite` transaction). File / S3 cannot implement this\n   * atomically and should omit the method.\n   */\n  tx?(ops: readonly TxOp[]): Promise<void>\n}\n\n/**\n * A single staged operation inside a `db.transaction(fn)` commit. The\n * hub assembles `TxOp[]` from the user's `tx.collection().put/delete`\n * calls, encrypts any `record` values into `envelope`, and hands the\n * array to `NoydbStore.tx()` when the store supports atomic batch\n * writes. Stores that implement `tx()` MUST honor every\n * `expectedVersion` atomically against the stored envelope version.\n */\nexport interface TxOp {\n  readonly type: 'put' | 'delete'\n  readonly vault: string\n  readonly collection: string\n  readonly id: string\n  /** Populated for `type: 'put'` — the encrypted envelope to write. */\n  readonly envelope?: EncryptedEnvelope\n  /** Optional per-record CAS. Mismatch must throw `ConflictError`. */\n  readonly expectedVersion?: number\n}\n\n// ─── Store Factory Helper ──────────────────────────────────────────────\n\n/** Type-safe helper for creating store factories. */\nexport function createStore<TOptions>(\n  factory: (options: TOptions) => NoydbStore,\n): (options: TOptions) => NoydbStore {\n  return factory\n}\n\n// ─── Keyring ───────────────────────────────────────────────────────────\n\n/**\n * Interchange formats `@noy-db/as-*` packages can produce. `'*'` is a\n * wildcard granting every current + future plaintext format.\n */\nexport type ExportFormat =\n  | 'xlsx'\n  | 'csv'\n  | 'json'\n  | 'ndjson'\n  | 'xml'\n  | 'sql'\n  | 'pdf'\n  | 'blob'\n  | 'zip'\n  | '*'\n\n/**\n * Owner-granted export capability on a keyring.\n *\n * Two independent dimensions:\n *\n * - `plaintext` — per-format allowlist for record formatters + blob\n *   extractors that emit plaintext bytes (`as-xlsx`, `as-csv`,\n *   `as-blob`, `as-zip`, …). **Defaults to empty** for every role;\n *   the owner/admin must positively grant per-format (or `'*'`).\n * - `bundle` — boolean for `.noydb` encrypted container export\n *   (`as-noydb`). **Default policy: on for owner/admin, off for\n *   operator/viewer/client** — applied when the field is absent or\n *   undefined (see `hasExportCapability`).\n */\nexport interface ExportCapability {\n  readonly plaintext?: readonly ExportFormat[]\n  readonly bundle?: boolean\n}\n\n/**\n * Owner-granted import capability on a keyring (sibling of\n * `ExportCapability`, issue ).\n *\n * Two independent dimensions:\n *\n * - `plaintext` — per-format allowlist for `as-*` readers that ingest\n *   plaintext bytes (`as-csv`, `as-json`, `as-ndjson`, `as-zip`, …).\n *   Defaults to empty for every role; the owner/admin must positively\n *   grant per-format (or `'*'`).\n * - `bundle` — boolean gate for `.noydb` bundle import. **Defaults to\n *   `false` for every role**, including owner/admin. Import is more\n *   dangerous than export (corrupts vs leaks), so the policy is\n *   default-closed across the board — the owner explicitly opts a\n *   keyring in via `db.grant({ importCapability: { bundle: true } })`.\n */\nexport interface ImportCapability {\n  readonly plaintext?: readonly ExportFormat[]\n  readonly bundle?: boolean\n}\n\nexport interface KeyringFile {\n  readonly _noydb_keyring: typeof NOYDB_KEYRING_VERSION\n  readonly user_id: string\n  readonly display_name: string\n  readonly role: Role\n  readonly permissions: Permissions\n  readonly deks: Record<string, string>\n  readonly salt: string\n  readonly created_at: string\n  readonly granted_by: string\n  /**\n   * Optional — authorization spec capability bits. Absent on keyrings written\n   * before the RFC implementation. Loading falls back to role-based\n   * defaults (owner/admin get bundle-on, everyone else off).\n   */\n  readonly export_capability?: ExportCapability\n  /**\n   * Optional bundle-slot expiry. ISO-8601 timestamp; past\n   * the cutoff `loadKeyring` throws `KeyringExpiredError` before any\n   * DEK unwrap is attempted. Useful for time-boxed audit access:\n   * \"this slot works for 30 days then becomes opaque to its holder.\"\n   *\n   * Absent on live keyrings written via `db.grant()` — the field is\n   * meaningful for `BundleRecipient` slots produced by\n   * `writeNoydbBundle({ recipients: [...] })`. Setting it on a live\n   * keyring is allowed but unusual.\n   */\n  readonly expires_at?: string\n  /**\n   * Optional — issue  import-capability bits. Absent on keyrings\n   * written before  landed. Loading falls back to default-closed\n   * for every role and every format.\n   */\n  readonly import_capability?: ImportCapability\n  /**\n   * hierarchical access clearance. Absent → 0 (advisory;\n   * the real check is whether the DEK map carries a `collection#tier`\n   * entry for the requested tier). Owners and admins default to the\n   * highest tier they have DEKs for at grant time.\n   */\n  readonly clearance?: number\n}\n\n// ─── Backup ────────────────────────────────────────────────────────────\n\nexport interface VaultBackup {\n  readonly _noydb_backup: typeof NOYDB_BACKUP_VERSION\n  readonly _compartment: string\n  readonly _exported_at: string\n  readonly _exported_by: string\n  readonly keyrings: Record<string, KeyringFile>\n  readonly collections: VaultSnapshot\n  /**\n   * Internal collections (`_ledger`, `_ledger_deltas`, `_history`, `_sync`, …)\n   * captured alongside the data collections. Optional for backwards\n   * compat with backups, which only stored data collections —\n   * loading a backup leaves the ledger empty (and `verifyBackupIntegrity`\n   * skips the chain check, surfacing only a console warning).\n   */\n  readonly _internal?: VaultSnapshot\n  /**\n   * Verifiable-backup metadata. Embeds the ledger head at\n   * dump time so `load()` can cross-check that the loaded chain matches\n   * exactly what was exported. A backup whose chain has been tampered\n   * with — either by modifying ledger entries or by modifying data\n   * envelopes that the chain references — fails this check.\n   *\n   * Optional for backwards compat with backups; missing means\n   * \"legacy backup, load with a warning, no integrity check\".\n   */\n  readonly ledgerHead?: {\n    /** Hex sha256 of the canonical JSON of the last ledger entry. */\n    readonly hash: string\n    /** Sequential index of the last ledger entry. */\n    readonly index: number\n    /** ISO timestamp captured at dump time. */\n    readonly ts: string\n  }\n}\n\n// ─── Export ────────────────────────────────────────────────────────────\n\n/**\n * Options for `Vault.exportStream()` and `Vault.exportJSON()`.\n *\n * The defaults match the most common consumer pattern: one chunk per\n * collection, no ledger metadata. Per-record streaming and ledger-head\n * inclusion are opt-in because both add structure most consumers don't\n * need.\n */\nexport interface ExportStreamOptions {\n  /**\n   * `'collection'` (default) yields one chunk per collection with all\n   * records bundled in `chunk.records`. `'record'` yields one chunk per\n   * record, useful for arbitrarily large collections that should never\n   * be materialized as a single array.\n   */\n  readonly granularity?: 'collection' | 'record'\n\n  /**\n   * When `true`, every chunk includes the current compartment ledger\n   * head under `chunk.ledgerHead`. The value is identical across every\n   * chunk in a single export (one ledger per compartment). Forward-\n   * compatible with future partition work where the head would become\n   * per-partition. Default: `false`.\n   */\n  readonly withLedgerHead?: boolean\n  /**\n   * When set to a BCP 47 locale string (e.g. `'th'`), `exportJSON()`\n   * resolves all `dictKey` labels to that locale and omits the raw\n   * `dictionaries` snapshot from the output. Has no effect\n   * on `exportStream()` — format packages use the `chunk.dictionaries`\n   * snapshot directly and apply their own locale strategy.\n   *\n   * Default: `undefined` — embed the raw snapshot under `_dictionaries`.\n   */\n  readonly resolveLabels?: string\n}\n\n/**\n * One chunk yielded by `Vault.exportStream()`.\n *\n * `granularity: 'collection'` yields one chunk per collection with the\n * full record array in `records`. `granularity: 'record'` yields one\n * chunk per record with `records` containing exactly one element — the\n * `schema` and `refs` metadata is repeated on every chunk so consumers\n * doing per-record streaming don't have to thread state across yields.\n */\nexport interface ExportChunk<T = unknown> {\n  /** Collection name (no leading underscore — internal collections are filtered out). */\n  readonly collection: string\n\n  /**\n   * Standard Schema validator attached to the collection at `collection()`\n   * construction time, or `null` if no schema was provided. Surfaced so\n   * downstream serializers (`@noy-db/as-*` packages, custom\n   * exporters) can produce schema-aware output (typed CSV headers, XSD\n   * generation, etc.) without poking at collection internals.\n   */\n  readonly schema: StandardSchemaV1<unknown, T> | null\n\n  /**\n   * Foreign-key references declared on the collection via the `refs`\n   * option, as the `{ field → { target, mode } }` map produced by\n   * `RefRegistry.getOutbound`. Empty object when no refs were declared.\n   */\n  readonly refs: Record<string, { readonly target: string; readonly mode: 'strict' | 'warn' | 'cascade' }>\n\n  /**\n   * Decrypted, ACL-scoped, schema-validated records. Length 1 in\n   * `granularity: 'record'` mode, full collection in `granularity: 'collection'`\n   * mode. Records are returned by reference from the collection's eager\n   * cache where applicable — consumers must treat them as immutable.\n   */\n  readonly records: T[]\n\n  /**\n   * Dictionary snapshots for every `dictKey` field declared on this\n   * collection. Captured once at stream-start and held\n   * constant across all chunks within the same export — a rename\n   * mid-export does not change the snapshot. `undefined` when the\n   * collection has no `dictKeyFields`.\n   *\n   * Shape: `{ [fieldName]: { [stableKey]: { [locale]: label } } }`\n   *\n   * @example\n   * ```ts\n   * chunk.dictionaries?.status?.paid?.th  // → 'ชำระแล้ว'\n   * ```\n   */\n  readonly dictionaries?: Record<\n    string, // field name\n    Record<string, Record<string, string>> // stable key → locale → label\n  >\n\n  /**\n   * Vault ledger head at export time. Present only when\n   * `exportStream({ withLedgerHead: true })` was called. Identical\n   * across every chunk in the same export — included on every chunk\n   * for forward-compatibility with future per-partition ledgers, where\n   * the value will differ per chunk.\n   */\n  readonly ledgerHead?: {\n    readonly hash: string\n    readonly index: number\n    readonly ts: string\n  }\n}\n\n// ─── Sync ──────────────────────────────────────────────────────────────\n\nexport interface DirtyEntry {\n  readonly vault: string\n  readonly collection: string\n  readonly id: string\n  readonly action: 'put' | 'delete'\n  readonly version: number\n  readonly timestamp: string\n}\n\nexport interface SyncMetadata {\n  readonly _noydb_sync: typeof NOYDB_SYNC_VERSION\n  readonly last_push: string | null\n  readonly last_pull: string | null\n  readonly dirty: DirtyEntry[]\n}\n\nexport interface Conflict {\n  readonly vault: string\n  readonly collection: string\n  readonly id: string\n  readonly local: EncryptedEnvelope\n  readonly remote: EncryptedEnvelope\n  readonly localVersion: number\n  readonly remoteVersion: number\n  /**\n   * Present only when the collection uses `conflictPolicy: 'manual'`.\n   * Call `resolve(winner)` to commit the winning envelope, or\n   * `resolve(null)` to defer (conflict stays queued for the next sync).\n   * Called synchronously inside the `sync:conflict` event handler.\n   */\n  readonly resolve?: (winner: EncryptedEnvelope | null) => void\n}\n\nexport type ConflictStrategy =\n  | 'local-wins'\n  | 'remote-wins'\n  | 'version'\n  | ((conflict: Conflict) => 'local' | 'remote')\n\n/**\n * Collection-level conflict policy.\n * Overrides the db-level `conflict` option for the specific collection.\n *\n * - `'last-writer-wins'` — higher `_ts` wins (timestamp LWW).\n * - `'first-writer-wins'` — lower `_v` wins (earlier version is preserved).\n * - `'manual'` — emits `sync:conflict` with a `resolve` callback. Call\n *   `resolve(winner)` synchronously to commit or `resolve(null)` to defer.\n * - Custom fn — synchronous `(local: T, remote: T) => T`. Must be pure.\n */\nexport type ConflictPolicy<T> =\n  | 'last-writer-wins'\n  | 'first-writer-wins'\n  | 'manual'\n  | ((local: T, remote: T) => T)\n\n/**\n * Envelope-level resolver registered per collection with the SyncEngine.\n * Receives the `id` of the conflicting record and both envelopes.\n * Returns the winning envelope, or `null` to defer resolution.\n * @internal\n */\nexport type CollectionConflictResolver = (\n  id: string,\n  local: EncryptedEnvelope,\n  remote: EncryptedEnvelope,\n) => Promise<EncryptedEnvelope | null>\n\n/** Options for targeted push operations. */\nexport interface PushOptions {\n  /** Only push records belonging to these collections. Omit to push all dirty. */\n  collections?: string[]\n}\n\n/** Options for targeted pull operations. */\nexport interface PullOptions {\n  /** Only pull these collections. Omit to pull all. */\n  collections?: string[]\n  /**\n   * Only pull records with `_ts` strictly after this ISO timestamp.\n   * Adapters that implement `listSince` use it directly; others fall back\n   * to a full scan with client-side filtering.\n   */\n  modifiedSince?: string\n}\n\nexport interface PushResult {\n  readonly pushed: number\n  readonly conflicts: Conflict[]\n  readonly errors: Error[]\n}\n\nexport interface PullResult {\n  readonly pulled: number\n  readonly conflicts: Conflict[]\n  readonly errors: Error[]\n}\n\n/** Result of a sync transaction commit. */\nexport interface SyncTransactionResult {\n  readonly status: 'committed' | 'conflict'\n  readonly pushed: number\n  readonly conflicts: Conflict[]\n}\n\nexport interface SyncStatus {\n  readonly dirty: number\n  readonly lastPush: string | null\n  readonly lastPull: string | null\n  readonly online: boolean\n}\n\n// ─── Sync Target ─────────────────────────────────────────\n\nexport type SyncTargetRole = 'sync-peer' | 'backup' | 'archive'\n\n/**\n * A sync target with role and optional per-target policy.\n *\n * | Role        | Direction     | Conflict resolution | Typical use              |\n * |-------------|---------------|---------------------|--------------------------|\n * | `sync-peer` | Bidirectional | ConflictStrategy    | DynamoDB live sync       |\n * | `backup`    | Push-only     | N/A (receives merged)| S3 dump, Google Drive   |\n * | `archive`   | Push-only     | N/A                 | IPFS, Git tags, S3 Lock  |\n */\nexport interface SyncTarget {\n  /** The store to sync with. */\n  readonly store: NoydbStore\n  /** Role determines sync direction and conflict handling. */\n  readonly role: SyncTargetRole\n  /** Per-target sync policy. Inherits store-category default when absent. */\n  readonly policy?: SyncPolicy\n  /** Human-readable label for DevTools and audit logs. */\n  readonly label?: string\n}\n\n// ─── Events ────────────────────────────────────────────────────────────\n\nexport interface ChangeEvent {\n  readonly vault: string\n  readonly collection: string\n  readonly id: string\n  readonly action: 'put' | 'delete'\n}\n\nexport interface NoydbEventMap {\n  'change': ChangeEvent\n  'error': Error\n  'sync:push': PushResult\n  'sync:pull': PullResult\n  'sync:conflict': Conflict\n  'sync:online': void\n  'sync:offline': void\n  'sync:backup-error': { vault: string; target: string; error: Error }\n  'history:save': { vault: string; collection: string; id: string; version: number }\n  'history:prune': { vault: string; collection: string; id: string; pruned: number }\n  /**\n   * Emitted when a persisted-index side-car put/delete fails after the\n   * main record write already succeeded. The main record is durable; the\n   * index mirror may have drifted. Operators reconcile via\n   * `collection.reconcileIndex(field)`.\n   */\n  'index:write-partial': {\n    vault: string\n    collection: string\n    id: string\n    action: 'put' | 'delete'\n    error: Error\n  }\n  /**\n   * emitted by `Collection.ensurePersistedIndexesLoaded()`\n   * once per field on first lazy-mode query when\n   * `reconcileOnOpen: 'auto' | 'dry-run'` is configured. `applied` is\n   * `0` in `'dry-run'` mode. `skipped` is reserved for a future\n   * drift-stamp optimization that short-circuits the reconcile when\n   * the mirror version matches what's on disk — currently always\n   * `false` (the full reconcile runs every session).\n   */\n  'index:reconciled': {\n    vault: string\n    collection: string\n    field: string\n    missing: readonly string[]\n    stale: readonly string[]\n    applied: number\n    skipped: boolean\n  }\n}\n\n// ─── Grant / Revoke ────────────────────────────────────────────────────\n\nexport interface GrantOptions {\n  readonly userId: string\n  readonly displayName: string\n  readonly role: Role\n  readonly passphrase: string\n  readonly permissions?: Permissions\n  /**\n   * Optional `@noy-db/as-*` export capability. Omit or\n   * leave undefined to apply role-based defaults (see\n   * `hasExportCapability` and `ExportCapability`).\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * Optional `@noy-db/as-*` import capability (issue ). Omit or\n   * leave undefined for default-closed semantics — no plaintext format\n   * is grantable until positively listed; bundle import is denied.\n   */\n  readonly importCapability?: ImportCapability\n}\n\nexport interface RevokeOptions {\n  readonly userId: string\n  readonly rotateKeys?: boolean\n\n  /**\n   * Cascade behavior when the revoked user is an admin who has granted\n   * other admins.\n   *\n   * - `'strict'` (default) — recursively revoke every admin that the\n   *   target (transitively) granted. The cascade walks the\n   *   `granted_by` field on each keyring file and stops at non-admin\n   *   leaves. All affected collections are accumulated and rotated in\n   *   a single pass at the end, so cascade cost is O(records in\n   *   affected collections), not O(records × cascade depth).\n   *\n   * - `'warn'` — leave the descendant admins in place but emit a\n   *   `console.warn` listing them. Useful for diagnostic dry runs and\n   *   for environments where the operator wants to clean up the\n   *   delegation tree manually.\n   *\n   * No effect when the target is not an admin (operators, viewers, and\n   * clients cannot grant other users, so they have no delegation\n   * subtree to cascade through). Defaults to `'strict'`.\n   */\n  readonly cascade?: 'strict' | 'warn'\n}\n\n// ─── Cross-vault queries ──────────────────────────────\n\n/**\n * One entry returned by `Noydb.listAccessibleVaults()`. Carries\n * the compartment id and the role the calling principal holds in it,\n * so the consumer can decide how to fan out without re-checking\n * permissions per vault.\n */\nexport interface AccessibleVault {\n  readonly id: string\n  readonly role: Role\n}\n\n/**\n * Options for `Noydb.listAccessibleVaults()`.\n */\nexport interface ListAccessibleVaultsOptions {\n  /**\n   * Minimum role the caller must hold to include a compartment in the\n   * result. Compartments where the caller's role is strictly *below*\n   * this threshold are silently excluded. Defaults to `'client'`,\n   * which means \"every vault I can unwrap is returned.\" Set to\n   * `'admin'` for \"vaults where I can grant/revoke,\" or\n   * `'owner'` for \"vaults I own.\"\n   *\n   * The privilege ordering used:\n   *   `client (1) < viewer (2) < operator (3) < admin (4) < owner (5)`\n   *\n   * Note: `viewer` and `client` are conceptually peers in the ACL\n   * (neither can grant), but `viewer` has read-all access while\n   * `client` has only explicit-collection read. The numeric order\n   * reflects \"how much can this principal see,\" not \"how much can\n   * this principal modify.\"\n   */\n  readonly minRole?: Role\n}\n\n/**\n * Options for `Noydb.queryAcross()`.\n */\nexport interface QueryAcrossOptions {\n  /**\n   * Maximum number of compartments to process in parallel. Defaults\n   * to `1` (sequential) — conservative because the per-compartment\n   * callback typically does its own I/O and an unbounded fan-out can\n   * exhaust adapter connections (DynamoDB throughput, S3 socket\n   * limits, browser fetch concurrency).\n   *\n   * Set to `4` or `8` for cloud-backed compartments where parallelism\n   * is the whole point of fanning out. Set to `1` (default) for local\n   * adapters where the disk I/O serializes anyway.\n   */\n  readonly concurrency?: number\n}\n\n/**\n * One entry in the array returned by `Noydb.queryAcross()`. Either\n * `result` is set (callback succeeded for this compartment) or\n * `error` is set (callback threw, or compartment failed to open).\n *\n * Per-compartment errors do **not** abort the overall fan-out — every\n * compartment is given a chance to run its callback, and the\n * partition between success and failure is exposed in the return\n * value. Consumers that want fail-fast semantics can check\n * `r.error !== undefined` and short-circuit themselves.\n */\nexport type QueryAcrossResult<T> =\n  | { readonly vault: string; readonly result: T; readonly error?: undefined }\n  | { readonly vault: string; readonly result?: undefined; readonly error: Error }\n\n// ─── User Info ─────────────────────────────────────────────────────────\n\nexport interface UserInfo {\n  readonly userId: string\n  readonly displayName: string\n  readonly role: Role\n  readonly permissions: Permissions\n  readonly createdAt: string\n  readonly grantedBy: string\n}\n\n// ─── Session ───────────────────────────────────────────────\n\n/**\n * Operations that a session policy can require re-authentication for.\n * Passed as the `requireReAuthFor` array in `SessionPolicy`.\n */\nexport type ReAuthOperation = 'export' | 'grant' | 'revoke' | 'rotate' | 'changeSecret'\n\n/**\n * Session policy controlling lifetime, re-auth requirements, and\n * background-lock behavior.\n *\n * All timeout values are in milliseconds. `undefined` means \"no limit.\"\n * The policy is evaluated lazily — it does not start timers itself;\n * enforcement happens at the Noydb call site.\n */\nexport interface SessionPolicy {\n  /**\n   * Idle timeout in ms. If no NOYDB operation is performed for this\n   * duration, the session is revoked on the next operation attempt\n   * (which will throw `SessionExpiredError`). The idle clock resets\n   * on every successful operation.\n   *\n   * Default: `undefined` (no idle timeout).\n   */\n  readonly idleTimeoutMs?: number\n\n  /**\n   * Absolute timeout in ms from session creation. After this duration\n   * the session is unconditionally revoked regardless of activity.\n   *\n   * Default: `undefined` (no absolute timeout).\n   */\n  readonly absoluteTimeoutMs?: number\n\n  /**\n   * Operations that require the user to re-authenticate (re-enter their\n   * passphrase or perform a fresh WebAuthn assertion) before proceeding,\n   * even if the session is still alive.\n   *\n   * Common pattern: `requireReAuthFor: ['export', 'grant']` — allow\n   * read/write operations in the background but demand a fresh credential\n   * for high-risk mutations.\n   *\n   * Default: `[]` (no extra re-auth requirements).\n   */\n  readonly requireReAuthFor?: readonly ReAuthOperation[]\n\n  /**\n   * If `true`, the session is revoked when the page goes to the background\n   * (visibilitychange event, `document.hidden === true`). Useful for\n   * high-sensitivity deployments where leaving the tab is treated as\n   * a session boundary.\n   *\n   * No-op in non-browser environments (Node.js, workers without document).\n   * Default: `false`.\n   */\n  readonly lockOnBackground?: boolean\n}\n\n// ─── i18n / Locale ─────────────────────────────────────\n\n/**\n * Locale-aware read options. Pass to `Collection.get()`, `list()`,\n * `query()`, and `scan()` to trigger per-record locale resolution for\n * `dictKey` and `i18nText` fields.\n *\n * - **`locale: 'raw'`** — skip resolution for `i18nText` fields and\n *   return the full `{ [locale]: string }` map. Dict key fields still\n *   return the stable key (no `<field>Label` added).\n * - **`fallback`** — single locale code or ordered list. Use `'any'` as\n *   the last element to fall back to any present translation.\n *\n * When neither the call-level locale nor the compartment's default locale\n * is set, reading a record with `i18nText` fields throws\n * `LocaleNotSpecifiedError`.\n */\nexport interface LocaleReadOptions {\n  /**\n   * The target locale code (e.g. `'th'`), or `'raw'` to return the full\n   * language map without resolution.\n   */\n  readonly locale?: string\n  /**\n   * Fallback locale or ordered fallback chain. Use `'any'` as the last\n   * element to fall back to any present translation.\n   */\n  readonly fallback?: string | readonly string[]\n}\n\n// ─── plaintextTranslator hook ──────────────────────────────\n\n/**\n * Context passed to the consumer-supplied `plaintextTranslator` function.\n * The hook receives the source text plus enough metadata to route it to the\n * right translation service and record what it did.\n */\nexport interface PlaintextTranslatorContext {\n  /** The plaintext string to translate. */\n  readonly text: string\n  /** BCP 47 source locale (the locale the text is written in). */\n  readonly from: string\n  /** BCP 47 target locale to translate into. */\n  readonly to: string\n  /** The schema field name that triggered the translation. */\n  readonly field: string\n  /** The collection the record is being put into. */\n  readonly collection: string\n}\n\n/**\n * A consumer-supplied async function that translates a single string\n * from one locale to another. noy-db ships no built-in translator.\n *\n * **Security:** this function receives plaintext. The consumer is\n * responsible for the data policy of whatever service it calls. See\n * `NOYDB_SPEC.md § Zero-Knowledge Storage` and the `plaintextTranslator`\n * JSDoc on `NoydbOptions` for the full invariant statement.\n */\nexport type PlaintextTranslatorFn = (\n  ctx: PlaintextTranslatorContext,\n) => Promise<string>\n\n/**\n * One entry in the in-process translator audit log. Cleared when\n * `db.close()` is called — same lifetime as the KEK and DEKs.\n *\n * Deliberately omits any content hash or translated-text fingerprint\n * to prevent correlation attacks on the audit trail.\n */\nexport interface TranslatorAuditEntry {\n  readonly type: 'translator-invocation'\n  /** Schema field name that was translated. */\n  readonly field: string\n  /** Collection the record belongs to. */\n  readonly collection: string\n  /** Source locale. */\n  readonly fromLocale: string\n  /** Target locale. */\n  readonly toLocale: string\n  /**\n   * Consumer-provided translator name from\n   * `NoydbOptions.plaintextTranslatorName`. Defaults to `'anonymous'`\n   * when not supplied.\n   */\n  readonly translatorName: string\n  /** ISO 8601 timestamp of the invocation. */\n  readonly timestamp: string\n  /**\n   * `true` when the result was served from the in-process cache rather\n   * than by calling the translator function. Present only on cache hits\n   * so the absence of the field also communicates a cache miss.\n   */\n  readonly cached?: true\n}\n\n// ─── Presence ─────────────────────────────────────────────\n\n/**\n * A presence peer entry. `lastSeen` is an ISO timestamp set by core on each\n * `update()` call. Stale entries (lastSeen older than `staleMs`) are filtered\n * before delivering to the subscriber callback.\n */\nexport interface PresencePeer<P> {\n  readonly userId: string\n  readonly payload: P\n  readonly lastSeen: string\n}\n\n// ─── CRDT ─────────────────────────────────────────────────\n\n// Re-exported from crdt.ts so consumers only need one import path.\nexport type { CrdtMode, CrdtState, LwwMapState, RgaState, YjsState } from './crdt/crdt.js'\n\n// ─── Blob / Attachment Store ────────────────────────\n\n/**\n * Second store shape for blob-store backends (Drive, WebDAV, Git, iCloud)\n * that operate on whole-vault bundles rather than per-record KV.\n *\n * Implement `readBundle` / `writeBundle` instead of the six-method KV\n * contract. Use `wrapBundleStore()` from `@noy-db/hub` to convert to a\n * `NoydbStore` that the rest of the API consumes transparently.\n *\n * Named `NoydbBundleStore` (not `NoydbBundleAdapter`) for consistency\n * with the hub / to-* / in-* rename. Concrete implementations ship\n * in `@noy-db/to-*` packages starting in.\n */\nexport interface NoydbBundleStore {\n  /** Discriminant for engine auto-detection of store shape. */\n  readonly kind: 'bundle'\n  /** Human-readable name for diagnostics (e.g. `'drive'`, `'webdav'`). */\n  readonly name?: string\n  /**\n   * Read the entire vault as raw bytes. Returns `null` if no bundle exists\n   * yet (first open of a brand-new vault).\n   */\n  readBundle(vaultId: string): Promise<{ bytes: Uint8Array; version: string } | null>\n  /**\n   * Write the entire vault as raw bytes. `expectedVersion` is the version\n   * token from the last `readBundle` (or `null` for a first write).\n   * Implementations MUST reject the write if the stored version has advanced\n   * past `expectedVersion` — throw `BundleVersionConflictError`.\n   * Returns the new version token on success.\n   */\n  writeBundle(\n    vaultId: string,\n    bytes: Uint8Array,\n    expectedVersion: string | null,\n  ): Promise<{ version: string }>\n  /** Delete a vault bundle. Idempotent — no-op if the bundle does not exist. */\n  deleteBundle(vaultId: string): Promise<void>\n  /** List all vault bundles managed by this store. */\n  listBundles(): Promise<Array<{ vaultId: string; version: string; size: number }>>\n}\n\n/**\n * Content-addressed blob object stored in the vault-level blob index.\n * Identified by HMAC-SHA-256(blobDEK, plaintext) — opaque to the store.\n *\n * Shared across all collections within a vault for deduplication: two\n * records that attach identical byte content reference the same `eTag`\n * and share a single set of encrypted chunks in `_blob_chunks`.\n */\nexport interface BlobObject {\n  /** HMAC-SHA-256 hex of the original plaintext bytes, keyed by `_blob` DEK. */\n  readonly eTag: string\n  /** Original uncompressed size in bytes. */\n  readonly size: number\n  /** Compressed size in bytes (the payload that is actually encrypted and chunked). */\n  readonly compressedSize: number\n  /** Compression algorithm applied before encryption. */\n  readonly compression: 'gzip' | 'none'\n  /** Raw chunk size in bytes used at write time. Readers MUST use this value. */\n  readonly chunkSize: number\n  /** Total number of chunks written. Reader expects exactly this many. */\n  readonly chunkCount: number\n  /** MIME type if provided or auto-detected at upload time. */\n  readonly mimeType?: string\n  /** ISO timestamp of first upload. */\n  readonly createdAt: string\n  /** Live reference count — slots + published versions pointing to this blob. */\n  readonly refCount: number\n  /**\n   * Hint indicating which store holds the chunk data.\n   * Used by `routeStore` size-tiered routing: `'default'` for small blobs\n   * stored inline (e.g. DynamoDB), `'blobs'` for large blobs in the overflow\n   * store (e.g. S3). Absent when no routing is configured.\n   */\n  readonly storeHint?: 'default' | 'blobs'\n}\n\n// ─── Attachment types ─────────────────────────────────────────\n\n/** Single attachment metadata entry stored inside a record's attachment envelope. */\nexport interface AttachmentEntry {\n  /** Content-addressed identifier (HMAC-SHA-256 of plaintext). */\n  readonly eTag: string\n  /** User-visible filename for the slot. */\n  readonly filename: string\n  /** Original uncompressed size in bytes. */\n  readonly size: number\n  /** MIME type, if provided or auto-detected at upload time. */\n  readonly mimeType?: string\n  /** ISO timestamp of the upload. */\n  readonly uploadedAt: string\n  /** User ID of the uploader, if available. */\n  readonly uploadedBy?: string\n}\n\n/** Attachment entry annotated with its slot name, as returned by `AttachmentHandle.list()`. */\nexport type AttachmentInfo = AttachmentEntry & { readonly name: string }\n\n/** Options for `AttachmentHandle.put()`. */\nexport interface AttachmentPutOptions {\n  /** Compress the attachment with gzip before encryption. Default: `true`. */\n  compress?: boolean\n  /** Chunk size in bytes. Default: `DEFAULT_CHUNK_SIZE` (256 KB). */\n  chunkSize?: number\n  /** MIME type to store with the attachment. Auto-detected from magic bytes if omitted. */\n  mimeType?: string\n  /** User ID to record as the uploader. Falls back to the active user's ID. */\n  uploadedBy?: string\n}\n\n/** Options for `AttachmentHandle.response()`. */\nexport interface AttachmentResponseOptions {\n  /**\n   * Set `Content-Disposition: inline` so the browser renders the file\n   * instead of downloading it. Default: `false` (attachment disposition).\n   */\n  inline?: boolean\n}\n\n/**\n * Slot record — mutable metadata linking a named slot on a record\n * to a `BlobObject` via its eTag.\n *\n * Multiple slots (even across different records) may reference the same\n * `eTag` — the underlying chunks are shared. Updating metadata creates\n * a new envelope version (`_v++`) while the blob data is unchanged.\n */\nexport interface SlotRecord {\n  /** Reference to the `BlobObject` in `_blob_index`. */\n  readonly eTag: string\n  /** User-visible filename for the slot. */\n  readonly filename: string\n  /** Original uncompressed size in bytes (denormalized from `BlobObject`). */\n  readonly size: number\n  /** MIME type. Takes precedence over the MIME type stored in `BlobObject`. */\n  readonly mimeType?: string\n  /** ISO timestamp of the upload that set this slot. */\n  readonly uploadedAt: string\n  /** User ID of the uploader, if available. */\n  readonly uploadedBy?: string\n}\n\n/** Result of `BlobSet.list()` — slot record plus its named slot key. */\nexport interface SlotInfo extends SlotRecord {\n  /** The slot name (key in the record's slot map). */\n  readonly name: string\n}\n\n/**\n * Explicitly published version snapshot — an independent reference to a\n * blob at a specific point in time.\n */\nexport interface VersionRecord {\n  /** User-defined label (e.g. `'issued-2025-01'`, `'amendment-2025-02'`). */\n  readonly label: string\n  /** eTag of the blob snapshot at publish time — independent of the current slot. */\n  readonly eTag: string\n  /** ISO timestamp when the version was published. */\n  readonly publishedAt: string\n  /** User ID of the publisher, if available. */\n  readonly publishedBy?: string\n}\n\n/** Options for `BlobSet.put()`. */\nexport interface BlobPutOptions {\n  /** MIME type hint. If omitted, auto-detected from magic bytes. */\n  mimeType?: string\n  /**\n   * Raw chunk size in bytes. Priority: this value > store.maxBlobBytes > 256 KB.\n   */\n  chunkSize?: number\n  /**\n   * Whether to gzip-compress bytes before encrypting. Default: `true`.\n   * Auto-set to `false` for pre-compressed MIME types (JPEG, PNG, ZIP, etc.).\n   */\n  compress?: boolean\n  /** User ID to record as `uploadedBy`. Defaults to the Noydb session user. */\n  uploadedBy?: string\n}\n\n/** Options for `BlobSet.response()` and `BlobSet.responseVersion()`. */\nexport interface BlobResponseOptions {\n  /**\n   * When `true`, sets `Content-Disposition: inline; filename=\"...\"` so\n   * the browser renders the file in the tab. Default (`false`) sets\n   * `attachment; filename=\"...\"` which triggers a download.\n   */\n  inline?: boolean\n  /** Override the filename in the Content-Disposition header. */\n  filename?: string\n}\n\n// ─── Store Capabilities ─────────────────────────────\n\nexport type StoreAuthKind =\n  | 'none'\n  | 'filesystem'\n  | 'api-key'\n  | 'iam'\n  | 'oauth'\n  | 'kerberos'\n  | 'browser-origin'\n\nexport interface StoreAuth {\n  kind: StoreAuthKind | StoreAuthKind[]\n  required: boolean\n  flow: 'static' | 'oauth' | 'kerberos' | 'implicit'\n}\n\nexport interface StoreCapabilities {\n  /**\n   * true — the store's expectedVersion check and write are atomic at the\n   * storage layer. Two concurrent puts with the same expectedVersion will\n   * produce exactly one success and one ConflictError.\n   * false — check and write are separate operations with a race window.\n   */\n  casAtomic: boolean\n  auth: StoreAuth\n  /**\n   * true — the store implements {@link NoydbStore.tx} and commits\n   * every op atomically at the storage layer. The hub's\n   * `db.transaction(fn)` will delegate to `tx(ops)` and surface a\n   * single pass/fail outcome. false (or absent) — no native\n   * multi-record atomicity; the hub falls back to per-record OCC\n   * with best-effort unwind on partial failure.\n   */\n  txAtomic?: boolean\n  /**\n   * Maximum raw bytes per blob chunk record.\n   * `undefined` — no limit (S3, file, IDB); blob stored as single chunk.\n   * `256 * 1024` — DynamoDB (400 KB item limit minus envelope overhead).\n   * `5 * 1024 * 1024` — localStorage quota safety.\n   */\n  maxBlobBytes?: number\n}\n\n// ─── Factory Options ───────────────────────────────────────────────────\n\nexport interface NoydbOptions {\n  /** Primary store (local storage). */\n  readonly store: NoydbStore\n  /**\n   * tree-shake seam — optional blob strategy. Pass `withBlobs()`\n   * from `@noy-db/hub/blobs` to enable `collection.blob(id)` storage.\n   * When omitted, hub's blob machinery stays out of the bundle (ESM\n   * tree-shaking) and `collection.blob(id)` throws with a pointer at\n   * the subpath. `BlobStrategy` is `@internal` — users only construct\n   * it via the subpath factory.\n   *\n   * @internal\n   */\n  readonly blobStrategy?: BlobStrategy\n  /**\n   * tree-shake seam — optional indexing strategy. Pass\n   * `withIndexing()` from `@noy-db/hub/indexing` to enable eager-mode\n   * `==/in` fast-paths, lazy-mode `.lazyQuery()`, rebuild/reconcile,\n   * and auto-reconcile. When omitted, indexing code never reaches the\n   * bundle; `.lazyQuery()` throws with a pointer at the subpath, and\n   * eager-mode collections fall back to linear scans regardless of\n   * `indexes: [...]` declarations. `IndexStrategy` is `@internal` —\n   * users only construct it via the subpath factory.\n   *\n   * @internal\n   */\n  readonly indexStrategy?: IndexStrategy\n  /**\n   * tree-shake seam — optional aggregate strategy. Pass\n   * `withAggregate()` from `@noy-db/hub/aggregate` to enable\n   * `.aggregate()` and `.groupBy()` on Query. When omitted, those\n   * methods throw with a pointer at the subpath; the ~886 LOC of\n   * Aggregation + GroupedQuery machinery never reaches the bundle.\n   * Streaming `scan().aggregate()` works independently of this\n   * strategy — it doesn't use the `Aggregation` class.\n   *\n   * @internal\n   */\n  readonly aggregateStrategy?: AggregateStrategy\n  /**\n   * tree-shake seam — optional CRDT strategy. Required when\n   * any collection is declared with `crdt: 'lww-map' | 'rga' | 'yjs'`;\n   * otherwise the first put/sync-merge hitting the CRDT path throws.\n   * When omitted, ~221 LOC of LWW-Map / RGA / merge helpers never\n   * reach the bundle.\n   *\n   * @internal\n   */\n  readonly crdtStrategy?: CrdtStrategy\n  /**\n   * tree-shake seam — optional consent-audit strategy. Pass\n   * `withConsent()` from `@noy-db/hub/consent` to enable per-op audit\n   * writes into `_consent_audit` when a consent scope is active.\n   * When omitted, `vault.consentAudit()` returns `[]` and writes are\n   * no-ops; the consent module's ~194 LOC never reaches the bundle.\n   *\n   * @internal\n   */\n  readonly consentStrategy?: ConsentStrategy\n  /**\n   * tree-shake seam — optional periods strategy. Pass\n   * `withPeriods()` from `@noy-db/hub/periods` to enable\n   * `vault.closePeriod()` / `.openPeriod()` / write-guard on closed\n   * periods. When omitted, `vault.listPeriods()` returns `[]` and\n   * the write-guard is a no-op; the ~363 LOC of period validation +\n   * ledger appending stay out of the bundle.\n   *\n   * @internal\n   */\n  readonly periodsStrategy?: PeriodsStrategy\n  /**\n   * tree-shake seam — optional VaultFrame strategy. Pass\n   * `withShadow()` from `@noy-db/hub/shadow` to enable\n   * `vault.frame()`. Without it, calling `vault.frame()` throws.\n   *\n   * @internal\n   */\n  readonly shadowStrategy?: ShadowStrategy\n  /**\n   * tree-shake seam — optional multi-record transactions. Pass\n   * `withTransactions()` from `@noy-db/hub/tx` to enable\n   * `db.transaction(fn)`. Without it, calling the method throws.\n   *\n   * @internal\n   */\n  readonly txStrategy?: TxStrategy\n  /**\n   * tree-shake seam — optional history + ledger + time-machine.\n   * Pass `withHistory()` from `@noy-db/hub/history` to enable\n   * per-record version snapshots, the hash-chained audit ledger, JSON\n   * Patch deltas, `vault.ledger()`, `vault.at()`, and the\n   * `collection.history()` / `getVersion()` / `revert()` / `diff()` /\n   * `clearHistory()` / `pruneRecordHistory()` read APIs. When omitted,\n   * snapshots/prune/clear are silent no-ops, the read APIs throw with\n   * a pointer at the subpath, and ~1,880 LOC stay out of the bundle.\n   *\n   * @internal\n   */\n  readonly historyStrategy?: HistoryStrategy\n  /**\n   * tree-shake seam — optional i18n strategy. Pass `withI18n()`\n   * from `@noy-db/hub/i18n` to enable `i18nText`/`dictKey` field\n   * resolution on reads, `i18nText` validation on writes, and\n   * `vault.dictionary(name)`. When omitted, locale resolution is the\n   * identity (raw values returned), the validators throw with a\n   * pointer to the subpath, and ~854 LOC of dictionary + locale\n   * machinery stay out of the bundle.\n   *\n   * @internal\n   */\n  readonly i18nStrategy?: I18nStrategy\n  /**\n   * tree-shake seam — optional session-policy strategy. Pass\n   * `withSession()` from `@noy-db/hub/session` to enable\n   * `sessionPolicy` validation, `PolicyEnforcer` lifecycle (idle /\n   * absolute timeouts, lockOnBackground), and global session-token\n   * revocation. When omitted, setting `sessionPolicy` throws at\n   * `createNoydb()` time, and ~495 LOC of policy + token machinery\n   * stay out of the bundle.\n   *\n   * @internal\n   */\n  readonly sessionStrategy?: SessionStrategy\n  /**\n   * tree-shake seam — optional sync engine + presence strategy.\n   * Pass `withSync()` from `@noy-db/hub/sync` to enable\n   * `db.push()` / `pull()` / replication, `db.transaction(vault)`\n   * for sync-aware transactions, and `collection.presence()`. When\n   * omitted, configuring `sync` / calling these surfaces throws with\n   * a pointer at the subpath, and ~856 LOC of replication + presence\n   * machinery stay out of the bundle. Keyring stays core; grant/\n   * revoke/magic-link/delegation tree-shake via direct imports.\n   *\n   * @internal\n   */\n  readonly syncStrategy?: SyncStrategy\n  /** Optional remote store(s) for sync. Accepts a single store, a SyncTarget, or an array. */\n  readonly sync?: NoydbStore | SyncTarget | SyncTarget[]\n  /** User identifier. */\n  readonly user: string\n  /** Passphrase for key derivation. Required unless encrypt is false or `getKeyring` is provided. */\n  readonly secret?: string\n  /**\n   * Optional callback that returns an unlocked keyring for a given vault.\n   * Use this to plug in WebAuthn / OIDC / Shamir / any unlock path that\n   * produces an `UnlockedKeyring` outside the passphrase model.\n   *\n   * When set, `secret` MUST NOT also be set — `createNoydb` throws if both\n   * are supplied. When neither is set (and `encrypt !== false`), `createNoydb`\n   * also throws.\n   *\n   * The callback is called lazily, on the first operation that needs the\n   * keyring for a given vault. Noydb caches the returned keyring per-vault\n   * for the lifetime of the instance, so the callback is invoked at most\n   * once per `(instance, vault)` pair (assuming the callback resolves\n   * successfully). If the callback rejects, the rejection surfaces from the\n   * first vault operation that triggered the unlock; subsequent operations\n   * will retry the callback.\n   *\n   * @example\n   * ```ts\n   * import { createNoydb } from '@noy-db/hub'\n   * import { unlockWebAuthn } from '@noy-db/on-webauthn'\n   *\n   * const enrollment = await loadEnrollment()\n   * const db = await createNoydb({\n   *   store,\n   *   user: 'alice',\n   *   getKeyring: (vault) => unlockWebAuthn(enrollment),\n   * })\n   * ```\n   *\n   * Note: this callback is responsible for both the \"open existing vault\"\n   * and the \"create new vault\" cases. Unlike the passphrase path, there is\n   * no automatic `NoAccessError` → `createOwnerKeyring` fallback, because\n   * the callback owner has the UI context to decide which path to run.\n   * For first-time bootstrap, use a passphrase or recovery code, enroll\n   * WebAuthn from the unlocked keyring, then swap to `getKeyring` on\n   * subsequent sessions.\n   */\n  readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>\n  /** Auth method. Default: 'passphrase'. */\n  readonly auth?: 'passphrase' | 'biometric'\n  /** Enable encryption. Default: true. */\n  readonly encrypt?: boolean\n  /** Conflict resolution strategy. Default: 'version'. */\n  readonly conflict?: ConflictStrategy\n  /**\n   * Sync scheduling policy. Controls when push/pull fire.\n   * Default inferred from store category: per-record → `on-change`,\n   * bundle → `debounce 30s`.\n   */\n  readonly syncPolicy?: SyncPolicy\n  /**\n   * @deprecated Use `syncPolicy` instead. Kept for backward compatibility.\n   * When both are supplied, `syncPolicy` takes precedence.\n   */\n  readonly autoSync?: boolean\n  /**\n   * @deprecated Use `syncPolicy` instead. Kept for backward compatibility.\n   */\n  readonly syncInterval?: number\n  /**\n   * Session timeout in ms. Clears keys after inactivity. Default: none.\n   * @deprecated Use `sessionPolicy.idleTimeoutMs` instead. This field is\n   * still honored for backwards compatibility but `sessionPolicy` takes\n   * precedence when both are supplied.\n   */\n  readonly sessionTimeout?: number\n  /**\n   * Session policy controlling lifetime, re-auth requirements, and\n   * background-lock behavior. When supplied, replaces the\n   * legacy `sessionTimeout` field.\n   */\n  readonly sessionPolicy?: SessionPolicy\n  /** Validate passphrase strength on creation. Default: true. */\n  readonly validatePassphrase?: boolean\n  /** Audit history configuration. */\n  readonly history?: HistoryConfig\n  /**\n   * Consumer-supplied translation function for `i18nText` fields with\n   * `autoTranslate: true`.\n   *\n   * ⚠ **`plaintextTranslator` receives unencrypted text.** Configuring\n   * this hook causes plaintext to leave noy-db's zero-knowledge boundary\n   * over whatever channel the consumer's implementation uses. noy-db ships\n   * no built-in translator and adds no translator SDKs as dependencies.\n   * The consumer chooses and owns the data policy of the external service.\n   *\n   * Per-field opt-in via `autoTranslate: true` on `i18nText()`. Calling\n   * `put()` on a collection with `autoTranslate: true` fields while this\n   * option is absent throws `TranslatorNotConfiguredError`.\n   *\n   * See `NOYDB_SPEC.md § Zero-Knowledge Storage` for the invariant text.\n   */\n  readonly plaintextTranslator?: PlaintextTranslatorFn\n  /**\n   * Human-readable name for the translator, recorded in the in-process\n   * audit log (e.g. `'deepl-pro-with-dpa'`, `'self-hosted-llama-7b'`).\n   * Defaults to `'anonymous'` when not supplied.\n   */\n  readonly plaintextTranslatorName?: string\n}\n\n// ─── History / Audit Trail ─────────────────────────────────────────────\n\n/** History configuration. */\nexport interface HistoryConfig {\n  /** Enable history tracking. Default: true. */\n  readonly enabled?: boolean\n  /** Maximum history entries per record. Oldest pruned on overflow. Default: unlimited. */\n  readonly maxVersions?: number\n}\n\n/** Options for querying history. */\nexport interface HistoryOptions {\n  /** Start date (inclusive), ISO 8601. */\n  readonly from?: string\n  /** End date (inclusive), ISO 8601. */\n  readonly to?: string\n  /** Maximum entries to return. */\n  readonly limit?: number\n}\n\n/** Options for pruning history. */\nexport interface PruneOptions {\n  /** Keep only the N most recent versions. */\n  readonly keepVersions?: number\n  /** Delete versions older than this date, ISO 8601. */\n  readonly beforeDate?: string\n}\n\n/** A decrypted history entry. */\nexport interface HistoryEntry<T> {\n  readonly version: number\n  readonly timestamp: string\n  readonly userId: string\n  readonly record: T\n}\n\n// ─── Bulk operations ──────────────────────────────────────\n\n/** Per-item options for `Collection.putMany()`. */\nexport interface PutManyItemOptions {\n  /**\n   * Optimistic-concurrency check: fail this item if the stored version\n   * is not `expectedVersion`. Honored only in `atomic: true` mode;\n   * ignored in the default best-effort loop.\n   */\n  readonly expectedVersion?: number\n}\n\n/**\n * Batch-level options for `Collection.putMany()` and `deleteMany()`.\n *\n * `atomic: true` switches the call from best-effort loop\n * to all-or-nothing: a pre-flight CAS check runs first, then every op\n * is executed; any mid-batch failure triggers a best-effort revert.\n * On failure in atomic mode the whole call throws — you won't get a\n * partial `PutManyResult`. On success the result mirrors the default\n * loop's shape.\n */\nexport interface PutManyOptions {\n  readonly atomic?: boolean\n}\n\n/** Result of `Collection.putMany()`. */\nexport interface PutManyResult {\n  /** `true` iff every entry succeeded. */\n  readonly ok: boolean\n  /** IDs that were successfully written. */\n  readonly success: readonly string[]\n  /** Entries that failed, with the error that prevented each write. */\n  readonly failures: ReadonlyArray<{ readonly id: string; readonly error: Error }>\n}\n\n/** Result of `Collection.deleteMany()`. Same shape as `PutManyResult`. */\nexport interface DeleteManyResult {\n  readonly ok: boolean\n  readonly success: readonly string[]\n  readonly failures: ReadonlyArray<{ readonly id: string; readonly error: Error }>\n}\n"],"mappings":";AA0CO,IAAM,uBAAuB;AAG7B,IAAM,wBAAwB;AAG9B,IAAM,uBAAuB;AAG7B,IAAM,qBAAqB;AA6U3B,SAAS,YACd,SACmC;AACnC,SAAO;AACT;","names":[]}

package/dist/{chunk-M2F2JAWB.js → chunk-PSHTHSIX.js}

@@ -1,7 +1,7 @@
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-ZRG4V3F5.js";
+} from "./chunk-O5GK62FJ.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -461,4 +461,4 @@ export {
   hasImportCapability,
   evaluateImportCapability
 };
-//# sourceMappingURL=chunk-M2F2JAWB.js.map
+//# sourceMappingURL=chunk-PSHTHSIX.js.map

package/dist/{chunk-UQFSPSWG.js → chunk-QZIACZZU.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-ZRG4V3F5.js";
+} from "./chunk-O5GK62FJ.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -1106,4 +1106,4 @@ export {
   BLOB_EVICTION_AUDIT_COLLECTION,
   runCompaction
 };
-//# sourceMappingURL=chunk-UQFSPSWG.js.map
+//# sourceMappingURL=chunk-QZIACZZU.js.map

package/dist/consent/index.d.cts

@@ -1,5 +1,5 @@
-import { Z as ConsentStrategy } from '../types-Bfs0qr5F.cjs';
-export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-Bfs0qr5F.cjs';
+import { Z as ConsentStrategy } from '../types-BVSfkYg6.cjs';
+export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-BVSfkYg6.cjs';
 import '../lazy-builder-CZVLKh0Z.cjs';
 import '../predicate-SBHmi6D0.cjs';
 import '../strategy-D-SrOLCl.cjs';

package/dist/consent/index.d.ts

@@ -1,5 +1,5 @@
-import { Z as ConsentStrategy } from '../types-BZpCZB8N.js';
-export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-BZpCZB8N.js';
+import { Z as ConsentStrategy } from '../types-Dmi7nrC9.js';
+export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-Dmi7nrC9.js';
 import '../lazy-builder-BwEoBQZ9.js';
 import '../predicate-SBHmi6D0.js';
 import '../strategy-D-SrOLCl.js';

package/dist/{dev-unlock-CeXic1xC.d.cts → dev-unlock-5SmCVGyx.d.cts}

@@ -1,4 +1,4 @@
-import { aq as Role, ar as UnlockedKeyring } from './types-Bfs0qr5F.cjs';
+import { aq as Role, ar as UnlockedKeyring } from './types-BVSfkYg6.cjs';
 
 /**
  * Session tokens —

package/dist/{dev-unlock-KrKkcqD3.d.ts → dev-unlock-XOUecfQ9.d.ts}

@@ -1,4 +1,4 @@
-import { aq as Role, ar as UnlockedKeyring } from './types-BZpCZB8N.js';
+import { aq as Role, ar as UnlockedKeyring } from './types-Dmi7nrC9.js';
 
 /**
  * Session tokens —

package/dist/{hash-ChfJjRjQ.d.ts → hash-Bxud16vM.d.ts}

@@ -1,4 +1,4 @@
-import { av as EncryptedEnvelope } from './types-BZpCZB8N.js';
+import { av as EncryptedEnvelope } from './types-Dmi7nrC9.js';
 
 /**
  * Ledger storage constants — pinned in their own leaf module so

package/dist/{hash-9KO1BGxh.d.cts → hash-CvuKN2gH.d.cts}

@@ -1,4 +1,4 @@
-import { av as EncryptedEnvelope } from './types-Bfs0qr5F.cjs';
+import { av as EncryptedEnvelope } from './types-BVSfkYg6.cjs';
 
 /**
  * Ledger storage constants — pinned in their own leaf module so