@noy-db/hub 0.1.0-pre.3 → 0.1.0-pre.5

package/dist/{types-Bfs0qr5F.d.cts → types-BpyE4o_n.d.cts}

@@ -1,7 +1,7 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-CZVLKh0Z.cjs';
 import { A as AggregateStrategy } from './strategy-D-SrOLCl.cjs';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.cjs';
-import { U as RefDescriptor, p as JoinableSource, Z as RefViolation, Q as Query, $ as ScanBuilder } from './index-DN-J-5wT.cjs';
+import { N as NoydbError, U as RefDescriptor, p as JoinableSource, Z as RefViolation, Q as Query, $ as ScanBuilder } from './index-6xNpPsxR.cjs';
 import { I as IndexDef, C as CollectionIndexes } from './predicate-SBHmi6D0.cjs';
 
 /**
@@ -1739,6 +1739,86 @@ declare class NoydbEventEmitter {
     removeAllListeners(): void;
 }
 
+/**
+ * Passphrase validation — phrase format (per the three-tier session-tiers
+ * design, locked 2026-05-04).
+ *
+ * Passphrases are **phrases**: multiple simple words, easy to remember,
+ * structurally constrained so a weak choice cannot silently collapse the
+ * security floor. The format is intentionally narrow: lowercase letters
+ * and single spaces only, no punctuation, no symbols, no digits.
+ *
+ * - Default minimum: 6 words (~77 bits with the 7,776-word EFF list).
+ * - Strict minimum: 8 words (~103 bits).
+ * - Per-word minimum: 3 characters (excludes "a", "is", "of").
+ * - Adjacent repeats rejected ("the the").
+ *
+ * The hub runs validation default-on at every passphrase ingress
+ * (`createOwnerKeyring`, `grant`, `rotatePassphrase`); test fixtures and
+ * CLI scripts override via `{ allowWeakPassphrase: true }`.
+ *
+ * @module
+ */
+
+/** All reasons a phrase can be rejected. */
+type WeakPassphraseReason = 'empty' | 'invalid-chars' | 'leading-or-trailing-space' | 'double-space' | 'too-few-words' | 'word-too-short' | 'repeated-adjacent';
+/** Per-vault knobs. Aligns with `VaultPolicy.passphrase`. */
+interface PassphrasePolicy {
+    /** Minimum number of words. Default 6. Strict policy uses 8. */
+    readonly minWords?: number;
+    /** Minimum characters per word. Default 3. */
+    readonly minWordLength?: number;
+    /** Reject adjacent identical words ("the the"). Default true. */
+    readonly rejectRepeatedAdjacent?: boolean;
+}
+/** Result of a check. Discriminated union — compile-time exhaustive. */
+type PassphraseValidationResult = {
+    readonly ok: true;
+    readonly words: number;
+} | {
+    readonly ok: false;
+    readonly reason: WeakPassphraseReason;
+    readonly minimum?: number;
+    readonly got?: number;
+};
+/**
+ * Thrown by `assertStrongPassphrase()` and by every hub ingress
+ * point (`createOwnerKeyring`, `grant`, `rotatePassphrase`) when a
+ * supplied phrase fails the structural rules above.
+ */
+declare class WeakPassphraseError extends NoydbError {
+    readonly reason: WeakPassphraseReason;
+    readonly suggestion: string;
+    constructor(reason: WeakPassphraseReason, suggestion: string);
+}
+/**
+ * Inspect a phrase against the format rules and return a structured
+ * verdict. Never throws — callers either branch on `ok` or pass the
+ * result to {@link assertStrongPassphrase} for the throwing flavour.
+ */
+declare function validatePassphrase(s: string, opts?: PassphrasePolicy): PassphraseValidationResult;
+/**
+ * Throw {@link WeakPassphraseError} when the phrase fails. Used by
+ * `createOwnerKeyring`, `grant`, and `rotatePassphrase` at ingress.
+ *
+ * Pass `{ allowWeakPassphrase: true }` to bypass — intended for test
+ * fixtures, CLI scripts, and dev environments. The override never
+ * loosens the cryptographic key derivation; it only relaxes the
+ * structural-strength gate.
+ */
+declare function assertStrongPassphrase(s: string, opts?: PassphrasePolicy & {
+    allowWeakPassphrase?: boolean;
+}): void;
+/**
+ * Estimate the entropy of a phrase, given the EFF 7,776-word list as
+ * the assumed wordlist. ~12.9 bits per word.
+ *
+ * Returns 0 for any input that fails the phrase format — character-class
+ * estimates aren't comparable to phrase entropy, and surfacing 0 makes
+ * weak inputs visible in any UI that displays an entropy meter.
+ */
+declare function estimateEntropy(passphrase: string): number;
+
 /** In-memory representation of an unlocked keyring. */
 interface UnlockedKeyring {
     readonly userId: string;
@@ -1761,6 +1841,20 @@ interface UnlockedKeyring {
      * bundle import granted, regardless of role).
      */
     readonly importCapability?: ImportCapability;
+    /**
+     * Tier-2 authenticator slots — readonly snapshot loaded from the
+     * keyring file. Mutations go through `enrollAuthenticator` /
+     * `removeAuthenticator` (issue #11), which write back via
+     * `persistKeyring`. Always defined; loads with an empty array for
+     * keyrings written before the multi-slot extension landed.
+     */
+    readonly authenticators: readonly KeyringAuthenticator[];
+    /**
+     * Reserved per-keyring policy override (forward-compat for Option C
+     * — see {@link VaultPolicyOnDisk}). v1.0 round-trips this field but
+     * never enforces it; the gate engine uses `_meta/policy` only.
+     */
+    readonly policy?: VaultPolicyOnDisk;
 }
 /**
  * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its
@@ -2715,6 +2809,347 @@ declare class SyncEngine {
     private persistMeta;
 }
 
+/**
+ * Tier-1 change flows — `rotatePassphrase` (user remembers old) and
+ * `recoverPassphrase` (user supplies a recovery proof). Issue #10.
+ *
+ * The two flows share the post-verification half — fresh salt, fresh
+ * KEK, rewrap every DEK — and differ only in how they re-derive the
+ * old KEK:
+ *
+ * - **Rotate**: derive from the supplied `oldPassphrase`.
+ * - **Recover (paper)**: unwrap from a `RecoveryCodeEntry` using a
+ *   user-supplied recovery code. The entry is burned on success.
+ *
+ * The non-paper recovery profiles (Shamir, multi-channel,
+ * admin-mediated) are not yet wired — calling them throws
+ * {@link RecoveryProfileNotImplementedError} with a tracking link.
+ *
+ * @module
+ */
+
+/** Caller payload for {@link rotatePassphrase}. */
+interface RotatePassphraseInput {
+    readonly oldPassphrase: string;
+    readonly newPassphrase: string;
+    readonly passphrasePolicy?: PassphrasePolicy;
+    readonly allowWeakPassphrase?: boolean;
+}
+/**
+ * Re-derive the user's KEK from `oldPassphrase`, rewrap every DEK
+ * under a freshly-derived KEK from `newPassphrase`, and persist.
+ *
+ * Tier-2 authenticator slots are NOT preserved — each slot wraps the
+ * old KEK and would need the user's per-slot derivation key to
+ * re-wrap; the hub doesn't hold that. The user re-enrols any slots
+ * after rotation. v0.1.0-pre.5 limitation.
+ *
+ * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.
+ * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.
+ */
+declare function rotatePassphrase(store: NoydbStore, vault: string, userId: string, input: RotatePassphraseInput): Promise<UnlockedKeyring>;
+/** Caller payload for {@link recoverPassphrase}. */
+type RecoveryProof = {
+    readonly profile: 'paper';
+    readonly payload: {
+        readonly code: string;
+    };
+} | {
+    readonly profile: 'shamir';
+    readonly payload: {
+        readonly shares: ReadonlyArray<string>;
+    };
+} | {
+    readonly profile: 'multi-channel';
+    readonly payload: {
+        readonly proofs: ReadonlyArray<unknown>;
+    };
+} | {
+    readonly profile: 'admin-mediated';
+    readonly payload: {
+        readonly token: string;
+        readonly factor?: unknown;
+    };
+};
+interface RecoverPassphraseInput {
+    readonly newPassphrase: string;
+    readonly recoveryProof: RecoveryProof;
+    readonly passphrasePolicy?: PassphrasePolicy;
+    readonly allowWeakPassphrase?: boolean;
+}
+/**
+ * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
+ * supports the `'paper'` profile via `@noy-db/on-recovery` entries
+ * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * {@link RecoveryProfileNotImplementedError}.
+ *
+ * On success, the used recovery entry is burned (deleted from the
+ * stored set).
+ */
+declare function recoverPassphrase(store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
+
+/**
+ * Recovery profile persistence + dispatch — issue #10.
+ *
+ * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * `@noy-db/on-recovery`. The other three profiles (Shamir,
+ * multi-channel, admin-mediated) ship the API surface and throw
+ * {@link RecoveryProfileNotImplementedError} during use; per-profile
+ * dispatch lands in follow-up issues.
+ *
+ * Storage layout:
+ *
+ * ```
+ * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.
+ * _meta/recovery-shamir      — reserved
+ * _meta/recovery-multi       — reserved
+ * _meta/recovery-admin       — reserved
+ * ```
+ *
+ * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON
+ * with empty `_iv` — the recovery-code wrapping is what protects the
+ * KEK; the entries themselves are inert without the user's code.
+ *
+ * @module
+ */
+
+/**
+ * One paper recovery code as persisted in `_meta/recovery-paper`.
+ *
+ * The hub's KEK is intentionally non-extractable (see `crypto.ts`),
+ * so the recovery entry can't AES-KW-wrap the KEK directly. Instead
+ * we wrap a serialized DEK set: the entry holds the AES-GCM
+ * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery
+ * deserializes the DEK set, then mints a fresh KEK from the new
+ * passphrase and rewraps the DEKs under it.
+ *
+ * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick
+ * resume — the cryptographic guarantee is identical (AES-GCM with a
+ * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
+ * constraint cleanly.
+ */
+interface PaperRecoveryEntry {
+    readonly codeId: string;
+    /** Base64 PBKDF2 salt. */
+    readonly salt: string;
+    /** Base64 AES-GCM IV used for the wrapped-DEK ciphertext. */
+    readonly iv: string;
+    /** Base64 AES-GCM ciphertext — JSON `{ deks: Record<string, base64> }`. */
+    readonly wrappedDeks: string;
+    readonly enrolledAt: string;
+}
+interface PaperRecoveryDoc {
+    readonly _noydb_recovery: 1;
+    readonly profile: 'paper';
+    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
+}
+/** Read the paper-recovery entries. Returns empty array when absent. */
+declare function loadPaperRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<PaperRecoveryEntry>>;
+/** Replace the paper-recovery entries (used after burn-on-recovery). */
+declare function savePaperRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<PaperRecoveryEntry>): Promise<void>;
+/** Drop a single paper-recovery entry (burn-on-use). */
+declare function burnPaperRecoveryEntry(store: NoydbStore, vault: string, codeId: string): Promise<void>;
+/** Whether at least one recovery profile has any enrolled entries. */
+declare function hasRecoveryEnrolled(store: NoydbStore, vault: string): Promise<boolean>;
+
+/**
+ * Public envelope — owner-curated plaintext metadata, readable
+ * before vault unlock or bundle decryption.
+ *
+ * @see docs/subsystems/public-envelope.md
+ *
+ * @module
+ */
+/**
+ * Either a single string (used when the developer's app is
+ * single-locale) or a locale → string map for i18n. Mirrors the
+ * shape `@noy-db/hub/i18n` already uses for record fields, so the
+ * existing `resolveI18nText` resolver applies.
+ */
+type PublicEnvelopeText = string | Record<string, string>;
+/**
+ * Persisted shape — both `_meta/public-envelope` and the bundle
+ * header carry this. The version number is monotonic per vault and
+ * helps cache invalidators detect change without hashing the JSON.
+ */
+interface PublicEnvelope {
+    readonly _noydb_public: 1;
+    readonly version: number;
+    readonly name?: PublicEnvelopeText;
+    readonly description?: PublicEnvelopeText;
+    /** Inline `data:` URL (`data:image/png;base64,…` or `data:image/svg+xml;base64,…`). */
+    readonly icon?: string;
+    /** ISO-8601 timestamp; auto-set on first envelope write, immutable thereafter. */
+    readonly createdAt?: string;
+    /** ISO-8601 timestamp; auto-updated on every `setPublicEnvelope` call. */
+    readonly updatedAt?: string;
+    /** BCP-47 fallback locale for renderers when the user's locale isn't covered. */
+    readonly defaultLocale?: string;
+}
+/** Field names the developer can allow in `PublicEnvelopeSchema.fields`. */
+declare const PUBLIC_ENVELOPE_FIELDS: readonly ["name", "description", "icon", "createdAt", "updatedAt", "defaultLocale"];
+type PublicEnvelopeField = (typeof PUBLIC_ENVELOPE_FIELDS)[number];
+/**
+ * Build-time schema. The developer enables the feature and bounds
+ * what the owner can set. `true` is shorthand for "all defaults" —
+ * gives the owner the full field set with the standard caps.
+ */
+interface PublicEnvelopeSchema {
+    /**
+     * Allowed field names. Setting `name`/`description`/`icon`/`defaultLocale` is
+     * gated on the field being listed here. `createdAt` / `updatedAt` are managed
+     * by the hub; including them is a no-op (the owner cannot set them
+     * directly). Default: every field above.
+     */
+    readonly fields?: ReadonlyArray<PublicEnvelopeField>;
+    /**
+     * Maximum icon size — measured as the length of the data-URL
+     * string. Default 256 KB.
+     */
+    readonly maxIconBytes?: number;
+    /** Allowed icon MIME types. Default ['image/png', 'image/svg+xml']. */
+    readonly iconMimeTypes?: ReadonlyArray<string>;
+    /** Maximum length of `name` / `description` per locale. Default 200. */
+    readonly maxStringChars?: number;
+}
+/** Default schema values; merged onto every developer-supplied schema. */
+declare const DEFAULT_PUBLIC_ENVELOPE_SCHEMA: {
+    readonly fields: readonly ["name", "description", "icon", "createdAt", "updatedAt", "defaultLocale"];
+    readonly maxIconBytes: number;
+    readonly iconMimeTypes: readonly ["image/png", "image/svg+xml"];
+    readonly maxStringChars: 200;
+};
+/** Resolved schema after merging developer override onto defaults. */
+interface ResolvedPublicEnvelopeSchema {
+    readonly fields: ReadonlyArray<PublicEnvelopeField>;
+    readonly maxIconBytes: number;
+    readonly iconMimeTypes: ReadonlyArray<string>;
+    readonly maxStringChars: number;
+}
+/**
+ * Merge developer schema onto the defaults. The shorthand `true`
+ * resolves to the full default schema; an explicit object only
+ * overrides the keys it provides.
+ */
+declare function resolveSchema(schema: true | PublicEnvelopeSchema | undefined): ResolvedPublicEnvelopeSchema | undefined;
+
+/** Owner-supplied input — the subset of {@link PublicEnvelope} the owner can set. */
+interface SetPublicEnvelopeInput {
+    readonly name?: PublicEnvelopeText;
+    readonly description?: PublicEnvelopeText;
+    readonly icon?: string;
+    readonly defaultLocale?: string;
+}
+/**
+ * Validate an owner-supplied envelope input against the developer's
+ * resolved schema. Throws `ValidationError` on the first violation;
+ * returns void on success.
+ *
+ * The validator is deliberately strict: every fail mode is a hard
+ * error rather than a silent drop, so the owner finds out immediately
+ * which field they oversized rather than discovering a truncated
+ * label months later.
+ */
+declare function validatePublicEnvelopeInput(input: SetPublicEnvelopeInput, schema: ResolvedPublicEnvelopeSchema): void;
+/**
+ * Lightweight runtime predicate — used by the bundle header
+ * validator to recognise a public envelope without requiring it.
+ */
+declare function isPublicEnvelope(x: unknown): x is PublicEnvelope;
+
+/**
+ * Tier-2 authenticator slot management — issue #11.
+ *
+ * Each slot independently wraps the SAME KEK under a method-specific
+ * derived key (LUKS pattern). Enrolling adds a slot; removing drops
+ * one. Both are constant-time keyring writes — no DEK re-keying.
+ *
+ * The crypto for each method lives in its `@noy-db/on-*` package
+ * (`on-webauthn`, `on-oidc`, `on-password`); this module accepts the
+ * package's `wrapped_kek` ciphertext + `meta` payload and persists it.
+ *
+ * @see docs/subsystems/session-tiers.md → Tier 2 — Authenticate
+ *
+ * @module
+ */
+
+/** Input shape for `enrollAuthenticator`. */
+interface EnrollAuthenticatorOptions {
+    readonly id: string;
+    readonly method: KeyringAuthenticator['method'];
+    /** Already-wrapped KEK ciphertext (base64) — produced by the on-* package. */
+    readonly wrapped_kek: string;
+    /** Method-specific metadata (cred id, salt, …). */
+    readonly meta: Record<string, unknown>;
+    /** Tier the active session held when enrolling. Defaults to 1. */
+    readonly enrolled_via_tier?: 1 | 2;
+}
+/**
+ * Append a new authenticator slot to the keyring file. Throws
+ * `ValidationError` if a slot with the same id already exists — the
+ * caller decides whether to remove + re-enroll.
+ */
+declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
+/**
+ * Drop a slot by id. No-op if the slot doesn't exist (idempotent —
+ * removing a non-existent slot is a recoverable retry, not an error).
+ */
+declare function removeAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string): Promise<UnlockedKeyring>;
+/**
+ * Look up a slot by id. Returns `undefined` when no slot matches.
+ * Used by tier-2 unlock dispatchers to fetch the wrapped KEK + meta
+ * before invoking the method-specific verifier.
+ */
+declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): KeyringAuthenticator | undefined;
+
+/**
+ * Per-vault tier-3 (PIN / quick-resume) state — issue #11.
+ *
+ * The hub holds a `PinResumeState`-shaped record in memory, keyed by
+ * vault. `enrollUnlock` populates it; `unlockViaPin` consumes it via
+ * `@noy-db/on-pin`'s `resumePin`. The cached state is wiped when the
+ * idle timer fires or `db.close()` is called.
+ *
+ * Importantly, this module does NOT depend on `@noy-db/on-pin` — the
+ * caller passes the already-built state in. That keeps the hub's
+ * `peerDependencies` empty for tier-3 and lets developers swap the
+ * primitive (e.g. an OS biometric in place of a PIN).
+ *
+ * @module
+ */
+/**
+ * Opaque `PinResumeState`-compatible record. Mirrored from
+ * `@noy-db/on-pin/PinResumeState`. The hub treats the contents as
+ * a black box.
+ */
+interface QuickUnlockState {
+    readonly _noydb_on_pin: 1;
+    readonly salt: string;
+    readonly iv: string;
+    readonly wrappedKeyring: string;
+    readonly expiresAt: string;
+    readonly maxAttempts: number;
+    attempts: number;
+}
+/** In-memory store for tier-3 unlock state, keyed by vault. */
+declare class QuickUnlockStore {
+    private readonly states;
+    private readonly timers;
+    /**
+     * Register a quick-unlock state for a vault. Replaces any existing
+     * state. Schedules an automatic clear when the state's `expiresAt`
+     * elapses.
+     */
+    set(vault: string, state: QuickUnlockState): void;
+    /** Read the state for a vault. Returns undefined when none is registered. */
+    get(vault: string): QuickUnlockState | undefined;
+    /** Drop the state for a vault. Cancels the auto-clear timer. */
+    delete(vault: string): void;
+    /** Drop every cached state. Called on `db.close()`. */
+    clear(): void;
+    private clearTimer;
+}
+
 /**
  * Multi-record atomic transactions.
  *
@@ -2853,6 +3288,84 @@ declare class TxCollection<T> {
  */
 declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
 
+/**
+ * Policy gate DSL types — issue #9.
+ *
+ * Sensitive operations (rotate the passphrase, enroll an authenticator,
+ * export plaintext, grant a user, …) are gated by a typed policy
+ * object. The developer supplies a {@link VaultPolicy} at vault
+ * creation; the hub merges it onto a built-in preset and persists the
+ * merged document at `_meta/policy`.
+ *
+ * @see docs/subsystems/session-tiers.md → Policy gates DSL
+ *
+ * @module
+ */
+
+/** A single off-device factor surface — the proof an actor presents at gate time. */
+type FactorKind = 'totp' | 'email-otp' | 'recovery' | 'shamir' | 'webauthn-roaming';
+/**
+ * One factor requirement entry. The default is "any one of the listed
+ * factors, fresh within the last 5 minutes". Bumping `count` requires N
+ * distinct fresh proofs; bumping `freshnessMs` widens the acceptance
+ * window.
+ */
+interface FactorRequirement {
+    readonly anyOf: ReadonlyArray<FactorKind>;
+    /** Number of distinct factors required. Default 1. */
+    readonly count?: number;
+    /** How recent each proof must be. Default 5 minutes. */
+    readonly freshnessMs?: number;
+}
+/** Soft signals layered on top of the gate verdict — never block on their own. */
+interface WarningRules {
+    /** Behavior on shared-device tier-1 ops. `'block'` raises a `PolicyDeniedError`. */
+    readonly sharedDevice?: 'warn' | 'block';
+    /** Behavior on weak tier-2 (e.g. password-only) for sensitive ops. */
+    readonly weakAuthenticator?: 'warn' | 'block';
+}
+/**
+ * Policy applied to one named gate. `enabled: false` disables the
+ * action entirely (useful in managed-passphrase mode where rotation is
+ * impossible by construction).
+ */
+interface GatePolicy {
+    /** Minimum tier the active session must hold. */
+    readonly minTier: 1 | 2 | 3;
+    /** Extra freshness-bound proofs required at gate time. */
+    readonly factors?: ReadonlyArray<FactorRequirement>;
+    readonly warn?: WarningRules;
+    readonly enabled?: boolean;
+}
+/**
+ * Built-in gate names. App-defined gates live in the `app:*` namespace
+ * and use the same engine; the engine treats unknown names with no
+ * configured policy as "no gate" (no-op).
+ */
+type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth';
+/** Either a built-in gate name or an `app:*` custom gate. */
+type GateName = BuiltInGateName | `app:${string}`;
+/**
+ * Top-level policy object. Persisted at `_meta/policy` once at vault
+ * creation. The `passphrase` block configures the strength rules
+ * applied at every passphrase ingress (issue #7); `gates` configures
+ * the action-level requirements.
+ */
+interface VaultPolicy {
+    readonly passphrase?: PassphrasePolicy;
+    readonly gates: Partial<Record<GateName, GatePolicy>>;
+}
+/** Concrete proof an actor presents to {@link checkGate}. */
+interface FactorProof {
+    readonly kind: FactorKind;
+    /** ISO-8601 timestamp the proof was minted at. Compared against `freshnessMs`. */
+    readonly mintedAt?: string;
+    /** Method-specific payload. The engine treats it as opaque — verification is delegated. */
+    readonly payload?: unknown;
+}
+/** Active session tier — what the engine compares against `gate.minTier`. */
+type ActiveTier = 1 | 2 | 3;
+
 /** The top-level NOYDB instance. */
 declare class Noydb {
     private readonly options;
@@ -2860,6 +3373,25 @@ declare class Noydb {
     private readonly vaultCache;
     private readonly keyringCache;
     private readonly syncEngines;
+    /**
+     * Per-vault active session tier — defaults to `1` after a passphrase
+     * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+     * {@link checkGate} to evaluate `gate.minTier`.
+     */
+    private readonly activeTier;
+    /**
+     * Per-vault loaded policy. Cached after the first
+     * `_meta/policy` load; replaced by `db.updatePolicy()`.
+     */
+    private readonly policyCache;
+    /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+    private readonly quickUnlock;
+    /**
+     * Resolved public-envelope schema. Lazily computed once from
+     * `NoydbOptions.publicEnvelope`; `undefined` when the developer
+     * didn't opt in.
+     */
+    private readonly publicEnvelopeSchema;
     private closed;
     private sessionTimer;
     /** Per-vault policy enforcers. */
@@ -3113,6 +3645,211 @@ declare class Noydb {
      * @internal — not part of the public API surface
      */
     invokeTranslator(text: string, from: string, to: string, field: string, collection: string): Promise<string>;
+    /**
+     * Read the active policy for a vault. Loads from `_meta/policy` on
+     * first call; subsequent calls hit the in-memory cache. Throws
+     * `ValidationError` if the vault has not been opened.
+     */
+    getPolicy(vault: string): Promise<VaultPolicy>;
+    /**
+     * Replace the policy document at `_meta/policy` and update the
+     * in-memory cache. Gated by the `enroll-user` policy (a policy
+     * change is fundamentally a privilege-management action).
+     */
+    updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
+    /**
+     * Evaluate a policy gate against the active session tier and the
+     * presented factor proofs. Throws {@link PolicyDeniedError} on
+     * denial; resolves with `void` on success.
+     *
+     * @param vault    The vault whose policy applies.
+     * @param gate     Gate name — built-in (e.g. `'rotate-passphrase'`)
+     *                 or app-defined (`app:*`).
+     * @param presented Caller-supplied factor proofs.
+     */
+    checkGate(vault: string, gate: GateName, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /** Read or persist the vault policy at `_meta/policy` on first open. */
+    private bootstrapPolicy;
+    /**
+     * Throw {@link RecoveryNotEnrolledError} when the developer
+     * explicitly opts into strict mandatory-recovery enforcement
+     * (`createNoydb({ requireRecovery: true })`) and no recovery
+     * entries are persisted.
+     *
+     * The default behavior is lenient — `recover-passphrase` is enabled
+     * in `PERSONAL_POLICY` but the hub does not block vault open on
+     * missing enrollment. v1.0 will flip the default to strict; for now,
+     * apps that want the spec-mandated check turn it on per-vault.
+     */
+    private assertRecoveryEnrolled;
+    /**
+     * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+     * to mark the active session tier.
+     * @internal
+     */
+    _setActiveTier(vault: string, tier: ActiveTier): void;
+    /**
+     * Add a tier-2 authenticator slot to the calling user's keyring.
+     * Each slot independently wraps the SAME KEK under a method-specific
+     * key — adding a slot is a constant-time keyring write.
+     *
+     * The wrapping ciphertext is produced by the corresponding
+     * `@noy-db/on-*` package (e.g. `enrollPasswordAuthenticator` from
+     * `@noy-db/on-password`); the hub persists the result.
+     *
+     * Gated by `enroll-authenticator`; `presented` carries any factor
+     * proofs the active policy demands.
+     */
+    enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Remove a tier-2 authenticator slot. Idempotent — removing a
+     * non-existent slot is a successful no-op. Gated by
+     * `remove-authenticator`.
+     */
+    removeAuthenticator(vault: string, slotId: string, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+    listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
+    /**
+     * Resolve a slot by id, then hand the wrapped-KEK ciphertext + meta
+     * to the caller-supplied verifier. The verifier is the
+     * `unlockWith*` function from the corresponding `@noy-db/on-*`
+     * package, e.g. `unlockWithPassword(slot, password)`.
+     *
+     * On success, mark the active session tier as 2 — subsequent
+     * `checkGate` calls see a tier-2 unlock.
+     */
+    unlockViaAuthenticator(vault: string, slotId: string, verify: (slot: KeyringAuthenticator) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring>;
+    /**
+     * Set the owner-curated public envelope for a vault. Throws
+     * `ValidationError` if the developer did not opt the hub into
+     * `publicEnvelope` via `NoydbOptions`, or if the input violates
+     * the resolved schema (oversized icon, disallowed MIME, oversized
+     * string, unknown field).
+     *
+     * `createdAt` is set on the first write and preserved on every
+     * subsequent write. `updatedAt` is refreshed on every write.
+     * `version` is monotonic — increments on every successful write.
+     */
+    setPublicEnvelope(vault: string, input: SetPublicEnvelopeInput): Promise<PublicEnvelope>;
+    /**
+     * Read the public envelope for a vault. Returns `undefined` when
+     * none has been written. Pass `locale` to resolve any locale-map
+     * fields to plain strings; omitting `locale` returns the raw map.
+     *
+     * Works even when the developer didn't enable
+     * `publicEnvelope` — reads are passive and never throw on a
+     * missing schema (the envelope is plaintext and exists on disk
+     * regardless).
+     */
+    getPublicEnvelope(vault: string, opts?: {
+        readonly locale?: string;
+    }): Promise<PublicEnvelope | undefined>;
+    /** English summary of the configured auth model. */
+    describeAuthConfig(vault: string): Promise<string>;
+    /** Mermaid `flowchart TB` source for the auth graph. */
+    diagramAuthConfig(vault: string): Promise<string>;
+    /**
+     * Per-user enrollment summary. Gated by `view-user-auth` (default:
+     * disabled). Sanitization is allowlist-based — never renders cred
+     * ids, password hashes, secrets, or any field outside the allowlist.
+     */
+    describeUserAuth(vault: string, userId: string, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<string>;
+    /** Bulk variant for owner dashboards. Gated by `view-user-auth`. */
+    describeAllUsersAuth(vault: string, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<Array<{
+        userId: string;
+        description: string;
+    }>>;
+    /**
+     * Rotate the user's passphrase (user remembers old). Validates the
+     * new phrase against the configured `passphrase` policy, runs the
+     * `rotate-passphrase` gate, then re-derives + re-wraps every DEK.
+     *
+     * Tier-2 authenticator slots are dropped — each slot wraps the old
+     * KEK and would need its derivation key to be re-presented. Re-enrol
+     * via `db.enrollAuthenticator` after rotation. Tracked as a
+     * v0.1.0-pre.5 limitation.
+     *
+     * @throws `WeakPassphraseError` on a weak new phrase.
+     * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
+     * @throws `InvalidKeyError` when `oldPassphrase` is wrong.
+     */
+    rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Reset the passphrase using a recovery proof (user forgot the old).
+     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
+     * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+     *
+     * Burns the used recovery entry on success.
+     */
+    recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+     * profile — the developer first calls
+     * `@noy-db/on-recovery/generateRecoveryCodeSet` to mint codes +
+     * entries, shows the codes to the user once, then hands the entries
+     * here.
+     *
+     * ```ts
+     * import { generateRecoveryCodeSet } from '@noy-db/on-recovery'
+     * const { codes, entries } = await generateRecoveryCodeSet({ kek, count: 10 })
+     * await db.enrollRecovery('acme', { profile: 'paper', entries })
+     * showCodesToUser(codes)
+     * ```
+     */
+    enrollRecovery(vault: string, enrollment: {
+        profile: 'paper';
+        entries: ReadonlyArray<PaperRecoveryEntry>;
+    }): Promise<void>;
+    /** Read the persisted paper-recovery entries. Used by `describeAuthConfig` (#13). */
+    listRecoveryEntries(vault: string): Promise<{
+        paper: ReadonlyArray<PaperRecoveryEntry>;
+    }>;
+    /**
+     * Register a tier-3 quick-unlock state for the vault. The state is
+     * an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
+     * compatible primitive). It is held in memory only — never persisted
+     * — and auto-clears when its `expiresAt` elapses.
+     *
+     * Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
+     * because tier-3 is a single-slot rolling secret).
+     */
+    enrollUnlock(vault: string, state: QuickUnlockState, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Resume a session via the registered tier-3 state. The verifier is
+     * `@noy-db/on-pin/resumePin` (or compatible). On success, mark the
+     * active session tier as 3 — every operation must re-authenticate at
+     * tier 2 to elevate.
+     *
+     * Returns `undefined` (caller should fall back to tier 2) when no
+     * tier-3 state is registered.
+     */
+    unlockViaPin(vault: string, resume: (state: QuickUnlockState) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring | undefined>;
+    /** Drop the tier-3 state for a vault — explicit logout. */
+    clearQuickUnlock(vault: string): void;
     /** Get or load the keyring for a vault. */
     private getKeyring;
 }
@@ -4368,6 +5105,22 @@ declare class Vault {
      * separate vault instances now.
      */
     getBundleHandle(): Promise<string>;
+    /**
+     * Read the owner-curated public envelope for this vault (or
+     * `undefined` if none is persisted). The envelope lives in
+     * `_meta/public-envelope` as plaintext — readable without any KEK
+     * — so `getBundleHandle`-style callers can label a vault before
+     * unlock.
+     *
+     * Mirrors `Noydb.getPublicEnvelope(vault, opts)` but scoped to a
+     * single, already-opened `Vault` instance so the
+     * bundle writer can snapshot it without holding a `Noydb` reference.
+     *
+     * @see docs/subsystems/public-envelope.md
+     */
+    getPublicEnvelope(opts?: {
+        readonly locale?: string;
+    }): Promise<PublicEnvelope | undefined>;
     /**
      * Dump vault as a verifiable encrypted JSON backup string.
      *
@@ -6448,6 +7201,71 @@ interface ImportCapability {
     readonly plaintext?: readonly ExportFormat[];
     readonly bundle?: boolean;
 }
+/**
+ * Forward-declared on-disk shape for `VaultPolicy` — the actual policy
+ * model lives in `policy/types.ts` (#9). Declared here as `unknown`-typed
+ * map so types.ts has no dependency on the policy module while the
+ * `KeyringFile.policy` field can still round-trip foreign documents.
+ *
+ * @internal
+ */
+type VaultPolicyOnDisk = Record<string, unknown>;
+/**
+ * Recovery profile enrolled at vault creation (issue #10).
+ *
+ * - `paper` — `on-recovery` codes (the only end-to-end profile in v0.1.0-pre.5).
+ * - `shamir` / `multi-channel` / `admin-mediated` — API surface ships;
+ *   per-profile dispatch lands in follow-up issues. Calling
+ *   `db.recoverPassphrase` against these throws
+ *   {@link RecoveryProfileNotImplementedError}.
+ */
+type RecoveryEnrollment = {
+    readonly profile: 'paper';
+    /** Number of single-use codes to print at enrollment. */
+    readonly codes: number;
+} | {
+    readonly profile: 'shamir';
+    readonly k: number;
+    readonly n: number;
+    readonly trustees: ReadonlyArray<string>;
+} | {
+    readonly profile: 'multi-channel';
+    readonly email?: string;
+    readonly pin?: boolean;
+    readonly paperCodes?: number;
+} | {
+    readonly profile: 'admin-mediated';
+    readonly grantorUserId: string;
+};
+/**
+ * One tier-2 authenticator slot inside a keyring file. Each slot
+ * independently wraps the SAME KEK under a method-specific derived key
+ * (LUKS pattern). Adding or removing a slot is a constant-time keyring
+ * write — no DEK re-keying required.
+ *
+ * @see docs/subsystems/session-tiers.md → Tier 2 — Authenticate (multi-slot)
+ */
+interface KeyringAuthenticator {
+    /** Caller-chosen identifier — e.g. `'webauthn-yubikey-blue'`, `'oidc-google'`, `'password-daily'`. */
+    readonly id: string;
+    /** Method family — selects which `@noy-db/on-*` package handles unlock. */
+    readonly method: 'webauthn' | 'oidc' | 'password';
+    /** ISO-8601 timestamp at which the slot was added. */
+    readonly enrolled_at: string;
+    /**
+     * Which session tier ENROLLED this slot. Tier 1 enrolls a fresh slot;
+     * tier 2 may add a sibling slot when the active policy permits.
+     */
+    readonly enrolled_via_tier: 1 | 2;
+    /** Base64 wrapped-KEK ciphertext under the method-derived key. */
+    readonly wrapped_kek: string;
+    /**
+     * Method-specific metadata: WebAuthn cred id, OIDC issuer/sub, PBKDF2
+     * salt for `on-password`, etc. The schema is open by design — the
+     * `@noy-db/on-*` package owns the contents.
+     */
+    readonly meta: Record<string, unknown>;
+}
 interface KeyringFile {
     readonly _noydb_keyring: typeof NOYDB_KEYRING_VERSION;
     readonly user_id: string;
@@ -6458,6 +7276,23 @@ interface KeyringFile {
     readonly salt: string;
     readonly created_at: string;
     readonly granted_by: string;
+    /**
+     * Tier-2 authenticator slots (multi-slot keyring extension).
+     * Optional / append-only: keyring files written before the
+     * extension load with an empty list. Each slot independently wraps
+     * the same KEK; any one of them unlocks.
+     *
+     * @see KeyringAuthenticator
+     */
+    readonly authenticators?: readonly KeyringAuthenticator[];
+    /**
+     * Per-keyring policy override (reserved). The on-disk format
+     * accepts the field for forward compatibility with the Option C
+     * merge engine deferred to a later release; v1.0 reads only the
+     * vault-level `_meta/policy` document, so this field is parsed and
+     * round-tripped but never enforced.
+     */
+    readonly policy?: VaultPolicyOnDisk;
     /**
      * Optional — authorization spec capability bits. Absent on keyrings written
      * before the RFC implementation. Loading falls back to role-based
@@ -6812,6 +7647,12 @@ interface GrantOptions {
      * is grantable until positively listed; bundle import is denied.
      */
     readonly importCapability?: ImportCapability;
+    /**
+     * Skip phrase-format strength validation (issue #7). Defaults to
+     * false — `grant()` rejects phrases that don't meet the configured
+     * `PassphrasePolicy`. Test fixtures and CLI scripts pass `true`.
+     */
+    readonly allowWeakPassphrase?: boolean;
 }
 interface RevokeOptions {
     readonly userId: string;
@@ -7385,8 +8226,47 @@ interface NoydbOptions {
     readonly sync?: NoydbStore | SyncTarget | SyncTarget[];
     /** User identifier. */
     readonly user: string;
-    /** Passphrase for key derivation. Required unless encrypt is false. */
+    /** Passphrase for key derivation. Required unless encrypt is false or `getKeyring` is provided. */
     readonly secret?: string;
+    /**
+     * Optional callback that returns an unlocked keyring for a given vault.
+     * Use this to plug in WebAuthn / OIDC / Shamir / any unlock path that
+     * produces an `UnlockedKeyring` outside the passphrase model.
+     *
+     * When set, `secret` MUST NOT also be set — `createNoydb` throws if both
+     * are supplied. When neither is set (and `encrypt !== false`), `createNoydb`
+     * also throws.
+     *
+     * The callback is called lazily, on the first operation that needs the
+     * keyring for a given vault. Noydb caches the returned keyring per-vault
+     * for the lifetime of the instance, so the callback is invoked at most
+     * once per `(instance, vault)` pair (assuming the callback resolves
+     * successfully). If the callback rejects, the rejection surfaces from the
+     * first vault operation that triggered the unlock; subsequent operations
+     * will retry the callback.
+     *
+     * @example
+     * ```ts
+     * import { createNoydb } from '@noy-db/hub'
+     * import { unlockWebAuthn } from '@noy-db/on-webauthn'
+     *
+     * const enrollment = await loadEnrollment()
+     * const db = await createNoydb({
+     *   store,
+     *   user: 'alice',
+     *   getKeyring: (vault) => unlockWebAuthn(enrollment),
+     * })
+     * ```
+     *
+     * Note: this callback is responsible for both the "open existing vault"
+     * and the "create new vault" cases. Unlike the passphrase path, there is
+     * no automatic `NoAccessError` → `createOwnerKeyring` fallback, because
+     * the callback owner has the UI context to decide which path to run.
+     * For first-time bootstrap, use a passphrase or recovery code, enroll
+     * WebAuthn from the unlocked keyring, then swap to `getKeyring` on
+     * subsequent sessions.
+     */
+    readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>;
     /** Auth method. Default: 'passphrase'. */
     readonly auth?: 'passphrase' | 'biometric';
     /** Enable encryption. Default: true. */
@@ -7421,8 +8301,59 @@ interface NoydbOptions {
      * legacy `sessionTimeout` field.
      */
     readonly sessionPolicy?: SessionPolicy;
-    /** Validate passphrase strength on creation. Default: true. */
+    /**
+     * Validate passphrase strength against the phrase format
+     * (`@noy-db/hub` issue #7) on first-time keyring creation. When
+     * `true`, weak phrases throw {@link WeakPassphraseError} from
+     * `createNoydb()` / `db.rotatePassphrase()`. Default: `false` for
+     * back-compat in v0.1.x; planned to flip to `true` at v1.0.
+     */
     readonly validatePassphrase?: boolean;
+    /**
+     * Vault-level policy gate document (issue #9). When present, the hub
+     * persists the merged policy at `_meta/policy` on first-time vault
+     * creation and gates sensitive operations (`db.rotatePassphrase`,
+     * `db.export*`, …) against it. Omitted ⇒ the engine uses
+     * {@link PERSONAL_POLICY}. Use {@link STRICT_POLICY} for regulated
+     * deployments.
+     *
+     * The on-disk document is the source of truth — the policy field
+     * is only honored at vault creation; subsequent runs read from
+     * `_meta/policy`. Use `db.updatePolicy()` to change it deliberately.
+     *
+     * Imported from `@noy-db/hub` as a type-only reference; the runtime
+     * import lives in `policy/index.ts`.
+     */
+    readonly policy?: VaultPolicy;
+    /**
+     * Mandatory recovery profile enrollment (issue #10). Vaults with
+     * `recover-passphrase` enabled MUST register at least one profile
+     * before being production-ready, otherwise `createNoydb()` throws
+     * {@link RecoveryNotEnrolledError}. Set
+     * `policy.gates['recover-passphrase'].enabled = false` to
+     * deliberately opt out of recovery (passphrase loss = data loss).
+     *
+     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end. Other
+     * profiles ship the API shape and throw
+     * {@link RecoveryProfileNotImplementedError} during use.
+     */
+    readonly recovery?: ReadonlyArray<RecoveryEnrollment>;
+    /**
+     * When `true`, `createNoydb` rejects vaults with no recovery
+     * entries persisted (per the spec's mandatory-enrollment
+     * requirement). Default `false` for v0.1.x back-compat; planned to
+     * flip to `true` at v1.0. Apps in regulated environments should
+     * turn this on now.
+     */
+    readonly requireRecovery?: boolean;
+    /**
+     * Enable the public envelope subsystem (`docs/subsystems/public-envelope.md`).
+     * Pass `true` for the default schema (every standard field, 256 KB
+     * icon cap, 200-char text cap), or a `PublicEnvelopeSchema` to
+     * narrow what the owner can set. Off by default — vaults written
+     * by hubs without this option carry no envelope, full stop.
+     */
+    readonly publicEnvelope?: true | PublicEnvelopeSchema;
     /** Audit history configuration. */
     readonly history?: HistoryConfig;
     /**
@@ -7523,4 +8454,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type Conflict as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, Vault as aR, type AccessibleVault as aS, BUNDLE_STORE_POLICY as aT, type BundleRecipient as aU, type CacheOptions as aV, type CacheStats as aW, type ChangeEvent as aX, Collection as aY, type CollectionChangeEvent as aZ, type CollectionConflictResolver as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type SessionPolicy as b$, type ConflictPolicy as b0, type ConflictStrategy as b1, type CrossTierAccessEvent as b2, DELEGATIONS_COLLECTION as b3, type DelegationToken as b4, type DeleteManyResult as b5, type DirtyEntry as b6, ELEVATION_AUDIT_COLLECTION as b7, ElevatedHandle as b8, type ExportCapability as b9, NOYDB_KEYRING_VERSION as bA, NOYDB_SYNC_VERSION as bB, Noydb as bC, type NoydbBundleStore as bD, type NoydbEventMap as bE, type NoydbOptions as bF, type Permission as bG, type Permissions as bH, type PlaintextTranslatorContext as bI, type PlaintextTranslatorFn as bJ, PresenceHandle as bK, type PresencePeer as bL, type PullMode as bM, type PullOptions as bN, type PullPolicy as bO, type PullResult as bP, type PushMode as bQ, type PushOptions as bR, type PushPolicy as bS, type PushResult as bT, type PutManyItemOptions as bU, type PutManyOptions as bV, type PutManyResult as bW, type QueryAcrossOptions as bX, type QueryAcrossResult as bY, type ReAuthOperation as bZ, type RevokeOptions as b_, type ExportChunk as ba, type ExportFormat as bb, type ExportStreamOptions as bc, type GhostRecord as bd, type GrantOptions as be, type HistoryConfig as bf, type HistoryEntry as bg, INDEXED_STORE_POLICY as bh, type ImportCapability as bi, type InferOutput as bj, type IssueDelegationOptions as bk, type IssueMagicLinkGrantOptions as bl, type KeyringFile as bm, type ListAccessibleVaultsOptions as bn, type ListPageResult as bo, type LocaleReadOptions as bp, Lru as bq, type LruOptions as br, type LruStats as bs, MAGIC_LINK_CONTENT_INFO_PREFIX as bt, MAGIC_LINK_GRANTS_COLLECTION as bu, MAGIC_LINK_KEK_INFO_PREFIX as bv, type MagicLinkGrantPayload as bw, type MagicLinkGrantRecord as bx, NOYDB_BACKUP_VERSION as by, NOYDB_FORMAT_VERSION as bz, DictionaryHandle as c, type StandardSchemaV1 as c0, type StandardSchemaV1Issue as c1, type StandardSchemaV1SyncResult as c2, type StoreAuth as c3, type StoreAuthKind as c4, type StoreCapabilities as c5, SyncEngine as c6, type SyncMetadata as c7, type SyncPolicy as c8, SyncScheduler as c9, revokeDelegation as cA, revokeMagicLinkGrant as cB, unwrapMagicLinkGrant as cC, validateSchemaInput as cD, validateSchemaOutput as cE, writeMagicLinkGrant as cF, type SyncSchedulerStatus as ca, type SyncStatus as cb, type SyncTarget as cc, type SyncTargetRole as cd, SyncTransaction as ce, type SyncTransactionResult as cf, type TierMode as cg, type TranslatorAuditEntry as ch, type TxOp as ci, type UserInfo as cj, type VaultBackup as ck, type VaultSnapshot as cl, buildRecipientKeyringFile as cm, createNoydb as cn, createStore as co, deriveMagicLinkContentKey as cp, evaluateExportCapability as cq, evaluateImportCapability as cr, hasExportCapability as cs, hasImportCapability as ct, isMagicLinkGrantExpired as cu, issueDelegation as cv, listMagicLinkGrants as cw, loadActiveDelegations as cx, magicLinkGrantRecordId as cy, readMagicLinkGrantRecord as cz, type DictionaryOptions as d, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BundleRecipient as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type PublicEnvelope as aR, type GateName as aS, type GatePolicy as aT, type VaultPolicy as aU, type ActiveTier as aV, type FactorProof as aW, Vault as aX, type AccessibleVault as aY, BUNDLE_STORE_POLICY as aZ, type BuiltInGateName as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, PresenceHandle as b$, type CacheOptions as b0, type CacheStats as b1, type ChangeEvent as b2, Collection as b3, type CollectionChangeEvent as b4, type CollectionConflictResolver as b5, type Conflict as b6, type ConflictPolicy as b7, type ConflictStrategy as b8, type CrossTierAccessEvent as b9, type ListPageResult as bA, type LocaleReadOptions as bB, Lru as bC, type LruOptions as bD, type LruStats as bE, MAGIC_LINK_CONTENT_INFO_PREFIX as bF, MAGIC_LINK_GRANTS_COLLECTION as bG, MAGIC_LINK_KEK_INFO_PREFIX as bH, type MagicLinkGrantPayload as bI, type MagicLinkGrantRecord as bJ, NOYDB_BACKUP_VERSION as bK, NOYDB_FORMAT_VERSION as bL, NOYDB_KEYRING_VERSION as bM, NOYDB_SYNC_VERSION as bN, Noydb as bO, type NoydbBundleStore as bP, type NoydbEventMap as bQ, type NoydbOptions as bR, PUBLIC_ENVELOPE_FIELDS as bS, type PaperRecoveryDoc as bT, type PaperRecoveryEntry as bU, type PassphrasePolicy as bV, type PassphraseValidationResult as bW, type Permission as bX, type Permissions as bY, type PlaintextTranslatorContext as bZ, type PlaintextTranslatorFn as b_, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as ba, DELEGATIONS_COLLECTION as bb, type DelegationToken as bc, type DeleteManyResult as bd, type DirtyEntry as be, ELEVATION_AUDIT_COLLECTION as bf, ElevatedHandle as bg, type EnrollAuthenticatorOptions as bh, type ExportCapability as bi, type ExportChunk as bj, type ExportFormat as bk, type ExportStreamOptions as bl, type FactorKind as bm, type FactorRequirement as bn, type GhostRecord as bo, type GrantOptions as bp, type HistoryConfig as bq, type HistoryEntry as br, INDEXED_STORE_POLICY as bs, type ImportCapability as bt, type InferOutput as bu, type IssueDelegationOptions as bv, type IssueMagicLinkGrantOptions as bw, type KeyringAuthenticator as bx, type KeyringFile as by, type ListAccessibleVaultsOptions as bz, DictionaryHandle as c, findAuthenticator as c$, type PresencePeer as c0, type PublicEnvelopeField as c1, type PublicEnvelopeSchema as c2, type PublicEnvelopeText as c3, type PullMode as c4, type PullOptions as c5, type PullPolicy as c6, type PullResult as c7, type PushMode as c8, type PushOptions as c9, SyncScheduler as cA, type SyncSchedulerStatus as cB, type SyncStatus as cC, type SyncTarget as cD, type SyncTargetRole as cE, SyncTransaction as cF, type SyncTransactionResult as cG, type TierMode as cH, type TranslatorAuditEntry as cI, type TxOp as cJ, type UserInfo as cK, type VaultBackup as cL, type VaultPolicyOnDisk as cM, type VaultSnapshot as cN, type WarningRules as cO, WeakPassphraseError as cP, type WeakPassphraseReason as cQ, assertStrongPassphrase as cR, buildRecipientKeyringFile as cS, burnPaperRecoveryEntry as cT, createNoydb as cU, createStore as cV, deriveMagicLinkContentKey as cW, enrollAuthenticator as cX, estimateEntropy as cY, evaluateExportCapability as cZ, evaluateImportCapability as c_, type PushPolicy as ca, type PushResult as cb, type PutManyItemOptions as cc, type PutManyOptions as cd, type PutManyResult as ce, type QueryAcrossOptions as cf, type QueryAcrossResult as cg, type QuickUnlockState as ch, QuickUnlockStore as ci, type ReAuthOperation as cj, type RecoverPassphraseInput as ck, type RecoveryProof as cl, type ResolvedPublicEnvelopeSchema as cm, type RevokeOptions as cn, type RotatePassphraseInput as co, type SessionPolicy as cp, type SetPublicEnvelopeInput as cq, type StandardSchemaV1 as cr, type StandardSchemaV1Issue as cs, type StandardSchemaV1SyncResult as ct, type StoreAuth as cu, type StoreAuthKind as cv, type StoreCapabilities as cw, SyncEngine as cx, type SyncMetadata as cy, type SyncPolicy as cz, type DictionaryOptions as d, hasExportCapability as d0, hasImportCapability as d1, hasRecoveryEnrolled as d2, isMagicLinkGrantExpired as d3, isPublicEnvelope as d4, issueDelegation as d5, recoverPassphrase as d6, rotatePassphrase as d7, listMagicLinkGrants as d8, loadActiveDelegations as d9, loadPaperRecoveryEntries as da, magicLinkGrantRecordId as db, readMagicLinkGrantRecord as dc, removeAuthenticator as dd, resolveSchema as de, revokeDelegation as df, revokeMagicLinkGrant as dg, savePaperRecoveryEntries as dh, unwrapMagicLinkGrant as di, validatePassphrase as dj, validatePublicEnvelopeInput as dk, validateSchemaInput as dl, validateSchemaOutput as dm, writeMagicLinkGrant as dn, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };