@noy-db/hub 0.1.0-pre.4 → 0.1.0-pre.7

package/dist/index.d.ts

@@ -1,17 +1,72 @@
-import { ar as UnlockedKeyring, aR as Vault, aA as DiffEntry } from './types-Dmi7nrC9.js';
-export { aS as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, aT as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, aU as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, aV as CacheOptions, aW as CacheStats, aX as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, aY as Collection, aZ as CollectionChangeEvent, a_ as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, a$ as Conflict, b0 as ConflictPolicy, b1 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, b2 as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, b3 as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, b4 as DelegationToken, b5 as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, b6 as DirtyEntry, b7 as ELEVATION_AUDIT_COLLECTION, b8 as ElevatedHandle, av as EncryptedEnvelope, b9 as ExportCapability, ba as ExportChunk, bb as ExportFormat, bc as ExportStreamOptions, bd as GhostRecord, be as GrantOptions, bf as HistoryConfig, bg as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bh as INDEXED_STORE_POLICY, bi as ImportCapability, bj as InferOutput, bk as IssueDelegationOptions, bl as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bm as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bn as ListAccessibleVaultsOptions, bo as ListPageResult, bp as LocaleReadOptions, bq as Lru, br as LruOptions, bs as LruStats, bt as MAGIC_LINK_CONTENT_INFO_PREFIX, bu as MAGIC_LINK_GRANTS_COLLECTION, bv as MAGIC_LINK_KEK_INFO_PREFIX, bw as MagicLinkGrantPayload, bx as MagicLinkGrantRecord, by as NOYDB_BACKUP_VERSION, bz as NOYDB_FORMAT_VERSION, bA as NOYDB_KEYRING_VERSION, bB as NOYDB_SYNC_VERSION, bC as Noydb, bD as NoydbBundleStore, bE as NoydbEventMap, bF as NoydbOptions, at as NoydbStore, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, aa as PeriodRecord, bG as Permission, bH as Permissions, bI as PlaintextTranslatorContext, bJ as PlaintextTranslatorFn, P as PolicyEnforcer, bK as PresenceHandle, bL as PresencePeer, aw as PruneOptions, bM as PullMode, bN as PullOptions, bO as PullPolicy, bP as PullResult, bQ as PushMode, bR as PushOptions, bS as PushPolicy, bT as PushResult, bU as PutManyItemOptions, bV as PutManyOptions, bW as PutManyResult, bX as QueryAcrossOptions, bY as QueryAcrossResult, bZ as ReAuthOperation, b_ as RevokeOptions, aq as Role, b$ as SessionPolicy, U as SlotInfo, V as SlotRecord, c0 as StandardSchemaV1, c1 as StandardSchemaV1Issue, c2 as StandardSchemaV1SyncResult, c3 as StoreAuth, c4 as StoreAuthKind, c5 as StoreCapabilities, c6 as SyncEngine, c7 as SyncMetadata, c8 as SyncPolicy, c9 as SyncScheduler, ca as SyncSchedulerStatus, cb as SyncStatus, cc as SyncTarget, cd as SyncTargetRole, ce as SyncTransaction, cf as SyncTransactionResult, cg as TierMode, ch as TranslatorAuditEntry, al as TxCollection, am as TxContext, ci as TxOp, an as TxVault, cj as UserInfo, ck as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, cl as VaultSnapshot, aH as VerifyResult, W as VersionRecord, g as applyI18nLocale, aI as applyPatch, cm as buildRecipientKeyringFile, aJ as canonicalJson, aK as computePatch, n as createEnforcer, cn as createNoydb, co as createStore, cp as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, cq as evaluateExportCapability, cr as evaluateImportCapability, aM as formatDiff, cs as hasExportCapability, ct as hasImportCapability, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, cu as isMagicLinkGrantExpired, cv as issueDelegation, cw as listMagicLinkGrants, cx as loadActiveDelegations, cy as magicLinkGrantRecordId, aO as paddedIndex, aP as parseIndex, cz as readMagicLinkGrantRecord, r as resolveI18nText, cA as revokeDelegation, cB as revokeMagicLinkGrant, ao as runTransaction, aQ as sha256Hex, cC as unwrapMagicLinkGrant, v as validateI18nTextValue, cD as validateSchemaInput, cE as validateSchemaOutput, o as validateSessionPolicy, cF as writeMagicLinkGrant } from './types-Dmi7nrC9.js';
+import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-D-6bmD2c.js';
+export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DelegationToken, bf as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bg as DirtyEntry, bh as ELEVATION_AUDIT_COLLECTION, bi as ElevatedHandle, av as EncryptedEnvelope, bj as EnrollAuthenticatorOptions, bk as ExportCapability, bl as ExportChunk, bm as ExportFormat, bn as ExportStreamOptions, bo as FactorKind, bp as FactorRequirement, bq as GhostRecord, br as GrantOptions, bs as HistoryConfig, bt as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bu as INDEXED_STORE_POLICY, bv as ImportCapability, bw as InferOutput, bx as IssueDelegationOptions, by as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bz as KeyringAuthenticator, bA as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bB as ListAccessibleVaultsOptions, bC as ListPageResult, bD as LiveUserEnvelope, bE as LocaleReadOptions, bF as Lru, bG as LruOptions, bH as LruStats, bI as MAGIC_LINK_CONTENT_INFO_PREFIX, bJ as MAGIC_LINK_GRANTS_COLLECTION, bK as MAGIC_LINK_KEK_INFO_PREFIX, bL as MagicLinkGrantPayload, bM as MagicLinkGrantRecord, bN as NOYDB_BACKUP_VERSION, bO as NOYDB_FORMAT_VERSION, bP as NOYDB_KEYRING_VERSION, bQ as NOYDB_SYNC_VERSION, bR as Noydb, bS as NoydbBundleStore, bT as NoydbEventMap, bU as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bV as PUBLIC_ENVELOPE_FIELDS, bW as PaperRecoveryDoc, bX as PaperRecoveryEntry, bY as PassphrasePolicy, bZ as PassphraseValidationResult, aa as PeriodRecord, b_ as Permission, b$ as Permissions, c0 as PlaintextTranslatorContext, c1 as PlaintextTranslatorFn, P as PolicyEnforcer, c2 as PresenceHandle, c3 as PresencePeer, aw as PruneOptions, c4 as PublicEnvelopeField, c5 as PublicEnvelopeSchema, c6 as PublicEnvelopeText, c7 as PullMode, c8 as PullOptions, c9 as PullPolicy, ca as PullResult, cb as PushMode, cc as PushOptions, cd as PushPolicy, ce as PushResult, cf as PutManyItemOptions, cg as PutManyOptions, ch as PutManyResult, ci as QueryAcrossOptions, cj as QueryAcrossResult, ck as QuickUnlockState, cl as QuickUnlockStore, cm as ReAuthOperation, cn as RecoverPassphraseInput, co as RecoveryProof, cp as ResolvedPublicEnvelopeSchema, cq as RevokeOptions, aq as Role, cr as RotatePassphraseInput, cs as SessionPolicy, ct as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cu as StandardSchemaV1, cv as StandardSchemaV1Issue, cw as StandardSchemaV1SyncResult, cx as StoreAuth, cy as StoreAuthKind, cz as StoreCapabilities, cA as SyncEngine, cB as SyncMetadata, cC as SyncPolicy, cD as SyncScheduler, cE as SyncSchedulerStatus, cF as SyncStatus, cG as SyncTarget, cH as SyncTargetRole, cI as SyncTransaction, cJ as SyncTransactionResult, cK as TierMode, cL as TranslatorAuditEntry, al as TxCollection, am as TxContext, cM as TxOp, an as TxVault, cN as USER_ENVELOPE_COLLECTION, cO as USER_ENVELOPE_MAX_BYTES, cP as Unsubscribe, cQ as UserApi, cR as UserEnvelopeCheckGate, cS as UserEnvelopeOversizedError, cT as UserEnvelopePresented, cU as UserInfo, cV as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, cW as VaultPolicyOnDisk, cX as VaultSnapshot, aH as VerifyResult, W as VersionRecord, cY as WarningRules, cZ as WeakPassphraseError, c_ as WeakPassphraseReason, g as applyI18nLocale, aI as applyPatch, c$ as assertStrongPassphrase, d0 as buildRecipientKeyringFile, d1 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, d2 as createNoydb, d3 as createStore, d4 as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, d5 as enrollAuthenticator, d6 as estimateEntropy, d7 as evaluateExportCapability, d8 as evaluateImportCapability, d9 as findAuthenticator, aM as formatDiff, da as hasExportCapability, db as hasImportCapability, dc as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dd as isMagicLinkGrantExpired, de as isPublicEnvelope, df as issueDelegation, dg as keyringRecoverPassphrase, dh as keyringRotatePassphrase, di as listMagicLinkGrants, dj as listUsers, dk as listUsersWithEnvelopes, dl as loadActiveDelegations, dm as loadPaperRecoveryEntries, dn as magicLinkGrantRecordId, aO as paddedIndex, aP as parseIndex, dp as readMagicLinkGrantRecord, dq as removeAuthenticator, r as resolveI18nText, dr as resolvePublicEnvelopeSchema, ds as revokeDelegation, dt as revokeMagicLinkGrant, ao as runTransaction, du as savePaperRecoveryEntries, aQ as sha256Hex, dv as unwrapMagicLinkGrant, v as validateI18nTextValue, dw as validatePassphrase, dx as validatePublicEnvelopeInput, dy as validateSchemaInput, dz as validateSchemaOutput, o as validateSessionPolicy, dA as writeMagicLinkGrant } from './types-D-6bmD2c.js';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.js';
 export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.js';
-export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, N as NetworkError, t as NoAccessError, u as NotFoundError, v as NoydbError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-BRHBCmLt.js';
-export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as resetBrotliSupportCache, w as writeNoydbBundle } from './index-Cy-MKrdK.js';
+import { N as NoydbError } from './index-DJTf9yxn.js';
+export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, t as NetworkError, u as NoAccessError, v as NotFoundError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-DJTf9yxn.js';
+export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-DZn6Yick.js';
 export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.js';
 export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.js';
-export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-XOUecfQ9.js';
+export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-CcJ1qIi7.js';
 export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.js';
 export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.js';
-export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-Bxud16vM.js';
+export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-1Xsqx1jl.js';
 import './lazy-builder-BwEoBQZ9.js';
 
+/**
+ * Persistence helpers for per-principal user envelopes stored at
+ * `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).
+ *
+ * Unlike `_meta/policy` and `_meta/handle` which are plaintext, user
+ * envelopes carry user data and are encrypted with a dedicated
+ * {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and
+ * propagated to every keyring via the system-collection DEK path in
+ * `team/keyring.ts`).
+ *
+ * This module is the **storage primitive** layer. The public API
+ * (`vault.user.*`) sits on top of this; permission gates, own-only
+ * write enforcement, and presence-channel propagation live there.
+ *
+ * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
+ *
+ * @module
+ */
+
+/**
+ * Read and decrypt the user envelope for `keyringId`. Returns `null`
+ * when no envelope has been persisted (either the principal has never
+ * called `updateMe`, or the keyring predates this feature).
+ *
+ * Decryption errors propagate — a tampered or wrong-keyed envelope
+ * surfaces as the underlying crypto error rather than masquerading as
+ * "not found".
+ */
+declare function loadUserEnvelope<T = unknown>(store: NoydbStore, vault: string, keyringId: string, dek: CryptoKey): Promise<UserEnvelope<T> | null>;
+/**
+ * Encrypt and persist the user envelope for `keyringId`. The new
+ * version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable
+ * optimistic-concurrency checks: a mismatch with the stored version
+ * throws {@link ConflictError} with the actual stored version.
+ *
+ * `expectedVersion: 0` means "expect no prior envelope"; the write
+ * succeeds only if no envelope exists yet.
+ *
+ * Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};
+ * larger payloads throw {@link UserEnvelopeOversizedError}.
+ */
+declare function saveUserEnvelope<T>(store: NoydbStore, vault: string, keyringId: string, payload: T, dek: CryptoKey, expectedVersion?: number): Promise<UserEnvelope<T>>;
+/**
+ * Delete the user envelope for `keyringId`. Idempotent — no error if
+ * the envelope is already absent. Called from the keyring revoke path
+ * (cascade-delete) and is a no-op for keyrings that never wrote.
+ */
+declare function deleteUserEnvelope(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
+/**
+ * List the keyring ids that have a user envelope persisted in `vault`.
+ * Order is store-defined — callers that need a stable order should sort.
+ */
+declare function listUserEnvelopeIds(store: NoydbStore, vault: string): Promise<string[]>;
+
 /**
  * Cache policy helpers — parse human-friendly byte budgets into raw numbers.
  *
@@ -45,6 +100,259 @@ declare function parseBytes(input: number | string): number;
  */
 declare function estimateRecordBytes(record: unknown): number;
 
+/**
+ * Persistence helpers for `_meta/public-envelope`. Mirrors the
+ * bypass-AES pattern used by `_meta/handle` and `_meta/policy` —
+ * the document is plaintext JSON, the envelope's `_iv` field is
+ * left empty.
+ *
+ * @module
+ */
+
+/** Reserved id for the vault-level public envelope record. */
+declare const PUBLIC_ENVELOPE_RECORD_ID = "public-envelope";
+/**
+ * Read the public envelope from `_meta/public-envelope`. Returns
+ * `undefined` when no envelope has been persisted (fresh vault, or
+ * a vault written before the feature was enabled). Tolerates
+ * corrupted documents — a JSON parse failure surfaces as `undefined`,
+ * not a thrown error, mirroring `_meta/handle`'s contract.
+ */
+declare function loadPublicEnvelope(store: NoydbStore, vault: string): Promise<PublicEnvelope | undefined>;
+/** Persist the public envelope. Idempotent — overwrites any prior write. */
+declare function savePublicEnvelope(store: NoydbStore, vault: string, envelope: PublicEnvelope): Promise<void>;
+/**
+ * Public, no-key reader. Plain function, not a method on `Noydb` —
+ * the whole point is it works without an authenticated session, so
+ * a UI can show "Acme 2026 Tax Records" before unlocking.
+ *
+ * Resolves any `name` / `description` locale map through the supplied
+ * `locale` (when provided). Omitting `locale` returns the raw
+ * envelope, which a multilingual picker can render as it pleases.
+ */
+declare function readPublicEnvelope(store: NoydbStore, vault: string, opts?: {
+    readonly locale?: string;
+}): Promise<PublicEnvelope | undefined>;
+
+/**
+ * Why a gate denied a request. Stable across hub versions so consumers
+ * can switch on the value in error UIs.
+ */
+type PolicyDenyReason = 'insufficient-tier' | 'missing-factor' | 'stale-proof' | 'disabled' | 'shared-device-blocked';
+/**
+ * Thrown by {@link checkGate} when the active session does not meet
+ * the gate's requirements. Carries the gate name, the reason, and the
+ * full required {@link GatePolicy} so error UIs can prompt the user
+ * for the missing factor without re-reading the policy document.
+ */
+declare class PolicyDeniedError extends NoydbError {
+    readonly gate: GateName;
+    readonly reason: PolicyDenyReason;
+    readonly required: GatePolicy;
+    constructor(gate: GateName, reason: PolicyDenyReason, required: GatePolicy, message?: string);
+}
+/**
+ * Raised by `createNoydb({ ... })` when the developer omits a recovery
+ * profile and `recover-passphrase` is not explicitly disabled. Vaults
+ * MUST have at least one recovery path enrolled before being
+ * production-ready (paper, shamir, multi-channel, or admin-mediated).
+ *
+ * The error references issue #10 in its message so a developer hitting
+ * it gets a one-line pointer to the design.
+ */
+declare class RecoveryNotEnrolledError extends NoydbError {
+    constructor(message?: string);
+}
+/**
+ * Raised by `db.recoverPassphrase` when the developer requests a
+ * recovery profile other than `'paper'` in v0.1.0-pre.5. The other
+ * three profiles (Shamir, multi-channel, admin-mediated) ship the API
+ * shape now; their per-profile dispatch lands in follow-up issues.
+ *
+ * The carried `profile` and `tracking` fields let consumers steer the
+ * UI ("Shamir recovery is not yet wired up — open issue #N to follow").
+ */
+declare class RecoveryProfileNotImplementedError extends NoydbError {
+    readonly profile: string;
+    readonly tracking: string;
+    constructor(profile: string, tracking: string);
+}
+
+/**
+ * Default policy for personal vaults and SMB deployments — the gates
+ * that need an off-device factor get one (TOTP / email-OTP / paper
+ * recovery), the rest take a tier-1 unlock alone. Tier-3 (PIN) is the
+ * floor only for `rotate-unlock` because that's the
+ * "change my PIN" flow.
+ *
+ * The unspecified gates (e.g. `view-user-auth`) inherit the engine
+ * default of `{ enabled: false, minTier: 1 }` — they fail closed.
+ *
+ * @see docs/subsystems/session-tiers.md → Built-in gates
+ */
+declare const PERSONAL_POLICY: VaultPolicy;
+/**
+ * Strict policy for regulated deployments and shared workstations —
+ * raises the phrase floor to 8 words, demands two distinct factors for
+ * exports, and blocks export-on-shared-device. Use as a base for
+ * `policy: { ...STRICT_POLICY, gates: { ...STRICT_POLICY.gates, ... } }`
+ * tweaks.
+ */
+declare const STRICT_POLICY: VaultPolicy;
+/**
+ * Merge a developer override onto a preset. Unspecified gates inherit;
+ * specified gates fully replace the preset's entry for that gate.
+ *
+ * Example:
+ *
+ * ```ts
+ * mergePolicy(PERSONAL_POLICY, {
+ *   gates: {
+ *     'app:approve-large-payment': { minTier: 2, factors: [{ anyOf: ['totp'] }] },
+ *   },
+ * })
+ * // → PERSONAL_POLICY plus the new app gate; existing gates intact.
+ * ```
+ */
+declare function mergePolicy(base: VaultPolicy, override?: Partial<VaultPolicy>): VaultPolicy;
+
+/**
+ * Policy gate engine — the {@link checkGate} entry point.
+ *
+ * Given a configured {@link VaultPolicy}, an active session tier, and
+ * the factor proofs an actor is presenting, decide whether the gate
+ * permits the action. On denial, throws {@link PolicyDeniedError} with
+ * a stable {@link PolicyDenyReason} so consumers can branch in error
+ * UIs.
+ *
+ * @see docs/subsystems/session-tiers.md → checkGate() API
+ *
+ * @module
+ */
+
+/** Default freshness window — 5 minutes. */
+declare const DEFAULT_FRESHNESS_MS: number;
+/** Caller-supplied context for one `checkGate` invocation. */
+interface CheckGateContext {
+    /** Tier the active session currently holds. */
+    readonly activeTier: ActiveTier;
+    /** Proofs the actor is presenting for this gate. */
+    readonly factors?: ReadonlyArray<FactorProof>;
+    /**
+     * If the host knows the actor is on a shared device, set this to
+     * `true` so the engine can apply `warn.sharedDevice` rules. Defaults
+     * to `false`.
+     */
+    readonly sharedDevice?: boolean;
+    /**
+     * Override `now()` for tests. Defaults to `Date.now()`.
+     * @internal
+     */
+    readonly now?: number;
+}
+/**
+ * Decide whether `gate` permits the action under `context`. Throws
+ * {@link PolicyDeniedError} on denial; resolves with `void` on success.
+ *
+ * Lookup rules:
+ * - **Built-in gates** without a configured policy fail closed
+ *   (`enabled: false`).
+ * - **App-defined gates** (`app:*`) without a configured policy are
+ *   treated as no-op (allow). The developer registered the policy if
+ *   they wanted enforcement; absence means the gate is informational.
+ */
+declare function checkGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<void>;
+/**
+ * Same as {@link checkGate} but returns a structured verdict instead
+ * of throwing. Useful when an error UI wants to show the user
+ * "you'll need TOTP plus a recovery code to do that" without first
+ * triggering the action.
+ */
+declare function describeGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<{
+    ok: true;
+} | {
+    ok: false;
+    reason: PolicyDenyReason;
+    required: GatePolicy;
+}>;
+
+/**
+ * Persistence helpers for the vault-level policy document
+ * (`_meta/policy`). Mirrors the bypass-AES pattern used by
+ * `_meta/handle` — the policy document is plain JSON, the envelope's
+ * `_iv` field is left empty.
+ *
+ * @see docs/subsystems/session-tiers.md → Storage location
+ *
+ * @module
+ */
+
+/** Reserved collection name for vault-level metadata documents. */
+declare const META_COLLECTION = "_meta";
+/** Reserved id for the vault-level policy document. */
+declare const POLICY_RECORD_ID = "policy";
+/**
+ * Read the vault-level policy from `_meta/policy`. Returns `undefined`
+ * when no policy has been persisted (fresh vault, or a vault written
+ * before the policy module landed). The caller falls back to the
+ * default preset.
+ *
+ * Tolerates corrupted documents the same way `_meta/handle` does: a
+ * JSON parse failure surfaces as `undefined`, not a thrown error, so
+ * a bad write never permanently locks a vault.
+ */
+declare function loadVaultPolicy(store: NoydbStore, vault: string): Promise<VaultPolicy | undefined>;
+/**
+ * Persist the vault-level policy at `_meta/policy`. Idempotent — call
+ * once at vault creation and again on `db.updatePolicy()` invocations.
+ */
+declare function saveVaultPolicy(store: NoydbStore, vault: string, policy: VaultPolicy): Promise<void>;
+
+/**
+ * Authentication introspection — issue #13.
+ *
+ * Three surfaces over the configured tier model and the actual
+ * per-user enrollment state:
+ *
+ * 1. **Vault-wide English summary** — {@link describeAuthConfig}.
+ * 2. **Vault-wide Mermaid diagram** — {@link diagramAuthConfig}.
+ * 3. **Per-user introspection** — {@link describeUserAuth}, gated by
+ *    the `view-user-auth` policy gate (off by default).
+ *
+ * The per-user surface is held to a strict allowlist — fields not on
+ * the allowlist are dropped, never rendered. The negative test in
+ * `auth-introspection.test.ts` exercises the allowlist by feeding a
+ * contrived keyring with fake "secret" fields and asserting that none
+ * of them appear in the output.
+ *
+ * @module
+ */
+
+/** Vault-wide English summary of the configured authentication graph. */
+declare function describeAuthConfig(store: NoydbStore, vault: string): Promise<string>;
+/**
+ * Render the vault's auth graph as Mermaid `flowchart TB` source. The
+ * caller pipes this through Mermaid (CLI or browser) to get an SVG.
+ */
+declare function diagramAuthConfig(store: NoydbStore, vault: string): Promise<string>;
+/**
+ * Render the per-user enrollment summary. Returns an empty
+ * (non-throwing) string when the user has no keyring file — never
+ * confirms or denies the existence of the user from the document
+ * alone.
+ *
+ * Sanitization is strict: only the slot list, enrollment dates, and
+ * recovery-profile counts are rendered. WebAuthn cred ids, OIDC
+ * subject ids, password hashes, recovery codes, TOTP secrets — all
+ * dropped at the allowlist boundary, not redacted.
+ */
+declare function describeUserAuth(store: NoydbStore, vault: string, userId: string): Promise<string>;
+/** Bulk variant for owner dashboards. */
+declare function describeAllUsersAuth(store: NoydbStore, vault: string): Promise<Array<{
+    userId: string;
+    description: string;
+}>>;
+
 interface EncryptResult {
     iv: string;
     data: string;
@@ -254,16 +562,4 @@ type DiffCandidate<T = unknown> = Vault | Record<string, readonly T[]> | string;
  */
 declare function diffVault<T = unknown>(vault: Vault, candidate: DiffCandidate<T>, options?: DiffOptions): Promise<VaultDiff<T>>;
 
-/**
- * Validate passphrase strength.
- * Checks length and basic entropy heuristics.
- * Throws ValidationError if too weak.
- */
-declare function validatePassphrase(passphrase: string): void;
-/**
- * Estimate passphrase entropy in bits.
- * Uses character class analysis (not dictionary-based).
- */
-declare function estimateEntropy(passphrase: string): number;
-
-export { type DiffCandidate, DiffEntry, type DiffOptions, UnlockedKeyring, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, assertTierAccess, base64ToBuffer, bufferToBase64, decryptBytes, decryptDeterministic, dekKey, derivePresenceKey, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateEntropy, estimateRecordBytes, parseBytes, validatePassphrase };
+export { ActiveTier, type CheckGateContext, DEFAULT_FRESHNESS_MS, type DiffCandidate, DiffEntry, type DiffOptions, FactorProof, GateName, GatePolicy, META_COLLECTION, NoydbError, NoydbStore, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, PolicyDeniedError, type PolicyDenyReason, PublicEnvelope, RecoveryNotEnrolledError, RecoveryProfileNotImplementedError, STRICT_POLICY, UnlockedKeyring, UserEnvelope, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, VaultPolicy, assertTierAccess, base64ToBuffer, bufferToBase64, checkGate, decryptBytes, decryptDeterministic, dekKey, deleteUserEnvelope, derivePresenceKey, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateRecordBytes, listUserEnvelopeIds, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, mergePolicy, parseBytes, readPublicEnvelope, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy };