@noy-db/hub 0.1.0-pre.4 → 0.1.0-pre.7

package/dist/{types-Dmi7nrC9.d.ts → types-D-6bmD2c.d.ts}

@@ -1,7 +1,7 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-BwEoBQZ9.js';
 import { A as AggregateStrategy } from './strategy-D-SrOLCl.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { U as RefDescriptor, p as JoinableSource, Z as RefViolation, Q as Query, $ as ScanBuilder } from './index-BRHBCmLt.js';
+import { N as NoydbError, U as RefDescriptor, p as JoinableSource, Z as RefViolation, Q as Query, $ as ScanBuilder } from './index-DJTf9yxn.js';
 import { I as IndexDef, C as CollectionIndexes } from './predicate-SBHmi6D0.js';
 
 /**
@@ -1739,6 +1739,136 @@ declare class NoydbEventEmitter {
     removeAllListeners(): void;
 }
 
+/**
+ * Passphrase validation — phrase format (per the three-tier session-tiers
+ * design, locked 2026-05-04).
+ *
+ * Passphrases are **phrases**: multiple simple words, easy to remember,
+ * structurally constrained so a weak choice cannot silently collapse the
+ * security floor. The format is intentionally narrow: lowercase letters
+ * and single spaces only, no punctuation, no symbols, no digits.
+ *
+ * - Default minimum: 6 words (~77 bits with the 7,776-word EFF list).
+ * - Strict minimum: 8 words (~103 bits).
+ * - Per-word minimum: 3 characters (excludes "a", "is", "of").
+ * - Adjacent repeats rejected ("the the").
+ *
+ * The hub runs validation default-on at every passphrase ingress
+ * (`createOwnerKeyring`, `grant`, `rotatePassphrase`); test fixtures and
+ * CLI scripts override via `{ allowWeakPassphrase: true }`.
+ *
+ * @module
+ */
+
+/** All reasons a phrase can be rejected. */
+type WeakPassphraseReason = 'empty' | 'invalid-chars' | 'leading-or-trailing-space' | 'double-space' | 'too-few-words' | 'word-too-short' | 'repeated-adjacent';
+/** Per-vault knobs. Aligns with `VaultPolicy.passphrase`. */
+interface PassphrasePolicy {
+    /** Minimum number of words. Default 6. Strict policy uses 8. */
+    readonly minWords?: number;
+    /** Minimum characters per word. Default 3. */
+    readonly minWordLength?: number;
+    /** Reject adjacent identical words ("the the"). Default true. */
+    readonly rejectRepeatedAdjacent?: boolean;
+}
+/** Result of a check. Discriminated union — compile-time exhaustive. */
+type PassphraseValidationResult = {
+    readonly ok: true;
+    readonly words: number;
+} | {
+    readonly ok: false;
+    readonly reason: WeakPassphraseReason;
+    readonly minimum?: number;
+    readonly got?: number;
+};
+/**
+ * Thrown by `assertStrongPassphrase()` and by every hub ingress
+ * point (`createOwnerKeyring`, `grant`, `rotatePassphrase`) when a
+ * supplied phrase fails the structural rules above.
+ */
+declare class WeakPassphraseError extends NoydbError {
+    readonly reason: WeakPassphraseReason;
+    readonly suggestion: string;
+    constructor(reason: WeakPassphraseReason, suggestion: string);
+}
+/**
+ * Inspect a phrase against the format rules and return a structured
+ * verdict. Never throws — callers either branch on `ok` or pass the
+ * result to {@link assertStrongPassphrase} for the throwing flavour.
+ */
+declare function validatePassphrase(s: string, opts?: PassphrasePolicy): PassphraseValidationResult;
+/**
+ * Throw {@link WeakPassphraseError} when the phrase fails. Used by
+ * `createOwnerKeyring`, `grant`, and `rotatePassphrase` at ingress.
+ *
+ * Pass `{ allowWeakPassphrase: true }` to bypass — intended for test
+ * fixtures, CLI scripts, and dev environments. The override never
+ * loosens the cryptographic key derivation; it only relaxes the
+ * structural-strength gate.
+ */
+declare function assertStrongPassphrase(s: string, opts?: PassphrasePolicy & {
+    allowWeakPassphrase?: boolean;
+}): void;
+/**
+ * Estimate the entropy of a phrase, given the EFF 7,776-word list as
+ * the assumed wordlist. ~12.9 bits per word.
+ *
+ * Returns 0 for any input that fails the phrase format — character-class
+ * estimates aren't comparable to phrase entropy, and surfacing 0 makes
+ * weak inputs visible in any UI that displays an entropy meter.
+ */
+declare function estimateEntropy(passphrase: string): number;
+
+/**
+ * Type surface for the per-principal user envelope subsystem.
+ *
+ * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
+ *
+ * @module
+ */
+
+/**
+ * Thin reader view of a user envelope. The on-disk shape is the standard
+ * {@link import('../../types.js').EncryptedEnvelope}; this is what callers
+ * see after the storage layer has decrypted the payload.
+ *
+ * Hub commits to the `keyringId` ⇔ `userId` identity and the `_v` / `_ts`
+ * envelope metadata. The `data` payload is fully app-defined — hub does
+ * not introspect, validate, or reserve any keys inside it.
+ */
+interface UserEnvelope<T> {
+    /** The principal id this envelope belongs to. Equals the keyring `user_id`. */
+    readonly keyringId: string;
+    /** App-owned payload. Opaque to hub. */
+    readonly data: T;
+    /** Optimistic-concurrency version. Increments on every write. */
+    readonly _v: number;
+    /** ISO timestamp of the last write. */
+    readonly _ts: string;
+}
+/**
+ * Soft cap on the JSON-serialized payload size. Generous (a typical
+ * profile + preferences + small app annex is ~1 KiB); rejects accidental
+ * "stuff app state in here" anti-patterns.
+ */
+declare const USER_ENVELOPE_MAX_BYTES: number;
+/**
+ * Reserved store collection name for user envelopes. Starts with `_` so the
+ * keyring grant machinery propagates the DEK to every granted user via the
+ * existing system-collection DEK propagation path in `team/keyring.ts`.
+ */
+declare const USER_ENVELOPE_COLLECTION = "_users";
+/**
+ * Thrown when a user-envelope payload exceeds {@link USER_ENVELOPE_MAX_BYTES}
+ * after JSON-serialization. The error carries the actual size so callers
+ * can decide whether to trim or split.
+ */
+declare class UserEnvelopeOversizedError extends NoydbError {
+    readonly bytes: number;
+    readonly limit: number;
+    constructor(bytes: number, limit?: number);
+}
+
 /** In-memory representation of an unlocked keyring. */
 interface UnlockedKeyring {
     readonly userId: string;
@@ -1761,6 +1891,20 @@ interface UnlockedKeyring {
      * bundle import granted, regardless of role).
      */
     readonly importCapability?: ImportCapability;
+    /**
+     * Tier-2 authenticator slots — readonly snapshot loaded from the
+     * keyring file. Mutations go through `enrollAuthenticator` /
+     * `removeAuthenticator` (issue #11), which write back via
+     * `persistKeyring`. Always defined; loads with an empty array for
+     * keyrings written before the multi-slot extension landed.
+     */
+    readonly authenticators: readonly KeyringAuthenticator[];
+    /**
+     * Reserved per-keyring policy override (forward-compat for Option C
+     * — see {@link VaultPolicyOnDisk}). v1.0 round-trips this field but
+     * never enforces it; the gate engine uses `_meta/policy` only.
+     */
+    readonly policy?: VaultPolicyOnDisk;
 }
 /**
  * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its
@@ -1817,6 +1961,29 @@ interface BundleRecipient {
  * @internal
  */
 declare function buildRecipientKeyringFile(callerKeyring: UnlockedKeyring, recipient: BundleRecipient): Promise<KeyringFile>;
+/** List all users with access to a vault. */
+declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo[]>;
+/**
+ * Joined enumeration: every keyring + its `_users/<keyringId>`
+ * envelope side by side. Convenience for admin UIs that want to
+ * render team-member lists with profile data ("Bob — operator —
+ * 'Bob the Auditor' avatar X locale fr-FR") in a single pass.
+ *
+ * `userEnvelopeDek` is the vault's `_users` collection DEK
+ * (`vault.getDEK('_users')`); used to decrypt every envelope.
+ *
+ * Principals without a persisted envelope (legacy keyrings predating
+ * the user-envelope feature) come back with `envelope: null`. The
+ * caller chooses how to render — usually "fall back to keyring's
+ * `displayName`".
+ *
+ * Order matches `listUsers()` (store-defined; sort if you need a
+ * stable display order).
+ */
+declare function listUsersWithEnvelopes<T = unknown>(adapter: NoydbStore, vault: string, userEnvelopeDek: CryptoKey): Promise<Array<{
+    user: UserInfo;
+    envelope: UserEnvelope<T> | null;
+}>>;
 /**
  * Check whether a keyring is authorised for a given `@noy-db/as-*`
  * export tier.
@@ -2715,6 +2882,347 @@ declare class SyncEngine {
     private persistMeta;
 }
 
+/**
+ * Tier-1 change flows — `rotatePassphrase` (user remembers old) and
+ * `recoverPassphrase` (user supplies a recovery proof). Issue #10.
+ *
+ * The two flows share the post-verification half — fresh salt, fresh
+ * KEK, rewrap every DEK — and differ only in how they re-derive the
+ * old KEK:
+ *
+ * - **Rotate**: derive from the supplied `oldPassphrase`.
+ * - **Recover (paper)**: unwrap from a `RecoveryCodeEntry` using a
+ *   user-supplied recovery code. The entry is burned on success.
+ *
+ * The non-paper recovery profiles (Shamir, multi-channel,
+ * admin-mediated) are not yet wired — calling them throws
+ * {@link RecoveryProfileNotImplementedError} with a tracking link.
+ *
+ * @module
+ */
+
+/** Caller payload for {@link rotatePassphrase}. */
+interface RotatePassphraseInput {
+    readonly oldPassphrase: string;
+    readonly newPassphrase: string;
+    readonly passphrasePolicy?: PassphrasePolicy;
+    readonly allowWeakPassphrase?: boolean;
+}
+/**
+ * Re-derive the user's KEK from `oldPassphrase`, rewrap every DEK
+ * under a freshly-derived KEK from `newPassphrase`, and persist.
+ *
+ * Tier-2 authenticator slots are NOT preserved — each slot wraps the
+ * old KEK and would need the user's per-slot derivation key to
+ * re-wrap; the hub doesn't hold that. The user re-enrols any slots
+ * after rotation. v0.1.0-pre.5 limitation.
+ *
+ * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.
+ * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.
+ */
+declare function rotatePassphrase(store: NoydbStore, vault: string, userId: string, input: RotatePassphraseInput): Promise<UnlockedKeyring>;
+/** Caller payload for {@link recoverPassphrase}. */
+type RecoveryProof = {
+    readonly profile: 'paper';
+    readonly payload: {
+        readonly code: string;
+    };
+} | {
+    readonly profile: 'shamir';
+    readonly payload: {
+        readonly shares: ReadonlyArray<string>;
+    };
+} | {
+    readonly profile: 'multi-channel';
+    readonly payload: {
+        readonly proofs: ReadonlyArray<unknown>;
+    };
+} | {
+    readonly profile: 'admin-mediated';
+    readonly payload: {
+        readonly token: string;
+        readonly factor?: unknown;
+    };
+};
+interface RecoverPassphraseInput {
+    readonly newPassphrase: string;
+    readonly recoveryProof: RecoveryProof;
+    readonly passphrasePolicy?: PassphrasePolicy;
+    readonly allowWeakPassphrase?: boolean;
+}
+/**
+ * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
+ * supports the `'paper'` profile via `@noy-db/on-recovery` entries
+ * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * {@link RecoveryProfileNotImplementedError}.
+ *
+ * On success, the used recovery entry is burned (deleted from the
+ * stored set).
+ */
+declare function recoverPassphrase(store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
+
+/**
+ * Recovery profile persistence + dispatch — issue #10.
+ *
+ * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * `@noy-db/on-recovery`. The other three profiles (Shamir,
+ * multi-channel, admin-mediated) ship the API surface and throw
+ * {@link RecoveryProfileNotImplementedError} during use; per-profile
+ * dispatch lands in follow-up issues.
+ *
+ * Storage layout:
+ *
+ * ```
+ * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.
+ * _meta/recovery-shamir      — reserved
+ * _meta/recovery-multi       — reserved
+ * _meta/recovery-admin       — reserved
+ * ```
+ *
+ * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON
+ * with empty `_iv` — the recovery-code wrapping is what protects the
+ * KEK; the entries themselves are inert without the user's code.
+ *
+ * @module
+ */
+
+/**
+ * One paper recovery code as persisted in `_meta/recovery-paper`.
+ *
+ * The hub's KEK is intentionally non-extractable (see `crypto.ts`),
+ * so the recovery entry can't AES-KW-wrap the KEK directly. Instead
+ * we wrap a serialized DEK set: the entry holds the AES-GCM
+ * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery
+ * deserializes the DEK set, then mints a fresh KEK from the new
+ * passphrase and rewraps the DEKs under it.
+ *
+ * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick
+ * resume — the cryptographic guarantee is identical (AES-GCM with a
+ * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
+ * constraint cleanly.
+ */
+interface PaperRecoveryEntry {
+    readonly codeId: string;
+    /** Base64 PBKDF2 salt. */
+    readonly salt: string;
+    /** Base64 AES-GCM IV used for the wrapped-DEK ciphertext. */
+    readonly iv: string;
+    /** Base64 AES-GCM ciphertext — JSON `{ deks: Record<string, base64> }`. */
+    readonly wrappedDeks: string;
+    readonly enrolledAt: string;
+}
+interface PaperRecoveryDoc {
+    readonly _noydb_recovery: 1;
+    readonly profile: 'paper';
+    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
+}
+/** Read the paper-recovery entries. Returns empty array when absent. */
+declare function loadPaperRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<PaperRecoveryEntry>>;
+/** Replace the paper-recovery entries (used after burn-on-recovery). */
+declare function savePaperRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<PaperRecoveryEntry>): Promise<void>;
+/** Drop a single paper-recovery entry (burn-on-use). */
+declare function burnPaperRecoveryEntry(store: NoydbStore, vault: string, codeId: string): Promise<void>;
+/** Whether at least one recovery profile has any enrolled entries. */
+declare function hasRecoveryEnrolled(store: NoydbStore, vault: string): Promise<boolean>;
+
+/**
+ * Public envelope — owner-curated plaintext metadata, readable
+ * before vault unlock or bundle decryption.
+ *
+ * @see docs/subsystems/public-envelope.md
+ *
+ * @module
+ */
+/**
+ * Either a single string (used when the developer's app is
+ * single-locale) or a locale → string map for i18n. Mirrors the
+ * shape `@noy-db/hub/i18n` already uses for record fields, so the
+ * existing `resolveI18nText` resolver applies.
+ */
+type PublicEnvelopeText = string | Record<string, string>;
+/**
+ * Persisted shape — both `_meta/public-envelope` and the bundle
+ * header carry this. The version number is monotonic per vault and
+ * helps cache invalidators detect change without hashing the JSON.
+ */
+interface PublicEnvelope {
+    readonly _noydb_public: 1;
+    readonly version: number;
+    readonly name?: PublicEnvelopeText;
+    readonly description?: PublicEnvelopeText;
+    /** Inline `data:` URL (`data:image/png;base64,…` or `data:image/svg+xml;base64,…`). */
+    readonly icon?: string;
+    /** ISO-8601 timestamp; auto-set on first envelope write, immutable thereafter. */
+    readonly createdAt?: string;
+    /** ISO-8601 timestamp; auto-updated on every `setPublicEnvelope` call. */
+    readonly updatedAt?: string;
+    /** BCP-47 fallback locale for renderers when the user's locale isn't covered. */
+    readonly defaultLocale?: string;
+}
+/** Field names the developer can allow in `PublicEnvelopeSchema.fields`. */
+declare const PUBLIC_ENVELOPE_FIELDS: readonly ["name", "description", "icon", "createdAt", "updatedAt", "defaultLocale"];
+type PublicEnvelopeField = (typeof PUBLIC_ENVELOPE_FIELDS)[number];
+/**
+ * Build-time schema. The developer enables the feature and bounds
+ * what the owner can set. `true` is shorthand for "all defaults" —
+ * gives the owner the full field set with the standard caps.
+ */
+interface PublicEnvelopeSchema {
+    /**
+     * Allowed field names. Setting `name`/`description`/`icon`/`defaultLocale` is
+     * gated on the field being listed here. `createdAt` / `updatedAt` are managed
+     * by the hub; including them is a no-op (the owner cannot set them
+     * directly). Default: every field above.
+     */
+    readonly fields?: ReadonlyArray<PublicEnvelopeField>;
+    /**
+     * Maximum icon size — measured as the length of the data-URL
+     * string. Default 256 KB.
+     */
+    readonly maxIconBytes?: number;
+    /** Allowed icon MIME types. Default ['image/png', 'image/svg+xml']. */
+    readonly iconMimeTypes?: ReadonlyArray<string>;
+    /** Maximum length of `name` / `description` per locale. Default 200. */
+    readonly maxStringChars?: number;
+}
+/** Default schema values; merged onto every developer-supplied schema. */
+declare const DEFAULT_PUBLIC_ENVELOPE_SCHEMA: {
+    readonly fields: readonly ["name", "description", "icon", "createdAt", "updatedAt", "defaultLocale"];
+    readonly maxIconBytes: number;
+    readonly iconMimeTypes: readonly ["image/png", "image/svg+xml"];
+    readonly maxStringChars: 200;
+};
+/** Resolved schema after merging developer override onto defaults. */
+interface ResolvedPublicEnvelopeSchema {
+    readonly fields: ReadonlyArray<PublicEnvelopeField>;
+    readonly maxIconBytes: number;
+    readonly iconMimeTypes: ReadonlyArray<string>;
+    readonly maxStringChars: number;
+}
+/**
+ * Merge developer schema onto the defaults. The shorthand `true`
+ * resolves to the full default schema; an explicit object only
+ * overrides the keys it provides.
+ */
+declare function resolveSchema(schema: true | PublicEnvelopeSchema | undefined): ResolvedPublicEnvelopeSchema | undefined;
+
+/** Owner-supplied input — the subset of {@link PublicEnvelope} the owner can set. */
+interface SetPublicEnvelopeInput {
+    readonly name?: PublicEnvelopeText;
+    readonly description?: PublicEnvelopeText;
+    readonly icon?: string;
+    readonly defaultLocale?: string;
+}
+/**
+ * Validate an owner-supplied envelope input against the developer's
+ * resolved schema. Throws `ValidationError` on the first violation;
+ * returns void on success.
+ *
+ * The validator is deliberately strict: every fail mode is a hard
+ * error rather than a silent drop, so the owner finds out immediately
+ * which field they oversized rather than discovering a truncated
+ * label months later.
+ */
+declare function validatePublicEnvelopeInput(input: SetPublicEnvelopeInput, schema: ResolvedPublicEnvelopeSchema): void;
+/**
+ * Lightweight runtime predicate — used by the bundle header
+ * validator to recognise a public envelope without requiring it.
+ */
+declare function isPublicEnvelope(x: unknown): x is PublicEnvelope;
+
+/**
+ * Tier-2 authenticator slot management — issue #11.
+ *
+ * Each slot independently wraps the SAME KEK under a method-specific
+ * derived key (LUKS pattern). Enrolling adds a slot; removing drops
+ * one. Both are constant-time keyring writes — no DEK re-keying.
+ *
+ * The crypto for each method lives in its `@noy-db/on-*` package
+ * (`on-webauthn`, `on-oidc`, `on-password`); this module accepts the
+ * package's `wrapped_kek` ciphertext + `meta` payload and persists it.
+ *
+ * @see docs/subsystems/session-tiers.md → Tier 2 — Authenticate
+ *
+ * @module
+ */
+
+/** Input shape for `enrollAuthenticator`. */
+interface EnrollAuthenticatorOptions {
+    readonly id: string;
+    readonly method: KeyringAuthenticator['method'];
+    /** Already-wrapped KEK ciphertext (base64) — produced by the on-* package. */
+    readonly wrapped_kek: string;
+    /** Method-specific metadata (cred id, salt, …). */
+    readonly meta: Record<string, unknown>;
+    /** Tier the active session held when enrolling. Defaults to 1. */
+    readonly enrolled_via_tier?: 1 | 2;
+}
+/**
+ * Append a new authenticator slot to the keyring file. Throws
+ * `ValidationError` if a slot with the same id already exists — the
+ * caller decides whether to remove + re-enroll.
+ */
+declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
+/**
+ * Drop a slot by id. No-op if the slot doesn't exist (idempotent —
+ * removing a non-existent slot is a recoverable retry, not an error).
+ */
+declare function removeAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string): Promise<UnlockedKeyring>;
+/**
+ * Look up a slot by id. Returns `undefined` when no slot matches.
+ * Used by tier-2 unlock dispatchers to fetch the wrapped KEK + meta
+ * before invoking the method-specific verifier.
+ */
+declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): KeyringAuthenticator | undefined;
+
+/**
+ * Per-vault tier-3 (PIN / quick-resume) state — issue #11.
+ *
+ * The hub holds a `PinResumeState`-shaped record in memory, keyed by
+ * vault. `enrollUnlock` populates it; `unlockViaPin` consumes it via
+ * `@noy-db/on-pin`'s `resumePin`. The cached state is wiped when the
+ * idle timer fires or `db.close()` is called.
+ *
+ * Importantly, this module does NOT depend on `@noy-db/on-pin` — the
+ * caller passes the already-built state in. That keeps the hub's
+ * `peerDependencies` empty for tier-3 and lets developers swap the
+ * primitive (e.g. an OS biometric in place of a PIN).
+ *
+ * @module
+ */
+/**
+ * Opaque `PinResumeState`-compatible record. Mirrored from
+ * `@noy-db/on-pin/PinResumeState`. The hub treats the contents as
+ * a black box.
+ */
+interface QuickUnlockState {
+    readonly _noydb_on_pin: 1;
+    readonly salt: string;
+    readonly iv: string;
+    readonly wrappedKeyring: string;
+    readonly expiresAt: string;
+    readonly maxAttempts: number;
+    attempts: number;
+}
+/** In-memory store for tier-3 unlock state, keyed by vault. */
+declare class QuickUnlockStore {
+    private readonly states;
+    private readonly timers;
+    /**
+     * Register a quick-unlock state for a vault. Replaces any existing
+     * state. Schedules an automatic clear when the state's `expiresAt`
+     * elapses.
+     */
+    set(vault: string, state: QuickUnlockState): void;
+    /** Read the state for a vault. Returns undefined when none is registered. */
+    get(vault: string): QuickUnlockState | undefined;
+    /** Drop the state for a vault. Cancels the auto-clear timer. */
+    delete(vault: string): void;
+    /** Drop every cached state. Called on `db.close()`. */
+    clear(): void;
+    private clearTimer;
+}
+
 /**
  * Multi-record atomic transactions.
  *
@@ -2853,6 +3361,88 @@ declare class TxCollection<T> {
  */
 declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
 
+/**
+ * Policy gate DSL types — issue #9.
+ *
+ * Sensitive operations (rotate the passphrase, enroll an authenticator,
+ * export plaintext, grant a user, …) are gated by a typed policy
+ * object. The developer supplies a {@link VaultPolicy} at vault
+ * creation; the hub merges it onto a built-in preset and persists the
+ * merged document at `_meta/policy`.
+ *
+ * @see docs/subsystems/session-tiers.md → Policy gates DSL
+ *
+ * @module
+ */
+
+/** A single off-device factor surface — the proof an actor presents at gate time. */
+type FactorKind = 'totp' | 'email-otp' | 'recovery' | 'shamir' | 'webauthn-roaming';
+/**
+ * One factor requirement entry. The default is "any one of the listed
+ * factors, fresh within the last 5 minutes". Bumping `count` requires N
+ * distinct fresh proofs; bumping `freshnessMs` widens the acceptance
+ * window.
+ */
+interface FactorRequirement {
+    readonly anyOf: ReadonlyArray<FactorKind>;
+    /** Number of distinct factors required. Default 1. */
+    readonly count?: number;
+    /** How recent each proof must be. Default 5 minutes. */
+    readonly freshnessMs?: number;
+}
+/** Soft signals layered on top of the gate verdict — never block on their own. */
+interface WarningRules {
+    /** Behavior on shared-device tier-1 ops. `'block'` raises a `PolicyDeniedError`. */
+    readonly sharedDevice?: 'warn' | 'block';
+    /** Behavior on weak tier-2 (e.g. password-only) for sensitive ops. */
+    readonly weakAuthenticator?: 'warn' | 'block';
+}
+/**
+ * Policy applied to one named gate. `enabled: false` disables the
+ * action entirely (useful in managed-passphrase mode where rotation is
+ * impossible by construction).
+ */
+interface GatePolicy {
+    /** Minimum tier the active session must hold. */
+    readonly minTier: 1 | 2 | 3;
+    /** Extra freshness-bound proofs required at gate time. */
+    readonly factors?: ReadonlyArray<FactorRequirement>;
+    readonly warn?: WarningRules;
+    readonly enabled?: boolean;
+}
+/**
+ * Built-in gate names. App-defined gates live in the `app:*` namespace
+ * and use the same engine; the engine treats unknown names with no
+ * configured policy as "no gate" (no-op).
+ */
+type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
+/** Authorize a write to one's own user envelope (#22). */
+ | 'edit-own-profile'
+/** Authorize reading other principals' user envelopes (#22). */
+ | 'view-team-profiles';
+/** Either a built-in gate name or an `app:*` custom gate. */
+type GateName = BuiltInGateName | `app:${string}`;
+/**
+ * Top-level policy object. Persisted at `_meta/policy` once at vault
+ * creation. The `passphrase` block configures the strength rules
+ * applied at every passphrase ingress (issue #7); `gates` configures
+ * the action-level requirements.
+ */
+interface VaultPolicy {
+    readonly passphrase?: PassphrasePolicy;
+    readonly gates: Partial<Record<GateName, GatePolicy>>;
+}
+/** Concrete proof an actor presents to {@link checkGate}. */
+interface FactorProof {
+    readonly kind: FactorKind;
+    /** ISO-8601 timestamp the proof was minted at. Compared against `freshnessMs`. */
+    readonly mintedAt?: string;
+    /** Method-specific payload. The engine treats it as opaque — verification is delegated. */
+    readonly payload?: unknown;
+}
+/** Active session tier — what the engine compares against `gate.minTier`. */
+type ActiveTier = 1 | 2 | 3;
+
 /** The top-level NOYDB instance. */
 declare class Noydb {
     private readonly options;
@@ -2860,6 +3450,25 @@ declare class Noydb {
     private readonly vaultCache;
     private readonly keyringCache;
     private readonly syncEngines;
+    /**
+     * Per-vault active session tier — defaults to `1` after a passphrase
+     * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+     * {@link checkGate} to evaluate `gate.minTier`.
+     */
+    private readonly activeTier;
+    /**
+     * Per-vault loaded policy. Cached after the first
+     * `_meta/policy` load; replaced by `db.updatePolicy()`.
+     */
+    private readonly policyCache;
+    /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+    private readonly quickUnlock;
+    /**
+     * Resolved public-envelope schema. Lazily computed once from
+     * `NoydbOptions.publicEnvelope`; `undefined` when the developer
+     * didn't opt in.
+     */
+    private readonly publicEnvelopeSchema;
     private closed;
     private sessionTimer;
     /** Per-vault policy enforcers. */
@@ -3095,6 +3704,28 @@ declare class Noydb {
     private getSyncEngine;
     on<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
     off<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
+    /**
+     * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
+     * instance, sync engine, policy enforcer, and active-tier entry —
+     * WITHOUT destroying the `Noydb` instance.
+     *
+     * Designed for "lock screen" UX: the user taps **Lock** and DEKs are
+     * scrubbed from memory immediately, but the same `Noydb` instance can
+     * be re-unlocked via {@link unlockViaAuthenticator} (tier 2) or
+     * {@link unlockViaPin} (tier 3) without re-running `createNoydb`.
+     *
+     * **QuickUnlock state is preserved.** That's the whole point — the
+     * user can still resume via PIN without a full credential re-prompt.
+     * The on-disk `_meta/policy` document is also kept in cache (it
+     * survives lock; nothing about it changes when DEKs are scrubbed).
+     *
+     * No-op when `vault` is not currently in cache (idempotent).
+     *
+     * Unblocks vLannaAi/niwat#33.
+     *
+     * @see #17
+     */
+    lockVault(vault: string): void;
     close(): void;
     /**
      * Returns a snapshot of all translator invocations since the last
@@ -3113,6 +3744,278 @@ declare class Noydb {
      * @internal — not part of the public API surface
      */
     invokeTranslator(text: string, from: string, to: string, field: string, collection: string): Promise<string>;
+    /**
+     * Read the active policy for a vault. Loads from `_meta/policy` on
+     * first call; subsequent calls hit the in-memory cache. Throws
+     * `ValidationError` if the vault has not been opened.
+     */
+    getPolicy(vault: string): Promise<VaultPolicy>;
+    /**
+     * Replace the policy document at `_meta/policy` and update the
+     * in-memory cache. Gated by the `enroll-user` policy (a policy
+     * change is fundamentally a privilege-management action).
+     */
+    updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
+    /**
+     * Evaluate a policy gate against the active session tier and the
+     * presented factor proofs. Throws {@link PolicyDeniedError} on
+     * denial; resolves with `void` on success.
+     *
+     * @param vault    The vault whose policy applies.
+     * @param gate     Gate name — built-in (e.g. `'rotate-passphrase'`)
+     *                 or app-defined (`app:*`).
+     * @param presented Caller-supplied factor proofs.
+     */
+    checkGate(vault: string, gate: GateName, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /** Read or persist the vault policy at `_meta/policy` on first open. */
+    private bootstrapPolicy;
+    /**
+     * Throw {@link RecoveryNotEnrolledError} when the developer
+     * explicitly opts into strict mandatory-recovery enforcement
+     * (`createNoydb({ requireRecovery: true })`) and no recovery
+     * entries are persisted.
+     *
+     * The default behavior is lenient — `recover-passphrase` is enabled
+     * in `PERSONAL_POLICY` but the hub does not block vault open on
+     * missing enrollment. v1.0 will flip the default to strict; for now,
+     * apps that want the spec-mandated check turn it on per-vault.
+     */
+    private assertRecoveryEnrolled;
+    /**
+     * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+     * to mark the active session tier.
+     * @internal
+     */
+    _setActiveTier(vault: string, tier: ActiveTier): void;
+    /**
+     * Add a tier-2 authenticator slot to the calling user's keyring.
+     * Each slot independently wraps the SAME KEK under a method-specific
+     * key — adding a slot is a constant-time keyring write.
+     *
+     * The wrapping ciphertext is produced by the corresponding
+     * `@noy-db/on-*` package (e.g. `enrollPasswordAuthenticator` from
+     * `@noy-db/on-password`); the hub persists the result.
+     *
+     * Gated by `enroll-authenticator`; `presented` carries any factor
+     * proofs the active policy demands.
+     */
+    enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Remove a tier-2 authenticator slot. Idempotent — removing a
+     * non-existent slot is a successful no-op. Gated by
+     * `remove-authenticator`.
+     */
+    removeAuthenticator(vault: string, slotId: string, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+    listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
+    /**
+     * Native WebAuthn enrollment using the **real** internal keyring (#16).
+     *
+     * Why this exists: when a consumer is using `createNoydb({ secret })`,
+     * they cannot reach the live `UnlockedKeyring` to feed it to
+     * `enrollWebAuthn(keyring, vault, opts)` from `@noy-db/on-webauthn`.
+     * Constructing a synthetic keyring (the previous workaround) produces
+     * a slot whose `wrapped_kek` references the synthetic payload, not
+     * the live session — so `unlockViaAuthenticator()` later replaces the
+     * live DEK map with stale wrapped DEKs and every decrypt fails.
+     *
+     * This method runs `ceremony` with the REAL keyring (still in
+     * `keyringCache`). The ceremony performs the WebAuthn enrollment and
+     * returns the slot options that hub then persists via the standard
+     * tier-2 enrollAuthenticator path.
+     *
+     * Layering note: hub does not import `@noy-db/on-webauthn` (that
+     * would invert the dep graph). The consumer wires it in:
+     *
+     * ```ts
+     * import { enrollWebAuthn } from '@noy-db/on-webauthn'
+     *
+     * await db.enrollWebAuthn('demo', async (keyring) => {
+     *   const e = await enrollWebAuthn(keyring, 'demo', { rp: {...} })
+     *   return {
+     *     id: `webauthn-${e.credentialId.slice(0, 8)}`,
+     *     method: 'webauthn',
+     *     wrapped_kek: e.wrappedPayload,
+     *     meta: {
+     *       credentialId: e.credentialId,
+     *       wrapIv: e.wrapIv,
+     *       prfUsed: e.prfUsed,
+     *       beFlag: e.beFlag,
+     *       requireSingleDevice: e.requireSingleDevice,
+     *     },
+     *   }
+     * })
+     * ```
+     *
+     * Returns the WebAuthn `credentialId` (extracted from `meta.credentialId`)
+     * for the caller's lookup index (a bootstrap vault, a PublicEnvelope,
+     * a server-side allowlist).
+     *
+     * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
+     *
+     * @see #16
+     */
+    enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<{
+        credentialId: string;
+    }>;
+    /**
+     * Filter the slot list to webauthn-method slots only. Useful for
+     * "you have N WebAuthn credentials enrolled" UI surfaces and for
+     * deciding when a new device prompt should appear. Identity is
+     * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
+     * `allowCredentials` at unlock time.
+     *
+     * @see #16
+     */
+    listWebAuthnSlots(vault: string): Promise<ReadonlyArray<{
+        id: string;
+        enrolledAt: string;
+        credentialId: string;
+    }>>;
+    /**
+     * Resolve a slot by id, then hand the wrapped-KEK ciphertext + meta
+     * to the caller-supplied verifier. The verifier is the
+     * `unlockWith*` function from the corresponding `@noy-db/on-*`
+     * package, e.g. `unlockWithPassword(slot, password)`.
+     *
+     * On success, mark the active session tier as 2 — subsequent
+     * `checkGate` calls see a tier-2 unlock.
+     */
+    unlockViaAuthenticator(vault: string, slotId: string, verify: (slot: KeyringAuthenticator) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring>;
+    /**
+     * Set the owner-curated public envelope for a vault. Throws
+     * `ValidationError` if the developer did not opt the hub into
+     * `publicEnvelope` via `NoydbOptions`, or if the input violates
+     * the resolved schema (oversized icon, disallowed MIME, oversized
+     * string, unknown field).
+     *
+     * `createdAt` is set on the first write and preserved on every
+     * subsequent write. `updatedAt` is refreshed on every write.
+     * `version` is monotonic — increments on every successful write.
+     */
+    setPublicEnvelope(vault: string, input: SetPublicEnvelopeInput): Promise<PublicEnvelope>;
+    /**
+     * Read the public envelope for a vault. Returns `undefined` when
+     * none has been written. Pass `locale` to resolve any locale-map
+     * fields to plain strings; omitting `locale` returns the raw map.
+     *
+     * Works even when the developer didn't enable
+     * `publicEnvelope` — reads are passive and never throw on a
+     * missing schema (the envelope is plaintext and exists on disk
+     * regardless).
+     */
+    getPublicEnvelope(vault: string, opts?: {
+        readonly locale?: string;
+    }): Promise<PublicEnvelope | undefined>;
+    /** English summary of the configured auth model. */
+    describeAuthConfig(vault: string): Promise<string>;
+    /** Mermaid `flowchart TB` source for the auth graph. */
+    diagramAuthConfig(vault: string): Promise<string>;
+    /**
+     * Per-user enrollment summary. Gated by `view-user-auth` (default:
+     * disabled). Sanitization is allowlist-based — never renders cred
+     * ids, password hashes, secrets, or any field outside the allowlist.
+     */
+    describeUserAuth(vault: string, userId: string, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<string>;
+    /** Bulk variant for owner dashboards. Gated by `view-user-auth`. */
+    describeAllUsersAuth(vault: string, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<Array<{
+        userId: string;
+        description: string;
+    }>>;
+    /**
+     * Rotate the user's passphrase (user remembers old). Validates the
+     * new phrase against the configured `passphrase` policy, runs the
+     * `rotate-passphrase` gate, then re-derives + re-wraps every DEK.
+     *
+     * Tier-2 authenticator slots are dropped — each slot wraps the old
+     * KEK and would need its derivation key to be re-presented. Re-enrol
+     * via `db.enrollAuthenticator` after rotation. Tracked as a
+     * v0.1.0-pre.5 limitation.
+     *
+     * @throws `WeakPassphraseError` on a weak new phrase.
+     * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
+     * @throws `InvalidKeyError` when `oldPassphrase` is wrong.
+     */
+    rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Reset the passphrase using a recovery proof (user forgot the old).
+     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
+     * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+     *
+     * Burns the used recovery entry on success.
+     */
+    recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+     * profile — the developer first calls
+     * `@noy-db/on-recovery/generateRecoveryCodeSet` to mint codes +
+     * entries, shows the codes to the user once, then hands the entries
+     * here.
+     *
+     * ```ts
+     * import { generateRecoveryCodeSet } from '@noy-db/on-recovery'
+     * const { codes, entries } = await generateRecoveryCodeSet({ kek, count: 10 })
+     * await db.enrollRecovery('acme', { profile: 'paper', entries })
+     * showCodesToUser(codes)
+     * ```
+     */
+    enrollRecovery(vault: string, enrollment: {
+        profile: 'paper';
+        entries: ReadonlyArray<PaperRecoveryEntry>;
+    }): Promise<void>;
+    /** Read the persisted paper-recovery entries. Used by `describeAuthConfig` (#13). */
+    listRecoveryEntries(vault: string): Promise<{
+        paper: ReadonlyArray<PaperRecoveryEntry>;
+    }>;
+    /**
+     * Register a tier-3 quick-unlock state for the vault. The state is
+     * an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
+     * compatible primitive). It is held in memory only — never persisted
+     * — and auto-clears when its `expiresAt` elapses.
+     *
+     * Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
+     * because tier-3 is a single-slot rolling secret).
+     */
+    enrollUnlock(vault: string, state: QuickUnlockState, presented?: {
+        factors?: ReadonlyArray<FactorProof>;
+        sharedDevice?: boolean;
+    }): Promise<void>;
+    /**
+     * Resume a session via the registered tier-3 state. The verifier is
+     * `@noy-db/on-pin/resumePin` (or compatible). On success, mark the
+     * active session tier as 3 — every operation must re-authenticate at
+     * tier 2 to elevate.
+     *
+     * Returns `undefined` (caller should fall back to tier 2) when no
+     * tier-3 state is registered.
+     */
+    unlockViaPin(vault: string, resume: (state: QuickUnlockState) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring | undefined>;
+    /** Drop the tier-3 state for a vault — explicit logout. */
+    clearQuickUnlock(vault: string): void;
     /** Get or load the keyring for a vault. */
     private getKeyring;
 }
@@ -3580,6 +4483,170 @@ declare function magicLinkGrantRecordId(token: string, index: number): string;
  */
 declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: Date): boolean;
 
+/**
+ * Public `vault.user.*` API surface.
+ *
+ * Three families:
+ *  - Write-self: `me` / `updateMe` / `setMe` — always target the writer's
+ *    own keyringId. **Own-only write rule** is structural — no method
+ *    exists to write someone else's envelope.
+ *  - Read-anyone: `get` / `list` — read other principals' envelopes
+ *    (subject to `view-team-profiles` policy gate, wired in #22).
+ *  - Reactive: `subscribe` / `live` — in-process event emission on local
+ *    writes. Cross-instance updates land via the team/sync engine and
+ *    surface to subscribers when the sync diff replays through this API.
+ *
+ * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
+ *
+ * @module
+ */
+
+/**
+ * Recursive partial. Used for `updateMe(patch)` so callers can hand in
+ * deeply-nested partial shapes and have them deep-merged onto the
+ * current envelope.
+ */
+type DeepPartial<T> = T extends object ? {
+    [P in keyof T]?: DeepPartial<T[P]>;
+} : T;
+/** Cancel a previously-registered subscription. */
+type Unsubscribe = () => void;
+/**
+ * Optional factor-proof bundle threaded into gated user-envelope
+ * operations. Same shape as `Noydb.checkGate(vault, gate, presented)`
+ * accepts elsewhere — apps that have already presented a TOTP/email-OTP
+ * for this session pass it here to satisfy tightened policies.
+ */
+interface UserEnvelopePresented {
+    readonly factors?: readonly FactorProof[];
+    readonly sharedDevice?: boolean;
+}
+/**
+ * Callback used by `UserApi` to validate the active session against a
+ * policy gate. Provided by the `Vault` constructor; in production this
+ * delegates to `Noydb.checkGate(vault, gate, presented)`. In tests, a
+ * no-op stub is fine.
+ */
+type UserEnvelopeCheckGate = (gate: 'edit-own-profile' | 'view-team-profiles', presented?: UserEnvelopePresented) => Promise<void>;
+/**
+ * Reactive handle returned by `live()`. `current` is the most recently
+ * observed value; `subscribe(cb)` fires on subsequent local writes.
+ * `stop()` releases the underlying subscription.
+ */
+interface LiveUserEnvelope<T> {
+    current(): UserEnvelope<T> | null;
+    subscribe(cb: (env: UserEnvelope<T> | null) => void): Unsubscribe;
+    stop(): void;
+}
+/**
+ * Implementation behind `vault.user`. Constructed once per Vault, holds
+ * the writer's keyringId in closure so `updateMe`/`setMe` cannot target
+ * any other principal — the own-only rule is enforced at the type level
+ * (no `set(otherKeyringId, …)` method) AND at runtime (the
+ * keyringId argument simply doesn't exist on the write path).
+ */
+declare class UserApi {
+    private readonly adapter;
+    private readonly vaultName;
+    /** The writer's own keyringId. Frozen at construction time. */
+    private readonly writerKeyringId;
+    private readonly getDek;
+    /**
+     * Policy-gate validator. When omitted, gates are skipped — useful
+     * for low-level tests that exercise the storage layer directly.
+     * Production paths always wire the Noydb-backed implementation.
+     */
+    private readonly checkGate?;
+    /** keyringId → set of listeners. Wildcard '*' fires on every change. */
+    private readonly listeners;
+    constructor(adapter: NoydbStore, vaultName: string, 
+    /** The writer's own keyringId. Frozen at construction time. */
+    writerKeyringId: string, getDek: () => Promise<CryptoKey>, 
+    /**
+     * Policy-gate validator. When omitted, gates are skipped — useful
+     * for low-level tests that exercise the storage layer directly.
+     * Production paths always wire the Noydb-backed implementation.
+     */
+    checkGate?: UserEnvelopeCheckGate | undefined);
+    /** Read the writer's own envelope. Returns null if never written. */
+    me<T = unknown>(): Promise<UserEnvelope<T> | null>;
+    /**
+     * Deep-merge a partial patch into the writer's own envelope. Creates
+     * the envelope on first call. Optimistic-concurrency safe — a stale
+     * `_v` (parallel writer on another device) throws `ConflictError`.
+     *
+     * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
+     * Pass `presented` to satisfy tightened policies that require a
+     * factor proof (e.g. STRICT_POLICY's TOTP requirement).
+     */
+    updateMe<T extends object = Record<string, unknown>>(patch: DeepPartial<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
+    /**
+     * Replace the writer's own envelope with `payload`. Use sparingly —
+     * `updateMe` is the canonical mutation. No `expectedVersion` check;
+     * callers explicitly take last-write-wins semantics.
+     *
+     * Gated by `edit-own-profile`. See `updateMe` for `presented` usage.
+     */
+    setMe<T = unknown>(payload: T, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
+    /**
+     * Read another principal's envelope by their keyringId. Returns null
+     * if the principal exists but has no envelope yet, or if the
+     * keyringId does not exist at all.
+     *
+     * Gated by `view-team-profiles` (default `minTier: 2`) — but ONLY for
+     * cross-principal reads. Reading your own envelope (`keyringId ===
+     * self`) is never gated; that's just `me()` written long-form.
+     */
+    get<T = unknown>(keyringId: string, presented?: UserEnvelopePresented): Promise<UserEnvelope<T> | null>;
+    /**
+     * Read every persisted envelope in the vault. Order is store-defined.
+     *
+     * Gated by `view-team-profiles`. Default policy (`minTier: 2`) lets
+     * any authenticated session read all envelopes. Two privacy-strict
+     * opt-outs:
+     *
+     *  - `view-team-profiles.enabled: false` → list() returns only the
+     *    caller's own envelope (silent self-fallback, no thrown error).
+     *  - `view-team-profiles.minTier: 1` + insufficient tier → throws
+     *    `PolicyDeniedError` with `reason: 'insufficient-tier'`. The
+     *    caller is expected to elevate, not silently degrade.
+     *
+     * The asymmetry is deliberate: `enabled: false` is a deliberate
+     * design choice ("nobody sees teammate profiles in this app");
+     * `insufficient-tier` is "you need to authenticate further". Different
+     * UX prompts for different intents.
+     */
+    list<T = unknown>(presented?: UserEnvelopePresented): Promise<UserEnvelope<T>[]>;
+    /**
+     * Listen for changes to a specific keyringId's envelope. The callback
+     * fires synchronously after every successful local `updateMe` /
+     * `setMe` for that principal.
+     *
+     * Cross-instance changes (a teammate edits their profile on their
+     * device, the sync engine pulls the diff onto this device) will fire
+     * subscribers when the sync layer replays the write through this API.
+     * In v1, subscribers do NOT fire on raw store changes — wire your sync
+     * layer to call back through `vault.user.setMe` / `updateMe` if you
+     * need that.
+     *
+     * Pass keyringId `'*'` to fire on every change in the vault.
+     */
+    subscribe<T = unknown>(keyringId: string, cb: (env: UserEnvelope<T> | null) => void): Unsubscribe;
+    /**
+     * Reactive handle that caches the current value and re-reads on every
+     * change for the given keyringId. Convenient for framework bindings:
+     *
+     *   const live = vault.user.live<UserShape>(vault.userId)
+     *   live.subscribe(env => render(env?.data))
+     *
+     * Initial value is `null` until the first `current()` call materializes
+     * it via `vault.user.get()`. Call `stop()` when done to release the
+     * subscription.
+     */
+    live<T = unknown>(keyringId: string): LiveUserEnvelope<T>;
+    private fireChange;
+}
+
 /** A vault (tenant namespace) containing collections. */
 declare class Vault {
     private readonly adapter;
@@ -3623,6 +4690,19 @@ declare class Vault {
     private readonly i18nStrategy;
     private readonly syncStrategy;
     private getDEK;
+    /**
+     * Per-principal user envelope API.
+     *
+     * - Write-self: `me()`, `updateMe(patch)`, `setMe(payload)` — always
+     *   target this vault session's keyringId. There is no method to write
+     *   another principal's envelope (own-only write rule, structural).
+     * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
+     *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+     * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
+     *
+     * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
+     */
+    readonly user: UserApi;
     /**
      * Optional callback that re-derives an UnlockedKeyring from the
      * adapter using the active user's passphrase. Called by `load()`
@@ -4368,6 +5448,22 @@ declare class Vault {
      * separate vault instances now.
      */
     getBundleHandle(): Promise<string>;
+    /**
+     * Read the owner-curated public envelope for this vault (or
+     * `undefined` if none is persisted). The envelope lives in
+     * `_meta/public-envelope` as plaintext — readable without any KEK
+     * — so `getBundleHandle`-style callers can label a vault before
+     * unlock.
+     *
+     * Mirrors `Noydb.getPublicEnvelope(vault, opts)` but scoped to a
+     * single, already-opened `Vault` instance so the
+     * bundle writer can snapshot it without holding a `Noydb` reference.
+     *
+     * @see docs/subsystems/public-envelope.md
+     */
+    getPublicEnvelope(opts?: {
+        readonly locale?: string;
+    }): Promise<PublicEnvelope | undefined>;
     /**
      * Dump vault as a verifiable encrypted JSON backup string.
      *
@@ -6448,6 +7544,71 @@ interface ImportCapability {
     readonly plaintext?: readonly ExportFormat[];
     readonly bundle?: boolean;
 }
+/**
+ * Forward-declared on-disk shape for `VaultPolicy` — the actual policy
+ * model lives in `policy/types.ts` (#9). Declared here as `unknown`-typed
+ * map so types.ts has no dependency on the policy module while the
+ * `KeyringFile.policy` field can still round-trip foreign documents.
+ *
+ * @internal
+ */
+type VaultPolicyOnDisk = Record<string, unknown>;
+/**
+ * Recovery profile enrolled at vault creation (issue #10).
+ *
+ * - `paper` — `on-recovery` codes (the only end-to-end profile in v0.1.0-pre.5).
+ * - `shamir` / `multi-channel` / `admin-mediated` — API surface ships;
+ *   per-profile dispatch lands in follow-up issues. Calling
+ *   `db.recoverPassphrase` against these throws
+ *   {@link RecoveryProfileNotImplementedError}.
+ */
+type RecoveryEnrollment = {
+    readonly profile: 'paper';
+    /** Number of single-use codes to print at enrollment. */
+    readonly codes: number;
+} | {
+    readonly profile: 'shamir';
+    readonly k: number;
+    readonly n: number;
+    readonly trustees: ReadonlyArray<string>;
+} | {
+    readonly profile: 'multi-channel';
+    readonly email?: string;
+    readonly pin?: boolean;
+    readonly paperCodes?: number;
+} | {
+    readonly profile: 'admin-mediated';
+    readonly grantorUserId: string;
+};
+/**
+ * One tier-2 authenticator slot inside a keyring file. Each slot
+ * independently wraps the SAME KEK under a method-specific derived key
+ * (LUKS pattern). Adding or removing a slot is a constant-time keyring
+ * write — no DEK re-keying required.
+ *
+ * @see docs/subsystems/session-tiers.md → Tier 2 — Authenticate (multi-slot)
+ */
+interface KeyringAuthenticator {
+    /** Caller-chosen identifier — e.g. `'webauthn-yubikey-blue'`, `'oidc-google'`, `'password-daily'`. */
+    readonly id: string;
+    /** Method family — selects which `@noy-db/on-*` package handles unlock. */
+    readonly method: 'webauthn' | 'oidc' | 'password';
+    /** ISO-8601 timestamp at which the slot was added. */
+    readonly enrolled_at: string;
+    /**
+     * Which session tier ENROLLED this slot. Tier 1 enrolls a fresh slot;
+     * tier 2 may add a sibling slot when the active policy permits.
+     */
+    readonly enrolled_via_tier: 1 | 2;
+    /** Base64 wrapped-KEK ciphertext under the method-derived key. */
+    readonly wrapped_kek: string;
+    /**
+     * Method-specific metadata: WebAuthn cred id, OIDC issuer/sub, PBKDF2
+     * salt for `on-password`, etc. The schema is open by design — the
+     * `@noy-db/on-*` package owns the contents.
+     */
+    readonly meta: Record<string, unknown>;
+}
 interface KeyringFile {
     readonly _noydb_keyring: typeof NOYDB_KEYRING_VERSION;
     readonly user_id: string;
@@ -6458,6 +7619,23 @@ interface KeyringFile {
     readonly salt: string;
     readonly created_at: string;
     readonly granted_by: string;
+    /**
+     * Tier-2 authenticator slots (multi-slot keyring extension).
+     * Optional / append-only: keyring files written before the
+     * extension load with an empty list. Each slot independently wraps
+     * the same KEK; any one of them unlocks.
+     *
+     * @see KeyringAuthenticator
+     */
+    readonly authenticators?: readonly KeyringAuthenticator[];
+    /**
+     * Per-keyring policy override (reserved). The on-disk format
+     * accepts the field for forward compatibility with the Option C
+     * merge engine deferred to a later release; v1.0 reads only the
+     * vault-level `_meta/policy` document, so this field is parsed and
+     * round-tripped but never enforced.
+     */
+    readonly policy?: VaultPolicyOnDisk;
     /**
      * Optional — authorization spec capability bits. Absent on keyrings written
      * before the RFC implementation. Loading falls back to role-based
@@ -6812,6 +7990,29 @@ interface GrantOptions {
      * is grantable until positively listed; bundle import is denied.
      */
     readonly importCapability?: ImportCapability;
+    /**
+     * Skip phrase-format strength validation (issue #7). Defaults to
+     * false — `grant()` rejects phrases that don't meet the configured
+     * `PassphrasePolicy`. Test fixtures and CLI scripts pass `true`.
+     */
+    readonly allowWeakPassphrase?: boolean;
+    /**
+     * Initial user-envelope payload for the new principal. Sealed under
+     * the same vault DEK (the reserved `_users` collection's DEK) and
+     * persisted alongside the keyring during grant.
+     *
+     * **Bootstrap-only.** Once the new user activates and writes their
+     * own envelope, the own-only write rule kicks in — admins cannot
+     * edit a teammate's envelope after activation. Use this field for
+     * pre-fill at invite time (e.g. "displayName: Bob, locale: en-US")
+     * and let the user take over from there.
+     *
+     * Hub does not introspect the payload; it is JSON-serialized and
+     * encrypted opaquely. Apps own the schema.
+     *
+     * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md → Lifecycle
+     */
+    readonly initialProfile?: unknown;
 }
 interface RevokeOptions {
     readonly userId: string;
@@ -7460,8 +8661,75 @@ interface NoydbOptions {
      * legacy `sessionTimeout` field.
      */
     readonly sessionPolicy?: SessionPolicy;
-    /** Validate passphrase strength on creation. Default: true. */
+    /**
+     * Validate passphrase strength against the phrase format
+     * (`@noy-db/hub` issue #7) on first-time keyring creation. When
+     * `true`, weak phrases throw {@link WeakPassphraseError} from
+     * `createNoydb()` / `db.rotatePassphrase()`. Default: `false` for
+     * back-compat in v0.1.x; planned to flip to `true` at v1.0.
+     */
     readonly validatePassphrase?: boolean;
+    /**
+     * Vault-level policy gate document (issue #9). When present, the hub
+     * persists the merged policy at `_meta/policy` on first-time vault
+     * creation and gates sensitive operations (`db.rotatePassphrase`,
+     * `db.export*`, …) against it. Omitted ⇒ the engine uses
+     * {@link PERSONAL_POLICY}. Use {@link STRICT_POLICY} for regulated
+     * deployments.
+     *
+     * The on-disk document is the source of truth — the policy field
+     * is only honored at vault creation; subsequent runs read from
+     * `_meta/policy`. Use `db.updatePolicy()` to change it deliberately.
+     *
+     * Imported from `@noy-db/hub` as a type-only reference; the runtime
+     * import lives in `policy/index.ts`.
+     */
+    readonly policy?: VaultPolicy;
+    /**
+     * Mandatory recovery profile enrollment (issue #10). Vaults with
+     * `recover-passphrase` enabled MUST register at least one profile
+     * before being production-ready, otherwise `createNoydb()` throws
+     * {@link RecoveryNotEnrolledError}. Set
+     * `policy.gates['recover-passphrase'].enabled = false` to
+     * deliberately opt out of recovery (passphrase loss = data loss).
+     *
+     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end. Other
+     * profiles ship the API shape and throw
+     * {@link RecoveryProfileNotImplementedError} during use.
+     */
+    readonly recovery?: ReadonlyArray<RecoveryEnrollment>;
+    /**
+     * When `true`, `createNoydb` rejects vaults with no recovery
+     * entries persisted (per the spec's mandatory-enrollment
+     * requirement). Default `false` for v0.1.x back-compat; planned to
+     * flip to `true` at v1.0. Apps in regulated environments should
+     * turn this on now.
+     */
+    readonly requireRecovery?: boolean;
+    /**
+     * What to do when `openVault` finds an existing keyring in the store that
+     * cannot be decrypted with the supplied credentials (`InvalidKeyError`).
+     *
+     * - `'error'` (default) — propagate the error. The app must prompt the user
+     *   to supply the correct credentials or clear both the data and auth stores.
+     * - `'reset'` — delete the stale keyring and re-initialise the vault from
+     *   scratch using the current credentials. Use this when the data store can
+     *   become detached from the auth store (e.g. the user cleared the IndexedDB
+     *   data records but not the keyring row, or a WebAuthn credential was rotated).
+     *   **All previously encrypted data is unrecoverable after a reset.**
+     *
+     * Only applies to the passphrase (`secret`) path. When `getKeyring` is used,
+     * the callback is responsible for handling stale-keyring detection itself.
+     */
+    readonly onInvalidKey?: 'error' | 'reset';
+    /**
+     * Enable the public envelope subsystem (`docs/subsystems/public-envelope.md`).
+     * Pass `true` for the default schema (every standard field, 256 KB
+     * icon cap, 200-char text cap), or a `PublicEnvelopeSchema` to
+     * narrow what the owner can set. Off by default — vaults written
+     * by hubs without this option carry no envelope, full stop.
+     */
+    readonly publicEnvelope?: true | PublicEnvelopeSchema;
     /** Audit history configuration. */
     readonly history?: HistoryConfig;
     /**
@@ -7562,4 +8830,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type Conflict as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, Vault as aR, type AccessibleVault as aS, BUNDLE_STORE_POLICY as aT, type BundleRecipient as aU, type CacheOptions as aV, type CacheStats as aW, type ChangeEvent as aX, Collection as aY, type CollectionChangeEvent as aZ, type CollectionConflictResolver as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type SessionPolicy as b$, type ConflictPolicy as b0, type ConflictStrategy as b1, type CrossTierAccessEvent as b2, DELEGATIONS_COLLECTION as b3, type DelegationToken as b4, type DeleteManyResult as b5, type DirtyEntry as b6, ELEVATION_AUDIT_COLLECTION as b7, ElevatedHandle as b8, type ExportCapability as b9, NOYDB_KEYRING_VERSION as bA, NOYDB_SYNC_VERSION as bB, Noydb as bC, type NoydbBundleStore as bD, type NoydbEventMap as bE, type NoydbOptions as bF, type Permission as bG, type Permissions as bH, type PlaintextTranslatorContext as bI, type PlaintextTranslatorFn as bJ, PresenceHandle as bK, type PresencePeer as bL, type PullMode as bM, type PullOptions as bN, type PullPolicy as bO, type PullResult as bP, type PushMode as bQ, type PushOptions as bR, type PushPolicy as bS, type PushResult as bT, type PutManyItemOptions as bU, type PutManyOptions as bV, type PutManyResult as bW, type QueryAcrossOptions as bX, type QueryAcrossResult as bY, type ReAuthOperation as bZ, type RevokeOptions as b_, type ExportChunk as ba, type ExportFormat as bb, type ExportStreamOptions as bc, type GhostRecord as bd, type GrantOptions as be, type HistoryConfig as bf, type HistoryEntry as bg, INDEXED_STORE_POLICY as bh, type ImportCapability as bi, type InferOutput as bj, type IssueDelegationOptions as bk, type IssueMagicLinkGrantOptions as bl, type KeyringFile as bm, type ListAccessibleVaultsOptions as bn, type ListPageResult as bo, type LocaleReadOptions as bp, Lru as bq, type LruOptions as br, type LruStats as bs, MAGIC_LINK_CONTENT_INFO_PREFIX as bt, MAGIC_LINK_GRANTS_COLLECTION as bu, MAGIC_LINK_KEK_INFO_PREFIX as bv, type MagicLinkGrantPayload as bw, type MagicLinkGrantRecord as bx, NOYDB_BACKUP_VERSION as by, NOYDB_FORMAT_VERSION as bz, DictionaryHandle as c, type StandardSchemaV1 as c0, type StandardSchemaV1Issue as c1, type StandardSchemaV1SyncResult as c2, type StoreAuth as c3, type StoreAuthKind as c4, type StoreCapabilities as c5, SyncEngine as c6, type SyncMetadata as c7, type SyncPolicy as c8, SyncScheduler as c9, revokeDelegation as cA, revokeMagicLinkGrant as cB, unwrapMagicLinkGrant as cC, validateSchemaInput as cD, validateSchemaOutput as cE, writeMagicLinkGrant as cF, type SyncSchedulerStatus as ca, type SyncStatus as cb, type SyncTarget as cc, type SyncTargetRole as cd, SyncTransaction as ce, type SyncTransactionResult as cf, type TierMode as cg, type TranslatorAuditEntry as ch, type TxOp as ci, type UserInfo as cj, type VaultBackup as ck, type VaultSnapshot as cl, buildRecipientKeyringFile as cm, createNoydb as cn, createStore as co, deriveMagicLinkContentKey as cp, evaluateExportCapability as cq, evaluateImportCapability as cr, hasExportCapability as cs, hasImportCapability as ct, isMagicLinkGrantExpired as cu, issueDelegation as cv, listMagicLinkGrants as cw, loadActiveDelegations as cx, magicLinkGrantRecordId as cy, readMagicLinkGrantRecord as cz, type DictionaryOptions as d, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permissions as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringFile as bA, type ListAccessibleVaultsOptions as bB, type ListPageResult as bC, type LiveUserEnvelope as bD, type LocaleReadOptions as bE, Lru as bF, type LruOptions as bG, type LruStats as bH, MAGIC_LINK_CONTENT_INFO_PREFIX as bI, MAGIC_LINK_GRANTS_COLLECTION as bJ, MAGIC_LINK_KEK_INFO_PREFIX as bK, type MagicLinkGrantPayload as bL, type MagicLinkGrantRecord as bM, NOYDB_BACKUP_VERSION as bN, NOYDB_FORMAT_VERSION as bO, NOYDB_KEYRING_VERSION as bP, NOYDB_SYNC_VERSION as bQ, Noydb as bR, type NoydbBundleStore as bS, type NoydbEventMap as bT, type NoydbOptions as bU, PUBLIC_ENVELOPE_FIELDS as bV, type PaperRecoveryDoc as bW, type PaperRecoveryEntry as bX, type PassphrasePolicy as bY, type PassphraseValidationResult as bZ, type Permission as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DelegationToken as be, type DeleteManyResult as bf, type DirtyEntry as bg, ELEVATION_AUDIT_COLLECTION as bh, ElevatedHandle as bi, type EnrollAuthenticatorOptions as bj, type ExportCapability as bk, type ExportChunk as bl, type ExportFormat as bm, type ExportStreamOptions as bn, type FactorKind as bo, type FactorRequirement as bp, type GhostRecord as bq, type GrantOptions as br, type HistoryConfig as bs, type HistoryEntry as bt, INDEXED_STORE_POLICY as bu, type ImportCapability as bv, type InferOutput as bw, type IssueDelegationOptions as bx, type IssueMagicLinkGrantOptions as by, type KeyringAuthenticator as bz, DictionaryHandle as c, assertStrongPassphrase as c$, type PlaintextTranslatorContext as c0, type PlaintextTranslatorFn as c1, PresenceHandle as c2, type PresencePeer as c3, type PublicEnvelopeField as c4, type PublicEnvelopeSchema as c5, type PublicEnvelopeText as c6, type PullMode as c7, type PullOptions as c8, type PullPolicy as c9, SyncEngine as cA, type SyncMetadata as cB, type SyncPolicy as cC, SyncScheduler as cD, type SyncSchedulerStatus as cE, type SyncStatus as cF, type SyncTarget as cG, type SyncTargetRole as cH, SyncTransaction as cI, type SyncTransactionResult as cJ, type TierMode as cK, type TranslatorAuditEntry as cL, type TxOp as cM, USER_ENVELOPE_COLLECTION as cN, USER_ENVELOPE_MAX_BYTES as cO, type Unsubscribe as cP, UserApi as cQ, type UserEnvelopeCheckGate as cR, UserEnvelopeOversizedError as cS, type UserEnvelopePresented as cT, type UserInfo as cU, type VaultBackup as cV, type VaultPolicyOnDisk as cW, type VaultSnapshot as cX, type WarningRules as cY, WeakPassphraseError as cZ, type WeakPassphraseReason as c_, type PullResult as ca, type PushMode as cb, type PushOptions as cc, type PushPolicy as cd, type PushResult as ce, type PutManyItemOptions as cf, type PutManyOptions as cg, type PutManyResult as ch, type QueryAcrossOptions as ci, type QueryAcrossResult as cj, type QuickUnlockState as ck, QuickUnlockStore as cl, type ReAuthOperation as cm, type RecoverPassphraseInput as cn, type RecoveryProof as co, type ResolvedPublicEnvelopeSchema as cp, type RevokeOptions as cq, type RotatePassphraseInput as cr, type SessionPolicy as cs, type SetPublicEnvelopeInput as ct, type StandardSchemaV1 as cu, type StandardSchemaV1Issue as cv, type StandardSchemaV1SyncResult as cw, type StoreAuth as cx, type StoreAuthKind as cy, type StoreCapabilities as cz, type DictionaryOptions as d, buildRecipientKeyringFile as d0, burnPaperRecoveryEntry as d1, createNoydb as d2, createStore as d3, deriveMagicLinkContentKey as d4, enrollAuthenticator as d5, estimateEntropy as d6, evaluateExportCapability as d7, evaluateImportCapability as d8, findAuthenticator as d9, writeMagicLinkGrant as dA, hasExportCapability as da, hasImportCapability as db, hasRecoveryEnrolled as dc, isMagicLinkGrantExpired as dd, isPublicEnvelope as de, issueDelegation as df, recoverPassphrase as dg, rotatePassphrase as dh, listMagicLinkGrants as di, listUsers as dj, listUsersWithEnvelopes as dk, loadActiveDelegations as dl, loadPaperRecoveryEntries as dm, magicLinkGrantRecordId as dn, readMagicLinkGrantRecord as dp, removeAuthenticator as dq, resolveSchema as dr, revokeDelegation as ds, revokeMagicLinkGrant as dt, savePaperRecoveryEntries as du, unwrapMagicLinkGrant as dv, validatePassphrase as dw, validatePublicEnvelopeInput as dx, validateSchemaInput as dy, validateSchemaOutput as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };