@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/index.d.cts

@@ -1,17 +1,22 @@
-import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-Bnb82f5R.cjs';
-export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DeepPartialOrNull, bf as DelegationToken, bg as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bh as DirtyEntry, bi as ELEVATION_AUDIT_COLLECTION, bj as ElevatedHandle, av as EncryptedEnvelope, bk as EnrollAuthenticatorOptions, bl as ExportCapability, bm as ExportChunk, bn as ExportFormat, bo as ExportStreamOptions, bp as FactorKind, bq as FactorRequirement, br as GhostRecord, bs as GrantOptions, bt as HistoryConfig, bu as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bv as INDEXED_STORE_POLICY, bw as ImportCapability, bx as InferOutput, by as IssueDelegationOptions, bz as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bA as KeyringAuthenticator, bB as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bC as ListAccessibleVaultsOptions, bD as ListPageResult, bE as LiveUserEnvelope, bF as LocaleReadOptions, bG as Lru, bH as LruOptions, bI as LruStats, bJ as MAGIC_LINK_CONTENT_INFO_PREFIX, bK as MAGIC_LINK_GRANTS_COLLECTION, bL as MAGIC_LINK_KEK_INFO_PREFIX, bM as MagicLinkGrantPayload, bN as MagicLinkGrantRecord, bO as NOYDB_BACKUP_VERSION, bP as NOYDB_FORMAT_VERSION, bQ as NOYDB_KEYRING_VERSION, bR as NOYDB_SYNC_VERSION, bS as Noydb, bT as NoydbBundleStore, bU as NoydbEventMap, bV as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bW as PUBLIC_ENVELOPE_FIELDS, bX as PaperRecoveryDoc, bY as PaperRecoveryEntry, bZ as PassphrasePolicy, b_ as PassphraseValidationResult, aa as PeriodRecord, b$ as Permission, c0 as Permissions, c1 as PlaintextTranslatorContext, c2 as PlaintextTranslatorFn, P as PolicyEnforcer, c3 as PresenceHandle, c4 as PresencePeer, aw as PruneOptions, c5 as PublicEnvelopeField, c6 as PublicEnvelopeSchema, c7 as PublicEnvelopeText, c8 as PullMode, c9 as PullOptions, ca as PullPolicy, cb as PullResult, cc as PushMode, cd as PushOptions, ce as PushPolicy, cf as PushResult, cg as PutManyItemOptions, ch as PutManyOptions, ci as PutManyResult, cj as QueryAcrossOptions, ck as QueryAcrossResult, cl as QuickUnlockState, cm as QuickUnlockStore, cn as ReAuthOperation, co as RecoverPassphraseInput, cp as RecoverPassphraseResult, cq as RecoverUserOptions, cr as RecoveryProof, cs as ResolvedPublicEnvelopeSchema, ct as RevokeOptions, aq as Role, cu as RotatePassphraseInput, cv as SessionPolicy, cw as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cx as SlotRewrapCeremony, cy as SlotRewrapContext, cz as StandardSchemaV1, cA as StandardSchemaV1Issue, cB as StandardSchemaV1SyncResult, cC as StoreAuth, cD as StoreAuthKind, cE as StoreCapabilities, cF as SyncEngine, cG as SyncMetadata, cH as SyncPolicy, cI as SyncScheduler, cJ as SyncSchedulerStatus, cK as SyncStatus, cL as SyncTarget, cM as SyncTargetRole, cN as SyncTransaction, cO as SyncTransactionResult, cP as TierMode, cQ as TranslatorAuditEntry, al as TxCollection, am as TxContext, cR as TxOp, an as TxVault, cS as USER_ENVELOPE_COLLECTION, cT as USER_ENVELOPE_MAX_BYTES, cU as Unsubscribe, cV as UpdateAuthenticatorOptions, cW as UpdateUserOptions, cX as UserApi, cY as UserEnvelopeCheckGate, cZ as UserEnvelopeOversizedError, c_ as UserEnvelopePresented, c$ as UserInfo, d0 as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, d1 as VaultPolicyOnDisk, d2 as VaultSnapshot, aH as VerifyResult, W as VersionRecord, d3 as WarningRules, d4 as WeakPassphraseError, d5 as WeakPassphraseReason, d6 as WrappedDeksBlob, g as applyI18nLocale, aI as applyPatch, d7 as assertStrongPassphrase, d8 as buildRecipientKeyringFile, d9 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, da as createNoydb, db as createStore, dc as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, dd as enrollAuthenticator, de as estimateEntropy, df as evaluateExportCapability, dg as evaluateImportCapability, dh as findAuthenticator, aM as formatDiff, di as hasExportCapability, dj as hasImportCapability, dk as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dl as isMagicLinkGrantExpired, dm as isPublicEnvelope, dn as issueDelegation, dp as keyringRecoverPassphrase, dq as keyringRotatePassphrase, dr as listMagicLinkGrants, ds as listUsers, dt as listUsersWithEnvelopes, du as loadActiveDelegations, dv as loadPaperRecoveryEntries, dw as magicLinkGrantRecordId, dx as mintPaperRecoveryEntry, dy as mintWrappedDeksBlob, aO as paddedIndex, aP as parseIndex, dz as readMagicLinkGrantRecord, dA as recoverUser, dB as removeAuthenticator, r as resolveI18nText, dC as resolvePublicEnvelopeSchema, dD as revokeDelegation, dE as revokeMagicLinkGrant, ao as runTransaction, dF as savePaperRecoveryEntries, aQ as sha256Hex, dG as unwrapDeksFromBlob, dH as unwrapDeksFromPaperEntry, dI as unwrapMagicLinkGrant, v as validateI18nTextValue, dJ as validatePassphrase, dK as validatePublicEnvelopeInput, dL as validateSchemaInput, dM as validateSchemaOutput, o as validateSessionPolicy, dN as writeMagicLinkGrant } from './types-Bnb82f5R.cjs';
+import { aO as NoydbStore, bo as UserEnvelope, ba as PublicEnvelope, bp as GateName, bq as GatePolicy, br as VaultPolicy, bs as ActiveTier, bt as FactorProof, bu as PersistedSchemaEnvelope, bv as DirectoryConfig, bw as UserVisibility, aM as UnlockedKeyring, bf as Vault, aV as DiffEntry } from './types-DJG8HG6F.cjs';
+export { bx as AccessibleVault, aS as AppendInput, ay as ArrayOutputSpec, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, by as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, bz as BuiltInGateName, bc as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, bA as CacheOptions, bB as CacheStats, bC as ChangeEvent, aT as ChangeType, a7 as ClosePeriodOptions, aH as Collection, bD as CollectionChangeEvent, bE as CollectionConflictResolver, bF as CollectionDescriptor, ao as CollectionFrame, aU as CollectionInstant, bG as CollectionStats, bH as Conflict, bI as ConflictPolicy, bJ as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, bK as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bL as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bM as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bN as DeepPartial, bO as DeepPartialOrNull, bP as DelegationToken, bQ as DeleteManyResult, bR as DerivationDescriptor, aw as DerivationStrategy, aA as DerivationStrategyHandle, aB as DerivedFromMeta, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bS as DirtyEntry, bT as DumpSchemaOptions, bU as ELEVATION_AUDIT_COLLECTION, bV as ElevatedHandle, aQ as EncryptedEnvelope, bW as EnrollAuthenticatorOptions, bX as EnrollAuthenticatorWrappingDEKsOptions, bY as EnrollAuthenticatorWrappingKEKOptions, bZ as EnrollRecoveryResult, b_ as ExportCapability, b$ as ExportChunk, c0 as ExportFormat, c1 as ExportStreamOptions, c2 as FactorKind, c3 as FactorProofBundle, c4 as FactorRequirement, c5 as FieldDescriptor, c6 as FieldSource, c7 as GhostRecord, c8 as GrantOptions, ai as GuardChange, aj as GuardContext, ah as GuardStrategy, al as GuardStrategyHandle, c9 as HistoryConfig, ca as HistoryEntry, aP as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, cb as INDEXED_STORE_POLICY, cc as ImportCapability, cd as InferOutput, ce as InternalCollectionStats, cf as IssueDelegationOptions, cg as IssueMagicLinkGrantOptions, aW as JsonPatch, aX as JsonPatchOp, ch as KeyringAuthenticator, ci as KeyringAuthenticatorWrappingDEKs, cj as KeyringAuthenticatorWrappingKEK, ck as KeyringFile, aY as LedgerEntry, aZ as LedgerStore, cl as ListAccessibleVaultsOptions, cm as ListPageResult, cn as ListUsersOptions, co as LiveUserEnvelope, cp as LocaleReadOptions, cq as Lru, cr as LruOptions, cs as LruStats, ct as MAGIC_LINK_CONTENT_INFO_PREFIX, cu as MAGIC_LINK_GRANTS_COLLECTION, cv as MAGIC_LINK_KEK_INFO_PREFIX, cw as MagicLinkGrantPayload, cx as MagicLinkGrantRecord, bl as MaterializedFromMeta, cy as MaterializedViewDescriptor, bm as MaterializedViewOutput, aE as MaterializedViewStrategy, aF as MaterializedViewStrategyHandle, cz as MemoryRecipientSealer, cA as MemorySealingKeyProvider, cB as NOYDB_BACKUP_VERSION, cC as NOYDB_FORMAT_VERSION, cD as NOYDB_KEYRING_VERSION, cE as NOYDB_SYNC_VERSION, cF as Noydb, cG as NoydbBundleStore, cH as NoydbEventMap, cI as NoydbOptions, a8 as OpenPeriodOptions, aC as OutputSpec, cJ as OverlayViewDescriptor, aG as OverlayedViewStrategy, aJ as OverlayedViewStrategyHandle, a9 as PERIODS_COLLECTION, cK as PUBLIC_ENVELOPE_FIELDS, cL as PaperRecoveryDoc, cM as PaperRecoveryEntry, cN as PassphrasePolicy, cO as PassphraseValidationResult, aa as PeriodRecord, cP as Permission, cQ as Permissions, cR as PersistedSchemaKind, cS as PlaintextTranslatorContext, cT as PlaintextTranslatorFn, P as PolicyEnforcer, cU as PresenceHandle, cV as PresencePeer, aR as PruneOptions, cW as PublicEnvelopeField, cX as PublicEnvelopeSchema, cY as PublicEnvelopeText, cZ as PullMode, c_ as PullOptions, c$ as PullPolicy, d0 as PullResult, d1 as PushMode, d2 as PushOptions, d3 as PushPolicy, d4 as PushResult, d5 as PutManyItemOptions, d6 as PutManyOptions, d7 as PutManyResult, d8 as QueryAcrossOptions, d9 as QueryAcrossResult, da as QuickUnlockState, db as QuickUnlockStore, dc as ReAuthOperation, be as RecipientHint, bd as RecipientSealer, aD as RecordOutputSpec, dd as RecoverPassphraseInput, de as RecoverPassphraseResult, df as RecoverUserOptions, dg as RecoveryProof, dh as ResolvedPublicEnvelopeSchema, di as RevokeOptions, aL as Role, dj as RotatePassphraseInput, dk as RotateRecoveryOptions, dl as RotateRecoveryResult, dm as SEALED_PASSPHRASE_RECORD_ID, dn as SealedEnvelope, dp as SealedPassphrase, bb as SealingKeyProvider, dq as SessionPolicy, dr as SetPublicEnvelopeInput, ds as ShamirRecoveryDoc, dt as ShamirRecoveryEntry, bh as ShamirRecoveryProvider, U as SlotInfo, V as SlotRecord, du as SlotRewrapCeremony, dv as SlotRewrapContext, dw as StandardSchemaV1, dx as StandardSchemaV1Issue, dy as StandardSchemaV1SyncResult, dz as StoreAuth, dA as StoreAuthKind, dB as StoreCapabilities, dC as SyncEngine, dD as SyncMetadata, dE as SyncPolicy, dF as SyncScheduler, dG as SyncSchedulerStatus, dH as SyncStatus, dI as SyncTarget, dJ as SyncTargetRole, dK as SyncTransaction, dL as SyncTransactionResult, dM as TierMode, dN as TranslatorAuditEntry, as as TxCollection, at as TxContext, dO as TxOp, au as TxVault, dP as USER_ENVELOPE_COLLECTION, dQ as USER_ENVELOPE_MAX_BYTES, bn as UnionSource, dR as Unsubscribe, dS as UpdateAuthenticatorOptions, dT as UpdateUserOptions, dU as UserApi, dV as UserEnvelopeCheckGate, dW as UserEnvelopeOversizedError, dX as UserEnvelopePresented, dY as UserInfo, dZ as VaultBackup, a_ as VaultEngine, ap as VaultFrame, a$ as VaultInstant, d_ as VaultPolicyOnDisk, d$ as VaultSchemaSnapshot, e0 as VaultSnapshot, b0 as VerifyResult, W as VersionRecord, e1 as WarningRules, e2 as WeakPassphraseError, e3 as WeakPassphraseReason, e4 as WrappedDeksBlob, g as applyI18nLocale, b1 as applyPatch, e5 as assertStrongPassphrase, e6 as buildRecipientKeyringFile, e7 as burnPaperRecoveryEntry, b2 as canonicalJson, b3 as computePatch, n as createEnforcer, e8 as createNoydb, e9 as createStore, ea as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, b4 as diff, eb as enrollAuthenticator, ec as estimateEntropy, ed as evaluateExportCapability, ee as evaluateImportCapability, ef as findAuthenticator, b5 as formatDiff, eg as hasExportCapability, eh as hasImportCapability, ei as hasRecoveryEnrolled, b6 as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, ej as isMagicLinkGrantExpired, ek as isPublicEnvelope, el as issueDelegation, em as keyringRecoverPassphrase, en as keyringRotatePassphrase, eo as listMagicLinkGrants, ep as listUsers, eq as listUsersWithEnvelopes, er as loadActiveDelegations, es as loadPaperRecoveryEntries, et as loadSealedPassphrase, eu as loadShamirRecoveryEntries, ev as magicLinkGrantRecordId, ew as mintPaperRecoveryEntry, ex as mintShamirRecoveryEntry, ey as mintWrappedDeksBlob, b7 as paddedIndex, b8 as parseIndex, ez as parseSealedEnvelope, eA as readMagicLinkGrantRecord, eB as recoverUser, eC as removeAuthenticator, r as resolveI18nText, eD as resolvePublicEnvelopeSchema, eE as revokeDelegation, eF as revokeMagicLinkGrant, av as runTransaction, eG as savePaperRecoveryEntries, eH as saveSealedPassphrase, eI as saveShamirRecoveryEntries, b9 as sha256Hex, eJ as unwrapDeksFromBlob, eK as unwrapDeksFromPaperEntry, eL as unwrapDeksFromShamirEntry, eM as unwrapMagicLinkGrant, v as validateI18nTextValue, eN as validatePassphrase, eO as validatePublicEnvelopeInput, eP as validateSchemaInput, eQ as validateSchemaOutput, o as validateSessionPolicy, eR as writeMagicLinkGrant } from './types-DJG8HG6F.cjs';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.cjs';
 export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.cjs';
-import { N as NoydbError } from './index-6xNpPsxR.cjs';
-export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, t as NetworkError, u as NoAccessError, v as NotFoundError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-6xNpPsxR.cjs';
-export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-CywCC1qZ.cjs';
+import { N as NoydbError } from './index-BMjrzNZr.cjs';
+export { x as AlreadyElevatedError, A as AmendmentForbiddenError, m as AttestationError, B as BackupCorruptedError, o as BackupLedgerError, p as BundleIntegrityError, q as BundleSealMismatchError, r as BundleVersionConflictError, C as ConflictError, y as DEFAULT_JOIN_MAX_ROWS, z as DanglingReferenceError, E as DecryptionError, G as DelegationTargetMissingError, e as DerivationCapExceededError, f as DerivationCycleError, g as DerivationDepthError, h as DerivationOutputShapeError, i as DerivationOutputUnknownError, D as DictKeyInUseError, a as DictKeyMissingError, H as DirectoryDisabledError, J as ElevationExpiredError, K as ExportCapabilityError, F as FieldFrozenError, U as FilenameSanitizationError, V as GroupCardinalityError, W as ImportCapabilityError, X as IndexRequiredError, Y as IndexWriteFailureError, Z as InvalidKeyError, I as InvariantError, _ as JoinContext, $ as JoinLeg, a0 as JoinStrategy, a1 as JoinTooLargeError, a2 as JoinableSource, a3 as KeyringCorruptError, a4 as KeyringExpiredError, a5 as LedgerContentionError, a6 as LiveQuery, a7 as LiveUpstream, L as LocaleNotSpecifiedError, t as MaterializedViewConfigError, u as MaterializedViewCycleError, v as MaterializedViewSourceUnknownError, w as MaterializedViewTooLargeError, M as MissingTranslationError, a8 as NetworkError, a9 as NoAccessError, aa as NotFoundError, ab as OrderBy, O as OverlayBaseIsVirtualError, j as OverlayCollectionUnavailableError, k as OverlayIdMismatchError, l as OverlayNameCollisionError, ac as PathEscapeError, ad as PeriodClosedError, ae as PermissionDeniedError, af as PrivilegeEscalationError, Q as Query, ag as QueryPlan, ah as QuerySource, ai as ReadOnlyAtInstantError, aj as ReadOnlyError, ak as ReadOnlyFrameError, d as RecordLockedError, al as RefDescriptor, am as RefIntegrityError, an as RefMode, ao as RefRegistry, ap as RefScopeError, aq as RefViolation, R as ReservedCollectionNameError, ar as ScanBuilder, as as ScanPageProvider, at as SchemaValidationError, S as SessionExpiredError, b as SessionNotFoundError, c as SessionPolicyError, au as StoreCapabilityError, av as TamperedError, aw as TierDemoteDeniedError, ax as TierNotGrantedError, T as TranslatorNotConfiguredError, ay as ValidationError, az as applyJoins, aA as buildLiveQuery, aB as executePlan, aC as ref, aD as resetJoinWarnings } from './index-BMjrzNZr.cjs';
+export { A as AutoCredential, n as AutoCredentialKind, c as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, j as generateULID, o as hasNoydbBundleMagic, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, p as readNoydbBundlePublicEnvelope, m as resetBrotliSupportCache, w as writeNoydbBundle } from './ulid-C7ms9oli.cjs';
 export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.cjs';
+export { w as withGuard } from './with-guard-DQme5DKE.cjs';
+export { w as withDerivation } from './with-derivation-BjQ7q4NE.cjs';
+export { w as withMaterializedView } from './with-materialized-view-BbEPFIIJ.cjs';
+export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-Dnu81tsS.cjs';
+export { w as withOverlayedView } from './with-overlayed-view-bwlmmFjx.cjs';
 export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.cjs';
-export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-Da1B0TIK.cjs';
-export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.cjs';
-export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.cjs';
-export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-BEfzPKwo.cjs';
-import './lazy-builder-CZVLKh0Z.cjs';
+export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-DQCNDfFp.cjs';
+export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedQueryN, i as GroupedRow, j as GroupedRowN, L as LiveAggregation, R as Reducer, k as ReducerOptions, l as avg, n as count, o as groupAndReduce, p as max, q as min, r as reduceRecords, t as sum } from './strategy-DSTrsZ8t.cjs';
+export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-jDowCrK2.cjs';
+import './lazy-builder-C-rPfWG0.cjs';
+import '@noy-db/attestation';
 
 /**
  * Persistence helpers for per-principal user envelopes stored at
@@ -164,13 +169,39 @@ declare class RecoveryNotEnrolledError extends NoydbError {
     constructor(message?: string);
 }
 /**
- * Raised by `db.recoverPassphrase` when the developer requests a
- * recovery profile other than `'paper'` in v0.1.0-pre.5. The other
- * three profiles (Shamir, multi-channel, admin-mediated) ship the API
- * shape now; their per-profile dispatch lands in follow-up issues.
+ * Raised by `openVault` when a managed-passphrase-mode vault has no
+ * STRONG recovery profile enrolled (#195).
+ *
+ * Managed mode means the user never types a passphrase — the unlock
+ * material lives in a `SealingKeyProvider` (`at-*` package). If that
+ * provider's key is lost AND no strong recovery is enrolled, the
+ * vault is irrecoverable. To prevent that footgun, managed-mode vaults
+ * require at least one strong recovery profile (Shamir today;
+ * multi-channel / admin-mediated when those ship).
+ *
+ * Paper recovery alone is NOT strong under managed mode: the user has
+ * no memorized passphrase to fall back on, so losing the paper sheet =
+ * losing every record permanently.
+ *
+ * Bootstrap with `db.openVaultAndEnrollRecovery(vault, { recovery: [{ profile: "shamir", k, n }] })`
+ * to atomically create-and-enroll, or call `db.enrollRecovery(vault, { profile: "shamir", ... })`
+ * separately before re-attempting `openVault`.
+ */
+declare class ManagedRecoveryNotEnrolledError extends NoydbError {
+    readonly vault: string;
+    constructor(vault: string);
+}
+/**
+ * Raised by `db.recoverPassphrase` / `db.enrollRecovery` /
+ * `db.rotateRecovery` when the developer requests a recovery profile
+ * not yet wired in this hub release.
+ *
+ * Implemented: `paper` (#10, pre.5) and `shamir` (#196 slice 1, pre.16).
+ * Pending: `multi-channel` and `admin-mediated` (tracked under #196
+ * follow-up slices).
  *
  * The carried `profile` and `tracking` fields let consumers steer the
- * UI ("Shamir recovery is not yet wired up — open issue #N to follow").
+ * UI ("multi-channel recovery is not yet wired up — open issue #N to follow").
  */
 declare class RecoveryProfileNotImplementedError extends NoydbError {
     readonly profile: string;
@@ -308,6 +339,89 @@ declare function loadVaultPolicy(store: NoydbStore, vault: string): Promise<Vaul
  */
 declare function saveVaultPolicy(store: NoydbStore, vault: string, policy: VaultPolicy): Promise<void>;
 
+/**
+ * Derive a {@link PersistedSchemaEnvelope} from a Standard Schema v1
+ * validator. v0 supports Zod via `zod-to-json-schema` (optional peer-dep);
+ * other families write a stub envelope flagging the kind.
+ *
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+ *
+ * @module
+ */
+
+/**
+ * Heuristic Zod detection — Zod schemas carry a `_def.typeName` property
+ * starting with `Zod` (e.g. `ZodObject`, `ZodString`). This survives Zod's
+ * minor-version bumps because the typeName naming is stable across v3.
+ */
+declare function isZodSchema(value: unknown): boolean;
+declare function derivePersistedSchema(validator: unknown): Promise<PersistedSchemaEnvelope>;
+
+/**
+ * Read / write the per-collection persisted-schema envelope. Mirrors the
+ * standard noy-db record envelope shape and is **AES-GCM encrypted with
+ * the collection's DEK** — the schema body (field names, enum values,
+ * constraints) is sensitive metadata, so it gets the same encryption
+ * envelope as the records it describes.
+ *
+ * Storage layout:
+ *
+ *   <vault>/_schemas/<collection>   →   EncryptedEnvelope
+ *
+ * The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}
+ * is the same key the collection uses for its records.
+ *
+ * @module
+ */
+
+/** Reserved collection name where persisted schemas live. */
+declare const SCHEMAS_COLLECTION: "_schemas";
+/**
+ * Read and decrypt the persisted-schema envelope for one collection.
+ * Returns `undefined` when no envelope has been written or when decryption
+ * fails (e.g. wrong DEK passed). Tolerates corrupted records — JSON parse
+ * failures surface as `undefined`, mirroring `_meta/handle`'s contract.
+ */
+declare function loadPersistedSchema(store: NoydbStore, vault: string, collection: string, dek: CryptoKey): Promise<PersistedSchemaEnvelope | undefined>;
+/**
+ * Encrypt and persist a schema envelope for one collection. Always
+ * overwrites any prior write (callers gate on hash equality before calling
+ * to avoid no-op writes).
+ */
+declare function savePersistedSchema(store: NoydbStore, vault: string, collection: string, dek: CryptoKey, payload: PersistedSchemaEnvelope): Promise<void>;
+
+/**
+ * Orchestrate the derive → hash → skip-or-write cycle for a collection's
+ * persisted JSON Schema. Called by the Vault at collection-registration
+ * time when the developer opts in via `collection({ persistJsonSchema:
+ * true })`.
+ *
+ * Skip semantics:
+ *
+ *   - Zod validators: skip when the new hash equals the stored hash.
+ *   - Non-Zod (stub envelopes have hash=null): skip when the stored
+ *     envelope's `kind` matches the freshly-detected kind (since there's
+ *     no body to compare yet — a kind change is the only signal).
+ *
+ * @module
+ */
+
+interface PersistSchemaResult {
+    /** True when a fresh envelope was written to storage. */
+    readonly written: boolean;
+    /** True when an existing envelope matched and the write was skipped. */
+    readonly skipped: boolean;
+    /** The envelope that was either written or matched. */
+    readonly envelope: PersistedSchemaEnvelope;
+}
+declare function persistSchemaIfNeeded(opts: {
+    readonly store: NoydbStore;
+    readonly vault: string;
+    readonly collectionName: string;
+    readonly validator: unknown;
+    readonly dek: CryptoKey;
+}): Promise<PersistSchemaResult>;
+
 /**
  * Authentication introspection — issue #13.
  *
@@ -353,6 +467,84 @@ declare function describeAllUsersAuth(store: NoydbStore, vault: string): Promise
     description: string;
 }>>;
 
+/**
+ * Persistence helpers for the vault-level user-directory toggle
+ * (`_meta/directory`). Mirrors the bypass-AES pattern used by
+ * `_meta/policy` — the directory document is plain JSON, the
+ * envelope's `_iv` field is left empty.
+ *
+ * @see docs/subsystems/user-envelope.md → Directory visibility
+ * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site
+ *
+ * @module
+ */
+
+/** Reserved id for the vault-level directory document. */
+declare const DIRECTORY_RECORD_ID = "directory";
+/**
+ * Read the directory toggle from `_meta/directory`. Returns `undefined`
+ * when no document has been persisted — callers treat that as the
+ * default-on case (`{ enabled: true }`).
+ *
+ * Tolerates corrupted documents the same way `_meta/policy` does: a
+ * JSON parse failure surfaces as `undefined`, not a thrown error, so a
+ * bad write never permanently breaks team enumeration.
+ */
+declare function readDirectoryConfig(store: NoydbStore, vault: string): Promise<DirectoryConfig | undefined>;
+/**
+ * Persist the directory toggle at `_meta/directory`. Idempotent — call
+ * on every `db.setDirectoryEnabled()` invocation. Owner-only at the
+ * caller site; this primitive does not check roles.
+ */
+declare function persistDirectoryConfig(store: NoydbStore, vault: string, config: DirectoryConfig): Promise<void>;
+
+/**
+ * Persistence helpers for the per-user visibility flag
+ * (`_meta/visibility/<keyringId>`). Mirrors the bypass-AES pattern used
+ * by `_meta/policy` — the visibility document is plain JSON, the
+ * envelope's `_iv` field is left empty.
+ *
+ * Stored alongside the keyring file rather than inside the encrypted
+ * user envelope (`_users/<keyringId>`) because:
+ *
+ *  - `UserEnvelope<T>.data` is opaque-to-hub by contract — hub does not
+ *    introspect or reserve any keys inside it. Adding `hidden` there
+ *    would violate that contract.
+ *  - `listUsersWithEnvelopes` filters by the flag, and the filter must
+ *    work even when decryption fails (legacy keyrings predating the
+ *    envelope feature, or a corrupted envelope).
+ *
+ * @see docs/subsystems/user-envelope.md → Directory visibility
+ * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site
+ *
+ * @module
+ */
+
+/** Prefix for per-user visibility records inside `_meta`. */
+declare const VISIBILITY_RECORD_PREFIX = "visibility/";
+/** Compose the `_meta` record id for a keyring's visibility doc. */
+declare function visibilityRecordId(keyringId: string): string;
+/**
+ * Read the visibility flag for `keyringId`. Returns `undefined` when no
+ * document has been persisted — callers treat that as the default-visible
+ * case (`{ hidden: false }`).
+ */
+declare function readUserVisibility(store: NoydbStore, vault: string, keyringId: string): Promise<UserVisibility | undefined>;
+/**
+ * Persist the visibility flag for `keyringId` at
+ * `_meta/visibility/<keyringId>`. Idempotent — call on every
+ * `vault.user.setMyVisibility()` invocation. Own-only at the caller
+ * site; this primitive does not enforce keyring ownership.
+ */
+declare function persistUserVisibility(store: NoydbStore, vault: string, keyringId: string, visibility: UserVisibility): Promise<void>;
+/**
+ * Delete the visibility flag for `keyringId`. Called from `revoke()`
+ * alongside `deleteUserEnvelope` so the sidecar does not leak to a
+ * re-granted principal with the same `userId`. Idempotent — the store's
+ * `delete()` is already a no-op when the record is absent.
+ */
+declare function deleteUserVisibility(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
+
 interface EncryptResult {
     iv: string;
     data: string;
@@ -562,4 +754,4 @@ type DiffCandidate<T = unknown> = Vault | Record<string, readonly T[]> | string;
  */
 declare function diffVault<T = unknown>(vault: Vault, candidate: DiffCandidate<T>, options?: DiffOptions): Promise<VaultDiff<T>>;
 
-export { ActiveTier, type CheckGateContext, DEFAULT_FRESHNESS_MS, type DiffCandidate, DiffEntry, type DiffOptions, FactorProof, GateName, GatePolicy, META_COLLECTION, NoydbError, NoydbStore, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, PolicyDeniedError, type PolicyDenyReason, PublicEnvelope, RecoveryNotEnrolledError, RecoveryProfileNotImplementedError, STRICT_POLICY, UnlockedKeyring, UserEnvelope, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, VaultPolicy, assertTierAccess, base64ToBuffer, bufferToBase64, checkGate, decryptBytes, decryptDeterministic, dekKey, deleteUserEnvelope, derivePresenceKey, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateRecordBytes, listUserEnvelopeIds, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, mergePolicy, parseBytes, readPublicEnvelope, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy };
+export { ActiveTier, type CheckGateContext, DEFAULT_FRESHNESS_MS, DIRECTORY_RECORD_ID, type DiffCandidate, DiffEntry, type DiffOptions, DirectoryConfig, FactorProof, GateName, GatePolicy, META_COLLECTION, ManagedRecoveryNotEnrolledError, NoydbError, NoydbStore, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, type PersistSchemaResult, PersistedSchemaEnvelope, PolicyDeniedError, type PolicyDenyReason, PublicEnvelope, RecoveryNotEnrolledError, RecoveryProfileNotImplementedError, SCHEMAS_COLLECTION, STRICT_POLICY, UnlockedKeyring, UserEnvelope, UserVisibility, VISIBILITY_RECORD_PREFIX, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, VaultPolicy, assertTierAccess, base64ToBuffer, bufferToBase64, checkGate, decryptBytes, decryptDeterministic, dekKey, deleteUserEnvelope, deleteUserVisibility, derivePersistedSchema, derivePresenceKey, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateRecordBytes, isZodSchema, listUserEnvelopeIds, loadPersistedSchema, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, mergePolicy, parseBytes, persistDirectoryConfig, persistSchemaIfNeeded, persistUserVisibility, readDirectoryConfig, readPublicEnvelope, readUserVisibility, savePersistedSchema, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy, visibilityRecordId };

package/dist/index.d.ts

@@ -1,17 +1,22 @@
-import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-Bo7NSXJr.js';
-export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DeepPartialOrNull, bf as DelegationToken, bg as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bh as DirtyEntry, bi as ELEVATION_AUDIT_COLLECTION, bj as ElevatedHandle, av as EncryptedEnvelope, bk as EnrollAuthenticatorOptions, bl as ExportCapability, bm as ExportChunk, bn as ExportFormat, bo as ExportStreamOptions, bp as FactorKind, bq as FactorRequirement, br as GhostRecord, bs as GrantOptions, bt as HistoryConfig, bu as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bv as INDEXED_STORE_POLICY, bw as ImportCapability, bx as InferOutput, by as IssueDelegationOptions, bz as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bA as KeyringAuthenticator, bB as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bC as ListAccessibleVaultsOptions, bD as ListPageResult, bE as LiveUserEnvelope, bF as LocaleReadOptions, bG as Lru, bH as LruOptions, bI as LruStats, bJ as MAGIC_LINK_CONTENT_INFO_PREFIX, bK as MAGIC_LINK_GRANTS_COLLECTION, bL as MAGIC_LINK_KEK_INFO_PREFIX, bM as MagicLinkGrantPayload, bN as MagicLinkGrantRecord, bO as NOYDB_BACKUP_VERSION, bP as NOYDB_FORMAT_VERSION, bQ as NOYDB_KEYRING_VERSION, bR as NOYDB_SYNC_VERSION, bS as Noydb, bT as NoydbBundleStore, bU as NoydbEventMap, bV as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bW as PUBLIC_ENVELOPE_FIELDS, bX as PaperRecoveryDoc, bY as PaperRecoveryEntry, bZ as PassphrasePolicy, b_ as PassphraseValidationResult, aa as PeriodRecord, b$ as Permission, c0 as Permissions, c1 as PlaintextTranslatorContext, c2 as PlaintextTranslatorFn, P as PolicyEnforcer, c3 as PresenceHandle, c4 as PresencePeer, aw as PruneOptions, c5 as PublicEnvelopeField, c6 as PublicEnvelopeSchema, c7 as PublicEnvelopeText, c8 as PullMode, c9 as PullOptions, ca as PullPolicy, cb as PullResult, cc as PushMode, cd as PushOptions, ce as PushPolicy, cf as PushResult, cg as PutManyItemOptions, ch as PutManyOptions, ci as PutManyResult, cj as QueryAcrossOptions, ck as QueryAcrossResult, cl as QuickUnlockState, cm as QuickUnlockStore, cn as ReAuthOperation, co as RecoverPassphraseInput, cp as RecoverPassphraseResult, cq as RecoverUserOptions, cr as RecoveryProof, cs as ResolvedPublicEnvelopeSchema, ct as RevokeOptions, aq as Role, cu as RotatePassphraseInput, cv as SessionPolicy, cw as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cx as SlotRewrapCeremony, cy as SlotRewrapContext, cz as StandardSchemaV1, cA as StandardSchemaV1Issue, cB as StandardSchemaV1SyncResult, cC as StoreAuth, cD as StoreAuthKind, cE as StoreCapabilities, cF as SyncEngine, cG as SyncMetadata, cH as SyncPolicy, cI as SyncScheduler, cJ as SyncSchedulerStatus, cK as SyncStatus, cL as SyncTarget, cM as SyncTargetRole, cN as SyncTransaction, cO as SyncTransactionResult, cP as TierMode, cQ as TranslatorAuditEntry, al as TxCollection, am as TxContext, cR as TxOp, an as TxVault, cS as USER_ENVELOPE_COLLECTION, cT as USER_ENVELOPE_MAX_BYTES, cU as Unsubscribe, cV as UpdateAuthenticatorOptions, cW as UpdateUserOptions, cX as UserApi, cY as UserEnvelopeCheckGate, cZ as UserEnvelopeOversizedError, c_ as UserEnvelopePresented, c$ as UserInfo, d0 as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, d1 as VaultPolicyOnDisk, d2 as VaultSnapshot, aH as VerifyResult, W as VersionRecord, d3 as WarningRules, d4 as WeakPassphraseError, d5 as WeakPassphraseReason, d6 as WrappedDeksBlob, g as applyI18nLocale, aI as applyPatch, d7 as assertStrongPassphrase, d8 as buildRecipientKeyringFile, d9 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, da as createNoydb, db as createStore, dc as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, dd as enrollAuthenticator, de as estimateEntropy, df as evaluateExportCapability, dg as evaluateImportCapability, dh as findAuthenticator, aM as formatDiff, di as hasExportCapability, dj as hasImportCapability, dk as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dl as isMagicLinkGrantExpired, dm as isPublicEnvelope, dn as issueDelegation, dp as keyringRecoverPassphrase, dq as keyringRotatePassphrase, dr as listMagicLinkGrants, ds as listUsers, dt as listUsersWithEnvelopes, du as loadActiveDelegations, dv as loadPaperRecoveryEntries, dw as magicLinkGrantRecordId, dx as mintPaperRecoveryEntry, dy as mintWrappedDeksBlob, aO as paddedIndex, aP as parseIndex, dz as readMagicLinkGrantRecord, dA as recoverUser, dB as removeAuthenticator, r as resolveI18nText, dC as resolvePublicEnvelopeSchema, dD as revokeDelegation, dE as revokeMagicLinkGrant, ao as runTransaction, dF as savePaperRecoveryEntries, aQ as sha256Hex, dG as unwrapDeksFromBlob, dH as unwrapDeksFromPaperEntry, dI as unwrapMagicLinkGrant, v as validateI18nTextValue, dJ as validatePassphrase, dK as validatePublicEnvelopeInput, dL as validateSchemaInput, dM as validateSchemaOutput, o as validateSessionPolicy, dN as writeMagicLinkGrant } from './types-Bo7NSXJr.js';
+import { aO as NoydbStore, bo as UserEnvelope, ba as PublicEnvelope, bp as GateName, bq as GatePolicy, br as VaultPolicy, bs as ActiveTier, bt as FactorProof, bu as PersistedSchemaEnvelope, bv as DirectoryConfig, bw as UserVisibility, aM as UnlockedKeyring, bf as Vault, aV as DiffEntry } from './types-BoFFiskX.js';
+export { bx as AccessibleVault, aS as AppendInput, ay as ArrayOutputSpec, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, by as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, bz as BuiltInGateName, bc as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, bA as CacheOptions, bB as CacheStats, bC as ChangeEvent, aT as ChangeType, a7 as ClosePeriodOptions, aH as Collection, bD as CollectionChangeEvent, bE as CollectionConflictResolver, bF as CollectionDescriptor, ao as CollectionFrame, aU as CollectionInstant, bG as CollectionStats, bH as Conflict, bI as ConflictPolicy, bJ as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, bK as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bL as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bM as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bN as DeepPartial, bO as DeepPartialOrNull, bP as DelegationToken, bQ as DeleteManyResult, bR as DerivationDescriptor, aw as DerivationStrategy, aA as DerivationStrategyHandle, aB as DerivedFromMeta, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bS as DirtyEntry, bT as DumpSchemaOptions, bU as ELEVATION_AUDIT_COLLECTION, bV as ElevatedHandle, aQ as EncryptedEnvelope, bW as EnrollAuthenticatorOptions, bX as EnrollAuthenticatorWrappingDEKsOptions, bY as EnrollAuthenticatorWrappingKEKOptions, bZ as EnrollRecoveryResult, b_ as ExportCapability, b$ as ExportChunk, c0 as ExportFormat, c1 as ExportStreamOptions, c2 as FactorKind, c3 as FactorProofBundle, c4 as FactorRequirement, c5 as FieldDescriptor, c6 as FieldSource, c7 as GhostRecord, c8 as GrantOptions, ai as GuardChange, aj as GuardContext, ah as GuardStrategy, al as GuardStrategyHandle, c9 as HistoryConfig, ca as HistoryEntry, aP as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, cb as INDEXED_STORE_POLICY, cc as ImportCapability, cd as InferOutput, ce as InternalCollectionStats, cf as IssueDelegationOptions, cg as IssueMagicLinkGrantOptions, aW as JsonPatch, aX as JsonPatchOp, ch as KeyringAuthenticator, ci as KeyringAuthenticatorWrappingDEKs, cj as KeyringAuthenticatorWrappingKEK, ck as KeyringFile, aY as LedgerEntry, aZ as LedgerStore, cl as ListAccessibleVaultsOptions, cm as ListPageResult, cn as ListUsersOptions, co as LiveUserEnvelope, cp as LocaleReadOptions, cq as Lru, cr as LruOptions, cs as LruStats, ct as MAGIC_LINK_CONTENT_INFO_PREFIX, cu as MAGIC_LINK_GRANTS_COLLECTION, cv as MAGIC_LINK_KEK_INFO_PREFIX, cw as MagicLinkGrantPayload, cx as MagicLinkGrantRecord, bl as MaterializedFromMeta, cy as MaterializedViewDescriptor, bm as MaterializedViewOutput, aE as MaterializedViewStrategy, aF as MaterializedViewStrategyHandle, cz as MemoryRecipientSealer, cA as MemorySealingKeyProvider, cB as NOYDB_BACKUP_VERSION, cC as NOYDB_FORMAT_VERSION, cD as NOYDB_KEYRING_VERSION, cE as NOYDB_SYNC_VERSION, cF as Noydb, cG as NoydbBundleStore, cH as NoydbEventMap, cI as NoydbOptions, a8 as OpenPeriodOptions, aC as OutputSpec, cJ as OverlayViewDescriptor, aG as OverlayedViewStrategy, aJ as OverlayedViewStrategyHandle, a9 as PERIODS_COLLECTION, cK as PUBLIC_ENVELOPE_FIELDS, cL as PaperRecoveryDoc, cM as PaperRecoveryEntry, cN as PassphrasePolicy, cO as PassphraseValidationResult, aa as PeriodRecord, cP as Permission, cQ as Permissions, cR as PersistedSchemaKind, cS as PlaintextTranslatorContext, cT as PlaintextTranslatorFn, P as PolicyEnforcer, cU as PresenceHandle, cV as PresencePeer, aR as PruneOptions, cW as PublicEnvelopeField, cX as PublicEnvelopeSchema, cY as PublicEnvelopeText, cZ as PullMode, c_ as PullOptions, c$ as PullPolicy, d0 as PullResult, d1 as PushMode, d2 as PushOptions, d3 as PushPolicy, d4 as PushResult, d5 as PutManyItemOptions, d6 as PutManyOptions, d7 as PutManyResult, d8 as QueryAcrossOptions, d9 as QueryAcrossResult, da as QuickUnlockState, db as QuickUnlockStore, dc as ReAuthOperation, be as RecipientHint, bd as RecipientSealer, aD as RecordOutputSpec, dd as RecoverPassphraseInput, de as RecoverPassphraseResult, df as RecoverUserOptions, dg as RecoveryProof, dh as ResolvedPublicEnvelopeSchema, di as RevokeOptions, aL as Role, dj as RotatePassphraseInput, dk as RotateRecoveryOptions, dl as RotateRecoveryResult, dm as SEALED_PASSPHRASE_RECORD_ID, dn as SealedEnvelope, dp as SealedPassphrase, bb as SealingKeyProvider, dq as SessionPolicy, dr as SetPublicEnvelopeInput, ds as ShamirRecoveryDoc, dt as ShamirRecoveryEntry, bh as ShamirRecoveryProvider, U as SlotInfo, V as SlotRecord, du as SlotRewrapCeremony, dv as SlotRewrapContext, dw as StandardSchemaV1, dx as StandardSchemaV1Issue, dy as StandardSchemaV1SyncResult, dz as StoreAuth, dA as StoreAuthKind, dB as StoreCapabilities, dC as SyncEngine, dD as SyncMetadata, dE as SyncPolicy, dF as SyncScheduler, dG as SyncSchedulerStatus, dH as SyncStatus, dI as SyncTarget, dJ as SyncTargetRole, dK as SyncTransaction, dL as SyncTransactionResult, dM as TierMode, dN as TranslatorAuditEntry, as as TxCollection, at as TxContext, dO as TxOp, au as TxVault, dP as USER_ENVELOPE_COLLECTION, dQ as USER_ENVELOPE_MAX_BYTES, bn as UnionSource, dR as Unsubscribe, dS as UpdateAuthenticatorOptions, dT as UpdateUserOptions, dU as UserApi, dV as UserEnvelopeCheckGate, dW as UserEnvelopeOversizedError, dX as UserEnvelopePresented, dY as UserInfo, dZ as VaultBackup, a_ as VaultEngine, ap as VaultFrame, a$ as VaultInstant, d_ as VaultPolicyOnDisk, d$ as VaultSchemaSnapshot, e0 as VaultSnapshot, b0 as VerifyResult, W as VersionRecord, e1 as WarningRules, e2 as WeakPassphraseError, e3 as WeakPassphraseReason, e4 as WrappedDeksBlob, g as applyI18nLocale, b1 as applyPatch, e5 as assertStrongPassphrase, e6 as buildRecipientKeyringFile, e7 as burnPaperRecoveryEntry, b2 as canonicalJson, b3 as computePatch, n as createEnforcer, e8 as createNoydb, e9 as createStore, ea as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, b4 as diff, eb as enrollAuthenticator, ec as estimateEntropy, ed as evaluateExportCapability, ee as evaluateImportCapability, ef as findAuthenticator, b5 as formatDiff, eg as hasExportCapability, eh as hasImportCapability, ei as hasRecoveryEnrolled, b6 as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, ej as isMagicLinkGrantExpired, ek as isPublicEnvelope, el as issueDelegation, em as keyringRecoverPassphrase, en as keyringRotatePassphrase, eo as listMagicLinkGrants, ep as listUsers, eq as listUsersWithEnvelopes, er as loadActiveDelegations, es as loadPaperRecoveryEntries, et as loadSealedPassphrase, eu as loadShamirRecoveryEntries, ev as magicLinkGrantRecordId, ew as mintPaperRecoveryEntry, ex as mintShamirRecoveryEntry, ey as mintWrappedDeksBlob, b7 as paddedIndex, b8 as parseIndex, ez as parseSealedEnvelope, eA as readMagicLinkGrantRecord, eB as recoverUser, eC as removeAuthenticator, r as resolveI18nText, eD as resolvePublicEnvelopeSchema, eE as revokeDelegation, eF as revokeMagicLinkGrant, av as runTransaction, eG as savePaperRecoveryEntries, eH as saveSealedPassphrase, eI as saveShamirRecoveryEntries, b9 as sha256Hex, eJ as unwrapDeksFromBlob, eK as unwrapDeksFromPaperEntry, eL as unwrapDeksFromShamirEntry, eM as unwrapMagicLinkGrant, v as validateI18nTextValue, eN as validatePassphrase, eO as validatePublicEnvelopeInput, eP as validateSchemaInput, eQ as validateSchemaOutput, o as validateSessionPolicy, eR as writeMagicLinkGrant } from './types-BoFFiskX.js';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.js';
 export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.js';
-import { N as NoydbError } from './index-DJTf9yxn.js';
-export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, t as NetworkError, u as NoAccessError, v as NotFoundError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-DJTf9yxn.js';
-export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-8QDuznDr.js';
+import { N as NoydbError } from './index-BCKdioeh.js';
+export { x as AlreadyElevatedError, A as AmendmentForbiddenError, m as AttestationError, B as BackupCorruptedError, o as BackupLedgerError, p as BundleIntegrityError, q as BundleSealMismatchError, r as BundleVersionConflictError, C as ConflictError, y as DEFAULT_JOIN_MAX_ROWS, z as DanglingReferenceError, E as DecryptionError, G as DelegationTargetMissingError, e as DerivationCapExceededError, f as DerivationCycleError, g as DerivationDepthError, h as DerivationOutputShapeError, i as DerivationOutputUnknownError, D as DictKeyInUseError, a as DictKeyMissingError, H as DirectoryDisabledError, J as ElevationExpiredError, K as ExportCapabilityError, F as FieldFrozenError, U as FilenameSanitizationError, V as GroupCardinalityError, W as ImportCapabilityError, X as IndexRequiredError, Y as IndexWriteFailureError, Z as InvalidKeyError, I as InvariantError, _ as JoinContext, $ as JoinLeg, a0 as JoinStrategy, a1 as JoinTooLargeError, a2 as JoinableSource, a3 as KeyringCorruptError, a4 as KeyringExpiredError, a5 as LedgerContentionError, a6 as LiveQuery, a7 as LiveUpstream, L as LocaleNotSpecifiedError, t as MaterializedViewConfigError, u as MaterializedViewCycleError, v as MaterializedViewSourceUnknownError, w as MaterializedViewTooLargeError, M as MissingTranslationError, a8 as NetworkError, a9 as NoAccessError, aa as NotFoundError, ab as OrderBy, O as OverlayBaseIsVirtualError, j as OverlayCollectionUnavailableError, k as OverlayIdMismatchError, l as OverlayNameCollisionError, ac as PathEscapeError, ad as PeriodClosedError, ae as PermissionDeniedError, af as PrivilegeEscalationError, Q as Query, ag as QueryPlan, ah as QuerySource, ai as ReadOnlyAtInstantError, aj as ReadOnlyError, ak as ReadOnlyFrameError, d as RecordLockedError, al as RefDescriptor, am as RefIntegrityError, an as RefMode, ao as RefRegistry, ap as RefScopeError, aq as RefViolation, R as ReservedCollectionNameError, ar as ScanBuilder, as as ScanPageProvider, at as SchemaValidationError, S as SessionExpiredError, b as SessionNotFoundError, c as SessionPolicyError, au as StoreCapabilityError, av as TamperedError, aw as TierDemoteDeniedError, ax as TierNotGrantedError, T as TranslatorNotConfiguredError, ay as ValidationError, az as applyJoins, aA as buildLiveQuery, aB as executePlan, aC as ref, aD as resetJoinWarnings } from './index-BCKdioeh.js';
+export { A as AutoCredential, n as AutoCredentialKind, c as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, j as generateULID, o as hasNoydbBundleMagic, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, p as readNoydbBundlePublicEnvelope, m as resetBrotliSupportCache, w as writeNoydbBundle } from './ulid-BmBgooGm.js';
 export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.js';
+export { w as withGuard } from './with-guard-C25yNjzd.js';
+export { w as withDerivation } from './with-derivation-BKXXa8Vt.js';
+export { w as withMaterializedView } from './with-materialized-view-CqnRwI2S.js';
+export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-Dnu81tsS.js';
+export { w as withOverlayedView } from './with-overlayed-view-Ct1fSJt-.js';
 export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.js';
-export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-BdPp68qn.js';
-export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.js';
-export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.js';
-export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-lsoL3eEW.js';
-import './lazy-builder-BwEoBQZ9.js';
+export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-utkybTKb.js';
+export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedQueryN, i as GroupedRow, j as GroupedRowN, L as LiveAggregation, R as Reducer, k as ReducerOptions, l as avg, n as count, o as groupAndReduce, p as max, q as min, r as reduceRecords, t as sum } from './strategy-DSTrsZ8t.js';
+export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-DcoYWfJ_.js';
+import './lazy-builder-Rpd-V3jP.js';
+import '@noy-db/attestation';
 
 /**
  * Persistence helpers for per-principal user envelopes stored at
@@ -164,13 +169,39 @@ declare class RecoveryNotEnrolledError extends NoydbError {
     constructor(message?: string);
 }
 /**
- * Raised by `db.recoverPassphrase` when the developer requests a
- * recovery profile other than `'paper'` in v0.1.0-pre.5. The other
- * three profiles (Shamir, multi-channel, admin-mediated) ship the API
- * shape now; their per-profile dispatch lands in follow-up issues.
+ * Raised by `openVault` when a managed-passphrase-mode vault has no
+ * STRONG recovery profile enrolled (#195).
+ *
+ * Managed mode means the user never types a passphrase — the unlock
+ * material lives in a `SealingKeyProvider` (`at-*` package). If that
+ * provider's key is lost AND no strong recovery is enrolled, the
+ * vault is irrecoverable. To prevent that footgun, managed-mode vaults
+ * require at least one strong recovery profile (Shamir today;
+ * multi-channel / admin-mediated when those ship).
+ *
+ * Paper recovery alone is NOT strong under managed mode: the user has
+ * no memorized passphrase to fall back on, so losing the paper sheet =
+ * losing every record permanently.
+ *
+ * Bootstrap with `db.openVaultAndEnrollRecovery(vault, { recovery: [{ profile: "shamir", k, n }] })`
+ * to atomically create-and-enroll, or call `db.enrollRecovery(vault, { profile: "shamir", ... })`
+ * separately before re-attempting `openVault`.
+ */
+declare class ManagedRecoveryNotEnrolledError extends NoydbError {
+    readonly vault: string;
+    constructor(vault: string);
+}
+/**
+ * Raised by `db.recoverPassphrase` / `db.enrollRecovery` /
+ * `db.rotateRecovery` when the developer requests a recovery profile
+ * not yet wired in this hub release.
+ *
+ * Implemented: `paper` (#10, pre.5) and `shamir` (#196 slice 1, pre.16).
+ * Pending: `multi-channel` and `admin-mediated` (tracked under #196
+ * follow-up slices).
  *
  * The carried `profile` and `tracking` fields let consumers steer the
- * UI ("Shamir recovery is not yet wired up — open issue #N to follow").
+ * UI ("multi-channel recovery is not yet wired up — open issue #N to follow").
  */
 declare class RecoveryProfileNotImplementedError extends NoydbError {
     readonly profile: string;
@@ -308,6 +339,89 @@ declare function loadVaultPolicy(store: NoydbStore, vault: string): Promise<Vaul
  */
 declare function saveVaultPolicy(store: NoydbStore, vault: string, policy: VaultPolicy): Promise<void>;
 
+/**
+ * Derive a {@link PersistedSchemaEnvelope} from a Standard Schema v1
+ * validator. v0 supports Zod via `zod-to-json-schema` (optional peer-dep);
+ * other families write a stub envelope flagging the kind.
+ *
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+ *
+ * @module
+ */
+
+/**
+ * Heuristic Zod detection — Zod schemas carry a `_def.typeName` property
+ * starting with `Zod` (e.g. `ZodObject`, `ZodString`). This survives Zod's
+ * minor-version bumps because the typeName naming is stable across v3.
+ */
+declare function isZodSchema(value: unknown): boolean;
+declare function derivePersistedSchema(validator: unknown): Promise<PersistedSchemaEnvelope>;
+
+/**
+ * Read / write the per-collection persisted-schema envelope. Mirrors the
+ * standard noy-db record envelope shape and is **AES-GCM encrypted with
+ * the collection's DEK** — the schema body (field names, enum values,
+ * constraints) is sensitive metadata, so it gets the same encryption
+ * envelope as the records it describes.
+ *
+ * Storage layout:
+ *
+ *   <vault>/_schemas/<collection>   →   EncryptedEnvelope
+ *
+ * The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}
+ * is the same key the collection uses for its records.
+ *
+ * @module
+ */
+
+/** Reserved collection name where persisted schemas live. */
+declare const SCHEMAS_COLLECTION: "_schemas";
+/**
+ * Read and decrypt the persisted-schema envelope for one collection.
+ * Returns `undefined` when no envelope has been written or when decryption
+ * fails (e.g. wrong DEK passed). Tolerates corrupted records — JSON parse
+ * failures surface as `undefined`, mirroring `_meta/handle`'s contract.
+ */
+declare function loadPersistedSchema(store: NoydbStore, vault: string, collection: string, dek: CryptoKey): Promise<PersistedSchemaEnvelope | undefined>;
+/**
+ * Encrypt and persist a schema envelope for one collection. Always
+ * overwrites any prior write (callers gate on hash equality before calling
+ * to avoid no-op writes).
+ */
+declare function savePersistedSchema(store: NoydbStore, vault: string, collection: string, dek: CryptoKey, payload: PersistedSchemaEnvelope): Promise<void>;
+
+/**
+ * Orchestrate the derive → hash → skip-or-write cycle for a collection's
+ * persisted JSON Schema. Called by the Vault at collection-registration
+ * time when the developer opts in via `collection({ persistJsonSchema:
+ * true })`.
+ *
+ * Skip semantics:
+ *
+ *   - Zod validators: skip when the new hash equals the stored hash.
+ *   - Non-Zod (stub envelopes have hash=null): skip when the stored
+ *     envelope's `kind` matches the freshly-detected kind (since there's
+ *     no body to compare yet — a kind change is the only signal).
+ *
+ * @module
+ */
+
+interface PersistSchemaResult {
+    /** True when a fresh envelope was written to storage. */
+    readonly written: boolean;
+    /** True when an existing envelope matched and the write was skipped. */
+    readonly skipped: boolean;
+    /** The envelope that was either written or matched. */
+    readonly envelope: PersistedSchemaEnvelope;
+}
+declare function persistSchemaIfNeeded(opts: {
+    readonly store: NoydbStore;
+    readonly vault: string;
+    readonly collectionName: string;
+    readonly validator: unknown;
+    readonly dek: CryptoKey;
+}): Promise<PersistSchemaResult>;
+
 /**
  * Authentication introspection — issue #13.
  *
@@ -353,6 +467,84 @@ declare function describeAllUsersAuth(store: NoydbStore, vault: string): Promise
     description: string;
 }>>;
 
+/**
+ * Persistence helpers for the vault-level user-directory toggle
+ * (`_meta/directory`). Mirrors the bypass-AES pattern used by
+ * `_meta/policy` — the directory document is plain JSON, the
+ * envelope's `_iv` field is left empty.
+ *
+ * @see docs/subsystems/user-envelope.md → Directory visibility
+ * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site
+ *
+ * @module
+ */
+
+/** Reserved id for the vault-level directory document. */
+declare const DIRECTORY_RECORD_ID = "directory";
+/**
+ * Read the directory toggle from `_meta/directory`. Returns `undefined`
+ * when no document has been persisted — callers treat that as the
+ * default-on case (`{ enabled: true }`).
+ *
+ * Tolerates corrupted documents the same way `_meta/policy` does: a
+ * JSON parse failure surfaces as `undefined`, not a thrown error, so a
+ * bad write never permanently breaks team enumeration.
+ */
+declare function readDirectoryConfig(store: NoydbStore, vault: string): Promise<DirectoryConfig | undefined>;
+/**
+ * Persist the directory toggle at `_meta/directory`. Idempotent — call
+ * on every `db.setDirectoryEnabled()` invocation. Owner-only at the
+ * caller site; this primitive does not check roles.
+ */
+declare function persistDirectoryConfig(store: NoydbStore, vault: string, config: DirectoryConfig): Promise<void>;
+
+/**
+ * Persistence helpers for the per-user visibility flag
+ * (`_meta/visibility/<keyringId>`). Mirrors the bypass-AES pattern used
+ * by `_meta/policy` — the visibility document is plain JSON, the
+ * envelope's `_iv` field is left empty.
+ *
+ * Stored alongside the keyring file rather than inside the encrypted
+ * user envelope (`_users/<keyringId>`) because:
+ *
+ *  - `UserEnvelope<T>.data` is opaque-to-hub by contract — hub does not
+ *    introspect or reserve any keys inside it. Adding `hidden` there
+ *    would violate that contract.
+ *  - `listUsersWithEnvelopes` filters by the flag, and the filter must
+ *    work even when decryption fails (legacy keyrings predating the
+ *    envelope feature, or a corrupted envelope).
+ *
+ * @see docs/subsystems/user-envelope.md → Directory visibility
+ * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site
+ *
+ * @module
+ */
+
+/** Prefix for per-user visibility records inside `_meta`. */
+declare const VISIBILITY_RECORD_PREFIX = "visibility/";
+/** Compose the `_meta` record id for a keyring's visibility doc. */
+declare function visibilityRecordId(keyringId: string): string;
+/**
+ * Read the visibility flag for `keyringId`. Returns `undefined` when no
+ * document has been persisted — callers treat that as the default-visible
+ * case (`{ hidden: false }`).
+ */
+declare function readUserVisibility(store: NoydbStore, vault: string, keyringId: string): Promise<UserVisibility | undefined>;
+/**
+ * Persist the visibility flag for `keyringId` at
+ * `_meta/visibility/<keyringId>`. Idempotent — call on every
+ * `vault.user.setMyVisibility()` invocation. Own-only at the caller
+ * site; this primitive does not enforce keyring ownership.
+ */
+declare function persistUserVisibility(store: NoydbStore, vault: string, keyringId: string, visibility: UserVisibility): Promise<void>;
+/**
+ * Delete the visibility flag for `keyringId`. Called from `revoke()`
+ * alongside `deleteUserEnvelope` so the sidecar does not leak to a
+ * re-granted principal with the same `userId`. Idempotent — the store's
+ * `delete()` is already a no-op when the record is absent.
+ */
+declare function deleteUserVisibility(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
+
 interface EncryptResult {
     iv: string;
     data: string;
@@ -562,4 +754,4 @@ type DiffCandidate<T = unknown> = Vault | Record<string, readonly T[]> | string;
  */
 declare function diffVault<T = unknown>(vault: Vault, candidate: DiffCandidate<T>, options?: DiffOptions): Promise<VaultDiff<T>>;
 
-export { ActiveTier, type CheckGateContext, DEFAULT_FRESHNESS_MS, type DiffCandidate, DiffEntry, type DiffOptions, FactorProof, GateName, GatePolicy, META_COLLECTION, NoydbError, NoydbStore, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, PolicyDeniedError, type PolicyDenyReason, PublicEnvelope, RecoveryNotEnrolledError, RecoveryProfileNotImplementedError, STRICT_POLICY, UnlockedKeyring, UserEnvelope, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, VaultPolicy, assertTierAccess, base64ToBuffer, bufferToBase64, checkGate, decryptBytes, decryptDeterministic, dekKey, deleteUserEnvelope, derivePresenceKey, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateRecordBytes, listUserEnvelopeIds, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, mergePolicy, parseBytes, readPublicEnvelope, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy };
+export { ActiveTier, type CheckGateContext, DEFAULT_FRESHNESS_MS, DIRECTORY_RECORD_ID, type DiffCandidate, DiffEntry, type DiffOptions, DirectoryConfig, FactorProof, GateName, GatePolicy, META_COLLECTION, ManagedRecoveryNotEnrolledError, NoydbError, NoydbStore, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, type PersistSchemaResult, PersistedSchemaEnvelope, PolicyDeniedError, type PolicyDenyReason, PublicEnvelope, RecoveryNotEnrolledError, RecoveryProfileNotImplementedError, SCHEMAS_COLLECTION, STRICT_POLICY, UnlockedKeyring, UserEnvelope, UserVisibility, VISIBILITY_RECORD_PREFIX, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, VaultPolicy, assertTierAccess, base64ToBuffer, bufferToBase64, checkGate, decryptBytes, decryptDeterministic, dekKey, deleteUserEnvelope, deleteUserVisibility, derivePersistedSchema, derivePresenceKey, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateRecordBytes, isZodSchema, listUserEnvelopeIds, loadPersistedSchema, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, mergePolicy, parseBytes, persistDirectoryConfig, persistSchemaIfNeeded, persistUserVisibility, readDirectoryConfig, readPublicEnvelope, readUserVisibility, savePersistedSchema, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy, visibilityRecordId };