@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.3

package/dist/{types-C4lwMKKF.d.cts → types-CSLcfytP.d.cts}

@@ -1,8 +1,9 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-C-rPfWG0.cjs';
 import { b as AggregateSpec, A as AggregateStrategy } from './strategy-DSTrsZ8t.cjs';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.cjs';
-import { N as NoydbError, Q as Query, ak as RefRegistry, ah as RefDescriptor, _ as JoinableSource, am as RefViolation, an as ScanBuilder } from './index-CmVgTkqk.cjs';
+import { N as NoydbError, Q as Query, ar as RefRegistry, ao as RefDescriptor, a2 as JoinableSource, at as RefViolation, au as ScanBuilder } from './index-DVkvrgpm.cjs';
 import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Dnu81tsS.cjs';
+import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
  * Standard Schema v1 integration.
@@ -794,8 +795,15 @@ interface LedgerEntry {
      * guards subsystem when an admin/owner uses `withTransactions(...)`
      * to repair a constraint-violating state. See `amendment` field
      * below for the structured payload.
+     *
+     * `'lifecycle'` records a non-data audit event (e.g. partition
+     * handover, #226) — `collection`/`id` are empty and the event detail
+     * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
+     * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
+     * skips it in the data cross-check (it still participates in the
+     * tamper-evident chain).
      */
-    readonly op: 'put' | 'delete' | 'amendment';
+    readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration';
     /** The collection the mutation targeted. */
     readonly collection: string;
     /** The record id the mutation targeted. */
@@ -2541,6 +2549,220 @@ interface I18nStrategy {
     buildDictionaryHandle<Keys extends string = string>(opts: BuildDictionaryHandleOptions<Keys>): DictionaryHandle<Keys>;
 }
 
+/**
+ * Observable write-queue (#227, M12 Slice 1).
+ *
+ * Tracks outstanding in-flight *logical* writes (a full Collection.put /
+ * delete, including ledger + cache + derivation + MV dispatch — not just
+ * the adapter call). The hub holds one tracker per instance; it is
+ * framework-agnostic (no Vue/React dependency). UI layers subscribe via
+ * onChange(); the migration drain (Slice 2) quiesces via onFlush().
+ */
+/** Public, read-only view of the hub's write-queue. */
+interface WriteQueue {
+    /** True while one or more writes are in flight (`depth > 0`). */
+    readonly pending: boolean;
+    /** Count of outstanding write operations. */
+    readonly depth: number;
+    /**
+     * Subscribe to depth changes (fires on every begin and settle).
+     * Returns an unsubscribe function. Intended for reactive wrappers
+     * (e.g. `@noy-db/in-vue` turns this into a `ref`).
+     */
+    onChange(handler: () => void): () => void;
+    /**
+     * Resolves once `depth` reaches 0. If a write settled with an error
+     * while this flush was waiting, the returned promise REJECTS with that
+     * error instead — so a drain caller surfaces the failure rather than
+     * hanging. Resolves immediately when already idle and error-free.
+     */
+    onFlush(): Promise<void>;
+}
+declare class WriteQueueTracker implements WriteQueue {
+    #private;
+    get pending(): boolean;
+    get depth(): number;
+    /** Mark one write as started. */
+    begin(): void;
+    /** Mark one write as finished. Pass the error if it failed. */
+    settle(error?: Error): void;
+    onChange(handler: () => void): () => void;
+    onFlush(): Promise<void>;
+    /**
+     * Run `fn` as a tracked write: depth++ on entry, depth-- on settle
+     * (success or failure). The fn's resolved value is returned; a thrown
+     * error is re-thrown after the queue is decremented.
+     */
+    track<R>(fn: () => Promise<R>): Promise<R>;
+}
+
+/**
+ * Hub-level write lifecycle hooks (#230). `onBeforeWrite` may abort (throw);
+ * `onAfterWrite` is awaited and its errors are warned, not thrown. A
+ * re-entrancy flag suppresses nested firing so a handler that writes can't
+ * loop. Held on the Noydb instance, threaded into every Collection.
+ */
+interface WriteEvent {
+    readonly op: 'create' | 'update' | 'delete';
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    readonly before: unknown;
+    readonly after: unknown;
+    readonly baseVersion: number;
+    readonly version: number;
+    readonly userId: string;
+    readonly timestamp: number;
+    readonly txId: string;
+}
+type WriteHook = (event: WriteEvent) => void | Promise<void>;
+type Unsubscribe$2 = () => void;
+declare class WriteHookRegistry {
+    #private;
+    /** True while handlers are running — used by the write path to skip nested firing. */
+    get suppressed(): boolean;
+    /** True when any hook is registered (cheap gate for the write path). */
+    get hasHandlers(): boolean;
+    onBeforeWrite(handler: WriteHook): Unsubscribe$2;
+    onAfterWrite(handler: WriteHook): Unsubscribe$2;
+    /** Run before-hooks (awaited, in order). A throw propagates and aborts the write. */
+    runBefore(event: WriteEvent): Promise<void>;
+    /** Run after-hooks (awaited, in order). Per-handler errors are warned, not thrown. */
+    runAfter(event: WriteEvent): Promise<void>;
+}
+
+/**
+ * Schema-update strategy framework types (#245, M12 §3a).
+ *
+ * The hub core detects a schema change (SchemaDelta) and dispatches it
+ * through a collection's ordered strategy list. Strategies decide what
+ * happens; the core only knows this interface.
+ */
+/** A single changed top-level property in a schema delta. */
+interface FieldChange {
+    readonly field: string;
+    /** True when the field's required-ness flipped. */
+    readonly requiredChanged: boolean;
+    /** True when the field's subschema shape changed. */
+    readonly shapeChanged: boolean;
+}
+/** The classified difference between a stored and a freshly-derived schema. */
+interface SchemaDelta {
+    readonly collection: string;
+    readonly kind: 'none' | 'additive' | 'non-additive';
+    /** Top-level properties present in the new schema but not the old. */
+    readonly added: readonly string[];
+    /** Top-level properties present in the old schema but not the new. */
+    readonly removed: readonly string[];
+    /** Top-level properties present in both but altered. */
+    readonly changed: readonly FieldChange[];
+}
+/** Context handed to a strategy alongside the delta. */
+interface UpdateContext {
+    readonly collection: string;
+}
+/** Bulk transform run by the coordinatedCutover strategy (#232). */
+type TransformFn = (doc: Record<string, unknown>) => Record<string, unknown>;
+/**
+ * A strategy's verdict on a detected schema change.
+ * - `allow`   — no objection; the dispatcher falls through to the next strategy.
+ * - `reject`  — terminal: refuse the change; `error` is thrown at the write path.
+ * - `cutover` — terminal: run a coordinated drain-barrier (handled by #232).
+ * New terminal actions may be added without breaking existing strategies.
+ */
+type UpdateDecision = {
+    readonly action: 'allow';
+} | {
+    readonly action: 'reject';
+    readonly error: Error;
+} | {
+    readonly action: 'cutover';
+    readonly transform: TransformFn;
+};
+/** A pluggable schema-evolution policy. */
+interface SchemaUpdateStrategy {
+    readonly name: string;
+    onSchemaDelta(delta: SchemaDelta, ctx: UpdateContext): UpdateDecision | Promise<UpdateDecision>;
+}
+
+/**
+ * Per-collection write gate (#245). Holds the (async) update decision
+ * computed at registration; `Collection.put`/`delete` await it before
+ * writing and throw the strategy's rejection error.
+ *
+ * Detection FAILURE (the promise rejecting) is deliberately NOT a write
+ * block — schema detection is a fingerprint safety net, not a correctness
+ * invariant (matches how persisted-schema write failures are swallowed).
+ * Only an explicit `reject` decision blocks writes.
+ */
+
+declare class SchemaUpdateGate {
+    #private;
+    constructor(decision: Promise<UpdateDecision>);
+    assertWritable(): Promise<void>;
+}
+
+/**
+ * Schema-fence document (#232). Vault-level generation counter + drain
+ * state, stored at `_meta/schema-fence` using the plaintext-envelope
+ * pattern of `_meta/policy` (no PII — a counter + a state enum).
+ */
+
+type FenceState = 'normal' | 'draining' | 'migrating' | 'complete';
+interface FenceDoc {
+    readonly currentSchemaVersion: number;
+    readonly fenceState: FenceState;
+}
+
+/**
+ * Vault-level schema-fence controller (#232).
+ *
+ * Owns the open-time generation snapshot, the pending-cutover registry,
+ * and the cutover orchestration. 3a: single-client (the caller is the
+ * migrator). 3b: a cooperative ack-barrier — after `draining`, the
+ * migrator waits for the active client set (registry heartbeats) to ack
+ * the draining generation before transforming. No leader election.
+ */
+
+/** Runs one collection's transform; supplied by the Vault (binds to a Collection). */
+type RunTransform = (collection: string, transform: TransformFn) => Promise<void>;
+declare class SchemaFenceController {
+    #private;
+    constructor(opts: {
+        store: NoydbStore;
+        vault: string;
+        onFlush: () => Promise<void>;
+        clientId?: string;
+        now?: () => number;
+        staleMs?: number;
+        quiesceTimeoutMs?: number;
+        emit?: (e: {
+            currentSchemaVersion: number;
+            fenceState: FenceState;
+        }) => void;
+    });
+    /** Capture the generation snapshot at vault-open. */
+    init(): Promise<void>;
+    /** Record a per-collection pending cutover (from a registration `cutover` decision). */
+    registerPendingCutover(collection: string, transform: TransformFn): void;
+    /** Write-path gate. Throws when behind, fenced, or this collection is cutover-pending. */
+    assertWritable(collection: string): Promise<void>;
+    /**
+     * Admin trigger. Drain → wait for the active set to quiesce (or time out)
+     * → migrate each pending transform → bump → complete → normal. The
+     * migrator excludes itself from the barrier (it drained synchronously
+     * here). `onPoll` (tests) advances other clients between barrier checks;
+     * production falls back to a short real delay.
+     */
+    runCutover(run: RunTransform, opts?: {
+        onPoll?: () => Promise<void>;
+    }): Promise<{
+        migrated: number;
+    }>;
+    /** Recover a stuck drain: reset fenceState to normal at the current version (no bump). */
+    abort(): Promise<void>;
+}
+
 /**
  * Zero-dependency JSON diff.
  * Produces a flat list of changes between two plain objects.
@@ -3919,6 +4141,63 @@ declare function validatePublicEnvelopeInput(input: SetPublicEnvelopeInput, sche
  */
 declare function isPublicEnvelope(x: unknown): x is PublicEnvelope;
 
+/**
+ * Multi-tab coordination (#228a): primary/secondary election (Web Locks)
+ * + presence heartbeat (BroadcastChannel). Browser-only; opt-in; no-op
+ * when the APIs are absent. The lock/channel interfaces are hub-local
+ * (structurally compatible with @noy-db/by-peer + @noy-db/by-tabs, but
+ * not imported — those packages depend on hub).
+ */
+type TabRole = 'primary' | 'secondary' | 'unknown';
+interface TabPresence {
+    readonly tabId: string;
+    readonly lastSeen: number;
+    readonly role: TabRole;
+}
+type Unsubscribe$1 = () => void;
+/** Structural subset of the Web Locks API / by-peer's MinimalLockManager. */
+interface TabLockManager {
+    request<T>(name: string, options: {
+        mode?: 'exclusive' | 'shared';
+        signal?: AbortSignal;
+    }, callback: (lock: unknown) => Promise<T>): Promise<T>;
+}
+/** Structural subset of by-peer's PeerChannel / a BroadcastChannel wrapper. */
+interface TabChannel {
+    send(payload: string): void;
+    on(event: 'message', listener: (payload: string) => void): Unsubscribe$1;
+    on(event: 'close', listener: () => void): Unsubscribe$1;
+    close(): void;
+    readonly isOpen: boolean;
+}
+interface TabCoordinationOptions {
+    readonly lockManager?: TabLockManager;
+    readonly channel?: TabChannel;
+    readonly tabId?: string;
+    readonly lockName?: string;
+    readonly heartbeatMs?: number;
+    readonly staleMs?: number;
+    readonly now?: () => number;
+    /**
+     * Close the channel on `dispose()`. Set this only for a channel the
+     * coordinator owns (e.g. the one `defaultChannel()` created); leave it
+     * false for a caller-injected channel so the coordinator never closes a
+     * channel it didn't create. Default: false.
+     */
+    readonly closeChannelOnDispose?: boolean;
+    /**
+     * Also propagate committed writes to other tabs (#228b). Default true:
+     * when tab coordination is enabled and a channel is available, a write in
+     * one tab refreshes that document in every other tab. Set false to opt out.
+     */
+    readonly propagateWrites?: boolean;
+    /**
+     * Channel for write propagation (#228b) — distinct from the presence
+     * channel. Default: an inline BroadcastChannel on `noydb:tab-writes`.
+     */
+    readonly writeChannel?: TabChannel;
+}
+
 /**
  * Per-vault tier-3 (PIN / quick-resume) state — issue #11.
  *
@@ -4068,6 +4347,8 @@ interface AmendmentTxOptions {
  * facade; its `put`/`delete`/`get` calls stage ops against the tx.
  */
 declare class TxContext {
+    /** Stable id for this transaction; shared by all writes it performs (#230). */
+    readonly txId: string;
     /** @internal */
     readonly _ops: StagedOp[];
     /**
@@ -4152,6 +4433,34 @@ declare class TxCollection<T> {
  */
 declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 
+/**
+ * Dry-run transactions (#231). Runs the tx body to STAGE ops, then builds
+ * the directly-affected diff (before = current committed via collection.get,
+ * after = staged record) and collects guard violations — without executing
+ * phase 2. No adapter writes, no write-hooks, no commit. MV/derivation
+ * cascade is NOT simulated (v2). Mirrors the guard loop in
+ * `Collection.putInternal` — keep the two in sync.
+ */
+
+interface AffectedDocument {
+    readonly vault: string;
+    readonly op: 'create' | 'update' | 'delete';
+    readonly collection: string;
+    readonly docId: string;
+    readonly before: unknown;
+    readonly after: unknown;
+}
+interface GuardViolation {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    readonly message: string;
+}
+interface DryRunResult {
+    readonly affected: ReadonlyArray<AffectedDocument>;
+    readonly guardViolations: ReadonlyArray<GuardViolation>;
+}
+
 /**
  * Policy gate DSL types — issue #9.
  *
@@ -4320,8 +4629,12 @@ type ActiveTier = 1 | 2 | 3;
 
 /** The top-level NOYDB instance. */
 declare class Noydb {
+    #private;
     private readonly options;
     private readonly emitter;
+    private readonly writeQueueTracker;
+    private readonly writeHooks;
+    private readonly clientId;
     private readonly vaultCache;
     private readonly keyringCache;
     private readonly syncEngines;
@@ -4354,6 +4667,10 @@ declare class Noydb {
     private readonly publicEnvelopeSchema;
     private closed;
     private sessionTimer;
+    /** Same-device multi-tab coordinator (#228); created on `enableTabCoordination()`. */
+    private tabCoordinator;
+    /** Cross-tab write relay (#228b); created on `enableTabCoordination()`. */
+    private writeRelay;
     /** Per-vault policy enforcers. */
     private readonly policyEnforcers;
     private readonly txStrategy;
@@ -4657,6 +4974,15 @@ declare class Noydb {
      * to the vault's ledger as `op: 'amendment'`.
      */
     transaction<T>(options: AmendmentTxOptions, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+    /**
+     * Dry-run a transaction (#231): run the body to stage ops, then return
+     * the directly-affected diff + collected guard violations WITHOUT
+     * committing (no adapter writes, no write hooks). MV/derivation cascade
+     * is not simulated. Requires `withTransactions()`.
+     */
+    transaction(options: {
+        readonly dryRun: true;
+    }, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
     /**
      * Create a sync transaction for the given vault.
      * The vault must already be open via `openVault()`.
@@ -4721,6 +5047,52 @@ declare class Noydb {
     private getSyncEngine;
     on<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
     off<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
+    /**
+     * Observable write-queue for this hub instance. Reflects outstanding
+     * in-flight writes across all collections. See {@link WriteQueue}.
+     *
+     * @example
+     * window.addEventListener('beforeunload', (e) => {
+     *   if (db.writeQueue.pending) { e.preventDefault(); e.returnValue = '' }
+     * })
+     */
+    get writeQueue(): WriteQueue;
+    /**
+     * @internal Mutable tracker behind {@link writeQueue}. Threaded into
+     * each Collection (via Vault) so `put`/`delete` can `track()` writes.
+     * Not part of the public surface — consumers use `writeQueue`.
+     */
+    get _writeQueueTracker(): WriteQueueTracker;
+    /**
+     * Register a hook that runs before each write (#230). Awaited; a throw
+     * aborts the write. Returns an unsubscribe function.
+     */
+    onBeforeWrite(handler: WriteHook): Unsubscribe$2;
+    /**
+     * Register a hook that runs after each committed write (#230). Awaited;
+     * a handler error is warned, never rolled back. Returns an unsubscribe fn.
+     */
+    onAfterWrite(handler: WriteHook): Unsubscribe$2;
+    /** Subscribe to cross-tab write conflicts (#228c). Returns an unsubscribe. */
+    onWriteConflict(fn: (c: WriteConflict) => void): Unsubscribe$2;
+    /**
+     * Enable same-device multi-tab coordination (#228): primary/secondary
+     * election + presence. Browser-only — a graceful no-op (role 'unknown')
+     * when Web Locks / BroadcastChannel are unavailable and nothing is
+     * injected. Idempotent; returns a disposer.
+     */
+    enableTabCoordination(opts?: TabCoordinationOptions): {
+        dispose: () => void;
+    };
+    private disableTabCoordination;
+    get tabRole(): TabRole;
+    activeTabs(): TabPresence[];
+    onTabRoleChange(fn: (r: TabRole) => void): Unsubscribe$2;
+    onActiveTabsChange(fn: (t: TabPresence[]) => void): Unsubscribe$2;
+    /** @internal The write-hook registry, threaded into each Collection. */
+    get _writeHooks(): WriteHookRegistry;
+    /** @internal Stable per-instance id for schema-cutover coordination (#232). */
+    get _clientId(): string;
     /**
      * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
      * instance, sync engine, policy enforcer, and active-tier entry —
@@ -6070,6 +6442,11 @@ declare class GuardRegistry {
     register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void;
     /** All guards registered against `collection` in registration order. */
     guardsFor(collection: string): ReadonlyArray<AnyGuard>;
+    /** Per-collection guard counts, for introspection (#229). */
+    summary(): {
+        collection: string;
+        count: number;
+    }[];
     /**
      * Run every guard's `check` for this collection. First throw wins —
      * remaining guards are not invoked. Guards without a `check` skip.
@@ -6813,6 +7190,29 @@ interface PersistedSchemaEnvelope {
  * @module
  */
 
+/** Flat snapshot of a vault's registered schema (#229). */
+interface SchemaIntrospection {
+    readonly collections: ReadonlyArray<{
+        name: string;
+        docCount: number;
+    }>;
+    readonly guards: ReadonlyArray<{
+        collection: string;
+        count: number;
+    }>;
+    readonly materializedViews: ReadonlyArray<{
+        name: string;
+        sourceCollections: string[];
+    }>;
+    readonly schemaUpdate: ReadonlyArray<{
+        collection: string;
+        strategies: string[];
+    }>;
+    readonly grants: ReadonlyArray<{
+        collection: string;
+        permission: Permission;
+    }>;
+}
 /** Where the field-level info in the snapshot came from. */
 type FieldSource = 'persisted' | 'live-validator' | 'sampled' | 'unknown';
 interface FieldDescriptor {
@@ -6921,6 +7321,7 @@ interface VaultIntrospectState {
 
 /** A vault (tenant namespace) containing collections. */
 declare class Vault {
+    #private;
     private readonly adapter;
     /** The vault's name as passed to `openVault()`. Stable for the instance lifetime. */
     readonly name: string;
@@ -7023,12 +7424,20 @@ declare class Vault {
      */
     private readonly reloadKeyring;
     private readonly collectionCache;
+    /** #232 — vault-level schema cutover fence/controller. */
+    readonly schemaFence: SchemaFenceController;
     /**
      * per-collection `blobFields` retention/TTL config.
      * Populated on `collection({ blobFields })` and read by
      * `vault.compact()`. Indexed by collection name.
      */
     private readonly blobFieldsRegistry;
+    /**
+     * Per-collection attestation field-schema (issue side). Populated on
+     * `collection({ attestation })` and read by `issueAttestation()`.
+     * Indexed by collection name.
+     */
+    private readonly attestationRegistry;
     /**
      * Per-vault ledger store. Lazy-initialized on first
      * `collection()` call (which passes it through to the Collection)
@@ -7249,6 +7658,15 @@ declare class Vault {
          * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
          */
         persistJsonSchema?: boolean;
+        /**
+         * Ordered schema-update strategies (#245). On a detected schema
+         * change, evaluated in order; the first non-`allow` decision wins.
+         * A `reject` is enforced at the write path (`put`/`delete` throw).
+         * Requires `persistJsonSchema: true` (detection needs the baseline).
+         */
+        schemaUpdate?: readonly SchemaUpdateStrategy[];
+        /** — declare the per-field schema for document attestation (issue side). */
+        attestation?: AttestationFieldSchema;
     }): Collection<T>;
     /**
      * Await all background persisted-schema writes triggered by
@@ -7256,6 +7674,45 @@ declare class Vault {
      * Used in tests; production code does not need to call this.
      */
     _drainPendingSchemaWrites(): Promise<void>;
+    /**
+     * Run a coordinated schema cutover (#232). Drains pending writes, waits
+     * for the active client set to quiesce (the ack-barrier), applies every
+     * pending collection transform in bulk, bumps the vault schema generation,
+     * and clears the fence. Returns the count of collections migrated.
+     * `opts.onPoll` (tests) advances other clients between barrier checks.
+     */
+    runSchemaCutover(opts?: {
+        onPoll?: () => Promise<void>;
+    }): Promise<{
+        migrated: number;
+    }>;
+    /**
+     * #228b — refresh a loaded collection's view of one document from a peer
+     * tab's broadcast. No-op when the collection isn't loaded in this tab
+     * (it will read fresh on next open). Mirrors #runCutoverTransform's guard.
+     */
+    _applyRemoteWrite(collectionName: string, docId: string, action: 'put' | 'delete'): Promise<void>;
+    /**
+     * #228c — for a detected conflict: capture this tab's clobbered record,
+     * read the common ancestor from history, converge the cache to the store's
+     * authoritative value (the (b) re-read), and return all three for the
+     * WriteConflict payload. Returns null when the collection isn't loaded.
+     */
+    _captureAndConverge(collectionName: string, docId: string, action: 'put' | 'delete', baseV: number): Promise<{
+        local: unknown;
+        remote: unknown;
+        base: unknown;
+    } | null>;
+    /** Recover a stuck cutover fence (#232) — reset to normal without bumping. */
+    abortSchemaCutover(): Promise<void>;
+    /** Current schema-cutover fence state for this vault (#232/#233). Thin live read. */
+    schemaFenceState(): Promise<FenceDoc>;
+    /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered (#232). */
+    _ensureFenceCoordination(): void;
+    /** @internal Stop the heartbeat/watcher (vault lock/close). */
+    _stopFenceCoordination(): void;
+    /** @internal Drive one heartbeat + watch cycle deterministically (tests). */
+    _fenceTick(): Promise<void>;
     /**
      * Validate i18nText fields on a `put()`. Called by Collection just
      * before the adapter write, after schema validation. Throws
@@ -7431,6 +7888,22 @@ declare class Vault {
      */
     compact(options?: CompactRunOptions): Promise<CompactionResult>;
     exportBlobs(options?: ExportBlobsOptions): ExportBlobsHandle;
+    issueAttestation(collectionName: string, id: string): Promise<{
+        docId: string;
+        qr: string;
+        keyId: string;
+        publicKeyB64: string;
+    }>;
+    getDocumentSigningPublicKey(): Promise<{
+        keyId: string;
+        publicKeyB64: string;
+    }>;
+    private makeIssueContext;
+    revokeAttestation(docId: string): Promise<void>;
+    unrevokeAttestation(docId: string): Promise<void>;
+    getRevokedDocIds(): Promise<string[]>;
+    publishRevocationList(): Promise<RevocationList>;
+    private makeRevokeContext;
     private writeExportAudit;
     /**
      * Read-only accessor for the invoking keyring's export capability,
@@ -7886,6 +8359,14 @@ declare class Vault {
      * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
      */
     dumpSchema(opts?: DumpSchemaOptions): Promise<VaultSchemaSnapshot>;
+    /**
+     * Lightweight read of the vault's registered schema (#229): collections
+     * (+ doc counts), guards, materialized views, schema-update strategies,
+     * and the unlocked user's grants. Cheap — one `adapter.list` per
+     * collection, no decryption. For a full snapshot + stats use dumpSchema().
+     * Post-unlock by construction (a Vault only exists with an unlocked keyring).
+     */
+    introspect(): Promise<SchemaIntrospection>;
     /**
      * Internal accessor for {@link dumpVaultSchema}. Exposes the structural
      * state the walker needs (collection cache, registries, ref registry,
@@ -8362,12 +8843,18 @@ interface CacheStats extends LruStats {
 }
 /** A typed collection of records within a vault. */
 declare class Collection<T> {
+    #private;
     private readonly adapter;
     private readonly vault;
     private readonly name;
     private readonly keyring;
     private readonly encrypted;
     private readonly emitter;
+    private readonly writeQueue;
+    private readonly schemaUpdateGate;
+    private readonly schemaFence;
+    private readonly writeHooks;
+    private readonly activeTxId;
     private readonly getDEK;
     private readonly onDirty;
     private readonly historyConfig;
@@ -8635,6 +9122,21 @@ declare class Collection<T> {
         keyring: UnlockedKeyring;
         encrypted: boolean;
         emitter: NoydbEventEmitter;
+        /**
+         * Vault-level in-flight write tracker (#227). When present,
+         * `put`/`delete` run inside `writeQueue.track()` so `hub.writeQueue`
+         * reflects outstanding writes. Optional so direct Collection
+         * construction in tests still works untracked.
+         */
+        writeQueue?: WriteQueueTracker | undefined;
+        /** #245 — per-collection schema-update gate; `put`/`delete` await it. */
+        schemaUpdateGate?: SchemaUpdateGate | undefined;
+        /** #232 — vault-level fence controller; `put`/`delete` consult it. */
+        schemaFence?: SchemaFenceController | undefined;
+        /** #230 — hub-level write-hook registry; fired around put/delete. */
+        writeHooks?: WriteHookRegistry | undefined;
+        /** #230 — active transaction id supplier (null outside a transaction). */
+        activeTxId?: (() => string | null) | undefined;
         getDEK: (collectionName: string) => Promise<CryptoKey>;
         historyConfig?: HistoryConfig | undefined;
         onDirty?: OnDirtyCallback | undefined;
@@ -8950,7 +9452,8 @@ declare class Collection<T> {
         pollIntervalMs?: number;
     }): PresenceHandle<P>;
     /**
-     * Create or update a record.
+     * Create or update a record. Runs inside the hub's write-queue tracker
+     * (#227) so `hub.writeQueue.pending` reflects this write.
      *
      * @param id      Record identifier.
      * @param record  The record body (validated by the collection's schema
@@ -8963,6 +9466,8 @@ declare class Collection<T> {
     put(id: string, record: T, options?: {
         readonly reason?: string;
     }): Promise<void>;
+    /** @internal Untracked put body — call {@link put}, not this. */
+    private putInternal;
     /**
      * Fire registered MV strategies whose dependency set includes this
      * collection. Eager-mode MVs re-materialize inline via
@@ -8988,8 +9493,20 @@ declare class Collection<T> {
      * cycle detection.
      */
     private dispatchDerivations;
-    /** Delete a record by ID. */
+    /**
+     * Delete a record by ID. Runs inside the hub's write-queue tracker
+     * (#227) so `hub.writeQueue.pending` reflects this write.
+     */
     delete(id: string): Promise<void>;
+    /**
+     * @internal #232 — bulk-rewrite every record through a cutover transform.
+     * Raw adapter path (bypasses the write gate + guards — the transform is
+     * trusted and runs only during the `migrating` phase). Bumps each
+     * record's `_v` and appends a ledger `op:'migration'` entry.
+     */
+    _applyCutoverTransform(transform: (doc: Record<string, unknown>) => Record<string, unknown>): Promise<number>;
+    /** @internal Untracked delete body — call {@link delete}, not this. */
+    private deleteInternal;
     /**
      * @internal — system-internal delete that bypasses user-facing
      * delete hooks (`onDelete`, accounting-period guard, FK ref
@@ -9326,6 +9843,15 @@ declare class Collection<T> {
      * gone before the tx and the revert deleted it again).
      */
     _invalidateCacheEntry(id: string): Promise<void>;
+    /**
+     * #228b — apply a peer tab's committed write to THIS tab's in-memory view:
+     * re-read the (already-persisted) envelope from the shared store + refresh
+     * cache/indexes, then emit a `change` event so reactive consumers re-render.
+     * Never writes to the store and never fires write hooks, so it cannot loop.
+     */
+    _applyRemoteChange(id: string, action: 'put' | 'delete'): Promise<void>;
+    /** @internal #228c — the current in-memory record without a store read (for conflict capture). */
+    _peekCached(id: string): T | null;
     private ensureHydrated;
     /** Hydrate from a pre-loaded snapshot (used by Vault). */
     hydrateFromSnapshot(records: Record<string, EncryptedEnvelope>): Promise<void>;
@@ -9751,6 +10277,7 @@ interface ShadowStrategy {
  */
 interface TxStrategy {
     runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
+    runDryRun(db: Noydb, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
 }
 
 /**
@@ -9897,6 +10424,18 @@ interface SessionStrategy {
  *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
  *     a deterministic per-instance "key" so two providers with
  *     different ids cannot unseal each other's outputs.
+ *   - {@link RecipientHint} — public material a sender uses to seal
+ *     plaintext for a specific recipient; published by
+ *     {@link RecipientSealer.publishRecipientHint} and transported
+ *     out-of-band to the sender before bundle writes.
+ *   - {@link RecipientSealer} — interface for asymmetric/granted
+ *     providers that support recipient-target sealing (RSA-OAEP,
+ *     cloud-KMS asymmetric, etc.); distinct from self-only
+ *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
+ *   - {@link MemoryRecipientSealer} — in-process reference
+ *     implementation of both `RecipientSealer` and
+ *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
+ *     safe for tests and same-process sender/recipient scenarios.
  *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
  *     plaintext envelope storage at `_meta/sealed-passphrase`.
  *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
@@ -9977,6 +10516,78 @@ declare class MemorySealingKeyProvider implements SealingKeyProvider {
     seal(passphrase: Uint8Array): Promise<Uint8Array>;
     unseal(sealed: Uint8Array): Promise<Uint8Array>;
 }
+/**
+ * Public material a sender uses to seal-for-this-recipient. Published by
+ * a recipient's RecipientSealer; transported to the sender out-of-band
+ * (email, S3, in-app message). The sender obtains the hint, supplies it
+ * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
+ * hub seals each user's credential against it. Per foundation §11.4.
+ */
+type RecipientHint = {
+    readonly v: 1;
+    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
+    readonly pid: string;
+    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
+    readonly alg: 'rsa-oaep-sha256';
+    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
+    readonly material: Readonly<Record<string, unknown>>;
+};
+/**
+ * Handover-capable provider. Implemented additionally by asymmetric/granted
+ * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
+ * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
+ * implement this — the §11.2 capability matrix lives in the type system.
+ *
+ * Per foundation §11.4. A function that requires recipient-target sealing
+ * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
+ * passing a self-only provider at the spec site.
+ */
+interface RecipientSealer {
+    readonly id: string;
+    /** Produce hint material a sender uses to seal-for-this-recipient. */
+    publishRecipientHint(): Promise<RecipientHint>;
+    /**
+     * Seal plaintext for the recipient described by `hint`. Returns opaque
+     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
+     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
+     * without inspecting them.
+     */
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+}
+/**
+ * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
+ * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
+ * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
+ * result into a self-describing TLV:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
+ * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
+ * for tests where one provider plays both ends. Real cloud providers
+ * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
+ * contract is round-trip identity.
+ *
+ * SAFE for production within its scope — the cryptography is real
+ * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
+ * and is regenerated on every construction. Not suitable as a managed
+ * keychain; use it for tests and for shipping bundles where the
+ * recipient instance lives in the same process as the sender (rare).
+ */
+declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
+    readonly id: string;
+    private readonly keypair;
+    constructor(opts: {
+        id: string;
+    });
+    publishRecipientHint(): Promise<RecipientHint>;
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    unseal(bytes: Uint8Array): Promise<Uint8Array>;
+}
 /** Reserved id for the managed-passphrase envelope under `_meta`. */
 declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
 /** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
@@ -10758,6 +11369,23 @@ interface Conflict {
      */
     readonly resolve?: (winner: EncryptedEnvelope | null) => void;
 }
+/**
+ * #228c — a same-device cross-tab write conflict: another tab overwrote a
+ * document this tab had written, having diverged from an older base. Records
+ * are decrypted (cross-tab handlers reconcile in plaintext). `base` is the
+ * common ancestor from history, or null when history is unavailable.
+ */
+interface WriteConflict {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    readonly local: unknown;
+    readonly remote: unknown;
+    readonly base: unknown;
+    readonly localVersion: number;
+    readonly remoteVersion: number;
+    readonly baseVersion: number;
+}
 type ConflictStrategy = 'local-wins' | 'remote-wins' | 'version' | ((conflict: Conflict) => 'local' | 'remote');
 /**
  * Collection-level conflict policy.
@@ -10844,9 +11472,20 @@ interface ChangeEvent {
 interface NoydbEventMap {
     'change': ChangeEvent;
     'error': Error;
+    /**
+     * Same-instance signal that this vault's schema-fence state changed
+     * (#232). For UI integration (#233). Cross-client coordination goes
+     * through the store, not this event.
+     */
+    'schema:fence-changed': {
+        vault: string;
+        currentSchemaVersion: number;
+        fenceState: 'normal' | 'draining' | 'migrating' | 'complete';
+    };
     'sync:push': PushResult;
     'sync:pull': PullResult;
     'sync:conflict': Conflict;
+    'write:conflict': WriteConflict;
     'sync:online': void;
     'sync:offline': void;
     'sync:backup-error': {
@@ -11851,4 +12490,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, VaultInstant as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DerivationStrategyHandle as aA, type DerivedFromMeta as aB, type OutputSpec as aC, type RecordOutputSpec as aD, type MaterializedViewStrategy as aE, type MaterializedViewStrategyHandle as aF, type OverlayedViewStrategy as aG, Collection as aH, OverlayedViewRegistry as aI, type OverlayedViewStrategyHandle as aJ, type SyncStrategy as aK, type Role as aL, type UnlockedKeyring as aM, type HistoryStrategy as aN, type NoydbStore as aO, type HistoryOptions as aP, type EncryptedEnvelope as aQ, type PruneOptions as aR, type AppendInput as aS, type ChangeType as aT, CollectionInstant as aU, type DiffEntry as aV, type JsonPatch as aW, type JsonPatchOp as aX, type LedgerEntry as aY, LedgerStore as aZ, type VaultEngine as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type GuardStrategy as ah, type GuardChange as ai, type GuardContext as aj, GuardRegistry as ak, type GuardStrategyHandle as al, ReadOnlyVaultFacade as am, type ShadowStrategy as an, CollectionFrame as ao, VaultFrame as ap, type TxStrategy as aq, type AmendmentTxOptions as ar, TxCollection as as, TxContext as at, TxVault as au, runTransaction as av, type DerivationStrategy as aw, type DerivationContext as ax, type ArrayOutputSpec as ay, DerivationRegistry as az, type DictKeyDescriptor as b, type FactorRequirement as b$, type VerifyResult as b0, applyPatch as b1, canonicalJson as b2, computePatch as b3, diff as b4, formatDiff as b5, hashEntry as b6, paddedIndex as b7, parseIndex as b8, sha256Hex as b9, type CollectionDescriptor as bA, type CollectionStats as bB, type Conflict as bC, type ConflictPolicy as bD, type ConflictStrategy as bE, type CrossTierAccessEvent as bF, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bG, DELEGATIONS_COLLECTION as bH, type DeepPartial as bI, type DeepPartialOrNull as bJ, type DelegationToken as bK, type DeleteManyResult as bL, type DerivationDescriptor as bM, type DirtyEntry as bN, type DumpSchemaOptions as bO, ELEVATION_AUDIT_COLLECTION as bP, ElevatedHandle as bQ, type EnrollAuthenticatorOptions as bR, type EnrollAuthenticatorWrappingDEKsOptions as bS, type EnrollAuthenticatorWrappingKEKOptions as bT, type EnrollRecoveryResult as bU, type ExportCapability as bV, type ExportChunk as bW, type ExportFormat as bX, type ExportStreamOptions as bY, type FactorKind as bZ, type FactorProofBundle as b_, type MVQueryContext as ba, type RegisteredMV as bb, MaterializedViewRegistry as bc, type MaterializedFromMeta as bd, type MaterializedViewOutput as be, type UnionSource as bf, type UserEnvelope as bg, type PublicEnvelope as bh, type GateName as bi, type GatePolicy as bj, type VaultPolicy as bk, type ActiveTier as bl, type FactorProof as bm, type PersistedSchemaEnvelope as bn, type DirectoryConfig as bo, type UserVisibility as bp, Vault as bq, type AccessibleVault as br, BUNDLE_STORE_POLICY as bs, type BuiltInGateName as bt, type BundleRecipient as bu, type CacheOptions as bv, type CacheStats as bw, type ChangeEvent as bx, type CollectionChangeEvent as by, type CollectionConflictResolver as bz, DictionaryHandle as c, type PutManyItemOptions as c$, type FieldDescriptor as c0, type FieldSource as c1, type GhostRecord as c2, type GrantOptions as c3, type HistoryConfig as c4, type HistoryEntry as c5, INDEXED_STORE_POLICY as c6, type ImportCapability as c7, type InferOutput as c8, type InternalCollectionStats as c9, type NoydbBundleStore as cA, type NoydbEventMap as cB, type NoydbOptions as cC, type OverlayViewDescriptor as cD, PUBLIC_ENVELOPE_FIELDS as cE, type PaperRecoveryDoc as cF, type PaperRecoveryEntry as cG, type PassphrasePolicy as cH, type PassphraseValidationResult as cI, type Permission as cJ, type Permissions as cK, type PersistedSchemaKind as cL, type PlaintextTranslatorContext as cM, type PlaintextTranslatorFn as cN, PresenceHandle as cO, type PresencePeer as cP, type PublicEnvelopeField as cQ, type PublicEnvelopeSchema as cR, type PublicEnvelopeText as cS, type PullMode as cT, type PullOptions as cU, type PullPolicy as cV, type PullResult as cW, type PushMode as cX, type PushOptions as cY, type PushPolicy as cZ, type PushResult as c_, type IssueDelegationOptions as ca, type IssueMagicLinkGrantOptions as cb, type KeyringAuthenticator as cc, type KeyringAuthenticatorWrappingDEKs as cd, type KeyringAuthenticatorWrappingKEK as ce, type KeyringFile as cf, type ListAccessibleVaultsOptions as cg, type ListPageResult as ch, type ListUsersOptions as ci, type LiveUserEnvelope as cj, type LocaleReadOptions as ck, Lru as cl, type LruOptions as cm, type LruStats as cn, MAGIC_LINK_CONTENT_INFO_PREFIX as co, MAGIC_LINK_GRANTS_COLLECTION as cp, MAGIC_LINK_KEK_INFO_PREFIX as cq, type MagicLinkGrantPayload as cr, type MagicLinkGrantRecord as cs, type MaterializedViewDescriptor as ct, MemorySealingKeyProvider as cu, NOYDB_BACKUP_VERSION as cv, NOYDB_FORMAT_VERSION as cw, NOYDB_KEYRING_VERSION as cx, NOYDB_SYNC_VERSION as cy, Noydb as cz, type DictionaryOptions as d, type WeakPassphraseReason as d$, type PutManyOptions as d0, type PutManyResult as d1, type QueryAcrossOptions as d2, type QueryAcrossResult as d3, type QuickUnlockState as d4, QuickUnlockStore as d5, type ReAuthOperation as d6, type RecoverPassphraseInput as d7, type RecoverPassphraseResult as d8, type RecoverUserOptions as d9, type SyncPolicy as dA, SyncScheduler as dB, type SyncSchedulerStatus as dC, type SyncStatus as dD, type SyncTarget as dE, type SyncTargetRole as dF, SyncTransaction as dG, type SyncTransactionResult as dH, type TierMode as dI, type TranslatorAuditEntry as dJ, type TxOp as dK, USER_ENVELOPE_COLLECTION as dL, USER_ENVELOPE_MAX_BYTES as dM, type Unsubscribe as dN, type UpdateAuthenticatorOptions as dO, type UpdateUserOptions as dP, UserApi as dQ, type UserEnvelopeCheckGate as dR, UserEnvelopeOversizedError as dS, type UserEnvelopePresented as dT, type UserInfo as dU, type VaultBackup as dV, type VaultPolicyOnDisk as dW, type VaultSchemaSnapshot as dX, type VaultSnapshot as dY, type WarningRules as dZ, WeakPassphraseError as d_, type RecoveryProof as da, type ResolvedPublicEnvelopeSchema as db, type RevokeOptions as dc, type RotatePassphraseInput as dd, type RotateRecoveryOptions as de, type RotateRecoveryResult as df, SEALED_PASSPHRASE_RECORD_ID as dg, type SealedEnvelope as dh, type SealedPassphrase as di, type SealingKeyProvider as dj, type SessionPolicy as dk, type SetPublicEnvelopeInput as dl, type ShamirRecoveryDoc as dm, type ShamirRecoveryEntry as dn, type ShamirRecoveryProvider as dp, type SlotRewrapCeremony as dq, type SlotRewrapContext as dr, type StandardSchemaV1 as ds, type StandardSchemaV1Issue as dt, type StandardSchemaV1SyncResult as du, type StoreAuth as dv, type StoreAuthKind as dw, type StoreCapabilities as dx, SyncEngine as dy, type SyncMetadata as dz, type I18nTextDescriptor as e, type WrappedDeksBlob as e0, assertStrongPassphrase as e1, buildRecipientKeyringFile as e2, burnPaperRecoveryEntry as e3, createNoydb as e4, createStore as e5, deriveMagicLinkContentKey as e6, enrollAuthenticator as e7, estimateEntropy as e8, evaluateExportCapability as e9, revokeDelegation as eA, revokeMagicLinkGrant as eB, savePaperRecoveryEntries as eC, saveSealedPassphrase as eD, saveShamirRecoveryEntries as eE, unwrapDeksFromBlob as eF, unwrapDeksFromPaperEntry as eG, unwrapDeksFromShamirEntry as eH, unwrapMagicLinkGrant as eI, validatePassphrase as eJ, validatePublicEnvelopeInput as eK, validateSchemaInput as eL, validateSchemaOutput as eM, writeMagicLinkGrant as eN, changeSecret as eO, createOwnerKeyring as eP, ensureCollectionDEK as eQ, grant as eR, loadKeyring as eS, persistKeyring as eT, revoke as eU, updateAuthenticator as eV, updateKeyringIdentity as eW, evaluateImportCapability as ea, findAuthenticator as eb, hasExportCapability as ec, hasImportCapability as ed, hasRecoveryEnrolled as ee, isMagicLinkGrantExpired as ef, isPublicEnvelope as eg, issueDelegation as eh, recoverPassphrase as ei, rotatePassphrase as ej, listMagicLinkGrants as ek, listUsers as el, listUsersWithEnvelopes as em, loadActiveDelegations as en, loadPaperRecoveryEntries as eo, loadSealedPassphrase as ep, loadShamirRecoveryEntries as eq, magicLinkGrantRecordId as er, mintPaperRecoveryEntry as es, mintShamirRecoveryEntry as et, mintWrappedDeksBlob as eu, parseSealedEnvelope as ev, readMagicLinkGrantRecord as ew, recoverUser as ex, removeAuthenticator as ey, resolveSchema as ez, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, VaultInstant as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DerivationStrategyHandle as aA, type DerivedFromMeta as aB, type OutputSpec as aC, type RecordOutputSpec as aD, type MaterializedViewStrategy as aE, type MaterializedViewStrategyHandle as aF, type OverlayedViewStrategy as aG, Collection as aH, OverlayedViewRegistry as aI, type OverlayedViewStrategyHandle as aJ, type SyncStrategy as aK, type Role as aL, type UnlockedKeyring as aM, type HistoryStrategy as aN, type NoydbStore as aO, type HistoryOptions as aP, type EncryptedEnvelope as aQ, type PruneOptions as aR, type AppendInput as aS, type ChangeType as aT, CollectionInstant as aU, type DiffEntry as aV, type JsonPatch as aW, type JsonPatchOp as aX, type LedgerEntry as aY, LedgerStore as aZ, type VaultEngine as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type GuardStrategy as ah, type GuardChange as ai, type GuardContext as aj, GuardRegistry as ak, type GuardStrategyHandle as al, ReadOnlyVaultFacade as am, type ShadowStrategy as an, CollectionFrame as ao, VaultFrame as ap, type TxStrategy as aq, type AmendmentTxOptions as ar, TxCollection as as, TxContext as at, TxVault as au, runTransaction as av, type DerivationStrategy as aw, type DerivationContext as ax, type ArrayOutputSpec as ay, DerivationRegistry as az, type DictKeyDescriptor as b, type EnrollAuthenticatorOptions as b$, type VerifyResult as b0, applyPatch as b1, canonicalJson as b2, computePatch as b3, diff as b4, formatDiff as b5, hashEntry as b6, paddedIndex as b7, parseIndex as b8, sha256Hex as b9, type AccessibleVault as bA, type AffectedDocument as bB, BUNDLE_STORE_POLICY as bC, type BuiltInGateName as bD, type CacheOptions as bE, type CacheStats as bF, type ChangeEvent as bG, type CollectionChangeEvent as bH, type CollectionConflictResolver as bI, type CollectionDescriptor as bJ, type CollectionStats as bK, type Conflict as bL, type ConflictPolicy as bM, type ConflictStrategy as bN, type CrossTierAccessEvent as bO, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bP, DELEGATIONS_COLLECTION as bQ, type DeepPartial as bR, type DeepPartialOrNull as bS, type DelegationToken as bT, type DeleteManyResult as bU, type DerivationDescriptor as bV, type DirtyEntry as bW, type DryRunResult as bX, type DumpSchemaOptions as bY, ELEVATION_AUDIT_COLLECTION as bZ, ElevatedHandle as b_, type PublicEnvelope as ba, type SealingKeyProvider as bb, type BundleRecipient as bc, type RecipientSealer as bd, type RecipientHint as be, Vault as bf, type RecoveryEnrollmentInput as bg, type ShamirRecoveryProvider as bh, type MVQueryContext as bi, type RegisteredMV as bj, MaterializedViewRegistry as bk, type MaterializedFromMeta as bl, type MaterializedViewOutput as bm, type UnionSource as bn, type UserEnvelope as bo, type GateName as bp, type GatePolicy as bq, type VaultPolicy as br, type ActiveTier as bs, type FactorProof as bt, type SchemaUpdateStrategy as bu, type TransformFn as bv, type PersistedSchemaEnvelope as bw, type UpdateDecision as bx, type DirectoryConfig as by, type UserVisibility as bz, DictionaryHandle as c, type PlaintextTranslatorContext as c$, type EnrollAuthenticatorWrappingDEKsOptions as c0, type EnrollAuthenticatorWrappingKEKOptions as c1, type EnrollRecoveryResult as c2, type ExportCapability as c3, type ExportChunk as c4, type ExportFormat as c5, type ExportStreamOptions as c6, type FactorKind as c7, type FactorProofBundle as c8, type FactorRequirement as c9, type LruOptions as cA, type LruStats as cB, MAGIC_LINK_CONTENT_INFO_PREFIX as cC, MAGIC_LINK_GRANTS_COLLECTION as cD, MAGIC_LINK_KEK_INFO_PREFIX as cE, type MagicLinkGrantPayload as cF, type MagicLinkGrantRecord as cG, type MaterializedViewDescriptor as cH, MemoryRecipientSealer as cI, MemorySealingKeyProvider as cJ, NOYDB_BACKUP_VERSION as cK, NOYDB_FORMAT_VERSION as cL, NOYDB_KEYRING_VERSION as cM, NOYDB_SYNC_VERSION as cN, Noydb as cO, type NoydbBundleStore as cP, type NoydbEventMap as cQ, type NoydbOptions as cR, type OverlayViewDescriptor as cS, PUBLIC_ENVELOPE_FIELDS as cT, type PaperRecoveryDoc as cU, type PaperRecoveryEntry as cV, type PassphrasePolicy as cW, type PassphraseValidationResult as cX, type Permission as cY, type Permissions as cZ, type PersistedSchemaKind as c_, type FenceDoc as ca, type FenceState as cb, type FieldChange as cc, type FieldDescriptor as cd, type FieldSource as ce, type GhostRecord as cf, type GrantOptions as cg, type GuardViolation as ch, type HistoryConfig as ci, type HistoryEntry as cj, INDEXED_STORE_POLICY as ck, type ImportCapability as cl, type InferOutput as cm, type InternalCollectionStats as cn, type IssueDelegationOptions as co, type IssueMagicLinkGrantOptions as cp, type KeyringAuthenticator as cq, type KeyringAuthenticatorWrappingDEKs as cr, type KeyringAuthenticatorWrappingKEK as cs, type KeyringFile as ct, type ListAccessibleVaultsOptions as cu, type ListPageResult as cv, type ListUsersOptions as cw, type LiveUserEnvelope as cx, type LocaleReadOptions as cy, Lru as cz, type DictionaryOptions as d, type TabRole as d$, type PlaintextTranslatorFn as d0, PresenceHandle as d1, type PresencePeer as d2, type PublicEnvelopeField as d3, type PublicEnvelopeSchema as d4, type PublicEnvelopeText as d5, type PullMode as d6, type PullOptions as d7, type PullPolicy as d8, type PullResult as d9, type SealedPassphrase as dA, type SessionPolicy as dB, type SetPublicEnvelopeInput as dC, type ShamirRecoveryDoc as dD, type ShamirRecoveryEntry as dE, type SlotRewrapCeremony as dF, type SlotRewrapContext as dG, type StandardSchemaV1 as dH, type StandardSchemaV1Issue as dI, type StandardSchemaV1SyncResult as dJ, type StoreAuth as dK, type StoreAuthKind as dL, type StoreCapabilities as dM, SyncEngine as dN, type SyncMetadata as dO, type SyncPolicy as dP, SyncScheduler as dQ, type SyncSchedulerStatus as dR, type SyncStatus as dS, type SyncTarget as dT, type SyncTargetRole as dU, SyncTransaction as dV, type SyncTransactionResult as dW, type TabChannel as dX, type TabCoordinationOptions as dY, type TabLockManager as dZ, type TabPresence as d_, type PushMode as da, type PushOptions as db, type PushPolicy as dc, type PushResult as dd, type PutManyItemOptions as de, type PutManyOptions as df, type PutManyResult as dg, type QueryAcrossOptions as dh, type QueryAcrossResult as di, type QuickUnlockState as dj, QuickUnlockStore as dk, type ReAuthOperation as dl, type RecoverPassphraseInput as dm, type RecoverPassphraseResult as dn, type RecoverUserOptions as dp, type RecoveryProof as dq, type ResolvedPublicEnvelopeSchema as dr, type RevokeOptions as ds, type RotatePassphraseInput as dt, type RotateRecoveryOptions as du, type RotateRecoveryResult as dv, SEALED_PASSPHRASE_RECORD_ID as dw, type SchemaDelta as dx, type SchemaIntrospection as dy, type SealedEnvelope as dz, type I18nTextDescriptor as e, savePaperRecoveryEntries as e$, type TierMode as e0, type TranslatorAuditEntry as e1, type TxOp as e2, USER_ENVELOPE_COLLECTION as e3, USER_ENVELOPE_MAX_BYTES as e4, type Unsubscribe as e5, type UpdateAuthenticatorOptions as e6, type UpdateContext as e7, type UpdateUserOptions as e8, UserApi as e9, findAuthenticator as eA, hasExportCapability as eB, hasImportCapability as eC, hasRecoveryEnrolled as eD, isMagicLinkGrantExpired as eE, isPublicEnvelope as eF, issueDelegation as eG, recoverPassphrase as eH, rotatePassphrase as eI, listMagicLinkGrants as eJ, listUsers as eK, listUsersWithEnvelopes as eL, loadActiveDelegations as eM, loadPaperRecoveryEntries as eN, loadSealedPassphrase as eO, loadShamirRecoveryEntries as eP, magicLinkGrantRecordId as eQ, mintPaperRecoveryEntry as eR, mintShamirRecoveryEntry as eS, mintWrappedDeksBlob as eT, parseSealedEnvelope as eU, readMagicLinkGrantRecord as eV, recoverUser as eW, removeAuthenticator as eX, resolveSchema as eY, revokeDelegation as eZ, revokeMagicLinkGrant as e_, type UserEnvelopeCheckGate as ea, UserEnvelopeOversizedError as eb, type UserEnvelopePresented as ec, type UserInfo as ed, type VaultBackup as ee, type VaultPolicyOnDisk as ef, type VaultSchemaSnapshot as eg, type VaultSnapshot as eh, type WarningRules as ei, WeakPassphraseError as ej, type WeakPassphraseReason as ek, type WrappedDeksBlob as el, type WriteConflict as em, type WriteEvent as en, type WriteHook as eo, type WriteQueue as ep, assertStrongPassphrase as eq, buildRecipientKeyringFile as er, burnPaperRecoveryEntry as es, createNoydb as et, createStore as eu, deriveMagicLinkContentKey as ev, enrollAuthenticator as ew, estimateEntropy as ex, evaluateExportCapability as ey, evaluateImportCapability as ez, type I18nTextOptions as f, saveSealedPassphrase as f0, saveShamirRecoveryEntries as f1, unwrapDeksFromBlob as f2, unwrapDeksFromPaperEntry as f3, unwrapDeksFromShamirEntry as f4, unwrapMagicLinkGrant as f5, validatePassphrase as f6, validatePublicEnvelopeInput as f7, validateSchemaInput as f8, validateSchemaOutput as f9, writeMagicLinkGrant as fa, changeSecret as fb, createOwnerKeyring as fc, ensureCollectionDEK as fd, grant as fe, loadKeyring as ff, persistKeyring as fg, revoke as fh, updateAuthenticator as fi, updateKeyringIdentity as fj, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };