@noy-db/hub 0.2.0-pre.15 → 0.2.0-pre.17

package/dist/{types-4t1-tWS4.d.ts → types-CljIHm_J.d.ts}

@@ -1,7 +1,9 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-ChSqcF5t.js';
-import { a7 as NoydbError, o as LiveAggregation, f as AggregateSpec, e as AggregateResult, A as AggregateStrategy, av as MoneyDescriptor } from './strategy-CbneC7bS.js';
+import { L as LiveAggregation, b as AggregateSpec, a as AggregateResult, v as MoneyDescriptor, A as AggregateStrategy } from './strategy-4M9jo172.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-XNB2r6bX.js';
+import { L as LedgerEntry, F as ForgetStrategy, S as SubjectRef, b as ForgetResult } from './index-C-SSRIxP.js';
+import { N as NoydbError } from './errors-Dz64FA65.js';
+import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-DpU6KWof.js';
 import { I as IndexDef, O as Operator, F as FieldClause, C as CollectionIndexes } from './predicate-BmhBSPCH.js';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
@@ -415,6 +417,7 @@ declare class BlobSet {
     private readonly encrypted;
     private readonly userId;
     private readonly maxBlobBytes;
+    private readonly erasableBlobs;
     constructor(opts: {
         store: NoydbStore;
         vault: string;
@@ -424,7 +427,18 @@ declare class BlobSet {
         encrypted: boolean;
         userId?: string;
         maxBlobBytes?: number;
+        erasableBlobs?: boolean;
     });
+    /**
+     * Resolve the key the blob's CHUNKS are encrypted under.
+     *
+     * - `_cek` present (erasable blob) → unwrap the per-blob content CEK under
+     *   the `_blob` DEK. Deleting the BlobObject (at `refCount → 0`) makes this
+     *   key unrecoverable → the chunks are crypto-shredded.
+     * - `_cek` absent (legacy) → the `_blob` DEK encrypts chunks directly.
+     * - unencrypted vault → `null` (chunks stored as plaintext base64).
+     */
+    private resolveChunkKey;
     /** The internal collection that holds slot metadata for this collection's blobs. */
     private get slotsCollection();
     /** The internal collection that holds published versions for this collection's blobs. */
@@ -442,6 +456,73 @@ declare class BlobSet {
      * CAS retry loop for refCount changes on a BlobObject.
      */
     private casUpdateRefCount;
+    /**
+     * Release `n` references to a blob and reclaim it at refCount 0 (#365 slice 4).
+     *
+     * The single reclaim choke point for every reference-drop path — slot
+     * delete/overwrite, published-version delete, and `forget()` shred — so the
+     * refCount-0 policy is uniform:
+     *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+     *    copy of the wrapped content CEK → chunks permanently undecryptable) and
+     *    reclaim the chunks. The crypto-shred is EAGER on every path: GDPR erasure
+     *    must not wait on orphan retention.
+     *  - **legacy blob** (no `_cek`) → reclaimed only when `reclaimLegacy` (the
+     *    `forget()` erasure path); otherwise left for deferred GC so the existing
+     *    `BlobLifecyclePolicy.orphanRetentionDays` semantics are preserved.
+     *
+     * @returns `'shredded'` (erasable, refCount 0, chunks dead) · `'retainedShared'`
+     *   (erasable, still referenced) · `'residue'` (legacy — not a crypto-shred).
+     */
+    private releaseRef;
+    /**
+     * Crypto-shred this record's blob attachments (#365 slice 2) — called by
+     * `vault.forget()`.
+     *
+     * For each distinct eTag the record references (a record may attach the same
+     * content under several slot names → several refCount holds): decrement the
+     * blob's refCount by that many. When it reaches 0:
+     *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+     *    recoverable copy of the wrapped content CEK → chunks permanently
+     *    undecryptable) and reclaim the chunk bytes. This is the crypto-shred.
+     *  - **legacy blob** (no `_cek`) → chunks are under the shared `_blob` DEK and
+     *    stay decryptable until byte-deleted; we delete the orphaned chunks +
+     *    index but report it as residue, not a cryptographic erasure.
+     * When refCount stays > 0 the content legitimately persists for its other
+     * owner — reported as `retainedShared` (or `residue` if legacy).
+     *
+     * Finally drops the record's slot map, severing the subject's link.
+     */
+    shredAllForRecord(): Promise<{
+        shredded: string[];
+        retainedShared: string[];
+        residue: string[];
+    }>;
+    /** CAS retry loop for an arbitrary BlobObject mutation. */
+    private casUpdateBlobObject;
+    /**
+     * Migrate this record's LEGACY blobs (no `_cek`, chunks under the shared
+     * `_blob` DEK) to per-blob content CEKs so they become crypto-shreddable
+     * (#365 slice 3). Returns the eTags migrated vs. already-erasable.
+     *
+     * **Explicit maintenance pass** (mirrors the record-CEK migration posture):
+     * re-encrypts the existing compressed chunks IN PLACE under a fresh content
+     * CEK — preserving the eTag, chunkCount, chunkSize, and compression — then
+     * flips the `_cek` discriminant. Crash-safe + idempotent via `_cekPending`:
+     *   1. persist the wrapped content CEK in `_cekPending` (readers ignore it →
+     *      the blob stays readable under the `_blob` DEK; the key survives a crash);
+     *   2. re-encrypt each chunk under the content CEK (a resume reads an
+     *      already-migrated chunk under the content CEK, else under the `_blob` DEK);
+     *   3. promote `_cekPending` → `_cek` (atomic flip). Reads now use the CEK.
+     * A re-run after a crash resumes from whichever phase was reached.
+     *
+     * Dedup-safe: migrating a shared blob (refCount > 1) re-keys it for every
+     * referencer at once; a non-erasable collection still reads it (it unwraps
+     * `_cek` under the `_blob` DEK it holds).
+     */
+    migrate(): Promise<{
+        migrated: string[];
+        alreadyErasable: string[];
+    }>;
     private writeChunk;
     private readChunk;
     private versionKey;
@@ -598,6 +679,13 @@ interface BlobStrategyOpenArgs {
     readonly getDEK: (collectionName: string) => Promise<CryptoKey>;
     readonly encrypted: boolean;
     readonly userId: string;
+    /**
+     * Collection opts into per-record keys (`perRecordKeys`), so its blobs are
+     * erasable: new uploads mint a per-blob content CEK (crypto-shreddable at
+     * `refCount → 0`). Off → legacy shared-`_blob`-DEK chunks. See the per-blob
+     * CEK design spec.
+     */
+    readonly erasableBlobs?: boolean;
 }
 /**
  * The seam interface. `@internal` — do not build public APIs on this
@@ -807,224 +895,6 @@ interface ConsentStrategy {
     read(adapter: NoydbStore, vault: string, encrypted: boolean, getDEK: (collectionName: string) => Promise<CryptoKey>, filter?: ConsentAuditFilter): Promise<ConsentAuditEntry[]>;
 }
 
-/**
- * Ledger entry shape + canonical JSON + sha256 helpers.
- *
- * This file holds the PURE primitives used by the hash-chained ledger:
- * the entry type, the deterministic (sort-stable) JSON encoder, and
- * the sha256 hasher that produces `prevHash` and `ledger.head()`.
- *
- * Everything here is validator-free and side-effect free — the only
- * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,
- * which we already use for every other hashing operation in the core.
- *
- * The hash chain property works like this:
- *
- *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))
- *   entry[i+1].prevHash  = hash(entry[i])
- *
- * Any modification to `entry[i]` (field values, field order, whitespace)
- * produces a different `hash(entry[i])`, which means `entry[i+1]`'s
- * stored `prevHash` no longer matches the recomputed hash, which means
- * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is
- * append-only and tamper-evident without external anchoring.
- */
-/**
- * A single ledger entry in its plaintext form — what gets serialized,
- * hashed, and then encrypted with the ledger DEK before being written
- * to the `_ledger/` adapter collection.
- *
- * ## Why hash the ciphertext, not the plaintext?
- *
- * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,
- * not its plaintext. This matters:
- *
- *   1. **Zero-knowledge preserved.** A user (or a third party) can
- *      verify the ledger against the stored envelopes without any
- *      decryption keys. The adapter layer already holds only
- *      ciphertext, so hashing the ciphertext keeps the ledger at the
- *      same privacy level as the adapter.
- *
- *   2. **Determinism.** Plaintext → ciphertext is randomized by the
- *      fresh per-write IV, so `hash(plaintext)` would need extra
- *      normalization. `hash(ciphertext)` is already deterministic and
- *      unique per write.
- *
- *   3. **Detection property.** If an attacker modifies even one byte of
- *      the stored ciphertext (trying to flip a record), the hash
- *      changes, the ledger's recorded `payloadHash` no longer matches,
- *      and a data-integrity check fails. We don't do that check in
- *      `verify()` today, but the
- *      hook is there for a future `verifyIntegrity()` follow-up.
- *
- * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are
- * plaintext METADATA about the operation — NOT the record itself. The
- * entry is still encrypted at rest via the ledger DEK, but adapters
- * could theoretically infer operation patterns from the sizes and
- * timestamps. This is an accepted trade-off for the tamper-evidence
- * property; full ORAM-level privacy is out of scope for noy-db.
- */
-interface LedgerEntry {
-    /**
-     * Zero-based sequential position of this entry in the chain. The
-     * canonical adapter key is this number zero-padded to 10 digits
-     * (`"0000000001"`) so lexicographic ordering matches numeric order.
-     */
-    readonly index: number;
-    /**
-     * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.
-     * The genesis entry (index 0) has `prevHash === ''` — the first
-     * entry in a fresh vault has nothing to point back to.
-     */
-    readonly prevHash: string;
-    /**
-     * Which kind of mutation this entry records. only supports
-     * data operations (`put`, `delete`, `amendment`). Access-control
-     * operations (`grant`, `revoke`, `rotate`) will be added in a
-     * follow-up once the keyring write path is instrumented — that's
-     * tracked in the epic issue.
-     *
-     * `'amendment'` is the multi-record audit entry written by the
-     * guards subsystem when an admin/owner uses `withTransactions(...)`
-     * to repair a constraint-violating state. See `amendment` field
-     * below for the structured payload.
-     *
-     * `'lifecycle'` records a non-data audit event (e.g. partition
-     * handover) — `collection`/`id` are empty and the event detail
-     * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
-     * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
-     * skips it in the data cross-check (it still participates in the
-     * tamper-evident chain).
-     */
-    readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration';
-    /** The collection the mutation targeted. */
-    readonly collection: string;
-    /** The record id the mutation targeted. */
-    readonly id: string;
-    /**
-     * The record version AFTER this mutation. For `put` this is the
-     * newly assigned version; for `delete` this is the version that
-     * was deleted (the last version visible to reads).
-     */
-    readonly version: number;
-    /** ISO timestamp of the mutation. */
-    readonly ts: string;
-    /** User id of the actor who performed the mutation. */
-    readonly actor: string;
-    /**
-     * Hex-encoded sha256 of the encrypted envelope's `_data` field.
-     * For `put`, this is the hash of the new ciphertext. For `delete`,
-     * it's the hash of the last visible ciphertext at deletion time,
-     * or the empty string if nothing was there to delete. Hashing the
-     * ciphertext (not the plaintext) preserves zero-knowledge — see
-     * the file docstring.
-     */
-    readonly payloadHash: string;
-    /**
-     * Optional human-readable tag describing why this mutation happened.
-     * Threaded through `collection.put(_, _, { reason })`. Common
-     * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
-     * `as-*` ImportPlan.apply(), but consumers can use any string for
-     * domain-specific audit filtering. Auto-strip via `canonicalJson` —
-     * absent on the wire, never serialized as `null`.
-     *
-     * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.
-     */
-    readonly reason?: string;
-    /**
-     * Optional hex-encoded sha256 of the encrypted JSON Patch delta
-     * blob stored alongside this entry in `_ledger_deltas/`. Present
-     * only for `put` operations that had a previous version — the
-     * genesis put of a new record, and every `delete`, leave this
-     * field undefined.
-     *
-     * The delta payload itself lives in a sibling internal collection
-     * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the
-     * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and
-     * deserialize it when reconstructing a historical version.
-     *
-     * Why optional instead of always-present: the first put of a
-     * record has no previous version to diff against, so storing an
-     * empty patch would be noise. For deletes there's no "next" state
-     * to describe with a delta. Both cases set this field to undefined.
-     *
-     * Note: the canonical-JSON hasher treats `undefined` as invalid
-     * (it's one of the guard rails), so on the wire this field is
-     * either `{ deltaHash: '<hex>' }` or absent from the JSON
-     * entirely — never `{ deltaHash: undefined }`.
-     */
-    readonly deltaHash?: string;
-    /**
-     * Present only when `op === 'amendment'`. Records the human reason,
-     * the role of the actor, the (collection, id, vBefore, vAfter) tuple
-     * for every record touched, and which guard invariants passed.
-     *
-     * See docs/superpowers/specs/2026-05-18-guards-design.md.
-     */
-    readonly amendment?: {
-        readonly reason: string;
-        readonly role: 'admin' | 'owner';
-        readonly changes: ReadonlyArray<{
-            readonly collection: string;
-            readonly id: string;
-            readonly vBefore: number;
-            readonly vAfter: number;
-        }>;
-        readonly invariantsPassed: ReadonlyArray<string>;
-    };
-}
-/**
- * Canonical (sort-stable) JSON encoder.
- *
- * This function is the load-bearing primitive of the hash chain:
- * `sha256(canonicalJSON(entry))` must produce the same hex string
- * every time, on every machine, for the same logical entry — otherwise
- * `verify()` would return `{ ok: false }` on cross-platform reads.
- *
- * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:
- * it preserves the insertion order of object keys, which means
- * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by
- * recursively walking objects and sorting their keys before
- * concatenation.
- *
- * Arrays keep their original order (reordering them would change
- * semantics). Numbers, strings, booleans, and `null` use the default
- * JSON encoding. `undefined` and functions are rejected — ledger
- * entries are plain data, and silently dropping `undefined` would
- * break the "same input → same hash" property if a caller forgot to
- * omit a field.
- *
- * Performance: one pass per nesting level; O(n log n) for key sorting
- * at each object. Entries are small (< 1 KB) so this is negligible
- * compared to the sha256 call.
- */
-declare function canonicalJson(value: unknown): string;
-/**
- * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.
- *
- * We use hex (not base64) for hashes because hex is case-insensitive,
- * fixed-length (64 chars), and easier to compare visually in debug
- * output. Base64 would save a few bytes in storage but every encrypted
- * ledger entry is already much larger than the hash itself.
- */
-declare function sha256Hex(input: string): Promise<string>;
-/**
- * Compute the canonical hash of a ledger entry. Short wrapper around
- * `canonicalJson` + `sha256Hex`; callers use this instead of composing
- * the two functions every time, so any future change to the hashing
- * pipeline (e.g., adding a domain-separation prefix) lives in one place.
- */
-declare function hashEntry(entry: LedgerEntry): Promise<string>;
-/**
- * Pad an index to the canonical 10-digit form used as the adapter key.
- * Ten digits is enough for ~10 billion ledger entries per vault
- * — far beyond any realistic use case, but cheap enough that the extra
- * digits don't hurt storage.
- */
-declare function paddedIndex(index: number): string;
-/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */
-declare function parseIndex(key: string): number;
-
 /**
  * RFC 6902 JSON Patch — compute + apply.
  *
@@ -2572,6 +2442,88 @@ declare function dictKey<Keys extends string>(name: string, keys?: readonly Keys
 }): DictKeyDescriptor<Keys>;
 /** Runtime predicate for detecting a DictKeyDescriptor. */
 declare function isDictKeyDescriptor(x: unknown): x is DictKeyDescriptor;
+/**
+ * Descriptor returned by `staticDict()`. A sibling to {@link DictKeyDescriptor}
+ * for **closed, defined-in-code, identical-across-vaults** enums (honorific,
+ * civil-status, gender, religion, ContactTitle, status…).
+ *
+ * Unlike `dictKey`, the labels are supplied **at registration in code** and
+ * resolved through the *same* label machinery, but with **no `_dict_*`
+ * per-vault encrypted copy** and **no `rename()`**. The record stores only
+ * the **code**; a static dict has no mutation surface.
+ *
+ * **Hybrid resolution.** Because a static dict is pure code with no
+ * vault-locale dependency, it can — via a configured `displayLocale` — emit a
+ * `<field>Label` even under a **locale-less read** (the property a locale-less
+ * consumer needs and `dictKey` cannot provide). When a locale *is* active it
+ * behaves exactly like `dictKey` (honoring `onMissing`/`substitute`).
+ *
+ * ```ts
+ * const workers = vault.collection<Worker>('workers', {
+ *   dictKeyFields: {
+ *     civilStatus: staticDict('civilStatus', {
+ *       adultMale:   { th: 'นาย',    en: 'Mr'  },
+ *       adultFemale: { th: 'นาง',    en: 'Mrs' },
+ *     }, { displayLocale: 'th' }),
+ *   },
+ * })
+ * ```
+ */
+interface StaticDictDescriptor<Keys extends string = string> {
+    readonly _noydbStaticDict: true;
+    /** Which dictionary this field references (the registry name). */
+    readonly name: string;
+    /** The in-code label table: key → { locale → label }. */
+    readonly table: Readonly<Record<Keys, Readonly<Record<string, string>>>>;
+    /** Declared valid keys — derived from `Object.keys(table)`. */
+    readonly keys: readonly Keys[];
+    /**
+     * Locale used to emit `<field>Label` under a **locale-less** read — the
+     * hybrid hinge. When unset, a static dict behaves like `dictKey` under a
+     * locale-less read (no label); a locale-less consumer almost always wants
+     * it set.
+     */
+    readonly displayLocale?: string;
+    /** Same `onMissing` policy engine as `dictKey`. Default `'null'`. */
+    readonly onMissing?: OnMissingPolicy;
+    /** Ordered preferred-substitute locales for label resolution. */
+    readonly substitute?: readonly string[];
+    /**
+     * Validate the stored code against `keys` on every `put()`. Default `true`
+     * — codes are closed by construction, so an unknown code is a bug. Set
+     * `false` to allow open codes (skips the `UnknownDictCodeError` guard).
+     */
+    readonly validateCodes?: boolean;
+}
+/**
+ * Create a `StaticDictDescriptor` for a code-provided enum field — a sibling
+ * to {@link dictKey} for closed, code-defined, identical-across-vaults enums.
+ *
+ * The labels live in `table` (no `_dict_*` collection, no `rename()`); the
+ * record stores only the stable code. Pass `displayLocale` so `<field>Label`
+ * resolves even under a locale-less read.
+ *
+ * @param name   The dictionary name (used for the readonly-guard registry and
+ *               the query label seam — never creates a `_dict_<name>` key).
+ * @param table  `{ key: { locale: label } }` map.
+ * @param opts   `displayLocale` (locale-less label), `onMissing`, `substitute`.
+ *
+ * @example
+ * ```ts
+ * staticDict('civilStatus', {
+ *   adultMale:   { th: 'นาย',    en: 'Mr'  },
+ *   adultFemale: { th: 'นาง',    en: 'Mrs' },
+ * }, { displayLocale: 'th' })
+ * ```
+ */
+declare function staticDict<const T extends Record<string, Record<string, string>>>(name: string, table: T, opts?: {
+    displayLocale?: string;
+    onMissing?: OnMissingPolicy;
+    substitute?: readonly string[];
+    validateCodes?: boolean;
+}): StaticDictDescriptor<Extract<keyof T, string>>;
+/** Runtime predicate for detecting a StaticDictDescriptor. */
+declare function isStaticDictDescriptor(x: unknown): x is StaticDictDescriptor;
 /**
  * One entry in a `_dict_*` collection. The record `id` (adapter-side
  * key) IS the stable dictionary key (e.g. `'paid'`). The `labels`
@@ -3475,6 +3427,12 @@ interface HistoryStrategy {
      * `NO_HISTORY`.
      */
     clearHistory(adapter: NoydbStore, vault: string, collection?: string, recordId?: string): Promise<number>;
+    /**
+     * Crypto-shred (overwrite-to-tombstone) every `_history` version of a
+     * record for GDPR erasure (#304). Returns the number of versions newly
+     * tombstoned, or `0` under `NO_HISTORY` (no history = nothing to shred).
+     */
+    tombstoneHistory(adapter: NoydbStore, vault: string, collection: string, recordId: string, actor: string): Promise<number>;
     /**
      * Compute the SHA-256 hash of an envelope's encrypted payload, used
      * by `LedgerStore.append` to track tamper-evidence. Returns the
@@ -4903,6 +4861,208 @@ interface SnapshotStrategy {
     readonly policy?: SnapshotPolicy;
 }
 
+/**
+ * Minimum read surface exposed to guard `check` functions. Intentionally
+ * narrow — guards can read other collections but never write.
+ *
+ * `query()` returns the same chainable builder used elsewhere. `Query<T>`
+ * has no write terminals (no `.update()` / `.delete()`) so exposing it
+ * here preserves the read-only contract while letting guards aggregate
+ * with `.where().aggregate()` / `.groupBy()` / `.join()` instead of
+ * decrypting every sibling row via `.list()`.
+ */
+interface ReadOnlyVaultFacade$1 {
+    collection<T = unknown>(name: string): {
+        get(id: string): Promise<T | null>;
+        list(): Promise<T[]>;
+        query(): Query<T>;
+    };
+}
+/**
+ * Runtime context passed to `check` and `invariant` callbacks.
+ * `existing` is the currently-persisted record (null for inserts).
+ */
+interface GuardContext<T> {
+    existing: T | null;
+    vault: ReadOnlyVaultFacade$1;
+    userId: string;
+    role: Role;
+}
+/**
+ * One {before, after} pair handed to an `invariant` function. `before`
+ * is null for inserts; `after` reflects the proposed post-commit record.
+ */
+interface GuardChange<T> {
+    before: T | null;
+    after: T;
+}
+/** @internal — output of {@link withGuard}. */
+interface GuardStrategyHandle<T extends Record<string, unknown>> {
+    readonly __noydb_strategy: 'guard';
+    readonly spec: GuardStrategy<T>;
+}
+/**
+ * Existential erasure of `GuardStrategyHandle<T>` — used as the
+ * element type of `ReadonlyArray<>` fields where the per-handle T
+ * differs (e.g. `guardStrategies: [invoiceGuard, disbursementGuard]`).
+ *
+ * Background: `GuardStrategyHandle<T>` is INVARIANT in T because T
+ * appears in callback positions on the spec (`check(incoming: T, ctx)`,
+ * `invariant(changes: ReadonlyArray<GuardChange<T>>, ctx)`). So
+ * `Handle<Invoice>` is not assignable to `Handle<Record<string, unknown>>`.
+ * A bounded existential ("there exists some T satisfying the constraint
+ * such that this is a Handle<T>") is the right shape; TypeScript has
+ * no first-class existentials, so we fake it with a structurally narrow
+ * interface that ERASES T from both the discriminant and the spec.
+ *
+ * Consumers continue to construct typed handles via `withGuard<T>(...)`
+ * which returns `GuardStrategyHandle<T>`. Both `Handle<Invoice>` and
+ * `Handle<Disbursement>` structurally assign to `GuardStrategyHandleAny`,
+ * so an array of them is `GuardStrategyHandleAny[]`.
+ *
+ * Internal code that needs T re-narrows via the runtime discriminant
+ * (`__noydb_strategy === 'guard'`) plus per-handle type information
+ * carried by the registry.
+ *
+ * NOT exported from the public barrel — keeping this internal
+ * discourages consumers from constructing it directly. Used only as
+ * the array-element type on `Vault` / `NoydbOptions.guardStrategies`.
+ *
+ * @internal
+ */
+interface GuardStrategyHandleAny {
+    readonly __noydb_strategy: 'guard';
+    readonly spec: GuardStrategy<any>;
+}
+/** Public registration shape. See `withGuard()`. */
+interface GuardStrategy<T extends Record<string, unknown>> {
+    collection: string;
+    /**
+     * Fires on `Collection.put` (insert + update). The `incoming` argument
+     * is the record being written. Throw to cancel the put.
+     *
+     * Does NOT fire on `Collection.delete` — use {@link onDelete} for
+     * delete-time validation. Skipped during an amendment transaction
+     * (`db.transaction({ amendment: true })`) — admin/owner override.
+     */
+    check?: (incoming: T, ctx: GuardContext<T>) => Promise<void> | void;
+    /**
+     * Fires on user-initiated `Collection.delete` before the adapter
+     * delete and before the ledger append. The `existing` argument is
+     * the currently-persisted record. Throw to cancel the delete — no
+     * partial state, no tombstone ledger entry.
+     *
+     * Skipped during an amendment transaction (admin/owner override) —
+     * amendments are the unlock primitive. To make a delete TRULY
+     * unconditional (e.g. legal-document immutability rules), pair
+     * `onDelete` with an `amendment.invariant` that re-throws on any
+     * `before !== null && after === null` change:
+     *
+     * ```ts
+     * withGuard<Receipt>({
+     *   collection: 'receipts',
+     *   onDelete: () => { throw new RecordLockedError(...) },
+     *   amendment: {
+     *     roles: ['admin', 'owner'],
+     *     invariant: (changes) => {
+     *       for (const c of changes) {
+     *         if (c.before !== null && c.after === null) {
+     *           throw new RecordLockedError(...) // wrapped as InvariantError
+     *         }
+     *       }
+     *     },
+     *   },
+     * })
+     * ```
+     *
+     * Also skipped on system-internal deletes (derivation tombstones,
+     * MV refresh from Dim 14 v2) — those use `_internalDelete`
+     * which bypasses every user-facing delete hook. Housekeeping ops are
+     * NOT user-initiated and should not trip user invariants.
+     *
+     * Delete of an absent record is a no-op and does not consult any
+     * guard, matching the idempotent-delete contract.
+     */
+    onDelete?: (existing: T, ctx: GuardContext<T>) => Promise<void> | void;
+    frozenFields?: {
+        when: (existing: T) => boolean;
+        fields: ReadonlyArray<keyof T>;
+    };
+    amendment?: {
+        roles: ReadonlyArray<'admin' | 'owner'>;
+        invariant: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+    };
+}
+
+/**
+ * Commit-time changeset invariants for ordinary transactions.
+ *
+ * Today the only set-level invariant hook is `amendment.invariant`, which
+ * fires solely inside `db.transaction({ amendment: true }, …)` and requires
+ * an admin/owner role plus a registered guard. That is the right shape for
+ * the WORM-override path, but normal application transactions also need
+ * cross-record invariants that hold on every commit — e.g. niwat's
+ * `assertR1` ("every payment is 100% receipted").
+ *
+ * `withTransactions({ invariants: [...] })` registers such invariants. Each
+ * one names a `scope` (a collection) and a `check(changes, ctx)` callback
+ * that receives the commit's change-set for that collection.
+ *
+ * ## Semantics
+ *
+ * - **`scope`** is a collection name. An invariant fires only when the
+ *   committed transaction wrote at least one record in that collection.
+ * - **When** — at commit, AFTER Phase 2 has executed all staged ops (so
+ *   `after` reflects the written record), and after the amendment commit
+ *   phase. It runs for BOTH ordinary and amendment transactions — an
+ *   amendment is still a commit and is still subject to these invariants.
+ * - **`changes`** — one `{ before, after }` pair per touched id (deduped to
+ *   the last write per id, preserving write order). `before` is the
+ *   plaintext prior record (captured in Phase 1 before the overwrite),
+ *   `null` for an insert. `after` is the written record, `null` for a
+ *   delete.
+ * - **Throw → revert.** A throw reverts every executed op (via the shared
+ *   `revertExecuted` unwind) and is surfaced as `InvariantError` (an
+ *   `InvariantError` thrown by the check passes through unwrapped).
+ *
+ * ```ts
+ * createNoydb({ txStrategy: withTransactions({
+ *   invariants: [{
+ *     scope: 'payments',
+ *     check(changes) {
+ *       for (const { after } of changes) {
+ *         const p = after as Payment | null
+ *         if (p && p.receiptAmount !== p.amount) {
+ *           throw new InvariantError('R1: payment not fully receipted')
+ *         }
+ *       }
+ *     },
+ *   }],
+ * }) })
+ * ```
+ */
+
+/**
+ * A commit-time set-level invariant for ordinary (and amendment)
+ * transactions. See module docs for full semantics.
+ */
+interface TransactionInvariant {
+    /**
+     * The collection this invariant watches. The `check` fires only when the
+     * committed transaction wrote at least one record in this collection.
+     */
+    readonly scope: string;
+    /**
+     * Validate the change-set for {@link scope}. `changes` carries one
+     * `{ before, after }` pair per touched id (deduped to last-write,
+     * write-order preserved); `before` is the plaintext prior record (null
+     * on insert), `after` is the written record (null on delete). Throw to
+     * revert the whole transaction — the throw is surfaced as
+     * `InvariantError`.
+     */
+    check: (changes: ReadonlyArray<GuardChange<unknown>>, ctx: GuardContext<unknown>) => Promise<void> | void;
+}
+
 /**
  * Multi-record atomic transactions.
  *
@@ -5088,7 +5248,7 @@ declare class TxCollection<T> {
  * helper) so nested side-effect derivation writes get registered for
  * revert alongside the bulk-put source ops.
  */
-declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
+declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions, txInvariants?: ReadonlyArray<TransactionInvariant>): Promise<T>;
 
 /**
  * Dry-run transactions. Runs the tx body to STAGE ops, then builds
@@ -5535,6 +5695,7 @@ declare class Noydb {
     private readonly policyEnforcers;
     private readonly vaultTemplates;
     private readonly txStrategy;
+    private readonly forgetStrategy;
     private readonly sessionStrategy;
     private readonly syncStrategy;
     private readonly snapshotStrategy;
@@ -5559,6 +5720,8 @@ declare class Noydb {
     /** Audit log for all translator invocations in this session. Cleared on `close()`. */
     private readonly _translatorAuditLog;
     constructor(options: NoydbOptions);
+    /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+    get _forgetStrategy(): ForgetStrategy;
     private resetSessionTimer;
     /**
      * Attach a policy enforcer for a vault.
@@ -6654,145 +6817,12 @@ declare function loadActiveDelegations(store: NoydbStore, vault: string, user: U
 declare function revokeDelegation(store: NoydbStore, vault: string, id: string): Promise<void>;
 
 /**
- * Minimum read surface exposed to guard `check` functions. Intentionally
- * narrow — guards can read other collections but never write.
- *
- * `query()` returns the same chainable builder used elsewhere. `Query<T>`
- * has no write terminals (no `.update()` / `.delete()`) so exposing it
- * here preserves the read-only contract while letting guards aggregate
- * with `.where().aggregate()` / `.groupBy()` / `.join()` instead of
- * decrypting every sibling row via `.list()`.
- */
-interface ReadOnlyVaultFacade$1 {
-    collection<T = unknown>(name: string): {
-        get(id: string): Promise<T | null>;
-        list(): Promise<T[]>;
-        query(): Query<T>;
-    };
-}
-/**
- * Runtime context passed to `check` and `invariant` callbacks.
- * `existing` is the currently-persisted record (null for inserts).
- */
-interface GuardContext<T> {
-    existing: T | null;
-    vault: ReadOnlyVaultFacade$1;
-    userId: string;
-    role: Role;
-}
-/**
- * One {before, after} pair handed to an `invariant` function. `before`
- * is null for inserts; `after` reflects the proposed post-commit record.
- */
-interface GuardChange<T> {
-    before: T | null;
-    after: T;
-}
-/** @internal — output of {@link withGuard}. */
-interface GuardStrategyHandle<T extends Record<string, unknown>> {
-    readonly __noydb_strategy: 'guard';
-    readonly spec: GuardStrategy<T>;
-}
-/**
- * Existential erasure of `GuardStrategyHandle<T>` — used as the
- * element type of `ReadonlyArray<>` fields where the per-handle T
- * differs (e.g. `guardStrategies: [invoiceGuard, disbursementGuard]`).
- *
- * Background: `GuardStrategyHandle<T>` is INVARIANT in T because T
- * appears in callback positions on the spec (`check(incoming: T, ctx)`,
- * `invariant(changes: ReadonlyArray<GuardChange<T>>, ctx)`). So
- * `Handle<Invoice>` is not assignable to `Handle<Record<string, unknown>>`.
- * A bounded existential ("there exists some T satisfying the constraint
- * such that this is a Handle<T>") is the right shape; TypeScript has
- * no first-class existentials, so we fake it with a structurally narrow
- * interface that ERASES T from both the discriminant and the spec.
- *
- * Consumers continue to construct typed handles via `withGuard<T>(...)`
- * which returns `GuardStrategyHandle<T>`. Both `Handle<Invoice>` and
- * `Handle<Disbursement>` structurally assign to `GuardStrategyHandleAny`,
- * so an array of them is `GuardStrategyHandleAny[]`.
- *
- * Internal code that needs T re-narrows via the runtime discriminant
- * (`__noydb_strategy === 'guard'`) plus per-handle type information
- * carried by the registry.
- *
- * NOT exported from the public barrel — keeping this internal
- * discourages consumers from constructing it directly. Used only as
- * the array-element type on `Vault` / `NoydbOptions.guardStrategies`.
- *
- * @internal
- */
-interface GuardStrategyHandleAny {
-    readonly __noydb_strategy: 'guard';
-    readonly spec: GuardStrategy<any>;
-}
-/** Public registration shape. See `withGuard()`. */
-interface GuardStrategy<T extends Record<string, unknown>> {
-    collection: string;
-    /**
-     * Fires on `Collection.put` (insert + update). The `incoming` argument
-     * is the record being written. Throw to cancel the put.
-     *
-     * Does NOT fire on `Collection.delete` — use {@link onDelete} for
-     * delete-time validation. Skipped during an amendment transaction
-     * (`db.transaction({ amendment: true })`) — admin/owner override.
-     */
-    check?: (incoming: T, ctx: GuardContext<T>) => Promise<void> | void;
-    /**
-     * Fires on user-initiated `Collection.delete` before the adapter
-     * delete and before the ledger append. The `existing` argument is
-     * the currently-persisted record. Throw to cancel the delete — no
-     * partial state, no tombstone ledger entry.
-     *
-     * Skipped during an amendment transaction (admin/owner override) —
-     * amendments are the unlock primitive. To make a delete TRULY
-     * unconditional (e.g. legal-document immutability rules), pair
-     * `onDelete` with an `amendment.invariant` that re-throws on any
-     * `before !== null && after === null` change:
-     *
-     * ```ts
-     * withGuard<Receipt>({
-     *   collection: 'receipts',
-     *   onDelete: () => { throw new RecordLockedError(...) },
-     *   amendment: {
-     *     roles: ['admin', 'owner'],
-     *     invariant: (changes) => {
-     *       for (const c of changes) {
-     *         if (c.before !== null && c.after === null) {
-     *           throw new RecordLockedError(...) // wrapped as InvariantError
-     *         }
-     *       }
-     *     },
-     *   },
-     * })
-     * ```
-     *
-     * Also skipped on system-internal deletes (derivation tombstones,
-     * MV refresh from Dim 14 v2) — those use `_internalDelete`
-     * which bypasses every user-facing delete hook. Housekeeping ops are
-     * NOT user-initiated and should not trip user invariants.
-     *
-     * Delete of an absent record is a no-op and does not consult any
-     * guard, matching the idempotent-delete contract.
-     */
-    onDelete?: (existing: T, ctx: GuardContext<T>) => Promise<void> | void;
-    frozenFields?: {
-        when: (existing: T) => boolean;
-        fields: ReadonlyArray<keyof T>;
-    };
-    amendment?: {
-        roles: ReadonlyArray<'admin' | 'owner'>;
-        invariant: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
-    };
-}
-
-/**
- * Runtime context handed to `derive(source, ctx)`. Mirrors `GuardContext`'s
- * narrow shape: read-only vault access, no write capability, no
- * transaction handle. Determinism is the consumer's responsibility — the
- * strategy hash includes `derive.toString()`, so the source string fixes
- * the function's inputs; whatever sibling reads `derive` performs must
- * yield the same outputs for the same source.
+ * Runtime context handed to `derive(source, ctx)`. Mirrors `GuardContext`'s
+ * narrow shape: read-only vault access, no write capability, no
+ * transaction handle. Determinism is the consumer's responsibility — the
+ * strategy hash includes `derive.toString()`, so the source string fixes
+ * the function's inputs; whatever sibling reads `derive` performs must
+ * yield the same outputs for the same source.
  */
 interface DerivationContext {
     vault: ReadOnlyVaultFacade$1;
@@ -6886,6 +6916,32 @@ type OutputSpec = RecordOutputSpec | ArrayOutputSpec;
 interface DerivationStrategy<TSource extends Record<string, unknown>, TOutputs extends Record<string, Record<string, unknown>>> {
     /** Source collection name. */
     source: string;
+    /**
+     * Additional collections whose writes ALSO re-fire this derivation
+     * (issue #344). By default only writes to the single declared
+     * `source` re-trigger a derivation; a `derive` that reads sibling
+     * collections via `ctx.vault` therefore goes stale when those
+     * siblings change. Declare those sibling collections here to wire
+     * them as extra triggers.
+     *
+     * **SAME-ID assumption (load-bearing):** when a write lands on one of
+     * these declared collections, the derivation re-fires with the
+     * PRIMARY `source` record read at the SAME id as the written record
+     * — NOT the written sibling record itself. If no primary `source`
+     * record exists at that id, the re-fire is a silent no-op (no throw,
+     * no output mutation). Model your collections so the sibling and the
+     * primary share an id (the common money/accounting case: an
+     * `allocations` row and its `payments`/`bills` keyed by the same id),
+     * or trigger off a collection you control the id-space of.
+     *
+     * Declared collections participate in cycle detection and are indexed
+     * in the registry's `_bySource` exactly like `source`, so a sibling
+     * that is also a derivation output forms a detectable cycle.
+     *
+     * Each entry must be a non-empty string and must not equal `source`
+     * (validated at `withDerivation()` construction time).
+     */
+    sources?: ReadonlyArray<string>;
     /** v1: only deterministic derivations supported. */
     deterministic: true;
     /**
@@ -7053,8 +7109,39 @@ interface UnionSource<TRow extends Record<string, unknown>> {
      * unified stream and never reaches `groupBy` / `aggregate`. This
      * removes the need for sentinel rows (e.g. `{ amount: 0 }`) whose
      * sole purpose is to be aggregated away (#297).
+     *
+     * When this arm declares {@link join}, the aliased right-side
+     * record(s) are attached to the source row under each leg's `as`
+     * BEFORE `map` runs, so `map` can read `sourceRow[leg.as]`.
      */
     readonly map: (sourceRow: Record<string, unknown>) => TRow | null | undefined;
+    /**
+     * Optional FK joins to apply to this arm's rows before {@link map}.
+     * Each leg resolves a `ref()`-declared foreign key on the arm's
+     * source collection into an attached right-side record under
+     * `as` — the same machinery as the query-form `Query.join()`.
+     *
+     * The right-side collections must be listed in the strategy's
+     * {@link MaterializedViewStrategy.sources} so writes to them trigger
+     * MV refresh — registration throws `MaterializedViewConfigError`
+     * otherwise (the union dependency set comes from arm `collection`s
+     * alone, which would not include join targets).
+     */
+    readonly join?: ReadonlyArray<UnionArmJoin>;
+}
+/**
+ * One FK join leg on a UNION arm. Mirrors the option shape of the
+ * query-form `Query.join(field, { as, maxRows?, strategy? })`.
+ */
+interface UnionArmJoin {
+    /** FK field on the arm's source collection (must have a `ref()` declared). */
+    readonly field: string;
+    /** Alias under which the resolved right-side record attaches on the source row. */
+    readonly as: string;
+    /** Per-side row ceiling override. `undefined` → the join default. */
+    readonly maxRows?: number;
+    /** Planner strategy override. `undefined` → auto-select. */
+    readonly strategy?: JoinStrategy;
 }
 /**
  * Registration shape passed to `withMaterializedView()`.
@@ -7126,6 +7213,25 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      * UNION-mode only. Ignored if {@link query} is set.
      */
     aggregate?: AggregateSpec;
+    /**
+     * Money descriptors for the UNION-mode aggregate, keyed by the
+     * OUTPUT/intermediate field name as it appears in the mapped row and
+     * in {@link aggregate} (NOT the source collection's field name). When
+     * declared, any `sum` / `min` / `max` over a keyed field is rewritten
+     * into an exact per-currency BigInt reducer — without this, money
+     * aggregation in UNION mode silently runs in float (since the
+     * concatenated mapped stream is a plain array with no collection
+     * money context to inherit).
+     *
+     * UNION-mode only — the query form inherits its money descriptors
+     * from the source collection automatically. The descriptor's
+     * currency/scale must match what the arms' `map()` emits for that
+     * field (each arm maps into the same unified shape, so one descriptor
+     * per output field covers all arms). Meaningless without
+     * {@link aggregate}; registration throws `MaterializedViewConfigError`
+     * if declared alone.
+     */
+    moneyFields?: Record<string, MoneyDescriptor>;
     /**
      * Pure function from a materialized row → stable id used in the
      * output collection. Required — explicit always beats default-with-pitfalls
@@ -7322,6 +7428,50 @@ interface OverlayedViewStrategy {
      */
     shadowField: string;
     shadowValue: unknown;
+    /**
+     * Optional field-level merge mode (AU+032 / #348). When present, a
+     * row whose `shadowField` does NOT equal `shadowValue` is no longer
+     * forced all-base: the rules below let an intermediate status pull a
+     * declared subset of fields from the overlay while every other field
+     * still comes from the base row.
+     *
+     * Absent `mergeMode` preserves the original binary behaviour
+     * exactly — overlay wins entirely iff `shadowField === shadowValue`,
+     * otherwise base wins.
+     */
+    mergeMode?: OverlayFieldMergeMode;
+}
+/**
+ * One field-level merge rule. When the overlay row's `shadowField`
+ * equals `whenStatus`, the merged row takes `overlayFields` from the
+ * overlay and every other field from the base row.
+ *
+ * Always include `shadowField` in `overlayFields` so the status value
+ * itself propagates to the merged read (otherwise the merged row would
+ * carry the base's status, which is usually `undefined`).
+ */
+interface OverlayFieldMergeRule {
+    /** The `overlay[shadowField]` value this rule matches. */
+    readonly whenStatus: unknown;
+    /**
+     * Field names pulled from the overlay row when this rule matches.
+     * Fields absent on the overlay row are skipped (base value kept).
+     */
+    readonly overlayFields: readonly string[];
+}
+/**
+ * Field-level merge configuration. `rules` are evaluated in
+ * declaration order and the FIRST rule whose `whenStatus` matches the
+ * overlay's `shadowField` wins; later rules are not consulted.
+ *
+ * The binary shadow check (`shadowField === shadowValue` → overlay
+ * wins entirely) is always the implicit, highest-priority rule applied
+ * BEFORE any `rules` entry, so adding `mergeMode` never changes the
+ * full-override path.
+ */
+interface OverlayFieldMergeMode {
+    readonly kind: 'field-merge';
+    readonly rules: readonly OverlayFieldMergeRule[];
 }
 /** Returned by `withOverlayedView()` and consumed by `createNoydb`. */
 interface OverlayedViewStrategyHandle {
@@ -7398,11 +7548,53 @@ interface NextOptions {
     /** Deferred mode: reject after this many ms if still unsealed (reserved; not yet enforced in this slice). */
     readonly timeoutMs?: number;
 }
+/**
+ * Partitioning for a CAS sequence (#345). A partitioned sequence is an
+ * independent counter scoped to one tuple of values — e.g.
+ * `sequence('invoice', { partition: [2026, 'EU'] })` numbers EU-2026 invoices
+ * separately from `[2026, 'US']` and from the bare `invoice` series.
+ *
+ * Partition components are URI-encoded (so `/`, null bytes and other
+ * separators in a value can never collide with the structural separators) and
+ * `'/'`-joined, then appended to the series with a null-byte (`\x00`)
+ * separator. The null byte is illegal in a plain series name, which guarantees
+ * a partitioned key is always disjoint from any unpartitioned series.
+ */
+interface SequenceOptions {
+    /** Partition tuple. Each component is URI-encoded and `'/'`-joined. */
+    readonly partition?: readonly (string | number)[];
+}
+/**
+ * Resolve the CAS storage key for a (series, partition) pair.
+ *
+ * With no partition the key is `series` verbatim. With a partition the key is
+ * `${series}\x00${parts}` where `parts` is each component passed through
+ * `encodeURIComponent(String(part))` and `'/'`-joined. The null-byte separator
+ * is illegal in a plain series name, so partitioned keys never collide with
+ * unpartitioned ones; URI-encoding keeps any component containing `/` distinct
+ * from a multi-component partition.
+ *
+ * @throws {ValidationError} if any partition component is empty after `String()`
+ *   or is a non-finite number (`NaN`, `±Infinity`).
+ */
+declare function resolveSequenceKey(series: string, opts?: SequenceOptions): string;
 interface SequenceHandle {
     /** Atomically allocate and return the next value (1, 2, 3, …). Deferred series resolve at the next pass. */
     next(opts?: NextOptions): Promise<number>;
     /** Read the current value without allocating. Returns 0 if never used. */
     peek(): Promise<number>;
+    /**
+     * Set-if-greater: advance the counter to at least `n`. A no-op if the
+     * current value is already `>= n` (so it never rewinds), and `seedTo(0)` is
+     * a no-op. Idempotent and CAS-safe under concurrent `next()` / `seedTo()`.
+     *
+     * Use after a bundle / CSV import to fast-forward the counter past the
+     * highest imported serial, so subsequent `next()` calls cannot re-use a
+     * number that is already on a record.
+     *
+     * Online-only: throws {@link SequenceOfflineError} on a non-CAS store.
+     */
+    seedTo(n: number): Promise<void>;
 }
 declare class SequenceStore {
     private readonly adapter;
@@ -7433,6 +7625,7 @@ declare class SequenceStore {
     private encryptState;
     peek(name: string): Promise<number>;
     next(name: string): Promise<number>;
+    seedTo(name: string, n: number): Promise<void>;
 }
 
 /**
@@ -7528,6 +7721,287 @@ declare class ReadOnlyVaultFacade implements ReadOnlyVaultFacade$1 {
     };
 }
 
+/**
+ * Managed-passphrase mode — rubber-hose-resistant vaults.
+ *
+ * A vault mode where the passphrase is machine-generated and never
+ * exposed to the user, sealed under a developer-provided
+ * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
+ * Manager, libsecret, AWS KMS, …). The user has no secret to give
+ * up to coercion — they can't reveal what they don't know.
+ *
+ * ## Components in this file
+ *
+ *   - {@link SealingKeyProvider} — the interface concrete providers
+ *     implement. Provider implementations live OUTSIDE hub (per-
+ *     platform packages).
+ *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
+ *     a deterministic per-instance "key" so two providers with
+ *     different ids cannot unseal each other's outputs.
+ *   - {@link RecipientHint} — public material a sender uses to seal
+ *     plaintext for a specific recipient; published by
+ *     {@link RecipientSealer.publishRecipientHint} and transported
+ *     out-of-band to the sender before bundle writes.
+ *   - {@link RecipientSealer} — interface for asymmetric/granted
+ *     providers that support recipient-target sealing (RSA-OAEP,
+ *     cloud-KMS asymmetric, etc.); distinct from self-only
+ *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
+ *   - {@link MemoryRecipientSealer} — in-process reference
+ *     implementation of both `RecipientSealer` and
+ *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
+ *     safe for tests and same-process sender/recipient scenarios.
+ *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
+ *     plaintext envelope storage at `_meta/sealed-passphrase`.
+ *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
+ *     GCM-bypassed patterns. The sealing layer (provider's job)
+ *     is the security boundary; hub doesn't have a key to encrypt
+ *     with at this layer — that's the whole point of the design.
+ *   - {@link resolveManagedSecret} — orchestrates the "generate +
+ *     seal + persist on first open; unseal on reopen" flow.
+ *     Returns the plaintext passphrase string that the rest of the
+ *     `createNoydb` keyring path consumes.
+ *
+ * Deferred to follow-ups:
+ *   - Block `rotate-passphrase` policy gate under managed mode.
+ *   - Mandatory strong-recovery enforcement.
+ *   - Recovery flow under managed mode (generates fresh sealed phrase).
+ *
+ * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
+ *
+ * @module
+ */
+
+/**
+ * The contract concrete providers (per-platform key stores) implement
+ * to seal and unseal a hub-generated random passphrase. The plaintext
+ * passphrase NEVER leaves hub-controlled memory in unsealed form —
+ * the provider receives the bytes, returns opaque sealed bytes, and
+ * later reverses the operation. Hub treats the sealed bytes as
+ * fully opaque.
+ *
+ * Implementations live OUTSIDE `@noy-db/hub` (separate packages
+ * per the issue's "Concrete providers (live outside hub)" note):
+ *
+ * | Platform | Package (TBD) | Backing |
+ * |---|---|---|
+ * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
+ * | Windows | `@noy-db/seal-wincred` | Credential Manager |
+ * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
+ * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
+ */
+interface SealingKeyProvider {
+    /**
+     * Non-sensitive identifier disclosed in the persisted envelope.
+     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
+     * a vault opened with the wrong provider class can detect the
+     * mismatch and surface a clear error. NOT secret — fine to log.
+     *
+     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
+     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
+     * parses this; it's purely audit metadata.
+     */
+    readonly id: string;
+    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
+     * any other failure — hub treats a thrown error as "this provider
+     * cannot unlock this vault" and surfaces it to the caller.
+     */
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * In-memory test provider. NOT secure — uses a deterministic
+ * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
+ * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
+ * sufficient to make different `id` values produce mutually-unsealable
+ * outputs (the contract tests for that), but offers ZERO real
+ * confidentiality — never use outside tests.
+ *
+ * Replace with a real platform provider in production.
+ */
+declare class MemorySealingKeyProvider implements SealingKeyProvider {
+    readonly id: string;
+    private readonly fingerprint;
+    private readonly keyBytes;
+    constructor(opts: {
+        id: string;
+    });
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * Public material a sender uses to seal-for-this-recipient. Published by
+ * a recipient's RecipientSealer; transported to the sender out-of-band
+ * (email, S3, in-app message). The sender obtains the hint, supplies it
+ * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
+ * hub seals each user's credential against it. Per foundation §11.4.
+ */
+type RecipientHint = {
+    readonly v: 1;
+    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
+    readonly pid: string;
+    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
+    readonly alg: 'rsa-oaep-sha256';
+    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
+    readonly material: Readonly<Record<string, unknown>>;
+};
+/**
+ * Handover-capable provider. Implemented additionally by asymmetric/granted
+ * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
+ * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
+ * implement this — the §11.2 capability matrix lives in the type system.
+ *
+ * Per foundation §11.4. A function that requires recipient-target sealing
+ * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
+ * passing a self-only provider at the spec site.
+ */
+interface RecipientSealer {
+    readonly id: string;
+    /** Produce hint material a sender uses to seal-for-this-recipient. */
+    publishRecipientHint(): Promise<RecipientHint>;
+    /**
+     * Seal plaintext for the recipient described by `hint`. Returns opaque
+     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
+     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
+     * without inspecting them.
+     */
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+}
+/**
+ * Shared RSA-OAEP-SHA256 + AES-GCM seal in the canonical recipient-target
+ * TLV wire format. Mints a fresh 32-byte CEK, AES-GCM-encrypts `plaintext`
+ * under it, RSA-OAEP-SHA256-wraps the CEK to `publicKeyPem`, and packs:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * This is the single source of truth for the wire format — both
+ * {@link MemoryRecipientSealer} and external sealers (e.g. `@noy-db/at-aws-kms`'s
+ * asymmetric-KMS recipient sealer) call it so a blob sealed by one unseals
+ * by the other. WebCrypto RSA-OAEP/SHA-256 here is wire-compatible with
+ * AWS KMS `RSAES_OAEP_SHA_256` (both RSAES-OAEP, SHA-256 hash, MGF1-SHA256,
+ * empty label).
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function sealRsaOaepTlv(plaintext: Uint8Array, publicKeyPem: string): Promise<Uint8Array>;
+/**
+ * Parse a {@link sealRsaOaepTlv} blob into its three segments without
+ * decrypting. The `wrapped` CEK is RSA-OAEP-SHA256 ciphertext over a
+ * 32-byte CEK — the unwrap step is pluggable: {@link MemoryRecipientSealer}
+ * decrypts it with a local RSA private key; `@noy-db/at-aws-kms` hands it to
+ * KMS `Decrypt`. After unwrapping, pass the CEK + `iv` + `ct` to
+ * {@link aesGcmOpen}.
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function parseRsaOaepTlv(bytes: Uint8Array): {
+    wrapped: Uint8Array;
+    iv: Uint8Array;
+    ct: Uint8Array;
+};
+/**
+ * AES-GCM-decrypt the `ct` segment of a {@link parseRsaOaepTlv} result under
+ * the unwrapped 32-byte CEK and its `iv`. Throws on a bad tag (tamper) — the
+ * same authenticated-decryption guarantee the TLV relies on.
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function aesGcmOpen(cekBytes: Uint8Array, iv: Uint8Array, ct: Uint8Array): Promise<Uint8Array>;
+/**
+ * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
+ * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
+ * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
+ * result into a self-describing TLV:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
+ * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
+ * for tests where one provider plays both ends. Real cloud providers
+ * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
+ * contract is round-trip identity.
+ *
+ * SAFE for production within its scope — the cryptography is real
+ * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
+ * and is regenerated on every construction. Not suitable as a managed
+ * keychain; use it for tests and for shipping bundles where the
+ * recipient instance lives in the same process as the sender (rare).
+ */
+declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
+    readonly id: string;
+    private readonly keypair;
+    constructor(opts: {
+        id: string;
+    });
+    publishRecipientHint(): Promise<RecipientHint>;
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    unseal(bytes: Uint8Array): Promise<Uint8Array>;
+}
+/** Reserved id for the managed-passphrase envelope under `_meta`. */
+declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
+/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
+interface SealedPassphrase {
+    readonly _noydb_sealed: 1;
+    readonly providerId: string;
+    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
+    readonly sealed: Uint8Array;
+}
+/**
+ * Wire-format envelope persisted at `_meta/sealed-passphrase` for
+ * managed-mode vaults. The provider produces raw sealed bytes via
+ * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
+ * metadata hub needs to pick the right provider on the unseal path.
+ *
+ * Stability boundary: once shipped, the wire format only grows by
+ * adding optional fields. See the at-* sealing dimension foundation
+ * doc, §11.9.1.
+ *
+ * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
+ *
+ * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
+ * — accepted on read for backwards compatibility; never produced on
+ * write going forward.
+ */
+interface SealedEnvelope {
+    /** Envelope schema version. v1 is the current shape. */
+    readonly v: 1;
+    /** Magic marker for forensics + legacy-shape detection. */
+    readonly _noydb_sealed: 1;
+    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
+    readonly pid: string;
+    /** Sealed bytes from the provider, base64-encoded on the wire. */
+    readonly payload: string;
+}
+/**
+ * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
+ * in-memory {@link SealedPassphrase} representation. Accepts both:
+ *
+ *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
+ *      the current shape.
+ *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
+ *      read-only; never written
+ *      going forward.
+ *
+ * Returns `undefined` for any input that doesn't match either shape,
+ * so callers can fall back to "no managed-mode envelope present."
+ *
+ * @internal — exported only for the migration safety-net test suite.
+ */
+declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
+declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
+    readonly providerId: string;
+    readonly sealed: Uint8Array;
+}): Promise<void>;
+declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
+
 /**
  * `vault.exportBlobs()` — bulk blob extraction primitive.
  *
@@ -8406,6 +8880,7 @@ declare class Vault {
     private readonly periodsStrategy;
     private readonly shadowStrategy;
     private readonly historyStrategy;
+    private readonly forgetStrategy;
     private readonly i18nStrategy;
     private readonly syncStrategy;
     /**
@@ -8567,6 +9042,27 @@ declare class Vault {
      * Populated by `collection()` when the `dictKeyFields` option is passed.
      */
     private readonly dictKeyFieldRegistry;
+    /**
+     * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+     * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+     * vault must still *know* a name is static so `vault.dictionary(name)` can
+     * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+     * config time whenever a `StaticDictDescriptor` is seen.
+     */
+    private readonly staticDictNames;
+    /**
+     * Static-dict descriptors keyed by dictionary name (#291). Backs the
+     * read-path label resolver (resolve from the in-memory table) and the
+     * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+     * name is registered by multiple collections (identical-across-vaults by
+     * construction, so the tables match).
+     */
+    private readonly staticByName;
+    /**
+     * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+     * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+     */
+    private readonly staticDescriptorByField;
     /**
      * Registry of i18nText fields declared across all collections. Keyed
      * by collection name → field name → I18nTextDescriptor. Used by
@@ -8626,6 +9122,7 @@ declare class Vault {
         syncStrategy?: SyncStrategy | undefined;
         guardStrategies?: ReadonlyArray<GuardStrategyHandleAny> | undefined;
         numberingConfigs?: ReadonlyArray<DeferredNumberingConfig> | undefined;
+        forgetStrategy?: ForgetStrategy | undefined;
     });
     /**
      * Construct (or reconstruct) the lazy DEK resolver. Captures the
@@ -8675,8 +9172,8 @@ declare class Vault {
         refs?: Record<string, RefDescriptor>;
         /** — declare i18nText fields for locale-aware reads. */
         i18nFields?: Record<string, I18nTextDescriptor>;
-        /** — declare dictKey fields for label resolution on reads. */
-        dictKeyFields?: Record<string, DictKeyDescriptor>;
+        /** — declare dictKey / staticDict fields for label resolution on reads. */
+        dictKeyFields?: Record<string, DictKeyDescriptor | StaticDictDescriptor>;
         /** — declare money() fields for currency-safe decimal storage/formatting. */
         moneyFields?: Record<string, MoneyDescriptor>;
         /** — declare computed scalar fields, evaluated on write (schema-owned). */
@@ -8693,6 +9190,14 @@ declare class Vault {
         deterministicFields?: readonly string[];
         /** — explicit ack that deterministic encryption leaks equality. */
         acknowledgeDeterministicRisk?: boolean;
+        /**
+         * — per-record content-encryption keys. When `true`, every record
+         * body is encrypted under a fresh per-record CEK wrapped under the
+         * collection DEK (`_cek`), stable across versions. Foundation for
+         * per-record erasure (#304) / record-scoped sealing (#306). Off by
+         * default; non-adopting collections take the legacy path unchanged.
+         */
+        perRecordKeys?: boolean;
         /**
          * declarative blob retention / TTL policy per slot
          * name. Values are `{ retainDays?, evictWhen? }`. Evaluated only
@@ -8779,6 +9284,14 @@ declare class Vault {
      * `MissingTranslationError` when a required translation is absent.
      */
     enforceI18nOnPut(collectionName: string, record: unknown): void;
+    /**
+     * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+     * field, every stored code must be a declared key of the descriptor's
+     * table, else `UnknownDictCodeError`. Opt out per descriptor with
+     * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+     * field paths via `getAtPath` (same path support as i18n validation).
+     */
+    enforceStaticDictOnPut(collectionName: string, record: unknown): void;
     /**
      * Apply locale resolution to a record for the given collection.
      *
@@ -8961,7 +9474,7 @@ declare class Vault {
      * const cur = await vault.sequence('invoice-2026').peek()  // current value, no allocation
      * ```
      */
-    sequence(name: string): SequenceHandle;
+    sequence(series: string, opts?: SequenceOptions): SequenceHandle;
     /** @internal — lazily build the deferred-numbering engine with a cache-coherent stamp. */
     private deferred;
     /**
@@ -9119,6 +9632,102 @@ declare class Vault {
      * throws on null; this one stays silent so the off-path no-ops.
      */
     private getLedgerOrNull;
+    /** @internal — add a subject→record ref to the encrypted subject index. */
+    _addSubjectRef(subjectId: string, ref: SubjectRef): Promise<void>;
+    /** @internal — drop a subject→record ref from the encrypted subject index. */
+    _removeSubjectRef(subjectId: string, ref: SubjectRef): Promise<void>;
+    /**
+     * Rebuild the encrypted subject index from canonical records. The recovery
+     * path for the documented read-modify-write race (RISK #3). Returns the
+     * number of distinct subjects re-indexed.
+     */
+    rebuildSubjectIndex(): Promise<number>;
+    /**
+     * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+     * index and, per matching record:
+     *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+     *   - tombstones every `_history` version of the record,
+     * so the body and all prior versions become permanently undecryptable while
+     * the collection DEK and every OTHER record stay intact. Then appends ONE
+     * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+     * the chain still `verify()`s, PROVING the subject existed and was erased
+     * without retaining any plaintext.
+     *
+     * Reports — but does not silently swallow — two completeness gaps:
+     *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+     *     per-record CEK (legacy body still under the shared collection DEK). It
+     *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+     *     backup before migration) stays decryptable. Migrate, then re-forget.
+     *   - `blobResidueCollections`: a shredded record still has blob attachments,
+     *     which are keyed off a separate `_blob` DEK and are out of scope here.
+     *
+     * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+     */
+    forget(subjectId: string): Promise<ForgetResult>;
+    /**
+     * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+     * host — and only that host — can decrypt exactly that record, with no
+     * access to the vault DEK and no ability to read any other record.
+     *
+     * The grantor (this caller, who holds the collection DEK) reads the record's
+     * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+     * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+     * seals that binding for the recipient host via the host's published hint,
+     * and persists a thin {@link SealedCekDeliveryEnvelope} at
+     * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+     * envelope) is the security boundary: the host re-verifies `{collection, id}`
+     * and `expiresAt` from inside the sealed payload.
+     *
+     * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+     * seal (its body is under the shared collection DEK, which is never exposed
+     * by sealing) → {@link RecordCekNotFoundError}.
+     *
+     * @param collection Collection holding the record.
+     * @param id         Record id.
+     * @param hostSealer The recipient host's {@link RecipientSealer}.
+     * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+     *   the binding the host verifies.
+     * @returns `{ pid, envelopeKey }` — the host provider id and the
+     *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+     */
+    sealRecordToHost(collection: string, id: string, hostSealer: RecipientSealer, opts: {
+        expiresAt: string;
+    }): Promise<{
+        pid: string;
+        envelopeKey: string;
+    }>;
+    /**
+     * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+     * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+     * that already fetched the envelope keeps whatever it cached. For a hard
+     * revocation that makes the live record undecryptable to every prior grant,
+     * use {@link rotateRecordCek}.
+     */
+    revokeSealedRecord(collection: string, id: string, pid: string): Promise<void>;
+    /**
+     * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+     * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+     * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+     * record. After this, any host holding a previously-sealed CEK can still
+     * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+     * the rotated live record (its body is under the new CEK → the old CEK fails
+     * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+     * old grants lose the live record.
+     *
+     * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+     * history snapshot, no materialized-view refresh): rotation is a key-rotation
+     * operation, not a business write, and must not version-bump history (which
+     * would re-encrypt the prior version under the NEW CEK and defeat the point).
+     *
+     * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+     */
+    rotateRecordCek(collection: string, id: string): Promise<void>;
+    /**
+     * Build the {@link SealingContext} the record-keys grantor functions need:
+     * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+     * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+     */
+    private sealingContext;
     /**
      * @internal — called by `Noydb.openVault` after construction.
      * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -10111,6 +10720,25 @@ declare class Collection<T> {
      * is inactive for this collection; a frozen `Set` otherwise.
      */
     private readonly deterministicFields;
+    /**
+     * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+     * reuse a per-record content-encryption key and stamp `_cek` on the
+     * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+     * non-adopting collection takes the byte-identical legacy path. The READ
+     * path does not consult this flag: `_cek` presence on the envelope is the
+     * format discriminant, so a mixed vault (and a recipient that never set the
+     * flag) still decrypts CEK records.
+     */
+    private readonly perRecordCek;
+    /**
+     * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+     * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+     * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+     * collection instance is discarded — `vault.load()` clears the
+     * collectionCache, so a keyring refresh drops every CEK alongside the
+     * DEK cache. `null` unless `perRecordCek` is set.
+     */
+    private readonly cekCache;
     /**
      * declared tiers for this collection. `null` when
      * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -10331,7 +10959,7 @@ declare class Collection<T> {
         /** — i18nText field descriptors for locale-aware reads. */
         i18nFields?: Record<string, I18nTextDescriptor> | undefined;
         /** — dictKey field descriptors for label resolution on reads. */
-        dictKeyFields?: Record<string, DictKeyDescriptor> | undefined;
+        dictKeyFields?: Record<string, DictKeyDescriptor | StaticDictDescriptor> | undefined;
         moneyFields?: Record<string, MoneyDescriptor> | undefined;
         computed?: ComputedFields | undefined;
         /**
@@ -10414,6 +11042,15 @@ declare class Collection<T> {
          * any deterministic field is declared. Any other value throws.
          */
         acknowledgeDeterministicRisk?: boolean | undefined;
+        /**
+         * Per-record content-encryption keys. When `true`, every record body
+         * (and every history version of it) is encrypted under a fresh
+         * per-record CEK, AES-KW-wrapped under the collection DEK and stored
+         * on the envelope's `_cek`. Off by default. Foundation for per-record
+         * erasure (#304) and record-scoped sealing (#306). `_det` slots stay
+         * keyed to the collection DEK regardless.
+         */
+        perRecordKeys?: boolean | undefined;
         /**
          * declared tiers this collection supports. An
          * undefined or empty list disables the hierarchical-tier surface
@@ -10633,6 +11270,37 @@ declare class Collection<T> {
      */
     _internalDelete(id: string, txCtx?: TxContext | null): Promise<void>;
     private _doDelete;
+    /**
+     * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+     *
+     * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+     * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+     * the body — and (via {@link tombstoneHistory}) every history version under
+     * the same CEK — is permanently undecryptable; the collection DEK and every
+     * other record are untouched. `_det` is stripped too, so `findByDet` no
+     * longer matches the shredded record (avoiding a post-shred TamperedError).
+     *
+     * Unlike `delete()`/`_internalDelete`, this:
+     *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+     *     erasure, not a domain delete — re-running those would be wrong),
+     *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+     *     single `op:'forget'` summary for the whole subject),
+     *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+     *     so the version counter + "record existed" survive for audit.
+     *
+     * Idempotent: returns `null` when the record is absent or already a tombstone.
+     * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+     * lazy LRU, and the per-record CEK cache for this id.
+     */
+    /**
+     * @internal — decrypt an envelope to a plain record for subject-index
+     * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+     * Skips schema validation — the rebuild only reads the subject field.
+     */
+    _decodeEnvelope(envelope: EncryptedEnvelope, id: string): Promise<Record<string, unknown> | null>;
+    _writeTombstone(id: string, actor: string): Promise<{
+        previousVersion: number;
+    } | null>;
     /**
      * Cascade deletes of array-shape derived rows when a source row is
      * deleted. Reads each registered strategy's fanout sidecar
@@ -10934,6 +11602,16 @@ declare class Collection<T> {
      * the cache entry (record still present) or deletes it (record was
      * gone before the tx and the revert deleted it again).
      */
+    /**
+     * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+     * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+     * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+     * the post-rotation body). Eviction must be synchronous with the live-envelope
+     * rewrite so no concurrent read observes the old CEK. Paired with
+     * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+     * No-op when the collection is not `perRecordKeys`.
+     */
+    _invalidateCekCacheEntry(id: string): void;
     _invalidateCacheEntry(id: string): Promise<void>;
     /**
      * Apply a peer tab's committed write to THIS tab's in-memory view:
@@ -11145,7 +11823,22 @@ declare class Collection<T> {
      * `query()` there. Throws if no index is declared, because a lazy
      * query with no index would need to enumerate the whole collection.
      */
-    lazyQuery(): LazyQuery<T>;
+    lazyQuery(): LazyQuery<T>;
+    /**
+     * Resolve the stable CEK for a record on the WRITE path — see
+     * {@link resolveStableCek}. Thin delegate that supplies the collection's
+     * CEK cache, live-envelope reader, and DEK resolver.
+     */
+    private resolveRecordCek;
+    /**
+     * Encrypt a JSON body into an envelope.
+     *
+     * When `cek` is supplied (per-record CEK collections), the body is
+     * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+     * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+     * path encrypts the body directly under the collection DEK — byte-identical
+     * to pre-CEK behaviour, so non-adopting collections pay nothing.
+     */
     private encryptJsonString;
     private encryptRecord;
     /**
@@ -11227,7 +11920,20 @@ declare class Collection<T> {
     demote(id: string, toTier: number): Promise<void>;
     private isElevatorOrOwner;
     private emitCrossTierEvent;
-    /** Low-level: decrypt an envelope and return the raw JSON string. */
+    /**
+     * Low-level: decrypt an envelope and return the raw JSON string.
+     *
+     * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+     * so a mixed vault — and a recipient that never opted into
+     * `perRecordKeys` — decrypts both legacy and CEK records:
+     *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+     *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+     *  - `_cek` absent → legacy path, body decrypts directly under the
+     *    collection DEK.
+     *
+     * The optional `id` lets reads populate the CEK cache; it is omitted by
+     * callers (history, conflict merge) that have only the envelope.
+     */
     private decryptJsonString;
     /**
      * Decrypt an envelope into a record of type `T`.
@@ -11373,7 +12079,7 @@ interface ShadowStrategy {
  * @internal
  */
 interface TxStrategy {
-    runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
+    runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions, txInvariants?: ReadonlyArray<TransactionInvariant>): Promise<T>;
     runDryRun(db: Noydb, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
 }
 
@@ -11504,244 +12210,6 @@ interface SessionStrategy {
     revokeAllSessions(): void;
 }
 
-/**
- * Managed-passphrase mode — rubber-hose-resistant vaults.
- *
- * A vault mode where the passphrase is machine-generated and never
- * exposed to the user, sealed under a developer-provided
- * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
- * Manager, libsecret, AWS KMS, …). The user has no secret to give
- * up to coercion — they can't reveal what they don't know.
- *
- * ## Components in this file
- *
- *   - {@link SealingKeyProvider} — the interface concrete providers
- *     implement. Provider implementations live OUTSIDE hub (per-
- *     platform packages).
- *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
- *     a deterministic per-instance "key" so two providers with
- *     different ids cannot unseal each other's outputs.
- *   - {@link RecipientHint} — public material a sender uses to seal
- *     plaintext for a specific recipient; published by
- *     {@link RecipientSealer.publishRecipientHint} and transported
- *     out-of-band to the sender before bundle writes.
- *   - {@link RecipientSealer} — interface for asymmetric/granted
- *     providers that support recipient-target sealing (RSA-OAEP,
- *     cloud-KMS asymmetric, etc.); distinct from self-only
- *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
- *   - {@link MemoryRecipientSealer} — in-process reference
- *     implementation of both `RecipientSealer` and
- *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
- *     safe for tests and same-process sender/recipient scenarios.
- *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
- *     plaintext envelope storage at `_meta/sealed-passphrase`.
- *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
- *     GCM-bypassed patterns. The sealing layer (provider's job)
- *     is the security boundary; hub doesn't have a key to encrypt
- *     with at this layer — that's the whole point of the design.
- *   - {@link resolveManagedSecret} — orchestrates the "generate +
- *     seal + persist on first open; unseal on reopen" flow.
- *     Returns the plaintext passphrase string that the rest of the
- *     `createNoydb` keyring path consumes.
- *
- * Deferred to follow-ups:
- *   - Block `rotate-passphrase` policy gate under managed mode.
- *   - Mandatory strong-recovery enforcement.
- *   - Recovery flow under managed mode (generates fresh sealed phrase).
- *
- * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
- *
- * @module
- */
-
-/**
- * The contract concrete providers (per-platform key stores) implement
- * to seal and unseal a hub-generated random passphrase. The plaintext
- * passphrase NEVER leaves hub-controlled memory in unsealed form —
- * the provider receives the bytes, returns opaque sealed bytes, and
- * later reverses the operation. Hub treats the sealed bytes as
- * fully opaque.
- *
- * Implementations live OUTSIDE `@noy-db/hub` (separate packages
- * per the issue's "Concrete providers (live outside hub)" note):
- *
- * | Platform | Package (TBD) | Backing |
- * |---|---|---|
- * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
- * | Windows | `@noy-db/seal-wincred` | Credential Manager |
- * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
- * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
- */
-interface SealingKeyProvider {
-    /**
-     * Non-sensitive identifier disclosed in the persisted envelope.
-     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
-     * a vault opened with the wrong provider class can detect the
-     * mismatch and surface a clear error. NOT secret — fine to log.
-     *
-     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
-     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
-     * parses this; it's purely audit metadata.
-     */
-    readonly id: string;
-    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
-    seal(passphrase: Uint8Array): Promise<Uint8Array>;
-    /**
-     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
-     * any other failure — hub treats a thrown error as "this provider
-     * cannot unlock this vault" and surfaces it to the caller.
-     */
-    unseal(sealed: Uint8Array): Promise<Uint8Array>;
-}
-/**
- * In-memory test provider. NOT secure — uses a deterministic
- * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
- * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
- * sufficient to make different `id` values produce mutually-unsealable
- * outputs (the contract tests for that), but offers ZERO real
- * confidentiality — never use outside tests.
- *
- * Replace with a real platform provider in production.
- */
-declare class MemorySealingKeyProvider implements SealingKeyProvider {
-    readonly id: string;
-    private readonly fingerprint;
-    private readonly keyBytes;
-    constructor(opts: {
-        id: string;
-    });
-    seal(passphrase: Uint8Array): Promise<Uint8Array>;
-    unseal(sealed: Uint8Array): Promise<Uint8Array>;
-}
-/**
- * Public material a sender uses to seal-for-this-recipient. Published by
- * a recipient's RecipientSealer; transported to the sender out-of-band
- * (email, S3, in-app message). The sender obtains the hint, supplies it
- * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
- * hub seals each user's credential against it. Per foundation §11.4.
- */
-type RecipientHint = {
-    readonly v: 1;
-    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
-    readonly pid: string;
-    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
-    readonly alg: 'rsa-oaep-sha256';
-    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
-    readonly material: Readonly<Record<string, unknown>>;
-};
-/**
- * Handover-capable provider. Implemented additionally by asymmetric/granted
- * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
- * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
- * implement this — the §11.2 capability matrix lives in the type system.
- *
- * Per foundation §11.4. A function that requires recipient-target sealing
- * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
- * passing a self-only provider at the spec site.
- */
-interface RecipientSealer {
-    readonly id: string;
-    /** Produce hint material a sender uses to seal-for-this-recipient. */
-    publishRecipientHint(): Promise<RecipientHint>;
-    /**
-     * Seal plaintext for the recipient described by `hint`. Returns opaque
-     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
-     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
-     * without inspecting them.
-     */
-    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
-}
-/**
- * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
- * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
- * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
- * result into a self-describing TLV:
- *
- *   byte  0       : version (0x01)
- *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
- *   bytes 257..268: AES-GCM IV (12 bytes)
- *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
- *
- * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
- * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
- * for tests where one provider plays both ends. Real cloud providers
- * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
- * contract is round-trip identity.
- *
- * SAFE for production within its scope — the cryptography is real
- * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
- * and is regenerated on every construction. Not suitable as a managed
- * keychain; use it for tests and for shipping bundles where the
- * recipient instance lives in the same process as the sender (rare).
- */
-declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
-    readonly id: string;
-    private readonly keypair;
-    constructor(opts: {
-        id: string;
-    });
-    publishRecipientHint(): Promise<RecipientHint>;
-    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
-    seal(plaintext: Uint8Array): Promise<Uint8Array>;
-    unseal(bytes: Uint8Array): Promise<Uint8Array>;
-}
-/** Reserved id for the managed-passphrase envelope under `_meta`. */
-declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
-/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
-interface SealedPassphrase {
-    readonly _noydb_sealed: 1;
-    readonly providerId: string;
-    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
-    readonly sealed: Uint8Array;
-}
-/**
- * Wire-format envelope persisted at `_meta/sealed-passphrase` for
- * managed-mode vaults. The provider produces raw sealed bytes via
- * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
- * metadata hub needs to pick the right provider on the unseal path.
- *
- * Stability boundary: once shipped, the wire format only grows by
- * adding optional fields. See the at-* sealing dimension foundation
- * doc, §11.9.1.
- *
- * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
- *
- * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
- * — accepted on read for backwards compatibility; never produced on
- * write going forward.
- */
-interface SealedEnvelope {
-    /** Envelope schema version. v1 is the current shape. */
-    readonly v: 1;
-    /** Magic marker for forensics + legacy-shape detection. */
-    readonly _noydb_sealed: 1;
-    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
-    readonly pid: string;
-    /** Sealed bytes from the provider, base64-encoded on the wire. */
-    readonly payload: string;
-}
-/**
- * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
- * in-memory {@link SealedPassphrase} representation. Accepts both:
- *
- *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
- *      the current shape.
- *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
- *      read-only; never written
- *      going forward.
- *
- * Returns `undefined` for any input that doesn't match either shape,
- * so callers can fall back to "no managed-mode envelope present."
- *
- * @internal — exported only for the migration safety-net test suite.
- */
-declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
-declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
-    readonly providerId: string;
-    readonly sealed: Uint8Array;
-}): Promise<void>;
-declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
-
 /**
  * Core types — the {@link NoydbStore} interface, envelope format, roles, and
  * all configuration shapes consumed by {@link createNoydb}.
@@ -11838,6 +12306,27 @@ interface EncryptedEnvelope {
      * side channel.
      */
     readonly _det?: Record<string, string>;
+    /**
+     * Per-record content-encryption key (CEK), base64 AES-KW-wrapped under
+     * the collection (or tier) DEK. Present only on records written by a
+     * collection opened with `perRecordKeys: true`. When present, the body
+     * (`_iv`/`_data`) is encrypted under the unwrapped CEK rather than the
+     * collection DEK directly.
+     *
+     * Presence is the format discriminant: `_cek` absent → legacy body
+     * keyed off the collection DEK (read unchanged); `_cek` present →
+     * unwrap under the collection DEK, then decrypt the body under the CEK.
+     *
+     * The CEK is stable across every version of a record (insert mints it;
+     * updates and history snapshots reuse it), so all `_history` envelopes
+     * for a record carry the same `_cek`. This is the foundation for
+     * per-record erasure (#304) and record-scoped sealing (#306).
+     *
+     * `_det` slots are deliberately NOT keyed off the CEK — they remain
+     * keyed to the collection DEK so blind-equality search keeps working
+     * across records.
+     */
+    readonly _cek?: string;
 }
 /**
  * Placeholder returned by `getAtTier()` in `'ghost'` mode when a
@@ -13056,6 +13545,25 @@ interface BlobObject {
     readonly createdAt: string;
     /** Live reference count — slots + published versions pointing to this blob. */
     readonly refCount: number;
+    /**
+     * Base64 AES-KW-wrapped per-blob **content CEK** (wrapped under the `_blob`
+     * DEK). Present on erasable-collection blobs (`perRecordKeys`): the chunks
+     * are encrypted under this content CEK rather than directly under the `_blob`
+     * DEK, so deleting this BlobObject at `refCount → 0` crypto-shreds the chunks
+     * (they become permanently undecryptable). Absent → legacy blob, chunks
+     * decrypt directly under the `_blob` DEK (read unchanged). See
+     * docs/superpowers/specs/2026-06-13-per-blob-cek-design.md.
+     */
+    readonly _cek?: string;
+    /**
+     * Transient migration marker (#365 slice 3). Present only while a legacy
+     * blob is being migrated to a content CEK: it holds the wrapped content CEK
+     * BEFORE the chunks have been re-encrypted under it. Readers **ignore**
+     * `_cekPending` (they key off `_cek`), so the blob stays readable under the
+     * `_blob` DEK during migration AND the content CEK survives a crash → a
+     * re-run resumes and promotes `_cekPending` → `_cek`. Never set on a settled blob.
+     */
+    readonly _cekPending?: string;
     /**
      * Hint indicating which store holds the chunk data.
      * Used by `routeStore` size-tiered routing: `'default'` for small blobs
@@ -13287,6 +13795,19 @@ interface NoydbOptions {
      * @internal
      */
     readonly historyStrategy?: HistoryStrategy;
+    /**
+     * GDPR right-to-erasure (#304). Pass `withForgetCascade({ subjects })`
+     * from `@noy-db/hub/forget` to declare which collections carry erasable
+     * subject data and the record field naming the data subject. Enables
+     * `vault.forget(subjectId)` crypto-shred (rewrite-to-tombstone of the live
+     * record + every history version → body permanently undecryptable, single
+     * `op:'forget'` ledger entry, chain still verifies). Each declared
+     * collection is forced to `perRecordKeys: true`. When omitted (the
+     * `NO_FORGET` default), `vault.forget()` throws
+     * `ForgetStrategyNotConfiguredError` and no subject-index write hooks run.
+     * Requires `historyStrategy` (the ledger) for the erasure-proof entry.
+     */
+    readonly forgetStrategy?: ForgetStrategy;
     /**
      * tree-shake seam — optional i18n strategy. Pass `withI18n()`
      * from `@noy-db/hub/i18n` to enable `i18nText`/`dictKey` field
@@ -13642,4 +14163,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ExportBlobsAuditEntry as $, BLOB_COLLECTION as A, type BlobStrategy as B, BLOB_EVICTION_AUDIT_COLLECTION as C, DICT_COLLECTION_PREFIX as D, BLOB_INDEX_COLLECTION as E, BLOB_SLOTS_PREFIX as F, BLOB_VERSIONS_PREFIX as G, type BlobEvictionEntry as H, type I18nStrategy as I, type BlobFieldPolicy as J, type BlobFieldsConfig as K, type Layer as L, type BlobObject as M, type BlobPutOptions as N, type OnMissing as O, PolicyEnforcer as P, type BlobResponseOptions as Q, type ResolveI18nOptions as R, type ScriptWarning as S, BlobSet as T, type BlobStrategyOpenArgs as U, type CompactRunOptions as V, type CompactionContext as W, type CompactionResult as X, DEFAULT_CHUNK_SIZE as Y, EXPORT_AUDIT_COLLECTION as Z, ExportBlobsAbortedError as _, type DictEntry as a, type SyncStrategy as a$, type ExportBlobsHandle as a0, type ExportBlobsOptions as a1, type ExportedBlob as a2, type SlotInfo as a3, type SlotRecord as a4, type VersionRecord as a5, createExportBlobsHandle as a6, runCompaction as a7, type ConsentStrategy as a8, CONSENT_AUDIT_COLLECTION as a9, VaultFrame as aA, type NoydbBundleStore as aB, type RetentionPolicy as aC, type SnapshotPolicy as aD, type SnapshotStrategy as aE, type SnapshotMeta as aF, type SnapshotMode as aG, type TxStrategy as aH, type AmendmentTxOptions as aI, TxCollection as aJ, TxContext as aK, TxVault as aL, runTransaction as aM, type DerivationStrategy as aN, type DerivationContext as aO, type ArrayOutputSpec as aP, DerivationRegistry as aQ, type DerivationStrategyHandle as aR, type DerivedFromMeta as aS, type OutputSpec as aT, type RecordOutputSpec as aU, type MaterializedViewStrategy as aV, type MaterializedViewStrategyHandle as aW, type OverlayedViewStrategy as aX, Collection as aY, OverlayedViewRegistry as aZ, type OverlayedViewStrategyHandle as a_, type ConsentAuditEntry as aa, type ConsentAuditFilter as ab, type ConsentContext as ac, type ConsentOp as ad, loadConsentEntries as ae, writeConsentEntry as af, type PeriodsStrategy as ag, type CarryForwardContext as ah, type ClosePeriodOptions as ai, type OpenPeriodOptions as aj, PERIODS_COLLECTION as ak, type PeriodRecord as al, type ReadOnlyCollection as am, appendPeriodLedgerEntry as an, assertTsWritable as ao, chainAnchor as ap, loadPeriods as aq, validatePeriodName as ar, type GuardStrategy as as, type GuardChange as at, type GuardContext as au, GuardRegistry as av, type GuardStrategyHandle as aw, ReadOnlyVaultFacade as ax, type ShadowStrategy as ay, CollectionFrame as az, type DictKeyDescriptor as b, type CapturedBlueprint as b$, type Role as b0, type UnlockedKeyring as b1, type HistoryStrategy as b2, type NoydbStore as b3, type HistoryOptions as b4, type EncryptedEnvelope as b5, type PruneOptions as b6, type AppendInput as b7, type ChangeType as b8, CollectionInstant as b9, type RegisteredMV as bA, MaterializedViewRegistry as bB, type MaterializedFromMeta as bC, type MaterializedViewOutput as bD, type UnionSource as bE, type UserEnvelope as bF, type GateName as bG, type GatePolicy as bH, type VaultPolicy as bI, type ActiveTier as bJ, type FactorProof as bK, type SchemaUpdateStrategy as bL, type TransformFn as bM, type PersistedSchemaEnvelope as bN, type UpdateDecision as bO, type DirectoryConfig as bP, type UserVisibility as bQ, type AccessibleVault as bR, type AffectedDocument as bS, type ArchivePolicy as bT, type ArchiveResult as bU, type ArchiveRunOptions as bV, type ArchiveStrategy as bW, BUNDLE_STORE_POLICY as bX, type BuiltInGateName as bY, type CacheOptions as bZ, type CacheStats as b_, type DiffEntry as ba, type JsonPatch as bb, type JsonPatchOp as bc, type LedgerEntry as bd, LedgerStore as be, type VaultEngine as bf, VaultInstant as bg, type VerifyResult as bh, applyPatch as bi, canonicalJson as bj, computePatch as bk, diff as bl, formatDiff as bm, hashEntry as bn, paddedIndex as bo, parseIndex as bp, sha256Hex as bq, type PublicEnvelope as br, type SealingKeyProvider as bs, type BundleRecipient as bt, type RecipientSealer as bu, type RecipientHint as bv, Vault as bw, type RecoveryEnrollmentInput as bx, type ShamirRecoveryProvider as by, type MVQueryContext as bz, DictionaryHandle as c, type KeyringFile as c$, type ChangeEvent as c0, type CollectionChangeEvent as c1, type CollectionConflictResolver as c2, type CollectionDescriptor as c3, type CollectionStats as c4, ComputedFieldError as c5, type ComputedFields as c6, type ComputedFn as c7, type Conflict as c8, type ConflictPolicy as c9, type ExportChunk as cA, type ExportFormat as cB, type ExportStreamOptions as cC, type FactorKind as cD, type FactorProofBundle as cE, type FactorRequirement as cF, type FanoutQueryOptions as cG, type FanoutResult as cH, type FenceDoc as cI, type FenceState as cJ, type FieldChange as cK, type FieldDescriptor as cL, type FieldSource as cM, type GhostRecord as cN, type GrantOptions as cO, type GuardViolation as cP, type HistoryConfig as cQ, type HistoryEntry as cR, INDEXED_STORE_POLICY as cS, type ImportCapability as cT, type InferOutput as cU, type InternalCollectionStats as cV, type IssueDelegationOptions as cW, type IssueMagicLinkGrantOptions as cX, type KeyringAuthenticator as cY, type KeyringAuthenticatorWrappingDEKs as cZ, type KeyringAuthenticatorWrappingKEK as c_, type ConflictStrategy as ca, type CrossTierAccessEvent as cb, CrossVaultAggregation as cc, CrossVaultGroupedAggregation as cd, type GroupedRow as ce, type CrossVaultLiveAggregation as cf, type CrossVaultLiveQuery as cg, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as ch, DELEGATIONS_COLLECTION as ci, type DeepPartial as cj, type DeepPartialOrNull as ck, type DeferredNumberingConfig as cl, type DelegationToken as cm, type DeleteManyResult as cn, type DeploymentEvent as co, type DerivationDescriptor as cp, type DirtyEntry as cq, type DryRunResult as cr, type DumpSchemaOptions as cs, ELEVATION_AUDIT_COLLECTION as ct, ElevatedHandle as cu, type EnrollAuthenticatorOptions as cv, type EnrollAuthenticatorWrappingDEKsOptions as cw, type EnrollAuthenticatorWrappingKEKOptions as cx, type EnrollRecoveryResult as cy, type ExportCapability as cz, type DictionaryOptions as d, type ResolvedPublicEnvelopeSchema as d$, type ListAccessibleVaultsOptions as d0, type ListPageResult as d1, type ListUsersOptions as d2, type LiveQueryOptions as d3, type LiveUserEnvelope as d4, type LocaleReadOptions as d5, Lru as d6, type LruOptions as d7, type LruStats as d8, MAGIC_LINK_CONTENT_INFO_PREFIX as d9, type PlaintextTranslatorContext as dA, type PlaintextTranslatorFn as dB, PresenceHandle as dC, type PresencePeer as dD, type PublicEnvelopeField as dE, type PublicEnvelopeSchema as dF, type PublicEnvelopeText as dG, type PullMode as dH, type PullOptions as dI, type PullPolicy as dJ, type PullResult as dK, type PushMode as dL, type PushOptions as dM, type PushPolicy as dN, type PushResult as dO, type PutManyItemOptions as dP, type PutManyOptions as dQ, type PutManyResult as dR, type QueryAcrossOptions as dS, type QueryAcrossResult as dT, type QuickUnlockState as dU, QuickUnlockStore as dV, type ReAuthOperation as dW, type RecoverPassphraseInput as dX, type RecoverPassphraseResult as dY, type RecoverUserOptions as dZ, type RecoveryProof as d_, MAGIC_LINK_GRANTS_COLLECTION as da, MAGIC_LINK_KEK_INFO_PREFIX as db, type MagicLinkGrantPayload as dc, type MagicLinkGrantRecord as dd, type MaterializedViewDescriptor as de, MemoryRecipientSealer as df, MemorySealingKeyProvider as dg, NOYDB_BACKUP_VERSION as dh, NOYDB_FORMAT_VERSION as di, NOYDB_KEYRING_VERSION as dj, NOYDB_SYNC_VERSION as dk, type NextOptions as dl, Noydb as dm, type NoydbEventMap as dn, type NoydbOptions as dp, type Assignment as dq, type OverlayViewDescriptor as dr, PUBLIC_ENVELOPE_FIELDS as ds, type PaperRecoveryDoc as dt, type PaperRecoveryEntry as du, type PassphrasePolicy as dv, type PassphraseValidationResult as dw, type Permission as dx, type Permissions as dy, type PersistedSchemaKind as dz, type I18nMap as e, type VaultPolicyOnDisk as e$, type RevokeOptions as e0, type RotatePassphraseInput as e1, type RotateRecoveryOptions as e2, type RotateRecoveryResult as e3, SEALED_PASSPHRASE_RECORD_ID as e4, type SchemaDelta as e5, type SchemaIntrospection as e6, type SchemaManifestRow as e7, type SealedEnvelope as e8, type SealedPassphrase as e9, type SyncStatus as eA, type SyncTarget as eB, type SyncTargetRole as eC, SyncTransaction as eD, type SyncTransactionResult as eE, type TabChannel as eF, type TabCoordinationOptions as eG, type TabLockManager as eH, type TabPresence as eI, type TabRole as eJ, type TierMode as eK, type TranslatorAuditEntry as eL, type TxOp as eM, USER_ENVELOPE_COLLECTION as eN, USER_ENVELOPE_MAX_BYTES as eO, type Unsubscribe as eP, type UpdateAuthenticatorOptions as eQ, type UpdateContext as eR, type UpdateUserOptions as eS, UserApi as eT, type UserEnvelopeCheckGate as eU, UserEnvelopeOversizedError as eV, type UserEnvelopePresented as eW, type UserInfo as eX, type VaultBackup as eY, VaultGroup as eZ, type VaultGroupOptions as e_, type SequenceHandle as ea, SequenceStore as eb, type SessionPolicy as ec, type SetPublicEnvelopeInput as ed, type ShamirRecoveryDoc as ee, type ShamirRecoveryEntry as ef, ShardedCollection as eg, ShardedGroupedQuery as eh, ShardedQuery as ei, type ShardingConfig as ej, type SkippedVault as ek, type SlotRewrapCeremony as el, type SlotRewrapContext as em, type StandardSchemaV1 as en, type StandardSchemaV1Issue as eo, type StandardSchemaV1SyncResult as ep, StateManagementVault as eq, type StoreAuth as er, type StoreAuthKind as es, type StoreCapabilities as et, type StoreTime as eu, SyncEngine as ev, type SyncMetadata as ew, type SyncPolicy as ex, SyncScheduler as ey, type SyncSchedulerStatus as ez, type I18nTextDescriptor as f, withDeferredNumbering as f$, type VaultRegistryRow as f0, type VaultSchemaSnapshot as f1, type VaultSnapshot as f2, type VaultTemplate as f3, type WarningRules as f4, WeakPassphraseError as f5, type WeakPassphraseReason as f6, type WithArchiveOptions as f7, type WrappedDeksBlob as f8, type WriteConflict as f9, loadActiveDelegations as fA, loadPaperRecoveryEntries as fB, loadSealedPassphrase as fC, loadShamirRecoveryEntries as fD, magicLinkGrantRecordId as fE, mintPaperRecoveryEntry as fF, mintShamirRecoveryEntry as fG, mintWrappedDeksBlob as fH, parseSealedEnvelope as fI, readMagicLinkGrantRecord as fJ, recoverUser as fK, removeAuthenticator as fL, resolveSchema as fM, revokeDelegation as fN, revokeMagicLinkGrant as fO, savePaperRecoveryEntries as fP, saveSealedPassphrase as fQ, saveShamirRecoveryEntries as fR, unwrapDeksFromBlob as fS, unwrapDeksFromPaperEntry as fT, unwrapDeksFromShamirEntry as fU, unwrapMagicLinkGrant as fV, validatePassphrase as fW, validatePublicEnvelopeInput as fX, validateSchemaInput as fY, validateSchemaOutput as fZ, withArchive as f_, type WriteEvent as fa, type WriteHook as fb, type WriteQueue as fc, assertStrongPassphrase as fd, buildRecipientKeyringFile as fe, burnPaperRecoveryEntry as ff, createNoydb as fg, createStore as fh, deriveMagicLinkContentKey as fi, enrollAuthenticator as fj, estimateEntropy as fk, evalComputedFields as fl, evaluateExportCapability as fm, evaluateImportCapability as fn, findAuthenticator as fo, hasExportCapability as fp, hasImportCapability as fq, hasRecoveryEnrolled as fr, isMagicLinkGrantExpired as fs, isPublicEnvelope as ft, issueDelegation as fu, recoverPassphrase as fv, rotatePassphrase as fw, listMagicLinkGrants as fx, listUsers as fy, listUsersWithEnvelopes as fz, type I18nTextOptions as g, writeMagicLinkGrant as g0, changeSecret as g1, createOwnerKeyring as g2, ensureCollectionDEK as g3, grant as g4, loadKeyring as g5, persistKeyring as g6, revoke as g7, updateAuthenticator as g8, updateKeyringIdentity as g9, type OnMissingPolicy as h, applyI18nLocale as i, dictCollectionName as j, dictKey as k, enforceScript as l, getAtPath as m, i18nText as n, inferScripts as o, isDictCollectionName as p, isDictKeyDescriptor as q, isI18nTextDescriptor as r, resolveI18nText as s, resolvePolicy as t, setAtPathInPlace as u, validateI18nTextValue as v, type SessionStrategy as w, createEnforcer as x, validateSessionPolicy as y, BLOB_CHUNKS_COLLECTION as z };
+export { DEFAULT_CHUNK_SIZE as $, createEnforcer as A, validateSessionPolicy as B, type BlobStrategy as C, DICT_COLLECTION_PREFIX as D, BLOB_CHUNKS_COLLECTION as E, BLOB_COLLECTION as F, BLOB_EVICTION_AUDIT_COLLECTION as G, BLOB_INDEX_COLLECTION as H, type I18nStrategy as I, BLOB_SLOTS_PREFIX as J, BLOB_VERSIONS_PREFIX as K, type Layer as L, type BlobEvictionEntry as M, type BlobFieldPolicy as N, type OnMissing as O, PolicyEnforcer as P, type BlobFieldsConfig as Q, type ResolveI18nOptions as R, type ScriptWarning as S, type BlobObject as T, type BlobPutOptions as U, type BlobResponseOptions as V, BlobSet as W, type BlobStrategyOpenArgs as X, type CompactRunOptions as Y, type CompactionContext as Z, type CompactionResult as _, type DictEntry as a, type Role as a$, EXPORT_AUDIT_COLLECTION as a0, ExportBlobsAbortedError as a1, type ExportBlobsAuditEntry as a2, type ExportBlobsHandle as a3, type ExportBlobsOptions as a4, type ExportedBlob as a5, type SlotInfo as a6, type SlotRecord as a7, type VersionRecord as a8, createExportBlobsHandle as a9, ReadOnlyVaultFacade as aA, type ShadowStrategy as aB, CollectionFrame as aC, VaultFrame as aD, type NoydbBundleStore as aE, type RetentionPolicy as aF, type SnapshotPolicy as aG, type SnapshotStrategy as aH, type SnapshotMeta as aI, type SnapshotMode as aJ, type DerivationStrategy as aK, type DerivationContext as aL, type ArrayOutputSpec as aM, DerivationRegistry as aN, type DerivationStrategyHandle as aO, type DerivedFromMeta as aP, type OutputSpec as aQ, type RecordOutputSpec as aR, type MaterializedViewStrategy as aS, type MaterializedViewStrategyHandle as aT, type OverlayedViewStrategy as aU, Collection as aV, type OverlayFieldMergeMode as aW, type OverlayFieldMergeRule as aX, OverlayedViewRegistry as aY, type OverlayedViewStrategyHandle as aZ, type SyncStrategy as a_, runCompaction as aa, type ConsentStrategy as ab, CONSENT_AUDIT_COLLECTION as ac, type ConsentAuditEntry as ad, type ConsentAuditFilter as ae, type ConsentContext as af, type ConsentOp as ag, loadConsentEntries as ah, writeConsentEntry as ai, type PeriodsStrategy as aj, type CarryForwardContext as ak, type ClosePeriodOptions as al, type OpenPeriodOptions as am, PERIODS_COLLECTION as an, type PeriodRecord as ao, type ReadOnlyCollection as ap, appendPeriodLedgerEntry as aq, assertTsWritable as ar, chainAnchor as as, loadPeriods as at, validatePeriodName as au, type GuardStrategy as av, type GuardChange as aw, type GuardContext as ax, GuardRegistry as ay, type GuardStrategyHandle as az, type DictKeyDescriptor as b, type CollectionStats as b$, type UnlockedKeyring as b0, type HistoryStrategy as b1, type NoydbStore as b2, type HistoryOptions as b3, type EncryptedEnvelope as b4, type PruneOptions as b5, type AppendInput as b6, type ChangeType as b7, CollectionInstant as b8, type DiffEntry as b9, type UserEnvelope as bA, type GateName as bB, type GatePolicy as bC, type VaultPolicy as bD, type ActiveTier as bE, type FactorProof as bF, type SchemaUpdateStrategy as bG, type TransformFn as bH, type PersistedSchemaEnvelope as bI, type UpdateDecision as bJ, type DirectoryConfig as bK, type UserVisibility as bL, type AccessibleVault as bM, type AffectedDocument as bN, type ArchivePolicy as bO, type ArchiveResult as bP, type ArchiveRunOptions as bQ, type ArchiveStrategy as bR, BUNDLE_STORE_POLICY as bS, type BuiltInGateName as bT, type CacheOptions as bU, type CacheStats as bV, type CapturedBlueprint as bW, type ChangeEvent as bX, type CollectionChangeEvent as bY, type CollectionConflictResolver as bZ, type CollectionDescriptor as b_, type JsonPatch as ba, type JsonPatchOp as bb, LedgerStore as bc, type VaultEngine as bd, VaultInstant as be, type VerifyResult as bf, applyPatch as bg, computePatch as bh, diff as bi, formatDiff as bj, type PublicEnvelope as bk, type SealingKeyProvider as bl, type BundleRecipient as bm, type RecipientSealer as bn, type RecipientHint as bo, Vault as bp, type RecoveryEnrollmentInput as bq, type ShamirRecoveryProvider as br, TxContext as bs, type MVQueryContext as bt, type RegisteredMV as bu, MaterializedViewRegistry as bv, type MaterializedFromMeta as bw, type MaterializedViewOutput as bx, type UnionArmJoin as by, type UnionSource as bz, DictionaryHandle as c, type LiveUserEnvelope as c$, ComputedFieldError as c0, type ComputedFields as c1, type ComputedFn as c2, type Conflict as c3, type ConflictPolicy as c4, type ConflictStrategy as c5, type CrossTierAccessEvent as c6, CrossVaultAggregation as c7, CrossVaultGroupedAggregation as c8, type GroupedRow as c9, type FactorRequirement as cA, type FanoutQueryOptions as cB, type FanoutResult as cC, type FenceDoc as cD, type FenceState as cE, type FieldChange as cF, type FieldDescriptor as cG, type FieldSource as cH, type GhostRecord as cI, type GrantOptions as cJ, type GuardViolation as cK, type HistoryConfig as cL, type HistoryEntry as cM, INDEXED_STORE_POLICY as cN, type ImportCapability as cO, type InferOutput as cP, type InternalCollectionStats as cQ, type IssueDelegationOptions as cR, type IssueMagicLinkGrantOptions as cS, type KeyringAuthenticator as cT, type KeyringAuthenticatorWrappingDEKs as cU, type KeyringAuthenticatorWrappingKEK as cV, type KeyringFile as cW, type ListAccessibleVaultsOptions as cX, type ListPageResult as cY, type ListUsersOptions as cZ, type LiveQueryOptions as c_, type CrossVaultLiveAggregation as ca, type CrossVaultLiveQuery as cb, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as cc, DELEGATIONS_COLLECTION as cd, type DeepPartial as ce, type DeepPartialOrNull as cf, type DeferredNumberingConfig as cg, type DelegationToken as ch, type DeleteManyResult as ci, type DeploymentEvent as cj, type DerivationDescriptor as ck, type DirtyEntry as cl, type DryRunResult as cm, type DumpSchemaOptions as cn, ELEVATION_AUDIT_COLLECTION as co, ElevatedHandle as cp, type EnrollAuthenticatorOptions as cq, type EnrollAuthenticatorWrappingDEKsOptions as cr, type EnrollAuthenticatorWrappingKEKOptions as cs, type EnrollRecoveryResult as ct, type ExportCapability as cu, type ExportChunk as cv, type ExportFormat as cw, type ExportStreamOptions as cx, type FactorKind as cy, type FactorProofBundle as cz, type DictionaryOptions as d, SEALED_PASSPHRASE_RECORD_ID as d$, type LocaleReadOptions as d0, Lru as d1, type LruOptions as d2, type LruStats as d3, MAGIC_LINK_CONTENT_INFO_PREFIX as d4, MAGIC_LINK_GRANTS_COLLECTION as d5, MAGIC_LINK_KEK_INFO_PREFIX as d6, type MagicLinkGrantPayload as d7, type MagicLinkGrantRecord as d8, type MaterializedViewDescriptor as d9, type PublicEnvelopeSchema as dA, type PublicEnvelopeText as dB, type PullMode as dC, type PullOptions as dD, type PullPolicy as dE, type PullResult as dF, type PushMode as dG, type PushOptions as dH, type PushPolicy as dI, type PushResult as dJ, type PutManyItemOptions as dK, type PutManyOptions as dL, type PutManyResult as dM, type QueryAcrossOptions as dN, type QueryAcrossResult as dO, type QuickUnlockState as dP, QuickUnlockStore as dQ, type ReAuthOperation as dR, type RecoverPassphraseInput as dS, type RecoverPassphraseResult as dT, type RecoverUserOptions as dU, type RecoveryProof as dV, type ResolvedPublicEnvelopeSchema as dW, type RevokeOptions as dX, type RotatePassphraseInput as dY, type RotateRecoveryOptions as dZ, type RotateRecoveryResult as d_, MemoryRecipientSealer as da, MemorySealingKeyProvider as db, NOYDB_BACKUP_VERSION as dc, NOYDB_FORMAT_VERSION as dd, NOYDB_KEYRING_VERSION as de, NOYDB_SYNC_VERSION as df, type NextOptions as dg, Noydb as dh, type NoydbEventMap as di, type NoydbOptions as dj, type Assignment as dk, type OverlayViewDescriptor as dl, PUBLIC_ENVELOPE_FIELDS as dm, type PaperRecoveryDoc as dn, type PaperRecoveryEntry as dp, type PassphrasePolicy as dq, type PassphraseValidationResult as dr, type Permission as ds, type Permissions as dt, type PersistedSchemaKind as du, type PlaintextTranslatorContext as dv, type PlaintextTranslatorFn as dw, PresenceHandle as dx, type PresencePeer as dy, type PublicEnvelopeField as dz, type I18nMap as e, type VaultRegistryRow as e$, type SchemaDelta as e0, type SchemaIntrospection as e1, type SchemaManifestRow as e2, type SealedEnvelope as e3, type SealedPassphrase as e4, type SequenceHandle as e5, type SequenceOptions as e6, SequenceStore as e7, type SessionPolicy as e8, type SetPublicEnvelopeInput as e9, type SyncTransactionResult as eA, type TabChannel as eB, type TabCoordinationOptions as eC, type TabLockManager as eD, type TabPresence as eE, type TabRole as eF, type TierMode as eG, type TransactionInvariant as eH, type TranslatorAuditEntry as eI, TxCollection as eJ, type TxOp as eK, TxVault as eL, USER_ENVELOPE_COLLECTION as eM, USER_ENVELOPE_MAX_BYTES as eN, type Unsubscribe as eO, type UpdateAuthenticatorOptions as eP, type UpdateContext as eQ, type UpdateUserOptions as eR, UserApi as eS, type UserEnvelopeCheckGate as eT, UserEnvelopeOversizedError as eU, type UserEnvelopePresented as eV, type UserInfo as eW, type VaultBackup as eX, VaultGroup as eY, type VaultGroupOptions as eZ, type VaultPolicyOnDisk as e_, type ShamirRecoveryDoc as ea, type ShamirRecoveryEntry as eb, ShardedCollection as ec, ShardedGroupedQuery as ed, ShardedQuery as ee, type ShardingConfig as ef, type SkippedVault as eg, type SlotRewrapCeremony as eh, type SlotRewrapContext as ei, type StandardSchemaV1 as ej, type StandardSchemaV1Issue as ek, type StandardSchemaV1SyncResult as el, StateManagementVault as em, type StoreAuth as en, type StoreAuthKind as eo, type StoreCapabilities as ep, type StoreTime as eq, SyncEngine as er, type SyncMetadata as es, type SyncPolicy as et, SyncScheduler as eu, type SyncSchedulerStatus as ev, type SyncStatus as ew, type SyncTarget as ex, type SyncTargetRole as ey, SyncTransaction as ez, type I18nTextDescriptor as f, validatePublicEnvelopeInput as f$, type VaultSchemaSnapshot as f0, type VaultSnapshot as f1, type VaultTemplate as f2, type WarningRules as f3, WeakPassphraseError as f4, type WeakPassphraseReason as f5, type WithArchiveOptions as f6, type WrappedDeksBlob as f7, type WriteConflict as f8, type WriteEvent as f9, loadActiveDelegations as fA, loadPaperRecoveryEntries as fB, loadSealedPassphrase as fC, loadShamirRecoveryEntries as fD, magicLinkGrantRecordId as fE, mintPaperRecoveryEntry as fF, mintShamirRecoveryEntry as fG, mintWrappedDeksBlob as fH, parseRsaOaepTlv as fI, parseSealedEnvelope as fJ, readMagicLinkGrantRecord as fK, recoverUser as fL, removeAuthenticator as fM, resolveSchema as fN, resolveSequenceKey as fO, revokeDelegation as fP, revokeMagicLinkGrant as fQ, runTransaction as fR, savePaperRecoveryEntries as fS, saveSealedPassphrase as fT, saveShamirRecoveryEntries as fU, sealRsaOaepTlv as fV, unwrapDeksFromBlob as fW, unwrapDeksFromPaperEntry as fX, unwrapDeksFromShamirEntry as fY, unwrapMagicLinkGrant as fZ, validatePassphrase as f_, type WriteHook as fa, type WriteQueue as fb, aesGcmOpen as fc, assertStrongPassphrase as fd, buildRecipientKeyringFile as fe, burnPaperRecoveryEntry as ff, createNoydb as fg, createStore as fh, deriveMagicLinkContentKey as fi, enrollAuthenticator as fj, estimateEntropy as fk, evalComputedFields as fl, evaluateExportCapability as fm, evaluateImportCapability as fn, findAuthenticator as fo, hasExportCapability as fp, hasImportCapability as fq, hasRecoveryEnrolled as fr, isMagicLinkGrantExpired as fs, isPublicEnvelope as ft, issueDelegation as fu, recoverPassphrase as fv, rotatePassphrase as fw, listMagicLinkGrants as fx, listUsers as fy, listUsersWithEnvelopes as fz, type I18nTextOptions as g, validateSchemaInput as g0, validateSchemaOutput as g1, withArchive as g2, withDeferredNumbering as g3, writeMagicLinkGrant as g4, changeSecret as g5, createOwnerKeyring as g6, ensureCollectionDEK as g7, grant as g8, loadKeyring as g9, persistKeyring as ga, revoke as gb, updateAuthenticator as gc, updateKeyringIdentity as gd, type TxStrategy as ge, type AmendmentTxOptions as gf, type OnMissingPolicy as h, type StaticDictDescriptor as i, applyI18nLocale as j, dictCollectionName as k, dictKey as l, enforceScript as m, getAtPath as n, i18nText as o, inferScripts as p, isDictCollectionName as q, isDictKeyDescriptor as r, isI18nTextDescriptor as s, isStaticDictDescriptor as t, resolveI18nText as u, resolvePolicy as v, setAtPathInPlace as w, staticDict as x, validateI18nTextValue as y, type SessionStrategy as z };