@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.17

package/dist/{types-DrmBTscX.d.ts → types-CljIHm_J.d.ts}

@@ -1,7 +1,9 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-ChSqcF5t.js';
-import { a7 as NoydbError, o as LiveAggregation, f as AggregateSpec, e as AggregateResult, av as MoneyDescriptor, A as AggregateStrategy } from './strategy-BtW8fAjz.js';
+import { L as LiveAggregation, b as AggregateSpec, a as AggregateResult, v as MoneyDescriptor, A as AggregateStrategy } from './strategy-4M9jo172.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-nP99bXLg.js';
+import { L as LedgerEntry, F as ForgetStrategy, S as SubjectRef, b as ForgetResult } from './index-C-SSRIxP.js';
+import { N as NoydbError } from './errors-Dz64FA65.js';
+import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-DpU6KWof.js';
 import { I as IndexDef, O as Operator, F as FieldClause, C as CollectionIndexes } from './predicate-BmhBSPCH.js';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
@@ -415,6 +417,7 @@ declare class BlobSet {
     private readonly encrypted;
     private readonly userId;
     private readonly maxBlobBytes;
+    private readonly erasableBlobs;
     constructor(opts: {
         store: NoydbStore;
         vault: string;
@@ -424,7 +427,18 @@ declare class BlobSet {
         encrypted: boolean;
         userId?: string;
         maxBlobBytes?: number;
+        erasableBlobs?: boolean;
     });
+    /**
+     * Resolve the key the blob's CHUNKS are encrypted under.
+     *
+     * - `_cek` present (erasable blob) → unwrap the per-blob content CEK under
+     *   the `_blob` DEK. Deleting the BlobObject (at `refCount → 0`) makes this
+     *   key unrecoverable → the chunks are crypto-shredded.
+     * - `_cek` absent (legacy) → the `_blob` DEK encrypts chunks directly.
+     * - unencrypted vault → `null` (chunks stored as plaintext base64).
+     */
+    private resolveChunkKey;
     /** The internal collection that holds slot metadata for this collection's blobs. */
     private get slotsCollection();
     /** The internal collection that holds published versions for this collection's blobs. */
@@ -442,6 +456,73 @@ declare class BlobSet {
      * CAS retry loop for refCount changes on a BlobObject.
      */
     private casUpdateRefCount;
+    /**
+     * Release `n` references to a blob and reclaim it at refCount 0 (#365 slice 4).
+     *
+     * The single reclaim choke point for every reference-drop path — slot
+     * delete/overwrite, published-version delete, and `forget()` shred — so the
+     * refCount-0 policy is uniform:
+     *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+     *    copy of the wrapped content CEK → chunks permanently undecryptable) and
+     *    reclaim the chunks. The crypto-shred is EAGER on every path: GDPR erasure
+     *    must not wait on orphan retention.
+     *  - **legacy blob** (no `_cek`) → reclaimed only when `reclaimLegacy` (the
+     *    `forget()` erasure path); otherwise left for deferred GC so the existing
+     *    `BlobLifecyclePolicy.orphanRetentionDays` semantics are preserved.
+     *
+     * @returns `'shredded'` (erasable, refCount 0, chunks dead) · `'retainedShared'`
+     *   (erasable, still referenced) · `'residue'` (legacy — not a crypto-shred).
+     */
+    private releaseRef;
+    /**
+     * Crypto-shred this record's blob attachments (#365 slice 2) — called by
+     * `vault.forget()`.
+     *
+     * For each distinct eTag the record references (a record may attach the same
+     * content under several slot names → several refCount holds): decrement the
+     * blob's refCount by that many. When it reaches 0:
+     *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+     *    recoverable copy of the wrapped content CEK → chunks permanently
+     *    undecryptable) and reclaim the chunk bytes. This is the crypto-shred.
+     *  - **legacy blob** (no `_cek`) → chunks are under the shared `_blob` DEK and
+     *    stay decryptable until byte-deleted; we delete the orphaned chunks +
+     *    index but report it as residue, not a cryptographic erasure.
+     * When refCount stays > 0 the content legitimately persists for its other
+     * owner — reported as `retainedShared` (or `residue` if legacy).
+     *
+     * Finally drops the record's slot map, severing the subject's link.
+     */
+    shredAllForRecord(): Promise<{
+        shredded: string[];
+        retainedShared: string[];
+        residue: string[];
+    }>;
+    /** CAS retry loop for an arbitrary BlobObject mutation. */
+    private casUpdateBlobObject;
+    /**
+     * Migrate this record's LEGACY blobs (no `_cek`, chunks under the shared
+     * `_blob` DEK) to per-blob content CEKs so they become crypto-shreddable
+     * (#365 slice 3). Returns the eTags migrated vs. already-erasable.
+     *
+     * **Explicit maintenance pass** (mirrors the record-CEK migration posture):
+     * re-encrypts the existing compressed chunks IN PLACE under a fresh content
+     * CEK — preserving the eTag, chunkCount, chunkSize, and compression — then
+     * flips the `_cek` discriminant. Crash-safe + idempotent via `_cekPending`:
+     *   1. persist the wrapped content CEK in `_cekPending` (readers ignore it →
+     *      the blob stays readable under the `_blob` DEK; the key survives a crash);
+     *   2. re-encrypt each chunk under the content CEK (a resume reads an
+     *      already-migrated chunk under the content CEK, else under the `_blob` DEK);
+     *   3. promote `_cekPending` → `_cek` (atomic flip). Reads now use the CEK.
+     * A re-run after a crash resumes from whichever phase was reached.
+     *
+     * Dedup-safe: migrating a shared blob (refCount > 1) re-keys it for every
+     * referencer at once; a non-erasable collection still reads it (it unwraps
+     * `_cek` under the `_blob` DEK it holds).
+     */
+    migrate(): Promise<{
+        migrated: string[];
+        alreadyErasable: string[];
+    }>;
     private writeChunk;
     private readChunk;
     private versionKey;
@@ -598,6 +679,13 @@ interface BlobStrategyOpenArgs {
     readonly getDEK: (collectionName: string) => Promise<CryptoKey>;
     readonly encrypted: boolean;
     readonly userId: string;
+    /**
+     * Collection opts into per-record keys (`perRecordKeys`), so its blobs are
+     * erasable: new uploads mint a per-blob content CEK (crypto-shreddable at
+     * `refCount → 0`). Off → legacy shared-`_blob`-DEK chunks. See the per-blob
+     * CEK design spec.
+     */
+    readonly erasableBlobs?: boolean;
 }
 /**
  * The seam interface. `@internal` — do not build public APIs on this
@@ -807,224 +895,6 @@ interface ConsentStrategy {
     read(adapter: NoydbStore, vault: string, encrypted: boolean, getDEK: (collectionName: string) => Promise<CryptoKey>, filter?: ConsentAuditFilter): Promise<ConsentAuditEntry[]>;
 }
 
-/**
- * Ledger entry shape + canonical JSON + sha256 helpers.
- *
- * This file holds the PURE primitives used by the hash-chained ledger:
- * the entry type, the deterministic (sort-stable) JSON encoder, and
- * the sha256 hasher that produces `prevHash` and `ledger.head()`.
- *
- * Everything here is validator-free and side-effect free — the only
- * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,
- * which we already use for every other hashing operation in the core.
- *
- * The hash chain property works like this:
- *
- *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))
- *   entry[i+1].prevHash  = hash(entry[i])
- *
- * Any modification to `entry[i]` (field values, field order, whitespace)
- * produces a different `hash(entry[i])`, which means `entry[i+1]`'s
- * stored `prevHash` no longer matches the recomputed hash, which means
- * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is
- * append-only and tamper-evident without external anchoring.
- */
-/**
- * A single ledger entry in its plaintext form — what gets serialized,
- * hashed, and then encrypted with the ledger DEK before being written
- * to the `_ledger/` adapter collection.
- *
- * ## Why hash the ciphertext, not the plaintext?
- *
- * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,
- * not its plaintext. This matters:
- *
- *   1. **Zero-knowledge preserved.** A user (or a third party) can
- *      verify the ledger against the stored envelopes without any
- *      decryption keys. The adapter layer already holds only
- *      ciphertext, so hashing the ciphertext keeps the ledger at the
- *      same privacy level as the adapter.
- *
- *   2. **Determinism.** Plaintext → ciphertext is randomized by the
- *      fresh per-write IV, so `hash(plaintext)` would need extra
- *      normalization. `hash(ciphertext)` is already deterministic and
- *      unique per write.
- *
- *   3. **Detection property.** If an attacker modifies even one byte of
- *      the stored ciphertext (trying to flip a record), the hash
- *      changes, the ledger's recorded `payloadHash` no longer matches,
- *      and a data-integrity check fails. We don't do that check in
- *      `verify()` today, but the
- *      hook is there for a future `verifyIntegrity()` follow-up.
- *
- * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are
- * plaintext METADATA about the operation — NOT the record itself. The
- * entry is still encrypted at rest via the ledger DEK, but adapters
- * could theoretically infer operation patterns from the sizes and
- * timestamps. This is an accepted trade-off for the tamper-evidence
- * property; full ORAM-level privacy is out of scope for noy-db.
- */
-interface LedgerEntry {
-    /**
-     * Zero-based sequential position of this entry in the chain. The
-     * canonical adapter key is this number zero-padded to 10 digits
-     * (`"0000000001"`) so lexicographic ordering matches numeric order.
-     */
-    readonly index: number;
-    /**
-     * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.
-     * The genesis entry (index 0) has `prevHash === ''` — the first
-     * entry in a fresh vault has nothing to point back to.
-     */
-    readonly prevHash: string;
-    /**
-     * Which kind of mutation this entry records. only supports
-     * data operations (`put`, `delete`, `amendment`). Access-control
-     * operations (`grant`, `revoke`, `rotate`) will be added in a
-     * follow-up once the keyring write path is instrumented — that's
-     * tracked in the epic issue.
-     *
-     * `'amendment'` is the multi-record audit entry written by the
-     * guards subsystem when an admin/owner uses `withTransactions(...)`
-     * to repair a constraint-violating state. See `amendment` field
-     * below for the structured payload.
-     *
-     * `'lifecycle'` records a non-data audit event (e.g. partition
-     * handover) — `collection`/`id` are empty and the event detail
-     * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
-     * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
-     * skips it in the data cross-check (it still participates in the
-     * tamper-evident chain).
-     */
-    readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration';
-    /** The collection the mutation targeted. */
-    readonly collection: string;
-    /** The record id the mutation targeted. */
-    readonly id: string;
-    /**
-     * The record version AFTER this mutation. For `put` this is the
-     * newly assigned version; for `delete` this is the version that
-     * was deleted (the last version visible to reads).
-     */
-    readonly version: number;
-    /** ISO timestamp of the mutation. */
-    readonly ts: string;
-    /** User id of the actor who performed the mutation. */
-    readonly actor: string;
-    /**
-     * Hex-encoded sha256 of the encrypted envelope's `_data` field.
-     * For `put`, this is the hash of the new ciphertext. For `delete`,
-     * it's the hash of the last visible ciphertext at deletion time,
-     * or the empty string if nothing was there to delete. Hashing the
-     * ciphertext (not the plaintext) preserves zero-knowledge — see
-     * the file docstring.
-     */
-    readonly payloadHash: string;
-    /**
-     * Optional human-readable tag describing why this mutation happened.
-     * Threaded through `collection.put(_, _, { reason })`. Common
-     * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
-     * `as-*` ImportPlan.apply(), but consumers can use any string for
-     * domain-specific audit filtering. Auto-strip via `canonicalJson` —
-     * absent on the wire, never serialized as `null`.
-     *
-     * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.
-     */
-    readonly reason?: string;
-    /**
-     * Optional hex-encoded sha256 of the encrypted JSON Patch delta
-     * blob stored alongside this entry in `_ledger_deltas/`. Present
-     * only for `put` operations that had a previous version — the
-     * genesis put of a new record, and every `delete`, leave this
-     * field undefined.
-     *
-     * The delta payload itself lives in a sibling internal collection
-     * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the
-     * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and
-     * deserialize it when reconstructing a historical version.
-     *
-     * Why optional instead of always-present: the first put of a
-     * record has no previous version to diff against, so storing an
-     * empty patch would be noise. For deletes there's no "next" state
-     * to describe with a delta. Both cases set this field to undefined.
-     *
-     * Note: the canonical-JSON hasher treats `undefined` as invalid
-     * (it's one of the guard rails), so on the wire this field is
-     * either `{ deltaHash: '<hex>' }` or absent from the JSON
-     * entirely — never `{ deltaHash: undefined }`.
-     */
-    readonly deltaHash?: string;
-    /**
-     * Present only when `op === 'amendment'`. Records the human reason,
-     * the role of the actor, the (collection, id, vBefore, vAfter) tuple
-     * for every record touched, and which guard invariants passed.
-     *
-     * See docs/superpowers/specs/2026-05-18-guards-design.md.
-     */
-    readonly amendment?: {
-        readonly reason: string;
-        readonly role: 'admin' | 'owner';
-        readonly changes: ReadonlyArray<{
-            readonly collection: string;
-            readonly id: string;
-            readonly vBefore: number;
-            readonly vAfter: number;
-        }>;
-        readonly invariantsPassed: ReadonlyArray<string>;
-    };
-}
-/**
- * Canonical (sort-stable) JSON encoder.
- *
- * This function is the load-bearing primitive of the hash chain:
- * `sha256(canonicalJSON(entry))` must produce the same hex string
- * every time, on every machine, for the same logical entry — otherwise
- * `verify()` would return `{ ok: false }` on cross-platform reads.
- *
- * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:
- * it preserves the insertion order of object keys, which means
- * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by
- * recursively walking objects and sorting their keys before
- * concatenation.
- *
- * Arrays keep their original order (reordering them would change
- * semantics). Numbers, strings, booleans, and `null` use the default
- * JSON encoding. `undefined` and functions are rejected — ledger
- * entries are plain data, and silently dropping `undefined` would
- * break the "same input → same hash" property if a caller forgot to
- * omit a field.
- *
- * Performance: one pass per nesting level; O(n log n) for key sorting
- * at each object. Entries are small (< 1 KB) so this is negligible
- * compared to the sha256 call.
- */
-declare function canonicalJson(value: unknown): string;
-/**
- * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.
- *
- * We use hex (not base64) for hashes because hex is case-insensitive,
- * fixed-length (64 chars), and easier to compare visually in debug
- * output. Base64 would save a few bytes in storage but every encrypted
- * ledger entry is already much larger than the hash itself.
- */
-declare function sha256Hex(input: string): Promise<string>;
-/**
- * Compute the canonical hash of a ledger entry. Short wrapper around
- * `canonicalJson` + `sha256Hex`; callers use this instead of composing
- * the two functions every time, so any future change to the hashing
- * pipeline (e.g., adding a domain-separation prefix) lives in one place.
- */
-declare function hashEntry(entry: LedgerEntry): Promise<string>;
-/**
- * Pad an index to the canonical 10-digit form used as the adapter key.
- * Ten digits is enough for ~10 billion ledger entries per vault
- * — far beyond any realistic use case, but cheap enough that the extra
- * digits don't hurt storage.
- */
-declare function paddedIndex(index: number): string;
-/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */
-declare function parseIndex(key: string): number;
-
 /**
  * RFC 6902 JSON Patch — compute + apply.
  *
@@ -2572,6 +2442,88 @@ declare function dictKey<Keys extends string>(name: string, keys?: readonly Keys
 }): DictKeyDescriptor<Keys>;
 /** Runtime predicate for detecting a DictKeyDescriptor. */
 declare function isDictKeyDescriptor(x: unknown): x is DictKeyDescriptor;
+/**
+ * Descriptor returned by `staticDict()`. A sibling to {@link DictKeyDescriptor}
+ * for **closed, defined-in-code, identical-across-vaults** enums (honorific,
+ * civil-status, gender, religion, ContactTitle, status…).
+ *
+ * Unlike `dictKey`, the labels are supplied **at registration in code** and
+ * resolved through the *same* label machinery, but with **no `_dict_*`
+ * per-vault encrypted copy** and **no `rename()`**. The record stores only
+ * the **code**; a static dict has no mutation surface.
+ *
+ * **Hybrid resolution.** Because a static dict is pure code with no
+ * vault-locale dependency, it can — via a configured `displayLocale` — emit a
+ * `<field>Label` even under a **locale-less read** (the property a locale-less
+ * consumer needs and `dictKey` cannot provide). When a locale *is* active it
+ * behaves exactly like `dictKey` (honoring `onMissing`/`substitute`).
+ *
+ * ```ts
+ * const workers = vault.collection<Worker>('workers', {
+ *   dictKeyFields: {
+ *     civilStatus: staticDict('civilStatus', {
+ *       adultMale:   { th: 'นาย',    en: 'Mr'  },
+ *       adultFemale: { th: 'นาง',    en: 'Mrs' },
+ *     }, { displayLocale: 'th' }),
+ *   },
+ * })
+ * ```
+ */
+interface StaticDictDescriptor<Keys extends string = string> {
+    readonly _noydbStaticDict: true;
+    /** Which dictionary this field references (the registry name). */
+    readonly name: string;
+    /** The in-code label table: key → { locale → label }. */
+    readonly table: Readonly<Record<Keys, Readonly<Record<string, string>>>>;
+    /** Declared valid keys — derived from `Object.keys(table)`. */
+    readonly keys: readonly Keys[];
+    /**
+     * Locale used to emit `<field>Label` under a **locale-less** read — the
+     * hybrid hinge. When unset, a static dict behaves like `dictKey` under a
+     * locale-less read (no label); a locale-less consumer almost always wants
+     * it set.
+     */
+    readonly displayLocale?: string;
+    /** Same `onMissing` policy engine as `dictKey`. Default `'null'`. */
+    readonly onMissing?: OnMissingPolicy;
+    /** Ordered preferred-substitute locales for label resolution. */
+    readonly substitute?: readonly string[];
+    /**
+     * Validate the stored code against `keys` on every `put()`. Default `true`
+     * — codes are closed by construction, so an unknown code is a bug. Set
+     * `false` to allow open codes (skips the `UnknownDictCodeError` guard).
+     */
+    readonly validateCodes?: boolean;
+}
+/**
+ * Create a `StaticDictDescriptor` for a code-provided enum field — a sibling
+ * to {@link dictKey} for closed, code-defined, identical-across-vaults enums.
+ *
+ * The labels live in `table` (no `_dict_*` collection, no `rename()`); the
+ * record stores only the stable code. Pass `displayLocale` so `<field>Label`
+ * resolves even under a locale-less read.
+ *
+ * @param name   The dictionary name (used for the readonly-guard registry and
+ *               the query label seam — never creates a `_dict_<name>` key).
+ * @param table  `{ key: { locale: label } }` map.
+ * @param opts   `displayLocale` (locale-less label), `onMissing`, `substitute`.
+ *
+ * @example
+ * ```ts
+ * staticDict('civilStatus', {
+ *   adultMale:   { th: 'นาย',    en: 'Mr'  },
+ *   adultFemale: { th: 'นาง',    en: 'Mrs' },
+ * }, { displayLocale: 'th' })
+ * ```
+ */
+declare function staticDict<const T extends Record<string, Record<string, string>>>(name: string, table: T, opts?: {
+    displayLocale?: string;
+    onMissing?: OnMissingPolicy;
+    substitute?: readonly string[];
+    validateCodes?: boolean;
+}): StaticDictDescriptor<Extract<keyof T, string>>;
+/** Runtime predicate for detecting a StaticDictDescriptor. */
+declare function isStaticDictDescriptor(x: unknown): x is StaticDictDescriptor;
 /**
  * One entry in a `_dict_*` collection. The record `id` (adapter-side
  * key) IS the stable dictionary key (e.g. `'paid'`). The `labels`
@@ -3475,6 +3427,12 @@ interface HistoryStrategy {
      * `NO_HISTORY`.
      */
     clearHistory(adapter: NoydbStore, vault: string, collection?: string, recordId?: string): Promise<number>;
+    /**
+     * Crypto-shred (overwrite-to-tombstone) every `_history` version of a
+     * record for GDPR erasure (#304). Returns the number of versions newly
+     * tombstoned, or `0` under `NO_HISTORY` (no history = nothing to shred).
+     */
+    tombstoneHistory(adapter: NoydbStore, vault: string, collection: string, recordId: string, actor: string): Promise<number>;
     /**
      * Compute the SHA-256 hash of an envelope's encrypted payload, used
      * by `LedgerStore.append` to track tamper-evidence. Returns the
@@ -5737,6 +5695,7 @@ declare class Noydb {
     private readonly policyEnforcers;
     private readonly vaultTemplates;
     private readonly txStrategy;
+    private readonly forgetStrategy;
     private readonly sessionStrategy;
     private readonly syncStrategy;
     private readonly snapshotStrategy;
@@ -5761,6 +5720,8 @@ declare class Noydb {
     /** Audit log for all translator invocations in this session. Cleared on `close()`. */
     private readonly _translatorAuditLog;
     constructor(options: NoydbOptions);
+    /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+    get _forgetStrategy(): ForgetStrategy;
     private resetSessionTimer;
     /**
      * Attach a policy enforcer for a vault.
@@ -7761,58 +7722,339 @@ declare class ReadOnlyVaultFacade implements ReadOnlyVaultFacade$1 {
 }
 
 /**
- * `vault.exportBlobs()` — bulk blob extraction primitive.
+ * Managed-passphrase mode — rubber-hose-resistant vaults.
  *
- * Async-iterable handle over every blob attached to records in a
- * vault, optionally filtered by collection allowlist and per-record
- * predicate. Emits tuples of `{ blobId, recordRef, bytes, meta }` so
- * the consumer can pipe into any sink (zip stream, S3 multipart, USB
- * copy, cold-storage tape) without pulling the whole export into
- * memory.
+ * A vault mode where the passphrase is machine-generated and never
+ * exposed to the user, sealed under a developer-provided
+ * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
+ * Manager, libsecret, AWS KMS, …). The user has no secret to give
+ * up to coercion — they can't reveal what they don't know.
  *
- * ## Auth + audit
+ * ## Components in this file
  *
- * - Capability check runs **once** at handle creation via
- *   `Vault.assertCanExport('plaintext', 'blob')`. An operator whose
- *   keyring lacks that bit fails before a single byte of ciphertext
- *   is decrypted.
- * - Audit entry lands in `_export_audit` at handle creation: the
- *   actor, start timestamp, target collections, predicate presence,
- *   and batch mechanism. **No content hashes** — per the spec
- *   non-correlation invariant.
+ *   - {@link SealingKeyProvider} — the interface concrete providers
+ *     implement. Provider implementations live OUTSIDE hub (per-
+ *     platform packages).
+ *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
+ *     a deterministic per-instance "key" so two providers with
+ *     different ids cannot unseal each other's outputs.
+ *   - {@link RecipientHint} — public material a sender uses to seal
+ *     plaintext for a specific recipient; published by
+ *     {@link RecipientSealer.publishRecipientHint} and transported
+ *     out-of-band to the sender before bundle writes.
+ *   - {@link RecipientSealer} — interface for asymmetric/granted
+ *     providers that support recipient-target sealing (RSA-OAEP,
+ *     cloud-KMS asymmetric, etc.); distinct from self-only
+ *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
+ *   - {@link MemoryRecipientSealer} — in-process reference
+ *     implementation of both `RecipientSealer` and
+ *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
+ *     safe for tests and same-process sender/recipient scenarios.
+ *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
+ *     plaintext envelope storage at `_meta/sealed-passphrase`.
+ *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
+ *     GCM-bypassed patterns. The sealing layer (provider's job)
+ *     is the security boundary; hub doesn't have a key to encrypt
+ *     with at this layer — that's the whole point of the design.
+ *   - {@link resolveManagedSecret} — orchestrates the "generate +
+ *     seal + persist on first open; unseal on reopen" flow.
+ *     Returns the plaintext passphrase string that the rest of the
+ *     `createNoydb` keyring path consumes.
  *
- * ## Abort + resume
+ * Deferred to follow-ups:
+ *   - Block `rotate-passphrase` policy gate under managed mode.
+ *   - Mandatory strong-recovery enforcement.
+ *   - Recovery flow under managed mode (generates fresh sealed phrase).
  *
- * - `handle.abort()` flips the internal signal; the next iteration
- *   boundary throws `AbortError`. Consumers already in `for await`
- *   can catch and exit cleanly.
- * - Restart after a partial failure with `{ afterBlobId }` — the
- *   iterator skips tuples up to (and including) that blob id before
- *   yielding again. Combined with a blob-count ceiling it supports
- *   idempotent batch re-runs.
+ * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
  *
  * @module
  */
 
-interface ExportBlobsOptions {
+/**
+ * The contract concrete providers (per-platform key stores) implement
+ * to seal and unseal a hub-generated random passphrase. The plaintext
+ * passphrase NEVER leaves hub-controlled memory in unsealed form —
+ * the provider receives the bytes, returns opaque sealed bytes, and
+ * later reverses the operation. Hub treats the sealed bytes as
+ * fully opaque.
+ *
+ * Implementations live OUTSIDE `@noy-db/hub` (separate packages
+ * per the issue's "Concrete providers (live outside hub)" note):
+ *
+ * | Platform | Package (TBD) | Backing |
+ * |---|---|---|
+ * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
+ * | Windows | `@noy-db/seal-wincred` | Credential Manager |
+ * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
+ * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
+ */
+interface SealingKeyProvider {
     /**
-     * Collection allowlist. Omit to export blobs from every collection
-     * the caller has read access to.
+     * Non-sensitive identifier disclosed in the persisted envelope.
+     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
+     * a vault opened with the wrong provider class can detect the
+     * mismatch and surface a clear error. NOT secret — fine to log.
+     *
+     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
+     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
+     * parses this; it's purely audit metadata.
      */
-    readonly collections?: readonly string[];
+    readonly id: string;
+    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
     /**
-     * Per-record predicate. Called on the decrypted record BEFORE any
-     * blob bytes are read for that record — returning false skips the
-     * record and all its slots without touching their chunks.
+     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
+     * any other failure — hub treats a thrown error as "this provider
+     * cannot unlock this vault" and surfaces it to the caller.
      */
-    readonly where?: (record: unknown, context: {
-        collection: string;
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * In-memory test provider. NOT secure — uses a deterministic
+ * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
+ * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
+ * sufficient to make different `id` values produce mutually-unsealable
+ * outputs (the contract tests for that), but offers ZERO real
+ * confidentiality — never use outside tests.
+ *
+ * Replace with a real platform provider in production.
+ */
+declare class MemorySealingKeyProvider implements SealingKeyProvider {
+    readonly id: string;
+    private readonly fingerprint;
+    private readonly keyBytes;
+    constructor(opts: {
         id: string;
-    }) => boolean;
+    });
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * Public material a sender uses to seal-for-this-recipient. Published by
+ * a recipient's RecipientSealer; transported to the sender out-of-band
+ * (email, S3, in-app message). The sender obtains the hint, supplies it
+ * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
+ * hub seals each user's credential against it. Per foundation §11.4.
+ */
+type RecipientHint = {
+    readonly v: 1;
+    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
+    readonly pid: string;
+    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
+    readonly alg: 'rsa-oaep-sha256';
+    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
+    readonly material: Readonly<Record<string, unknown>>;
+};
+/**
+ * Handover-capable provider. Implemented additionally by asymmetric/granted
+ * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
+ * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
+ * implement this — the §11.2 capability matrix lives in the type system.
+ *
+ * Per foundation §11.4. A function that requires recipient-target sealing
+ * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
+ * passing a self-only provider at the spec site.
+ */
+interface RecipientSealer {
+    readonly id: string;
+    /** Produce hint material a sender uses to seal-for-this-recipient. */
+    publishRecipientHint(): Promise<RecipientHint>;
     /**
-     * Resume after a specific blob id. The iterator skips tuples up to
-     * and including this id, then yields. Format of the id is the same
-     * as `ExportedBlob.blobId` (the HMAC-keyed eTag).
+     * Seal plaintext for the recipient described by `hint`. Returns opaque
+     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
+     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
+     * without inspecting them.
+     */
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+}
+/**
+ * Shared RSA-OAEP-SHA256 + AES-GCM seal in the canonical recipient-target
+ * TLV wire format. Mints a fresh 32-byte CEK, AES-GCM-encrypts `plaintext`
+ * under it, RSA-OAEP-SHA256-wraps the CEK to `publicKeyPem`, and packs:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * This is the single source of truth for the wire format — both
+ * {@link MemoryRecipientSealer} and external sealers (e.g. `@noy-db/at-aws-kms`'s
+ * asymmetric-KMS recipient sealer) call it so a blob sealed by one unseals
+ * by the other. WebCrypto RSA-OAEP/SHA-256 here is wire-compatible with
+ * AWS KMS `RSAES_OAEP_SHA_256` (both RSAES-OAEP, SHA-256 hash, MGF1-SHA256,
+ * empty label).
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function sealRsaOaepTlv(plaintext: Uint8Array, publicKeyPem: string): Promise<Uint8Array>;
+/**
+ * Parse a {@link sealRsaOaepTlv} blob into its three segments without
+ * decrypting. The `wrapped` CEK is RSA-OAEP-SHA256 ciphertext over a
+ * 32-byte CEK — the unwrap step is pluggable: {@link MemoryRecipientSealer}
+ * decrypts it with a local RSA private key; `@noy-db/at-aws-kms` hands it to
+ * KMS `Decrypt`. After unwrapping, pass the CEK + `iv` + `ct` to
+ * {@link aesGcmOpen}.
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function parseRsaOaepTlv(bytes: Uint8Array): {
+    wrapped: Uint8Array;
+    iv: Uint8Array;
+    ct: Uint8Array;
+};
+/**
+ * AES-GCM-decrypt the `ct` segment of a {@link parseRsaOaepTlv} result under
+ * the unwrapped 32-byte CEK and its `iv`. Throws on a bad tag (tamper) — the
+ * same authenticated-decryption guarantee the TLV relies on.
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function aesGcmOpen(cekBytes: Uint8Array, iv: Uint8Array, ct: Uint8Array): Promise<Uint8Array>;
+/**
+ * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
+ * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
+ * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
+ * result into a self-describing TLV:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
+ * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
+ * for tests where one provider plays both ends. Real cloud providers
+ * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
+ * contract is round-trip identity.
+ *
+ * SAFE for production within its scope — the cryptography is real
+ * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
+ * and is regenerated on every construction. Not suitable as a managed
+ * keychain; use it for tests and for shipping bundles where the
+ * recipient instance lives in the same process as the sender (rare).
+ */
+declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
+    readonly id: string;
+    private readonly keypair;
+    constructor(opts: {
+        id: string;
+    });
+    publishRecipientHint(): Promise<RecipientHint>;
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    unseal(bytes: Uint8Array): Promise<Uint8Array>;
+}
+/** Reserved id for the managed-passphrase envelope under `_meta`. */
+declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
+/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
+interface SealedPassphrase {
+    readonly _noydb_sealed: 1;
+    readonly providerId: string;
+    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
+    readonly sealed: Uint8Array;
+}
+/**
+ * Wire-format envelope persisted at `_meta/sealed-passphrase` for
+ * managed-mode vaults. The provider produces raw sealed bytes via
+ * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
+ * metadata hub needs to pick the right provider on the unseal path.
+ *
+ * Stability boundary: once shipped, the wire format only grows by
+ * adding optional fields. See the at-* sealing dimension foundation
+ * doc, §11.9.1.
+ *
+ * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
+ *
+ * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
+ * — accepted on read for backwards compatibility; never produced on
+ * write going forward.
+ */
+interface SealedEnvelope {
+    /** Envelope schema version. v1 is the current shape. */
+    readonly v: 1;
+    /** Magic marker for forensics + legacy-shape detection. */
+    readonly _noydb_sealed: 1;
+    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
+    readonly pid: string;
+    /** Sealed bytes from the provider, base64-encoded on the wire. */
+    readonly payload: string;
+}
+/**
+ * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
+ * in-memory {@link SealedPassphrase} representation. Accepts both:
+ *
+ *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
+ *      the current shape.
+ *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
+ *      read-only; never written
+ *      going forward.
+ *
+ * Returns `undefined` for any input that doesn't match either shape,
+ * so callers can fall back to "no managed-mode envelope present."
+ *
+ * @internal — exported only for the migration safety-net test suite.
+ */
+declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
+declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
+    readonly providerId: string;
+    readonly sealed: Uint8Array;
+}): Promise<void>;
+declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
+
+/**
+ * `vault.exportBlobs()` — bulk blob extraction primitive.
+ *
+ * Async-iterable handle over every blob attached to records in a
+ * vault, optionally filtered by collection allowlist and per-record
+ * predicate. Emits tuples of `{ blobId, recordRef, bytes, meta }` so
+ * the consumer can pipe into any sink (zip stream, S3 multipart, USB
+ * copy, cold-storage tape) without pulling the whole export into
+ * memory.
+ *
+ * ## Auth + audit
+ *
+ * - Capability check runs **once** at handle creation via
+ *   `Vault.assertCanExport('plaintext', 'blob')`. An operator whose
+ *   keyring lacks that bit fails before a single byte of ciphertext
+ *   is decrypted.
+ * - Audit entry lands in `_export_audit` at handle creation: the
+ *   actor, start timestamp, target collections, predicate presence,
+ *   and batch mechanism. **No content hashes** — per the spec
+ *   non-correlation invariant.
+ *
+ * ## Abort + resume
+ *
+ * - `handle.abort()` flips the internal signal; the next iteration
+ *   boundary throws `AbortError`. Consumers already in `for await`
+ *   can catch and exit cleanly.
+ * - Restart after a partial failure with `{ afterBlobId }` — the
+ *   iterator skips tuples up to (and including) that blob id before
+ *   yielding again. Combined with a blob-count ceiling it supports
+ *   idempotent batch re-runs.
+ *
+ * @module
+ */
+
+interface ExportBlobsOptions {
+    /**
+     * Collection allowlist. Omit to export blobs from every collection
+     * the caller has read access to.
+     */
+    readonly collections?: readonly string[];
+    /**
+     * Per-record predicate. Called on the decrypted record BEFORE any
+     * blob bytes are read for that record — returning false skips the
+     * record and all its slots without touching their chunks.
+     */
+    readonly where?: (record: unknown, context: {
+        collection: string;
+        id: string;
+    }) => boolean;
+    /**
+     * Resume after a specific blob id. The iterator skips tuples up to
+     * and including this id, then yields. Format of the id is the same
+     * as `ExportedBlob.blobId` (the HMAC-keyed eTag).
      */
     readonly afterBlobId?: string;
     /**
@@ -8638,6 +8880,7 @@ declare class Vault {
     private readonly periodsStrategy;
     private readonly shadowStrategy;
     private readonly historyStrategy;
+    private readonly forgetStrategy;
     private readonly i18nStrategy;
     private readonly syncStrategy;
     /**
@@ -8799,6 +9042,27 @@ declare class Vault {
      * Populated by `collection()` when the `dictKeyFields` option is passed.
      */
     private readonly dictKeyFieldRegistry;
+    /**
+     * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+     * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+     * vault must still *know* a name is static so `vault.dictionary(name)` can
+     * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+     * config time whenever a `StaticDictDescriptor` is seen.
+     */
+    private readonly staticDictNames;
+    /**
+     * Static-dict descriptors keyed by dictionary name (#291). Backs the
+     * read-path label resolver (resolve from the in-memory table) and the
+     * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+     * name is registered by multiple collections (identical-across-vaults by
+     * construction, so the tables match).
+     */
+    private readonly staticByName;
+    /**
+     * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+     * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+     */
+    private readonly staticDescriptorByField;
     /**
      * Registry of i18nText fields declared across all collections. Keyed
      * by collection name → field name → I18nTextDescriptor. Used by
@@ -8858,6 +9122,7 @@ declare class Vault {
         syncStrategy?: SyncStrategy | undefined;
         guardStrategies?: ReadonlyArray<GuardStrategyHandleAny> | undefined;
         numberingConfigs?: ReadonlyArray<DeferredNumberingConfig> | undefined;
+        forgetStrategy?: ForgetStrategy | undefined;
     });
     /**
      * Construct (or reconstruct) the lazy DEK resolver. Captures the
@@ -8907,8 +9172,8 @@ declare class Vault {
         refs?: Record<string, RefDescriptor>;
         /** — declare i18nText fields for locale-aware reads. */
         i18nFields?: Record<string, I18nTextDescriptor>;
-        /** — declare dictKey fields for label resolution on reads. */
-        dictKeyFields?: Record<string, DictKeyDescriptor>;
+        /** — declare dictKey / staticDict fields for label resolution on reads. */
+        dictKeyFields?: Record<string, DictKeyDescriptor | StaticDictDescriptor>;
         /** — declare money() fields for currency-safe decimal storage/formatting. */
         moneyFields?: Record<string, MoneyDescriptor>;
         /** — declare computed scalar fields, evaluated on write (schema-owned). */
@@ -8925,6 +9190,14 @@ declare class Vault {
         deterministicFields?: readonly string[];
         /** — explicit ack that deterministic encryption leaks equality. */
         acknowledgeDeterministicRisk?: boolean;
+        /**
+         * — per-record content-encryption keys. When `true`, every record
+         * body is encrypted under a fresh per-record CEK wrapped under the
+         * collection DEK (`_cek`), stable across versions. Foundation for
+         * per-record erasure (#304) / record-scoped sealing (#306). Off by
+         * default; non-adopting collections take the legacy path unchanged.
+         */
+        perRecordKeys?: boolean;
         /**
          * declarative blob retention / TTL policy per slot
          * name. Values are `{ retainDays?, evictWhen? }`. Evaluated only
@@ -9011,6 +9284,14 @@ declare class Vault {
      * `MissingTranslationError` when a required translation is absent.
      */
     enforceI18nOnPut(collectionName: string, record: unknown): void;
+    /**
+     * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+     * field, every stored code must be a declared key of the descriptor's
+     * table, else `UnknownDictCodeError`. Opt out per descriptor with
+     * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+     * field paths via `getAtPath` (same path support as i18n validation).
+     */
+    enforceStaticDictOnPut(collectionName: string, record: unknown): void;
     /**
      * Apply locale resolution to a record for the given collection.
      *
@@ -9351,6 +9632,102 @@ declare class Vault {
      * throws on null; this one stays silent so the off-path no-ops.
      */
     private getLedgerOrNull;
+    /** @internal — add a subject→record ref to the encrypted subject index. */
+    _addSubjectRef(subjectId: string, ref: SubjectRef): Promise<void>;
+    /** @internal — drop a subject→record ref from the encrypted subject index. */
+    _removeSubjectRef(subjectId: string, ref: SubjectRef): Promise<void>;
+    /**
+     * Rebuild the encrypted subject index from canonical records. The recovery
+     * path for the documented read-modify-write race (RISK #3). Returns the
+     * number of distinct subjects re-indexed.
+     */
+    rebuildSubjectIndex(): Promise<number>;
+    /**
+     * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+     * index and, per matching record:
+     *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+     *   - tombstones every `_history` version of the record,
+     * so the body and all prior versions become permanently undecryptable while
+     * the collection DEK and every OTHER record stay intact. Then appends ONE
+     * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+     * the chain still `verify()`s, PROVING the subject existed and was erased
+     * without retaining any plaintext.
+     *
+     * Reports — but does not silently swallow — two completeness gaps:
+     *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+     *     per-record CEK (legacy body still under the shared collection DEK). It
+     *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+     *     backup before migration) stays decryptable. Migrate, then re-forget.
+     *   - `blobResidueCollections`: a shredded record still has blob attachments,
+     *     which are keyed off a separate `_blob` DEK and are out of scope here.
+     *
+     * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+     */
+    forget(subjectId: string): Promise<ForgetResult>;
+    /**
+     * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+     * host — and only that host — can decrypt exactly that record, with no
+     * access to the vault DEK and no ability to read any other record.
+     *
+     * The grantor (this caller, who holds the collection DEK) reads the record's
+     * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+     * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+     * seals that binding for the recipient host via the host's published hint,
+     * and persists a thin {@link SealedCekDeliveryEnvelope} at
+     * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+     * envelope) is the security boundary: the host re-verifies `{collection, id}`
+     * and `expiresAt` from inside the sealed payload.
+     *
+     * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+     * seal (its body is under the shared collection DEK, which is never exposed
+     * by sealing) → {@link RecordCekNotFoundError}.
+     *
+     * @param collection Collection holding the record.
+     * @param id         Record id.
+     * @param hostSealer The recipient host's {@link RecipientSealer}.
+     * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+     *   the binding the host verifies.
+     * @returns `{ pid, envelopeKey }` — the host provider id and the
+     *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+     */
+    sealRecordToHost(collection: string, id: string, hostSealer: RecipientSealer, opts: {
+        expiresAt: string;
+    }): Promise<{
+        pid: string;
+        envelopeKey: string;
+    }>;
+    /**
+     * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+     * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+     * that already fetched the envelope keeps whatever it cached. For a hard
+     * revocation that makes the live record undecryptable to every prior grant,
+     * use {@link rotateRecordCek}.
+     */
+    revokeSealedRecord(collection: string, id: string, pid: string): Promise<void>;
+    /**
+     * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+     * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+     * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+     * record. After this, any host holding a previously-sealed CEK can still
+     * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+     * the rotated live record (its body is under the new CEK → the old CEK fails
+     * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+     * old grants lose the live record.
+     *
+     * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+     * history snapshot, no materialized-view refresh): rotation is a key-rotation
+     * operation, not a business write, and must not version-bump history (which
+     * would re-encrypt the prior version under the NEW CEK and defeat the point).
+     *
+     * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+     */
+    rotateRecordCek(collection: string, id: string): Promise<void>;
+    /**
+     * Build the {@link SealingContext} the record-keys grantor functions need:
+     * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+     * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+     */
+    private sealingContext;
     /**
      * @internal — called by `Noydb.openVault` after construction.
      * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -10343,6 +10720,25 @@ declare class Collection<T> {
      * is inactive for this collection; a frozen `Set` otherwise.
      */
     private readonly deterministicFields;
+    /**
+     * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+     * reuse a per-record content-encryption key and stamp `_cek` on the
+     * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+     * non-adopting collection takes the byte-identical legacy path. The READ
+     * path does not consult this flag: `_cek` presence on the envelope is the
+     * format discriminant, so a mixed vault (and a recipient that never set the
+     * flag) still decrypts CEK records.
+     */
+    private readonly perRecordCek;
+    /**
+     * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+     * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+     * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+     * collection instance is discarded — `vault.load()` clears the
+     * collectionCache, so a keyring refresh drops every CEK alongside the
+     * DEK cache. `null` unless `perRecordCek` is set.
+     */
+    private readonly cekCache;
     /**
      * declared tiers for this collection. `null` when
      * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -10563,7 +10959,7 @@ declare class Collection<T> {
         /** — i18nText field descriptors for locale-aware reads. */
         i18nFields?: Record<string, I18nTextDescriptor> | undefined;
         /** — dictKey field descriptors for label resolution on reads. */
-        dictKeyFields?: Record<string, DictKeyDescriptor> | undefined;
+        dictKeyFields?: Record<string, DictKeyDescriptor | StaticDictDescriptor> | undefined;
         moneyFields?: Record<string, MoneyDescriptor> | undefined;
         computed?: ComputedFields | undefined;
         /**
@@ -10646,6 +11042,15 @@ declare class Collection<T> {
          * any deterministic field is declared. Any other value throws.
          */
         acknowledgeDeterministicRisk?: boolean | undefined;
+        /**
+         * Per-record content-encryption keys. When `true`, every record body
+         * (and every history version of it) is encrypted under a fresh
+         * per-record CEK, AES-KW-wrapped under the collection DEK and stored
+         * on the envelope's `_cek`. Off by default. Foundation for per-record
+         * erasure (#304) and record-scoped sealing (#306). `_det` slots stay
+         * keyed to the collection DEK regardless.
+         */
+        perRecordKeys?: boolean | undefined;
         /**
          * declared tiers this collection supports. An
          * undefined or empty list disables the hierarchical-tier surface
@@ -10865,6 +11270,37 @@ declare class Collection<T> {
      */
     _internalDelete(id: string, txCtx?: TxContext | null): Promise<void>;
     private _doDelete;
+    /**
+     * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+     *
+     * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+     * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+     * the body — and (via {@link tombstoneHistory}) every history version under
+     * the same CEK — is permanently undecryptable; the collection DEK and every
+     * other record are untouched. `_det` is stripped too, so `findByDet` no
+     * longer matches the shredded record (avoiding a post-shred TamperedError).
+     *
+     * Unlike `delete()`/`_internalDelete`, this:
+     *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+     *     erasure, not a domain delete — re-running those would be wrong),
+     *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+     *     single `op:'forget'` summary for the whole subject),
+     *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+     *     so the version counter + "record existed" survive for audit.
+     *
+     * Idempotent: returns `null` when the record is absent or already a tombstone.
+     * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+     * lazy LRU, and the per-record CEK cache for this id.
+     */
+    /**
+     * @internal — decrypt an envelope to a plain record for subject-index
+     * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+     * Skips schema validation — the rebuild only reads the subject field.
+     */
+    _decodeEnvelope(envelope: EncryptedEnvelope, id: string): Promise<Record<string, unknown> | null>;
+    _writeTombstone(id: string, actor: string): Promise<{
+        previousVersion: number;
+    } | null>;
     /**
      * Cascade deletes of array-shape derived rows when a source row is
      * deleted. Reads each registered strategy's fanout sidecar
@@ -11166,6 +11602,16 @@ declare class Collection<T> {
      * the cache entry (record still present) or deletes it (record was
      * gone before the tx and the revert deleted it again).
      */
+    /**
+     * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+     * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+     * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+     * the post-rotation body). Eviction must be synchronous with the live-envelope
+     * rewrite so no concurrent read observes the old CEK. Paired with
+     * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+     * No-op when the collection is not `perRecordKeys`.
+     */
+    _invalidateCekCacheEntry(id: string): void;
     _invalidateCacheEntry(id: string): Promise<void>;
     /**
      * Apply a peer tab's committed write to THIS tab's in-memory view:
@@ -11378,6 +11824,21 @@ declare class Collection<T> {
      * query with no index would need to enumerate the whole collection.
      */
     lazyQuery(): LazyQuery<T>;
+    /**
+     * Resolve the stable CEK for a record on the WRITE path — see
+     * {@link resolveStableCek}. Thin delegate that supplies the collection's
+     * CEK cache, live-envelope reader, and DEK resolver.
+     */
+    private resolveRecordCek;
+    /**
+     * Encrypt a JSON body into an envelope.
+     *
+     * When `cek` is supplied (per-record CEK collections), the body is
+     * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+     * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+     * path encrypts the body directly under the collection DEK — byte-identical
+     * to pre-CEK behaviour, so non-adopting collections pay nothing.
+     */
     private encryptJsonString;
     private encryptRecord;
     /**
@@ -11459,7 +11920,20 @@ declare class Collection<T> {
     demote(id: string, toTier: number): Promise<void>;
     private isElevatorOrOwner;
     private emitCrossTierEvent;
-    /** Low-level: decrypt an envelope and return the raw JSON string. */
+    /**
+     * Low-level: decrypt an envelope and return the raw JSON string.
+     *
+     * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+     * so a mixed vault — and a recipient that never opted into
+     * `perRecordKeys` — decrypts both legacy and CEK records:
+     *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+     *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+     *  - `_cek` absent → legacy path, body decrypts directly under the
+     *    collection DEK.
+     *
+     * The optional `id` lets reads populate the CEK cache; it is omitted by
+     * callers (history, conflict merge) that have only the envelope.
+     */
     private decryptJsonString;
     /**
      * Decrypt an envelope into a record of type `T`.
@@ -11736,244 +12210,6 @@ interface SessionStrategy {
     revokeAllSessions(): void;
 }
 
-/**
- * Managed-passphrase mode — rubber-hose-resistant vaults.
- *
- * A vault mode where the passphrase is machine-generated and never
- * exposed to the user, sealed under a developer-provided
- * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
- * Manager, libsecret, AWS KMS, …). The user has no secret to give
- * up to coercion — they can't reveal what they don't know.
- *
- * ## Components in this file
- *
- *   - {@link SealingKeyProvider} — the interface concrete providers
- *     implement. Provider implementations live OUTSIDE hub (per-
- *     platform packages).
- *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
- *     a deterministic per-instance "key" so two providers with
- *     different ids cannot unseal each other's outputs.
- *   - {@link RecipientHint} — public material a sender uses to seal
- *     plaintext for a specific recipient; published by
- *     {@link RecipientSealer.publishRecipientHint} and transported
- *     out-of-band to the sender before bundle writes.
- *   - {@link RecipientSealer} — interface for asymmetric/granted
- *     providers that support recipient-target sealing (RSA-OAEP,
- *     cloud-KMS asymmetric, etc.); distinct from self-only
- *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
- *   - {@link MemoryRecipientSealer} — in-process reference
- *     implementation of both `RecipientSealer` and
- *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
- *     safe for tests and same-process sender/recipient scenarios.
- *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
- *     plaintext envelope storage at `_meta/sealed-passphrase`.
- *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
- *     GCM-bypassed patterns. The sealing layer (provider's job)
- *     is the security boundary; hub doesn't have a key to encrypt
- *     with at this layer — that's the whole point of the design.
- *   - {@link resolveManagedSecret} — orchestrates the "generate +
- *     seal + persist on first open; unseal on reopen" flow.
- *     Returns the plaintext passphrase string that the rest of the
- *     `createNoydb` keyring path consumes.
- *
- * Deferred to follow-ups:
- *   - Block `rotate-passphrase` policy gate under managed mode.
- *   - Mandatory strong-recovery enforcement.
- *   - Recovery flow under managed mode (generates fresh sealed phrase).
- *
- * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
- *
- * @module
- */
-
-/**
- * The contract concrete providers (per-platform key stores) implement
- * to seal and unseal a hub-generated random passphrase. The plaintext
- * passphrase NEVER leaves hub-controlled memory in unsealed form —
- * the provider receives the bytes, returns opaque sealed bytes, and
- * later reverses the operation. Hub treats the sealed bytes as
- * fully opaque.
- *
- * Implementations live OUTSIDE `@noy-db/hub` (separate packages
- * per the issue's "Concrete providers (live outside hub)" note):
- *
- * | Platform | Package (TBD) | Backing |
- * |---|---|---|
- * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
- * | Windows | `@noy-db/seal-wincred` | Credential Manager |
- * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
- * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
- */
-interface SealingKeyProvider {
-    /**
-     * Non-sensitive identifier disclosed in the persisted envelope.
-     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
-     * a vault opened with the wrong provider class can detect the
-     * mismatch and surface a clear error. NOT secret — fine to log.
-     *
-     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
-     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
-     * parses this; it's purely audit metadata.
-     */
-    readonly id: string;
-    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
-    seal(passphrase: Uint8Array): Promise<Uint8Array>;
-    /**
-     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
-     * any other failure — hub treats a thrown error as "this provider
-     * cannot unlock this vault" and surfaces it to the caller.
-     */
-    unseal(sealed: Uint8Array): Promise<Uint8Array>;
-}
-/**
- * In-memory test provider. NOT secure — uses a deterministic
- * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
- * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
- * sufficient to make different `id` values produce mutually-unsealable
- * outputs (the contract tests for that), but offers ZERO real
- * confidentiality — never use outside tests.
- *
- * Replace with a real platform provider in production.
- */
-declare class MemorySealingKeyProvider implements SealingKeyProvider {
-    readonly id: string;
-    private readonly fingerprint;
-    private readonly keyBytes;
-    constructor(opts: {
-        id: string;
-    });
-    seal(passphrase: Uint8Array): Promise<Uint8Array>;
-    unseal(sealed: Uint8Array): Promise<Uint8Array>;
-}
-/**
- * Public material a sender uses to seal-for-this-recipient. Published by
- * a recipient's RecipientSealer; transported to the sender out-of-band
- * (email, S3, in-app message). The sender obtains the hint, supplies it
- * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
- * hub seals each user's credential against it. Per foundation §11.4.
- */
-type RecipientHint = {
-    readonly v: 1;
-    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
-    readonly pid: string;
-    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
-    readonly alg: 'rsa-oaep-sha256';
-    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
-    readonly material: Readonly<Record<string, unknown>>;
-};
-/**
- * Handover-capable provider. Implemented additionally by asymmetric/granted
- * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
- * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
- * implement this — the §11.2 capability matrix lives in the type system.
- *
- * Per foundation §11.4. A function that requires recipient-target sealing
- * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
- * passing a self-only provider at the spec site.
- */
-interface RecipientSealer {
-    readonly id: string;
-    /** Produce hint material a sender uses to seal-for-this-recipient. */
-    publishRecipientHint(): Promise<RecipientHint>;
-    /**
-     * Seal plaintext for the recipient described by `hint`. Returns opaque
-     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
-     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
-     * without inspecting them.
-     */
-    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
-}
-/**
- * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
- * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
- * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
- * result into a self-describing TLV:
- *
- *   byte  0       : version (0x01)
- *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
- *   bytes 257..268: AES-GCM IV (12 bytes)
- *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
- *
- * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
- * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
- * for tests where one provider plays both ends. Real cloud providers
- * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
- * contract is round-trip identity.
- *
- * SAFE for production within its scope — the cryptography is real
- * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
- * and is regenerated on every construction. Not suitable as a managed
- * keychain; use it for tests and for shipping bundles where the
- * recipient instance lives in the same process as the sender (rare).
- */
-declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
-    readonly id: string;
-    private readonly keypair;
-    constructor(opts: {
-        id: string;
-    });
-    publishRecipientHint(): Promise<RecipientHint>;
-    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
-    seal(plaintext: Uint8Array): Promise<Uint8Array>;
-    unseal(bytes: Uint8Array): Promise<Uint8Array>;
-}
-/** Reserved id for the managed-passphrase envelope under `_meta`. */
-declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
-/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
-interface SealedPassphrase {
-    readonly _noydb_sealed: 1;
-    readonly providerId: string;
-    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
-    readonly sealed: Uint8Array;
-}
-/**
- * Wire-format envelope persisted at `_meta/sealed-passphrase` for
- * managed-mode vaults. The provider produces raw sealed bytes via
- * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
- * metadata hub needs to pick the right provider on the unseal path.
- *
- * Stability boundary: once shipped, the wire format only grows by
- * adding optional fields. See the at-* sealing dimension foundation
- * doc, §11.9.1.
- *
- * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
- *
- * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
- * — accepted on read for backwards compatibility; never produced on
- * write going forward.
- */
-interface SealedEnvelope {
-    /** Envelope schema version. v1 is the current shape. */
-    readonly v: 1;
-    /** Magic marker for forensics + legacy-shape detection. */
-    readonly _noydb_sealed: 1;
-    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
-    readonly pid: string;
-    /** Sealed bytes from the provider, base64-encoded on the wire. */
-    readonly payload: string;
-}
-/**
- * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
- * in-memory {@link SealedPassphrase} representation. Accepts both:
- *
- *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
- *      the current shape.
- *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
- *      read-only; never written
- *      going forward.
- *
- * Returns `undefined` for any input that doesn't match either shape,
- * so callers can fall back to "no managed-mode envelope present."
- *
- * @internal — exported only for the migration safety-net test suite.
- */
-declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
-declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
-    readonly providerId: string;
-    readonly sealed: Uint8Array;
-}): Promise<void>;
-declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
-
 /**
  * Core types — the {@link NoydbStore} interface, envelope format, roles, and
  * all configuration shapes consumed by {@link createNoydb}.
@@ -12070,6 +12306,27 @@ interface EncryptedEnvelope {
      * side channel.
      */
     readonly _det?: Record<string, string>;
+    /**
+     * Per-record content-encryption key (CEK), base64 AES-KW-wrapped under
+     * the collection (or tier) DEK. Present only on records written by a
+     * collection opened with `perRecordKeys: true`. When present, the body
+     * (`_iv`/`_data`) is encrypted under the unwrapped CEK rather than the
+     * collection DEK directly.
+     *
+     * Presence is the format discriminant: `_cek` absent → legacy body
+     * keyed off the collection DEK (read unchanged); `_cek` present →
+     * unwrap under the collection DEK, then decrypt the body under the CEK.
+     *
+     * The CEK is stable across every version of a record (insert mints it;
+     * updates and history snapshots reuse it), so all `_history` envelopes
+     * for a record carry the same `_cek`. This is the foundation for
+     * per-record erasure (#304) and record-scoped sealing (#306).
+     *
+     * `_det` slots are deliberately NOT keyed off the CEK — they remain
+     * keyed to the collection DEK so blind-equality search keeps working
+     * across records.
+     */
+    readonly _cek?: string;
 }
 /**
  * Placeholder returned by `getAtTier()` in `'ghost'` mode when a
@@ -13288,6 +13545,25 @@ interface BlobObject {
     readonly createdAt: string;
     /** Live reference count — slots + published versions pointing to this blob. */
     readonly refCount: number;
+    /**
+     * Base64 AES-KW-wrapped per-blob **content CEK** (wrapped under the `_blob`
+     * DEK). Present on erasable-collection blobs (`perRecordKeys`): the chunks
+     * are encrypted under this content CEK rather than directly under the `_blob`
+     * DEK, so deleting this BlobObject at `refCount → 0` crypto-shreds the chunks
+     * (they become permanently undecryptable). Absent → legacy blob, chunks
+     * decrypt directly under the `_blob` DEK (read unchanged). See
+     * docs/superpowers/specs/2026-06-13-per-blob-cek-design.md.
+     */
+    readonly _cek?: string;
+    /**
+     * Transient migration marker (#365 slice 3). Present only while a legacy
+     * blob is being migrated to a content CEK: it holds the wrapped content CEK
+     * BEFORE the chunks have been re-encrypted under it. Readers **ignore**
+     * `_cekPending` (they key off `_cek`), so the blob stays readable under the
+     * `_blob` DEK during migration AND the content CEK survives a crash → a
+     * re-run resumes and promotes `_cekPending` → `_cek`. Never set on a settled blob.
+     */
+    readonly _cekPending?: string;
     /**
      * Hint indicating which store holds the chunk data.
      * Used by `routeStore` size-tiered routing: `'default'` for small blobs
@@ -13519,6 +13795,19 @@ interface NoydbOptions {
      * @internal
      */
     readonly historyStrategy?: HistoryStrategy;
+    /**
+     * GDPR right-to-erasure (#304). Pass `withForgetCascade({ subjects })`
+     * from `@noy-db/hub/forget` to declare which collections carry erasable
+     * subject data and the record field naming the data subject. Enables
+     * `vault.forget(subjectId)` crypto-shred (rewrite-to-tombstone of the live
+     * record + every history version → body permanently undecryptable, single
+     * `op:'forget'` ledger entry, chain still verifies). Each declared
+     * collection is forced to `perRecordKeys: true`. When omitted (the
+     * `NO_FORGET` default), `vault.forget()` throws
+     * `ForgetStrategyNotConfiguredError` and no subject-index write hooks run.
+     * Requires `historyStrategy` (the ledger) for the erasure-proof entry.
+     */
+    readonly forgetStrategy?: ForgetStrategy;
     /**
      * tree-shake seam — optional i18n strategy. Pass `withI18n()`
      * from `@noy-db/hub/i18n` to enable `i18nText`/`dictKey` field
@@ -13874,4 +14163,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ExportBlobsAuditEntry as $, BLOB_COLLECTION as A, type BlobStrategy as B, BLOB_EVICTION_AUDIT_COLLECTION as C, DICT_COLLECTION_PREFIX as D, BLOB_INDEX_COLLECTION as E, BLOB_SLOTS_PREFIX as F, BLOB_VERSIONS_PREFIX as G, type BlobEvictionEntry as H, type I18nStrategy as I, type BlobFieldPolicy as J, type BlobFieldsConfig as K, type Layer as L, type BlobObject as M, type BlobPutOptions as N, type OnMissing as O, PolicyEnforcer as P, type BlobResponseOptions as Q, type ResolveI18nOptions as R, type ScriptWarning as S, BlobSet as T, type BlobStrategyOpenArgs as U, type CompactRunOptions as V, type CompactionContext as W, type CompactionResult as X, DEFAULT_CHUNK_SIZE as Y, EXPORT_AUDIT_COLLECTION as Z, ExportBlobsAbortedError as _, type DictEntry as a, type NoydbStore as a$, type ExportBlobsHandle as a0, type ExportBlobsOptions as a1, type ExportedBlob as a2, type SlotInfo as a3, type SlotRecord as a4, type VersionRecord as a5, createExportBlobsHandle as a6, runCompaction as a7, type ConsentStrategy as a8, CONSENT_AUDIT_COLLECTION as a9, VaultFrame as aA, type NoydbBundleStore as aB, type RetentionPolicy as aC, type SnapshotPolicy as aD, type SnapshotStrategy as aE, type SnapshotMeta as aF, type SnapshotMode as aG, type DerivationStrategy as aH, type DerivationContext as aI, type ArrayOutputSpec as aJ, DerivationRegistry as aK, type DerivationStrategyHandle as aL, type DerivedFromMeta as aM, type OutputSpec as aN, type RecordOutputSpec as aO, type MaterializedViewStrategy as aP, type MaterializedViewStrategyHandle as aQ, type OverlayedViewStrategy as aR, Collection as aS, type OverlayFieldMergeMode as aT, type OverlayFieldMergeRule as aU, OverlayedViewRegistry as aV, type OverlayedViewStrategyHandle as aW, type SyncStrategy as aX, type Role as aY, type UnlockedKeyring as aZ, type HistoryStrategy as a_, type ConsentAuditEntry as aa, type ConsentAuditFilter as ab, type ConsentContext as ac, type ConsentOp as ad, loadConsentEntries as ae, writeConsentEntry as af, type PeriodsStrategy as ag, type CarryForwardContext as ah, type ClosePeriodOptions as ai, type OpenPeriodOptions as aj, PERIODS_COLLECTION as ak, type PeriodRecord as al, type ReadOnlyCollection as am, appendPeriodLedgerEntry as an, assertTsWritable as ao, chainAnchor as ap, loadPeriods as aq, validatePeriodName as ar, type GuardStrategy as as, type GuardChange as at, type GuardContext as au, GuardRegistry as av, type GuardStrategyHandle as aw, ReadOnlyVaultFacade as ax, type ShadowStrategy as ay, CollectionFrame as az, type DictKeyDescriptor as b, type CollectionChangeEvent as b$, type HistoryOptions as b0, type EncryptedEnvelope as b1, type PruneOptions as b2, type AppendInput as b3, type ChangeType as b4, CollectionInstant as b5, type DiffEntry as b6, type JsonPatch as b7, type JsonPatchOp as b8, type LedgerEntry as b9, type MaterializedViewOutput as bA, type UnionArmJoin as bB, type UnionSource as bC, type UserEnvelope as bD, type GateName as bE, type GatePolicy as bF, type VaultPolicy as bG, type ActiveTier as bH, type FactorProof as bI, type SchemaUpdateStrategy as bJ, type TransformFn as bK, type PersistedSchemaEnvelope as bL, type UpdateDecision as bM, type DirectoryConfig as bN, type UserVisibility as bO, type AccessibleVault as bP, type AffectedDocument as bQ, type ArchivePolicy as bR, type ArchiveResult as bS, type ArchiveRunOptions as bT, type ArchiveStrategy as bU, BUNDLE_STORE_POLICY as bV, type BuiltInGateName as bW, type CacheOptions as bX, type CacheStats as bY, type CapturedBlueprint as bZ, type ChangeEvent as b_, LedgerStore as ba, type VaultEngine as bb, VaultInstant as bc, type VerifyResult as bd, applyPatch as be, canonicalJson as bf, computePatch as bg, diff as bh, formatDiff as bi, hashEntry as bj, paddedIndex as bk, parseIndex as bl, sha256Hex as bm, type PublicEnvelope as bn, type SealingKeyProvider as bo, type BundleRecipient as bp, type RecipientSealer as bq, type RecipientHint as br, Vault as bs, type RecoveryEnrollmentInput as bt, type ShamirRecoveryProvider as bu, TxContext as bv, type MVQueryContext as bw, type RegisteredMV as bx, MaterializedViewRegistry as by, type MaterializedFromMeta as bz, DictionaryHandle as c, type ListPageResult as c$, type CollectionConflictResolver as c0, type CollectionDescriptor as c1, type CollectionStats as c2, ComputedFieldError as c3, type ComputedFields as c4, type ComputedFn as c5, type Conflict as c6, type ConflictPolicy as c7, type ConflictStrategy as c8, type CrossTierAccessEvent as c9, type ExportStreamOptions as cA, type FactorKind as cB, type FactorProofBundle as cC, type FactorRequirement as cD, type FanoutQueryOptions as cE, type FanoutResult as cF, type FenceDoc as cG, type FenceState as cH, type FieldChange as cI, type FieldDescriptor as cJ, type FieldSource as cK, type GhostRecord as cL, type GrantOptions as cM, type GuardViolation as cN, type HistoryConfig as cO, type HistoryEntry as cP, INDEXED_STORE_POLICY as cQ, type ImportCapability as cR, type InferOutput as cS, type InternalCollectionStats as cT, type IssueDelegationOptions as cU, type IssueMagicLinkGrantOptions as cV, type KeyringAuthenticator as cW, type KeyringAuthenticatorWrappingDEKs as cX, type KeyringAuthenticatorWrappingKEK as cY, type KeyringFile as cZ, type ListAccessibleVaultsOptions as c_, CrossVaultAggregation as ca, CrossVaultGroupedAggregation as cb, type GroupedRow as cc, type CrossVaultLiveAggregation as cd, type CrossVaultLiveQuery as ce, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as cf, DELEGATIONS_COLLECTION as cg, type DeepPartial as ch, type DeepPartialOrNull as ci, type DeferredNumberingConfig as cj, type DelegationToken as ck, type DeleteManyResult as cl, type DeploymentEvent as cm, type DerivationDescriptor as cn, type DirtyEntry as co, type DryRunResult as cp, type DumpSchemaOptions as cq, ELEVATION_AUDIT_COLLECTION as cr, ElevatedHandle as cs, type EnrollAuthenticatorOptions as ct, type EnrollAuthenticatorWrappingDEKsOptions as cu, type EnrollAuthenticatorWrappingKEKOptions as cv, type EnrollRecoveryResult as cw, type ExportCapability as cx, type ExportChunk as cy, type ExportFormat as cz, type DictionaryOptions as d, type RotatePassphraseInput as d$, type ListUsersOptions as d0, type LiveQueryOptions as d1, type LiveUserEnvelope as d2, type LocaleReadOptions as d3, Lru as d4, type LruOptions as d5, type LruStats as d6, MAGIC_LINK_CONTENT_INFO_PREFIX as d7, MAGIC_LINK_GRANTS_COLLECTION as d8, MAGIC_LINK_KEK_INFO_PREFIX as d9, PresenceHandle as dA, type PresencePeer as dB, type PublicEnvelopeField as dC, type PublicEnvelopeSchema as dD, type PublicEnvelopeText as dE, type PullMode as dF, type PullOptions as dG, type PullPolicy as dH, type PullResult as dI, type PushMode as dJ, type PushOptions as dK, type PushPolicy as dL, type PushResult as dM, type PutManyItemOptions as dN, type PutManyOptions as dO, type PutManyResult as dP, type QueryAcrossOptions as dQ, type QueryAcrossResult as dR, type QuickUnlockState as dS, QuickUnlockStore as dT, type ReAuthOperation as dU, type RecoverPassphraseInput as dV, type RecoverPassphraseResult as dW, type RecoverUserOptions as dX, type RecoveryProof as dY, type ResolvedPublicEnvelopeSchema as dZ, type RevokeOptions as d_, type MagicLinkGrantPayload as da, type MagicLinkGrantRecord as db, type MaterializedViewDescriptor as dc, MemoryRecipientSealer as dd, MemorySealingKeyProvider as de, NOYDB_BACKUP_VERSION as df, NOYDB_FORMAT_VERSION as dg, NOYDB_KEYRING_VERSION as dh, NOYDB_SYNC_VERSION as di, type NextOptions as dj, Noydb as dk, type NoydbEventMap as dl, type NoydbOptions as dm, type Assignment as dn, type OverlayViewDescriptor as dp, PUBLIC_ENVELOPE_FIELDS as dq, type PaperRecoveryDoc as dr, type PaperRecoveryEntry as ds, type PassphrasePolicy as dt, type PassphraseValidationResult as du, type Permission as dv, type Permissions as dw, type PersistedSchemaKind as dx, type PlaintextTranslatorContext as dy, type PlaintextTranslatorFn as dz, type I18nMap as e, VaultGroup as e$, type RotateRecoveryOptions as e0, type RotateRecoveryResult as e1, SEALED_PASSPHRASE_RECORD_ID as e2, type SchemaDelta as e3, type SchemaIntrospection as e4, type SchemaManifestRow as e5, type SealedEnvelope as e6, type SealedPassphrase as e7, type SequenceHandle as e8, type SequenceOptions as e9, type SyncTarget as eA, type SyncTargetRole as eB, SyncTransaction as eC, type SyncTransactionResult as eD, type TabChannel as eE, type TabCoordinationOptions as eF, type TabLockManager as eG, type TabPresence as eH, type TabRole as eI, type TierMode as eJ, type TransactionInvariant as eK, type TranslatorAuditEntry as eL, TxCollection as eM, type TxOp as eN, TxVault as eO, USER_ENVELOPE_COLLECTION as eP, USER_ENVELOPE_MAX_BYTES as eQ, type Unsubscribe as eR, type UpdateAuthenticatorOptions as eS, type UpdateContext as eT, type UpdateUserOptions as eU, UserApi as eV, type UserEnvelopeCheckGate as eW, UserEnvelopeOversizedError as eX, type UserEnvelopePresented as eY, type UserInfo as eZ, type VaultBackup as e_, SequenceStore as ea, type SessionPolicy as eb, type SetPublicEnvelopeInput as ec, type ShamirRecoveryDoc as ed, type ShamirRecoveryEntry as ee, ShardedCollection as ef, ShardedGroupedQuery as eg, ShardedQuery as eh, type ShardingConfig as ei, type SkippedVault as ej, type SlotRewrapCeremony as ek, type SlotRewrapContext as el, type StandardSchemaV1 as em, type StandardSchemaV1Issue as en, type StandardSchemaV1SyncResult as eo, StateManagementVault as ep, type StoreAuth as eq, type StoreAuthKind as er, type StoreCapabilities as es, type StoreTime as et, SyncEngine as eu, type SyncMetadata as ev, type SyncPolicy as ew, SyncScheduler as ex, type SyncSchedulerStatus as ey, type SyncStatus as ez, type I18nTextDescriptor as f, validatePublicEnvelopeInput as f$, type VaultGroupOptions as f0, type VaultPolicyOnDisk as f1, type VaultRegistryRow as f2, type VaultSchemaSnapshot as f3, type VaultSnapshot as f4, type VaultTemplate as f5, type WarningRules as f6, WeakPassphraseError as f7, type WeakPassphraseReason as f8, type WithArchiveOptions as f9, listUsers as fA, listUsersWithEnvelopes as fB, loadActiveDelegations as fC, loadPaperRecoveryEntries as fD, loadSealedPassphrase as fE, loadShamirRecoveryEntries as fF, magicLinkGrantRecordId as fG, mintPaperRecoveryEntry as fH, mintShamirRecoveryEntry as fI, mintWrappedDeksBlob as fJ, parseSealedEnvelope as fK, readMagicLinkGrantRecord as fL, recoverUser as fM, removeAuthenticator as fN, resolveSchema as fO, resolveSequenceKey as fP, revokeDelegation as fQ, revokeMagicLinkGrant as fR, runTransaction as fS, savePaperRecoveryEntries as fT, saveSealedPassphrase as fU, saveShamirRecoveryEntries as fV, unwrapDeksFromBlob as fW, unwrapDeksFromPaperEntry as fX, unwrapDeksFromShamirEntry as fY, unwrapMagicLinkGrant as fZ, validatePassphrase as f_, type WrappedDeksBlob as fa, type WriteConflict as fb, type WriteEvent as fc, type WriteHook as fd, type WriteQueue as fe, assertStrongPassphrase as ff, buildRecipientKeyringFile as fg, burnPaperRecoveryEntry as fh, createNoydb as fi, createStore as fj, deriveMagicLinkContentKey as fk, enrollAuthenticator as fl, estimateEntropy as fm, evalComputedFields as fn, evaluateExportCapability as fo, evaluateImportCapability as fp, findAuthenticator as fq, hasExportCapability as fr, hasImportCapability as fs, hasRecoveryEnrolled as ft, isMagicLinkGrantExpired as fu, isPublicEnvelope as fv, issueDelegation as fw, recoverPassphrase as fx, rotatePassphrase as fy, listMagicLinkGrants as fz, type I18nTextOptions as g, validateSchemaInput as g0, validateSchemaOutput as g1, withArchive as g2, withDeferredNumbering as g3, writeMagicLinkGrant as g4, changeSecret as g5, createOwnerKeyring as g6, ensureCollectionDEK as g7, grant as g8, loadKeyring as g9, persistKeyring as ga, revoke as gb, updateAuthenticator as gc, updateKeyringIdentity as gd, type TxStrategy as ge, type AmendmentTxOptions as gf, type OnMissingPolicy as h, applyI18nLocale as i, dictCollectionName as j, dictKey as k, enforceScript as l, getAtPath as m, i18nText as n, inferScripts as o, isDictCollectionName as p, isDictKeyDescriptor as q, isI18nTextDescriptor as r, resolveI18nText as s, resolvePolicy as t, setAtPathInPlace as u, validateI18nTextValue as v, type SessionStrategy as w, createEnforcer as x, validateSessionPolicy as y, BLOB_CHUNKS_COLLECTION as z };
+export { DEFAULT_CHUNK_SIZE as $, createEnforcer as A, validateSessionPolicy as B, type BlobStrategy as C, DICT_COLLECTION_PREFIX as D, BLOB_CHUNKS_COLLECTION as E, BLOB_COLLECTION as F, BLOB_EVICTION_AUDIT_COLLECTION as G, BLOB_INDEX_COLLECTION as H, type I18nStrategy as I, BLOB_SLOTS_PREFIX as J, BLOB_VERSIONS_PREFIX as K, type Layer as L, type BlobEvictionEntry as M, type BlobFieldPolicy as N, type OnMissing as O, PolicyEnforcer as P, type BlobFieldsConfig as Q, type ResolveI18nOptions as R, type ScriptWarning as S, type BlobObject as T, type BlobPutOptions as U, type BlobResponseOptions as V, BlobSet as W, type BlobStrategyOpenArgs as X, type CompactRunOptions as Y, type CompactionContext as Z, type CompactionResult as _, type DictEntry as a, type Role as a$, EXPORT_AUDIT_COLLECTION as a0, ExportBlobsAbortedError as a1, type ExportBlobsAuditEntry as a2, type ExportBlobsHandle as a3, type ExportBlobsOptions as a4, type ExportedBlob as a5, type SlotInfo as a6, type SlotRecord as a7, type VersionRecord as a8, createExportBlobsHandle as a9, ReadOnlyVaultFacade as aA, type ShadowStrategy as aB, CollectionFrame as aC, VaultFrame as aD, type NoydbBundleStore as aE, type RetentionPolicy as aF, type SnapshotPolicy as aG, type SnapshotStrategy as aH, type SnapshotMeta as aI, type SnapshotMode as aJ, type DerivationStrategy as aK, type DerivationContext as aL, type ArrayOutputSpec as aM, DerivationRegistry as aN, type DerivationStrategyHandle as aO, type DerivedFromMeta as aP, type OutputSpec as aQ, type RecordOutputSpec as aR, type MaterializedViewStrategy as aS, type MaterializedViewStrategyHandle as aT, type OverlayedViewStrategy as aU, Collection as aV, type OverlayFieldMergeMode as aW, type OverlayFieldMergeRule as aX, OverlayedViewRegistry as aY, type OverlayedViewStrategyHandle as aZ, type SyncStrategy as a_, runCompaction as aa, type ConsentStrategy as ab, CONSENT_AUDIT_COLLECTION as ac, type ConsentAuditEntry as ad, type ConsentAuditFilter as ae, type ConsentContext as af, type ConsentOp as ag, loadConsentEntries as ah, writeConsentEntry as ai, type PeriodsStrategy as aj, type CarryForwardContext as ak, type ClosePeriodOptions as al, type OpenPeriodOptions as am, PERIODS_COLLECTION as an, type PeriodRecord as ao, type ReadOnlyCollection as ap, appendPeriodLedgerEntry as aq, assertTsWritable as ar, chainAnchor as as, loadPeriods as at, validatePeriodName as au, type GuardStrategy as av, type GuardChange as aw, type GuardContext as ax, GuardRegistry as ay, type GuardStrategyHandle as az, type DictKeyDescriptor as b, type CollectionStats as b$, type UnlockedKeyring as b0, type HistoryStrategy as b1, type NoydbStore as b2, type HistoryOptions as b3, type EncryptedEnvelope as b4, type PruneOptions as b5, type AppendInput as b6, type ChangeType as b7, CollectionInstant as b8, type DiffEntry as b9, type UserEnvelope as bA, type GateName as bB, type GatePolicy as bC, type VaultPolicy as bD, type ActiveTier as bE, type FactorProof as bF, type SchemaUpdateStrategy as bG, type TransformFn as bH, type PersistedSchemaEnvelope as bI, type UpdateDecision as bJ, type DirectoryConfig as bK, type UserVisibility as bL, type AccessibleVault as bM, type AffectedDocument as bN, type ArchivePolicy as bO, type ArchiveResult as bP, type ArchiveRunOptions as bQ, type ArchiveStrategy as bR, BUNDLE_STORE_POLICY as bS, type BuiltInGateName as bT, type CacheOptions as bU, type CacheStats as bV, type CapturedBlueprint as bW, type ChangeEvent as bX, type CollectionChangeEvent as bY, type CollectionConflictResolver as bZ, type CollectionDescriptor as b_, type JsonPatch as ba, type JsonPatchOp as bb, LedgerStore as bc, type VaultEngine as bd, VaultInstant as be, type VerifyResult as bf, applyPatch as bg, computePatch as bh, diff as bi, formatDiff as bj, type PublicEnvelope as bk, type SealingKeyProvider as bl, type BundleRecipient as bm, type RecipientSealer as bn, type RecipientHint as bo, Vault as bp, type RecoveryEnrollmentInput as bq, type ShamirRecoveryProvider as br, TxContext as bs, type MVQueryContext as bt, type RegisteredMV as bu, MaterializedViewRegistry as bv, type MaterializedFromMeta as bw, type MaterializedViewOutput as bx, type UnionArmJoin as by, type UnionSource as bz, DictionaryHandle as c, type LiveUserEnvelope as c$, ComputedFieldError as c0, type ComputedFields as c1, type ComputedFn as c2, type Conflict as c3, type ConflictPolicy as c4, type ConflictStrategy as c5, type CrossTierAccessEvent as c6, CrossVaultAggregation as c7, CrossVaultGroupedAggregation as c8, type GroupedRow as c9, type FactorRequirement as cA, type FanoutQueryOptions as cB, type FanoutResult as cC, type FenceDoc as cD, type FenceState as cE, type FieldChange as cF, type FieldDescriptor as cG, type FieldSource as cH, type GhostRecord as cI, type GrantOptions as cJ, type GuardViolation as cK, type HistoryConfig as cL, type HistoryEntry as cM, INDEXED_STORE_POLICY as cN, type ImportCapability as cO, type InferOutput as cP, type InternalCollectionStats as cQ, type IssueDelegationOptions as cR, type IssueMagicLinkGrantOptions as cS, type KeyringAuthenticator as cT, type KeyringAuthenticatorWrappingDEKs as cU, type KeyringAuthenticatorWrappingKEK as cV, type KeyringFile as cW, type ListAccessibleVaultsOptions as cX, type ListPageResult as cY, type ListUsersOptions as cZ, type LiveQueryOptions as c_, type CrossVaultLiveAggregation as ca, type CrossVaultLiveQuery as cb, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as cc, DELEGATIONS_COLLECTION as cd, type DeepPartial as ce, type DeepPartialOrNull as cf, type DeferredNumberingConfig as cg, type DelegationToken as ch, type DeleteManyResult as ci, type DeploymentEvent as cj, type DerivationDescriptor as ck, type DirtyEntry as cl, type DryRunResult as cm, type DumpSchemaOptions as cn, ELEVATION_AUDIT_COLLECTION as co, ElevatedHandle as cp, type EnrollAuthenticatorOptions as cq, type EnrollAuthenticatorWrappingDEKsOptions as cr, type EnrollAuthenticatorWrappingKEKOptions as cs, type EnrollRecoveryResult as ct, type ExportCapability as cu, type ExportChunk as cv, type ExportFormat as cw, type ExportStreamOptions as cx, type FactorKind as cy, type FactorProofBundle as cz, type DictionaryOptions as d, SEALED_PASSPHRASE_RECORD_ID as d$, type LocaleReadOptions as d0, Lru as d1, type LruOptions as d2, type LruStats as d3, MAGIC_LINK_CONTENT_INFO_PREFIX as d4, MAGIC_LINK_GRANTS_COLLECTION as d5, MAGIC_LINK_KEK_INFO_PREFIX as d6, type MagicLinkGrantPayload as d7, type MagicLinkGrantRecord as d8, type MaterializedViewDescriptor as d9, type PublicEnvelopeSchema as dA, type PublicEnvelopeText as dB, type PullMode as dC, type PullOptions as dD, type PullPolicy as dE, type PullResult as dF, type PushMode as dG, type PushOptions as dH, type PushPolicy as dI, type PushResult as dJ, type PutManyItemOptions as dK, type PutManyOptions as dL, type PutManyResult as dM, type QueryAcrossOptions as dN, type QueryAcrossResult as dO, type QuickUnlockState as dP, QuickUnlockStore as dQ, type ReAuthOperation as dR, type RecoverPassphraseInput as dS, type RecoverPassphraseResult as dT, type RecoverUserOptions as dU, type RecoveryProof as dV, type ResolvedPublicEnvelopeSchema as dW, type RevokeOptions as dX, type RotatePassphraseInput as dY, type RotateRecoveryOptions as dZ, type RotateRecoveryResult as d_, MemoryRecipientSealer as da, MemorySealingKeyProvider as db, NOYDB_BACKUP_VERSION as dc, NOYDB_FORMAT_VERSION as dd, NOYDB_KEYRING_VERSION as de, NOYDB_SYNC_VERSION as df, type NextOptions as dg, Noydb as dh, type NoydbEventMap as di, type NoydbOptions as dj, type Assignment as dk, type OverlayViewDescriptor as dl, PUBLIC_ENVELOPE_FIELDS as dm, type PaperRecoveryDoc as dn, type PaperRecoveryEntry as dp, type PassphrasePolicy as dq, type PassphraseValidationResult as dr, type Permission as ds, type Permissions as dt, type PersistedSchemaKind as du, type PlaintextTranslatorContext as dv, type PlaintextTranslatorFn as dw, PresenceHandle as dx, type PresencePeer as dy, type PublicEnvelopeField as dz, type I18nMap as e, type VaultRegistryRow as e$, type SchemaDelta as e0, type SchemaIntrospection as e1, type SchemaManifestRow as e2, type SealedEnvelope as e3, type SealedPassphrase as e4, type SequenceHandle as e5, type SequenceOptions as e6, SequenceStore as e7, type SessionPolicy as e8, type SetPublicEnvelopeInput as e9, type SyncTransactionResult as eA, type TabChannel as eB, type TabCoordinationOptions as eC, type TabLockManager as eD, type TabPresence as eE, type TabRole as eF, type TierMode as eG, type TransactionInvariant as eH, type TranslatorAuditEntry as eI, TxCollection as eJ, type TxOp as eK, TxVault as eL, USER_ENVELOPE_COLLECTION as eM, USER_ENVELOPE_MAX_BYTES as eN, type Unsubscribe as eO, type UpdateAuthenticatorOptions as eP, type UpdateContext as eQ, type UpdateUserOptions as eR, UserApi as eS, type UserEnvelopeCheckGate as eT, UserEnvelopeOversizedError as eU, type UserEnvelopePresented as eV, type UserInfo as eW, type VaultBackup as eX, VaultGroup as eY, type VaultGroupOptions as eZ, type VaultPolicyOnDisk as e_, type ShamirRecoveryDoc as ea, type ShamirRecoveryEntry as eb, ShardedCollection as ec, ShardedGroupedQuery as ed, ShardedQuery as ee, type ShardingConfig as ef, type SkippedVault as eg, type SlotRewrapCeremony as eh, type SlotRewrapContext as ei, type StandardSchemaV1 as ej, type StandardSchemaV1Issue as ek, type StandardSchemaV1SyncResult as el, StateManagementVault as em, type StoreAuth as en, type StoreAuthKind as eo, type StoreCapabilities as ep, type StoreTime as eq, SyncEngine as er, type SyncMetadata as es, type SyncPolicy as et, SyncScheduler as eu, type SyncSchedulerStatus as ev, type SyncStatus as ew, type SyncTarget as ex, type SyncTargetRole as ey, SyncTransaction as ez, type I18nTextDescriptor as f, validatePublicEnvelopeInput as f$, type VaultSchemaSnapshot as f0, type VaultSnapshot as f1, type VaultTemplate as f2, type WarningRules as f3, WeakPassphraseError as f4, type WeakPassphraseReason as f5, type WithArchiveOptions as f6, type WrappedDeksBlob as f7, type WriteConflict as f8, type WriteEvent as f9, loadActiveDelegations as fA, loadPaperRecoveryEntries as fB, loadSealedPassphrase as fC, loadShamirRecoveryEntries as fD, magicLinkGrantRecordId as fE, mintPaperRecoveryEntry as fF, mintShamirRecoveryEntry as fG, mintWrappedDeksBlob as fH, parseRsaOaepTlv as fI, parseSealedEnvelope as fJ, readMagicLinkGrantRecord as fK, recoverUser as fL, removeAuthenticator as fM, resolveSchema as fN, resolveSequenceKey as fO, revokeDelegation as fP, revokeMagicLinkGrant as fQ, runTransaction as fR, savePaperRecoveryEntries as fS, saveSealedPassphrase as fT, saveShamirRecoveryEntries as fU, sealRsaOaepTlv as fV, unwrapDeksFromBlob as fW, unwrapDeksFromPaperEntry as fX, unwrapDeksFromShamirEntry as fY, unwrapMagicLinkGrant as fZ, validatePassphrase as f_, type WriteHook as fa, type WriteQueue as fb, aesGcmOpen as fc, assertStrongPassphrase as fd, buildRecipientKeyringFile as fe, burnPaperRecoveryEntry as ff, createNoydb as fg, createStore as fh, deriveMagicLinkContentKey as fi, enrollAuthenticator as fj, estimateEntropy as fk, evalComputedFields as fl, evaluateExportCapability as fm, evaluateImportCapability as fn, findAuthenticator as fo, hasExportCapability as fp, hasImportCapability as fq, hasRecoveryEnrolled as fr, isMagicLinkGrantExpired as fs, isPublicEnvelope as ft, issueDelegation as fu, recoverPassphrase as fv, rotatePassphrase as fw, listMagicLinkGrants as fx, listUsers as fy, listUsersWithEnvelopes as fz, type I18nTextOptions as g, validateSchemaInput as g0, validateSchemaOutput as g1, withArchive as g2, withDeferredNumbering as g3, writeMagicLinkGrant as g4, changeSecret as g5, createOwnerKeyring as g6, ensureCollectionDEK as g7, grant as g8, loadKeyring as g9, persistKeyring as ga, revoke as gb, updateAuthenticator as gc, updateKeyringIdentity as gd, type TxStrategy as ge, type AmendmentTxOptions as gf, type OnMissingPolicy as h, type StaticDictDescriptor as i, applyI18nLocale as j, dictCollectionName as k, dictKey as l, enforceScript as m, getAtPath as n, i18nText as o, inferScripts as p, isDictCollectionName as q, isDictKeyDescriptor as r, isI18nTextDescriptor as s, isStaticDictDescriptor as t, resolveI18nText as u, resolvePolicy as v, setAtPathInPlace as w, staticDict as x, validateI18nTextValue as y, type SessionStrategy as z };