@noy-db/hub 0.2.0-pre.21 → 0.2.0-pre.23

package/dist/bundle/index.d.cts

@@ -1,6 +1,6 @@
-import { T as TransferSealPayload } from '../ulid-LaxfH2tK.cjs';
-export { C as COMPRESSION_BROTLI, a as COMPRESSION_GZIP, b as COMPRESSION_NONE, c as CompressionAlgo, F as FLAG_COMPRESSED, d as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, i as encodeBundleHeader, j as generateULID, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, m as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../ulid-LaxfH2tK.cjs';
-import { bh as Vault, aW as NoydbStore, bd as SealingKeyProvider, bi as RecoveryEnrollmentInput, bj as ShamirRecoveryProvider } from '../types-DyOI6XZ_.cjs';
+import { T as TransferSealPayload } from '../ulid-Bg-IBJyA.cjs';
+export { C as COMPRESSION_BROTLI, a as COMPRESSION_GZIP, b as COMPRESSION_NONE, c as CompressionAlgo, F as FLAG_COMPRESSED, d as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, i as encodeBundleHeader, j as generateULID, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, m as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../ulid-Bg-IBJyA.cjs';
+import { bh as Vault, aW as NoydbStore, bd as SealingKeyProvider, bi as RecoveryEnrollmentInput, bj as ShamirRecoveryProvider } from '../types-Bhs2i_Ll.cjs';
 export { t as AdoptionStateError, B as BackupCorruptedError, u as BackupLedgerError, v as BundleIntegrityError, w as BundleSealMismatchError, x as BundleVersionConflictError, P as PartitionExtractionError, y as TransferSealError } from '../errors-Dkc_fi-S.cjs';
 import '../lazy-builder-eYZzLEL1.cjs';
 import '../predicate-BmhBSPCH.cjs';

package/dist/bundle/index.d.ts

@@ -1,6 +1,6 @@
-import { T as TransferSealPayload } from '../ulid-B2L_aqVA.js';
-export { C as COMPRESSION_BROTLI, a as COMPRESSION_GZIP, b as COMPRESSION_NONE, c as CompressionAlgo, F as FLAG_COMPRESSED, d as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, i as encodeBundleHeader, j as generateULID, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, m as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../ulid-B2L_aqVA.js';
-import { bh as Vault, aW as NoydbStore, bd as SealingKeyProvider, bi as RecoveryEnrollmentInput, bj as ShamirRecoveryProvider } from '../types-DLfWFr6U.js';
+import { T as TransferSealPayload } from '../ulid-Dwt3JEcy.js';
+export { C as COMPRESSION_BROTLI, a as COMPRESSION_GZIP, b as COMPRESSION_NONE, c as CompressionAlgo, F as FLAG_COMPRESSED, d as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, i as encodeBundleHeader, j as generateULID, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, m as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../ulid-Dwt3JEcy.js';
+import { bh as Vault, aW as NoydbStore, bd as SealingKeyProvider, bi as RecoveryEnrollmentInput, bj as ShamirRecoveryProvider } from '../types-DONgts0n.js';
 export { t as AdoptionStateError, B as BackupCorruptedError, u as BackupLedgerError, v as BundleIntegrityError, w as BundleSealMismatchError, x as BundleVersionConflictError, P as PartitionExtractionError, y as TransferSealError } from '../errors-Dkc_fi-S.js';
 import '../lazy-builder-ChSqcF5t.js';
 import '../predicate-BmhBSPCH.js';

package/dist/bundle/index.js

@@ -543,7 +543,7 @@ async function createOwnerOnAdoptedPartition(store, vaultName, opts) {
     }
   }
   if (isManaged(opts)) {
-    const { createNoydb } = await import("../noydb-ZZCRF6TE.js");
+    const { createNoydb } = await import("../noydb-VGR2HLDB.js");
     const db = await createNoydb({
       store,
       user: userId,

package/dist/{chunk-7PH4OPBZ.js → chunk-P65YMN5V.js}

@@ -44,6 +44,9 @@ import {
   savePersistedSchema,
   saveSealedPassphrase
 } from "./chunk-C6W5KVDV.js";
+import {
+  writeNoydbBundle
+} from "./chunk-WE2BUQD2.js";
 import {
   loadPublicEnvelope,
   readPublicEnvelope,
@@ -4296,6 +4299,265 @@ function valuesMatch(stored, live) {
   }
 }
 
+// src/bundle/export-accessible.ts
+function resolveAccessibleCollections(keyring, scope, writableOnly = false) {
+  let collections;
+  if (keyring.role === "operator" || keyring.role === "client") {
+    collections = Object.entries(keyring.permissions).filter(([, mode]) => !writableOnly || mode === "rw").map(([c]) => c);
+  }
+  if (scope?.collections) {
+    const allow = new Set(scope.collections);
+    collections = (collections ?? [...scope.collections]).filter((c) => allow.has(c));
+  }
+  return collections;
+}
+async function buildAccessibleBundle(vault, collections, reKey, compression = "auto") {
+  return writeNoydbBundle(vault, {
+    compression,
+    ...collections !== void 0 ? { collections } : {},
+    ...reKey ? { exportPassphrase: reKey.passphrase } : {}
+  });
+}
+async function exportAccessibleData(vault, opts = {}) {
+  const { keyring } = vault._introspectState();
+  const collections = resolveAccessibleCollections(keyring, opts.scope);
+  const bytes = await buildAccessibleBundle(vault, collections, opts.reKey, opts.compression ?? "auto");
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-export:${keyring.userId}`
+  });
+  return bytes;
+}
+
+// src/bundle/withdraw-accessible.ts
+var FROZEN_SNAPSHOTS_COLLECTION = "_frozen_snapshots";
+var ENC = new TextEncoder();
+function randomId() {
+  const b = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  return Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
+}
+async function freezeAndDeleteClosure(vault, collections, opts) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const closure = [];
+  for (const c of collections) {
+    for (const id of await adapter.list(vaultName, c)) closure.push({ collection: c, id });
+  }
+  let snapshot;
+  if (opts.disposition === "freeze") {
+    const withdrawalId = opts.withdrawalId ?? `wd-${randomId()}`;
+    const snap = {};
+    for (const { collection, id } of closure) {
+      const env = await adapter.get(vaultName, collection, id);
+      if (env) (snap[collection] ??= {})[id] = env;
+    }
+    const frozenAt = (/* @__PURE__ */ new Date()).toISOString();
+    const body = JSON.stringify({ withdrawalId, frozenAt, by: opts.actorUserId, collections: snap });
+    const sha = await sha256Hex(ENC.encode(body));
+    await adapter.put(
+      vaultName,
+      FROZEN_SNAPSHOTS_COLLECTION,
+      withdrawalId,
+      { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: frozenAt, _iv: "", _data: body, _by: opts.actorUserId },
+      0
+    );
+    await vault._getLedgerOrNull()?.append({
+      op: "lifecycle",
+      collection: "",
+      id: "",
+      version: 0,
+      actor: opts.actorUserId,
+      payloadHash: "",
+      reason: `withdrawal-frozen-snapshot:${withdrawalId}:${sha}`
+    });
+    snapshot = { withdrawalId, sha256: sha, recordCount: closure.length, frozenAt };
+  }
+  for (const { collection, id } of closure) {
+    await vault.collection(collection).delete(id);
+  }
+  return snapshot;
+}
+async function withdrawAccessibleData(vault, opts) {
+  const { keyring } = vault._introspectState();
+  const disposition = opts.disposition ?? "delete";
+  if (keyring.role === "owner" || keyring.role === "admin") {
+    throw new ReadOnlyError(
+      "unilateralWithdrawal is the scoped self-service path; an owner/admin should use extractPartition"
+    );
+  }
+  if (keyring.role === "client" || keyring.role === "viewer") {
+    throw new ReadOnlyError(
+      "read-only role cannot self-serve a destructive withdrawal \u2014 use requestWithdrawal (two-party)"
+    );
+  }
+  const collections = resolveAccessibleCollections(keyring, opts.scope, true);
+  if (!collections || collections.length === 0) {
+    throw new ReadOnlyError(
+      "unilateralWithdrawal requires rw access on the withdrawn collections \u2014 use requestWithdrawal for read-only scope"
+    );
+  }
+  const bundle = await buildAccessibleBundle(vault, collections, opts.reKey);
+  const snapshot = await freezeAndDeleteClosure(vault, collections, {
+    disposition,
+    actorUserId: keyring.userId,
+    ...opts.withdrawalId ? { withdrawalId: opts.withdrawalId } : {}
+  });
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-unilateral-withdrawal:${keyring.userId}:${disposition}:${opts.legalBasis}`
+  });
+  return snapshot ? { bundle, snapshot } : { bundle };
+}
+
+// src/bundle/request-withdrawal.ts
+var WITHDRAWAL_REQUESTS_COLLECTION = "_user_withdrawal_requests";
+var WithdrawalRequestError = class extends NoydbError {
+  constructor(message) {
+    super("WITHDRAWAL_REQUEST", message);
+    this.name = "WithdrawalRequestError";
+  }
+};
+function writeRequest(vault, req, expectedVersion) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const body = JSON.stringify(req);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: expectedVersion + 1,
+    _ts: req.decidedAt ?? req.requestedAt,
+    _iv: "",
+    _data: body,
+    _by: req.decidedBy ?? req.requester
+  };
+  return adapter.put(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, req.requestId, env, expectedVersion);
+}
+async function readRequest(vault, requestId) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const env = await adapter.get(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, requestId);
+  if (!env) throw new WithdrawalRequestError(`withdrawal request "${requestId}" not found`);
+  return { req: JSON.parse(env._data), version: env._v };
+}
+async function requestWithdrawal(vault, opts = {}) {
+  const { keyring } = vault._introspectState();
+  const collections = resolveAccessibleCollections(keyring, opts.scope, false);
+  if (!collections || collections.length === 0) {
+    throw new WithdrawalRequestError(
+      "requestWithdrawal needs a concrete scope.collections (the caller has all-collection access \u2014 name the collections to withdraw)"
+    );
+  }
+  const requestId = `wr-${randomId()}`;
+  const requestedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const req = {
+    requestId,
+    requester: keyring.userId,
+    collections,
+    disposition: opts.disposition ?? "delete",
+    status: "pending",
+    requestedAt,
+    ...opts.legalBasis ? { legalBasis: opts.legalBasis } : {},
+    ...opts.expiresInMs ? { expiresAt: new Date(Date.parse(requestedAt) + opts.expiresInMs).toISOString() } : {}
+  };
+  await writeRequest(vault, req, 0);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-withdrawal-request:${requestId}:${keyring.userId}`
+  });
+  return { requestId, status: "pending", ...req.expiresAt ? { expiresAt: req.expiresAt } : {} };
+}
+async function listWithdrawalRequests(vault, opts = {}) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const ids = await adapter.list(vaultName, WITHDRAWAL_REQUESTS_COLLECTION);
+  const out = [];
+  for (const id of ids) {
+    const env = await adapter.get(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, id);
+    if (!env) continue;
+    const req = JSON.parse(env._data);
+    if (!opts.status || req.status === opts.status) out.push(req);
+  }
+  return out;
+}
+function assertApprover(vault) {
+  const { keyring } = vault._introspectState();
+  if (keyring.role !== "owner" && keyring.role !== "admin") {
+    throw new WithdrawalRequestError("approveWithdrawal / rejectWithdrawal require an owner or admin");
+  }
+  return keyring.userId;
+}
+function assertPending(req) {
+  if (req.status !== "pending") {
+    throw new WithdrawalRequestError(`withdrawal request "${req.requestId}" is already ${req.status}`);
+  }
+  if (req.expiresAt && Date.now() > Date.parse(req.expiresAt)) {
+    throw new WithdrawalRequestError(`withdrawal request "${req.requestId}" expired at ${req.expiresAt}`);
+  }
+}
+async function approveWithdrawal(vault, requestId, opts = {}) {
+  const approver = assertApprover(vault);
+  const { req, version } = await readRequest(vault, requestId);
+  assertPending(req);
+  const bundle = await buildAccessibleBundle(vault, [...req.collections], opts.reKey);
+  const snapshot = await freezeAndDeleteClosure(vault, req.collections, {
+    disposition: req.disposition,
+    actorUserId: approver,
+    withdrawalId: `wd-${requestId}`
+  });
+  const decidedAt = (/* @__PURE__ */ new Date()).toISOString();
+  await writeRequest(vault, {
+    ...req,
+    status: "approved",
+    decidedAt,
+    decidedBy: approver,
+    ...snapshot ? { snapshotSha256: snapshot.sha256 } : {}
+  }, version);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: approver,
+    payloadHash: "",
+    reason: `user-withdrawal-approved:${requestId}:${req.requester}:${req.disposition}`
+  });
+  return snapshot ? { bundle, snapshot } : { bundle };
+}
+async function rejectWithdrawal(vault, requestId, opts = {}) {
+  const approver = assertApprover(vault);
+  const { req, version } = await readRequest(vault, requestId);
+  assertPending(req);
+  const decidedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const updated = {
+    ...req,
+    status: "rejected",
+    decidedAt,
+    decidedBy: approver,
+    ...opts.reason ? { rejectReason: opts.reason } : {}
+  };
+  await writeRequest(vault, updated, version);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: approver,
+    payloadHash: "",
+    reason: `user-withdrawal-rejected:${requestId}:${req.requester}`
+  });
+  return updated;
+}
+
 // src/archive/engine.ts
 function isHeld(policy, record) {
   if (!policy.legalHold) return false;
@@ -4971,20 +5233,99 @@ var LinkIntegrityError = class extends NoydbError {
 
 // src/meta/user-envelope/api.ts
 var UserApi = class {
-  constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2) {
+  constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2, exportAccessible, unilateralWithdraw, requestWithdraw, listWithdrawals, approveWithdraw, rejectWithdraw) {
     this.adapter = adapter;
     this.vaultName = vaultName;
     this.writerKeyringId = writerKeyringId;
     this.getDek = getDek;
     this.checkGate = checkGate2;
+    this.exportAccessible = exportAccessible;
+    this.unilateralWithdraw = unilateralWithdraw;
+    this.requestWithdraw = requestWithdraw;
+    this.listWithdrawals = listWithdrawals;
+    this.approveWithdraw = approveWithdraw;
+    this.rejectWithdraw = rejectWithdraw;
   }
   adapter;
   vaultName;
   writerKeyringId;
   getDek;
   checkGate;
+  exportAccessible;
+  unilateralWithdraw;
+  requestWithdraw;
+  listWithdrawals;
+  approveWithdraw;
+  rejectWithdraw;
   /** keyringId → set of listeners. Wildcard '*' fires on every change. */
   listeners = /* @__PURE__ */ new Map();
+  /**
+   * #199 P3 — file a two-party withdrawal request for the caller's accessible
+   * scope. Non-destructive (writes a pending request); an owner later approves
+   * or rejects. This is the path for read-only roles (`client`/`viewer`) that
+   * cannot self-serve a destructive `unilateralWithdrawal`. Gated by
+   * `user-request-withdrawal` (enabled by default).
+   */
+  async requestWithdrawal(opts = {}) {
+    if (this.checkGate) await this.checkGate("user-request-withdrawal");
+    if (!this.requestWithdraw) {
+      throw new Error("requestWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.requestWithdraw(opts);
+  }
+  /** #199 P3 — owner side: list filed withdrawal requests (optionally by status). */
+  async listWithdrawalRequests(opts = {}) {
+    if (!this.listWithdrawals) {
+      throw new Error("listWithdrawalRequests requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.listWithdrawals(opts);
+  }
+  /**
+   * #199 P3 — owner side: approve a pending request. Extracts the requester's
+   * recorded scope under firm authority, disposes of the source per the
+   * request's disposition, and returns the re-keyed bundle to hand back. Gated
+   * by `approve-user-withdrawal` (tier-2 default) + owner/admin role.
+   */
+  async approveWithdrawal(requestId, opts = {}) {
+    if (this.checkGate) await this.checkGate("approve-user-withdrawal");
+    if (!this.approveWithdraw) {
+      throw new Error("approveWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.approveWithdraw(requestId, opts);
+  }
+  /** #199 P3 — owner side: reject a pending request (no data is touched). */
+  async rejectWithdrawal(requestId, opts = {}) {
+    if (this.checkGate) await this.checkGate("approve-user-withdrawal");
+    if (!this.rejectWithdraw) {
+      throw new Error("rejectWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.rejectWithdraw(requestId, opts);
+  }
+  /**
+   * #199 P2 — single-party withdrawal: export the caller's accessible scope
+   * (re-keyed) and dispose of the source (`delete` or `freeze`). Gated by the
+   * fail-closed built-in `client-unilateral-withdraw` policy — undefined or
+   * disabled → throws (use `requestWithdrawal`). The firm enables it at vault
+   * creation.
+   */
+  async unilateralWithdrawal(opts) {
+    if (this.checkGate) await this.checkGate("client-unilateral-withdraw");
+    if (!this.unilateralWithdraw) {
+      throw new Error("unilateralWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.unilateralWithdraw(opts);
+  }
+  /**
+   * #199 — export the calling user's accessible scope as a portable, re-keyed
+   * `.noydb` bundle. Non-destructive and **always allowed** (data sovereignty
+   * by construction, §11.11) but audited. Scope = the caller's DEK access set.
+   */
+  async exportMyAccessibleData(opts = {}) {
+    if (!this.exportAccessible) {
+      throw new Error("exportMyAccessibleData requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.exportAccessible(opts);
+  }
   // ─── Write-self ──────────────────────────────────────────────────────
   /** Read the writer's own envelope. Returns null if never written. */
   async me() {
@@ -6221,7 +6562,13 @@ var Vault = class {
       this.name,
       this.keyring.userId,
       () => this.getDEK(USER_ENVELOPE_COLLECTION),
-      (gate, presented) => this.noydb.checkGate(this.name, gate, presented)
+      (gate, presented) => this.noydb.checkGate(this.name, gate, presented),
+      (opts2) => exportAccessibleData(this, opts2),
+      (opts2) => withdrawAccessibleData(this, opts2),
+      (opts2) => requestWithdrawal(this, opts2),
+      (opts2) => listWithdrawalRequests(this, opts2),
+      (requestId, opts2) => approveWithdrawal(this, requestId, opts2),
+      (requestId, opts2) => rejectWithdrawal(this, requestId, opts2)
     );
   }
   /**
@@ -8612,6 +8959,7 @@ var Vault = class {
       collectionCache: this.collectionCache,
       refRegistry: this.refRegistry,
       getDEK: this.getDEK,
+      keyring: this.keyring,
       subsystems: {
         guards: this.guardRegistry !== null,
         derivations: this.derivationRegistry !== null,
@@ -10005,7 +10353,18 @@ var PERSONAL_POLICY = Object.freeze({
     //   Setting `enabled: false` makes vault.user.list() return only
     //   self (privacy-strict opt-out).
     "edit-own-profile": { minTier: 3 },
-    "view-team-profiles": { minTier: 2 }
+    "view-team-profiles": { minTier: 2 },
+    // client-unilateral-withdraw: a non-owner's self-service DESTRUCTIVE
+    // withdrawal (export-and-delete/freeze, #199). Fail-closed by default —
+    // the firm opts in per jurisdiction/contract (e.g. GDPR Art. 17).
+    // Listed explicitly (not just relying on the built-in default) so it is
+    // discoverable in describeGate / policy dumps.
+    "client-unilateral-withdraw": { minTier: 1, enabled: false },
+    // Two-party withdrawal (#199 P3): filing a request is non-destructive
+    // (tier-1, enabled so a read-only client can ask); deciding it is the
+    // destructive step (tier-2 floor + owner/admin role, enforced in code).
+    "user-request-withdrawal": { minTier: 1 },
+    "approve-user-withdrawal": { minTier: 2 }
   }
 });
 var STRICT_POLICY = Object.freeze({
@@ -10104,7 +10463,24 @@ var STRICT_POLICY = Object.freeze({
       minTier: 2,
       factors: [{ anyOf: ["totp", "email-otp"] }]
     },
-    "view-team-profiles": { minTier: 2 }
+    "view-team-profiles": { minTier: 2 },
+    // STRICT: still fail-closed, but if a regulated firm flips enabled:true
+    // they inherit a two-factor proof + shared-device block for the
+    // destructive withdrawal (mirrors export-plaintext's hardening).
+    "client-unilateral-withdraw": {
+      minTier: 1,
+      enabled: false,
+      factors: [{ anyOf: ["totp", "email-otp"], count: 2 }],
+      warn: { sharedDevice: "block" }
+    },
+    // STRICT: filing stays tier-1; the destructive APPROVE demands an
+    // off-device factor + shared-device block (mirrors export-bundle).
+    "user-request-withdrawal": { minTier: 1 },
+    "approve-user-withdrawal": {
+      minTier: 2,
+      factors: [{ anyOf: ["totp", "email-otp"] }],
+      warn: { sharedDevice: "block" }
+    }
   }
 });
 function mergePolicy(base, override) {
@@ -12526,6 +12902,13 @@ export {
   compileSequenceFormat,
   resolveSequenceKey,
   SequenceStore,
+  exportAccessibleData,
+  withdrawAccessibleData,
+  WithdrawalRequestError,
+  requestWithdrawal,
+  listWithdrawalRequests,
+  approveWithdrawal,
+  rejectWithdrawal,
   validateSchemaInput,
   validateSchemaOutput,
   isZodSchema,
@@ -12569,4 +12952,4 @@ export {
   Noydb,
   createNoydb
 };
-//# sourceMappingURL=chunk-7PH4OPBZ.js.map
+//# sourceMappingURL=chunk-P65YMN5V.js.map