@noy-db/hub 0.2.0-pre.21 → 0.2.0-pre.24

package/dist/{chunk-7PH4OPBZ.js → chunk-QOXZM3L2.js}

@@ -1,16 +1,13 @@
-import {
-  STATE_VAULT_NAME
-} from "./chunk-ZC7J6ZYV.js";
 import {
   resolveSchema
 } from "./chunk-EMIGCR7X.js";
 import {
   TxContext,
   revertExecuted
-} from "./chunk-IY24WS2P.js";
+} from "./chunk-BCMHJYVT.js";
 import {
   OverlayedCollection
-} from "./chunk-MBXKRHSS.js";
+} from "./chunk-CCNRFAL3.js";
 import {
   NO_AGGREGATE,
   Query,
@@ -20,36 +17,39 @@ import {
   decodeMoneyFields,
   quantizeMoneyFields,
   validateMoneyFieldPaths
-} from "./chunk-NV4IHBZS.js";
+} from "./chunk-3XJU3OHE.js";
 import {
   EXPORT_AUDIT_COLLECTION,
   createExportBlobsHandle,
   runCompaction
-} from "./chunk-2XA2ZML4.js";
+} from "./chunk-FG6IQ3ZL.js";
 import {
   LazyQuery,
   decodeIdxId,
   encodeIdxId
-} from "./chunk-3HNKR65T.js";
+} from "./chunk-U6LTLN7O.js";
 import {
   canonicalGroupKey
-} from "./chunk-JYNH4FIM.js";
+} from "./chunk-77WF53XY.js";
 import {
   readPath
-} from "./chunk-U2XSUCDF.js";
+} from "./chunk-GEWIFM4J.js";
 import {
   SCHEMAS_COLLECTION,
   loadPersistedSchema,
   resolveManagedSecret,
   savePersistedSchema,
   saveSealedPassphrase
-} from "./chunk-C6W5KVDV.js";
+} from "./chunk-XC32SZPW.js";
+import {
+  writeNoydbBundle
+} from "./chunk-4TCMCCC3.js";
 import {
   loadPublicEnvelope,
   readPublicEnvelope,
   savePublicEnvelope,
   validatePublicEnvelopeInput
-} from "./chunk-JOK73NDT.js";
+} from "./chunk-P7OL22JP.js";
 import {
   buildTombstone,
   isTombstone,
@@ -58,19 +58,19 @@ import {
   rewrapBodyToDek,
   rotateRecordCek,
   sealRecordToHost
-} from "./chunk-BZW5IL43.js";
+} from "./chunk-DCA2BDHA.js";
 import {
   PERIODS_COLLECTION
-} from "./chunk-I3IYTUUI.js";
+} from "./chunk-HHJ5DZCZ.js";
 import {
   isDictCollectionName,
   isStaticDictDescriptor
-} from "./chunk-O5XKZCUD.js";
+} from "./chunk-7X4EF35A.js";
 import {
   getAtPath,
   resolvePolicy,
   setAtPathInPlace
-} from "./chunk-TNH5SLCD.js";
+} from "./chunk-HD4QCT2O.js";
 import {
   ManagedRecoveryNotEnrolledError,
   PolicyDeniedError,
@@ -92,11 +92,11 @@ import {
   saveShamirRecoveryEntries,
   updateAuthenticator,
   writeMagicLinkGrant
-} from "./chunk-HYJMAV53.js";
+} from "./chunk-OWAMTSAI.js";
 import {
   assertTierAccess,
   dekKey
-} from "./chunk-F5GWNSE2.js";
+} from "./chunk-TOMSCJRV.js";
 import {
   USER_ENVELOPE_COLLECTION,
   assertKeyringOpenAllowed,
@@ -121,7 +121,7 @@ import {
   rotateKeys,
   saveUserEnvelope,
   updateKeyringIdentity
-} from "./chunk-FRRJIUSI.js";
+} from "./chunk-B5CSNGSE.js";
 import {
   INDEXED_STORE_POLICY
 } from "./chunk-2QR2PQTT.js";
@@ -131,7 +131,7 @@ import {
 import {
   LEDGER_COLLECTION,
   LEDGER_DELTAS_COLLECTION
-} from "./chunk-JDCPRJVS.js";
+} from "./chunk-AONK5GCC.js";
 import {
   sha256Hex as sha256Hex2
 } from "./chunk-PDVP3C2I.js";
@@ -143,19 +143,20 @@ import {
   readDottedPath,
   rebuildSubjectIndex,
   removeSubjectRef
-} from "./chunk-CQYEDODS.js";
+} from "./chunk-35U5YNRR.js";
 import {
   NOYDB_BACKUP_VERSION,
   NOYDB_FORMAT_VERSION
-} from "./chunk-TA6HPKWQ.js";
+} from "./chunk-LR7CODVN.js";
 import {
   decrypt,
   encrypt,
   encryptDeterministic,
   sha256Hex,
   unwrapCek,
-  wrapCek
-} from "./chunk-37VGJM3T.js";
+  wrapCek,
+  wrapKey
+} from "./chunk-WQ3KAGOV.js";
 import {
   AlreadyElevatedError,
   AttestationError,
@@ -167,6 +168,7 @@ import {
   DerivationCapExceededError,
   ElevationExpiredError,
   ExportCapabilityError,
+  FederationMovedError,
   ForgetStrategyNotConfiguredError,
   ImportCapabilityError,
   IndexWriteFailureError,
@@ -181,7 +183,6 @@ import {
   QuiesceTimeoutError,
   ReadOnlyError,
   ReservedCollectionNameError,
-  ReservedVaultNameError,
   SchemaFenceError,
   SchemaValidationError,
   SequenceContentionError,
@@ -194,9 +195,8 @@ import {
   UniqueConstraintError,
   UnknownDictCodeError,
   UnsupportedIndexOptionError,
-  ValidationError,
-  VaultTemplateNotFoundError
-} from "./chunk-OTWT6BAJ.js";
+  ValidationError
+} from "./chunk-4BB4T3O7.js";
 
 // src/policy/storage.ts
 var META_COLLECTION = "_meta";
@@ -910,7 +910,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
     }
     const sourceWithId = { ...source, id };
     if (DerivationExecutor === null) {
-      ({ DerivationExecutor } = await import("./executor-4IEW4KG5.js"));
+      ({ DerivationExecutor } = await import("./executor-VJSCTBWY.js"));
     }
     const ctx = { vault: accessor.getReadOnlyFacade() };
     const result = await DerivationExecutor.run(spec, sourceWithId, 0, strategyHash, ctx);
@@ -1156,6 +1156,13 @@ var Collection = class {
    * flag) still decrypts CEK records.
    */
   perRecordCek;
+  /**
+   * Per-record provenance opt-in (`provenance: true`). When set, `put()` calls
+   * that supply a `source` option stamp `_source`/`_sourceTs` onto the
+   * unencrypted envelope metadata. Off by default — zero cost for collections
+   * that don't need lineage tracking (FR-5, #445).
+   */
+  provenance;
   /**
    * Session-scoped `(id) → CEK` cache for this collection. Lets updates
    * reuse a record's stable CEK and lets repeated reads skip the AES-KW
@@ -1315,6 +1322,7 @@ var Collection = class {
     }
     this.perRecordCek = opts.perRecordKeys === true;
     this.cekCache = this.perRecordCek ? new Lru({ maxRecords: 4096 }) : null;
+    this.provenance = opts.provenance === true;
     if (opts.crdt && opts.onRegisterConflictResolver) {
       const crdtMode = opts.crdt;
       const crdtResolver = async (id, local, remote) => {
@@ -1459,7 +1467,7 @@ var Collection = class {
       }
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-CPESGAPL.js");
+      const { resolveStaleMVOnRead } = await import("./stale-PW6VBGSP.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     let record;
@@ -1502,6 +1510,33 @@ var Collection = class {
     if (json === null) return null;
     return JSON.parse(json);
   }
+  /**
+   * Read a record's unencrypted envelope metadata (version, timestamps,
+   * provenance) without decrypting the body.
+   *
+   * Returns `null` when no envelope exists for `id` (record absent or never
+   * written). Only `_source`/`_sourceTs` fields are populated when the
+   * collection was opened with `provenance: true` AND the record was written
+   * with a `source` option — but this method works on any collection because
+   * it reads the raw envelope directly.
+   *
+   * @returns `{ version, timestamp, by?, source?, sourceTs? }` or `null`.
+   *
+   * @example
+   * const meta = await clients.getMetadata('c1')
+   * if (meta) console.log(meta.source, meta.timestamp)
+   */
+  async getMetadata(id) {
+    const env = await this.adapter.get(this.vault, this.name, id);
+    if (!env) return null;
+    return {
+      version: env._v,
+      timestamp: env._ts,
+      ...env._by !== void 0 ? { by: env._by } : {},
+      ...env._source !== void 0 ? { source: env._source } : {},
+      ...env._sourceTs !== void 0 ? { sourceTs: env._sourceTs } : {}
+    };
+  }
   /**
    * Return a presence handle for this collection.
    *
@@ -1539,6 +1574,14 @@ var Collection = class {
    *                `reason` is stamped onto the resulting ledger entry
    *                so audit consumers can filter via
    *                `entries.filter(e => e.reason?.startsWith('import:'))`.
+   *                `source` is an opaque source id (e.g. `'crm-sync'`, `'firm-A'`)
+   *                stamped onto the envelope as `_source`/`_sourceTs` when
+   *                the collection has `provenance: true`. Ignored otherwise
+   *                (zero cost). (FR-5, #445)
+   *                `sourceTs` is an optional ISO-8601 origin timestamp override;
+   *                when supplied together with `source` on a provenance collection,
+   *                replaces the machine-stamped `now()` so re-merges preserve the
+   *                ORIGIN refresh time across vaults. (FR-4)
    */
   async put(id, record, options) {
     await this.schemaUpdateGate?.assertWritable();
@@ -1570,6 +1613,20 @@ var Collection = class {
       if (busAfterPut) await this.subsystemBus.dispatch("afterPut", event);
     }
   }
+  /**
+   * Validate a record against this collection's schema WITHOUT writing it.
+   * Returns the (possibly coerced) record on success; throws
+   * {@link SchemaValidationError} (direction: `'input'`) on violation.
+   * A no-op pass-through when no schema is declared.
+   *
+   * Used by FR-8 migrate-then-merge to pre-validate all staged records
+   * before `mergeDecryptedRecords` writes anything — so a failed upgrade
+   * never half-writes the receiver.
+   */
+  async validateInput(record) {
+    if (this.schema === void 0) return record;
+    return validateSchemaInput(this.schema, record, `validateInput(${this.name})`);
+  }
   /** @internal — true when hooks should fire for this write (handlers exist, not re-entrant). */
   #hooksActive() {
     return this.writeHooks !== void 0 && this.writeHooks.hasHandlers && !this.writeHooks.suppressed;
@@ -1727,7 +1784,7 @@ var Collection = class {
       }
       const version2 = existingVersion + 1;
       const cek2 = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
-      const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2, cek2);
+      const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2, cek2, options?.source, options?.sourceTs);
       await this.adapter.put(this.vault, this.name, id, envelope2);
       const resolvedRecord = this.crdtStrategy.resolveCrdtSnapshot(crdtState);
       const existingResolvedRecord = existingEnvelope ? await this.decryptRecord(existingEnvelope, { skipValidation: true }) : null;
@@ -1806,7 +1863,7 @@ var Collection = class {
         });
       }
     }
-    const envelope = await this.encryptRecord(record, version, cek);
+    const envelope = await this.encryptRecord(record, version, cek, options?.source, options?.sourceTs);
     await this.adapter.put(this.vault, this.name, id, envelope);
     if (this.ledger) {
       const appendInput = {
@@ -1869,7 +1926,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-KYJCJCIN.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-UYXSQB4D.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -1878,7 +1935,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-CPESGAPL.js");
+          staleHelpers = await import("./stale-PW6VBGSP.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -2052,7 +2109,7 @@ var Collection = class {
         continue;
       }
       if (DerivationExecutor === null) {
-        ({ DerivationExecutor } = await import("./executor-4IEW4KG5.js"));
+        ({ DerivationExecutor } = await import("./executor-VJSCTBWY.js"));
       }
       for (const run of runs) {
         const ctx = { vault: this.derivationSource.getReadOnlyFacade() };
@@ -2071,7 +2128,7 @@ var Collection = class {
           const outputCollection = this.derivationSource.getCollection(outSpec.collection);
           const txCtx = this.derivationSource.getActiveTxContext();
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-YXNAEZ33.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-ZQT4Y7PF.js");
             const prior = await loadFanoutSidecar(
               this.adapter,
               this.vault,
@@ -2099,7 +2156,7 @@ var Collection = class {
                   priorEnvelope
                 });
               }
-              await outputCollection.put(entry.key, entry.value);
+              await outputCollection.put(entry.key, entry.value, { source: "derived" });
             }
             await saveFanoutSidecar(this.adapter, this.vault, {
               source: spec.source,
@@ -2132,7 +2189,7 @@ var Collection = class {
                 priorEnvelope: prior
               });
             }
-            await outputCollection.put(run.runId, patched);
+            await outputCollection.put(run.runId, patched, { source: "derived" });
             continue;
           }
           if (txCtx !== null) {
@@ -2147,7 +2204,7 @@ var Collection = class {
               priorEnvelope: prior
             });
           }
-          await outputCollection.put(run.runId, out.value);
+          await outputCollection.put(run.runId, out.value, { source: "derived" });
         }
       }
     }
@@ -2434,7 +2491,7 @@ var Collection = class {
       for (const [outputKey, outSpec] of Object.entries(spec.outputs)) {
         if (outSpec.shape !== "array") continue;
         if (helpers === null) {
-          helpers = await import("./fanout-sidecar-YXNAEZ33.js");
+          helpers = await import("./fanout-sidecar-ZQT4Y7PF.js");
         }
         const sidecar = await helpers.loadFanoutSidecar(
           this.adapter,
@@ -2474,7 +2531,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-KYJCJCIN.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-UYXSQB4D.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -2483,7 +2540,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-CPESGAPL.js");
+          staleHelpers = await import("./stale-PW6VBGSP.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -2506,7 +2563,7 @@ var Collection = class {
       );
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-CPESGAPL.js");
+      const { resolveStaleMVOnRead } = await import("./stale-PW6VBGSP.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     await this.ensureHydrated();
@@ -3810,7 +3867,7 @@ var Collection = class {
    * (see {@link encryptRecord}). Rejects `_`-prefixed record fields, which
    * would collide with the reserved metadata namespace.
    */
-  buildDebugEnvelope(record, version) {
+  buildDebugEnvelope(record, version, source, sourceTs) {
     const rec = record;
     for (const key of Object.keys(rec)) {
       if (key.startsWith("_")) throw new DebugReservedFieldError(this.name, key);
@@ -3823,11 +3880,13 @@ var Collection = class {
       _data: "",
       _by: this.keyring.userId,
       _debug: NOYDB_FORMAT_VERSION,
+      ...this.provenance && source !== void 0 ? { _source: source, _sourceTs: sourceTs ?? (/* @__PURE__ */ new Date()).toISOString() } : {},
       ...rec
     };
   }
-  async encryptJsonString(json, version, cek) {
+  async encryptJsonString(json, version, cek, source, sourceTs) {
     const by = this.keyring.userId;
+    const provenanceFields = this.provenance && source !== void 0 ? { _source: source, _sourceTs: sourceTs ?? (/* @__PURE__ */ new Date()).toISOString() } : {};
     if (!this.encrypted) {
       return {
         _noydb: NOYDB_FORMAT_VERSION,
@@ -3835,7 +3894,8 @@ var Collection = class {
         _ts: (/* @__PURE__ */ new Date()).toISOString(),
         _iv: "",
         _data: json,
-        _by: by
+        _by: by,
+        ...provenanceFields
       };
     }
     const dek = await this.getDEK(this.name);
@@ -3849,7 +3909,8 @@ var Collection = class {
         _iv: iv2,
         _data: data2,
         _by: by,
-        _cek: wrapped
+        _cek: wrapped,
+        ...provenanceFields
       };
     }
     const { iv, data } = await encrypt(json, dek);
@@ -3859,14 +3920,15 @@ var Collection = class {
       _ts: (/* @__PURE__ */ new Date()).toISOString(),
       _iv: iv,
       _data: data,
-      _by: by
+      _by: by,
+      ...provenanceFields
     };
   }
-  async encryptRecord(record, version, cek) {
+  async encryptRecord(record, version, cek, source, sourceTs) {
     if (!this.encrypted && this.keyring.debugPlaintext === true && !this.name.startsWith("_")) {
-      return this.buildDebugEnvelope(record, version);
+      return this.buildDebugEnvelope(record, version, source, sourceTs);
     }
-    const base = await this.encryptJsonString(JSON.stringify(record), version, cek);
+    const base = await this.encryptJsonString(JSON.stringify(record), version, cek, source, sourceTs);
     if (!this.deterministicFields || !this.encrypted) return base;
     const dek = await this.getDEK(this.name);
     const rec = record;
@@ -4000,7 +4062,8 @@ var Collection = class {
       _iv: iv,
       _data: data,
       _by: this.keyring.userId,
-      ...tier > 0 && { _tier: tier }
+      ...tier > 0 && { _tier: tier },
+      ...this.provenance && opts?.source !== void 0 ? { _source: opts.source, _sourceTs: opts.sourceTs ?? (/* @__PURE__ */ new Date()).toISOString() } : {}
     };
     await this.adapter.put(this.vault, this.name, id, envelope);
     if (tier > 0) {
@@ -4296,6 +4359,276 @@ function valuesMatch(stored, live) {
   }
 }
 
+// src/bundle/export-accessible.ts
+function resolveAccessibleCollections(keyring, scope, writableOnly = false) {
+  let collections;
+  if (keyring.role === "operator" || keyring.role === "client") {
+    collections = Object.entries(keyring.permissions).filter(([, mode]) => !writableOnly || mode === "rw").map(([c]) => c);
+  }
+  if (scope?.collections) {
+    const allow = new Set(scope.collections);
+    collections = (collections ?? [...scope.collections]).filter((c) => allow.has(c));
+  }
+  return collections;
+}
+async function buildAccessibleBundle(vault, collections, reKey, compression = "auto") {
+  return writeNoydbBundle(vault, {
+    compression,
+    ...collections !== void 0 ? { collections } : {},
+    ...reKey ? { exportPassphrase: reKey.passphrase } : {}
+  });
+}
+async function exportAccessibleData(vault, opts = {}) {
+  const { keyring } = vault._introspectState();
+  const collections = resolveAccessibleCollections(keyring, opts.scope);
+  const bytes = await buildAccessibleBundle(vault, collections, opts.reKey, opts.compression ?? "auto");
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-export:${keyring.userId}`
+  });
+  return bytes;
+}
+
+// src/bundle/withdraw-accessible.ts
+var FROZEN_SNAPSHOTS_COLLECTION = "_frozen_snapshots";
+var ENC = new TextEncoder();
+function randomId() {
+  const b = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  return Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
+}
+async function freezeSnapshotOnly(vault, collections, opts) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const closure = [];
+  for (const c of collections) {
+    for (const id of await adapter.list(vaultName, c)) closure.push({ collection: c, id });
+  }
+  const withdrawalId = opts.withdrawalId ?? `wd-${randomId()}`;
+  const snap = {};
+  for (const { collection, id } of closure) {
+    const env = await adapter.get(vaultName, collection, id);
+    if (env) (snap[collection] ??= {})[id] = env;
+  }
+  const frozenAt = (/* @__PURE__ */ new Date()).toISOString();
+  const body = JSON.stringify({ withdrawalId, frozenAt, by: opts.actorUserId, collections: snap });
+  const sha = await sha256Hex(ENC.encode(body));
+  await adapter.put(
+    vaultName,
+    FROZEN_SNAPSHOTS_COLLECTION,
+    withdrawalId,
+    { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: frozenAt, _iv: "", _data: body, _by: opts.actorUserId },
+    0
+  );
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: opts.actorUserId,
+    payloadHash: "",
+    reason: `withdrawal-frozen-snapshot:${withdrawalId}:${sha}`
+  });
+  return { withdrawalId, sha256: sha, recordCount: closure.length, frozenAt };
+}
+async function freezeAndDeleteClosure(vault, collections, opts) {
+  const snapshot = opts.disposition === "freeze" ? await freezeSnapshotOnly(vault, collections, {
+    actorUserId: opts.actorUserId,
+    ...opts.withdrawalId ? { withdrawalId: opts.withdrawalId } : {}
+  }) : void 0;
+  const { name: vaultName, adapter } = vault._introspectState();
+  for (const c of collections) {
+    for (const id of await adapter.list(vaultName, c)) {
+      await vault.collection(c).delete(id);
+    }
+  }
+  return snapshot;
+}
+async function withdrawAccessibleData(vault, opts) {
+  const { keyring } = vault._introspectState();
+  const disposition = opts.disposition ?? "delete";
+  if (keyring.role === "owner" || keyring.role === "admin") {
+    throw new ReadOnlyError(
+      "unilateralWithdrawal is the scoped self-service path; an owner/admin should use extractPartition"
+    );
+  }
+  if (keyring.role === "custodian") {
+    throw new ReadOnlyError(
+      "a custodian cannot destructively withdraw/sever; use vault.custody.liberate for an audited ownership claim"
+    );
+  }
+  if (keyring.role === "client" || keyring.role === "viewer") {
+    throw new ReadOnlyError(
+      "read-only role cannot self-serve a destructive withdrawal \u2014 use requestWithdrawal (two-party)"
+    );
+  }
+  const collections = resolveAccessibleCollections(keyring, opts.scope, true);
+  if (!collections || collections.length === 0) {
+    throw new ReadOnlyError(
+      "unilateralWithdrawal requires rw access on the withdrawn collections \u2014 use requestWithdrawal for read-only scope"
+    );
+  }
+  const bundle = await buildAccessibleBundle(vault, collections, opts.reKey);
+  const snapshot = await freezeAndDeleteClosure(vault, collections, {
+    disposition,
+    actorUserId: keyring.userId,
+    ...opts.withdrawalId ? { withdrawalId: opts.withdrawalId } : {}
+  });
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-unilateral-withdrawal:${keyring.userId}:${disposition}:${opts.legalBasis}`
+  });
+  return snapshot ? { bundle, snapshot } : { bundle };
+}
+
+// src/bundle/request-withdrawal.ts
+var WITHDRAWAL_REQUESTS_COLLECTION = "_user_withdrawal_requests";
+var WithdrawalRequestError = class extends NoydbError {
+  constructor(message) {
+    super("WITHDRAWAL_REQUEST", message);
+    this.name = "WithdrawalRequestError";
+  }
+};
+function writeRequest(vault, req, expectedVersion) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const body = JSON.stringify(req);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: expectedVersion + 1,
+    _ts: req.decidedAt ?? req.requestedAt,
+    _iv: "",
+    _data: body,
+    _by: req.decidedBy ?? req.requester
+  };
+  return adapter.put(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, req.requestId, env, expectedVersion);
+}
+async function readRequest(vault, requestId) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const env = await adapter.get(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, requestId);
+  if (!env) throw new WithdrawalRequestError(`withdrawal request "${requestId}" not found`);
+  return { req: JSON.parse(env._data), version: env._v };
+}
+async function requestWithdrawal(vault, opts = {}) {
+  const { keyring } = vault._introspectState();
+  const collections = resolveAccessibleCollections(keyring, opts.scope, false);
+  if (!collections || collections.length === 0) {
+    throw new WithdrawalRequestError(
+      "requestWithdrawal needs a concrete scope.collections (the caller has all-collection access \u2014 name the collections to withdraw)"
+    );
+  }
+  const requestId = `wr-${randomId()}`;
+  const requestedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const req = {
+    requestId,
+    requester: keyring.userId,
+    collections,
+    disposition: opts.disposition ?? "delete",
+    status: "pending",
+    requestedAt,
+    ...opts.legalBasis ? { legalBasis: opts.legalBasis } : {},
+    ...opts.expiresInMs ? { expiresAt: new Date(Date.parse(requestedAt) + opts.expiresInMs).toISOString() } : {}
+  };
+  await writeRequest(vault, req, 0);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-withdrawal-request:${requestId}:${keyring.userId}`
+  });
+  return { requestId, status: "pending", ...req.expiresAt ? { expiresAt: req.expiresAt } : {} };
+}
+async function listWithdrawalRequests(vault, opts = {}) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const ids = await adapter.list(vaultName, WITHDRAWAL_REQUESTS_COLLECTION);
+  const out = [];
+  for (const id of ids) {
+    const env = await adapter.get(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, id);
+    if (!env) continue;
+    const req = JSON.parse(env._data);
+    if (!opts.status || req.status === opts.status) out.push(req);
+  }
+  return out;
+}
+function assertApprover(vault) {
+  const { keyring } = vault._introspectState();
+  if (keyring.role !== "owner" && keyring.role !== "admin") {
+    throw new WithdrawalRequestError("approveWithdrawal / rejectWithdrawal require an owner or admin");
+  }
+  return keyring.userId;
+}
+function assertPending(req) {
+  if (req.status !== "pending") {
+    throw new WithdrawalRequestError(`withdrawal request "${req.requestId}" is already ${req.status}`);
+  }
+  if (req.expiresAt && Date.now() > Date.parse(req.expiresAt)) {
+    throw new WithdrawalRequestError(`withdrawal request "${req.requestId}" expired at ${req.expiresAt}`);
+  }
+}
+async function approveWithdrawal(vault, requestId, opts = {}) {
+  const approver = assertApprover(vault);
+  const { req, version } = await readRequest(vault, requestId);
+  assertPending(req);
+  const bundle = await buildAccessibleBundle(vault, [...req.collections], opts.reKey);
+  const snapshot = await freezeAndDeleteClosure(vault, req.collections, {
+    disposition: req.disposition,
+    actorUserId: approver,
+    withdrawalId: `wd-${requestId}`
+  });
+  const decidedAt = (/* @__PURE__ */ new Date()).toISOString();
+  await writeRequest(vault, {
+    ...req,
+    status: "approved",
+    decidedAt,
+    decidedBy: approver,
+    ...snapshot ? { snapshotSha256: snapshot.sha256 } : {}
+  }, version);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: approver,
+    payloadHash: "",
+    reason: `user-withdrawal-approved:${requestId}:${req.requester}:${req.disposition}`
+  });
+  return snapshot ? { bundle, snapshot } : { bundle };
+}
+async function rejectWithdrawal(vault, requestId, opts = {}) {
+  const approver = assertApprover(vault);
+  const { req, version } = await readRequest(vault, requestId);
+  assertPending(req);
+  const decidedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const updated = {
+    ...req,
+    status: "rejected",
+    decidedAt,
+    decidedBy: approver,
+    ...opts.reason ? { rejectReason: opts.reason } : {}
+  };
+  await writeRequest(vault, updated, version);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: approver,
+    payloadHash: "",
+    reason: `user-withdrawal-rejected:${requestId}:${req.requester}`
+  });
+  return updated;
+}
+
 // src/archive/engine.ts
 function isHeld(policy, record) {
   if (!policy.legalHold) return false;
@@ -4971,20 +5304,99 @@ var LinkIntegrityError = class extends NoydbError {
 
 // src/meta/user-envelope/api.ts
 var UserApi = class {
-  constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2) {
+  constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2, exportAccessible, unilateralWithdraw, requestWithdraw, listWithdrawals, approveWithdraw, rejectWithdraw) {
     this.adapter = adapter;
     this.vaultName = vaultName;
     this.writerKeyringId = writerKeyringId;
     this.getDek = getDek;
     this.checkGate = checkGate2;
+    this.exportAccessible = exportAccessible;
+    this.unilateralWithdraw = unilateralWithdraw;
+    this.requestWithdraw = requestWithdraw;
+    this.listWithdrawals = listWithdrawals;
+    this.approveWithdraw = approveWithdraw;
+    this.rejectWithdraw = rejectWithdraw;
   }
   adapter;
   vaultName;
   writerKeyringId;
   getDek;
   checkGate;
+  exportAccessible;
+  unilateralWithdraw;
+  requestWithdraw;
+  listWithdrawals;
+  approveWithdraw;
+  rejectWithdraw;
   /** keyringId → set of listeners. Wildcard '*' fires on every change. */
   listeners = /* @__PURE__ */ new Map();
+  /**
+   * #199 P3 — file a two-party withdrawal request for the caller's accessible
+   * scope. Non-destructive (writes a pending request); an owner later approves
+   * or rejects. This is the path for read-only roles (`client`/`viewer`) that
+   * cannot self-serve a destructive `unilateralWithdrawal`. Gated by
+   * `user-request-withdrawal` (enabled by default).
+   */
+  async requestWithdrawal(opts = {}) {
+    if (this.checkGate) await this.checkGate("user-request-withdrawal");
+    if (!this.requestWithdraw) {
+      throw new Error("requestWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.requestWithdraw(opts);
+  }
+  /** #199 P3 — owner side: list filed withdrawal requests (optionally by status). */
+  async listWithdrawalRequests(opts = {}) {
+    if (!this.listWithdrawals) {
+      throw new Error("listWithdrawalRequests requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.listWithdrawals(opts);
+  }
+  /**
+   * #199 P3 — owner side: approve a pending request. Extracts the requester's
+   * recorded scope under firm authority, disposes of the source per the
+   * request's disposition, and returns the re-keyed bundle to hand back. Gated
+   * by `approve-user-withdrawal` (tier-2 default) + owner/admin role.
+   */
+  async approveWithdrawal(requestId, opts = {}) {
+    if (this.checkGate) await this.checkGate("approve-user-withdrawal");
+    if (!this.approveWithdraw) {
+      throw new Error("approveWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.approveWithdraw(requestId, opts);
+  }
+  /** #199 P3 — owner side: reject a pending request (no data is touched). */
+  async rejectWithdrawal(requestId, opts = {}) {
+    if (this.checkGate) await this.checkGate("approve-user-withdrawal");
+    if (!this.rejectWithdraw) {
+      throw new Error("rejectWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.rejectWithdraw(requestId, opts);
+  }
+  /**
+   * #199 P2 — single-party withdrawal: export the caller's accessible scope
+   * (re-keyed) and dispose of the source (`delete` or `freeze`). Gated by the
+   * fail-closed built-in `client-unilateral-withdraw` policy — undefined or
+   * disabled → throws (use `requestWithdrawal`). The firm enables it at vault
+   * creation.
+   */
+  async unilateralWithdrawal(opts) {
+    if (this.checkGate) await this.checkGate("client-unilateral-withdraw");
+    if (!this.unilateralWithdraw) {
+      throw new Error("unilateralWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.unilateralWithdraw(opts);
+  }
+  /**
+   * #199 — export the calling user's accessible scope as a portable, re-keyed
+   * `.noydb` bundle. Non-destructive and **always allowed** (data sovereignty
+   * by construction, §11.11) but audited. Scope = the caller's DEK access set.
+   */
+  async exportMyAccessibleData(opts = {}) {
+    if (!this.exportAccessible) {
+      throw new Error("exportMyAccessibleData requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.exportAccessible(opts);
+  }
   // ─── Write-self ──────────────────────────────────────────────────────
   /** Read the writer's own envelope. Returns null if never written. */
   async me() {
@@ -5237,6 +5649,148 @@ function isPlainObject(x) {
   return proto === Object.prototype || proto === null;
 }
 
+// src/custody/index.ts
+var CustodyApi = class {
+  constructor(_grantCustodian, _revokeCustodian, _liberate) {
+    this._grantCustodian = _grantCustodian;
+    this._revokeCustodian = _revokeCustodian;
+    this._liberate = _liberate;
+  }
+  _grantCustodian;
+  _revokeCustodian;
+  _liberate;
+  /**
+   * Owner-only: grant the FR-6 `custodian` role. The custodian operates every
+   * collection (rw + access) but is provably unable to grant / revoke / rotate /
+   * extract-and-sever. Defended in depth (gate + owner-only role check) inside
+   * the injected `Noydb.grantCustodian`.
+   */
+  async grantCustodian(options, factors) {
+    return this._grantCustodian(options, factors);
+  }
+  /** Owner-only: revoke a custodian. */
+  async revokeCustodian(options, factors) {
+    return this._revokeCustodian(options, factors);
+  }
+  /**
+   * Custodian-only: the audited claim of ownership over a sealed-owner (Deed)
+   * vault. Mints a DISTINCT new owner re-wrapping the incumbent DEKs under a
+   * fresh KEK (the latent owner is never impersonated), ledger-audited. See
+   * {@link liberateVault}.
+   */
+  async liberate(opts) {
+    return this._liberate(opts);
+  }
+};
+
+// src/team/deed.ts
+var DEED_RECORD_ID = "deed";
+async function createDeedOwner(store, vault, ownerUserId, sealing) {
+  const passphrase = await resolveManagedSecret(store, vault, sealing);
+  const keyring = await createOwnerKeyring(store, vault, ownerUserId, passphrase);
+  await saveDeedMarker(store, vault, {
+    ownerUserId,
+    sealedUnder: sealing.id,
+    latent: true,
+    issuedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  return keyring;
+}
+async function loadDeedMarker(store, vault) {
+  const envelope = await store.get(vault, "_meta", DEED_RECORD_ID);
+  if (!envelope) return null;
+  let payload;
+  try {
+    payload = JSON.parse(envelope._data);
+  } catch {
+    return null;
+  }
+  if (typeof payload !== "object" || payload === null) return null;
+  const r = payload;
+  if (r._noydb_deed !== 1) return null;
+  if (typeof r.ownerUserId !== "string" || typeof r.sealedUnder !== "string" || r.latent !== true || typeof r.issuedAt !== "string") {
+    return null;
+  }
+  const marker = {
+    ownerUserId: r.ownerUserId,
+    sealedUnder: r.sealedUnder,
+    latent: true,
+    issuedAt: r.issuedAt,
+    ...typeof r.liberatedAt === "string" ? { liberatedAt: r.liberatedAt } : {}
+  };
+  return marker;
+}
+async function isDeedVault(store, vault) {
+  return await loadDeedMarker(store, vault) !== null;
+}
+async function saveDeedMarker(store, vault, marker) {
+  const persisted = { _noydb_deed: 1, ...marker };
+  const prior = await store.get(vault, "_meta", DEED_RECORD_ID);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // AES-GCM bypassed — the marker is plaintext audit metadata.
+    _iv: "",
+    _data: JSON.stringify(persisted)
+  };
+  await store.put(vault, "_meta", DEED_RECORD_ID, env);
+}
+
+// src/custody/liberate.ts
+async function liberateVault(vault, opts) {
+  await vault.noydb.checkGate(vault.name, "liberate-vault", opts.factors);
+  const { name: vaultName, adapter, keyring } = vault._introspectState();
+  if (keyring.role !== "custodian") {
+    throw new PermissionDeniedError(
+      "liberation is claimed only by the custodian (the de-facto authority holding the DEKs)"
+    );
+  }
+  const existing = await adapter.get(vaultName, "_keyring", opts.newOwnerId);
+  if (existing) {
+    throw new PermissionDeniedError(
+      `liberateVault: newOwnerId "${opts.newOwnerId}" already exists as a principal; choose a fresh id (liberation mints a distinct owner, it never overwrites an existing keyring)`
+    );
+  }
+  const collections = await listOperationalCollections(vault);
+  const snapshot = await freezeSnapshotOnly(vault, collections, { actorUserId: keyring.userId });
+  const newOwner = await createOwnerKeyring(adapter, vaultName, opts.newOwnerId, opts.newOwnerPassphrase);
+  if (!newOwner.kek) {
+    throw new PermissionDeniedError(
+      `new owner keyring for "${opts.newOwnerId}" has no KEK to re-wrap the incumbent DEKs under`
+    );
+  }
+  const env = await adapter.get(vaultName, "_keyring", opts.newOwnerId);
+  if (!env) {
+    throw new PermissionDeniedError(`new owner keyring for "${opts.newOwnerId}" did not persist`);
+  }
+  const keyringFile = JSON.parse(env._data);
+  const mergedDeks = { ...keyringFile.deks };
+  for (const [collection, dek] of keyring.deks) {
+    mergedDeks[collection] = await wrapKey(dek, newOwner.kek);
+  }
+  const mergedFile = { ...keyringFile, deks: mergedDeks };
+  await adapter.put(vaultName, "_keyring", opts.newOwnerId, { ...env, _data: JSON.stringify(mergedFile) });
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: opts.newOwnerId,
+    payloadHash: "",
+    reason: `liberation-claimed:${opts.newOwnerId}:${opts.legalBasis}`
+  });
+  const marker = await loadDeedMarker(adapter, vaultName);
+  if (marker) {
+    await saveDeedMarker(adapter, vaultName, { ...marker, liberatedAt: (/* @__PURE__ */ new Date()).toISOString() });
+  }
+  return { snapshot };
+}
+async function listOperationalCollections(vault) {
+  const { keyring } = vault._introspectState();
+  return [...keyring.deks.keys()].filter((c) => !c.startsWith("_"));
+}
+
 // src/persisted-schemas/canonicalize.ts
 function canonicalize(value) {
   if (value === null || typeof value !== "object") {
@@ -6019,6 +6573,18 @@ var Vault = class {
    * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
    */
   user;
+  /**
+   * FR-6 custody API — the sovereign-custody surface, mirroring `vault.user.*`.
+   *
+   * - `grantCustodian(opts)` / `revokeCustodian(opts)` — owner-only: mint /
+   *   remove a `custodian` who operates the vault fully but can never grant /
+   *   rotate / sever / extract.
+   * - `liberate(opts)` — custodian-only: the audited claim of ownership over a
+   *   sealed-owner (Deed) vault (mints a DISTINCT new owner; ledger-audited).
+   *
+   * @see docs/superpowers/specs/2026-06-17-fr6-deed-custodian-liberate-design.md
+   */
+  custody;
   /**
    * Optional callback that re-derives an UnlockedKeyring from the
    * adapter using the active user's passphrase. Called by `load()`
@@ -6221,7 +6787,18 @@ var Vault = class {
       this.name,
       this.keyring.userId,
       () => this.getDEK(USER_ENVELOPE_COLLECTION),
-      (gate, presented) => this.noydb.checkGate(this.name, gate, presented)
+      (gate, presented) => this.noydb.checkGate(this.name, gate, presented),
+      (opts2) => exportAccessibleData(this, opts2),
+      (opts2) => withdrawAccessibleData(this, opts2),
+      (opts2) => requestWithdrawal(this, opts2),
+      (opts2) => listWithdrawalRequests(this, opts2),
+      (requestId, opts2) => approveWithdrawal(this, requestId, opts2),
+      (requestId, opts2) => rejectWithdrawal(this, requestId, opts2)
+    );
+    this.custody = new CustodyApi(
+      (options, factors) => this.noydb.grantCustodian(this.name, options, factors),
+      (options, factors) => this.noydb.revokeCustodian(this.name, options, factors),
+      (opts2) => liberateVault(this, opts2)
     );
   }
   /**
@@ -6450,6 +7027,7 @@ var Vault = class {
         }
         collOpts.perRecordKeys = true;
       }
+      if (options?.provenance !== void 0) collOpts.provenance = options.provenance;
       if (options?.tiers !== void 0) collOpts.tiers = options.tiers;
       if (options?.tierMode !== void 0) collOpts.tierMode = options.tierMode;
       collOpts.onCrossTierAccess = (event) => this.emitCrossTier(event);
@@ -7134,12 +7712,12 @@ var Vault = class {
     if (!fieldSchema) {
       throw new AttestationError(`issueAttestation: collection '${collectionName}' has no attestation field-schema. Declare it via vault.collection('${collectionName}', { attestation: { fields: [...] } }).`);
     }
-    const { issueAttestationCore } = await import("./issue-JXC6T2QR.js");
+    const { issueAttestationCore } = await import("./issue-KLRMW5DH.js");
     const out = await issueAttestationCore(this.makeIssueContext(), { collection: collectionName, id, fieldSchema });
     return { docId: out.docId, qr: out.qr, keyId: out.keyId, publicKeyB64: out.publicKeyB64 };
   }
   async getDocumentSigningPublicKey() {
-    const { loadSigner, loadOrCreateSigner } = await import("./signer-I6YARZQA.js");
+    const { loadSigner, loadOrCreateSigner } = await import("./signer-UJF3CFDC.js");
     const existing = await loadSigner(this.adapter, this.name, this.getDEK);
     if (existing) return { keyId: existing.keyId, publicKeyB64: existing.publicKeyB64 };
     if (this.keyring.role !== "owner") {
@@ -7165,19 +7743,19 @@ var Vault = class {
     };
   }
   async revokeAttestation(docId) {
-    const { revokeDocCore } = await import("./revoke-5IEK22KT.js");
+    const { revokeDocCore } = await import("./revoke-WUY4AYRJ.js");
     await revokeDocCore(this.makeRevokeContext(), docId);
   }
   async unrevokeAttestation(docId) {
-    const { unrevokeDocCore } = await import("./revoke-5IEK22KT.js");
+    const { unrevokeDocCore } = await import("./revoke-WUY4AYRJ.js");
     await unrevokeDocCore(this.makeRevokeContext(), docId);
   }
   async getRevokedDocIds() {
-    const { getRevokedDocIdsCore } = await import("./revoke-5IEK22KT.js");
+    const { getRevokedDocIdsCore } = await import("./revoke-WUY4AYRJ.js");
     return getRevokedDocIdsCore(this.makeRevokeContext());
   }
   async publishRevocationList() {
-    const { publishRevocationListCore } = await import("./revoke-5IEK22KT.js");
+    const { publishRevocationListCore } = await import("./revoke-WUY4AYRJ.js");
     return publishRevocationListCore(this.makeRevokeContext());
   }
   makeRevokeContext() {
@@ -7836,7 +8414,7 @@ var Vault = class {
   async _initDerivations(handles) {
     if (handles.length === 0) return;
     const [{ DerivationRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
-      import("./registry-ATRHOG5B.js"),
+      import("./registry-GAIFVWXF.js"),
       import("./read-only-facade-EX6WZZBP.js")
     ]);
     const registry = new DerivationRegistry();
@@ -7867,7 +8445,7 @@ var Vault = class {
    */
   async _initMaterializedViews(handles) {
     if (handles.length === 0) return;
-    const { MaterializedViewRegistry } = await import("./registry-NWHOLD5M.js");
+    const { MaterializedViewRegistry } = await import("./registry-JGEVJ6YC.js");
     const registry = new MaterializedViewRegistry();
     this.materializedViewRegistry = registry;
     const db = this;
@@ -7891,7 +8469,7 @@ var Vault = class {
    */
   async _initOverlayedViews(handles) {
     if (handles.length === 0) return;
-    const { OverlayedViewRegistry } = await import("./registry-LEHB26TY.js");
+    const { OverlayedViewRegistry } = await import("./registry-J77ZUQ7G.js");
     const registry = new OverlayedViewRegistry();
     const mvRegistry = this.materializedViewRegistry;
     const overlayNames = /* @__PURE__ */ new Set();
@@ -7938,13 +8516,13 @@ var Vault = class {
     if (!reg) {
       throw new Error(`refreshView: no MV registered with name "${name}"`);
     }
-    const { MaterializedViewExecutor } = await import("./executor-KYJCJCIN.js");
+    const { MaterializedViewExecutor } = await import("./executor-UYXSQB4D.js");
     const result = await MaterializedViewExecutor.refresh(reg, {
       getCollection: (n) => this.collection(n),
       getActiveTxContext: () => this.noydb._activeTxContextOrNull,
       getQueryContext: () => this
     });
-    const { clearMVStale } = await import("./stale-CPESGAPL.js");
+    const { clearMVStale } = await import("./stale-PW6VBGSP.js");
     clearMVStale(registry, name);
     return result;
   }
@@ -7960,7 +8538,7 @@ var Vault = class {
     if (registry === null) return { derived: 0, failed: 0 };
     const strategies = registry.strategiesForSource(sourceCollection);
     if (strategies.length === 0) return { derived: 0, failed: 0 };
-    const { DerivationExecutor } = await import("./executor-4IEW4KG5.js");
+    const { DerivationExecutor } = await import("./executor-VJSCTBWY.js");
     const sourceColl = this.collection(sourceCollection);
     const records = await sourceColl.list();
     const ctx = { vault: this.derivationFacade ?? new (await import("./read-only-facade-EX6WZZBP.js")).ReadOnlyVaultFacade(this, "derivation") };
@@ -7985,7 +8563,7 @@ var Vault = class {
           if (!outSpec) continue;
           const outputColl = this.collection(outSpec.collection);
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-YXNAEZ33.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-ZQT4Y7PF.js");
             const prior = await loadFanoutSidecar(this.adapter, this.name, spec.source, id, key);
             const prevKeys = new Set(prior?.keys ?? []);
             const newKeysList = out.entries.map((e) => e.key);
@@ -8207,7 +8785,7 @@ var Vault = class {
    * collection.
    */
   async delegate(opts) {
-    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-DP4COTXB.js");
+    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-6ABSJGXV.js");
     if (!this.keyring.kek) {
       throw new ValidationError(
         "issueDelegation: keyring.kek is null \u2014 issuing a delegation requires a tier-1 unlock. Re-authenticate at tier 1 (passphrase) first."
@@ -8229,7 +8807,7 @@ var Vault = class {
    * if the id does not exist.
    */
   async revokeDelegation(id) {
-    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-DP4COTXB.js");
+    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-6ABSJGXV.js");
     await revokeDelegation(this.adapter, this.name, id);
     void DELEGATIONS_COLLECTION;
   }
@@ -8272,7 +8850,7 @@ var Vault = class {
     if (this.activeElevation) {
       throw new AlreadyElevatedError(this.activeElevation.tier);
     }
-    if (this.keyring.role !== "owner" && this.keyring.role !== "admin") {
+    if (this.keyring.role !== "owner" && this.keyring.role !== "admin" && this.keyring.role !== "custodian") {
       const suffix = `#${tier}`;
       let found = false;
       for (const k of this.keyring.deks.keys()) {
@@ -8612,6 +9190,7 @@ var Vault = class {
       collectionCache: this.collectionCache,
       refRegistry: this.refRegistry,
       getDEK: this.getDEK,
+      keyring: this.keyring,
       subsystems: {
         guards: this.guardRegistry !== null,
         derivations: this.derivationRegistry !== null,
@@ -8698,7 +9277,7 @@ var Vault = class {
    * @see docs/subsystems/public-envelope.md
    */
   async getPublicEnvelope(opts = {}) {
-    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-5XRTUNKF.js");
+    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-IJJMWSTJ.js");
     return readPublicEnvelope2(this.adapter, this.name, opts);
   }
   /**
@@ -10005,7 +10584,18 @@ var PERSONAL_POLICY = Object.freeze({
     //   Setting `enabled: false` makes vault.user.list() return only
     //   self (privacy-strict opt-out).
     "edit-own-profile": { minTier: 3 },
-    "view-team-profiles": { minTier: 2 }
+    "view-team-profiles": { minTier: 2 },
+    // client-unilateral-withdraw: a non-owner's self-service DESTRUCTIVE
+    // withdrawal (export-and-delete/freeze, #199). Fail-closed by default —
+    // the firm opts in per jurisdiction/contract (e.g. GDPR Art. 17).
+    // Listed explicitly (not just relying on the built-in default) so it is
+    // discoverable in describeGate / policy dumps.
+    "client-unilateral-withdraw": { minTier: 1, enabled: false },
+    // Two-party withdrawal (#199 P3): filing a request is non-destructive
+    // (tier-1, enabled so a read-only client can ask); deciding it is the
+    // destructive step (tier-2 floor + owner/admin role, enforced in code).
+    "user-request-withdrawal": { minTier: 1 },
+    "approve-user-withdrawal": { minTier: 2 }
   }
 });
 var STRICT_POLICY = Object.freeze({
@@ -10104,7 +10694,24 @@ var STRICT_POLICY = Object.freeze({
       minTier: 2,
       factors: [{ anyOf: ["totp", "email-otp"] }]
     },
-    "view-team-profiles": { minTier: 2 }
+    "view-team-profiles": { minTier: 2 },
+    // STRICT: still fail-closed, but if a regulated firm flips enabled:true
+    // they inherit a two-factor proof + shared-device block for the
+    // destructive withdrawal (mirrors export-plaintext's hardening).
+    "client-unilateral-withdraw": {
+      minTier: 1,
+      enabled: false,
+      factors: [{ anyOf: ["totp", "email-otp"], count: 2 }],
+      warn: { sharedDevice: "block" }
+    },
+    // STRICT: filing stays tier-1; the destructive APPROVE demands an
+    // off-device factor + shared-device block (mirrors export-bundle).
+    "user-request-withdrawal": { minTier: 1 },
+    "approve-user-withdrawal": {
+      minTier: 2,
+      factors: [{ anyOf: ["totp", "email-otp"] }],
+      warn: { sharedDevice: "block" }
+    }
   }
 });
 function mergePolicy(base, override) {
@@ -10187,6 +10794,12 @@ var ROLE_RANK = {
   client: 1,
   viewer: 2,
   operator: 3,
+  // FR-6: custodian is operationally admin-rank (rw + access on every
+  // collection) — it ranks alongside admin for "how much can this
+  // principal see/operate." It is NOT above admin, and explicitly below
+  // owner: a custodian can never grant/revoke/rotate/sever (those are
+  // owner meta-capabilities), so it must not outrank or equal the owner.
+  custodian: 4,
   admin: 4,
   owner: 5
 };
@@ -10248,7 +10861,6 @@ var Noydb = class {
   writeRelay;
   /** Per-vault policy enforcers. */
   policyEnforcers = /* @__PURE__ */ new Map();
-  vaultTemplates = /* @__PURE__ */ new Map();
   txStrategy;
   forgetStrategy;
   sessionStrategy;
@@ -10379,7 +10991,7 @@ var Noydb = class {
       if (!facade) return;
       const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
       await registry.runChecks(e.collection, incoming, ctx);
-      const { GuardExecutor } = await import("./executor-W7VIBOBZ.js");
+      const { GuardExecutor } = await import("./executor-JKMSEB34.js");
       for (const g of guards) {
         await GuardExecutor.checkFrozenFields(g, e.docId, existing, incoming, e.computedFieldNames);
       }
@@ -10698,6 +11310,37 @@ var Noydb = class {
     const keyring = await this.getKeyringInternal(vault);
     await revoke(this.options.store, vault, keyring, options);
   }
+  /**
+   * Grant the FR-6 `custodian` role to a user (owner-only custody API).
+   *
+   * A custodian operates every collection (rw + access) but is provably
+   * unable to grant / revoke / rotate / extract-and-sever. Only the Deed
+   * owner may mint one. Defended in depth: the `grant-custodian` gate
+   * (fail-closed) AND an explicit `keyring.role !== 'owner'` check — the
+   * gate enforces host policy, the role check enforces the cryptographic
+   * owner-only invariant even if a host mis-configures the gate.
+   */
+  async grantCustodian(vault, options, factors) {
+    this.checkPolicyOperation(vault, "grant");
+    await this.checkGate(vault, "grant-custodian", factors);
+    const keyring = await this.getKeyringInternal(vault);
+    if (keyring.role !== "owner") throw new PermissionDeniedError("only the Deed owner can grant a custodian");
+    await grant(this.options.store, vault, keyring, { ...options, role: "custodian" });
+  }
+  /**
+   * Revoke a custodian (owner-only custody API).
+   *
+   * Mirrors {@link revoke} but pins the caller to the Deed owner: defended
+   * in depth by the `revoke-user` gate AND an explicit `keyring.role !==
+   * 'owner'` check, so an admin cannot unwind a custodianship.
+   */
+  async revokeCustodian(vault, options, factors) {
+    this.checkPolicyOperation(vault, "revoke");
+    await this.checkGate(vault, "revoke-user", factors);
+    const keyring = await this.getKeyringInternal(vault);
+    if (keyring.role !== "owner") throw new PermissionDeniedError("only the Deed owner can revoke a custodian");
+    await revoke(this.options.store, vault, keyring, options);
+  }
   /**
    * Mutate post-grant identity fields on an existing keyring — `role`,
    * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
@@ -10967,52 +11610,24 @@ var Noydb = class {
     return results;
   }
   /**
-   * Register a shard schema blueprint. `createShard` / `openVaultGroup`
-   * stamp shards from the named template. See the MVF design spec.
+   * @internal True once `close()` has been called. Read by
+   * `@klum-db/lobby`'s Lobby entry points (which can't see the private
+   * `closed` field).
    */
-  withVaultTemplate(name, template) {
-    this.vaultTemplates.set(name, template);
+  get isClosed() {
+    return this.closed;
   }
-  /**
-   * Open a VaultGroup — transparent routing over per-partition shard
-   * vaults, with shard discovery backed by the supplied `vault-registry`
-   * collection.
-   */
-  async openVaultGroup(name, opts) {
-    if (this.closed) throw new ValidationError("Instance is closed");
-    if (name === STATE_VAULT_NAME) throw new ReservedVaultNameError(name);
-    const template = this.vaultTemplates.get(opts.sharding.vaultTemplate);
-    if (!template) throw new VaultTemplateNotFoundError(opts.sharding.vaultTemplate);
-    const { VaultGroup } = await import("./vault-group-BB246VIM.js");
-    const { StateManagementVault } = await import("./state-vault-JR3CFGNP.js");
-    const stateVault = opts.registry ? void 0 : await StateManagementVault.open(this);
-    const registry = opts.registry ?? stateVault.registry;
-    const group = new VaultGroup(this, name, registry, opts.sharding, template, opts.migrateOnOpen ?? false);
-    if (stateVault) {
-      group._attachStateVault(stateVault);
-      await stateVault.recordManifest(opts.sharding.vaultTemplate, template);
-      try {
-        await stateVault.appendEvent({
-          type: "manifest-recorded",
-          group: name,
-          templateName: opts.sharding.vaultTemplate,
-          version: template.version
-        });
-        await stateVault.appendEvent({ type: "group-opened", group: name });
-      } catch {
-      }
-    }
-    return group;
+  /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).withVaultTemplate(...)`. */
+  withVaultTemplate() {
+    throw new FederationMovedError("withVaultTemplate");
   }
-  /**
-   * Open the reserved StateManagement control-plane vault (registry +
-   * schema-manifest + deployment-events). Lazy-loaded so the federation
-   * chunk stays out of the core graph until used.
-   */
+  /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).openVaultGroup(...)`. */
+  async openVaultGroup() {
+    throw new FederationMovedError("openVaultGroup");
+  }
+  /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).openStateManagementVault()`. */
   async openStateManagementVault() {
-    if (this.closed) throw new ValidationError("Instance is closed");
-    const { StateManagementVault } = await import("./state-vault-JR3CFGNP.js");
-    return StateManagementVault.open(this);
+    throw new FederationMovedError("openStateManagementVault");
   }
   /**
    * @internal — true when an encrypted shard vault is provisioned
@@ -12526,22 +13141,13 @@ export {
   compileSequenceFormat,
   resolveSequenceKey,
   SequenceStore,
-  validateSchemaInput,
-  validateSchemaOutput,
-  isZodSchema,
-  derivePersistedSchema,
-  persistSchemaIfNeeded,
-  isRefArray,
-  RefIntegrityError,
-  RefScopeError,
-  ref,
-  refArray,
-  RefRegistry,
-  isLinkCollectionName,
-  LinkEndpointError,
-  LinkIntegrityError,
-  QuickUnlockStore,
-  UserApi,
+  exportAccessibleData,
+  withdrawAccessibleData,
+  WithdrawalRequestError,
+  requestWithdrawal,
+  listWithdrawalRequests,
+  approveWithdrawal,
+  rejectWithdrawal,
   META_COLLECTION,
   POLICY_RECORD_ID,
   loadVaultPolicy,
@@ -12552,14 +13158,36 @@ export {
   describeAllUsersAuth,
   ComputedFieldError,
   evalComputedFields,
+  validateSchemaInput,
+  validateSchemaOutput,
   tokenize,
   Lru,
   parseBytes,
   estimateRecordBytes,
   Collection,
+  isRefArray,
+  RefIntegrityError,
+  RefScopeError,
+  ref,
+  refArray,
+  RefRegistry,
+  isLinkCollectionName,
+  LinkEndpointError,
+  LinkIntegrityError,
+  UserApi,
+  CustodyApi,
+  DEED_RECORD_ID,
+  createDeedOwner,
+  loadDeedMarker,
+  isDeedVault,
+  liberateVault,
+  isZodSchema,
+  derivePersistedSchema,
+  persistSchemaIfNeeded,
   Vault,
   ELEVATION_AUDIT_COLLECTION,
   ElevatedHandle,
+  QuickUnlockStore,
   PERSONAL_POLICY,
   STRICT_POLICY,
   mergePolicy,
@@ -12569,4 +13197,4 @@ export {
   Noydb,
   createNoydb
 };
-//# sourceMappingURL=chunk-7PH4OPBZ.js.map
+//# sourceMappingURL=chunk-QOXZM3L2.js.map