@noy-db/hub 0.2.0-pre.21 → 0.2.0-pre.24

package/dist/{types-DyOI6XZ_.d.cts → types-COQ6qJZh.d.cts}

@@ -1,10 +1,10 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-eYZzLEL1.cjs';
-import { c as OnMissingPolicy, a as I18nTextDescriptor, L as Layer, u as LiveAggregation, j as AggregateSpec, h as AggregateResult, N as MoneyDescriptor, A as AggregateStrategy } from './strategy-WtB-jXYv.cjs';
+import { c as OnMissingPolicy, a as I18nTextDescriptor, L as Layer, j as AggregateSpec, N as MoneyDescriptor, A as AggregateStrategy } from './strategy-BWmgRPA2.cjs';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.cjs';
 import { L as LedgerEntry, F as ForgetStrategy, S as SubjectRef, b as ForgetResult } from './index-BMmajblo.cjs';
-import { N as NoydbError } from './errors-Dkc_fi-S.cjs';
-import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-tZqVB9g5.cjs';
-import { I as IndexDef, O as Operator, F as FieldClause, C as CollectionIndexes } from './predicate-BmhBSPCH.cjs';
+import { N as NoydbError } from './errors-B2tUcRPg.cjs';
+import { Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-BthnP2MA.cjs';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-BmhBSPCH.cjs';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
@@ -3759,269 +3759,6 @@ declare class SyncEngine {
     private persistMeta;
 }
 
-/**
- * @category capability
- * Multi-vault partition federation (MVF) — public types for VaultGroup
- * transparent shard routing. See
- * docs/superpowers/specs/2026-06-07-mvf-vaultgroup-routing-mvp-design.md.
- */
-
-/**
- * A schema blueprint for a class of shard vaults. `configure` is
- * re-applied to every shard handle so all shards are configured
- * identically (collections, indexes, schemas). `version` is recorded
- * into each shard's registry row and drives the fan-out
- * `minVersion` guard.
- */
-interface VaultTemplate {
-    readonly version: number;
-    readonly configure: (vault: Vault) => void;
-}
-/** One row in the StateManagement `vault-registry` collection. */
-interface VaultRegistryRow {
-    readonly vaultId: string;
-    readonly partitionKey: string;
-    readonly templateName: string;
-    readonly schemaVersion: number;
-    readonly createdAt: number;
-    /** Which VaultGroup this shard belongs to (registry is shared across groups). */
-    readonly group: string;
-}
-/** How a VaultGroup maps records to shards. */
-interface ShardingConfig<T> {
-    /** Extract the partition key from a record. */
-    readonly keyOf: (record: T) => string;
-    /** Name of the template (registered via `withVaultTemplate`) shards are stamped from. */
-    readonly vaultTemplate: string;
-    /** When a write targets an unknown partition key, stamp a shard inline. Default `true`. */
-    readonly autoCreate?: boolean;
-    /**
-     * Data-residency guard (#271): the geographic region a record's shard must
-     * live in (e.g. `'eu'`). When set, `createShard` resolves the candidate
-     * backend (via `routeStore`'s vault-prefix routing) and throws
-     * `DataResidencyError` if its `capabilities.region` doesn't match — so a
-     * shard never lands on a non-compliant backend. Advisory until a region is
-     * declared on the backing store; pair with `routeStore({ vaultRoutes })`
-     * and a region-encoded partition key (e.g. `eu-acme` → `firm--eu-`).
-     */
-    readonly regionOf?: (record: T) => string;
-}
-/** Options for `Noydb.openVaultGroup`. */
-interface VaultGroupOptions<T> {
-    /**
-     * The `vault-registry` collection (source of truth for shard discovery).
-     * Optional: when omitted, the reserved StateManagement vault's registry
-     * is auto-opened and used.
-     */
-    readonly registry?: Collection<VaultRegistryRow>;
-    readonly sharding: ShardingConfig<T>;
-    /**
-     * Lazy migrate-on-open (#271 fleet migration). When `true`, opening a shard
-     * whose registry `schemaVersion` is behind the template's version runs that
-     * shard's cutover inline (via `migrateShard`) before surfacing the handle.
-     * Zero cost for shards never opened. Default `false` (use `migrateFleet`).
-     */
-    readonly migrateOnOpen?: boolean;
-}
-/** Result of `VaultGroup.migrateFleet` (#271 active batch runner). */
-interface FleetMigrationResult {
-    /** The version migrated toward (the template's current version). */
-    readonly target: number;
-    /** vaultIds successfully migrated (or already current). */
-    readonly migrated: string[];
-    /** vaultIds whose cutover failed, with the error message. */
-    readonly failed: {
-        readonly vaultId: string;
-        readonly error: string;
-    }[];
-}
-/** Options for a cross-shard fan-out read. */
-interface FanoutQueryOptions {
-    /** Skip shards whose registry `schemaVersion` is below this. */
-    readonly minVersion?: number;
-    /** Max shards queried in parallel (passed to queryAcross). Default 1. */
-    readonly concurrency?: number;
-}
-/** A shard excluded from a fan-out result, with the reason. */
-interface SkippedVault {
-    readonly vaultId: string;
-    readonly reason: 'schema-drift' | 'error' | 'no-grant';
-    readonly error?: Error;
-}
-/** The result of a cross-shard fan-out read. */
-interface FanoutResult<R> {
-    readonly results: R[];
-    readonly skippedVaults: SkippedVault[];
-}
-/** A single captured where-clause, replayed inside each shard. */
-interface WhereClause {
-    readonly field: string;
-    readonly op: Operator;
-    readonly value: unknown;
-}
-/** Options for the live/aggregate fan-out (extends the one-shot opts). */
-interface LiveQueryOptions extends FanoutQueryOptions {
-    /** Coalesce window before recompute. Default 0 (microtask). */
-    readonly debounceMs?: number;
-}
-/** A grouped aggregate output row: the grouped field + the reduced spec result. */
-type GroupedRow<F extends string, Spec extends AggregateSpec> = {
-    readonly [K in F]: unknown;
-} & AggregateResult<Spec>;
-/** Reactive cross-shard record (or grouped-row) query — array-shaped, mirrors LiveQuery<T>. */
-interface CrossVaultLiveQuery<T> extends LiveQuery<T> {
-    readonly skippedVaults: readonly SkippedVault[];
-    readonly ready: Promise<void>;
-}
-/** Reactive cross-shard scalar aggregate — mirrors LiveAggregation<R>. */
-interface CrossVaultLiveAggregation<R> extends LiveAggregation<R> {
-    readonly skippedVaults: readonly SkippedVault[];
-    readonly ready: Promise<void>;
-}
-/**
- * Context passed to a cross-vault `derive` callback (#271 Insight Vault).
- * One call per shard; identifies which shard the records came from.
- */
-interface CrossVaultDerivationContext {
-    /** The shard's vault id (e.g. `firm-clients--acme`). */
-    readonly vaultId: string;
-    /** The shard's partition key (e.g. `acme`). */
-    readonly partitionKey: string;
-    /** The shard's schema/template version, from its registry row. */
-    readonly schemaVersion: number;
-}
-/**
- * A push-model cross-vault derivation (#271, Insight Vault — Layer 4).
- *
- * For each eligible shard, `refreshInsights()` reads the shard's `source`
- * collection, runs `derive` on that shard's records, and writes the returned
- * summary row into a separate analytics ("Insight") vault — keyed by partition
- * key, one row per shard. The summary is re-encrypted under the Insight Vault's
- * own DEK; the shard's ciphertext never leaves its DEK boundary (the push model
- * that resolves the cross-vault DEK conflict). See the ZK note in the spec —
- * the Insight Vault backend sees aggregated structure across shards, a weaker
- * profile than per-shard vaults; opt-in.
- */
-interface CrossVaultDerivationSpec<R = Record<string, unknown>, S = Record<string, unknown>> {
-    /** Collection read from each shard. */
-    readonly source: string;
-    /** Destination Insight Vault + collection for the per-shard summary rows. */
-    readonly target: {
-        readonly vault: string;
-        readonly collection: string;
-    };
-    /** Per-shard reducer: that shard's source records + context → one summary row. */
-    readonly derive: (records: R[], ctx: CrossVaultDerivationContext) => S;
-}
-/** The result of `refreshInsights()`. */
-interface RefreshInsightsResult {
-    /** Number of summary rows written (one per eligible shard × registered derivation). */
-    readonly written: number;
-    /** Shards excluded (schema-drift, unprovisioned, or read error). */
-    readonly skippedVaults: SkippedVault[];
-}
-/** A serializable blueprint captured from a VaultTemplate.configure run. */
-interface CapturedBlueprint {
-    /** Sorted collection names declared by the template. */
-    readonly collections: string[];
-    /** Per-collection index defs (key order canonicalized). */
-    readonly indexes: Record<string, IndexDef[]>;
-    /** Collections that declared `persistJsonSchema: true`. */
-    readonly persistJsonSchema: string[];
-}
-/** One row in the StateManagement `schema-manifest` collection, keyed by `${templateName}:${version}`. */
-interface SchemaManifestRow {
-    readonly templateName: string;
-    readonly version: number;
-    readonly collections: string[];
-    readonly indexes: Record<string, IndexDef[]>;
-    readonly persistJsonSchema: string[];
-    /** sha256 over the canonicalized serializable blueprint. */
-    readonly fingerprint: string;
-    readonly recordedAt: number;
-}
-/** One row in the append-only StateManagement `deployment-events` collection. */
-interface DeploymentEvent {
-    readonly id: string;
-    readonly ts: number;
-    readonly type: 'shard-created' | 'manifest-recorded' | 'group-opened' | 'migration-started' | 'migration-completed' | 'migration-failed';
-    readonly group: string;
-    readonly vaultId?: string;
-    readonly templateName?: string;
-    readonly version?: number;
-    readonly actor?: string;
-    /** Free-form detail (e.g. migration error message). */
-    readonly detail?: string;
-}
-/**
- * One row in the StateManagement `migration-status` collection (#271 fleet
- * schema-migration runner), keyed by `vaultId`. Tracks each shard's progress
- * toward the template's current version so the active batch runner is
- * resumable and the staged rollout can verify a cohort before proceeding.
- */
-interface MigrationStatusRow {
-    readonly vaultId: string;
-    readonly group: string;
-    /** The shard's registry schemaVersion at the time of this status. */
-    readonly currentVersion: number;
-    /** The version the runner is moving this shard to (the template's version). */
-    readonly targetVersion: number;
-    readonly status: 'pending' | 'running' | 'done' | 'failed';
-    readonly startedAt?: number;
-    readonly finishedAt?: number;
-    /** Records migrated by the per-shard cutover (when status `done`). */
-    readonly migrated?: number;
-    readonly error?: string;
-}
-
-/**
- * @category capability
- * StateManagement Vault — federation control plane (registry +
- * schema-manifest + append-only deployment-events). See
- * docs/superpowers/specs/2026-06-08-statemanagement-vault-design.md.
- */
-
-declare class StateManagementVault {
-    #private;
-    readonly registry: Collection<VaultRegistryRow>;
-    readonly schemaManifest: Collection<SchemaManifestRow>;
-    private constructor();
-    /** Idempotently open the reserved state vault and bind the control-plane collections. */
-    static open(db: Noydb): Promise<StateManagementVault>;
-    /** Read one shard's migration status (or null). */
-    getMigrationStatus(vaultId: string): Promise<MigrationStatusRow | null>;
-    /** All migration-status rows (hydrates first). */
-    listMigrationStatus(): Promise<MigrationStatusRow[]>;
-    /** Upsert one shard's migration status (keyed by vaultId). */
-    upsertMigrationStatus(row: MigrationStatusRow): Promise<void>;
-    /** Read-only query over the append-only deployment-events log. */
-    queryEvents(): Query<DeploymentEvent>;
-    /**
-     * Append a deployment event with a fresh unique (ULID) id. This is the
-     * only write path to the events log; no update/delete is exposed.
-     * Callers should treat failures as non-fatal — this method does not
-     * swallow errors, so wrap the call site in try/catch where appropriate.
-     */
-    appendEvent(event: Omit<DeploymentEvent, 'id' | 'ts'> & {
-        ts?: number;
-    }): Promise<void>;
-    /**
-     * Ensure a manifest row exists for `(templateName, template.version)`.
-     * Safe to call repeatedly: the `fingerprint` is a deterministic hash of
-     * the template's declared shape (stable across calls), though each call
-     * refreshes `recordedAt`.
-     */
-    recordManifest(templateName: string, template: VaultTemplate): Promise<string>;
-    /**
-     * True when `template`'s current declared shape does not match the recorded
-     * manifest for `(templateName, template.version)`. Because shards carry no
-     * schema state independent of their template, this catches "a template's
-     * shape changed without bumping `version`" — not independent per-shard drift.
-     * A missing manifest is treated as drift (nothing to verify against).
-     */
-    detectDrift(templateName: string, template: VaultTemplate): Promise<boolean>;
-}
-
 /**
  * **Wrap-DEKs primitive** — a single canonical shape for the
  * pattern of "serialize a DEK set, encrypt it under a credential-derived
@@ -5553,7 +5290,46 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  * mirrors `db.grant`'s hierarchy (admin cannot promote to owner)
  * regardless of this gate's settings.
  */
- | 'update-user';
+ | 'update-user'
+/**
+ * Authorize a non-owner's self-service **destructive** withdrawal —
+ * `vault.user.unilateralWithdrawal` (#199). The actor exports their
+ * own re-keyed copy and then removes (delete-closure) or freezes the
+ * source records. Because it both egresses data AND destroys the
+ * firm's live copy, it MUST fail closed: undefined in a policy = denied.
+ * Hosts opt in explicitly (and typically pin `minTier`/factor proofs).
+ */
+ | 'client-unilateral-withdraw'
+/**
+ * Authorize FILING a two-party withdrawal request —
+ * `vault.user.requestWithdrawal` (#199 P3). Non-destructive (writes a
+ * pending request only); enabled by default so a read-only client can ask.
+ */
+ | 'user-request-withdrawal'
+/**
+ * Authorize DECIDING a two-party withdrawal request (approve/reject) —
+ * `vault.user.approveWithdrawal` / `rejectWithdrawal` (#199 P3). The approve
+ * path is destructive (extract-and-dispose under firm authority), so it
+ * defaults to a tier-2 floor; owner/admin role is enforced structurally.
+ */
+ | 'approve-user-withdrawal'
+/**
+ * Authorize minting a **custodian** — `db.grantCustodian` (FR-6). The
+ * custodian is the de-facto operational authority on a sealed-owner (Deed)
+ * vault, so granting one is an ownership-level act: this gate MUST fail
+ * closed (undefined in a policy = denied) and owner-only role is enforced
+ * structurally. Hosts opt in explicitly, typically pinning factor proofs.
+ */
+ | 'grant-custodian'
+/**
+ * Authorize the audited **Liberate** ceremony — `vault.custody.liberate`
+ * (FR-6). The custodian (holding the live DEKs) claims ownership of a
+ * sealed-owner vault under a recorded legal basis, minting a NEW owner
+ * keyring. Destructive-of-the-old-ownership and irreversible, so it MUST
+ * fail closed (undefined = denied); the caller-is-custodian check is
+ * enforced structurally in the ceremony.
+ */
+ | 'liberate-vault';
 /** Either a built-in gate name or an `app:*` custom gate. */
 type GateName = BuiltInGateName | `app:${string}`;
 /**
@@ -5596,290 +5372,6 @@ interface FactorProofBundle {
 /** Active session tier — what the engine compares against `gate.minTier`. */
 type ActiveTier = 1 | 2 | 3;
 
-/** Public options for `ShardedQuery.crossShardJoin`. */
-interface CrossShardJoinOptions {
-    /** Alias key under which the joined same-shard record attaches. */
-    readonly as: string;
-    /** Per-shard row ceiling override (default DEFAULT_JOIN_MAX_ROWS). */
-    readonly maxRows?: number;
-    /** Planner strategy override, passed through to intra-vault `.join()`. */
-    readonly strategy?: JoinStrategy;
-}
-/**
- * Minimal structural shape of a broadcast dimension source. A
- * `Collection` satisfies this natively: `list()` hydrates and returns
- * the decoded records. Kept as a one-method interface so plain test
- * sources are trivial to construct.
- */
-interface BroadcastSource {
-    list(): Promise<readonly unknown[]>;
-}
-/** Public options for `ShardedQuery.broadcastJoin`. */
-interface BroadcastJoinOptions {
-    /** Alias key under which the dimension record attaches. */
-    readonly as: string;
-    /** The shared dimension collection (an opened handle in another vault). */
-    readonly from: BroadcastSource;
-    /** Right-side key to match `field` against. Default 'id'. */
-    readonly on?: string;
-    /** Miss behavior. 'warn' (default) attaches null + one-shot warning; 'cascade' is silent. */
-    readonly mode?: 'warn' | 'cascade';
-}
-/** Internal co-partitioned leg carried on ShardedQuery. */
-interface CoPartitionedLeg {
-    readonly field: string;
-    readonly as: string;
-    readonly maxRows: number | undefined;
-    readonly strategy: JoinStrategy | undefined;
-}
-/** Internal broadcast leg carried on ShardedQuery. */
-interface BroadcastLeg {
-    readonly field: string;
-    readonly as: string;
-    readonly from: BroadcastSource;
-    readonly on: string;
-    readonly mode: 'warn' | 'cascade';
-}
-
-/** A source that can fan out records across shards. Satisfied by ShardedQuery. */
-interface FanoutRecordSource<R> {
-    fanoutRecords(options: FanoutQueryOptions): Promise<{
-        records: R[];
-        skippedVaults: SkippedVault[];
-    }>;
-}
-/** Live-binding hooks (change subscription + relevance) threaded from ShardedQuery. */
-interface LiveBinding {
-    subscribeToChanges: (handler: (e: ChangeEvent) => void) => () => void;
-    isRelevant: (e: ChangeEvent) => boolean;
-}
-/**
- * One-shot cross-vault aggregate. Concatenates all shard records and runs a
- * single central reduce, ensuring correct avg/mean values.
- */
-declare class CrossVaultAggregation<R, Spec extends AggregateSpec> {
-    private readonly src;
-    private readonly spec;
-    private readonly bind?;
-    constructor(src: FanoutRecordSource<R>, spec: Spec, bind?: LiveBinding | undefined);
-    run(options?: FanoutQueryOptions): Promise<{
-        result: AggregateResult<Spec>;
-        skippedVaults: SkippedVault[];
-    }>;
-    live(options?: LiveQueryOptions): CrossVaultLiveAggregation<AggregateResult<Spec>>;
-}
-/**
- * One-shot cross-vault grouped aggregate. Concatenates all shard records and
- * runs a single central group-and-reduce, emitting one row per bucket.
- */
-declare class CrossVaultGroupedAggregation<R, F extends string, Spec extends AggregateSpec> {
-    private readonly src;
-    private readonly field;
-    private readonly spec;
-    private readonly bind?;
-    constructor(src: FanoutRecordSource<R>, field: F, spec: Spec, bind?: LiveBinding | undefined);
-    run(options?: FanoutQueryOptions): Promise<{
-        results: GroupedRow<F, Spec>[];
-        skippedVaults: SkippedVault[];
-    }>;
-    live(options?: LiveQueryOptions): CrossVaultLiveQuery<GroupedRow<F, Spec>>;
-}
-
-/**
- * @category capability
- * Multi-vault partition federation — VaultGroup transparent shard
- * routing. Spec:
- * docs/superpowers/specs/2026-06-07-mvf-vaultgroup-routing-mvp-design.md.
- */
-
-declare class VaultGroup<T> {
-    /** @internal */ readonly db: Noydb;
-    /** @internal */ readonly name: string;
-    /** @internal */ readonly registry: Collection<VaultRegistryRow>;
-    /** @internal */ readonly sharding: ShardingConfig<T>;
-    /** @internal */ readonly template: VaultTemplate;
-    /** @internal — lazy migrate-on-open (#271). */ readonly migrateOnOpen: boolean;
-    constructor(
-    /** @internal */ db: Noydb, 
-    /** @internal */ name: string, 
-    /** @internal */ registry: Collection<VaultRegistryRow>, 
-    /** @internal */ sharding: ShardingConfig<T>, 
-    /** @internal */ template: VaultTemplate, 
-    /** @internal — lazy migrate-on-open (#271). */ migrateOnOpen?: boolean);
-    /** @internal — set when the group is managed (no explicit registry). */
-    private stateVault;
-    /** @internal */
-    _attachStateVault(sv: StateManagementVault): void;
-    /** Deterministic vault name for a partition key, namespaced by the group. */
-    shardVaultId(partitionKey: string): string;
-    /**
-     * @internal — group-qualified registry record key (avoids cross-group key
-     * collisions). Identical to the shard vault id by design — the registry row
-     * for a shard is keyed by that shard's vault id — so it delegates to
-     * `shardVaultId`, reusing its partition-key validation.
-     */
-    registryId(partitionKey: string): string;
-    /**
-     * Registry rows for THIS group (hydrates the registry collection first).
-     * The registry may be shared across groups (the auto-wired StateManagement
-     * vault holds one `vaultRegistry` for the whole instance), so rows are
-     * filtered by `group` — without this, a group's fan-out reads would leak
-     * across into other groups' shards. Mirrors the `${group}--` scoping that
-     * `liveBinding().isRelevant` already applies to the reactive path.
-     */
-    allRows(): Promise<VaultRegistryRow[]>;
-    /**
-     * Open an existing shard and apply the template. When `migrateOnOpen` is set
-     * (#271) and the shard's registry version is behind the template, its cutover
-     * runs inline first — so a behind shard never surfaces a stale handle.
-     */
-    openShard(partitionKey: string): Promise<Vault>;
-    /** @internal — open + configure with no migrate-on-open hook (used by the migration path itself to avoid recursion). */
-    private _openShardRaw;
-    /**
-     * Idempotently provision a shard for `partitionKey`. Returns the
-     * configured vault handle.
-     *
-     * - row + vault present → no-op, return handle
-     * - row present, vault gone → ShardProvisioningError
-     * - row absent (vault present or not) → open-or-create, configure, write row
-     *
-     * When `region` is given (the routing `put` passes `sharding.regionOf(record)`),
-     * the candidate backend's `capabilities.region` must match or this throws
-     * `DataResidencyError` BEFORE provisioning (#271 data-residency guard).
-     */
-    createShard(partitionKey: string, region?: string): Promise<Vault>;
-    /**
-     * Drill down to a single shard's full Collection API. Throws if the shard is unknown.
-     * Also throws ShardProvisioningError if the registry row exists but the vault has been deleted
-     * (registry/store divergence).
-     */
-    shard(partitionKey: string): Promise<Vault>;
-    /** A sharded view over one logical collection across all shards. */
-    collection<R = T>(collectionName: string): ShardedCollection<T, R>;
-    /** @internal — eligible (openable-candidate) rows + drift/divergence skips. */
-    resolveEligible(options?: {
-        minVersion?: number;
-    }): Promise<{
-        eligible: VaultRegistryRow[];
-        skipped: SkippedVault[];
-    }>;
-    /** @internal — registered push-model cross-vault derivations (#271 Insight Vault). */
-    private readonly crossVaultDerivations;
-    /**
-     * Register a push-model cross-vault derivation — the Insight Vault pattern
-     * (#271, Layer 4). Drive it with {@link refreshInsights}.
-     *
-     * For each shard, `derive(records, ctx)` runs on that shard's `source`
-     * records and its return value is written into the analytics
-     * (`target.vault` / `target.collection`) vault, keyed by partition key —
-     * one summary row per shard. The derivation runs in-process under THIS
-     * group's `Noydb` (which already holds both the shard and Insight Vault
-     * keyrings); the shard's decrypted records are reduced to a summary that is
-     * re-encrypted under the Insight Vault's own DEK, so no shard ciphertext
-     * crosses a DEK boundary.
-     *
-     * **Zero-knowledge note:** the Insight Vault backend sees aggregated
-     * structure (totals, counts, timestamps) drawn from many shards — a weaker
-     * ZK profile than the per-shard vaults. Opt-in; keep summaries to aggregate
-     * scalars (no embeddings / no raw records).
-     *
-     * v1 is explicit-refresh (no write-path push); call `refreshInsights()`
-     * after a batch of writes, or on a schedule.
-     *
-     * The `target.vault` must NOT be the group itself or one of its shards —
-     * a summary writing back into client-shard data would breach the Insight
-     * Vault's separate-DEK-boundary contract. Such a target throws a
-     * `ValidationError` at registration (#271 Insight-write isolation).
-     */
-    withCrossVaultDerivation<R = Record<string, unknown>, S = Record<string, unknown>>(spec: CrossVaultDerivationSpec<R, S>): void;
-    /**
-     * Run every registered {@link withCrossVaultDerivation}: read each eligible
-     * shard's source records, derive a per-shard summary, and write it into the
-     * Insight Vault keyed by partition key. Shards behind `minVersion`,
-     * unprovisioned, or whose read errors are reported in `skippedVaults` and
-     * are not written (a stale summary is never left behind for a failed shard).
-     */
-    refreshInsights(options?: {
-        minVersion?: number;
-        concurrency?: number;
-    }): Promise<RefreshInsightsResult>;
-    /** @internal — the control-plane vault for migration status; lazily opened. */
-    private ensureStateVault;
-    /**
-     * Migrate ONE shard to the template's current version (#271 fleet runner,
-     * per-shard step). Opens the shard (applying the template, which arms the
-     * M12 cutover), drains schema-write detection, runs `vault.runSchemaCutover()`
-     * (the per-vault drain-barrier-transform protocol), then advances the
-     * registry row's `schemaVersion` and records `migration-status`. A shard
-     * already at the template version is a no-op (`status: 'done'`, migrated 0).
-     * Never throws on a cutover failure — it records `status: 'failed'` and
-     * returns the row, so a fleet run continues past a bad shard.
-     */
-    migrateShard(partitionKey: string): Promise<MigrationStatusRow>;
-    /**
-     * Active batch runner (#271): migrate every shard behind the template version
-     * to it, in controlled batches. **Resumable + crash-safe** — shards already at
-     * the target are skipped (the registry version is the source of truth), so a
-     * re-run after a crash only picks up the unfinished + previously-failed shards.
-     *
-     * - `cohort` — restrict to these partition keys (the staged / canary rollout:
-     *   migrate a small cohort, verify the Insight Vault, then run the rest).
-     * - `batchSize` — max shards migrated concurrently per batch (back-pressure).
-     *   Default 4. Batches run sequentially; shards within a batch run in parallel.
-     */
-    migrateFleet(options?: {
-        cohort?: readonly string[];
-        batchSize?: number;
-    }): Promise<FleetMigrationResult>;
-}
-declare class ShardedCollection<T, R = T> {
-    private readonly group;
-    private readonly collectionName;
-    constructor(group: VaultGroup<T>, collectionName: string);
-    /** Route a write to the shard owning `keyOf(record)`. */
-    put(id: string, record: T): Promise<void>;
-    /** Begin a cross-shard fan-out query. */
-    query(): ShardedQuery<T, R>;
-}
-declare class ShardedQuery<T, R = T> {
-    private readonly group;
-    private readonly collectionName;
-    private readonly clauses;
-    private readonly coPartitionedLegs;
-    private readonly broadcastLegs;
-    constructor(group: VaultGroup<T>, collectionName: string, clauses: readonly WhereClause[], coPartitionedLegs?: readonly CoPartitionedLeg[], broadcastLegs?: readonly BroadcastLeg[]);
-    where(field: string, op: WhereClause['op'], value: unknown): ShardedQuery<T, R>;
-    /** Co-partitioned join: each shard joins its own same-vault right collection (resolved via ref()), then union. */
-    crossShardJoin(field: string, opts: CrossShardJoinOptions): ShardedQuery<T, R>;
-    /** Broadcast dimension join: enrich every merged row from a single shared collection. */
-    broadcastJoin(field: string, opts: BroadcastJoinOptions): ShardedQuery<T, R>;
-    /** @internal — fan out the where-filtered records across eligible shards. */
-    fanoutRecords(options?: FanoutQueryOptions): Promise<{
-        records: R[];
-        skippedVaults: SkippedVault[];
-    }>;
-    /** Fan out across eligible shards, merge, then apply any broadcast dimension legs. */
-    toArray(options?: FanoutQueryOptions): Promise<FanoutResult<R>>;
-    /** @internal — build the change-subscription + relevance binding for this query's group+collection. */
-    liveBinding(): LiveBinding;
-    /** @internal — joined queries don't support reactive/aggregate surfaces in v1. */
-    private assertNoJoinLegs;
-    /** Returns a reactive cross-shard live query — a facade over CrossVaultLive. */
-    live(options?: LiveQueryOptions): CrossVaultLiveQuery<R>;
-    /** One-shot distributed aggregate — central reduce over all shard records. */
-    aggregate<Spec extends AggregateSpec>(spec: Spec): CrossVaultAggregation<R, Spec>;
-    /** Begin a grouped cross-shard aggregate. */
-    groupBy<F extends string>(field: F): ShardedGroupedQuery<T, R, F>;
-}
-/** Grouped cross-shard query — intermediate after `.groupBy(field)`, terminates with `.aggregate(spec)`. */
-declare class ShardedGroupedQuery<T, R, F extends string> {
-    private readonly query;
-    private readonly field;
-    constructor(query: ShardedQuery<T, R>, field: F);
-    aggregate<Spec extends AggregateSpec>(spec: Spec): CrossVaultGroupedAggregation<R, F, Spec>;
-}
-
 /** The top-level NOYDB instance. */
 declare class Noydb {
     #private;
@@ -5927,7 +5419,6 @@ declare class Noydb {
     private writeRelay;
     /** Per-vault policy enforcers. */
     private readonly policyEnforcers;
-    private readonly vaultTemplates;
     private readonly txStrategy;
     private readonly forgetStrategy;
     private readonly sessionStrategy;
@@ -6009,6 +5500,25 @@ declare class Noydb {
      * fires on top — both are independent opt-ins.
      */
     revoke(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Grant the FR-6 `custodian` role to a user (owner-only custody API).
+     *
+     * A custodian operates every collection (rw + access) but is provably
+     * unable to grant / revoke / rotate / extract-and-sever. Only the Deed
+     * owner may mint one. Defended in depth: the `grant-custodian` gate
+     * (fail-closed) AND an explicit `keyring.role !== 'owner'` check — the
+     * gate enforces host policy, the role check enforces the cryptographic
+     * owner-only invariant even if a host mis-configures the gate.
+     */
+    grantCustodian(vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Revoke a custodian (owner-only custody API).
+     *
+     * Mirrors {@link revoke} but pins the caller to the Deed owner: defended
+     * in depth by the `revoke-user` gate AND an explicit `keyring.role !==
+     * 'owner'` check, so an admin cannot unwind a custodianship.
+     */
+    revokeCustodian(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Mutate post-grant identity fields on an existing keyring — `role`,
      * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
@@ -6183,22 +5693,17 @@ declare class Noydb {
      */
     queryAcross<T>(vaultIds: string[], fn: (vault: Vault) => Promise<T>, options?: QueryAcrossOptions): Promise<QueryAcrossResult<T>[]>;
     /**
-     * Register a shard schema blueprint. `createShard` / `openVaultGroup`
-     * stamp shards from the named template. See the MVF design spec.
-     */
-    withVaultTemplate(name: string, template: VaultTemplate): void;
-    /**
-     * Open a VaultGroup — transparent routing over per-partition shard
-     * vaults, with shard discovery backed by the supplied `vault-registry`
-     * collection.
+     * @internal True once `close()` has been called. Read by
+     * `@klum-db/lobby`'s Lobby entry points (which can't see the private
+     * `closed` field).
      */
-    openVaultGroup<T>(name: string, opts: VaultGroupOptions<T>): Promise<VaultGroup<T>>;
-    /**
-     * Open the reserved StateManagement control-plane vault (registry +
-     * schema-manifest + deployment-events). Lazy-loaded so the federation
-     * chunk stays out of the core graph until used.
-     */
-    openStateManagementVault(): Promise<StateManagementVault>;
+    get isClosed(): boolean;
+    /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).withVaultTemplate(...)`. */
+    withVaultTemplate(): never;
+    /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).openVaultGroup(...)`. */
+    openVaultGroup(): Promise<never>;
+    /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).openStateManagementVault()`. */
+    openStateManagementVault(): Promise<never>;
     /**
      * @internal — true when an encrypted shard vault is provisioned
      * (its keyring exists in the store).
@@ -8766,6 +8271,168 @@ interface UserVisibility {
     readonly hidden: boolean;
 }
 
+/**
+ * #199 P1 — `exportMyAccessibleData`: a non-owner user exports the scope they
+ * can decrypt as a portable, re-keyed `.noydb` bundle. Non-destructive and
+ * **always allowed** (the "data sovereignty by construction" property of
+ * sealing-at-dimension §11.11 — the firm cannot deny it) but **audited**.
+ *
+ * Reuses the existing bundle machinery: the access boundary is the caller's DEK
+ * set (operator/client → `keyring.permissions`; owner/admin/viewer → all), so a
+ * record outside the caller's keys can never enter the bundle. Re-keying to a
+ * new owner reuses `writeNoydbBundle`'s `exportPassphrase` shorthand.
+ */
+
+interface ExportAccessibleOptions {
+    /**
+     * Re-key the bundle so it is independently openable by a new owner with this
+     * passphrase (the receiving firm / the client themselves). Omit to inherit
+     * the source keyring (personal backup).
+     */
+    readonly reKey?: {
+        readonly passphrase: string;
+    };
+    /** Narrow the export to a subset of the caller's accessible collections. */
+    readonly scope?: {
+        readonly collections?: readonly string[];
+    };
+    readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none';
+}
+/**
+ * Produce a re-keyed, access-scoped `.noydb` bundle of the caller's accessible
+ * data. Appends a tamper-evident audit entry (`reason: 'user-export:<userId>'`).
+ */
+declare function exportAccessibleData(vault: Vault, opts?: ExportAccessibleOptions): Promise<Uint8Array>;
+
+/**
+ * #199 P2 — `unilateralWithdrawal`: a non-owner extracts their accessible scope
+ * AND disposes of the source copy. Destructive; gated by the default-off
+ * fail-closed built-in `client-unilateral-withdraw` policy (checked in the
+ * UserApi wrapper).
+ *
+ * Two source dispositions (see the #199 design spec §9/§9b):
+ *  - 'delete'  — delete-closure: the records leave the source vault entirely.
+ *  - 'freeze'  — the firm retains a cryptographically-frozen, read-only, write-once
+ *                snapshot (hash-pinned in the tamper-evident ledger) while the live
+ *                records are removed.
+ *
+ * Ordering guarantees no data loss: the client's re-keyed export bundle (and the
+ * freeze snapshot) are produced BEFORE anything is deleted.
+ *
+ * The `freezeAndDeleteClosure` core is shared with the two-party approval path
+ * (#199 P3, `bundle/request-withdrawal.ts`).
+ */
+
+interface FrozenSnapshotRef {
+    readonly withdrawalId: string;
+    readonly sha256: string;
+    readonly recordCount: number;
+    readonly frozenAt: string;
+}
+interface WithdrawAccessibleOptions {
+    /** Legal/contractual basis recorded in the audit (e.g. 'gdpr-art-17'). */
+    readonly legalBasis: string;
+    /** Re-key the exported bundle to a new owner passphrase. */
+    readonly reKey?: {
+        readonly passphrase: string;
+    };
+    /** Source disposition. Default 'delete'. */
+    readonly disposition?: 'delete' | 'freeze';
+    readonly scope?: {
+        readonly collections?: readonly string[];
+    };
+    /** Stable id for idempotent resume (default random). */
+    readonly withdrawalId?: string;
+}
+interface WithdrawResult {
+    readonly bundle: Uint8Array;
+    readonly snapshot?: FrozenSnapshotRef;
+}
+declare function withdrawAccessibleData(vault: Vault, opts: WithdrawAccessibleOptions): Promise<WithdrawResult>;
+
+/**
+ * #199 P3 — two-party withdrawal ceremony.
+ *
+ * The conservative counterpart to `unilateralWithdrawal` (P2): a non-owner —
+ * including a read-only `client`/`viewer` who cannot self-serve a deletion —
+ * files a durable REQUEST; an owner/admin reviews it and either APPROVES
+ * (extract-and-dispose under firm authority) or REJECTS it. Every step is
+ * audited in the tamper-evident ledger.
+ *
+ *   requester:  vault.user.requestWithdrawal({ scope, disposition?, legalBasis? })
+ *   owner:      vault.user.listWithdrawalRequests()
+ *               vault.user.approveWithdrawal(requestId, { reKey })  → { bundle, snapshot? }
+ *               vault.user.rejectWithdrawal(requestId, { reason })
+ *
+ * Requests live in the reserved `_user_withdrawal_requests` namespace. The
+ * record body is plaintext metadata (collection names + disposition + legal
+ * basis — none secret in this trust model; the owner sees the data anyway) and
+ * carries NO passphrase: the re-key passphrase is supplied by the approver at
+ * approval time and conveyed to the requester out-of-band, so no secret is
+ * stored at rest.
+ */
+
+/** Raised when a request is missing, already decided, or expired. */
+declare class WithdrawalRequestError extends NoydbError {
+    constructor(message: string);
+}
+type WithdrawalRequestStatus = 'pending' | 'approved' | 'rejected';
+interface WithdrawalRequest {
+    readonly requestId: string;
+    readonly requester: string;
+    readonly collections: readonly string[];
+    readonly disposition: 'delete' | 'freeze';
+    readonly legalBasis?: string;
+    readonly status: WithdrawalRequestStatus;
+    readonly requestedAt: string;
+    readonly expiresAt?: string;
+    readonly decidedAt?: string;
+    readonly decidedBy?: string;
+    readonly rejectReason?: string;
+    readonly snapshotSha256?: string;
+}
+interface RequestWithdrawalOptions {
+    readonly scope?: {
+        readonly collections?: readonly string[];
+    };
+    readonly disposition?: 'delete' | 'freeze';
+    readonly legalBasis?: string;
+    /** Time-to-live in ms; after this the request can no longer be approved. */
+    readonly expiresInMs?: number;
+}
+interface RequestWithdrawalResult {
+    readonly requestId: string;
+    readonly status: WithdrawalRequestStatus;
+    readonly expiresAt?: string;
+}
+/**
+ * Requester side. Files a durable request for the caller's accessible scope.
+ * Gated by `user-request-withdrawal` (checked in the UserApi wrapper).
+ */
+declare function requestWithdrawal(vault: Vault, opts?: RequestWithdrawalOptions): Promise<RequestWithdrawalResult>;
+/** Owner side. List filed requests (optionally by status). */
+declare function listWithdrawalRequests(vault: Vault, opts?: {
+    status?: WithdrawalRequestStatus;
+}): Promise<WithdrawalRequest[]>;
+interface ApproveWithdrawalOptions {
+    /** Re-key the handed-back bundle to a passphrase the requester will use. */
+    readonly reKey?: {
+        readonly passphrase: string;
+    };
+}
+/**
+ * Owner side. Extract the requester's recorded scope under firm authority,
+ * dispose of the source per the request's disposition, mark the request
+ * approved, and return the re-keyed bundle to hand back. Gated by
+ * `approve-user-withdrawal` (checked in the UserApi wrapper) + owner/admin role.
+ */
+declare function approveWithdrawal(vault: Vault, requestId: string, opts?: ApproveWithdrawalOptions): Promise<WithdrawResult>;
+interface RejectWithdrawalOptions {
+    readonly reason?: string;
+}
+/** Owner side. Decline a pending request (no data is touched). */
+declare function rejectWithdrawal(vault: Vault, requestId: string, opts?: RejectWithdrawalOptions): Promise<WithdrawalRequest>;
+
 /**
  * Public `vault.user.*` API surface.
  *
@@ -8828,7 +8495,7 @@ interface UserEnvelopePresented {
  * delegates to `Noydb.checkGate(vault, gate, presented)`. In tests, a
  * no-op stub is fine.
  */
-type UserEnvelopeCheckGate = (gate: 'edit-own-profile' | 'view-team-profiles', presented?: UserEnvelopePresented) => Promise<void>;
+type UserEnvelopeCheckGate = (gate: 'edit-own-profile' | 'view-team-profiles' | 'client-unilateral-withdraw' | 'user-request-withdrawal' | 'approve-user-withdrawal', presented?: UserEnvelopePresented) => Promise<void>;
 /**
  * Reactive handle returned by `live()`. `current` is the most recently
  * observed value; `subscribe(cb)` fires on subsequent local writes.
@@ -8858,6 +8525,24 @@ declare class UserApi {
      * Production paths always wire the Noydb-backed implementation.
      */
     private readonly checkGate?;
+    /**
+     * Noydb-backed `exportMyAccessibleData` (#199), injected by the Vault
+     * (which holds the keyring + bundle machinery). Omitted in low-level tests.
+     */
+    private readonly exportAccessible?;
+    /**
+     * Noydb-backed `unilateralWithdrawal` (#199 P2), injected by the Vault.
+     * Destructive — extract + dispose (delete | freeze). Omitted in low-level tests.
+     */
+    private readonly unilateralWithdraw?;
+    /**
+     * Noydb-backed two-party withdrawal ceremony (#199 P3), injected by the
+     * Vault. requestWithdraw = requester side; the rest = owner side.
+     */
+    private readonly requestWithdraw?;
+    private readonly listWithdrawals?;
+    private readonly approveWithdraw?;
+    private readonly rejectWithdraw?;
     /** keyringId → set of listeners. Wildcard '*' fires on every change. */
     private readonly listeners;
     constructor(adapter: NoydbStore, vaultName: string, 
@@ -8868,7 +8553,59 @@ declare class UserApi {
      * for low-level tests that exercise the storage layer directly.
      * Production paths always wire the Noydb-backed implementation.
      */
-    checkGate?: UserEnvelopeCheckGate | undefined);
+    checkGate?: UserEnvelopeCheckGate | undefined, 
+    /**
+     * Noydb-backed `exportMyAccessibleData` (#199), injected by the Vault
+     * (which holds the keyring + bundle machinery). Omitted in low-level tests.
+     */
+    exportAccessible?: ((opts: ExportAccessibleOptions) => Promise<Uint8Array>) | undefined, 
+    /**
+     * Noydb-backed `unilateralWithdrawal` (#199 P2), injected by the Vault.
+     * Destructive — extract + dispose (delete | freeze). Omitted in low-level tests.
+     */
+    unilateralWithdraw?: ((opts: WithdrawAccessibleOptions) => Promise<WithdrawResult>) | undefined, 
+    /**
+     * Noydb-backed two-party withdrawal ceremony (#199 P3), injected by the
+     * Vault. requestWithdraw = requester side; the rest = owner side.
+     */
+    requestWithdraw?: ((opts: RequestWithdrawalOptions) => Promise<RequestWithdrawalResult>) | undefined, listWithdrawals?: ((opts: {
+        status?: WithdrawalRequestStatus;
+    }) => Promise<WithdrawalRequest[]>) | undefined, approveWithdraw?: ((requestId: string, opts: ApproveWithdrawalOptions) => Promise<WithdrawResult>) | undefined, rejectWithdraw?: ((requestId: string, opts: RejectWithdrawalOptions) => Promise<WithdrawalRequest>) | undefined);
+    /**
+     * #199 P3 — file a two-party withdrawal request for the caller's accessible
+     * scope. Non-destructive (writes a pending request); an owner later approves
+     * or rejects. This is the path for read-only roles (`client`/`viewer`) that
+     * cannot self-serve a destructive `unilateralWithdrawal`. Gated by
+     * `user-request-withdrawal` (enabled by default).
+     */
+    requestWithdrawal(opts?: RequestWithdrawalOptions): Promise<RequestWithdrawalResult>;
+    /** #199 P3 — owner side: list filed withdrawal requests (optionally by status). */
+    listWithdrawalRequests(opts?: {
+        status?: WithdrawalRequestStatus;
+    }): Promise<WithdrawalRequest[]>;
+    /**
+     * #199 P3 — owner side: approve a pending request. Extracts the requester's
+     * recorded scope under firm authority, disposes of the source per the
+     * request's disposition, and returns the re-keyed bundle to hand back. Gated
+     * by `approve-user-withdrawal` (tier-2 default) + owner/admin role.
+     */
+    approveWithdrawal(requestId: string, opts?: ApproveWithdrawalOptions): Promise<WithdrawResult>;
+    /** #199 P3 — owner side: reject a pending request (no data is touched). */
+    rejectWithdrawal(requestId: string, opts?: RejectWithdrawalOptions): Promise<WithdrawalRequest>;
+    /**
+     * #199 P2 — single-party withdrawal: export the caller's accessible scope
+     * (re-keyed) and dispose of the source (`delete` or `freeze`). Gated by the
+     * fail-closed built-in `client-unilateral-withdraw` policy — undefined or
+     * disabled → throws (use `requestWithdrawal`). The firm enables it at vault
+     * creation.
+     */
+    unilateralWithdrawal(opts: WithdrawAccessibleOptions): Promise<WithdrawResult>;
+    /**
+     * #199 — export the calling user's accessible scope as a portable, re-keyed
+     * `.noydb` bundle. Non-destructive and **always allowed** (data sovereignty
+     * by construction, §11.11) but audited. Scope = the caller's DEK access set.
+     */
+    exportMyAccessibleData(opts?: ExportAccessibleOptions): Promise<Uint8Array>;
     /** Read the writer's own envelope. Returns null if never written. */
     me<T = unknown>(): Promise<UserEnvelope<T> | null>;
     /**
@@ -8983,6 +8720,135 @@ declare class UserApi {
     private fireChange;
 }
 
+/**
+ * FR-6 Task 5 — `liberateVault`: the audited claim of ownership over a
+ * sealed-owner (Deed) vault. The inverse of #199 withdrawal.
+ *
+ * A **Deed** vault's owner credential is sealed under a non-firm provider, so
+ * the firm-side **custodian** (which holds every collection DEK and operates
+ * the vault fully) can never reach `KEK_owner`. Liberation is the ONLY route
+ * by which a custodian assumes ownership, and it is deliberately a manual,
+ * audited ceremony:
+ *
+ *   1. gate `'liberate-vault'` (fail-closed)
+ *   2. caller MUST be the `custodian` (the de-facto authority holding the DEKs)
+ *   3. freeze a PRE-liberation EVIDENCE snapshot (hash-pinned in the ledger) —
+ *      but PRESERVE the live data for the new owner (see the freeze decision
+ *      below)
+ *   4. mint a NEW owner keyring re-wrapping the incumbent DEKs under the new
+ *      owner's KEK
+ *   5. lifecycle ledger `liberation-claimed:<newOwnerId>:<legalBasis>`
+ *   6. stamp the `_meta/deed` marker with `liberatedAt`
+ *
+ * ## Security: the inalienability floor
+ *
+ * Liberation **mints a new owner from the custodian's DEKs** — it does NOT
+ * unseal the original sealed owner. The old sealed-owner credential is left
+ * untouched and ORPHANED (its `_keyring/<id>` file remains, its KEK is still
+ * sealed under the non-firm provider), never impersonated. The new owner is a
+ * DISTINCT principal under a fresh KEK derived from `newOwnerPassphrase`. This
+ * preserves the inalienability floor: the act of claiming ownership is itself
+ * auditable and produces a different principal, rather than silently assuming
+ * the latent owner's identity.
+ *
+ * ## Freeze decision: snapshot-only, not freeze-and-delete
+ *
+ * `freezeAndDeleteClosure` (withdraw-accessible.ts) writes a hash-pinned
+ * snapshot and THEN delete-closures the live records — correct for a
+ * destructive #199 withdrawal, WRONG for liberation. Liberation transfers
+ * operational continuity; it must leave the live data intact for the new
+ * owner. We therefore call the snapshot-only core `freezeSnapshotOnly`
+ * (factored out of that module; the freeze-AND-delete withdrawal path is
+ * unchanged) to pin the evidence snapshot while preserving the records.
+ *
+ * @module
+ */
+
+interface LiberateOptions {
+    /** The id of the new owner principal the custodian mints by claiming ownership. */
+    readonly newOwnerId: string;
+    /** The passphrase that derives the new owner's KEK (the DEKs are re-wrapped under it). */
+    readonly newOwnerPassphrase: string;
+    /** Legal/contractual basis recorded in the audit (e.g. 'contractual-handover'). */
+    readonly legalBasis: string;
+    readonly factors?: FactorProofBundle;
+}
+interface LiberateResult {
+    /** The hash-pinned pre-liberation evidence snapshot. */
+    readonly snapshot: FrozenSnapshotRef;
+}
+/**
+ * Audited claim of ownership over a sealed-owner vault by its custodian. See
+ * the module doc for the full ceremony + security rationale.
+ */
+declare function liberateVault(vault: Vault, opts: LiberateOptions): Promise<LiberateResult>;
+
+/**
+ * Public `vault.custody.*` API surface (FR-6).
+ *
+ * The custody namespace is the vault-instance face of the FR-6 sovereign-custody
+ * model — it mirrors `vault.user.*` exactly: a thin delegation shell with NO
+ * business logic. The Vault constructs one `CustodyApi` per session, injecting
+ * closures that bind the vault name / keyring into the genuinely-core
+ * implementations (`Noydb.grantCustodian` / `Noydb.revokeCustodian` and the
+ * `liberateVault` ceremony). Each method just forwards to its injected callback.
+ *
+ * Three operations:
+ *  - `grantCustodian(opts)` — owner-only: mint a `custodian` who operates the
+ *    vault fully but can never grant / rotate / sever / extract.
+ *  - `revokeCustodian(opts)` — owner-only: remove a custodian.
+ *  - `liberate(opts)` — custodian-only: audited claim of ownership over a
+ *    sealed-owner (Deed) vault (mints a DISTINCT new owner; ledger-audited).
+ *
+ * Provisioning a Deed (`createDeedOwner`) is deliberately NOT on this class: it
+ * is a store-level operation that mints the vault's first owner, so there is no
+ * vault instance (and thus no custody namespace) yet — it stays the exported
+ * `team/deed.ts` function.
+ *
+ * @see docs/superpowers/specs/2026-06-17-fr6-deed-custodian-liberate-design.md
+ * @module
+ */
+
+/** Options for `vault.custody.grantCustodian` — a grant with the role fixed to `custodian`. */
+type GrantCustodianOptions = Omit<GrantOptions, 'role'>;
+/**
+ * Implementation behind `vault.custody`. Constructed once per Vault. Holds the
+ * injected, vault-bound implementations in closure; every method delegates with
+ * no added logic (the owner-only / custodian-only / gate checks all live in the
+ * injected implementations — `Noydb.grantCustodian` etc. and `liberateVault`).
+ */
+declare class CustodyApi {
+    /** Bound `Noydb.grantCustodian(this.name, ...)` — owner-only, gated. */
+    private readonly _grantCustodian;
+    /** Bound `Noydb.revokeCustodian(this.name, ...)` — owner-only, gated. */
+    private readonly _revokeCustodian;
+    /** Bound `liberateVault(this, ...)` — custodian-only audited ownership claim. */
+    private readonly _liberate;
+    constructor(
+    /** Bound `Noydb.grantCustodian(this.name, ...)` — owner-only, gated. */
+    _grantCustodian: (options: GrantCustodianOptions, factors?: FactorProofBundle) => Promise<void>, 
+    /** Bound `Noydb.revokeCustodian(this.name, ...)` — owner-only, gated. */
+    _revokeCustodian: (options: RevokeOptions, factors?: FactorProofBundle) => Promise<void>, 
+    /** Bound `liberateVault(this, ...)` — custodian-only audited ownership claim. */
+    _liberate: (opts: LiberateOptions) => Promise<LiberateResult>);
+    /**
+     * Owner-only: grant the FR-6 `custodian` role. The custodian operates every
+     * collection (rw + access) but is provably unable to grant / revoke / rotate /
+     * extract-and-sever. Defended in depth (gate + owner-only role check) inside
+     * the injected `Noydb.grantCustodian`.
+     */
+    grantCustodian(options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
+    /** Owner-only: revoke a custodian. */
+    revokeCustodian(options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Custodian-only: the audited claim of ownership over a sealed-owner (Deed)
+     * vault. Mints a DISTINCT new owner re-wrapping the incumbent DEKs under a
+     * fresh KEK (the latent owner is never impersonated), ledger-audited. See
+     * {@link liberateVault}.
+     */
+    liberate(opts: LiberateOptions): Promise<LiberateResult>;
+}
+
 /**
  * Persisted-schema envelope shape.
  *
@@ -9153,6 +9019,8 @@ interface VaultIntrospectState {
     readonly collectionCache: Map<string, Collection<unknown>>;
     readonly refRegistry: RefRegistry;
     readonly getDEK: (collectionName: string) => Promise<CryptoKey>;
+    /** The active unlocked keyring — role/permissions/userId for access-scoped ops. */
+    readonly keyring: UnlockedKeyring;
     readonly subsystems: Record<string, boolean>;
     readonly mvRegistry: unknown;
     readonly overlayRegistry: unknown;
@@ -9260,6 +9128,18 @@ declare class Vault {
      * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
      */
     readonly user: UserApi;
+    /**
+     * FR-6 custody API — the sovereign-custody surface, mirroring `vault.user.*`.
+     *
+     * - `grantCustodian(opts)` / `revokeCustodian(opts)` — owner-only: mint /
+     *   remove a `custodian` who operates the vault fully but can never grant /
+     *   rotate / sever / extract.
+     * - `liberate(opts)` — custodian-only: the audited claim of ownership over a
+     *   sealed-owner (Deed) vault (mints a DISTINCT new owner; ledger-audited).
+     *
+     * @see docs/superpowers/specs/2026-06-17-fr6-deed-custodian-liberate-design.md
+     */
+    readonly custody: CustodyApi;
     /**
      * Optional callback that re-derives an UnlockedKeyring from the
      * adapter using the active user's passphrase. Called by `load()`
@@ -9532,6 +9412,12 @@ declare class Vault {
          * default; non-adopting collections take the legacy path unchanged.
          */
         perRecordKeys?: boolean;
+        /**
+         * Per-record provenance tracking. When `true`, `put()` calls that
+         * supply a `source` option stamp `_source` / `_sourceTs` onto the
+         * unencrypted envelope metadata. Off by default. (FR-5, #445)
+         */
+        provenance?: boolean;
         /**
          * declarative blob retention / TTL policy per slot
          * name. Values are `{ retainDays?, evictWhen? }`. Evaluated only
@@ -11123,6 +11009,13 @@ declare class Collection<T> {
      * flag) still decrypts CEK records.
      */
     private readonly perRecordCek;
+    /**
+     * Per-record provenance opt-in (`provenance: true`). When set, `put()` calls
+     * that supply a `source` option stamp `_source`/`_sourceTs` onto the
+     * unencrypted envelope metadata. Off by default — zero cost for collections
+     * that don't need lineage tracking (FR-5, #445).
+     */
+    private readonly provenance;
     /**
      * Session-scoped `(id) → CEK` cache for this collection. Lets updates
      * reuse a record's stable CEK and lets repeated reads skip the AES-KW
@@ -11446,6 +11339,14 @@ declare class Collection<T> {
          * keyed to the collection DEK regardless.
          */
         perRecordKeys?: boolean | undefined;
+        /**
+         * Per-record provenance tracking. When `true`, `put()` calls that
+         * supply a `source` option stamp `_source` (opaque source id) and
+         * `_sourceTs` (ISO-8601 timestamp) onto the unencrypted envelope
+         * metadata. Off by default — zero cost for collections that don't
+         * need lineage tracking. (FR-5, #445)
+         */
+        provenance?: boolean | undefined;
         /**
          * declared tiers this collection supports. An
          * undefined or empty list disables the hierarchical-tier surface
@@ -11554,6 +11455,29 @@ declare class Collection<T> {
      * Throws if the collection is not in CRDT mode.
      */
     getRaw(id: string): Promise<CrdtState | null>;
+    /**
+     * Read a record's unencrypted envelope metadata (version, timestamps,
+     * provenance) without decrypting the body.
+     *
+     * Returns `null` when no envelope exists for `id` (record absent or never
+     * written). Only `_source`/`_sourceTs` fields are populated when the
+     * collection was opened with `provenance: true` AND the record was written
+     * with a `source` option — but this method works on any collection because
+     * it reads the raw envelope directly.
+     *
+     * @returns `{ version, timestamp, by?, source?, sourceTs? }` or `null`.
+     *
+     * @example
+     * const meta = await clients.getMetadata('c1')
+     * if (meta) console.log(meta.source, meta.timestamp)
+     */
+    getMetadata(id: string): Promise<{
+        readonly version: number;
+        readonly timestamp: string;
+        readonly by?: string;
+        readonly source?: string;
+        readonly sourceTs?: string;
+    } | null>;
     /**
      * Return a presence handle for this collection.
      *
@@ -11581,10 +11505,31 @@ declare class Collection<T> {
      *                `reason` is stamped onto the resulting ledger entry
      *                so audit consumers can filter via
      *                `entries.filter(e => e.reason?.startsWith('import:'))`.
+     *                `source` is an opaque source id (e.g. `'crm-sync'`, `'firm-A'`)
+     *                stamped onto the envelope as `_source`/`_sourceTs` when
+     *                the collection has `provenance: true`. Ignored otherwise
+     *                (zero cost). (FR-5, #445)
+     *                `sourceTs` is an optional ISO-8601 origin timestamp override;
+     *                when supplied together with `source` on a provenance collection,
+     *                replaces the machine-stamped `now()` so re-merges preserve the
+     *                ORIGIN refresh time across vaults. (FR-4)
      */
     put(id: string, record: T, options?: {
         readonly reason?: string;
+        readonly source?: string;
+        readonly sourceTs?: string;
     }): Promise<void>;
+    /**
+     * Validate a record against this collection's schema WITHOUT writing it.
+     * Returns the (possibly coerced) record on success; throws
+     * {@link SchemaValidationError} (direction: `'input'`) on violation.
+     * A no-op pass-through when no schema is declared.
+     *
+     * Used by FR-8 migrate-then-merge to pre-validate all staged records
+     * before `mergeDecryptedRecords` writes anything — so a failed upgrade
+     * never half-writes the receiver.
+     */
+    validateInput(record: T): Promise<T>;
     /** @internal Untracked put body — call {@link put}, not this. */
     private putInternal;
     /**
@@ -12343,6 +12288,8 @@ declare class Collection<T> {
             reason: string;
             fromTier: number;
         };
+        source?: string;
+        sourceTs?: string;
     }): Promise<void>;
     /**
      * tier-aware get. When the stored record is at a
@@ -12711,15 +12658,26 @@ declare const NOYDB_SYNC_VERSION: 1;
  * Roles control both the operations a user can perform and which DEKs
  * they receive in their keyring:
  *
- * | Role       | Collections      | Can grant/revoke | Can export |
- * |------------|-----------------|:----------------:|:----------:|
- * | `owner`    | all (rw)        | Yes (all roles)  | Yes        |
- * | `admin`    | all (rw)        | Yes (≤ admin)    | Yes        |
- * | `operator` | explicit (rw)   | No               | ACL-scoped |
- * | `viewer`   | all (ro)        | No               | Yes        |
- * | `client`   | explicit (ro)   | No               | ACL-scoped |
- */
-type Role = 'owner' | 'admin' | 'operator' | 'viewer' | 'client';
+ * | Role        | Collections      | Can grant/revoke | Can export |
+ * |-------------|-----------------|:----------------:|:----------:|
+ * | `owner`     | all (rw)        | Yes (all roles)  | Yes        |
+ * | `admin`     | all (rw)        | Yes (≤ admin)    | Yes        |
+ * | `custodian` | all (rw)        | No (see below)   | Yes        |
+ * | `operator`  | explicit (rw)   | No               | ACL-scoped |
+ * | `viewer`    | all (ro)        | No               | Yes        |
+ * | `client`    | explicit (ro)   | No               | ACL-scoped |
+ *
+ * **`custodian` (FR-6 sovereign custody).** Operationally admin-rank —
+ * rw + access on every collection, receives all collection DEKs on grant
+ * — but is *provably non-owning*: it CANNOT grant, revoke, rotate keys,
+ * destructively withdraw/sever, or extract-and-sever a partition (rotate is
+ * blocked in `rotateKeys`, sever in `withdrawAccessibleData`, and extract in
+ * `extractPartition`). Only the (sealed Deed) **owner** may
+ * mint or remove a custodian; an admin cannot. This is the inalienability
+ * floor — a custodian can run the vault day-to-day yet never escalate to
+ * the owner credential.
+ */
+type Role = 'owner' | 'admin' | 'custodian' | 'operator' | 'viewer' | 'client';
 /**
  * Read-write or read-only access on a collection.
  * Stored per-collection in the user's keyring.
@@ -12739,6 +12697,14 @@ interface EncryptedEnvelope {
     readonly _data: string;
     /** User who created this version (unencrypted metadata). */
     readonly _by?: string;
+    /**
+     * Opaque provenance source id — which party/registry wrote this version.
+     * Unencrypted; present only when the collection opts into `provenance: true`
+     * and a `source` is supplied to `put()`. Off by default (zero cost).
+     */
+    readonly _source?: string;
+    /** ISO-8601 timestamp the provenance source was recorded. Present alongside `_source`. */
+    readonly _sourceTs?: string;
     /**
      * Hierarchical access tier. Omitted → tier 0.
      *
@@ -14702,4 +14668,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type VersionRecord as $, type BlobPutOptions as A, type BlobStrategy as B, type BlobResponseOptions as C, DICT_COLLECTION_PREFIX as D, BlobSet as E, type BlobStrategyOpenArgs as F, type CompactRunOptions as G, type CompactionContext as H, type I18nStrategy as I, type CompactionResult as J, DEFAULT_CHUNK_SIZE as K, EXPORT_AUDIT_COLLECTION as L, ExportBlobsAbortedError as M, type ExportBlobsAuditEntry as N, type ExportBlobsHandle as O, PolicyEnforcer as P, type ExportBlobsOptions as Q, type ExportedBlob as R, type ScriptWarning as S, type ObjectListEntry as T, type ObjectMeta as U, type ObjectProjection as V, type ObjectUrlOptions as W, type PutObjectOptions as X, type PutUrlOptions as Y, type SlotInfo as Z, type SlotRecord as _, type DictEntry as a, type ChangeType as a$, createExportBlobsHandle as a0, memoryObjectProjection as a1, runCompaction as a2, type ConsentStrategy as a3, CONSENT_AUDIT_COLLECTION as a4, type ConsentAuditEntry as a5, type ConsentAuditFilter as a6, type ConsentContext as a7, type ConsentOp as a8, loadConsentEntries as a9, type SnapshotMeta as aA, type SnapshotMode as aB, type DerivationStrategy as aC, type DerivationContext as aD, type ArrayOutputSpec as aE, DerivationRegistry as aF, type DerivationStrategyHandle as aG, type DerivedFromMeta as aH, type OutputSpec as aI, type RecordOutputSpec as aJ, type MaterializedViewStrategy as aK, type MaterializedViewStrategyHandle as aL, type OverlayedViewStrategy as aM, Collection as aN, type OverlayFieldMergeMode as aO, type OverlayFieldMergeRule as aP, OverlayedViewRegistry as aQ, type OverlayedViewStrategyHandle as aR, type SyncStrategy as aS, type Role as aT, type UnlockedKeyring as aU, type HistoryStrategy as aV, type NoydbStore as aW, type HistoryOptions as aX, type EncryptedEnvelope as aY, type PruneOptions as aZ, type AppendInput as a_, writeConsentEntry as aa, type PeriodsStrategy as ab, type CarryForwardContext as ac, type ClosePeriodOptions as ad, type OpenPeriodOptions as ae, PERIODS_COLLECTION as af, type PeriodRecord as ag, type ReadOnlyCollection as ah, appendPeriodLedgerEntry as ai, assertTsWritable as aj, chainAnchor as ak, loadPeriods as al, validatePeriodName as am, type GuardStrategy as an, type GuardChange as ao, type GuardContext as ap, GuardRegistry as aq, type GuardStrategyHandle as ar, ReadOnlyVaultFacade as as, type ShadowStrategy as at, CollectionFrame as au, VaultFrame as av, type NoydbBundleStore as aw, type RetentionPolicy as ax, type SnapshotPolicy as ay, type SnapshotStrategy as az, type DictKeyDescriptor as b, CrossVaultAggregation as b$, CollectionInstant as b0, type DiffEntry as b1, type JsonPatch as b2, type JsonPatchOp as b3, LedgerStore as b4, type VaultEngine as b5, VaultInstant as b6, type VerifyResult as b7, applyPatch as b8, computePatch as b9, type PersistedSchemaEnvelope as bA, type UpdateDecision as bB, type DirectoryConfig as bC, type UserVisibility as bD, type AccessibleVault as bE, type AffectedDocument as bF, type ArchivePolicy as bG, type ArchiveResult as bH, type ArchiveRunOptions as bI, type ArchiveStrategy as bJ, BUNDLE_STORE_POLICY as bK, type BuiltInGateName as bL, type CacheOptions as bM, type CacheStats as bN, type CapturedBlueprint as bO, type ChangeEvent as bP, type CollectionChangeEvent as bQ, type CollectionConflictResolver as bR, type CollectionDescriptor as bS, type CollectionStats as bT, ComputedFieldError as bU, type ComputedFields as bV, type ComputedFn as bW, type Conflict as bX, type ConflictPolicy as bY, type ConflictStrategy as bZ, type CrossTierAccessEvent as b_, diff as ba, formatDiff as bb, type PublicEnvelope as bc, type SealingKeyProvider as bd, type BundleRecipient as be, type RecipientSealer as bf, type RecipientHint as bg, Vault as bh, type RecoveryEnrollmentInput as bi, type ShamirRecoveryProvider as bj, TxContext as bk, type MVQueryContext as bl, type RegisteredMV as bm, MaterializedViewRegistry as bn, type MaterializedFromMeta as bo, type MaterializedViewOutput as bp, type UnionArmJoin as bq, type UnionSource as br, type UserEnvelope as bs, type GateName as bt, type GatePolicy as bu, type VaultPolicy as bv, type ActiveTier as bw, type FactorProof as bx, type SchemaUpdateStrategy as by, type TransformFn as bz, DictionaryHandle as c, type ListUsersOptions as c$, type CrossVaultDerivationContext as c0, type CrossVaultDerivationSpec as c1, CrossVaultGroupedAggregation as c2, type GroupedRow as c3, type CrossVaultLiveAggregation as c4, type CrossVaultLiveQuery as c5, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as c6, DELEGATIONS_COLLECTION as c7, type DeepPartial as c8, type DeepPartialOrNull as c9, type FieldDescriptor as cA, type FieldSource as cB, type FleetMigrationResult as cC, type FormattedSequenceHandle as cD, type GhostRecord as cE, type GrantOptions as cF, type GuardViolation as cG, type HistoryConfig as cH, type HistoryEntry as cI, INDEXED_STORE_POLICY as cJ, type ImportCapability as cK, type InferOutput as cL, type InternalCollectionStats as cM, type IssueDelegationOptions as cN, type IssueMagicLinkGrantOptions as cO, type KeyringAuthenticator as cP, type KeyringAuthenticatorWrappingDEKs as cQ, type KeyringAuthenticatorWrappingKEK as cR, type KeyringFile as cS, LinkEndpointError as cT, LinkIntegrityError as cU, type LinkOnDelete as cV, type LinkRow as cW, type LinkSetHandle as cX, type LinkSpec as cY, type ListAccessibleVaultsOptions as cZ, type ListPageResult as c_, type DeferredNumberingConfig as ca, type DelegationToken as cb, type DeleteManyResult as cc, type DeploymentEvent as cd, type DerivationDescriptor as ce, type DirtyEntry as cf, type DryRunResult as cg, type DumpSchemaOptions as ch, ELEVATION_AUDIT_COLLECTION as ci, ElevatedHandle as cj, type EnrollAuthenticatorOptions as ck, type EnrollAuthenticatorWrappingDEKsOptions as cl, type EnrollAuthenticatorWrappingKEKOptions as cm, type EnrollRecoveryResult as cn, type ExportCapability as co, type ExportChunk as cp, type ExportFormat as cq, type ExportStreamOptions as cr, type FactorKind as cs, type FactorProofBundle as ct, type FactorRequirement as cu, type FanoutQueryOptions as cv, type FanoutResult as cw, type FenceDoc as cx, type FenceState as cy, type FieldChange as cz, type DictionaryOptions as d, type RevokeOptions as d$, type LiveQueryOptions as d0, type LiveUserEnvelope as d1, type LocaleReadOptions as d2, Lru as d3, type LruOptions as d4, type LruStats as d5, MAGIC_LINK_CONTENT_INFO_PREFIX as d6, MAGIC_LINK_GRANTS_COLLECTION as d7, MAGIC_LINK_KEK_INFO_PREFIX as d8, type MagicLinkGrantPayload as d9, PresenceHandle as dA, type PresencePeer as dB, type PublicEnvelopeField as dC, type PublicEnvelopeSchema as dD, type PublicEnvelopeText as dE, type PullMode as dF, type PullOptions as dG, type PullPolicy as dH, type PullResult as dI, type PushMode as dJ, type PushOptions as dK, type PushPolicy as dL, type PushResult as dM, type PutManyItemOptions as dN, type PutManyOptions as dO, type PutManyResult as dP, type QueryAcrossOptions as dQ, type QueryAcrossResult as dR, type QuickUnlockState as dS, QuickUnlockStore as dT, type ReAuthOperation as dU, type RecoverPassphraseInput as dV, type RecoverPassphraseResult as dW, type RecoverUserOptions as dX, type RecoveryProof as dY, type RefreshInsightsResult as dZ, type ResolvedPublicEnvelopeSchema as d_, type MagicLinkGrantRecord as da, type MaterializedViewDescriptor as db, MemoryRecipientSealer as dc, MemorySealingKeyProvider as dd, type MigrationStatusRow as de, NOYDB_BACKUP_VERSION as df, NOYDB_FORMAT_VERSION as dg, NOYDB_KEYRING_VERSION as dh, NOYDB_SYNC_VERSION as di, type NextOptions as dj, Noydb as dk, type NoydbEventMap as dl, type NoydbOptions as dm, type Assignment as dn, type OverlayViewDescriptor as dp, PUBLIC_ENVELOPE_FIELDS as dq, type PaperRecoveryDoc as dr, type PaperRecoveryEntry as ds, type PassphrasePolicy as dt, type PassphraseValidationResult as du, type Permission as dv, type Permissions as dw, type PersistedSchemaKind as dx, type PlaintextTranslatorContext as dy, type PlaintextTranslatorFn as dz, type StaticDictDescriptor as e, UserEnvelopeOversizedError as e$, type RotatePassphraseInput as e0, type RotateRecoveryOptions as e1, type RotateRecoveryResult as e2, SEALED_PASSPHRASE_RECORD_ID as e3, type SchemaDelta as e4, type SchemaIntrospection as e5, type SchemaManifestRow as e6, type SealedEnvelope as e7, type SealedPassphrase as e8, type SearchEntry as e9, type SyncPolicy as eA, SyncScheduler as eB, type SyncSchedulerStatus as eC, type SyncStatus as eD, type SyncTarget as eE, type SyncTargetRole as eF, SyncTransaction as eG, type SyncTransactionResult as eH, type TabChannel as eI, type TabCoordinationOptions as eJ, type TabLockManager as eK, type TabPresence as eL, type TabRole as eM, type TierMode as eN, type TransactionInvariant as eO, type TranslatorAuditEntry as eP, TxCollection as eQ, type TxOp as eR, TxVault as eS, USER_ENVELOPE_COLLECTION as eT, USER_ENVELOPE_MAX_BYTES as eU, type Unsubscribe as eV, type UpdateAuthenticatorOptions as eW, type UpdateContext as eX, type UpdateUserOptions as eY, UserApi as eZ, type UserEnvelopeCheckGate as e_, type SearchOptions as ea, type SearchResult as eb, type SequenceHandle as ec, type SequenceOptions as ed, SequenceStore as ee, type SessionPolicy as ef, type SetPublicEnvelopeInput as eg, type ShamirRecoveryDoc as eh, type ShamirRecoveryEntry as ei, ShardedCollection as ej, ShardedGroupedQuery as ek, ShardedQuery as el, type ShardingConfig as em, type SkippedVault as en, type SlotRewrapCeremony as eo, type SlotRewrapContext as ep, type StandardSchemaV1 as eq, type StandardSchemaV1Issue as er, type StandardSchemaV1SyncResult as es, StateManagementVault as et, type StoreAuth as eu, type StoreAuthKind as ev, type StoreCapabilities as ew, type StoreTime as ex, SyncEngine as ey, type SyncMetadata as ez, dictCollectionName as f, savePaperRecoveryEntries as f$, type UserEnvelopePresented as f0, type UserInfo as f1, type VaultBackup as f2, VaultGroup as f3, type VaultGroupOptions as f4, type VaultPolicyOnDisk as f5, type VaultRegistryRow as f6, type VaultSchemaSnapshot as f7, type VaultSnapshot as f8, type VaultTemplate as f9, isLinkCollectionName as fA, isMagicLinkGrantExpired as fB, isPublicEnvelope as fC, issueDelegation as fD, recoverPassphrase as fE, rotatePassphrase as fF, listMagicLinkGrants as fG, listUsers as fH, listUsersWithEnvelopes as fI, loadActiveDelegations as fJ, loadPaperRecoveryEntries as fK, loadSealedPassphrase as fL, loadShamirRecoveryEntries as fM, magicLinkGrantRecordId as fN, mintPaperRecoveryEntry as fO, mintShamirRecoveryEntry as fP, mintWrappedDeksBlob as fQ, parseRsaOaepTlv as fR, parseSealedEnvelope as fS, readMagicLinkGrantRecord as fT, recoverUser as fU, removeAuthenticator as fV, resolveSchema as fW, resolveSequenceKey as fX, revokeDelegation as fY, revokeMagicLinkGrant as fZ, runTransaction as f_, type WarningRules as fa, WeakPassphraseError as fb, type WeakPassphraseReason as fc, type WithArchiveOptions as fd, type WrappedDeksBlob as fe, type WriteConflict as ff, type WriteEvent as fg, type WriteHook as fh, type WriteQueue as fi, aesGcmOpen as fj, assertStrongPassphrase as fk, buildRecipientKeyringFile as fl, burnPaperRecoveryEntry as fm, compileSequenceFormat as fn, createNoydb as fo, createStore as fp, deriveMagicLinkContentKey as fq, enrollAuthenticator as fr, estimateEntropy as fs, evalComputedFields as ft, evaluateExportCapability as fu, evaluateImportCapability as fv, findAuthenticator as fw, hasExportCapability as fx, hasImportCapability as fy, hasRecoveryEnrolled as fz, dictKey as g, saveSealedPassphrase as g0, saveShamirRecoveryEntries as g1, sealRsaOaepTlv as g2, unwrapDeksFromBlob as g3, unwrapDeksFromPaperEntry as g4, unwrapDeksFromShamirEntry as g5, unwrapMagicLinkGrant as g6, validatePassphrase as g7, validatePublicEnvelopeInput as g8, validateSchemaInput as g9, validateSchemaOutput as ga, withArchive as gb, withDeferredNumbering as gc, writeMagicLinkGrant as gd, changeSecret as ge, createOwnerKeyring as gf, ensureCollectionDEK as gg, grant as gh, loadKeyring as gi, persistKeyring as gj, revoke as gk, updateAuthenticator as gl, updateKeyringIdentity as gm, type TxStrategy as gn, type AmendmentTxOptions as go, enforceScript as h, inferScripts as i, isDictCollectionName as j, isDictKeyDescriptor as k, isStaticDictDescriptor as l, type SessionStrategy as m, createEnforcer as n, BLOB_CHUNKS_COLLECTION as o, BLOB_COLLECTION as p, BLOB_EVICTION_AUDIT_COLLECTION as q, BLOB_INDEX_COLLECTION as r, staticDict as s, BLOB_SLOTS_PREFIX as t, BLOB_VERSIONS_PREFIX as u, validateSessionPolicy as v, type BlobEvictionEntry as w, type BlobFieldPolicy as x, type BlobFieldsConfig as y, type BlobObject as z };
+export { type VersionRecord as $, type BlobPutOptions as A, type BlobStrategy as B, type BlobResponseOptions as C, DICT_COLLECTION_PREFIX as D, BlobSet as E, type BlobStrategyOpenArgs as F, type CompactRunOptions as G, type CompactionContext as H, type I18nStrategy as I, type CompactionResult as J, DEFAULT_CHUNK_SIZE as K, EXPORT_AUDIT_COLLECTION as L, ExportBlobsAbortedError as M, type ExportBlobsAuditEntry as N, type ExportBlobsHandle as O, PolicyEnforcer as P, type ExportBlobsOptions as Q, type ExportedBlob as R, type ScriptWarning as S, type ObjectListEntry as T, type ObjectMeta as U, type ObjectProjection as V, type ObjectUrlOptions as W, type PutObjectOptions as X, type PutUrlOptions as Y, type SlotInfo as Z, type SlotRecord as _, type DictEntry as a, type ChangeType as a$, createExportBlobsHandle as a0, memoryObjectProjection as a1, runCompaction as a2, type ConsentStrategy as a3, CONSENT_AUDIT_COLLECTION as a4, type ConsentAuditEntry as a5, type ConsentAuditFilter as a6, type ConsentContext as a7, type ConsentOp as a8, loadConsentEntries as a9, type SnapshotMeta as aA, type SnapshotMode as aB, type DerivationStrategy as aC, type DerivationContext as aD, type ArrayOutputSpec as aE, DerivationRegistry as aF, type DerivationStrategyHandle as aG, type DerivedFromMeta as aH, type OutputSpec as aI, type RecordOutputSpec as aJ, type MaterializedViewStrategy as aK, type MaterializedViewStrategyHandle as aL, type OverlayedViewStrategy as aM, Collection as aN, type OverlayFieldMergeMode as aO, type OverlayFieldMergeRule as aP, OverlayedViewRegistry as aQ, type OverlayedViewStrategyHandle as aR, type SyncStrategy as aS, type Role as aT, type UnlockedKeyring as aU, type HistoryStrategy as aV, type NoydbStore as aW, type HistoryOptions as aX, type EncryptedEnvelope as aY, type PruneOptions as aZ, type AppendInput as a_, writeConsentEntry as aa, type PeriodsStrategy as ab, type CarryForwardContext as ac, type ClosePeriodOptions as ad, type OpenPeriodOptions as ae, PERIODS_COLLECTION as af, type PeriodRecord as ag, type ReadOnlyCollection as ah, appendPeriodLedgerEntry as ai, assertTsWritable as aj, chainAnchor as ak, loadPeriods as al, validatePeriodName as am, type GuardStrategy as an, type GuardChange as ao, type GuardContext as ap, GuardRegistry as aq, type GuardStrategyHandle as ar, ReadOnlyVaultFacade as as, type ShadowStrategy as at, CollectionFrame as au, VaultFrame as av, type NoydbBundleStore as aw, type RetentionPolicy as ax, type SnapshotPolicy as ay, type SnapshotStrategy as az, type DictKeyDescriptor as b, CustodyApi as b$, CollectionInstant as b0, type DiffEntry as b1, type JsonPatch as b2, type JsonPatchOp as b3, LedgerStore as b4, type VaultEngine as b5, VaultInstant as b6, type VerifyResult as b7, applyPatch as b8, computePatch as b9, type PersistedSchemaEnvelope as bA, type UpdateDecision as bB, type DirectoryConfig as bC, type UserVisibility as bD, type AccessibleVault as bE, type AffectedDocument as bF, type ApproveWithdrawalOptions as bG, type ArchivePolicy as bH, type ArchiveResult as bI, type ArchiveRunOptions as bJ, type ArchiveStrategy as bK, BUNDLE_STORE_POLICY as bL, type BuiltInGateName as bM, type CacheOptions as bN, type CacheStats as bO, type ChangeEvent as bP, type CollectionChangeEvent as bQ, type CollectionConflictResolver as bR, type CollectionDescriptor as bS, type CollectionStats as bT, ComputedFieldError as bU, type ComputedFields as bV, type ComputedFn as bW, type Conflict as bX, type ConflictPolicy as bY, type ConflictStrategy as bZ, type CrossTierAccessEvent as b_, diff as ba, formatDiff as bb, Vault as bc, type SealingKeyProvider as bd, type RecoveryEnrollmentInput as be, type ShamirRecoveryProvider as bf, type PublicEnvelope as bg, type BundleRecipient as bh, type RecipientSealer as bi, type RecipientHint as bj, TxContext as bk, type MVQueryContext as bl, type RegisteredMV as bm, MaterializedViewRegistry as bn, type MaterializedFromMeta as bo, type MaterializedViewOutput as bp, type UnionArmJoin as bq, type UnionSource as br, type UserEnvelope as bs, type GateName as bt, type GatePolicy as bu, type VaultPolicy as bv, type ActiveTier as bw, type FactorProof as bx, type SchemaUpdateStrategy as by, type TransformFn as bz, DictionaryHandle as c, type LruStats as c$, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as c0, DELEGATIONS_COLLECTION as c1, type DeepPartial as c2, type DeepPartialOrNull as c3, type DeferredNumberingConfig as c4, type DelegationToken as c5, type DeleteManyResult as c6, type DerivationDescriptor as c7, type DirtyEntry as c8, type DryRunResult as c9, type HistoryConfig as cA, type HistoryEntry as cB, INDEXED_STORE_POLICY as cC, type ImportCapability as cD, type InferOutput as cE, type InternalCollectionStats as cF, type IssueDelegationOptions as cG, type IssueMagicLinkGrantOptions as cH, type KeyringAuthenticator as cI, type KeyringAuthenticatorWrappingDEKs as cJ, type KeyringAuthenticatorWrappingKEK as cK, type KeyringFile as cL, type LiberateOptions as cM, type LiberateResult as cN, LinkEndpointError as cO, LinkIntegrityError as cP, type LinkOnDelete as cQ, type LinkRow as cR, type LinkSetHandle as cS, type LinkSpec as cT, type ListAccessibleVaultsOptions as cU, type ListPageResult as cV, type ListUsersOptions as cW, type LiveUserEnvelope as cX, type LocaleReadOptions as cY, Lru as cZ, type LruOptions as c_, type DumpSchemaOptions as ca, ELEVATION_AUDIT_COLLECTION as cb, ElevatedHandle as cc, type EnrollAuthenticatorOptions as cd, type EnrollAuthenticatorWrappingDEKsOptions as ce, type EnrollAuthenticatorWrappingKEKOptions as cf, type EnrollRecoveryResult as cg, type ExportAccessibleOptions as ch, type ExportCapability as ci, type ExportChunk as cj, type ExportFormat as ck, type ExportStreamOptions as cl, type FactorKind as cm, type FactorProofBundle as cn, type FactorRequirement as co, type FenceDoc as cp, type FenceState as cq, type FieldChange as cr, type FieldDescriptor as cs, type FieldSource as ct, type FormattedSequenceHandle as cu, type FrozenSnapshotRef as cv, type GhostRecord as cw, type GrantCustodianOptions as cx, type GrantOptions as cy, type GuardViolation as cz, type DictionaryOptions as d, type SchemaDelta as d$, MAGIC_LINK_CONTENT_INFO_PREFIX as d0, MAGIC_LINK_GRANTS_COLLECTION as d1, MAGIC_LINK_KEK_INFO_PREFIX as d2, type MagicLinkGrantPayload as d3, type MagicLinkGrantRecord as d4, type MaterializedViewDescriptor as d5, MemoryRecipientSealer as d6, MemorySealingKeyProvider as d7, NOYDB_BACKUP_VERSION as d8, NOYDB_FORMAT_VERSION as d9, type PullPolicy as dA, type PullResult as dB, type PushMode as dC, type PushOptions as dD, type PushPolicy as dE, type PushResult as dF, type PutManyItemOptions as dG, type PutManyOptions as dH, type PutManyResult as dI, type QueryAcrossOptions as dJ, type QueryAcrossResult as dK, type QuickUnlockState as dL, QuickUnlockStore as dM, type ReAuthOperation as dN, type RecoverPassphraseInput as dO, type RecoverPassphraseResult as dP, type RecoverUserOptions as dQ, type RecoveryProof as dR, type RejectWithdrawalOptions as dS, type RequestWithdrawalOptions as dT, type RequestWithdrawalResult as dU, type ResolvedPublicEnvelopeSchema as dV, type RevokeOptions as dW, type RotatePassphraseInput as dX, type RotateRecoveryOptions as dY, type RotateRecoveryResult as dZ, SEALED_PASSPHRASE_RECORD_ID as d_, NOYDB_KEYRING_VERSION as da, NOYDB_SYNC_VERSION as db, type NextOptions as dc, Noydb as dd, type NoydbEventMap as de, type NoydbOptions as df, type Assignment as dg, type OverlayViewDescriptor as dh, PUBLIC_ENVELOPE_FIELDS as di, type PaperRecoveryDoc as dj, type PaperRecoveryEntry as dk, type PassphrasePolicy as dl, type PassphraseValidationResult as dm, type Permission as dn, type Permissions as dp, type PersistedSchemaKind as dq, type PlaintextTranslatorContext as dr, type PlaintextTranslatorFn as ds, PresenceHandle as dt, type PresencePeer as du, type PublicEnvelopeField as dv, type PublicEnvelopeSchema as dw, type PublicEnvelopeText as dx, type PullMode as dy, type PullOptions as dz, type StaticDictDescriptor as e, type WithdrawResult as e$, type SchemaIntrospection as e0, type SealedEnvelope as e1, type SealedPassphrase as e2, type SearchEntry as e3, type SearchOptions as e4, type SearchResult as e5, type SequenceHandle as e6, type SequenceOptions as e7, SequenceStore as e8, type SessionPolicy as e9, type TabRole as eA, type TierMode as eB, type TransactionInvariant as eC, type TranslatorAuditEntry as eD, TxCollection as eE, type TxOp as eF, TxVault as eG, USER_ENVELOPE_COLLECTION as eH, USER_ENVELOPE_MAX_BYTES as eI, type Unsubscribe as eJ, type UpdateAuthenticatorOptions as eK, type UpdateContext as eL, type UpdateUserOptions as eM, UserApi as eN, type UserEnvelopeCheckGate as eO, UserEnvelopeOversizedError as eP, type UserEnvelopePresented as eQ, type UserInfo as eR, type VaultBackup as eS, type VaultPolicyOnDisk as eT, type VaultSchemaSnapshot as eU, type VaultSnapshot as eV, type WarningRules as eW, WeakPassphraseError as eX, type WeakPassphraseReason as eY, type WithArchiveOptions as eZ, type WithdrawAccessibleOptions as e_, type SetPublicEnvelopeInput as ea, type ShamirRecoveryDoc as eb, type ShamirRecoveryEntry as ec, type SlotRewrapCeremony as ed, type SlotRewrapContext as ee, type StandardSchemaV1 as ef, type StandardSchemaV1Issue as eg, type StandardSchemaV1SyncResult as eh, type StoreAuth as ei, type StoreAuthKind as ej, type StoreCapabilities as ek, type StoreTime as el, SyncEngine as em, type SyncMetadata as en, type SyncPolicy as eo, SyncScheduler as ep, type SyncSchedulerStatus as eq, type SyncStatus as er, type SyncTarget as es, type SyncTargetRole as et, SyncTransaction as eu, type SyncTransactionResult as ev, type TabChannel as ew, type TabCoordinationOptions as ex, type TabLockManager as ey, type TabPresence as ez, dictCollectionName as f, unwrapDeksFromPaperEntry as f$, type WithdrawalRequest as f0, WithdrawalRequestError as f1, type WithdrawalRequestStatus as f2, type WrappedDeksBlob as f3, type WriteConflict as f4, type WriteEvent as f5, type WriteHook as f6, type WriteQueue as f7, aesGcmOpen as f8, approveWithdrawal as f9, listUsersWithEnvelopes as fA, listWithdrawalRequests as fB, loadActiveDelegations as fC, loadPaperRecoveryEntries as fD, loadSealedPassphrase as fE, loadShamirRecoveryEntries as fF, magicLinkGrantRecordId as fG, mintPaperRecoveryEntry as fH, mintShamirRecoveryEntry as fI, mintWrappedDeksBlob as fJ, parseRsaOaepTlv as fK, parseSealedEnvelope as fL, readMagicLinkGrantRecord as fM, recoverUser as fN, rejectWithdrawal as fO, removeAuthenticator as fP, requestWithdrawal as fQ, resolveSchema as fR, resolveSequenceKey as fS, revokeDelegation as fT, revokeMagicLinkGrant as fU, runTransaction as fV, savePaperRecoveryEntries as fW, saveSealedPassphrase as fX, saveShamirRecoveryEntries as fY, sealRsaOaepTlv as fZ, unwrapDeksFromBlob as f_, assertStrongPassphrase as fa, buildRecipientKeyringFile as fb, burnPaperRecoveryEntry as fc, compileSequenceFormat as fd, createNoydb as fe, createStore as ff, deriveMagicLinkContentKey as fg, enrollAuthenticator as fh, estimateEntropy as fi, evalComputedFields as fj, evaluateExportCapability as fk, evaluateImportCapability as fl, exportAccessibleData as fm, findAuthenticator as fn, hasExportCapability as fo, hasImportCapability as fp, hasRecoveryEnrolled as fq, isLinkCollectionName as fr, isMagicLinkGrantExpired as fs, isPublicEnvelope as ft, issueDelegation as fu, recoverPassphrase as fv, rotatePassphrase as fw, liberateVault as fx, listMagicLinkGrants as fy, listUsers as fz, dictKey as g, unwrapDeksFromShamirEntry as g0, unwrapMagicLinkGrant as g1, validatePassphrase as g2, validatePublicEnvelopeInput as g3, validateSchemaInput as g4, validateSchemaOutput as g5, withArchive as g6, withDeferredNumbering as g7, withdrawAccessibleData as g8, writeMagicLinkGrant as g9, changeSecret as ga, createOwnerKeyring as gb, ensureCollectionDEK as gc, grant as gd, loadKeyring as ge, persistKeyring as gf, revoke as gg, updateAuthenticator as gh, updateKeyringIdentity as gi, type TxStrategy as gj, type AmendmentTxOptions as gk, enforceScript as h, inferScripts as i, isDictCollectionName as j, isDictKeyDescriptor as k, isStaticDictDescriptor as l, type SessionStrategy as m, createEnforcer as n, BLOB_CHUNKS_COLLECTION as o, BLOB_COLLECTION as p, BLOB_EVICTION_AUDIT_COLLECTION as q, BLOB_INDEX_COLLECTION as r, staticDict as s, BLOB_SLOTS_PREFIX as t, BLOB_VERSIONS_PREFIX as u, validateSessionPolicy as v, type BlobEvictionEntry as w, type BlobFieldPolicy as x, type BlobFieldsConfig as y, type BlobObject as z };