@noy-db/hub 0.2.0-pre.23 → 0.2.0-pre.24

package/dist/{types-Bhs2i_Ll.d.cts → types-COQ6qJZh.d.cts}

@@ -1,10 +1,10 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-eYZzLEL1.cjs';
-import { c as OnMissingPolicy, a as I18nTextDescriptor, L as Layer, u as LiveAggregation, j as AggregateSpec, h as AggregateResult, N as MoneyDescriptor, A as AggregateStrategy } from './strategy-WtB-jXYv.cjs';
+import { c as OnMissingPolicy, a as I18nTextDescriptor, L as Layer, j as AggregateSpec, N as MoneyDescriptor, A as AggregateStrategy } from './strategy-BWmgRPA2.cjs';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.cjs';
 import { L as LedgerEntry, F as ForgetStrategy, S as SubjectRef, b as ForgetResult } from './index-BMmajblo.cjs';
-import { N as NoydbError } from './errors-Dkc_fi-S.cjs';
-import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-tZqVB9g5.cjs';
-import { I as IndexDef, O as Operator, F as FieldClause, C as CollectionIndexes } from './predicate-BmhBSPCH.cjs';
+import { N as NoydbError } from './errors-B2tUcRPg.cjs';
+import { Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-BthnP2MA.cjs';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-BmhBSPCH.cjs';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
@@ -3759,269 +3759,6 @@ declare class SyncEngine {
     private persistMeta;
 }
 
-/**
- * @category capability
- * Multi-vault partition federation (MVF) — public types for VaultGroup
- * transparent shard routing. See
- * docs/superpowers/specs/2026-06-07-mvf-vaultgroup-routing-mvp-design.md.
- */
-
-/**
- * A schema blueprint for a class of shard vaults. `configure` is
- * re-applied to every shard handle so all shards are configured
- * identically (collections, indexes, schemas). `version` is recorded
- * into each shard's registry row and drives the fan-out
- * `minVersion` guard.
- */
-interface VaultTemplate {
-    readonly version: number;
-    readonly configure: (vault: Vault) => void;
-}
-/** One row in the StateManagement `vault-registry` collection. */
-interface VaultRegistryRow {
-    readonly vaultId: string;
-    readonly partitionKey: string;
-    readonly templateName: string;
-    readonly schemaVersion: number;
-    readonly createdAt: number;
-    /** Which VaultGroup this shard belongs to (registry is shared across groups). */
-    readonly group: string;
-}
-/** How a VaultGroup maps records to shards. */
-interface ShardingConfig<T> {
-    /** Extract the partition key from a record. */
-    readonly keyOf: (record: T) => string;
-    /** Name of the template (registered via `withVaultTemplate`) shards are stamped from. */
-    readonly vaultTemplate: string;
-    /** When a write targets an unknown partition key, stamp a shard inline. Default `true`. */
-    readonly autoCreate?: boolean;
-    /**
-     * Data-residency guard (#271): the geographic region a record's shard must
-     * live in (e.g. `'eu'`). When set, `createShard` resolves the candidate
-     * backend (via `routeStore`'s vault-prefix routing) and throws
-     * `DataResidencyError` if its `capabilities.region` doesn't match — so a
-     * shard never lands on a non-compliant backend. Advisory until a region is
-     * declared on the backing store; pair with `routeStore({ vaultRoutes })`
-     * and a region-encoded partition key (e.g. `eu-acme` → `firm--eu-`).
-     */
-    readonly regionOf?: (record: T) => string;
-}
-/** Options for `Noydb.openVaultGroup`. */
-interface VaultGroupOptions<T> {
-    /**
-     * The `vault-registry` collection (source of truth for shard discovery).
-     * Optional: when omitted, the reserved StateManagement vault's registry
-     * is auto-opened and used.
-     */
-    readonly registry?: Collection<VaultRegistryRow>;
-    readonly sharding: ShardingConfig<T>;
-    /**
-     * Lazy migrate-on-open (#271 fleet migration). When `true`, opening a shard
-     * whose registry `schemaVersion` is behind the template's version runs that
-     * shard's cutover inline (via `migrateShard`) before surfacing the handle.
-     * Zero cost for shards never opened. Default `false` (use `migrateFleet`).
-     */
-    readonly migrateOnOpen?: boolean;
-}
-/** Result of `VaultGroup.migrateFleet` (#271 active batch runner). */
-interface FleetMigrationResult {
-    /** The version migrated toward (the template's current version). */
-    readonly target: number;
-    /** vaultIds successfully migrated (or already current). */
-    readonly migrated: string[];
-    /** vaultIds whose cutover failed, with the error message. */
-    readonly failed: {
-        readonly vaultId: string;
-        readonly error: string;
-    }[];
-}
-/** Options for a cross-shard fan-out read. */
-interface FanoutQueryOptions {
-    /** Skip shards whose registry `schemaVersion` is below this. */
-    readonly minVersion?: number;
-    /** Max shards queried in parallel (passed to queryAcross). Default 1. */
-    readonly concurrency?: number;
-}
-/** A shard excluded from a fan-out result, with the reason. */
-interface SkippedVault {
-    readonly vaultId: string;
-    readonly reason: 'schema-drift' | 'error' | 'no-grant';
-    readonly error?: Error;
-}
-/** The result of a cross-shard fan-out read. */
-interface FanoutResult<R> {
-    readonly results: R[];
-    readonly skippedVaults: SkippedVault[];
-}
-/** A single captured where-clause, replayed inside each shard. */
-interface WhereClause {
-    readonly field: string;
-    readonly op: Operator;
-    readonly value: unknown;
-}
-/** Options for the live/aggregate fan-out (extends the one-shot opts). */
-interface LiveQueryOptions extends FanoutQueryOptions {
-    /** Coalesce window before recompute. Default 0 (microtask). */
-    readonly debounceMs?: number;
-}
-/** A grouped aggregate output row: the grouped field + the reduced spec result. */
-type GroupedRow<F extends string, Spec extends AggregateSpec> = {
-    readonly [K in F]: unknown;
-} & AggregateResult<Spec>;
-/** Reactive cross-shard record (or grouped-row) query — array-shaped, mirrors LiveQuery<T>. */
-interface CrossVaultLiveQuery<T> extends LiveQuery<T> {
-    readonly skippedVaults: readonly SkippedVault[];
-    readonly ready: Promise<void>;
-}
-/** Reactive cross-shard scalar aggregate — mirrors LiveAggregation<R>. */
-interface CrossVaultLiveAggregation<R> extends LiveAggregation<R> {
-    readonly skippedVaults: readonly SkippedVault[];
-    readonly ready: Promise<void>;
-}
-/**
- * Context passed to a cross-vault `derive` callback (#271 Insight Vault).
- * One call per shard; identifies which shard the records came from.
- */
-interface CrossVaultDerivationContext {
-    /** The shard's vault id (e.g. `firm-clients--acme`). */
-    readonly vaultId: string;
-    /** The shard's partition key (e.g. `acme`). */
-    readonly partitionKey: string;
-    /** The shard's schema/template version, from its registry row. */
-    readonly schemaVersion: number;
-}
-/**
- * A push-model cross-vault derivation (#271, Insight Vault — Layer 4).
- *
- * For each eligible shard, `refreshInsights()` reads the shard's `source`
- * collection, runs `derive` on that shard's records, and writes the returned
- * summary row into a separate analytics ("Insight") vault — keyed by partition
- * key, one row per shard. The summary is re-encrypted under the Insight Vault's
- * own DEK; the shard's ciphertext never leaves its DEK boundary (the push model
- * that resolves the cross-vault DEK conflict). See the ZK note in the spec —
- * the Insight Vault backend sees aggregated structure across shards, a weaker
- * profile than per-shard vaults; opt-in.
- */
-interface CrossVaultDerivationSpec<R = Record<string, unknown>, S = Record<string, unknown>> {
-    /** Collection read from each shard. */
-    readonly source: string;
-    /** Destination Insight Vault + collection for the per-shard summary rows. */
-    readonly target: {
-        readonly vault: string;
-        readonly collection: string;
-    };
-    /** Per-shard reducer: that shard's source records + context → one summary row. */
-    readonly derive: (records: R[], ctx: CrossVaultDerivationContext) => S;
-}
-/** The result of `refreshInsights()`. */
-interface RefreshInsightsResult {
-    /** Number of summary rows written (one per eligible shard × registered derivation). */
-    readonly written: number;
-    /** Shards excluded (schema-drift, unprovisioned, or read error). */
-    readonly skippedVaults: SkippedVault[];
-}
-/** A serializable blueprint captured from a VaultTemplate.configure run. */
-interface CapturedBlueprint {
-    /** Sorted collection names declared by the template. */
-    readonly collections: string[];
-    /** Per-collection index defs (key order canonicalized). */
-    readonly indexes: Record<string, IndexDef[]>;
-    /** Collections that declared `persistJsonSchema: true`. */
-    readonly persistJsonSchema: string[];
-}
-/** One row in the StateManagement `schema-manifest` collection, keyed by `${templateName}:${version}`. */
-interface SchemaManifestRow {
-    readonly templateName: string;
-    readonly version: number;
-    readonly collections: string[];
-    readonly indexes: Record<string, IndexDef[]>;
-    readonly persistJsonSchema: string[];
-    /** sha256 over the canonicalized serializable blueprint. */
-    readonly fingerprint: string;
-    readonly recordedAt: number;
-}
-/** One row in the append-only StateManagement `deployment-events` collection. */
-interface DeploymentEvent {
-    readonly id: string;
-    readonly ts: number;
-    readonly type: 'shard-created' | 'manifest-recorded' | 'group-opened' | 'migration-started' | 'migration-completed' | 'migration-failed';
-    readonly group: string;
-    readonly vaultId?: string;
-    readonly templateName?: string;
-    readonly version?: number;
-    readonly actor?: string;
-    /** Free-form detail (e.g. migration error message). */
-    readonly detail?: string;
-}
-/**
- * One row in the StateManagement `migration-status` collection (#271 fleet
- * schema-migration runner), keyed by `vaultId`. Tracks each shard's progress
- * toward the template's current version so the active batch runner is
- * resumable and the staged rollout can verify a cohort before proceeding.
- */
-interface MigrationStatusRow {
-    readonly vaultId: string;
-    readonly group: string;
-    /** The shard's registry schemaVersion at the time of this status. */
-    readonly currentVersion: number;
-    /** The version the runner is moving this shard to (the template's version). */
-    readonly targetVersion: number;
-    readonly status: 'pending' | 'running' | 'done' | 'failed';
-    readonly startedAt?: number;
-    readonly finishedAt?: number;
-    /** Records migrated by the per-shard cutover (when status `done`). */
-    readonly migrated?: number;
-    readonly error?: string;
-}
-
-/**
- * @category capability
- * StateManagement Vault — federation control plane (registry +
- * schema-manifest + append-only deployment-events). See
- * docs/superpowers/specs/2026-06-08-statemanagement-vault-design.md.
- */
-
-declare class StateManagementVault {
-    #private;
-    readonly registry: Collection<VaultRegistryRow>;
-    readonly schemaManifest: Collection<SchemaManifestRow>;
-    private constructor();
-    /** Idempotently open the reserved state vault and bind the control-plane collections. */
-    static open(db: Noydb): Promise<StateManagementVault>;
-    /** Read one shard's migration status (or null). */
-    getMigrationStatus(vaultId: string): Promise<MigrationStatusRow | null>;
-    /** All migration-status rows (hydrates first). */
-    listMigrationStatus(): Promise<MigrationStatusRow[]>;
-    /** Upsert one shard's migration status (keyed by vaultId). */
-    upsertMigrationStatus(row: MigrationStatusRow): Promise<void>;
-    /** Read-only query over the append-only deployment-events log. */
-    queryEvents(): Query<DeploymentEvent>;
-    /**
-     * Append a deployment event with a fresh unique (ULID) id. This is the
-     * only write path to the events log; no update/delete is exposed.
-     * Callers should treat failures as non-fatal — this method does not
-     * swallow errors, so wrap the call site in try/catch where appropriate.
-     */
-    appendEvent(event: Omit<DeploymentEvent, 'id' | 'ts'> & {
-        ts?: number;
-    }): Promise<void>;
-    /**
-     * Ensure a manifest row exists for `(templateName, template.version)`.
-     * Safe to call repeatedly: the `fingerprint` is a deterministic hash of
-     * the template's declared shape (stable across calls), though each call
-     * refreshes `recordedAt`.
-     */
-    recordManifest(templateName: string, template: VaultTemplate): Promise<string>;
-    /**
-     * True when `template`'s current declared shape does not match the recorded
-     * manifest for `(templateName, template.version)`. Because shards carry no
-     * schema state independent of their template, this catches "a template's
-     * shape changed without bumping `version`" — not independent per-shard drift.
-     * A missing manifest is treated as drift (nothing to verify against).
-     */
-    detectDrift(templateName: string, template: VaultTemplate): Promise<boolean>;
-}
-
 /**
  * **Wrap-DEKs primitive** — a single canonical shape for the
  * pattern of "serialize a DEK set, encrypt it under a credential-derived
@@ -5575,7 +5312,24 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  * path is destructive (extract-and-dispose under firm authority), so it
  * defaults to a tier-2 floor; owner/admin role is enforced structurally.
  */
- | 'approve-user-withdrawal';
+ | 'approve-user-withdrawal'
+/**
+ * Authorize minting a **custodian** — `db.grantCustodian` (FR-6). The
+ * custodian is the de-facto operational authority on a sealed-owner (Deed)
+ * vault, so granting one is an ownership-level act: this gate MUST fail
+ * closed (undefined in a policy = denied) and owner-only role is enforced
+ * structurally. Hosts opt in explicitly, typically pinning factor proofs.
+ */
+ | 'grant-custodian'
+/**
+ * Authorize the audited **Liberate** ceremony — `vault.custody.liberate`
+ * (FR-6). The custodian (holding the live DEKs) claims ownership of a
+ * sealed-owner vault under a recorded legal basis, minting a NEW owner
+ * keyring. Destructive-of-the-old-ownership and irreversible, so it MUST
+ * fail closed (undefined = denied); the caller-is-custodian check is
+ * enforced structurally in the ceremony.
+ */
+ | 'liberate-vault';
 /** Either a built-in gate name or an `app:*` custom gate. */
 type GateName = BuiltInGateName | `app:${string}`;
 /**
@@ -5618,290 +5372,6 @@ interface FactorProofBundle {
 /** Active session tier — what the engine compares against `gate.minTier`. */
 type ActiveTier = 1 | 2 | 3;
 
-/** Public options for `ShardedQuery.crossShardJoin`. */
-interface CrossShardJoinOptions {
-    /** Alias key under which the joined same-shard record attaches. */
-    readonly as: string;
-    /** Per-shard row ceiling override (default DEFAULT_JOIN_MAX_ROWS). */
-    readonly maxRows?: number;
-    /** Planner strategy override, passed through to intra-vault `.join()`. */
-    readonly strategy?: JoinStrategy;
-}
-/**
- * Minimal structural shape of a broadcast dimension source. A
- * `Collection` satisfies this natively: `list()` hydrates and returns
- * the decoded records. Kept as a one-method interface so plain test
- * sources are trivial to construct.
- */
-interface BroadcastSource {
-    list(): Promise<readonly unknown[]>;
-}
-/** Public options for `ShardedQuery.broadcastJoin`. */
-interface BroadcastJoinOptions {
-    /** Alias key under which the dimension record attaches. */
-    readonly as: string;
-    /** The shared dimension collection (an opened handle in another vault). */
-    readonly from: BroadcastSource;
-    /** Right-side key to match `field` against. Default 'id'. */
-    readonly on?: string;
-    /** Miss behavior. 'warn' (default) attaches null + one-shot warning; 'cascade' is silent. */
-    readonly mode?: 'warn' | 'cascade';
-}
-/** Internal co-partitioned leg carried on ShardedQuery. */
-interface CoPartitionedLeg {
-    readonly field: string;
-    readonly as: string;
-    readonly maxRows: number | undefined;
-    readonly strategy: JoinStrategy | undefined;
-}
-/** Internal broadcast leg carried on ShardedQuery. */
-interface BroadcastLeg {
-    readonly field: string;
-    readonly as: string;
-    readonly from: BroadcastSource;
-    readonly on: string;
-    readonly mode: 'warn' | 'cascade';
-}
-
-/** A source that can fan out records across shards. Satisfied by ShardedQuery. */
-interface FanoutRecordSource<R> {
-    fanoutRecords(options: FanoutQueryOptions): Promise<{
-        records: R[];
-        skippedVaults: SkippedVault[];
-    }>;
-}
-/** Live-binding hooks (change subscription + relevance) threaded from ShardedQuery. */
-interface LiveBinding {
-    subscribeToChanges: (handler: (e: ChangeEvent) => void) => () => void;
-    isRelevant: (e: ChangeEvent) => boolean;
-}
-/**
- * One-shot cross-vault aggregate. Concatenates all shard records and runs a
- * single central reduce, ensuring correct avg/mean values.
- */
-declare class CrossVaultAggregation<R, Spec extends AggregateSpec> {
-    private readonly src;
-    private readonly spec;
-    private readonly bind?;
-    constructor(src: FanoutRecordSource<R>, spec: Spec, bind?: LiveBinding | undefined);
-    run(options?: FanoutQueryOptions): Promise<{
-        result: AggregateResult<Spec>;
-        skippedVaults: SkippedVault[];
-    }>;
-    live(options?: LiveQueryOptions): CrossVaultLiveAggregation<AggregateResult<Spec>>;
-}
-/**
- * One-shot cross-vault grouped aggregate. Concatenates all shard records and
- * runs a single central group-and-reduce, emitting one row per bucket.
- */
-declare class CrossVaultGroupedAggregation<R, F extends string, Spec extends AggregateSpec> {
-    private readonly src;
-    private readonly field;
-    private readonly spec;
-    private readonly bind?;
-    constructor(src: FanoutRecordSource<R>, field: F, spec: Spec, bind?: LiveBinding | undefined);
-    run(options?: FanoutQueryOptions): Promise<{
-        results: GroupedRow<F, Spec>[];
-        skippedVaults: SkippedVault[];
-    }>;
-    live(options?: LiveQueryOptions): CrossVaultLiveQuery<GroupedRow<F, Spec>>;
-}
-
-/**
- * @category capability
- * Multi-vault partition federation — VaultGroup transparent shard
- * routing. Spec:
- * docs/superpowers/specs/2026-06-07-mvf-vaultgroup-routing-mvp-design.md.
- */
-
-declare class VaultGroup<T> {
-    /** @internal */ readonly db: Noydb;
-    /** @internal */ readonly name: string;
-    /** @internal */ readonly registry: Collection<VaultRegistryRow>;
-    /** @internal */ readonly sharding: ShardingConfig<T>;
-    /** @internal */ readonly template: VaultTemplate;
-    /** @internal — lazy migrate-on-open (#271). */ readonly migrateOnOpen: boolean;
-    constructor(
-    /** @internal */ db: Noydb, 
-    /** @internal */ name: string, 
-    /** @internal */ registry: Collection<VaultRegistryRow>, 
-    /** @internal */ sharding: ShardingConfig<T>, 
-    /** @internal */ template: VaultTemplate, 
-    /** @internal — lazy migrate-on-open (#271). */ migrateOnOpen?: boolean);
-    /** @internal — set when the group is managed (no explicit registry). */
-    private stateVault;
-    /** @internal */
-    _attachStateVault(sv: StateManagementVault): void;
-    /** Deterministic vault name for a partition key, namespaced by the group. */
-    shardVaultId(partitionKey: string): string;
-    /**
-     * @internal — group-qualified registry record key (avoids cross-group key
-     * collisions). Identical to the shard vault id by design — the registry row
-     * for a shard is keyed by that shard's vault id — so it delegates to
-     * `shardVaultId`, reusing its partition-key validation.
-     */
-    registryId(partitionKey: string): string;
-    /**
-     * Registry rows for THIS group (hydrates the registry collection first).
-     * The registry may be shared across groups (the auto-wired StateManagement
-     * vault holds one `vaultRegistry` for the whole instance), so rows are
-     * filtered by `group` — without this, a group's fan-out reads would leak
-     * across into other groups' shards. Mirrors the `${group}--` scoping that
-     * `liveBinding().isRelevant` already applies to the reactive path.
-     */
-    allRows(): Promise<VaultRegistryRow[]>;
-    /**
-     * Open an existing shard and apply the template. When `migrateOnOpen` is set
-     * (#271) and the shard's registry version is behind the template, its cutover
-     * runs inline first — so a behind shard never surfaces a stale handle.
-     */
-    openShard(partitionKey: string): Promise<Vault>;
-    /** @internal — open + configure with no migrate-on-open hook (used by the migration path itself to avoid recursion). */
-    private _openShardRaw;
-    /**
-     * Idempotently provision a shard for `partitionKey`. Returns the
-     * configured vault handle.
-     *
-     * - row + vault present → no-op, return handle
-     * - row present, vault gone → ShardProvisioningError
-     * - row absent (vault present or not) → open-or-create, configure, write row
-     *
-     * When `region` is given (the routing `put` passes `sharding.regionOf(record)`),
-     * the candidate backend's `capabilities.region` must match or this throws
-     * `DataResidencyError` BEFORE provisioning (#271 data-residency guard).
-     */
-    createShard(partitionKey: string, region?: string): Promise<Vault>;
-    /**
-     * Drill down to a single shard's full Collection API. Throws if the shard is unknown.
-     * Also throws ShardProvisioningError if the registry row exists but the vault has been deleted
-     * (registry/store divergence).
-     */
-    shard(partitionKey: string): Promise<Vault>;
-    /** A sharded view over one logical collection across all shards. */
-    collection<R = T>(collectionName: string): ShardedCollection<T, R>;
-    /** @internal — eligible (openable-candidate) rows + drift/divergence skips. */
-    resolveEligible(options?: {
-        minVersion?: number;
-    }): Promise<{
-        eligible: VaultRegistryRow[];
-        skipped: SkippedVault[];
-    }>;
-    /** @internal — registered push-model cross-vault derivations (#271 Insight Vault). */
-    private readonly crossVaultDerivations;
-    /**
-     * Register a push-model cross-vault derivation — the Insight Vault pattern
-     * (#271, Layer 4). Drive it with {@link refreshInsights}.
-     *
-     * For each shard, `derive(records, ctx)` runs on that shard's `source`
-     * records and its return value is written into the analytics
-     * (`target.vault` / `target.collection`) vault, keyed by partition key —
-     * one summary row per shard. The derivation runs in-process under THIS
-     * group's `Noydb` (which already holds both the shard and Insight Vault
-     * keyrings); the shard's decrypted records are reduced to a summary that is
-     * re-encrypted under the Insight Vault's own DEK, so no shard ciphertext
-     * crosses a DEK boundary.
-     *
-     * **Zero-knowledge note:** the Insight Vault backend sees aggregated
-     * structure (totals, counts, timestamps) drawn from many shards — a weaker
-     * ZK profile than the per-shard vaults. Opt-in; keep summaries to aggregate
-     * scalars (no embeddings / no raw records).
-     *
-     * v1 is explicit-refresh (no write-path push); call `refreshInsights()`
-     * after a batch of writes, or on a schedule.
-     *
-     * The `target.vault` must NOT be the group itself or one of its shards —
-     * a summary writing back into client-shard data would breach the Insight
-     * Vault's separate-DEK-boundary contract. Such a target throws a
-     * `ValidationError` at registration (#271 Insight-write isolation).
-     */
-    withCrossVaultDerivation<R = Record<string, unknown>, S = Record<string, unknown>>(spec: CrossVaultDerivationSpec<R, S>): void;
-    /**
-     * Run every registered {@link withCrossVaultDerivation}: read each eligible
-     * shard's source records, derive a per-shard summary, and write it into the
-     * Insight Vault keyed by partition key. Shards behind `minVersion`,
-     * unprovisioned, or whose read errors are reported in `skippedVaults` and
-     * are not written (a stale summary is never left behind for a failed shard).
-     */
-    refreshInsights(options?: {
-        minVersion?: number;
-        concurrency?: number;
-    }): Promise<RefreshInsightsResult>;
-    /** @internal — the control-plane vault for migration status; lazily opened. */
-    private ensureStateVault;
-    /**
-     * Migrate ONE shard to the template's current version (#271 fleet runner,
-     * per-shard step). Opens the shard (applying the template, which arms the
-     * M12 cutover), drains schema-write detection, runs `vault.runSchemaCutover()`
-     * (the per-vault drain-barrier-transform protocol), then advances the
-     * registry row's `schemaVersion` and records `migration-status`. A shard
-     * already at the template version is a no-op (`status: 'done'`, migrated 0).
-     * Never throws on a cutover failure — it records `status: 'failed'` and
-     * returns the row, so a fleet run continues past a bad shard.
-     */
-    migrateShard(partitionKey: string): Promise<MigrationStatusRow>;
-    /**
-     * Active batch runner (#271): migrate every shard behind the template version
-     * to it, in controlled batches. **Resumable + crash-safe** — shards already at
-     * the target are skipped (the registry version is the source of truth), so a
-     * re-run after a crash only picks up the unfinished + previously-failed shards.
-     *
-     * - `cohort` — restrict to these partition keys (the staged / canary rollout:
-     *   migrate a small cohort, verify the Insight Vault, then run the rest).
-     * - `batchSize` — max shards migrated concurrently per batch (back-pressure).
-     *   Default 4. Batches run sequentially; shards within a batch run in parallel.
-     */
-    migrateFleet(options?: {
-        cohort?: readonly string[];
-        batchSize?: number;
-    }): Promise<FleetMigrationResult>;
-}
-declare class ShardedCollection<T, R = T> {
-    private readonly group;
-    private readonly collectionName;
-    constructor(group: VaultGroup<T>, collectionName: string);
-    /** Route a write to the shard owning `keyOf(record)`. */
-    put(id: string, record: T): Promise<void>;
-    /** Begin a cross-shard fan-out query. */
-    query(): ShardedQuery<T, R>;
-}
-declare class ShardedQuery<T, R = T> {
-    private readonly group;
-    private readonly collectionName;
-    private readonly clauses;
-    private readonly coPartitionedLegs;
-    private readonly broadcastLegs;
-    constructor(group: VaultGroup<T>, collectionName: string, clauses: readonly WhereClause[], coPartitionedLegs?: readonly CoPartitionedLeg[], broadcastLegs?: readonly BroadcastLeg[]);
-    where(field: string, op: WhereClause['op'], value: unknown): ShardedQuery<T, R>;
-    /** Co-partitioned join: each shard joins its own same-vault right collection (resolved via ref()), then union. */
-    crossShardJoin(field: string, opts: CrossShardJoinOptions): ShardedQuery<T, R>;
-    /** Broadcast dimension join: enrich every merged row from a single shared collection. */
-    broadcastJoin(field: string, opts: BroadcastJoinOptions): ShardedQuery<T, R>;
-    /** @internal — fan out the where-filtered records across eligible shards. */
-    fanoutRecords(options?: FanoutQueryOptions): Promise<{
-        records: R[];
-        skippedVaults: SkippedVault[];
-    }>;
-    /** Fan out across eligible shards, merge, then apply any broadcast dimension legs. */
-    toArray(options?: FanoutQueryOptions): Promise<FanoutResult<R>>;
-    /** @internal — build the change-subscription + relevance binding for this query's group+collection. */
-    liveBinding(): LiveBinding;
-    /** @internal — joined queries don't support reactive/aggregate surfaces in v1. */
-    private assertNoJoinLegs;
-    /** Returns a reactive cross-shard live query — a facade over CrossVaultLive. */
-    live(options?: LiveQueryOptions): CrossVaultLiveQuery<R>;
-    /** One-shot distributed aggregate — central reduce over all shard records. */
-    aggregate<Spec extends AggregateSpec>(spec: Spec): CrossVaultAggregation<R, Spec>;
-    /** Begin a grouped cross-shard aggregate. */
-    groupBy<F extends string>(field: F): ShardedGroupedQuery<T, R, F>;
-}
-/** Grouped cross-shard query — intermediate after `.groupBy(field)`, terminates with `.aggregate(spec)`. */
-declare class ShardedGroupedQuery<T, R, F extends string> {
-    private readonly query;
-    private readonly field;
-    constructor(query: ShardedQuery<T, R>, field: F);
-    aggregate<Spec extends AggregateSpec>(spec: Spec): CrossVaultGroupedAggregation<R, F, Spec>;
-}
-
 /** The top-level NOYDB instance. */
 declare class Noydb {
     #private;
@@ -5949,7 +5419,6 @@ declare class Noydb {
     private writeRelay;
     /** Per-vault policy enforcers. */
     private readonly policyEnforcers;
-    private readonly vaultTemplates;
     private readonly txStrategy;
     private readonly forgetStrategy;
     private readonly sessionStrategy;
@@ -6031,6 +5500,25 @@ declare class Noydb {
      * fires on top — both are independent opt-ins.
      */
     revoke(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Grant the FR-6 `custodian` role to a user (owner-only custody API).
+     *
+     * A custodian operates every collection (rw + access) but is provably
+     * unable to grant / revoke / rotate / extract-and-sever. Only the Deed
+     * owner may mint one. Defended in depth: the `grant-custodian` gate
+     * (fail-closed) AND an explicit `keyring.role !== 'owner'` check — the
+     * gate enforces host policy, the role check enforces the cryptographic
+     * owner-only invariant even if a host mis-configures the gate.
+     */
+    grantCustodian(vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Revoke a custodian (owner-only custody API).
+     *
+     * Mirrors {@link revoke} but pins the caller to the Deed owner: defended
+     * in depth by the `revoke-user` gate AND an explicit `keyring.role !==
+     * 'owner'` check, so an admin cannot unwind a custodianship.
+     */
+    revokeCustodian(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Mutate post-grant identity fields on an existing keyring — `role`,
      * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
@@ -6205,22 +5693,17 @@ declare class Noydb {
      */
     queryAcross<T>(vaultIds: string[], fn: (vault: Vault) => Promise<T>, options?: QueryAcrossOptions): Promise<QueryAcrossResult<T>[]>;
     /**
-     * Register a shard schema blueprint. `createShard` / `openVaultGroup`
-     * stamp shards from the named template. See the MVF design spec.
+     * @internal True once `close()` has been called. Read by
+     * `@klum-db/lobby`'s Lobby entry points (which can't see the private
+     * `closed` field).
      */
-    withVaultTemplate(name: string, template: VaultTemplate): void;
-    /**
-     * Open a VaultGroup — transparent routing over per-partition shard
-     * vaults, with shard discovery backed by the supplied `vault-registry`
-     * collection.
-     */
-    openVaultGroup<T>(name: string, opts: VaultGroupOptions<T>): Promise<VaultGroup<T>>;
-    /**
-     * Open the reserved StateManagement control-plane vault (registry +
-     * schema-manifest + deployment-events). Lazy-loaded so the federation
-     * chunk stays out of the core graph until used.
-     */
-    openStateManagementVault(): Promise<StateManagementVault>;
+    get isClosed(): boolean;
+    /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).withVaultTemplate(...)`. */
+    withVaultTemplate(): never;
+    /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).openVaultGroup(...)`. */
+    openVaultGroup(): Promise<never>;
+    /** @deprecated Federation moved to @klum-db/lobby. Use `createLobby(db).openStateManagementVault()`. */
+    openStateManagementVault(): Promise<never>;
     /**
      * @internal — true when an encrypted shard vault is provisioned
      * (its keyring exists in the store).
@@ -9237,6 +8720,135 @@ declare class UserApi {
     private fireChange;
 }
 
+/**
+ * FR-6 Task 5 — `liberateVault`: the audited claim of ownership over a
+ * sealed-owner (Deed) vault. The inverse of #199 withdrawal.
+ *
+ * A **Deed** vault's owner credential is sealed under a non-firm provider, so
+ * the firm-side **custodian** (which holds every collection DEK and operates
+ * the vault fully) can never reach `KEK_owner`. Liberation is the ONLY route
+ * by which a custodian assumes ownership, and it is deliberately a manual,
+ * audited ceremony:
+ *
+ *   1. gate `'liberate-vault'` (fail-closed)
+ *   2. caller MUST be the `custodian` (the de-facto authority holding the DEKs)
+ *   3. freeze a PRE-liberation EVIDENCE snapshot (hash-pinned in the ledger) —
+ *      but PRESERVE the live data for the new owner (see the freeze decision
+ *      below)
+ *   4. mint a NEW owner keyring re-wrapping the incumbent DEKs under the new
+ *      owner's KEK
+ *   5. lifecycle ledger `liberation-claimed:<newOwnerId>:<legalBasis>`
+ *   6. stamp the `_meta/deed` marker with `liberatedAt`
+ *
+ * ## Security: the inalienability floor
+ *
+ * Liberation **mints a new owner from the custodian's DEKs** — it does NOT
+ * unseal the original sealed owner. The old sealed-owner credential is left
+ * untouched and ORPHANED (its `_keyring/<id>` file remains, its KEK is still
+ * sealed under the non-firm provider), never impersonated. The new owner is a
+ * DISTINCT principal under a fresh KEK derived from `newOwnerPassphrase`. This
+ * preserves the inalienability floor: the act of claiming ownership is itself
+ * auditable and produces a different principal, rather than silently assuming
+ * the latent owner's identity.
+ *
+ * ## Freeze decision: snapshot-only, not freeze-and-delete
+ *
+ * `freezeAndDeleteClosure` (withdraw-accessible.ts) writes a hash-pinned
+ * snapshot and THEN delete-closures the live records — correct for a
+ * destructive #199 withdrawal, WRONG for liberation. Liberation transfers
+ * operational continuity; it must leave the live data intact for the new
+ * owner. We therefore call the snapshot-only core `freezeSnapshotOnly`
+ * (factored out of that module; the freeze-AND-delete withdrawal path is
+ * unchanged) to pin the evidence snapshot while preserving the records.
+ *
+ * @module
+ */
+
+interface LiberateOptions {
+    /** The id of the new owner principal the custodian mints by claiming ownership. */
+    readonly newOwnerId: string;
+    /** The passphrase that derives the new owner's KEK (the DEKs are re-wrapped under it). */
+    readonly newOwnerPassphrase: string;
+    /** Legal/contractual basis recorded in the audit (e.g. 'contractual-handover'). */
+    readonly legalBasis: string;
+    readonly factors?: FactorProofBundle;
+}
+interface LiberateResult {
+    /** The hash-pinned pre-liberation evidence snapshot. */
+    readonly snapshot: FrozenSnapshotRef;
+}
+/**
+ * Audited claim of ownership over a sealed-owner vault by its custodian. See
+ * the module doc for the full ceremony + security rationale.
+ */
+declare function liberateVault(vault: Vault, opts: LiberateOptions): Promise<LiberateResult>;
+
+/**
+ * Public `vault.custody.*` API surface (FR-6).
+ *
+ * The custody namespace is the vault-instance face of the FR-6 sovereign-custody
+ * model — it mirrors `vault.user.*` exactly: a thin delegation shell with NO
+ * business logic. The Vault constructs one `CustodyApi` per session, injecting
+ * closures that bind the vault name / keyring into the genuinely-core
+ * implementations (`Noydb.grantCustodian` / `Noydb.revokeCustodian` and the
+ * `liberateVault` ceremony). Each method just forwards to its injected callback.
+ *
+ * Three operations:
+ *  - `grantCustodian(opts)` — owner-only: mint a `custodian` who operates the
+ *    vault fully but can never grant / rotate / sever / extract.
+ *  - `revokeCustodian(opts)` — owner-only: remove a custodian.
+ *  - `liberate(opts)` — custodian-only: audited claim of ownership over a
+ *    sealed-owner (Deed) vault (mints a DISTINCT new owner; ledger-audited).
+ *
+ * Provisioning a Deed (`createDeedOwner`) is deliberately NOT on this class: it
+ * is a store-level operation that mints the vault's first owner, so there is no
+ * vault instance (and thus no custody namespace) yet — it stays the exported
+ * `team/deed.ts` function.
+ *
+ * @see docs/superpowers/specs/2026-06-17-fr6-deed-custodian-liberate-design.md
+ * @module
+ */
+
+/** Options for `vault.custody.grantCustodian` — a grant with the role fixed to `custodian`. */
+type GrantCustodianOptions = Omit<GrantOptions, 'role'>;
+/**
+ * Implementation behind `vault.custody`. Constructed once per Vault. Holds the
+ * injected, vault-bound implementations in closure; every method delegates with
+ * no added logic (the owner-only / custodian-only / gate checks all live in the
+ * injected implementations — `Noydb.grantCustodian` etc. and `liberateVault`).
+ */
+declare class CustodyApi {
+    /** Bound `Noydb.grantCustodian(this.name, ...)` — owner-only, gated. */
+    private readonly _grantCustodian;
+    /** Bound `Noydb.revokeCustodian(this.name, ...)` — owner-only, gated. */
+    private readonly _revokeCustodian;
+    /** Bound `liberateVault(this, ...)` — custodian-only audited ownership claim. */
+    private readonly _liberate;
+    constructor(
+    /** Bound `Noydb.grantCustodian(this.name, ...)` — owner-only, gated. */
+    _grantCustodian: (options: GrantCustodianOptions, factors?: FactorProofBundle) => Promise<void>, 
+    /** Bound `Noydb.revokeCustodian(this.name, ...)` — owner-only, gated. */
+    _revokeCustodian: (options: RevokeOptions, factors?: FactorProofBundle) => Promise<void>, 
+    /** Bound `liberateVault(this, ...)` — custodian-only audited ownership claim. */
+    _liberate: (opts: LiberateOptions) => Promise<LiberateResult>);
+    /**
+     * Owner-only: grant the FR-6 `custodian` role. The custodian operates every
+     * collection (rw + access) but is provably unable to grant / revoke / rotate /
+     * extract-and-sever. Defended in depth (gate + owner-only role check) inside
+     * the injected `Noydb.grantCustodian`.
+     */
+    grantCustodian(options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
+    /** Owner-only: revoke a custodian. */
+    revokeCustodian(options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Custodian-only: the audited claim of ownership over a sealed-owner (Deed)
+     * vault. Mints a DISTINCT new owner re-wrapping the incumbent DEKs under a
+     * fresh KEK (the latent owner is never impersonated), ledger-audited. See
+     * {@link liberateVault}.
+     */
+    liberate(opts: LiberateOptions): Promise<LiberateResult>;
+}
+
 /**
  * Persisted-schema envelope shape.
  *
@@ -9516,6 +9128,18 @@ declare class Vault {
      * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
      */
     readonly user: UserApi;
+    /**
+     * FR-6 custody API — the sovereign-custody surface, mirroring `vault.user.*`.
+     *
+     * - `grantCustodian(opts)` / `revokeCustodian(opts)` — owner-only: mint /
+     *   remove a `custodian` who operates the vault fully but can never grant /
+     *   rotate / sever / extract.
+     * - `liberate(opts)` — custodian-only: the audited claim of ownership over a
+     *   sealed-owner (Deed) vault (mints a DISTINCT new owner; ledger-audited).
+     *
+     * @see docs/superpowers/specs/2026-06-17-fr6-deed-custodian-liberate-design.md
+     */
+    readonly custody: CustodyApi;
     /**
      * Optional callback that re-derives an UnlockedKeyring from the
      * adapter using the active user's passphrase. Called by `load()`
@@ -9788,6 +9412,12 @@ declare class Vault {
          * default; non-adopting collections take the legacy path unchanged.
          */
         perRecordKeys?: boolean;
+        /**
+         * Per-record provenance tracking. When `true`, `put()` calls that
+         * supply a `source` option stamp `_source` / `_sourceTs` onto the
+         * unencrypted envelope metadata. Off by default. (FR-5, #445)
+         */
+        provenance?: boolean;
         /**
          * declarative blob retention / TTL policy per slot
          * name. Values are `{ retainDays?, evictWhen? }`. Evaluated only
@@ -11379,6 +11009,13 @@ declare class Collection<T> {
      * flag) still decrypts CEK records.
      */
     private readonly perRecordCek;
+    /**
+     * Per-record provenance opt-in (`provenance: true`). When set, `put()` calls
+     * that supply a `source` option stamp `_source`/`_sourceTs` onto the
+     * unencrypted envelope metadata. Off by default — zero cost for collections
+     * that don't need lineage tracking (FR-5, #445).
+     */
+    private readonly provenance;
     /**
      * Session-scoped `(id) → CEK` cache for this collection. Lets updates
      * reuse a record's stable CEK and lets repeated reads skip the AES-KW
@@ -11702,6 +11339,14 @@ declare class Collection<T> {
          * keyed to the collection DEK regardless.
          */
         perRecordKeys?: boolean | undefined;
+        /**
+         * Per-record provenance tracking. When `true`, `put()` calls that
+         * supply a `source` option stamp `_source` (opaque source id) and
+         * `_sourceTs` (ISO-8601 timestamp) onto the unencrypted envelope
+         * metadata. Off by default — zero cost for collections that don't
+         * need lineage tracking. (FR-5, #445)
+         */
+        provenance?: boolean | undefined;
         /**
          * declared tiers this collection supports. An
          * undefined or empty list disables the hierarchical-tier surface
@@ -11810,6 +11455,29 @@ declare class Collection<T> {
      * Throws if the collection is not in CRDT mode.
      */
     getRaw(id: string): Promise<CrdtState | null>;
+    /**
+     * Read a record's unencrypted envelope metadata (version, timestamps,
+     * provenance) without decrypting the body.
+     *
+     * Returns `null` when no envelope exists for `id` (record absent or never
+     * written). Only `_source`/`_sourceTs` fields are populated when the
+     * collection was opened with `provenance: true` AND the record was written
+     * with a `source` option — but this method works on any collection because
+     * it reads the raw envelope directly.
+     *
+     * @returns `{ version, timestamp, by?, source?, sourceTs? }` or `null`.
+     *
+     * @example
+     * const meta = await clients.getMetadata('c1')
+     * if (meta) console.log(meta.source, meta.timestamp)
+     */
+    getMetadata(id: string): Promise<{
+        readonly version: number;
+        readonly timestamp: string;
+        readonly by?: string;
+        readonly source?: string;
+        readonly sourceTs?: string;
+    } | null>;
     /**
      * Return a presence handle for this collection.
      *
@@ -11837,10 +11505,31 @@ declare class Collection<T> {
      *                `reason` is stamped onto the resulting ledger entry
      *                so audit consumers can filter via
      *                `entries.filter(e => e.reason?.startsWith('import:'))`.
+     *                `source` is an opaque source id (e.g. `'crm-sync'`, `'firm-A'`)
+     *                stamped onto the envelope as `_source`/`_sourceTs` when
+     *                the collection has `provenance: true`. Ignored otherwise
+     *                (zero cost). (FR-5, #445)
+     *                `sourceTs` is an optional ISO-8601 origin timestamp override;
+     *                when supplied together with `source` on a provenance collection,
+     *                replaces the machine-stamped `now()` so re-merges preserve the
+     *                ORIGIN refresh time across vaults. (FR-4)
      */
     put(id: string, record: T, options?: {
         readonly reason?: string;
+        readonly source?: string;
+        readonly sourceTs?: string;
     }): Promise<void>;
+    /**
+     * Validate a record against this collection's schema WITHOUT writing it.
+     * Returns the (possibly coerced) record on success; throws
+     * {@link SchemaValidationError} (direction: `'input'`) on violation.
+     * A no-op pass-through when no schema is declared.
+     *
+     * Used by FR-8 migrate-then-merge to pre-validate all staged records
+     * before `mergeDecryptedRecords` writes anything — so a failed upgrade
+     * never half-writes the receiver.
+     */
+    validateInput(record: T): Promise<T>;
     /** @internal Untracked put body — call {@link put}, not this. */
     private putInternal;
     /**
@@ -12599,6 +12288,8 @@ declare class Collection<T> {
             reason: string;
             fromTier: number;
         };
+        source?: string;
+        sourceTs?: string;
     }): Promise<void>;
     /**
      * tier-aware get. When the stored record is at a
@@ -12967,15 +12658,26 @@ declare const NOYDB_SYNC_VERSION: 1;
  * Roles control both the operations a user can perform and which DEKs
  * they receive in their keyring:
  *
- * | Role       | Collections      | Can grant/revoke | Can export |
- * |------------|-----------------|:----------------:|:----------:|
- * | `owner`    | all (rw)        | Yes (all roles)  | Yes        |
- * | `admin`    | all (rw)        | Yes (≤ admin)    | Yes        |
- * | `operator` | explicit (rw)   | No               | ACL-scoped |
- * | `viewer`   | all (ro)        | No               | Yes        |
- * | `client`   | explicit (ro)   | No               | ACL-scoped |
- */
-type Role = 'owner' | 'admin' | 'operator' | 'viewer' | 'client';
+ * | Role        | Collections      | Can grant/revoke | Can export |
+ * |-------------|-----------------|:----------------:|:----------:|
+ * | `owner`     | all (rw)        | Yes (all roles)  | Yes        |
+ * | `admin`     | all (rw)        | Yes (≤ admin)    | Yes        |
+ * | `custodian` | all (rw)        | No (see below)   | Yes        |
+ * | `operator`  | explicit (rw)   | No               | ACL-scoped |
+ * | `viewer`    | all (ro)        | No               | Yes        |
+ * | `client`    | explicit (ro)   | No               | ACL-scoped |
+ *
+ * **`custodian` (FR-6 sovereign custody).** Operationally admin-rank —
+ * rw + access on every collection, receives all collection DEKs on grant
+ * — but is *provably non-owning*: it CANNOT grant, revoke, rotate keys,
+ * destructively withdraw/sever, or extract-and-sever a partition (rotate is
+ * blocked in `rotateKeys`, sever in `withdrawAccessibleData`, and extract in
+ * `extractPartition`). Only the (sealed Deed) **owner** may
+ * mint or remove a custodian; an admin cannot. This is the inalienability
+ * floor — a custodian can run the vault day-to-day yet never escalate to
+ * the owner credential.
+ */
+type Role = 'owner' | 'admin' | 'custodian' | 'operator' | 'viewer' | 'client';
 /**
  * Read-write or read-only access on a collection.
  * Stored per-collection in the user's keyring.
@@ -12995,6 +12697,14 @@ interface EncryptedEnvelope {
     readonly _data: string;
     /** User who created this version (unencrypted metadata). */
     readonly _by?: string;
+    /**
+     * Opaque provenance source id — which party/registry wrote this version.
+     * Unencrypted; present only when the collection opts into `provenance: true`
+     * and a `source` is supplied to `put()`. Off by default (zero cost).
+     */
+    readonly _source?: string;
+    /** ISO-8601 timestamp the provenance source was recorded. Present alongside `_source`. */
+    readonly _sourceTs?: string;
     /**
      * Hierarchical access tier. Omitted → tier 0.
      *
@@ -14958,4 +14668,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type VersionRecord as $, type BlobPutOptions as A, type BlobStrategy as B, type BlobResponseOptions as C, DICT_COLLECTION_PREFIX as D, BlobSet as E, type BlobStrategyOpenArgs as F, type CompactRunOptions as G, type CompactionContext as H, type I18nStrategy as I, type CompactionResult as J, DEFAULT_CHUNK_SIZE as K, EXPORT_AUDIT_COLLECTION as L, ExportBlobsAbortedError as M, type ExportBlobsAuditEntry as N, type ExportBlobsHandle as O, PolicyEnforcer as P, type ExportBlobsOptions as Q, type ExportedBlob as R, type ScriptWarning as S, type ObjectListEntry as T, type ObjectMeta as U, type ObjectProjection as V, type ObjectUrlOptions as W, type PutObjectOptions as X, type PutUrlOptions as Y, type SlotInfo as Z, type SlotRecord as _, type DictEntry as a, type ChangeType as a$, createExportBlobsHandle as a0, memoryObjectProjection as a1, runCompaction as a2, type ConsentStrategy as a3, CONSENT_AUDIT_COLLECTION as a4, type ConsentAuditEntry as a5, type ConsentAuditFilter as a6, type ConsentContext as a7, type ConsentOp as a8, loadConsentEntries as a9, type SnapshotMeta as aA, type SnapshotMode as aB, type DerivationStrategy as aC, type DerivationContext as aD, type ArrayOutputSpec as aE, DerivationRegistry as aF, type DerivationStrategyHandle as aG, type DerivedFromMeta as aH, type OutputSpec as aI, type RecordOutputSpec as aJ, type MaterializedViewStrategy as aK, type MaterializedViewStrategyHandle as aL, type OverlayedViewStrategy as aM, Collection as aN, type OverlayFieldMergeMode as aO, type OverlayFieldMergeRule as aP, OverlayedViewRegistry as aQ, type OverlayedViewStrategyHandle as aR, type SyncStrategy as aS, type Role as aT, type UnlockedKeyring as aU, type HistoryStrategy as aV, type NoydbStore as aW, type HistoryOptions as aX, type EncryptedEnvelope as aY, type PruneOptions as aZ, type AppendInput as a_, writeConsentEntry as aa, type PeriodsStrategy as ab, type CarryForwardContext as ac, type ClosePeriodOptions as ad, type OpenPeriodOptions as ae, PERIODS_COLLECTION as af, type PeriodRecord as ag, type ReadOnlyCollection as ah, appendPeriodLedgerEntry as ai, assertTsWritable as aj, chainAnchor as ak, loadPeriods as al, validatePeriodName as am, type GuardStrategy as an, type GuardChange as ao, type GuardContext as ap, GuardRegistry as aq, type GuardStrategyHandle as ar, ReadOnlyVaultFacade as as, type ShadowStrategy as at, CollectionFrame as au, VaultFrame as av, type NoydbBundleStore as aw, type RetentionPolicy as ax, type SnapshotPolicy as ay, type SnapshotStrategy as az, type DictKeyDescriptor as b, type CrossTierAccessEvent as b$, CollectionInstant as b0, type DiffEntry as b1, type JsonPatch as b2, type JsonPatchOp as b3, LedgerStore as b4, type VaultEngine as b5, VaultInstant as b6, type VerifyResult as b7, applyPatch as b8, computePatch as b9, type PersistedSchemaEnvelope as bA, type UpdateDecision as bB, type DirectoryConfig as bC, type UserVisibility as bD, type AccessibleVault as bE, type AffectedDocument as bF, type ApproveWithdrawalOptions as bG, type ArchivePolicy as bH, type ArchiveResult as bI, type ArchiveRunOptions as bJ, type ArchiveStrategy as bK, BUNDLE_STORE_POLICY as bL, type BuiltInGateName as bM, type CacheOptions as bN, type CacheStats as bO, type CapturedBlueprint as bP, type ChangeEvent as bQ, type CollectionChangeEvent as bR, type CollectionConflictResolver as bS, type CollectionDescriptor as bT, type CollectionStats as bU, ComputedFieldError as bV, type ComputedFields as bW, type ComputedFn as bX, type Conflict as bY, type ConflictPolicy as bZ, type ConflictStrategy as b_, diff as ba, formatDiff as bb, type PublicEnvelope as bc, type SealingKeyProvider as bd, type BundleRecipient as be, type RecipientSealer as bf, type RecipientHint as bg, Vault as bh, type RecoveryEnrollmentInput as bi, type ShamirRecoveryProvider as bj, TxContext as bk, type MVQueryContext as bl, type RegisteredMV as bm, MaterializedViewRegistry as bn, type MaterializedFromMeta as bo, type MaterializedViewOutput as bp, type UnionArmJoin as bq, type UnionSource as br, type UserEnvelope as bs, type GateName as bt, type GatePolicy as bu, type VaultPolicy as bv, type ActiveTier as bw, type FactorProof as bx, type SchemaUpdateStrategy as by, type TransformFn as bz, DictionaryHandle as c, type LinkSpec as c$, CrossVaultAggregation as c0, type CrossVaultDerivationContext as c1, type CrossVaultDerivationSpec as c2, CrossVaultGroupedAggregation as c3, type GroupedRow as c4, type CrossVaultLiveAggregation as c5, type CrossVaultLiveQuery as c6, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as c7, DELEGATIONS_COLLECTION as c8, type DeepPartial as c9, type FenceState as cA, type FieldChange as cB, type FieldDescriptor as cC, type FieldSource as cD, type FleetMigrationResult as cE, type FormattedSequenceHandle as cF, type FrozenSnapshotRef as cG, type GhostRecord as cH, type GrantOptions as cI, type GuardViolation as cJ, type HistoryConfig as cK, type HistoryEntry as cL, INDEXED_STORE_POLICY as cM, type ImportCapability as cN, type InferOutput as cO, type InternalCollectionStats as cP, type IssueDelegationOptions as cQ, type IssueMagicLinkGrantOptions as cR, type KeyringAuthenticator as cS, type KeyringAuthenticatorWrappingDEKs as cT, type KeyringAuthenticatorWrappingKEK as cU, type KeyringFile as cV, LinkEndpointError as cW, LinkIntegrityError as cX, type LinkOnDelete as cY, type LinkRow as cZ, type LinkSetHandle as c_, type DeepPartialOrNull as ca, type DeferredNumberingConfig as cb, type DelegationToken as cc, type DeleteManyResult as cd, type DeploymentEvent as ce, type DerivationDescriptor as cf, type DirtyEntry as cg, type DryRunResult as ch, type DumpSchemaOptions as ci, ELEVATION_AUDIT_COLLECTION as cj, ElevatedHandle as ck, type EnrollAuthenticatorOptions as cl, type EnrollAuthenticatorWrappingDEKsOptions as cm, type EnrollAuthenticatorWrappingKEKOptions as cn, type EnrollRecoveryResult as co, type ExportAccessibleOptions as cp, type ExportCapability as cq, type ExportChunk as cr, type ExportFormat as cs, type ExportStreamOptions as ct, type FactorKind as cu, type FactorProofBundle as cv, type FactorRequirement as cw, type FanoutQueryOptions as cx, type FanoutResult as cy, type FenceDoc as cz, type DictionaryOptions as d, type RecoveryProof as d$, type ListAccessibleVaultsOptions as d0, type ListPageResult as d1, type ListUsersOptions as d2, type LiveQueryOptions as d3, type LiveUserEnvelope as d4, type LocaleReadOptions as d5, Lru as d6, type LruOptions as d7, type LruStats as d8, MAGIC_LINK_CONTENT_INFO_PREFIX as d9, type PersistedSchemaKind as dA, type PlaintextTranslatorContext as dB, type PlaintextTranslatorFn as dC, PresenceHandle as dD, type PresencePeer as dE, type PublicEnvelopeField as dF, type PublicEnvelopeSchema as dG, type PublicEnvelopeText as dH, type PullMode as dI, type PullOptions as dJ, type PullPolicy as dK, type PullResult as dL, type PushMode as dM, type PushOptions as dN, type PushPolicy as dO, type PushResult as dP, type PutManyItemOptions as dQ, type PutManyOptions as dR, type PutManyResult as dS, type QueryAcrossOptions as dT, type QueryAcrossResult as dU, type QuickUnlockState as dV, QuickUnlockStore as dW, type ReAuthOperation as dX, type RecoverPassphraseInput as dY, type RecoverPassphraseResult as dZ, type RecoverUserOptions as d_, MAGIC_LINK_GRANTS_COLLECTION as da, MAGIC_LINK_KEK_INFO_PREFIX as db, type MagicLinkGrantPayload as dc, type MagicLinkGrantRecord as dd, type MaterializedViewDescriptor as de, MemoryRecipientSealer as df, MemorySealingKeyProvider as dg, type MigrationStatusRow as dh, NOYDB_BACKUP_VERSION as di, NOYDB_FORMAT_VERSION as dj, NOYDB_KEYRING_VERSION as dk, NOYDB_SYNC_VERSION as dl, type NextOptions as dm, Noydb as dn, type NoydbEventMap as dp, type NoydbOptions as dq, type Assignment as dr, type OverlayViewDescriptor as ds, PUBLIC_ENVELOPE_FIELDS as dt, type PaperRecoveryDoc as du, type PaperRecoveryEntry as dv, type PassphrasePolicy as dw, type PassphraseValidationResult as dx, type Permission as dy, type Permissions as dz, type StaticDictDescriptor as e, type Unsubscribe as e$, type RefreshInsightsResult as e0, type RejectWithdrawalOptions as e1, type RequestWithdrawalOptions as e2, type RequestWithdrawalResult as e3, type ResolvedPublicEnvelopeSchema as e4, type RevokeOptions as e5, type RotatePassphraseInput as e6, type RotateRecoveryOptions as e7, type RotateRecoveryResult as e8, SEALED_PASSPHRASE_RECORD_ID as e9, type StoreAuth as eA, type StoreAuthKind as eB, type StoreCapabilities as eC, type StoreTime as eD, SyncEngine as eE, type SyncMetadata as eF, type SyncPolicy as eG, SyncScheduler as eH, type SyncSchedulerStatus as eI, type SyncStatus as eJ, type SyncTarget as eK, type SyncTargetRole as eL, SyncTransaction as eM, type SyncTransactionResult as eN, type TabChannel as eO, type TabCoordinationOptions as eP, type TabLockManager as eQ, type TabPresence as eR, type TabRole as eS, type TierMode as eT, type TransactionInvariant as eU, type TranslatorAuditEntry as eV, TxCollection as eW, type TxOp as eX, TxVault as eY, USER_ENVELOPE_COLLECTION as eZ, USER_ENVELOPE_MAX_BYTES as e_, type SchemaDelta as ea, type SchemaIntrospection as eb, type SchemaManifestRow as ec, type SealedEnvelope as ed, type SealedPassphrase as ee, type SearchEntry as ef, type SearchOptions as eg, type SearchResult as eh, type SequenceHandle as ei, type SequenceOptions as ej, SequenceStore as ek, type SessionPolicy as el, type SetPublicEnvelopeInput as em, type ShamirRecoveryDoc as en, type ShamirRecoveryEntry as eo, ShardedCollection as ep, ShardedGroupedQuery as eq, ShardedQuery as er, type ShardingConfig as es, type SkippedVault as et, type SlotRewrapCeremony as eu, type SlotRewrapContext as ev, type StandardSchemaV1 as ew, type StandardSchemaV1Issue as ex, type StandardSchemaV1SyncResult as ey, StateManagementVault as ez, dictCollectionName as f, magicLinkGrantRecordId as f$, type UpdateAuthenticatorOptions as f0, type UpdateContext as f1, type UpdateUserOptions as f2, UserApi as f3, type UserEnvelopeCheckGate as f4, UserEnvelopeOversizedError as f5, type UserEnvelopePresented as f6, type UserInfo as f7, type VaultBackup as f8, VaultGroup as f9, createNoydb as fA, createStore as fB, deriveMagicLinkContentKey as fC, enrollAuthenticator as fD, estimateEntropy as fE, evalComputedFields as fF, evaluateExportCapability as fG, evaluateImportCapability as fH, exportAccessibleData as fI, findAuthenticator as fJ, hasExportCapability as fK, hasImportCapability as fL, hasRecoveryEnrolled as fM, isLinkCollectionName as fN, isMagicLinkGrantExpired as fO, isPublicEnvelope as fP, issueDelegation as fQ, recoverPassphrase as fR, rotatePassphrase as fS, listMagicLinkGrants as fT, listUsers as fU, listUsersWithEnvelopes as fV, listWithdrawalRequests as fW, loadActiveDelegations as fX, loadPaperRecoveryEntries as fY, loadSealedPassphrase as fZ, loadShamirRecoveryEntries as f_, type VaultGroupOptions as fa, type VaultPolicyOnDisk as fb, type VaultRegistryRow as fc, type VaultSchemaSnapshot as fd, type VaultSnapshot as fe, type VaultTemplate as ff, type WarningRules as fg, WeakPassphraseError as fh, type WeakPassphraseReason as fi, type WithArchiveOptions as fj, type WithdrawAccessibleOptions as fk, type WithdrawResult as fl, type WithdrawalRequest as fm, WithdrawalRequestError as fn, type WithdrawalRequestStatus as fo, type WrappedDeksBlob as fp, type WriteConflict as fq, type WriteEvent as fr, type WriteHook as fs, type WriteQueue as ft, aesGcmOpen as fu, approveWithdrawal as fv, assertStrongPassphrase as fw, buildRecipientKeyringFile as fx, burnPaperRecoveryEntry as fy, compileSequenceFormat as fz, dictKey as g, mintPaperRecoveryEntry as g0, mintShamirRecoveryEntry as g1, mintWrappedDeksBlob as g2, parseRsaOaepTlv as g3, parseSealedEnvelope as g4, readMagicLinkGrantRecord as g5, recoverUser as g6, rejectWithdrawal as g7, removeAuthenticator as g8, requestWithdrawal as g9, persistKeyring as gA, revoke as gB, updateAuthenticator as gC, updateKeyringIdentity as gD, type TxStrategy as gE, type AmendmentTxOptions as gF, resolveSchema as ga, resolveSequenceKey as gb, revokeDelegation as gc, revokeMagicLinkGrant as gd, runTransaction as ge, savePaperRecoveryEntries as gf, saveSealedPassphrase as gg, saveShamirRecoveryEntries as gh, sealRsaOaepTlv as gi, unwrapDeksFromBlob as gj, unwrapDeksFromPaperEntry as gk, unwrapDeksFromShamirEntry as gl, unwrapMagicLinkGrant as gm, validatePassphrase as gn, validatePublicEnvelopeInput as go, validateSchemaInput as gp, validateSchemaOutput as gq, withArchive as gr, withDeferredNumbering as gs, withdrawAccessibleData as gt, writeMagicLinkGrant as gu, changeSecret as gv, createOwnerKeyring as gw, ensureCollectionDEK as gx, grant as gy, loadKeyring as gz, enforceScript as h, inferScripts as i, isDictCollectionName as j, isDictKeyDescriptor as k, isStaticDictDescriptor as l, type SessionStrategy as m, createEnforcer as n, BLOB_CHUNKS_COLLECTION as o, BLOB_COLLECTION as p, BLOB_EVICTION_AUDIT_COLLECTION as q, BLOB_INDEX_COLLECTION as r, staticDict as s, BLOB_SLOTS_PREFIX as t, BLOB_VERSIONS_PREFIX as u, validateSessionPolicy as v, type BlobEvictionEntry as w, type BlobFieldPolicy as x, type BlobFieldsConfig as y, type BlobObject as z };
+export { type VersionRecord as $, type BlobPutOptions as A, type BlobStrategy as B, type BlobResponseOptions as C, DICT_COLLECTION_PREFIX as D, BlobSet as E, type BlobStrategyOpenArgs as F, type CompactRunOptions as G, type CompactionContext as H, type I18nStrategy as I, type CompactionResult as J, DEFAULT_CHUNK_SIZE as K, EXPORT_AUDIT_COLLECTION as L, ExportBlobsAbortedError as M, type ExportBlobsAuditEntry as N, type ExportBlobsHandle as O, PolicyEnforcer as P, type ExportBlobsOptions as Q, type ExportedBlob as R, type ScriptWarning as S, type ObjectListEntry as T, type ObjectMeta as U, type ObjectProjection as V, type ObjectUrlOptions as W, type PutObjectOptions as X, type PutUrlOptions as Y, type SlotInfo as Z, type SlotRecord as _, type DictEntry as a, type ChangeType as a$, createExportBlobsHandle as a0, memoryObjectProjection as a1, runCompaction as a2, type ConsentStrategy as a3, CONSENT_AUDIT_COLLECTION as a4, type ConsentAuditEntry as a5, type ConsentAuditFilter as a6, type ConsentContext as a7, type ConsentOp as a8, loadConsentEntries as a9, type SnapshotMeta as aA, type SnapshotMode as aB, type DerivationStrategy as aC, type DerivationContext as aD, type ArrayOutputSpec as aE, DerivationRegistry as aF, type DerivationStrategyHandle as aG, type DerivedFromMeta as aH, type OutputSpec as aI, type RecordOutputSpec as aJ, type MaterializedViewStrategy as aK, type MaterializedViewStrategyHandle as aL, type OverlayedViewStrategy as aM, Collection as aN, type OverlayFieldMergeMode as aO, type OverlayFieldMergeRule as aP, OverlayedViewRegistry as aQ, type OverlayedViewStrategyHandle as aR, type SyncStrategy as aS, type Role as aT, type UnlockedKeyring as aU, type HistoryStrategy as aV, type NoydbStore as aW, type HistoryOptions as aX, type EncryptedEnvelope as aY, type PruneOptions as aZ, type AppendInput as a_, writeConsentEntry as aa, type PeriodsStrategy as ab, type CarryForwardContext as ac, type ClosePeriodOptions as ad, type OpenPeriodOptions as ae, PERIODS_COLLECTION as af, type PeriodRecord as ag, type ReadOnlyCollection as ah, appendPeriodLedgerEntry as ai, assertTsWritable as aj, chainAnchor as ak, loadPeriods as al, validatePeriodName as am, type GuardStrategy as an, type GuardChange as ao, type GuardContext as ap, GuardRegistry as aq, type GuardStrategyHandle as ar, ReadOnlyVaultFacade as as, type ShadowStrategy as at, CollectionFrame as au, VaultFrame as av, type NoydbBundleStore as aw, type RetentionPolicy as ax, type SnapshotPolicy as ay, type SnapshotStrategy as az, type DictKeyDescriptor as b, CustodyApi as b$, CollectionInstant as b0, type DiffEntry as b1, type JsonPatch as b2, type JsonPatchOp as b3, LedgerStore as b4, type VaultEngine as b5, VaultInstant as b6, type VerifyResult as b7, applyPatch as b8, computePatch as b9, type PersistedSchemaEnvelope as bA, type UpdateDecision as bB, type DirectoryConfig as bC, type UserVisibility as bD, type AccessibleVault as bE, type AffectedDocument as bF, type ApproveWithdrawalOptions as bG, type ArchivePolicy as bH, type ArchiveResult as bI, type ArchiveRunOptions as bJ, type ArchiveStrategy as bK, BUNDLE_STORE_POLICY as bL, type BuiltInGateName as bM, type CacheOptions as bN, type CacheStats as bO, type ChangeEvent as bP, type CollectionChangeEvent as bQ, type CollectionConflictResolver as bR, type CollectionDescriptor as bS, type CollectionStats as bT, ComputedFieldError as bU, type ComputedFields as bV, type ComputedFn as bW, type Conflict as bX, type ConflictPolicy as bY, type ConflictStrategy as bZ, type CrossTierAccessEvent as b_, diff as ba, formatDiff as bb, Vault as bc, type SealingKeyProvider as bd, type RecoveryEnrollmentInput as be, type ShamirRecoveryProvider as bf, type PublicEnvelope as bg, type BundleRecipient as bh, type RecipientSealer as bi, type RecipientHint as bj, TxContext as bk, type MVQueryContext as bl, type RegisteredMV as bm, MaterializedViewRegistry as bn, type MaterializedFromMeta as bo, type MaterializedViewOutput as bp, type UnionArmJoin as bq, type UnionSource as br, type UserEnvelope as bs, type GateName as bt, type GatePolicy as bu, type VaultPolicy as bv, type ActiveTier as bw, type FactorProof as bx, type SchemaUpdateStrategy as by, type TransformFn as bz, DictionaryHandle as c, type LruStats as c$, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as c0, DELEGATIONS_COLLECTION as c1, type DeepPartial as c2, type DeepPartialOrNull as c3, type DeferredNumberingConfig as c4, type DelegationToken as c5, type DeleteManyResult as c6, type DerivationDescriptor as c7, type DirtyEntry as c8, type DryRunResult as c9, type HistoryConfig as cA, type HistoryEntry as cB, INDEXED_STORE_POLICY as cC, type ImportCapability as cD, type InferOutput as cE, type InternalCollectionStats as cF, type IssueDelegationOptions as cG, type IssueMagicLinkGrantOptions as cH, type KeyringAuthenticator as cI, type KeyringAuthenticatorWrappingDEKs as cJ, type KeyringAuthenticatorWrappingKEK as cK, type KeyringFile as cL, type LiberateOptions as cM, type LiberateResult as cN, LinkEndpointError as cO, LinkIntegrityError as cP, type LinkOnDelete as cQ, type LinkRow as cR, type LinkSetHandle as cS, type LinkSpec as cT, type ListAccessibleVaultsOptions as cU, type ListPageResult as cV, type ListUsersOptions as cW, type LiveUserEnvelope as cX, type LocaleReadOptions as cY, Lru as cZ, type LruOptions as c_, type DumpSchemaOptions as ca, ELEVATION_AUDIT_COLLECTION as cb, ElevatedHandle as cc, type EnrollAuthenticatorOptions as cd, type EnrollAuthenticatorWrappingDEKsOptions as ce, type EnrollAuthenticatorWrappingKEKOptions as cf, type EnrollRecoveryResult as cg, type ExportAccessibleOptions as ch, type ExportCapability as ci, type ExportChunk as cj, type ExportFormat as ck, type ExportStreamOptions as cl, type FactorKind as cm, type FactorProofBundle as cn, type FactorRequirement as co, type FenceDoc as cp, type FenceState as cq, type FieldChange as cr, type FieldDescriptor as cs, type FieldSource as ct, type FormattedSequenceHandle as cu, type FrozenSnapshotRef as cv, type GhostRecord as cw, type GrantCustodianOptions as cx, type GrantOptions as cy, type GuardViolation as cz, type DictionaryOptions as d, type SchemaDelta as d$, MAGIC_LINK_CONTENT_INFO_PREFIX as d0, MAGIC_LINK_GRANTS_COLLECTION as d1, MAGIC_LINK_KEK_INFO_PREFIX as d2, type MagicLinkGrantPayload as d3, type MagicLinkGrantRecord as d4, type MaterializedViewDescriptor as d5, MemoryRecipientSealer as d6, MemorySealingKeyProvider as d7, NOYDB_BACKUP_VERSION as d8, NOYDB_FORMAT_VERSION as d9, type PullPolicy as dA, type PullResult as dB, type PushMode as dC, type PushOptions as dD, type PushPolicy as dE, type PushResult as dF, type PutManyItemOptions as dG, type PutManyOptions as dH, type PutManyResult as dI, type QueryAcrossOptions as dJ, type QueryAcrossResult as dK, type QuickUnlockState as dL, QuickUnlockStore as dM, type ReAuthOperation as dN, type RecoverPassphraseInput as dO, type RecoverPassphraseResult as dP, type RecoverUserOptions as dQ, type RecoveryProof as dR, type RejectWithdrawalOptions as dS, type RequestWithdrawalOptions as dT, type RequestWithdrawalResult as dU, type ResolvedPublicEnvelopeSchema as dV, type RevokeOptions as dW, type RotatePassphraseInput as dX, type RotateRecoveryOptions as dY, type RotateRecoveryResult as dZ, SEALED_PASSPHRASE_RECORD_ID as d_, NOYDB_KEYRING_VERSION as da, NOYDB_SYNC_VERSION as db, type NextOptions as dc, Noydb as dd, type NoydbEventMap as de, type NoydbOptions as df, type Assignment as dg, type OverlayViewDescriptor as dh, PUBLIC_ENVELOPE_FIELDS as di, type PaperRecoveryDoc as dj, type PaperRecoveryEntry as dk, type PassphrasePolicy as dl, type PassphraseValidationResult as dm, type Permission as dn, type Permissions as dp, type PersistedSchemaKind as dq, type PlaintextTranslatorContext as dr, type PlaintextTranslatorFn as ds, PresenceHandle as dt, type PresencePeer as du, type PublicEnvelopeField as dv, type PublicEnvelopeSchema as dw, type PublicEnvelopeText as dx, type PullMode as dy, type PullOptions as dz, type StaticDictDescriptor as e, type WithdrawResult as e$, type SchemaIntrospection as e0, type SealedEnvelope as e1, type SealedPassphrase as e2, type SearchEntry as e3, type SearchOptions as e4, type SearchResult as e5, type SequenceHandle as e6, type SequenceOptions as e7, SequenceStore as e8, type SessionPolicy as e9, type TabRole as eA, type TierMode as eB, type TransactionInvariant as eC, type TranslatorAuditEntry as eD, TxCollection as eE, type TxOp as eF, TxVault as eG, USER_ENVELOPE_COLLECTION as eH, USER_ENVELOPE_MAX_BYTES as eI, type Unsubscribe as eJ, type UpdateAuthenticatorOptions as eK, type UpdateContext as eL, type UpdateUserOptions as eM, UserApi as eN, type UserEnvelopeCheckGate as eO, UserEnvelopeOversizedError as eP, type UserEnvelopePresented as eQ, type UserInfo as eR, type VaultBackup as eS, type VaultPolicyOnDisk as eT, type VaultSchemaSnapshot as eU, type VaultSnapshot as eV, type WarningRules as eW, WeakPassphraseError as eX, type WeakPassphraseReason as eY, type WithArchiveOptions as eZ, type WithdrawAccessibleOptions as e_, type SetPublicEnvelopeInput as ea, type ShamirRecoveryDoc as eb, type ShamirRecoveryEntry as ec, type SlotRewrapCeremony as ed, type SlotRewrapContext as ee, type StandardSchemaV1 as ef, type StandardSchemaV1Issue as eg, type StandardSchemaV1SyncResult as eh, type StoreAuth as ei, type StoreAuthKind as ej, type StoreCapabilities as ek, type StoreTime as el, SyncEngine as em, type SyncMetadata as en, type SyncPolicy as eo, SyncScheduler as ep, type SyncSchedulerStatus as eq, type SyncStatus as er, type SyncTarget as es, type SyncTargetRole as et, SyncTransaction as eu, type SyncTransactionResult as ev, type TabChannel as ew, type TabCoordinationOptions as ex, type TabLockManager as ey, type TabPresence as ez, dictCollectionName as f, unwrapDeksFromPaperEntry as f$, type WithdrawalRequest as f0, WithdrawalRequestError as f1, type WithdrawalRequestStatus as f2, type WrappedDeksBlob as f3, type WriteConflict as f4, type WriteEvent as f5, type WriteHook as f6, type WriteQueue as f7, aesGcmOpen as f8, approveWithdrawal as f9, listUsersWithEnvelopes as fA, listWithdrawalRequests as fB, loadActiveDelegations as fC, loadPaperRecoveryEntries as fD, loadSealedPassphrase as fE, loadShamirRecoveryEntries as fF, magicLinkGrantRecordId as fG, mintPaperRecoveryEntry as fH, mintShamirRecoveryEntry as fI, mintWrappedDeksBlob as fJ, parseRsaOaepTlv as fK, parseSealedEnvelope as fL, readMagicLinkGrantRecord as fM, recoverUser as fN, rejectWithdrawal as fO, removeAuthenticator as fP, requestWithdrawal as fQ, resolveSchema as fR, resolveSequenceKey as fS, revokeDelegation as fT, revokeMagicLinkGrant as fU, runTransaction as fV, savePaperRecoveryEntries as fW, saveSealedPassphrase as fX, saveShamirRecoveryEntries as fY, sealRsaOaepTlv as fZ, unwrapDeksFromBlob as f_, assertStrongPassphrase as fa, buildRecipientKeyringFile as fb, burnPaperRecoveryEntry as fc, compileSequenceFormat as fd, createNoydb as fe, createStore as ff, deriveMagicLinkContentKey as fg, enrollAuthenticator as fh, estimateEntropy as fi, evalComputedFields as fj, evaluateExportCapability as fk, evaluateImportCapability as fl, exportAccessibleData as fm, findAuthenticator as fn, hasExportCapability as fo, hasImportCapability as fp, hasRecoveryEnrolled as fq, isLinkCollectionName as fr, isMagicLinkGrantExpired as fs, isPublicEnvelope as ft, issueDelegation as fu, recoverPassphrase as fv, rotatePassphrase as fw, liberateVault as fx, listMagicLinkGrants as fy, listUsers as fz, dictKey as g, unwrapDeksFromShamirEntry as g0, unwrapMagicLinkGrant as g1, validatePassphrase as g2, validatePublicEnvelopeInput as g3, validateSchemaInput as g4, validateSchemaOutput as g5, withArchive as g6, withDeferredNumbering as g7, withdrawAccessibleData as g8, writeMagicLinkGrant as g9, changeSecret as ga, createOwnerKeyring as gb, ensureCollectionDEK as gc, grant as gd, loadKeyring as ge, persistKeyring as gf, revoke as gg, updateAuthenticator as gh, updateKeyringIdentity as gi, type TxStrategy as gj, type AmendmentTxOptions as gk, enforceScript as h, inferScripts as i, isDictCollectionName as j, isDictKeyDescriptor as k, isStaticDictDescriptor as l, type SessionStrategy as m, createEnforcer as n, BLOB_CHUNKS_COLLECTION as o, BLOB_COLLECTION as p, BLOB_EVICTION_AUDIT_COLLECTION as q, BLOB_INDEX_COLLECTION as r, staticDict as s, BLOB_SLOTS_PREFIX as t, BLOB_VERSIONS_PREFIX as u, validateSessionPolicy as v, type BlobEvictionEntry as w, type BlobFieldPolicy as x, type BlobFieldsConfig as y, type BlobObject as z };