@noy-db/hub 0.2.0-pre.8 → 0.3.0-pre.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (541) hide show
  1. package/README.md +129 -3
  2. package/dist/adapter/index.d.ts +5 -0
  3. package/dist/adapter/index.js +15 -0
  4. package/dist/aggregate/index.d.ts +6 -2
  5. package/dist/aggregate/index.js +24 -16
  6. package/dist/aggregate/index.js.map +1 -1
  7. package/dist/api-RW3KP7WU.js +14 -0
  8. package/dist/as/index.d.ts +7 -0
  9. package/dist/as/index.js +24 -0
  10. package/dist/at/index.d.ts +5 -0
  11. package/dist/at/index.js +1 -0
  12. package/dist/attestation/index.d.ts +15 -47
  13. package/dist/attestation/index.js +54 -10
  14. package/dist/attestation/index.js.map +1 -1
  15. package/dist/backup-XV3IOEGB.js +217 -0
  16. package/dist/backup-XV3IOEGB.js.map +1 -0
  17. package/dist/blobs/index.d.ts +6 -8
  18. package/dist/blobs/index.js +19 -12
  19. package/dist/blobs/index.js.map +1 -1
  20. package/dist/bundle/index.d.ts +16 -70
  21. package/dist/bundle/index.js +39 -476
  22. package/dist/bundle/index.js.map +1 -1
  23. package/dist/{ulid-BFJkYRRW.d.ts → bundle-CH-H06dp.d.ts} +31 -86
  24. package/dist/by/index.d.ts +1 -0
  25. package/dist/by/index.js +11 -0
  26. package/dist/cargo/index.d.ts +9 -0
  27. package/dist/cargo/index.js +89 -0
  28. package/dist/chunk-26LGBE4T.js +42 -0
  29. package/dist/chunk-26LGBE4T.js.map +1 -0
  30. package/dist/chunk-2P2HZEXU.js +233 -0
  31. package/dist/chunk-2P2HZEXU.js.map +1 -0
  32. package/dist/{chunk-K3DK3NU5.js → chunk-3YFXJ3ZP.js} +20 -5
  33. package/dist/chunk-3YFXJ3ZP.js.map +1 -0
  34. package/dist/chunk-4Q6HSHHL.js +90 -0
  35. package/dist/chunk-4Q6HSHHL.js.map +1 -0
  36. package/dist/chunk-5LUY7UTV.js +380 -0
  37. package/dist/chunk-5LUY7UTV.js.map +1 -0
  38. package/dist/chunk-5N6CZTCY.js +367 -0
  39. package/dist/chunk-5N6CZTCY.js.map +1 -0
  40. package/dist/chunk-5O3AOPDT.js +992 -0
  41. package/dist/chunk-5O3AOPDT.js.map +1 -0
  42. package/dist/chunk-5R3ERCDH.js +239 -0
  43. package/dist/chunk-5R3ERCDH.js.map +1 -0
  44. package/dist/{chunk-6774ZOQ7.js → chunk-5R5JW2JT.js} +7095 -4769
  45. package/dist/chunk-5R5JW2JT.js.map +1 -0
  46. package/dist/chunk-5TDJ56JE.js +32 -0
  47. package/dist/chunk-5TDJ56JE.js.map +1 -0
  48. package/dist/{chunk-T7JEBOGN.js → chunk-62QYRORB.js} +18 -11
  49. package/dist/chunk-62QYRORB.js.map +1 -0
  50. package/dist/{chunk-J66GRPNH.js → chunk-6S7T6WC4.js} +2 -2
  51. package/dist/chunk-6S7T6WC4.js.map +1 -0
  52. package/dist/chunk-76722EBH.js +451 -0
  53. package/dist/chunk-76722EBH.js.map +1 -0
  54. package/dist/{chunk-Z6FNBOTC.js → chunk-AIWULCUO.js} +13 -17
  55. package/dist/chunk-AIWULCUO.js.map +1 -0
  56. package/dist/{chunk-O3VZPBZG.js → chunk-AQTBSL7R.js} +47 -11
  57. package/dist/chunk-AQTBSL7R.js.map +1 -0
  58. package/dist/chunk-AURFOK3D.js +35 -0
  59. package/dist/chunk-AURFOK3D.js.map +1 -0
  60. package/dist/{chunk-53XBRIRT.js → chunk-AXRXJTE2.js} +9 -9
  61. package/dist/chunk-AXRXJTE2.js.map +1 -0
  62. package/dist/chunk-AZAOEIKW.js +155 -0
  63. package/dist/chunk-AZAOEIKW.js.map +1 -0
  64. package/dist/{chunk-HNRHLRDC.js → chunk-BG3SPSR4.js} +3 -3
  65. package/dist/chunk-BG3SPSR4.js.map +1 -0
  66. package/dist/chunk-BGIZAFY7.js +1 -0
  67. package/dist/chunk-CHFZDSE4.js +1 -0
  68. package/dist/{chunk-DJHHA6XH.js → chunk-CMGR4ZEW.js} +50 -20
  69. package/dist/chunk-CMGR4ZEW.js.map +1 -0
  70. package/dist/chunk-CWPPNPOH.js +23 -0
  71. package/dist/chunk-CWPPNPOH.js.map +1 -0
  72. package/dist/{chunk-QODLLGQ7.js → chunk-DFEMTNPJ.js} +371 -38
  73. package/dist/chunk-DFEMTNPJ.js.map +1 -0
  74. package/dist/{chunk-ZYWZWG6G.js → chunk-DGDI2D4M.js} +10 -10
  75. package/dist/chunk-DGDI2D4M.js.map +1 -0
  76. package/dist/{chunk-SYMWGEET.js → chunk-EIZUR2XW.js} +3 -3
  77. package/dist/chunk-EIZUR2XW.js.map +1 -0
  78. package/dist/{chunk-BVRYKATC.js → chunk-FISN7WE4.js} +36 -33
  79. package/dist/chunk-FISN7WE4.js.map +1 -0
  80. package/dist/chunk-GHVIKOHT.js +1 -0
  81. package/dist/chunk-GYGWYIOZ.js +200 -0
  82. package/dist/chunk-GYGWYIOZ.js.map +1 -0
  83. package/dist/chunk-HCIPRAGS.js +45 -0
  84. package/dist/chunk-HCIPRAGS.js.map +1 -0
  85. package/dist/{chunk-PX35GA7L.js → chunk-I2NOIW44.js} +10 -10
  86. package/dist/chunk-I2NOIW44.js.map +1 -0
  87. package/dist/{chunk-OIF6LZUR.js → chunk-I3TIKTJO.js} +3 -3
  88. package/dist/chunk-I3TIKTJO.js.map +1 -0
  89. package/dist/chunk-I7FD46FF.js +9 -0
  90. package/dist/chunk-I7FD46FF.js.map +1 -0
  91. package/dist/chunk-IAGBDSCS.js +40 -0
  92. package/dist/chunk-IAGBDSCS.js.map +1 -0
  93. package/dist/{chunk-JWRVQKRZ.js → chunk-IELYAOGG.js} +6 -18
  94. package/dist/chunk-IELYAOGG.js.map +1 -0
  95. package/dist/chunk-IGUYVGGI.js +205 -0
  96. package/dist/chunk-IGUYVGGI.js.map +1 -0
  97. package/dist/{chunk-U26HQ6KJ.js → chunk-IO6GRPT6.js} +4 -4
  98. package/dist/chunk-IO6GRPT6.js.map +1 -0
  99. package/dist/chunk-IPB7FTQX.js +273 -0
  100. package/dist/chunk-IPB7FTQX.js.map +1 -0
  101. package/dist/chunk-ITNUCOXM.js +148 -0
  102. package/dist/chunk-ITNUCOXM.js.map +1 -0
  103. package/dist/{chunk-WPLVTJ5D.js → chunk-IUEN57TV.js} +10 -10
  104. package/dist/chunk-IUEN57TV.js.map +1 -0
  105. package/dist/{chunk-DL3HWOQ5.js → chunk-JNUWZ6D3.js} +9 -9
  106. package/dist/chunk-JNUWZ6D3.js.map +1 -0
  107. package/dist/chunk-K2WCO3NX.js +1 -0
  108. package/dist/chunk-KVOXU4T5.js +30 -0
  109. package/dist/chunk-KVOXU4T5.js.map +1 -0
  110. package/dist/chunk-KXGNJJXB.js +135 -0
  111. package/dist/chunk-KXGNJJXB.js.map +1 -0
  112. package/dist/chunk-LB7FD65R.js +163 -0
  113. package/dist/chunk-LB7FD65R.js.map +1 -0
  114. package/dist/{chunk-22DWZL57.js → chunk-LFLXAY2W.js} +43 -218
  115. package/dist/chunk-LFLXAY2W.js.map +1 -0
  116. package/dist/chunk-LMTH2RM6.js +129 -0
  117. package/dist/chunk-LMTH2RM6.js.map +1 -0
  118. package/dist/{aggregate/index.cjs → chunk-LV7M27WM.js} +390 -219
  119. package/dist/chunk-LV7M27WM.js.map +1 -0
  120. package/dist/{chunk-PE2FR4J3.js → chunk-LXQT4WMP.js} +16 -18
  121. package/dist/chunk-LXQT4WMP.js.map +1 -0
  122. package/dist/chunk-M2YKN37S.js +524 -0
  123. package/dist/chunk-M2YKN37S.js.map +1 -0
  124. package/dist/chunk-M6OST55S.js +14 -0
  125. package/dist/chunk-M6OST55S.js.map +1 -0
  126. package/dist/{chunk-F3GDRNUT.js → chunk-MD3Y6J3L.js} +35 -69
  127. package/dist/chunk-MD3Y6J3L.js.map +1 -0
  128. package/dist/{chunk-XJFLDA7A.js → chunk-MTMJVJ5W.js} +8 -7
  129. package/dist/chunk-MTMJVJ5W.js.map +1 -0
  130. package/dist/{chunk-DFMLEQZB.js → chunk-NF5JWERG.js} +5 -10
  131. package/dist/chunk-NF5JWERG.js.map +1 -0
  132. package/dist/{chunk-DO7C2TOG.js → chunk-PKHL44ER.js} +3 -3
  133. package/dist/{chunk-DO7C2TOG.js.map → chunk-PKHL44ER.js.map} +1 -1
  134. package/dist/chunk-PSMV73A5.js +117 -0
  135. package/dist/chunk-PSMV73A5.js.map +1 -0
  136. package/dist/chunk-PY4KJPYU.js +9 -0
  137. package/dist/chunk-PY4KJPYU.js.map +1 -0
  138. package/dist/chunk-PZ5AY32C.js +10 -0
  139. package/dist/{chunk-DE6GKS6G.js → chunk-Q7SS3IME.js} +50 -9
  140. package/dist/chunk-Q7SS3IME.js.map +1 -0
  141. package/dist/chunk-QHJW5EXU.js +54 -0
  142. package/dist/chunk-QHJW5EXU.js.map +1 -0
  143. package/dist/{chunk-NONAAENK.js → chunk-RUEKROOS.js} +11 -4
  144. package/dist/chunk-RUEKROOS.js.map +1 -0
  145. package/dist/chunk-RUIMKQTA.js +23 -0
  146. package/dist/chunk-RUIMKQTA.js.map +1 -0
  147. package/dist/{chunk-TFBP23BX.js → chunk-SKF73JOP.js} +66 -7
  148. package/dist/chunk-SKF73JOP.js.map +1 -0
  149. package/dist/chunk-SM3AVUHC.js +42 -0
  150. package/dist/chunk-SM3AVUHC.js.map +1 -0
  151. package/dist/{chunk-ML236QKC.js → chunk-SMXWYP24.js} +5 -5
  152. package/dist/chunk-SMXWYP24.js.map +1 -0
  153. package/dist/chunk-SRB2XEWB.js +148 -0
  154. package/dist/chunk-SRB2XEWB.js.map +1 -0
  155. package/dist/chunk-SVLR4POP.js +64 -0
  156. package/dist/chunk-SVLR4POP.js.map +1 -0
  157. package/dist/chunk-TA66UMI4.js +123 -0
  158. package/dist/chunk-TA66UMI4.js.map +1 -0
  159. package/dist/chunk-TEILUWOI.js +664 -0
  160. package/dist/chunk-TEILUWOI.js.map +1 -0
  161. package/dist/chunk-TJYQIGAP.js +82 -0
  162. package/dist/chunk-TJYQIGAP.js.map +1 -0
  163. package/dist/{chunk-H2X3ISXG.js → chunk-UAG5KWVA.js} +7 -7
  164. package/dist/chunk-UAG5KWVA.js.map +1 -0
  165. package/dist/chunk-UDRIWL7A.js +382 -0
  166. package/dist/chunk-UDRIWL7A.js.map +1 -0
  167. package/dist/{chunk-2GLDA55J.js → chunk-UIU2THRG.js} +498 -133
  168. package/dist/chunk-UIU2THRG.js.map +1 -0
  169. package/dist/{chunk-3YPCK6JX.js → chunk-UPJNJGGA.js} +165 -423
  170. package/dist/chunk-UPJNJGGA.js.map +1 -0
  171. package/dist/chunk-UV5MFVO3.js +21 -0
  172. package/dist/chunk-UV5MFVO3.js.map +1 -0
  173. package/dist/{chunk-2WUSG3IT.js → chunk-V7RWQRG7.js} +5 -5
  174. package/dist/chunk-V7RWQRG7.js.map +1 -0
  175. package/dist/{chunk-VTKGMEPP.js → chunk-VCTFO5CO.js} +13 -3
  176. package/dist/chunk-VCTFO5CO.js.map +1 -0
  177. package/dist/{chunk-5T22KDPN.js → chunk-VFQGRQIH.js} +8 -8
  178. package/dist/chunk-VFQGRQIH.js.map +1 -0
  179. package/dist/{chunk-2QR2PQTT.js → chunk-VQNJ7UZL.js} +5 -3
  180. package/dist/chunk-VQNJ7UZL.js.map +1 -0
  181. package/dist/{chunk-DONMZAD2.js → chunk-WWGT2MDV.js} +43 -165
  182. package/dist/chunk-WWGT2MDV.js.map +1 -0
  183. package/dist/{chunk-EMIGCR7X.js → chunk-WXSYDNBT.js} +2 -2
  184. package/dist/chunk-WXSYDNBT.js.map +1 -0
  185. package/dist/chunk-WYSO2NIH.js +30 -0
  186. package/dist/chunk-WYSO2NIH.js.map +1 -0
  187. package/dist/chunk-XXYIOFUB.js +164 -0
  188. package/dist/chunk-XXYIOFUB.js.map +1 -0
  189. package/dist/{chunk-3BFJOWSU.js → chunk-Y22T3KQE.js} +35 -7
  190. package/dist/chunk-Y22T3KQE.js.map +1 -0
  191. package/dist/{chunk-A3JMGXPG.js → chunk-YMUGBZN2.js} +2 -2
  192. package/dist/chunk-YMUGBZN2.js.map +1 -0
  193. package/dist/{chunk-I5FOWO4J.js → chunk-ZCGAHGUS.js} +52 -73
  194. package/dist/chunk-ZCGAHGUS.js.map +1 -0
  195. package/dist/{chunk-FZU343FL.js → chunk-ZJADGNYF.js} +2 -2
  196. package/dist/chunk-ZJADGNYF.js.map +1 -0
  197. package/dist/{chunk-B6PB7JLN.js → chunk-ZYUC53LT.js} +427 -6
  198. package/dist/chunk-ZYUC53LT.js.map +1 -0
  199. package/dist/collection-facade-GQAOGJP2.js +33 -0
  200. package/dist/consent/index.d.ts +5 -7
  201. package/dist/consent/index.js +7 -5
  202. package/dist/consent/index.js.map +1 -1
  203. package/dist/crdt/index.d.ts +6 -2
  204. package/dist/crdt/index.js +3 -2
  205. package/dist/crdt/index.js.map +1 -1
  206. package/dist/decrypt-partition-IHtxEnTi.d.ts +21 -0
  207. package/dist/delegation-UL5HKLER.js +19 -0
  208. package/dist/derivations/index.d.ts +7 -9
  209. package/dist/derivations/index.js +11 -6
  210. package/dist/describe/index.d.ts +1 -0
  211. package/dist/describe/index.js +1 -0
  212. package/dist/describe-aBkJR2sd.d.ts +131 -0
  213. package/dist/{dev-unlock-p3ysikWP.d.ts → dev-unlock-C9Ro3v_O.d.ts} +1 -1
  214. package/dist/discriminant-BN9REW3o.d.ts +60 -0
  215. package/dist/enclave-UL5LW66V.js +88 -0
  216. package/dist/executor-2FWQRLMG.js +15 -0
  217. package/dist/executor-QZ7BXICW.js +9 -0
  218. package/dist/executor-Z5ZLJVTV.js +9 -0
  219. package/dist/export-accessible-KRV5W4GH.js +17 -0
  220. package/dist/extract-partition-GLKBOXFQ.js +30 -0
  221. package/dist/{fanout-sidecar-OKPMMPLG.js → fanout-sidecar-GF3DJ6KR.js} +34 -14
  222. package/dist/fanout-sidecar-GF3DJ6KR.js.map +1 -0
  223. package/dist/forget/index.d.ts +36 -0
  224. package/dist/forget/index.js +19 -0
  225. package/dist/forget/index.js.map +1 -0
  226. package/dist/guards/index.d.ts +13 -9
  227. package/dist/guards/index.js +12 -5
  228. package/dist/{hash-BPsYPcv_.d.cts → hash-Cp5uwiox.d.ts} +5 -1
  229. package/dist/history/index.d.ts +6 -8
  230. package/dist/history/index.js +19 -12
  231. package/dist/history/index.js.map +1 -1
  232. package/dist/i18n/index.d.ts +5 -7
  233. package/dist/i18n/index.js +104 -15
  234. package/dist/i18n/index.js.map +1 -1
  235. package/dist/in/index.d.ts +5 -0
  236. package/dist/in/index.js +1 -0
  237. package/dist/in/index.js.map +1 -0
  238. package/dist/index-B9QdHytu.d.ts +123 -0
  239. package/dist/index-BF9_96A5.d.ts +123 -0
  240. package/dist/{types-DGU60JDt.d.ts → index-BzUo1B6n.d.ts} +16306 -8352
  241. package/dist/index.d.ts +1088 -450
  242. package/dist/index.js +1165 -293
  243. package/dist/index.js.map +1 -1
  244. package/dist/indexing/index.d.ts +6 -3
  245. package/dist/indexing/index.js +6 -5
  246. package/dist/indexing/index.js.map +1 -1
  247. package/dist/issue-Y6UVIR43.js +13 -0
  248. package/dist/issue-Y6UVIR43.js.map +1 -0
  249. package/dist/kernel/index.d.ts +32 -0
  250. package/dist/kernel/index.js +53 -0
  251. package/dist/kernel/index.js.map +1 -0
  252. package/dist/{ledger-TMRZYNVJ.js → ledger-RYI35CDS.js} +12 -9
  253. package/dist/ledger-RYI35CDS.js.map +1 -0
  254. package/dist/liberate-CRPZEV7O.js +18 -0
  255. package/dist/liberate-CRPZEV7O.js.map +1 -0
  256. package/dist/materialized-views/index.d.ts +6 -19
  257. package/dist/materialized-views/index.js +16 -12
  258. package/dist/mime-magic-CGhw37_E.d.ts +103 -0
  259. package/dist/noydb-367AM4HT.js +50 -0
  260. package/dist/noydb-367AM4HT.js.map +1 -0
  261. package/dist/on/index.d.ts +5 -0
  262. package/dist/on/index.js +11 -0
  263. package/dist/on/index.js.map +1 -0
  264. package/dist/overlay-views/index.d.ts +27 -11
  265. package/dist/overlay-views/index.js +7 -6
  266. package/dist/periods/index.d.ts +5 -7
  267. package/dist/periods/index.js +13 -9
  268. package/dist/pod/index.d.ts +63 -0
  269. package/dist/pod/index.js +61 -0
  270. package/dist/pod/index.js.map +1 -0
  271. package/dist/policy-IXK4FVXP.js +41 -0
  272. package/dist/policy-IXK4FVXP.js.map +1 -0
  273. package/dist/portability/index.d.ts +20 -0
  274. package/dist/portability/index.js +43 -0
  275. package/dist/portability/index.js.map +1 -0
  276. package/dist/{public-envelope-BW6OXORV.js → public-envelope-JHDQCPSX.js} +6 -5
  277. package/dist/public-envelope-JHDQCPSX.js.map +1 -0
  278. package/dist/query/index.d.ts +5 -3
  279. package/dist/query/index.js +21 -13
  280. package/dist/read-only-facade-5ADRJVTM.js +8 -0
  281. package/dist/read-only-facade-5ADRJVTM.js.map +1 -0
  282. package/dist/registry-45RJNWGU.js +9 -0
  283. package/dist/registry-45RJNWGU.js.map +1 -0
  284. package/dist/registry-5GRV5VXI.js +13 -0
  285. package/dist/registry-5GRV5VXI.js.map +1 -0
  286. package/dist/registry-VW6P6A3J.js +8 -0
  287. package/dist/registry-VW6P6A3J.js.map +1 -0
  288. package/dist/registry-WEUCHBO4.js +11 -0
  289. package/dist/registry-WEUCHBO4.js.map +1 -0
  290. package/dist/request-withdrawal-GBPH2FDY.js +25 -0
  291. package/dist/request-withdrawal-GBPH2FDY.js.map +1 -0
  292. package/dist/revoke-TUFRGI6S.js +18 -0
  293. package/dist/revoke-TUFRGI6S.js.map +1 -0
  294. package/dist/sealed-record/index.d.ts +69 -0
  295. package/dist/sealed-record/index.js +65 -0
  296. package/dist/sealed-record/index.js.map +1 -0
  297. package/dist/session/index.d.ts +6 -8
  298. package/dist/session/index.js +7 -5
  299. package/dist/session/index.js.map +1 -1
  300. package/dist/shadow/index.d.ts +5 -7
  301. package/dist/shadow/index.js +4 -3
  302. package/dist/shadow/index.js.map +1 -1
  303. package/dist/{signer-72QAUSVW.js → signer-PNKTBVF7.js} +6 -5
  304. package/dist/signer-PNKTBVF7.js.map +1 -0
  305. package/dist/snapshots/index.d.ts +16 -11
  306. package/dist/snapshots/index.js +49 -13
  307. package/dist/snapshots/index.js.map +1 -1
  308. package/dist/{stale-6ZDBTQT7.js → stale-3JWHNDIY.js} +3 -2
  309. package/dist/stale-3JWHNDIY.js.map +1 -0
  310. package/dist/store-coordination-provider-3I7XWZZK.js +142 -0
  311. package/dist/store-coordination-provider-3I7XWZZK.js.map +1 -0
  312. package/dist/subject-index-O75wKshW.d.ts +362 -0
  313. package/dist/sync/index.d.ts +4 -6
  314. package/dist/sync/index.js +7 -6
  315. package/dist/sync/index.js.map +1 -1
  316. package/dist/team/index.d.ts +5 -7
  317. package/dist/team/index.js +20 -16
  318. package/dist/tiers/index.d.ts +5 -0
  319. package/dist/tiers/index.js +33 -0
  320. package/dist/tiers/index.js.map +1 -0
  321. package/dist/to/index.d.ts +5 -0
  322. package/dist/to/index.js +17 -0
  323. package/dist/to/index.js.map +1 -0
  324. package/dist/transition-guard-C7ol6oPw.d.ts +165 -0
  325. package/dist/tx/index.d.ts +23 -9
  326. package/dist/tx/index.js +13 -8
  327. package/dist/tx/index.js.map +1 -1
  328. package/dist/ui/index.d.ts +1 -0
  329. package/dist/ui/index.js +1 -0
  330. package/dist/ui/index.js.map +1 -0
  331. package/dist/ulid-DRH25k3y.d.ts +66 -0
  332. package/dist/ulid-PTAIMDG4.js +10 -0
  333. package/dist/ulid-PTAIMDG4.js.map +1 -0
  334. package/dist/util/index.d.ts +2 -0
  335. package/dist/util/index.js +7 -2
  336. package/dist/util/index.js.map +1 -1
  337. package/dist/vault-diff-B5fYNBL7.d.ts +147 -0
  338. package/dist/with/index.d.ts +38 -0
  339. package/dist/with/index.js +25 -0
  340. package/dist/with/index.js.map +1 -0
  341. package/dist/{with-materialized-view-BiasFcYx.d.ts → with-materialized-view-6p0Fk8bL.d.ts} +1 -1
  342. package/dist/{with-overlayed-view-CQViuko_.d.ts → with-overlayed-view-BJ6mXGMd.d.ts} +2 -3
  343. package/dist/with-rollup-BvQo3ROo.d.ts +47 -0
  344. package/dist/withdraw-accessible-FFS46EOD.js +22 -0
  345. package/dist/withdraw-accessible-FFS46EOD.js.map +1 -0
  346. package/dist/zod-HAJM7LMS.js +14763 -0
  347. package/dist/zod-HAJM7LMS.js.map +1 -0
  348. package/package.json +121 -201
  349. package/dist/aggregate/index.cjs.map +0 -1
  350. package/dist/aggregate/index.d.cts +0 -38
  351. package/dist/attestation/index.cjs +0 -305
  352. package/dist/attestation/index.cjs.map +0 -1
  353. package/dist/attestation/index.d.cts +0 -52
  354. package/dist/blobs/index.cjs +0 -1480
  355. package/dist/blobs/index.cjs.map +0 -1
  356. package/dist/blobs/index.d.cts +0 -46
  357. package/dist/bundle/index.cjs +0 -19104
  358. package/dist/bundle/index.cjs.map +0 -1
  359. package/dist/bundle/index.d.cts +0 -176
  360. package/dist/chunk-22DWZL57.js.map +0 -1
  361. package/dist/chunk-2GLDA55J.js.map +0 -1
  362. package/dist/chunk-2QR2PQTT.js.map +0 -1
  363. package/dist/chunk-2WUSG3IT.js.map +0 -1
  364. package/dist/chunk-3BFJOWSU.js.map +0 -1
  365. package/dist/chunk-3YPCK6JX.js.map +0 -1
  366. package/dist/chunk-53XBRIRT.js.map +0 -1
  367. package/dist/chunk-5T22KDPN.js.map +0 -1
  368. package/dist/chunk-5XHKQ56N.js +0 -340
  369. package/dist/chunk-5XHKQ56N.js.map +0 -1
  370. package/dist/chunk-6774ZOQ7.js.map +0 -1
  371. package/dist/chunk-6STK5TQP.js +0 -139
  372. package/dist/chunk-6STK5TQP.js.map +0 -1
  373. package/dist/chunk-A3JMGXPG.js.map +0 -1
  374. package/dist/chunk-B6PB7JLN.js.map +0 -1
  375. package/dist/chunk-BVRYKATC.js.map +0 -1
  376. package/dist/chunk-DE6GKS6G.js.map +0 -1
  377. package/dist/chunk-DFMLEQZB.js.map +0 -1
  378. package/dist/chunk-DJHHA6XH.js.map +0 -1
  379. package/dist/chunk-DL3HWOQ5.js.map +0 -1
  380. package/dist/chunk-DONMZAD2.js.map +0 -1
  381. package/dist/chunk-EMIGCR7X.js.map +0 -1
  382. package/dist/chunk-F3GDRNUT.js.map +0 -1
  383. package/dist/chunk-FZU343FL.js.map +0 -1
  384. package/dist/chunk-H2X3ISXG.js.map +0 -1
  385. package/dist/chunk-HNRHLRDC.js.map +0 -1
  386. package/dist/chunk-I5FOWO4J.js.map +0 -1
  387. package/dist/chunk-J66GRPNH.js.map +0 -1
  388. package/dist/chunk-JWRVQKRZ.js.map +0 -1
  389. package/dist/chunk-K3DK3NU5.js.map +0 -1
  390. package/dist/chunk-ML236QKC.js.map +0 -1
  391. package/dist/chunk-NONAAENK.js.map +0 -1
  392. package/dist/chunk-O3VZPBZG.js.map +0 -1
  393. package/dist/chunk-OIF6LZUR.js.map +0 -1
  394. package/dist/chunk-OQ6PIGHA.js +0 -19
  395. package/dist/chunk-OQ6PIGHA.js.map +0 -1
  396. package/dist/chunk-PE2FR4J3.js.map +0 -1
  397. package/dist/chunk-PP6W64Y3.js +0 -275
  398. package/dist/chunk-PP6W64Y3.js.map +0 -1
  399. package/dist/chunk-PX35GA7L.js.map +0 -1
  400. package/dist/chunk-QEILDE6R.js +0 -793
  401. package/dist/chunk-QEILDE6R.js.map +0 -1
  402. package/dist/chunk-QODLLGQ7.js.map +0 -1
  403. package/dist/chunk-RAZ4OVLL.js +0 -51
  404. package/dist/chunk-RAZ4OVLL.js.map +0 -1
  405. package/dist/chunk-SYMWGEET.js.map +0 -1
  406. package/dist/chunk-T7JEBOGN.js.map +0 -1
  407. package/dist/chunk-TFBP23BX.js.map +0 -1
  408. package/dist/chunk-TV3YZ35S.js +0 -90
  409. package/dist/chunk-TV3YZ35S.js.map +0 -1
  410. package/dist/chunk-U26HQ6KJ.js.map +0 -1
  411. package/dist/chunk-UF3BUNQZ.js +0 -1
  412. package/dist/chunk-UMLVJTYV.js +0 -20
  413. package/dist/chunk-UMLVJTYV.js.map +0 -1
  414. package/dist/chunk-VTKGMEPP.js.map +0 -1
  415. package/dist/chunk-W6EQLGMB.js +0 -100
  416. package/dist/chunk-W6EQLGMB.js.map +0 -1
  417. package/dist/chunk-WIRRPTFH.js +0 -17
  418. package/dist/chunk-WIRRPTFH.js.map +0 -1
  419. package/dist/chunk-WPLVTJ5D.js.map +0 -1
  420. package/dist/chunk-XJFLDA7A.js.map +0 -1
  421. package/dist/chunk-Z6FNBOTC.js.map +0 -1
  422. package/dist/chunk-ZYWZWG6G.js.map +0 -1
  423. package/dist/consent/index.cjs +0 -204
  424. package/dist/consent/index.cjs.map +0 -1
  425. package/dist/consent/index.d.cts +0 -25
  426. package/dist/crdt/index.cjs +0 -152
  427. package/dist/crdt/index.cjs.map +0 -1
  428. package/dist/crdt/index.d.cts +0 -30
  429. package/dist/crypto-HTZ4FJOP.js +0 -44
  430. package/dist/delegation-RI54P6I5.js +0 -17
  431. package/dist/derivations/index.cjs +0 -351
  432. package/dist/derivations/index.cjs.map +0 -1
  433. package/dist/derivations/index.d.cts +0 -72
  434. package/dist/dev-unlock-M4VAWNq_.d.cts +0 -263
  435. package/dist/executor-5PNY7LGW.js +0 -8
  436. package/dist/executor-B4QIYGZX.js +0 -8
  437. package/dist/executor-BWXXDQ7K.js +0 -11
  438. package/dist/fanout-sidecar-OKPMMPLG.js.map +0 -1
  439. package/dist/guards/index.cjs +0 -322
  440. package/dist/guards/index.cjs.map +0 -1
  441. package/dist/guards/index.d.cts +0 -31
  442. package/dist/hash-C1GtiOhR.d.ts +0 -63
  443. package/dist/history/index.cjs +0 -1222
  444. package/dist/history/index.cjs.map +0 -1
  445. package/dist/history/index.d.cts +0 -63
  446. package/dist/i18n/index.cjs +0 -1100
  447. package/dist/i18n/index.cjs.map +0 -1
  448. package/dist/i18n/index.d.cts +0 -39
  449. package/dist/index-4fBVt8j9.d.cts +0 -2387
  450. package/dist/index-D8I_pyJD.d.ts +0 -2387
  451. package/dist/index.cjs +0 -24334
  452. package/dist/index.cjs.map +0 -1
  453. package/dist/index.d.cts +0 -776
  454. package/dist/indexing/index.cjs +0 -742
  455. package/dist/indexing/index.cjs.map +0 -1
  456. package/dist/indexing/index.d.cts +0 -36
  457. package/dist/issue-VGDPP4B5.js +0 -12
  458. package/dist/lazy-builder-7tIpFyWN.d.ts +0 -304
  459. package/dist/lazy-builder-wY4pMCEe.d.cts +0 -304
  460. package/dist/materialized-views/index.cjs +0 -854
  461. package/dist/materialized-views/index.cjs.map +0 -1
  462. package/dist/materialized-views/index.d.cts +0 -186
  463. package/dist/mime-magic-CBBSOkjm.d.cts +0 -50
  464. package/dist/mime-magic-CBBSOkjm.d.ts +0 -50
  465. package/dist/noydb-LZBH3XDK.js +0 -34
  466. package/dist/overlay-views/index.cjs +0 -359
  467. package/dist/overlay-views/index.cjs.map +0 -1
  468. package/dist/overlay-views/index.d.cts +0 -82
  469. package/dist/periods/index.cjs +0 -1041
  470. package/dist/periods/index.cjs.map +0 -1
  471. package/dist/periods/index.d.cts +0 -22
  472. package/dist/predicate-BSAGEyu5.d.cts +0 -209
  473. package/dist/predicate-BSAGEyu5.d.ts +0 -209
  474. package/dist/query/index.cjs +0 -2375
  475. package/dist/query/index.cjs.map +0 -1
  476. package/dist/query/index.d.cts +0 -3
  477. package/dist/read-only-facade-ITU6L7BL.js +0 -7
  478. package/dist/registry-3QP3YKQS.js +0 -8
  479. package/dist/registry-DKEXOJVO.js +0 -7
  480. package/dist/registry-OJIOSBV6.js +0 -10
  481. package/dist/registry-USRVT6YF.js +0 -8
  482. package/dist/revoke-JCC7N56X.js +0 -17
  483. package/dist/session/index.cjs +0 -495
  484. package/dist/session/index.cjs.map +0 -1
  485. package/dist/session/index.d.cts +0 -46
  486. package/dist/shadow/index.cjs +0 -133
  487. package/dist/shadow/index.cjs.map +0 -1
  488. package/dist/shadow/index.d.cts +0 -17
  489. package/dist/snapshots/index.cjs +0 -903
  490. package/dist/snapshots/index.cjs.map +0 -1
  491. package/dist/snapshots/index.d.cts +0 -21
  492. package/dist/store/index.cjs +0 -1083
  493. package/dist/store/index.cjs.map +0 -1
  494. package/dist/store/index.d.cts +0 -492
  495. package/dist/store/index.d.ts +0 -492
  496. package/dist/store/index.js +0 -37
  497. package/dist/strategy-BSxFXGzb.d.cts +0 -110
  498. package/dist/strategy-BSxFXGzb.d.ts +0 -110
  499. package/dist/strategy-DSTrsZ8t.d.cts +0 -601
  500. package/dist/strategy-DSTrsZ8t.d.ts +0 -601
  501. package/dist/sync/index.cjs +0 -1062
  502. package/dist/sync/index.cjs.map +0 -1
  503. package/dist/sync/index.d.cts +0 -43
  504. package/dist/team/index.cjs +0 -2798
  505. package/dist/team/index.cjs.map +0 -1
  506. package/dist/team/index.d.cts +0 -118
  507. package/dist/tx/index.cjs +0 -544
  508. package/dist/tx/index.cjs.map +0 -1
  509. package/dist/tx/index.d.cts +0 -21
  510. package/dist/types-DjunxzJa.d.cts +0 -12776
  511. package/dist/ulid-COREQ2RQ.js +0 -9
  512. package/dist/ulid-DPeuPgi3.d.cts +0 -603
  513. package/dist/util/index.cjs +0 -230
  514. package/dist/util/index.cjs.map +0 -1
  515. package/dist/util/index.d.cts +0 -77
  516. package/dist/with-derivation-Df0kMlED.d.cts +0 -13
  517. package/dist/with-derivation-DfOpKjFw.d.ts +0 -13
  518. package/dist/with-guard-0KksDtSR.d.ts +0 -18
  519. package/dist/with-guard-C6W5RVrH.d.cts +0 -18
  520. package/dist/with-materialized-view-BmDKyHrm.d.cts +0 -27
  521. package/dist/with-overlayed-view-CA66vhHz.d.cts +0 -13
  522. /package/dist/{store → adapter}/index.js.map +0 -0
  523. /package/dist/{chunk-UF3BUNQZ.js.map → api-RW3KP7WU.js.map} +0 -0
  524. /package/dist/{crypto-HTZ4FJOP.js.map → as/index.js.map} +0 -0
  525. /package/dist/{delegation-RI54P6I5.js.map → at/index.js.map} +0 -0
  526. /package/dist/{executor-5PNY7LGW.js.map → by/index.js.map} +0 -0
  527. /package/dist/{executor-B4QIYGZX.js.map → cargo/index.js.map} +0 -0
  528. /package/dist/{executor-BWXXDQ7K.js.map → chunk-BGIZAFY7.js.map} +0 -0
  529. /package/dist/{issue-VGDPP4B5.js.map → chunk-CHFZDSE4.js.map} +0 -0
  530. /package/dist/{ledger-TMRZYNVJ.js.map → chunk-GHVIKOHT.js.map} +0 -0
  531. /package/dist/{noydb-LZBH3XDK.js.map → chunk-K2WCO3NX.js.map} +0 -0
  532. /package/dist/{public-envelope-BW6OXORV.js.map → chunk-PZ5AY32C.js.map} +0 -0
  533. /package/dist/{read-only-facade-ITU6L7BL.js.map → collection-facade-GQAOGJP2.js.map} +0 -0
  534. /package/dist/{registry-3QP3YKQS.js.map → delegation-UL5HKLER.js.map} +0 -0
  535. /package/dist/{registry-DKEXOJVO.js.map → describe/index.js.map} +0 -0
  536. /package/dist/{registry-OJIOSBV6.js.map → enclave-UL5LW66V.js.map} +0 -0
  537. /package/dist/{registry-USRVT6YF.js.map → executor-2FWQRLMG.js.map} +0 -0
  538. /package/dist/{revoke-JCC7N56X.js.map → executor-QZ7BXICW.js.map} +0 -0
  539. /package/dist/{signer-72QAUSVW.js.map → executor-Z5ZLJVTV.js.map} +0 -0
  540. /package/dist/{stale-6ZDBTQT7.js.map → export-accessible-KRV5W4GH.js.map} +0 -0
  541. /package/dist/{ulid-COREQ2RQ.js.map → extract-partition-GLKBOXFQ.js.map} +0 -0
package/dist/index.d.ts CHANGED
@@ -1,77 +1,27 @@
1
- import { b1 as NoydbStore, bD as UserEnvelope, bp as PublicEnvelope, bE as GateName, bF as GatePolicy, bG as VaultPolicy, bH as ActiveTier, bI as FactorProof, bJ as SchemaUpdateStrategy, bK as TransformFn, bL as PersistedSchemaEnvelope, bM as UpdateDecision, bN as DirectoryConfig, bO as UserVisibility, a$ as UnlockedKeyring, bu as Vault, b8 as DiffEntry } from './types-DGU60JDt.js';
2
- export { bP as AccessibleVault, bQ as AffectedDocument, b5 as AppendInput, aN as ArrayOutputSpec, z as BLOB_CHUNKS_COLLECTION, A as BLOB_COLLECTION, E as BLOB_INDEX_COLLECTION, F as BLOB_SLOTS_PREFIX, G as BLOB_VERSIONS_PREFIX, bR as BUNDLE_STORE_POLICY, M as BlobObject, N as BlobPutOptions, Q as BlobResponseOptions, T as BlobSet, bS as BuiltInGateName, br as BundleRecipient, a9 as CONSENT_AUDIT_COLLECTION, bT as CacheOptions, bU as CacheStats, bV as ChangeEvent, b6 as ChangeType, ai as ClosePeriodOptions, aW as Collection, bW as CollectionChangeEvent, bX as CollectionConflictResolver, bY as CollectionDescriptor, az as CollectionFrame, b7 as CollectionInstant, bZ as CollectionStats, b_ as Conflict, b$ as ConflictPolicy, c0 as ConflictStrategy, aa as ConsentAuditEntry, ab as ConsentAuditFilter, ac as ConsentContext, ad as ConsentOp, c1 as CrossTierAccessEvent, Y as DEFAULT_CHUNK_SIZE, c2 as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, c3 as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, c4 as DeepPartial, c5 as DeepPartialOrNull, c6 as DelegationToken, c7 as DeleteManyResult, c8 as DerivationDescriptor, aL as DerivationStrategy, aP as DerivationStrategyHandle, aQ as DerivedFromMeta, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, c9 as DirtyEntry, ca as DryRunResult, cb as DumpSchemaOptions, cc as ELEVATION_AUDIT_COLLECTION, cd as ElevatedHandle, b3 as EncryptedEnvelope, ce as EnrollAuthenticatorOptions, cf as EnrollAuthenticatorWrappingDEKsOptions, cg as EnrollAuthenticatorWrappingKEKOptions, ch as EnrollRecoveryResult, ci as ExportCapability, cj as ExportChunk, ck as ExportFormat, cl as ExportStreamOptions, cm as FactorKind, cn as FactorProofBundle, co as FactorRequirement, cp as FenceDoc, cq as FenceState, cr as FieldChange, cs as FieldDescriptor, ct as FieldSource, cu as GhostRecord, cv as GrantOptions, at as GuardChange, au as GuardContext, as as GuardStrategy, aw as GuardStrategyHandle, cw as GuardViolation, cx as HistoryConfig, cy as HistoryEntry, b2 as HistoryOptions, e as I18nMap, f as I18nTextDescriptor, g as I18nTextOptions, cz as INDEXED_STORE_POLICY, cA as ImportCapability, cB as InferOutput, cC as InternalCollectionStats, cD as IssueDelegationOptions, cE as IssueMagicLinkGrantOptions, b9 as JsonPatch, ba as JsonPatchOp, cF as KeyringAuthenticator, cG as KeyringAuthenticatorWrappingDEKs, cH as KeyringAuthenticatorWrappingKEK, cI as KeyringFile, L as Layer, bb as LedgerEntry, bc as LedgerStore, cJ as ListAccessibleVaultsOptions, cK as ListPageResult, cL as ListUsersOptions, cM as LiveUserEnvelope, cN as LocaleReadOptions, cO as Lru, cP as LruOptions, cQ as LruStats, cR as MAGIC_LINK_CONTENT_INFO_PREFIX, cS as MAGIC_LINK_GRANTS_COLLECTION, cT as MAGIC_LINK_KEK_INFO_PREFIX, cU as MagicLinkGrantPayload, cV as MagicLinkGrantRecord, bA as MaterializedFromMeta, cW as MaterializedViewDescriptor, bB as MaterializedViewOutput, aT as MaterializedViewStrategy, aU as MaterializedViewStrategyHandle, cX as MemoryRecipientSealer, cY as MemorySealingKeyProvider, cZ as NOYDB_BACKUP_VERSION, c_ as NOYDB_FORMAT_VERSION, c$ as NOYDB_KEYRING_VERSION, d0 as NOYDB_SYNC_VERSION, d1 as Noydb, aB as NoydbBundleStore, d2 as NoydbEventMap, d3 as NoydbOptions, O as OnMissing, h as OnMissingPolicy, aj as OpenPeriodOptions, aR as OutputSpec, d4 as OverlayViewDescriptor, aV as OverlayedViewStrategy, aY as OverlayedViewStrategyHandle, ak as PERIODS_COLLECTION, d5 as PUBLIC_ENVELOPE_FIELDS, d6 as PaperRecoveryDoc, d7 as PaperRecoveryEntry, d8 as PassphrasePolicy, d9 as PassphraseValidationResult, al as PeriodRecord, da as Permission, db as Permissions, dc as PersistedSchemaKind, dd as PlaintextTranslatorContext, de as PlaintextTranslatorFn, P as PolicyEnforcer, df as PresenceHandle, dg as PresencePeer, b4 as PruneOptions, dh as PublicEnvelopeField, di as PublicEnvelopeSchema, dj as PublicEnvelopeText, dk as PullMode, dl as PullOptions, dm as PullPolicy, dn as PullResult, dp as PushMode, dq as PushOptions, dr as PushPolicy, ds as PushResult, dt as PutManyItemOptions, du as PutManyOptions, dv as PutManyResult, dw as QueryAcrossOptions, dx as QueryAcrossResult, dy as QuickUnlockState, dz as QuickUnlockStore, dA as ReAuthOperation, bt as RecipientHint, bs as RecipientSealer, aS as RecordOutputSpec, dB as RecoverPassphraseInput, dC as RecoverPassphraseResult, dD as RecoverUserOptions, dE as RecoveryProof, R as ResolveI18nOptions, dF as ResolvedPublicEnvelopeSchema, aC as RetentionPolicy, dG as RevokeOptions, a_ as Role, dH as RotatePassphraseInput, dI as RotateRecoveryOptions, dJ as RotateRecoveryResult, dK as SEALED_PASSPHRASE_RECORD_ID, dL as SchemaDelta, dM as SchemaIntrospection, S as ScriptWarning, dN as SealedEnvelope, dO as SealedPassphrase, bq as SealingKeyProvider, dP as SessionPolicy, dQ as SetPublicEnvelopeInput, dR as ShamirRecoveryDoc, dS as ShamirRecoveryEntry, bw as ShamirRecoveryProvider, a3 as SlotInfo, a4 as SlotRecord, dT as SlotRewrapCeremony, dU as SlotRewrapContext, aE as SnapshotMeta, dV as StandardSchemaV1, dW as StandardSchemaV1Issue, dX as StandardSchemaV1SyncResult, dY as StoreAuth, dZ as StoreAuthKind, d_ as StoreCapabilities, d$ as SyncEngine, e0 as SyncMetadata, e1 as SyncPolicy, e2 as SyncScheduler, e3 as SyncSchedulerStatus, e4 as SyncStatus, e5 as SyncTarget, e6 as SyncTargetRole, e7 as SyncTransaction, e8 as SyncTransactionResult, e9 as TabChannel, ea as TabCoordinationOptions, eb as TabLockManager, ec as TabPresence, ed as TabRole, ee as TierMode, ef as TranslatorAuditEntry, aH as TxCollection, aI as TxContext, eg as TxOp, aJ as TxVault, eh as USER_ENVELOPE_COLLECTION, ei as USER_ENVELOPE_MAX_BYTES, bC as UnionSource, ej as Unsubscribe, ek as UpdateAuthenticatorOptions, el as UpdateContext, em as UpdateUserOptions, en as UserApi, eo as UserEnvelopeCheckGate, ep as UserEnvelopeOversizedError, eq as UserEnvelopePresented, er as UserInfo, es as VaultBackup, bd as VaultEngine, aA as VaultFrame, be as VaultInstant, et as VaultPolicyOnDisk, eu as VaultSchemaSnapshot, ev as VaultSnapshot, bf as VerifyResult, a5 as VersionRecord, ew as WarningRules, ex as WeakPassphraseError, ey as WeakPassphraseReason, ez as WrappedDeksBlob, eA as WriteConflict, eB as WriteEvent, eC as WriteHook, eD as WriteQueue, i as applyI18nLocale, bg as applyPatch, eE as assertStrongPassphrase, eF as buildRecipientKeyringFile, eG as burnPaperRecoveryEntry, bh as canonicalJson, bi as computePatch, x as createEnforcer, eH as createNoydb, eI as createStore, eJ as deriveMagicLinkContentKey, j as dictCollectionName, k as dictKey, bj as diff, l as enforceScript, eK as enrollAuthenticator, eL as estimateEntropy, eM as evaluateExportCapability, eN as evaluateImportCapability, eO as findAuthenticator, bk as formatDiff, eP as hasExportCapability, eQ as hasImportCapability, eR as hasRecoveryEnrolled, bl as hashEntry, n as i18nText, o as inferScripts, p as isDictCollectionName, q as isDictKeyDescriptor, r as isI18nTextDescriptor, eS as isMagicLinkGrantExpired, eT as isPublicEnvelope, eU as issueDelegation, eV as keyringRecoverPassphrase, eW as keyringRotatePassphrase, eX as listMagicLinkGrants, eY as listUsers, eZ as listUsersWithEnvelopes, e_ as loadActiveDelegations, e$ as loadPaperRecoveryEntries, f0 as loadSealedPassphrase, f1 as loadShamirRecoveryEntries, f2 as magicLinkGrantRecordId, f3 as mintPaperRecoveryEntry, f4 as mintShamirRecoveryEntry, f5 as mintWrappedDeksBlob, bm as paddedIndex, bn as parseIndex, f6 as parseSealedEnvelope, f7 as readMagicLinkGrantRecord, f8 as recoverUser, f9 as removeAuthenticator, s as resolveI18nText, t as resolvePolicy, fa as resolvePublicEnvelopeSchema, fb as revokeDelegation, fc as revokeMagicLinkGrant, aK as runTransaction, fd as savePaperRecoveryEntries, fe as saveSealedPassphrase, ff as saveShamirRecoveryEntries, bo as sha256Hex, fg as unwrapDeksFromBlob, fh as unwrapDeksFromPaperEntry, fi as unwrapDeksFromShamirEntry, fj as unwrapMagicLinkGrant, v as validateI18nTextValue, fk as validatePassphrase, fl as validatePublicEnvelopeInput, fm as validateSchemaInput, fn as validateSchemaOutput, y as validateSessionPolicy, fo as writeMagicLinkGrant } from './types-DGU60JDt.js';
3
- export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.js';
4
- export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.js';
5
- import { N as NoydbError } from './index-D8I_pyJD.js';
6
- export { z as AlreadyElevatedError, A as AmendmentForbiddenError, o as AttestationError, B as BackupCorruptedError, q as BackupLedgerError, r as BundleIntegrityError, s as BundleSealMismatchError, t as BundleVersionConflictError, C as ConflictError, E as CrossJoinSourceUnknownError, G as CrossJoinTooLargeError, H as DEFAULT_CROSS_JOIN_MAX_ROWS, J as DEFAULT_JOIN_MAX_ROWS, K as DanglingReferenceError, U as DecryptionError, V as DelegationTargetMissingError, g as DerivationCapExceededError, h as DerivationCycleError, i as DerivationDepthError, j as DerivationOutputShapeError, k as DerivationOutputUnknownError, D as DictKeyInUseError, a as DictKeyMissingError, W as DirectoryDisabledError, X as ElevationExpiredError, Y as ExportCapabilityError, F as FieldFrozenError, Z as FilenameSanitizationError, _ as GroupCardinalityError, $ as ImportCapabilityError, a0 as IndexRequiredError, a1 as IndexWriteFailureError, a2 as InvalidKeyError, I as InvariantError, a3 as JoinContext, a4 as JoinLeg, a5 as JoinStrategy, a6 as JoinTooLargeError, a7 as JoinableSource, a8 as KeyringCorruptError, a9 as KeyringExpiredError, aa as LedgerContentionError, ab as LiveQuery, ac as LiveUpstream, L as LocaleNotSpecifiedError, v as MaterializedViewConfigError, w as MaterializedViewCycleError, x as MaterializedViewSourceUnknownError, y as MaterializedViewTooLargeError, ad as MigrationRequiredError, M as MissingTranslationError, ae as NetworkError, af as NoAccessError, ag as NonAdditiveSchemaChangeError, ah as NotFoundError, ai as OrderBy, O as OverlayBaseIsVirtualError, l as OverlayCollectionUnavailableError, m as OverlayIdMismatchError, n as OverlayNameCollisionError, aj as PathEscapeError, ak as PeriodClosedError, al as PermissionDeniedError, am as PrivilegeEscalationError, Q as Query, an as QueryPlan, ao as QuerySource, ap as QuiesceTimeoutError, aq as ReadOnlyAtInstantError, ar as ReadOnlyError, as as ReadOnlyFrameError, e as RecordLockedError, at as RefDescriptor, au as RefIntegrityError, av as RefMode, aw as RefRegistry, ax as RefScopeError, ay as RefViolation, R as ReservedCollectionNameError, az as ScanBuilder, aA as ScanPageProvider, aB as SchemaFenceError, aC as SchemaLockedError, aD as SchemaUpdateError, aE as SchemaValidationError, S as ScriptViolationError, b as SessionExpiredError, c as SessionNotFoundError, d as SessionPolicyError, f as SnapshotNotFoundError, aF as StoreCapabilityError, aG as TamperedError, aH as TierDemoteDeniedError, aI as TierNotGrantedError, T as TranslatorNotConfiguredError, aJ as ValidationError, aK as applyJoins, aL as buildLiveQuery, aM as executePlan, aN as ref, aO as resetJoinWarnings } from './index-D8I_pyJD.js';
7
- export { A as AutoCredential, n as AutoCredentialKind, c as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, j as generateULID, o as hasNoydbBundleMagic, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, p as readNoydbBundlePublicEnvelope, m as resetBrotliSupportCache, w as writeNoydbBundle } from './ulid-BFJkYRRW.js';
8
- export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.js';
9
- export { w as withGuard } from './with-guard-0KksDtSR.js';
10
- export { w as withDerivation } from './with-derivation-DfOpKjFw.js';
11
- export { w as withMaterializedView } from './with-materialized-view-BiasFcYx.js';
12
- export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-BSAGEyu5.js';
13
- export { w as withOverlayedView } from './with-overlayed-view-CQViuko_.js';
1
+ import { e0 as SearchStrategy, e1 as SequenceStrategy, e2 as CustodyStrategy, cV as EncryptedEnvelope, e3 as SchemaUpdateStrategy, e4 as TransformFn, cT as NoydbStore, e5 as PersistedSchemaEnvelope, dj as EnclaveKey, e6 as UpdateDecision, dL as PublicEnvelope, e7 as UserEnvelope, e8 as VaultUserApi, e9 as UserApiDeps, cy as RequestWithdrawalOptions, cz as RequestWithdrawalResult, cD as WithdrawalRequestStatus, cC as WithdrawalRequest, ct as ApproveWithdrawalOptions, cB as WithdrawResult, cx as RejectWithdrawalOptions, cA as WithdrawAccessibleOptions, cu as ExportAccessibleOptions, ea as DeepPartialOrNull, eb as UserEnvelopePresented, ec as Unsubscribe, ed as LiveUserEnvelope, ee as RoundingMode, cF as UnlockedKeyring, ef as VaultPolicy, eg as ActiveTier, eh as FactorProof, ei as GateName, ej as PolicyDenyReason, ek as GatePolicy } from './index-BzUo1B6n.js';
2
+ export { el as AccessibleVault, em as AffectedDocument, aP as AggregateResult, aQ as AggregateSpec, aR as Aggregation, aS as AggregationUpstream, en as AlreadyElevatedError, bM as AmendmentForbiddenError, cX as AppendInput, eo as ArchivePolicy, ep as ArchiveResult, eq as ArchiveRunOptions, er as ArchiveStrategy, c4 as ArrayOutputSpec, dz as AttestationError, dA as AttestationNotEnabledError, Y as BLOB_CHUNKS_COLLECTION, Z as BLOB_COLLECTION, $ as BLOB_INDEX_COLLECTION, a0 as BLOB_SLOTS_PREFIX, a1 as BLOB_VERSIONS_PREFIX, es as BUNDLE_STORE_POLICY, dl as BackupCorruptedError, dm as BackupLedgerError, a5 as BlobObject, a6 as BlobPutOptions, a7 as BlobResponseOptions, a8 as BlobSet, et as BuiltInGateName, dn as BundleIntegrityError, dM as BundleRecipient, dp as BundleSealMismatchError, dq as BundleVersionConflictError, bq as CONSENT_AUDIT_COLLECTION, eu as CacheOptions, ev as CacheStats, ew as CargoNotEnabledError, ex as CargoStrategy, ey as ChangeEvent, cY as ChangeType, ez as Clause, bz as ClosePeriodOptions, ci as Collection, eA as CollectionChangeEvent, eB as CollectionConfig, eC as CollectionConflictResolver, eD as CollectionDescriptor, bV as CollectionFrame, ay as CollectionIndexes, cZ as CollectionInstant, eE as CollectionStats, eF as ComputedFieldError, eG as ComputedFields, eH as ComputedFn, eI as Conflict, eJ as ConflictError, eK as ConflictPolicy, eL as ConflictStrategy, br as ConsentAuditEntry, bs as ConsentAuditFilter, bt as ConsentContext, bu as ConsentOp, bg as CrdtMode, bh as CrdtState, eM as CrossJoinSourceUnknownError, eN as CrossJoinTooLargeError, eO as CrossTierAccessEvent, eP as CustodyApi, eQ as CustodyHost, eR as CustodyNotEnabledError, ad as DEFAULT_CHUNK_SIZE, eS as DEFAULT_CROSS_JOIN_MAX_ROWS, eT as DEFAULT_JOIN_MAX_ROWS, eU as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, eV as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, eW as DanglingReferenceError, eX as DataResidencyError, eY as DebugPlaintextError, eZ as DebugReservedFieldError, e_ as DecryptionError, e$ as DeepPartial, f0 as DeferredNumberingConfig, f1 as DelegationTargetMissingError, f2 as DelegationToken, f3 as DeleteManyResult, c5 as DerivationCapExceededError, c6 as DerivationCycleError, c7 as DerivationDepthError, f4 as DerivationDescriptor, c8 as DerivationOutputShapeError, c9 as DerivationOutputUnknownError, c2 as DerivationStrategy, cb as DerivationStrategyHandle, cc as DerivedFromMeta, a as DictEntry, b as DictKeyDescriptor, c as DictKeyInUseError, d as DictKeyMissingError, e as DictionaryHandle, f as DictionaryOptions, cE as DiffEntry, f5 as DirectoryDisabledError, f6 as DirtyEntry, f7 as DryRunResult, f8 as DumpSchemaOptions, f9 as ELEVATION_AUDIT_COLLECTION, fa as ElevatedHandle, fb as ElevationExpiredError, fc as EmbeddingDescriptor, fd as EmbeddingDimMismatchError, fe as EmbeddingModelMismatchError, ff as EnclaveNotSupportedError, fg as EnrollAuthenticatorOptions, fh as EnrollAuthenticatorWrappingDEKsOptions, fi as EnrollAuthenticatorWrappingKEKOptions, fj as EnrollRecoveryResult, fk as ExportCapability, fl as ExportCapabilityError, fm as ExportChunk, cG as ExportFormat, fn as ExportStreamOptions, fo as FactorKind, fp as FactorProofBundle, fq as FactorRequirement, fr as FenceDoc, fs as FenceState, ft as FieldChange, fu as FieldClause, fv as FieldDescriptor, bN as FieldFrozenError, fw as FieldSource, fx as FilenameSanitizationError, fy as FilterClause, fz as ForgetStrategyNotConfiguredError, fA as FormattedSequenceHandle, fB as FrozenSnapshotRef, aT as GROUPBY_MAX_CARDINALITY, aU as GROUPBY_WARN_CARDINALITY, fC as GhostRecord, fD as GrantCustodianOptions, fE as GrantOptions, fF as GroupCardinalityError, fG as GroupClause, aV as GroupedAggregation, aW as GroupedQuery, aX as GroupedQueryN, aY as GroupedRow, aZ as GroupedRowN, bK as GuardChange, bL as GuardContext, bJ as GuardStrategy, bP as GuardStrategyHandle, fH as GuardViolation, az as HashIndex, fI as HistoryConfig, fJ as HistoryEntry, cU as HistoryOptions, g as I18nMap, h as I18nTextDescriptor, i as I18nTextOptions, fK as INDEXED_STORE_POLICY, bQ as IllegalTransitionError, fL as ImportCapability, fM as ImportCapabilityError, aB as IndexDef, fN as IndexFieldName, fO as IndexRequiredError, fP as IndexWriteFailureError, fQ as InferOutput, fR as InternalCollectionStats, fS as InvalidKeyError, bR as InvariantError, fT as IssueDelegationOptions, fU as IssueMagicLinkGrantOptions, fV as JoinContext, fW as JoinLeg, fX as JoinStrategy, fY as JoinTooLargeError, fZ as JoinableSource, c_ as JsonPatch, c$ as JsonPatchOp, f_ as KeyringAuthenticator, f$ as KeyringAuthenticatorWrappingDEKs, g0 as KeyringAuthenticatorWrappingKEK, g1 as KeyringCorruptError, g2 as KeyringExpiredError, g3 as KeyringFile, L as Layer, g4 as LedgerContentionError, d0 as LedgerStore, g5 as LiberateOptions, g6 as LiberateResult, g7 as LinkEndpointError, g8 as LinkIntegrityError, g9 as LinkOnDelete, ga as LinkRow, gb as LinkSetHandle, gc as LinkSpec, gd as ListAccessibleVaultsOptions, ge as ListPageResult, gf as ListUsersOptions, a_ as LiveAggregation, gg as LiveQuery, gh as LiveUpstream, j as LocaleNotSpecifiedError, gi as LocaleReadOptions, gj as Lru, gk as LruOptions, gl as LruStats, bi as LwwMapState, gm as MAGIC_LINK_CONTENT_INFO_PREFIX, gn as MAGIC_LINK_GRANTS_COLLECTION, go as MAGIC_LINK_KEK_INFO_PREFIX, gp as MagicLinkGrantPayload, gq as MagicLinkGrantRecord, gr as ManagedRecoveryNotEnrolledError, dU as MaterializedFromMeta, dV as MaterializedViewConfigError, dW as MaterializedViewCycleError, gs as MaterializedViewDescriptor, dX as MaterializedViewOutput, dY as MaterializedViewSourceUnknownError, cf as MaterializedViewStrategy, cg as MaterializedViewStrategyHandle, dZ as MaterializedViewTooLargeError, gt as MemoryRecipientSealer, gu as MemorySealingKeyProvider, gv as MigrationRequiredError, M as MissingTranslationError, gw as MoneyCurrencyError, gx as MoneyDescriptor, gy as MoneyOptions, gz as MoneyOptionsFixed, gA as MoneyOptionsMulti, gB as MoneyPrecisionError, gC as MoneyString, gD as MoneyUnsupportedError, gE as NOYDB_BACKUP_VERSION, gF as NOYDB_FORMAT_VERSION, gG as NOYDB_KEYRING_VERSION, gH as NOYDB_SYNC_VERSION, gI as NO_CARGO, gJ as NO_CUSTODY, gK as NO_SEARCH, gL as NO_SEQUENCE, gM as NetworkError, gN as NextOptions, gO as NoAccessError, gP as NonAdditiveSchemaChangeError, gQ as NotFoundError, gR as Noydb, gS as NoydbBundleStore, gT as NoydbError, gU as NoydbEventMap, gV as NoydbOptions, bX as NoydbPodStore, gW as NumberingAssignment, gX as NumberingUncertaintyError, ak as ObjectListEntry, al as ObjectMeta, am as ObjectProjection, an as ObjectUrlOptions, O as OnMissing, k as OnMissingPolicy, bA as OpenPeriodOptions, gY as Operator, gZ as OrderBy, cd as OutputSpec, cj as OverlayBaseIsVirtualError, ck as OverlayCollectionUnavailableError, cl as OverlayFieldMergeMode, cm as OverlayFieldMergeRule, cn as OverlayIdMismatchError, co as OverlayNameCollisionError, g_ as OverlayViewDescriptor, ch as OverlayedViewStrategy, cq as OverlayedViewStrategyHandle, bB as PERIODS_COLLECTION, g$ as POD_STORE_POLICY, h0 as PUBLIC_ENVELOPE_FIELDS, h1 as PaperRecoveryDoc, h2 as PaperRecoveryEntry, h3 as PassphrasePolicy, h4 as PassphraseValidationResult, h5 as PathEscapeError, h6 as PeriodClosedError, bC as PeriodRecord, h7 as Permission, h8 as PermissionDeniedError, h9 as Permissions, ha as PersistedSchemaKind, hb as PlaintextTranslatorContext, hc as PlaintextTranslatorFn, du as PodVersionConflictError, hd as PolicyDeniedError, P as PolicyEnforcer, cw as PortabilityNotEnabledError, he as PresenceHandle, hf as PresencePeer, hg as PrivilegeEscalationError, cW as PruneOptions, hh as PublicEnvelopeField, hi as PublicEnvelopeSchema, hj as PublicEnvelopeText, hk as PullMode, hl as PullOptions, hm as PullPolicy, hn as PullResult, ho as PushMode, hp as PushOptions, hq as PushPolicy, hr as PushResult, hs as PutManyItemOptions, ht as PutManyOptions, hu as PutManyResult, ao as PutObjectOptions, ap as PutUrlOptions, dS as Query, hv as QueryAcrossOptions, hw as QueryAcrossResult, hx as QueryField, hy as QueryPlan, hz as QuerySource, hA as QuickUnlockState, hB as QuickUnlockStore, hC as QuiesceTimeoutError, hD as ReAuthOperation, hE as ReadOnlyAtInstantError, hF as ReadOnlyError, hG as ReadOnlyFrameError, dO as RecipientHint, dN as RecipientSealer, hH as RecordCekNotFoundError, bT as RecordLockedError, ce as RecordOutputSpec, hI as RecoverPassphraseInput, hJ as RecoverPassphraseResult, hK as RecoverUserOptions, hL as RecoveryNotEnrolledError, hM as RecoveryProfileNotImplementedError, hN as RecoveryProof, a$ as Reducer, b0 as ReducerBuilder, b1 as ReducerOptions, hO as RefDescriptor, hP as RefIntegrityError, hQ as RefMode, hR as RefRegistry, hS as RefScopeError, hT as RefViolation, R as ReservedCollectionNameError, hU as ReservedVaultNameError, l as ResolveI18nOptions, hV as ResolvedPublicEnvelopeSchema, bY as RetentionPolicy, hW as RetrieveHit, hX as RetrieveOptions, hY as RevokeOptions, bj as RgaState, cR as Role, hZ as RotatePassphraseInput, h_ as RotateRecoveryOptions, h$ as RotateRecoveryResult, i0 as SEALED_PASSPHRASE_RECORD_ID, i1 as ScanBuilder, i2 as ScanPageProvider, i3 as SchemaDelta, i4 as SchemaFenceError, i5 as SchemaIntrospection, i6 as SchemaLockedError, i7 as SchemaUpdateError, i8 as SchemaValidationError, S as ScriptViolationError, m as ScriptWarning, i9 as Sealed, ia as SealedEnvelope, ib as SealedHandle, ic as SealedPassphrase, dc as SealedRecordExpiredError, dd as SealedRecordMismatchError, de as SealedRecordNotEnabledError, id as SealedView, dg as SealingKeyProvider, ie as SearchEntry, ig as SearchNotEnabledError, ih as SearchOptions, ii as SearchResult, ij as SequenceContentionError, ik as SequenceHandle, il as SequenceNotEnabledError, im as SequenceOfflineError, io as SequenceOptions, ip as SequenceStore, iq as SequenceStoreOptions, J as SessionExpiredError, K as SessionNotFoundError, ir as SessionPolicy, N as SessionPolicyError, is as SetPublicEnvelopeInput, it as ShamirRecoveryDoc, iu as ShamirRecoveryEntry, di as ShamirRecoveryProvider, iv as ShardProvisioningError, aq as SlotInfo, ar as SlotRecord, iw as SlotRewrapCeremony, ix as SlotRewrapContext, b$ as SnapshotMeta, c1 as SnapshotNotFoundError, iy as StandardSchemaV1, iz as StandardSchemaV1Issue, iA as StandardSchemaV1SyncResult, n as StaticDictDescriptor, o as StaticDictReadonlyError, iB as StoreAuth, iC as StoreAuthKind, iD as StoreCapabilities, iE as StoreCapabilityError, iF as StoreTime, iG as SyncEngine, iH as SyncMetadata, iI as SyncPolicy, iJ as SyncScheduler, iK as SyncSchedulerStatus, iL as SyncStatus, iM as SyncTarget, iN as SyncTargetRole, iO as SyncTransaction, iP as SyncTransactionResult, iQ as TabChannel, iR as TabCoordinationOptions, iS as TabLockManager, iT as TabPresence, iU as TabRole, iV as TamperedError, iW as TierDemoteDeniedError, iX as TierMode, iY as TierNotGrantedError, iZ as TiersNotEnabledError, i_ as TransactionInvariant, i$ as TranslatorAuditEntry, T as TranslatorNotConfiguredError, j0 as TxCollection, dP as TxContext, j1 as TxOp, j2 as TxVault, d_ as UnionArmJoin, d$ as UnionSource, j3 as UniqueConstraintError, U as UnknownDictCodeError, j4 as UnknownShardError, j5 as UnsupportedIndexOptionError, j6 as UpdateAuthenticatorOptions, j7 as UpdateContext, j8 as UpdateUserOptions, j9 as UserEnvelopeCheckGate, ja as UserEnvelopeOversizedError, jb as UserInfo, jc as ValidationError, V as Vault, jd as VaultBackup, d1 as VaultEngine, bW as VaultFrame, d2 as VaultInstant, je as VaultPolicyOnDisk, jf as VaultSchemaSnapshot, jg as VaultSnapshot, jh as VaultTemplateNotFoundError, d3 as VerifyResult, as as VersionRecord, ji as WarningRules, jj as WeakPassphraseError, jk as WeakPassphraseReason, jl as WithArchiveOptions, jm as WithdrawalRequestError, jn as WrappedDeksBlob, jo as WriteConflict, jp as WriteQueue, bk as YjsState, jq as aesGcmOpen, p as applyI18nLocale, jr as applyJoins, d4 as applyPatch, js as approveWithdrawal, jt as asMoney, ju as assertStrongPassphrase, b2 as avg, jv as base64ToBuffer, jw as bufferToBase64, jx as buildLiveQuery, jy as buildRecipientKeyringFile, jz as burnPaperRecoveryEntry, jA as compileSequenceFormat, d5 as computePatch, b4 as count, Q as createEnforcer, jB as createNoydb, jC as createStore, jD as decryptBytes, jE as decryptDeterministic, jF as deriveMagicLinkContentKey, jG as derivePresenceKey, q as dictCollectionName, r as dictKey, d6 as diff, jH as encryptBytes, jI as encryptDeterministic, s as enforceScript, jJ as enrollAuthenticator, jK as estimateEntropy, jL as evalComputedFields, jM as evaluateClause, jN as evaluateExportCapability, jO as evaluateFieldClause, jP as evaluateImportCapability, jQ as executePlan, jR as exportAccessibleData, jS as findAuthenticator, d7 as formatDiff, b5 as groupAndReduce, jT as hasExportCapability, jU as hasImportCapability, jV as hasRecoveryEnrolled, u as i18nText, v as inferScripts, w as isDictCollectionName, x as isDictKeyDescriptor, y as isI18nTextDescriptor, jW as isLinkCollectionName, jX as isMagicLinkGrantExpired, jY as isMoneyDescriptor, jZ as isMoneyString, j_ as isPublicEnvelope, j$ as isRefArray, z as isStaticDictDescriptor, k0 as issueDelegation, k1 as keyringRecoverPassphrase, k2 as keyringRotatePassphrase, k3 as liberateVault, k4 as listMagicLinkGrants, k5 as listUsers, k6 as listUsersWithEnvelopes, k7 as listWithdrawalRequests, k8 as loadActiveDelegations, k9 as loadPaperRecoveryEntries, ka as loadSealedPassphrase, kb as loadShamirRecoveryEntries, kc as magicLinkGrantRecordId, b6 as max, au as memoryObjectProjection, bn as mergeCrdtStates, b7 as min, kd as mintPaperRecoveryEntry, ke as mintShamirRecoveryEntry, kf as mintWrappedDeksBlob, kg as money, b8 as moneyMax, b9 as moneyMin, kh as moneyNumber, ba as moneySum, ki as parseRsaOaepTlv, kj as parseSealedEnvelope, kk as readMagicLinkGrantRecord, kl as readPath, km as recoverUser, bb as reduceRecords, bc as reducerBuilder, kn as ref, ko as refArray, kp as rejectWithdrawal, kq as removeAuthenticator, kr as requestWithdrawal, ks as resetJoinWarnings, bo as resolveCrdtSnapshot, A as resolveI18nText, B as resolvePolicy, kt as resolvePublicEnvelopeSchema, ku as resolveSequenceKey, kv as revokeDelegation, kw as revokeMagicLinkGrant, kx as runTransaction, ky as savePaperRecoveryEntries, kz as saveSealedPassphrase, kA as saveShamirRecoveryEntries, kB as sealRsaOaepTlv, E as staticDict, be as sum, kC as unwrapDeksFromBlob, kD as unwrapDeksFromPaperEntry, kE as unwrapDeksFromShamirEntry, kF as unwrapMagicLinkGrant, G as validateI18nTextValue, kG as validatePassphrase, kH as validatePublicEnvelopeInput, kI as validateSchemaInput, kJ as validateSchemaOutput, W as validateSessionPolicy, kK as withArchive, kL as withDeferredNumbering, kM as withdrawAccessibleData, kN as writeMagicLinkGrant } from './index-BzUo1B6n.js';
3
+ export { I as ImportExternalOptions, a as ImportExternalResult, b as ImportableCollection, d as detectMagic, c as detectMimeType, i as importExternalObjects, e as isPreCompressed } from './mime-magic-CGhw37_E.js';
4
+ export { WrapBundleStoreOptions, WrapPodStoreOptions, WrappedBundleNoydbStore, WrappedPodNoydbStore, createBundleStore, createPodStore, wrapBundleStore, wrapPodStore } from './pod/index.js';
5
+ export { W as WriteEvent, a as WriteHook } from './index-B9QdHytu.js';
6
+ export { C as CollectionDescription, a as CollectionMeta, D as DescribeOptions, b as DescribedField, F as FieldMeta, S as SemanticType, V as VaultMeta } from './describe-aBkJR2sd.js';
7
+ export { D as DEED_RECORD_ID, a as DeedMarker, S as STATE_VAULT_NAME, U as USER_ENVELOPE_COLLECTION, b as USER_ENVELOPE_MAX_BYTES, c as createDeedOwner, i as isDeedVault, l as loadDeedMarker, w as withCargo } from './index-BF9_96A5.js';
8
+ export { A as AutoCredential, q as AutoCredentialKind, d as CompressionAlgo, f as NOYDB_BUNDLE_FORMAT_VERSION, g as NOYDB_BUNDLE_MAGIC, h as NOYDB_BUNDLE_PREFIX_BYTES, i as NoydbBundleHeader, j as NoydbBundleReadResult, N as NoydbPodHeader, R as ReadNoydbBundleOptions, k as WriteNoydbBundleOptions, W as WritePodOptions, s as hasNoydbBundleMagic, m as readNoydbBundle, n as readNoydbBundleHeader, t as readNoydbBundlePublicEnvelope, r as readPod, a as readPodHeader, o as resetBrotliSupportCache, p as writeNoydbBundle, w as writePod } from './bundle-CH-H06dp.js';
9
+ export { g as generateULID, i as isULID } from './ulid-DRH25k3y.js';
10
+ export { D as DecryptedRecord, d as decryptExtractedPartition } from './decrypt-partition-IHtxEnTi.js';
11
+ export { L as LedgerEntry, d as canonicalJson, h as hashEntry, p as paddedIndex, e as parseIndex, s as sha256Hex } from './subject-index-O75wKshW.js';
12
+ export { TransactionStrategyOptions } from './tx/index.js';
13
+ export { I as ImmutableGuardConfig, T as TransitionGuardConfig, i as immutableGuard, t as transitionGuard, w as withGuard } from './transition-guard-C7ol6oPw.js';
14
+ export { w as withDerivation, a as withRollup } from './with-rollup-BvQo3ROo.js';
15
+ export { w as withMaterializedView } from './with-materialized-view-6p0Fk8bL.js';
16
+ export { w as withOverlayedView } from './with-overlayed-view-BJ6mXGMd.js';
14
17
  export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.js';
15
- export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-p3ysikWP.js';
16
- export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedQueryN, i as GroupedRow, j as GroupedRowN, L as LiveAggregation, R as Reducer, k as ReducerOptions, l as avg, n as count, o as groupAndReduce, p as max, q as min, r as reduceRecords, t as sum } from './strategy-DSTrsZ8t.js';
17
- export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-C1GtiOhR.js';
18
- import './lazy-builder-7tIpFyWN.js';
18
+ export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-C9Ro3v_O.js';
19
+ export { i as isDiscriminant } from './discriminant-BN9REW3o.js';
20
+ export { FuseOptions, fuseRetrieval } from './kernel/index.js';
21
+ export { D as DiffCandidate, a as DiffOptions, V as VaultDiff, b as VaultDiffEntry, c as VaultDiffModifiedEntry, d as diffVault } from './vault-diff-B5fYNBL7.js';
22
+ export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-Cp5uwiox.js';
19
23
  import '@noy-db/attestation';
20
24
 
21
- /**
22
- * Persistence helpers for per-principal user envelopes stored at
23
- * `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).
24
- *
25
- * Unlike `_meta/policy` and `_meta/handle` which are plaintext, user
26
- * envelopes carry user data and are encrypted with a dedicated
27
- * {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and
28
- * propagated to every keyring via the system-collection DEK path in
29
- * `team/keyring.ts`).
30
- *
31
- * This module is the **storage primitive** layer. The public API
32
- * (`vault.user.*`) sits on top of this; permission gates, own-only
33
- * write enforcement, and presence-channel propagation live there.
34
- *
35
- * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
36
- *
37
- * @module
38
- */
39
-
40
- /**
41
- * Read and decrypt the user envelope for `keyringId`. Returns `null`
42
- * when no envelope has been persisted (either the principal has never
43
- * called `updateMe`, or the keyring predates this feature).
44
- *
45
- * Decryption errors propagate — a tampered or wrong-keyed envelope
46
- * surfaces as the underlying crypto error rather than masquerading as
47
- * "not found".
48
- */
49
- declare function loadUserEnvelope<T = unknown>(store: NoydbStore, vault: string, keyringId: string, dek: CryptoKey): Promise<UserEnvelope<T> | null>;
50
- /**
51
- * Encrypt and persist the user envelope for `keyringId`. The new
52
- * version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable
53
- * optimistic-concurrency checks: a mismatch with the stored version
54
- * throws {@link ConflictError} with the actual stored version.
55
- *
56
- * `expectedVersion: 0` means "expect no prior envelope"; the write
57
- * succeeds only if no envelope exists yet.
58
- *
59
- * Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};
60
- * larger payloads throw {@link UserEnvelopeOversizedError}.
61
- */
62
- declare function saveUserEnvelope<T>(store: NoydbStore, vault: string, keyringId: string, payload: T, dek: CryptoKey, expectedVersion?: number): Promise<UserEnvelope<T>>;
63
- /**
64
- * Delete the user envelope for `keyringId`. Idempotent — no error if
65
- * the envelope is already absent. Called from the keyring revoke path
66
- * (cascade-delete) and is a no-op for keyrings that never wrote.
67
- */
68
- declare function deleteUserEnvelope(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
69
- /**
70
- * List the keyring ids that have a user envelope persisted in `vault`.
71
- * Order is store-defined — callers that need a stable order should sort.
72
- */
73
- declare function listUserEnvelopeIds(store: NoydbStore, vault: string): Promise<string[]>;
74
-
75
25
  /**
76
26
  * Cache policy helpers — parse human-friendly byte budgets into raw numbers.
77
27
  *
@@ -106,340 +56,965 @@ declare function parseBytes(input: number | string): number;
106
56
  declare function estimateRecordBytes(record: unknown): number;
107
57
 
108
58
  /**
109
- * Persistence helpers for `_meta/public-envelope`. Mirrors the
110
- * bypass-AES pattern used by `_meta/handle` and `_meta/policy` —
111
- * the document is plaintext JSON, the envelope's `_iv` field is
112
- * left empty.
59
+ * Default text tokenizer for scan-mode search.
60
+ *
61
+ * NFKC-normalize lowercase split on Unicode letter/number runs. This is a
62
+ * word-boundary tokenizer: it does **not** segment scripts written without
63
+ * inter-word spaces (Thai, Lao, Khmer, CJK) — those collapse to one token per
64
+ * run. For such data, a dictionary/ICU segmenter is the right `tokenizer`
65
+ * (the engine takes one as a parameter); substring/`contains` matching is the
66
+ * pragmatic fallback until then.
67
+ */
68
+ type Tokenizer = (text: string) => string[];
69
+ declare const tokenize: Tokenizer;
70
+
71
+ /**
72
+ * Enable the search / retrieval capability.
73
+ * Pass to `createNoydb({ searchStrategy: withSearch() })` to make a collection's
74
+ * `search` / `retrieve` / `similarTo` / `warmIndex` / `flushIndex` methods live,
75
+ * and to enable the put()-time embedding-vector compute for collections that
76
+ * declare an `embeddings` config. The search/retrieval engine is dynamically
77
+ * imported here, so it stays out of the floor bundle until opted in.
78
+ */
79
+
80
+ declare function withSearch(): SearchStrategy;
81
+
82
+ /**
83
+ * Enable the atomic-sequence capability.
84
+ * Pass to `createNoydb({ sequenceStrategy: withSequence() })` to make
85
+ * `vault.sequence('name').next()` / `.peek()` / `.seedTo()` live. The
86
+ * {@link SequenceStore} CAS engine is statically imported here, so it is pulled
87
+ * into the bundle only when `withSequence()` is referenced (the floor never
88
+ * imports it).
89
+ */
90
+
91
+ declare function withSequence(): SequenceStrategy;
92
+
93
+ /**
94
+ * Enable the sovereign-custody (FR-6) capability.
95
+ * Pass to `createNoydb({ custodyStrategy: withCustody() })` to make
96
+ * `db.grantCustodian` / `db.revokeCustodian` (and the `vault.custody.*` facade
97
+ * that delegates to them) plus `vault.custody.liberate()` live. The heavy
98
+ * `liberateVault` ceremony is dynamically imported here, so it is reached only
99
+ * via opt-in; grant/revoke run the host's own gate + keyring engine.
100
+ */
101
+
102
+ declare function withCustody(): CustodyStrategy;
103
+
104
+ /**
105
+ * Helpers for reading records out of a *plaintext* store (`encrypt: false`)
106
+ * with native tooling — the programmatic core of a `noydb cat`-style unwrap.
107
+ * See the plaintext/debug-store-mode design.
108
+ */
109
+
110
+ /**
111
+ * Extract the record from a plaintext stored envelope, handling both layouts:
113
112
  *
114
- * @module
113
+ * - **classic plaintext** (`encrypt: false`): the record is JSON in `_data`.
114
+ * - **debugPlaintext**: the record's fields are inlined beside the
115
+ * `_`-prefixed metadata (marked by `_debug`).
116
+ *
117
+ * Returns `null` for an empty/absent body. Throws if handed an **encrypted**
118
+ * envelope (non-empty `_iv`) — there is no key here; decrypt through the vault
119
+ * instead. Intended for record envelopes, not blob chunks.
120
+ *
121
+ * @example
122
+ * ```ts
123
+ * // node script over a to-file store, no vault needed:
124
+ * const env = JSON.parse(readFileSync('data/acme/invoices/inv-1.json', 'utf8'))
125
+ * console.log(readPlaintextRecord(env)) // → { id: 'inv-1', total: '120.00', … }
126
+ * ```
115
127
  */
128
+ declare function readPlaintextRecord<T = Record<string, unknown>>(envelope: EncryptedEnvelope): T | null;
116
129
 
117
- /** Reserved id for the vault-level public envelope record. */
118
- declare const PUBLIC_ENVELOPE_RECORD_ID = "public-envelope";
130
+ /** Allow any schema change. Explicit blind / back-compat. */
131
+ declare function blindUpdate(): SchemaUpdateStrategy;
132
+ /** Allow additive changes; reject non-additive ones. The safety backstop. */
133
+ declare function additiveOnly(): SchemaUpdateStrategy;
119
134
  /**
120
- * Read the public envelope from `_meta/public-envelope`. Returns
121
- * `undefined` when no envelope has been persisted (fresh vault, or
122
- * a vault written before the feature was enabled). Tolerates
123
- * corrupted documents — a JSON parse failure surfaces as `undefined`,
124
- * not a thrown error, mirroring `_meta/handle`'s contract.
135
+ * Reject schema changes. With `fields`, reject only when one of those
136
+ * fields is added/removed/changed; otherwise reject any non-`none` delta.
125
137
  */
126
- declare function loadPublicEnvelope(store: NoydbStore, vault: string): Promise<PublicEnvelope | undefined>;
127
- /** Persist the public envelope. Idempotent — overwrites any prior write. */
128
- declare function savePublicEnvelope(store: NoydbStore, vault: string, envelope: PublicEnvelope): Promise<void>;
138
+ declare function lockSchema(opts?: {
139
+ readonly fields?: readonly string[];
140
+ }): SchemaUpdateStrategy;
141
+
142
+ /** The coordinatedCutover update strategy (single-step — no from/to). */
143
+
144
+ declare function coordinatedCutover(opts: {
145
+ readonly transform: TransformFn;
146
+ }): SchemaUpdateStrategy;
147
+
129
148
  /**
130
- * Public, no-key reader. Plain function, not a method on `Noydb` —
131
- * the whole point is it works without an authenticated session, so
132
- * a UI can show "Acme 2026 Tax Records" before unlocking.
149
+ * Built-in in-memory store the kernel's zero-config default.
133
150
  *
134
- * Resolves any `name` / `description` locale map through the supplied
135
- * `locale` (when provided). Omitting `locale` returns the raw
136
- * envelope, which a multilingual picker can render as it pleases.
151
+ * Nested `Map`s: `vault collection id → envelope`. Non-persistent
152
+ * (data is lost on process exit). A conformant 6-method {@link NoydbStore}
153
+ * with CAS atomicity and a monotonic store clock the kernel version of
154
+ * `@noy-db/to-memory`'s core, so `createNoydb()` works with no store package.
155
+ *
156
+ * Portable: imports only `types` + `errors` (no crypto primitive) — passes
157
+ * the `stores-ciphertext-only` architecture guard.
158
+ *
159
+ * Implements the 6-method core only (no optional `listVaults`/`ping`/`tx`),
160
+ * so `Noydb.listAccessibleVaults()` throws its documented capability error
161
+ * rather than enumerating vaults under the default store.
137
162
  */
138
- declare function readPublicEnvelope(store: NoydbStore, vault: string, opts?: {
139
- readonly locale?: string;
140
- }): Promise<PublicEnvelope | undefined>;
163
+ declare function memoryStore(): NoydbStore;
141
164
 
142
165
  /**
143
- * Why a gate denied a request. Stable across hub versions so consumers
144
- * can switch on the value in error UIs.
166
+ * Store router / multiplexer.
167
+ *
168
+ * Dispatches `NoydbStore` operations to different backends based on
169
+ * collection type, record size, record age, collection name, or vault name.
170
+ *
171
+ * ```ts
172
+ * const db = await createNoydb({
173
+ * store: routeStore({
174
+ * default: dynamo({ table: 'myapp' }),
175
+ * blobs: s3Store({ bucket: 'myapp-blobs' }),
176
+ * }),
177
+ * })
178
+ * ```
179
+ *
180
+ * @module
145
181
  */
146
- type PolicyDenyReason = 'insufficient-tier' | 'missing-factor' | 'stale-proof' | 'disabled' | 'shared-device-blocked';
182
+
147
183
  /**
148
- * Thrown by {@link checkGate} when the active session does not meet
149
- * the gate's requirements. Carries the gate name, the reason, and the
150
- * full required {@link GatePolicy} so error UIs can prompt the user
151
- * for the missing factor without re-reading the policy document.
184
+ * Size-tiered blob routing configuration.
185
+ *
186
+ * Routes blob chunks to different stores based on byte size. Small blobs
187
+ * (under `threshold`) stay in the primary or `small` store; large blobs
188
+ * go to `large`. This lets you keep DynamoDB as the default while sending
189
+ * large binary objects to S3.
152
190
  */
153
- declare class PolicyDeniedError extends NoydbError {
154
- readonly gate: GateName;
155
- readonly reason: PolicyDenyReason;
156
- readonly required: GatePolicy;
157
- constructor(gate: GateName, reason: PolicyDenyReason, required: GatePolicy, message?: string);
191
+ interface BlobStoreRoute {
192
+ /** Store for small blobs (under threshold). Falls back to `default`. */
193
+ readonly small?: NoydbStore;
194
+ /** Store for large blobs (over threshold). */
195
+ readonly large: NoydbStore;
196
+ /** Size threshold in bytes. Default: `400 * 1024` (DynamoDB item limit). */
197
+ readonly threshold?: number;
158
198
  }
159
199
  /**
160
- * Raised by `createNoydb({ ... })` when the developer omits a recovery
161
- * profile and `recover-passphrase` is not explicitly disabled. Vaults
162
- * MUST have at least one recovery path enrolled before being
163
- * production-ready (paper, shamir, multi-channel, or admin-mediated).
200
+ * Blob lifecycle management policies evaluated during `compact()`.
164
201
  *
165
- * The error message carries a pointer to the recovery design docs.
202
+ * Controls orphan cleanup, cold-tier archival, and hard deletion of
203
+ * blobs that are no longer referenced by any record.
166
204
  */
167
- declare class RecoveryNotEnrolledError extends NoydbError {
168
- constructor(message?: string);
205
+ interface BlobLifecyclePolicy {
206
+ /** Delete orphan blobs (refCount: 0) after this many days. Default: 7. */
207
+ readonly orphanRetentionDays?: number;
208
+ /** Move blobs not accessed in this many days to the cold blob store. */
209
+ readonly archiveAfterDays?: number;
210
+ /** Store for archived blobs. Required if archiveAfterDays is set. */
211
+ readonly archiveStore?: NoydbStore;
212
+ /** Hard-delete archived blobs after this many days. */
213
+ readonly expireAfterDays?: number;
169
214
  }
170
215
  /**
171
- * Raised by `openVault` when a managed-passphrase-mode vault has no
172
- * STRONG recovery profile enrolled.
216
+ * Age-based hot/cold tiering configuration.
173
217
  *
174
- * Managed mode means the user never types a passphrase — the unlock
175
- * material lives in a `SealingKeyProvider` (`at-*` package). If that
176
- * provider's key is lost AND no strong recovery is enrolled, the
177
- * vault is irrecoverable. To prevent that footgun, managed-mode vaults
178
- * require at least one strong recovery profile (Shamir today;
179
- * multi-channel / admin-mediated when those ship).
180
- *
181
- * Paper recovery alone is NOT strong under managed mode: the user has
182
- * no memorized passphrase to fall back on, so losing the paper sheet =
183
- * losing every record permanently.
218
+ * Records whose `_ts` timestamp is older than `coldAfterDays` are migrated
219
+ * to the `cold` store during `compact()`. Reads transparently fall through
220
+ * to the cold store when the hot store returns null, so callers don't need
221
+ * to know which tier a record lives in.
222
+ */
223
+ interface AgeRoute {
224
+ /** Store for records older than the cutoff. */
225
+ readonly cold: NoydbStore;
226
+ /** Days after last modification before a record is cold-eligible. */
227
+ readonly coldAfterDays: number;
228
+ /**
229
+ * Collections that participate in age tiering.
230
+ * Empty array or omitted = all user collections (excluding `_` prefixed).
231
+ */
232
+ readonly collections?: string[];
233
+ }
234
+ /**
235
+ * Options for `routeStore()` — the store multiplexer.
184
236
  *
185
- * Bootstrap with `db.openVaultAndEnrollRecovery(vault, { recovery: [{ profile: "shamir", k, n }] })`
186
- * to atomically create-and-enroll, or call `db.enrollRecovery(vault, { profile: "shamir", ... })`
187
- * separately before re-attempting `openVault`.
237
+ * At minimum, provide a `default` store. All other fields are optional
238
+ * extensions for specific routing scenarios (blobs S3, geographic sharding,
239
+ * age-based tiering, etc.).
188
240
  */
189
- declare class ManagedRecoveryNotEnrolledError extends NoydbError {
190
- readonly vault: string;
191
- constructor(vault: string);
241
+ interface RouteStoreOptions {
242
+ /** Default store for all unmatched operations. */
243
+ readonly default: NoydbStore;
244
+ /**
245
+ * Route blob chunk data to a separate store.
246
+ * - Pass a `NoydbStore` for simple prefix routing (all chunks → that store).
247
+ * - Pass `{ small?, large, threshold? }` for size-tiered routing.
248
+ */
249
+ readonly blobs?: NoydbStore | BlobStoreRoute;
250
+ /** Route all blob metadata (index, slots, versions) to the blobs store too. Default: false. */
251
+ readonly routeBlobMeta?: boolean;
252
+ /** Route specific user collections to dedicated stores. */
253
+ readonly routes?: Record<string, NoydbStore>;
254
+ /** Route by vault name (prefix patterns, e.g. `'EU-'`). */
255
+ readonly vaultRoutes?: Record<string, NoydbStore>;
256
+ /**
257
+ * Age-based tiering: records older than `coldAfterDays` are read from
258
+ * the cold store. A background `compact()` method migrates them.
259
+ */
260
+ readonly age?: AgeRoute;
261
+ /**
262
+ * Content-aware blob routing.
263
+ * Route blob chunks by MIME type glob pattern. The MIME type is stored
264
+ * in `BlobObject` and matched at read time via `storeHint`.
265
+ */
266
+ readonly blobRoutes?: Record<string, NoydbStore>;
267
+ /**
268
+ * Blob lifecycle policies.
269
+ * Evaluated during `compact()`.
270
+ */
271
+ readonly blobLifecycle?: BlobLifecyclePolicy;
272
+ /**
273
+ * Quota-aware overflow.
274
+ * When the default store's usage exceeds the threshold, new writes
275
+ * overflow to the specified store.
276
+ */
277
+ readonly overflow?: NoydbStore;
278
+ /**
279
+ * Quota threshold (0-1). Default: 0.8 (overflow at 80% usage).
280
+ * Only effective when `overflow` is set.
281
+ */
282
+ readonly quotaThreshold?: number;
192
283
  }
193
284
  /**
194
- * Raised by `db.recoverPassphrase` / `db.enrollRecovery` /
195
- * `db.rotateRecovery` when the developer requests a recovery profile
196
- * not yet wired in this hub release.
285
+ * Named route that can be overridden or suspended at runtime.
197
286
  *
198
- * Implemented: `paper` and `shamir`.
199
- * Pending: `multi-channel` and `admin-mediated` (follow-up slices).
287
+ * Built-in names: `'default'`, `'blobs'`, `'cold'`.
288
+ * Custom names: any collection name from `routes`, any vault prefix from
289
+ * `vaultRoutes`, or any sync target label.
290
+ */
291
+ type OverrideTarget = 'default' | 'blobs' | 'cold' | (string & {});
292
+ /**
293
+ * Options for `RoutedNoydbStore.override()`.
200
294
  *
201
- * The carried `profile` and `tracking` fields let consumers steer the
202
- * UI ("multi-channel recovery is not yet wired up — open issue #N to follow").
295
+ * Controls whether the new store is pre-populated with data from the
296
+ * original store before the switch takes effect.
203
297
  */
204
- declare class RecoveryProfileNotImplementedError extends NoydbError {
205
- readonly profile: string;
206
- readonly tracking: string;
207
- constructor(profile: string, tracking: string);
298
+ interface OverrideOptions {
299
+ /**
300
+ * Hydrate the override store from the original before activating.
301
+ * - `true` — copy all data for all vaults.
302
+ * - `string[]` — copy only named collections.
303
+ * Makes `override()` async — returns a Promise.
304
+ */
305
+ hydrate?: boolean | string[];
208
306
  }
209
-
210
307
  /**
211
- * Default policy for personal vaults and SMB deployments — the gates
212
- * that need an off-device factor get one (TOTP / email-OTP / paper
213
- * recovery), the rest take a tier-1 unlock alone. Tier-3 (PIN) is the
214
- * floor only for `rotate-unlock` because that's the
215
- * "change my PIN" flow.
308
+ * Options for `RoutedNoydbStore.suspend()`.
216
309
  *
217
- * The unspecified gates (e.g. `view-user-auth`) inherit the engine
218
- * default of `{ enabled: false, minTier: 1 }` they fail closed.
219
- *
220
- * @see docs/subsystems/session-tiers.md → Built-in gates
310
+ * A suspended route becomes a null store: reads return null/[], writes
311
+ * are dropped (or buffered if `queue: true`). Useful for maintenance
312
+ * windows or restricted-network scenarios.
221
313
  */
222
- declare const PERSONAL_POLICY: VaultPolicy;
314
+ interface SuspendOptions {
315
+ /**
316
+ * Buffer write operations during suspension. On `resume()`, queued
317
+ * writes are replayed against the restored store.
318
+ */
319
+ queue?: boolean;
320
+ /**
321
+ * Maximum queued operations. When exceeded, oldest entries are dropped.
322
+ * Default: 10_000.
323
+ */
324
+ maxQueueSize?: number;
325
+ }
223
326
  /**
224
- * Strict policy for regulated deployments and shared workstations
225
- * raises the phrase floor to 8 words, demands two distinct factors for
226
- * exports, and blocks export-on-shared-device. Use as a base for
227
- * `policy: { ...STRICT_POLICY, gates: { ...STRICT_POLICY.gates, ... } }`
228
- * tweaks.
327
+ * Snapshot of the current override and suspend state of a `RoutedNoydbStore`.
328
+ * Returned by `routeStatus()` for diagnostics and health dashboards.
229
329
  */
230
- declare const STRICT_POLICY: VaultPolicy;
330
+ interface RouteStatus {
331
+ /** Active overrides: route name → override store name. */
332
+ readonly overrides: Record<string, string>;
333
+ /** Currently suspended routes. */
334
+ readonly suspended: string[];
335
+ /** Queued writes per suspended route (only for routes suspended with `queue: true`). */
336
+ readonly queued: Record<string, number>;
337
+ }
231
338
  /**
232
- * Merge a developer override onto a preset. Unspecified gates inherit;
233
- * specified gates fully replace the preset's entry for that gate.
339
+ * Extended `NoydbStore` returned by `routeStore()`.
234
340
  *
235
- * Example:
341
+ * Satisfies the full `NoydbStore` contract plus adds runtime control
342
+ * methods for overriding, suspending, and inspecting routes.
343
+ */
344
+ interface RoutedNoydbStore extends NoydbStore {
345
+ /**
346
+ * Migrate records older than the age cutoff from the hot store to the
347
+ * cold store. Only applies when `age` is configured. Returns the number
348
+ * of records migrated.
349
+ */
350
+ compact(vault: string): Promise<number>;
351
+ /**
352
+ * Override a named route at runtime.
353
+ *
354
+ * The override persists until `clearOverride()` is called or the
355
+ * instance is closed. In-flight operations complete on the original
356
+ * store; new operations use the override.
357
+ *
358
+ * Options:
359
+ * - `hydrate: true` — async: copies all data from the original store
360
+ * into the override before activating the switch.
361
+ * - `hydrate: ['invoices', 'clients']` — copies only named collections.
362
+ *
363
+ * Use cases:
364
+ * - Shared device: `await store.override('default', memory(), { hydrate: true })`
365
+ * - Restricted network: `store.override('blobs', localFile(...))`
366
+ */
367
+ override(route: OverrideTarget, store: NoydbStore, opts?: OverrideOptions): void | Promise<void>;
368
+ /** Clear a runtime override, reverting to the original store. */
369
+ clearOverride(route: OverrideTarget): void;
370
+ /**
371
+ * Suspend a route entirely. Operations to suspended stores become
372
+ * no-ops (puts silently dropped, gets return null, lists return []).
373
+ *
374
+ * Options:
375
+ * - `queue: true` — buffer write operations (put/delete) during
376
+ * suspension. When `resume()` is called, queued writes are replayed
377
+ * against the restored store.
378
+ *
379
+ * Returns a `SuspendHandle` when `queue: true`, for inspecting queue state.
380
+ */
381
+ suspend(route: OverrideTarget, opts?: SuspendOptions): void;
382
+ /**
383
+ * Resume a previously suspended route.
384
+ * If the route was suspended with `queue: true`, replays queued writes.
385
+ * Returns the number of replayed operations.
386
+ */
387
+ resume(route: OverrideTarget): Promise<number>;
388
+ /** Snapshot the current override/suspend state for diagnostics. */
389
+ routeStatus(): RouteStatus;
390
+ /**
391
+ * Resolve the physical backend a vault id maps to via the geographic
392
+ * `vaultRoutes` prefix routing (collection-independent), falling back to
393
+ * the `default` store. Used by the federation data-residency guard
394
+ * to read the placement backend's `capabilities.region`.
395
+ */
396
+ resolveBackend(vaultId: string): NoydbStore;
397
+ }
398
+ /**
399
+ * Create a store multiplexer that dispatches operations to different backends
400
+ * based on collection type, record size, record age, vault prefix, or
401
+ * runtime overrides.
236
402
  *
237
403
  * ```ts
238
- * mergePolicy(PERSONAL_POLICY, {
239
- * gates: {
240
- * 'app:approve-large-payment': { minTier: 2, factors: [{ anyOf: ['totp'] }] },
241
- * },
404
+ * const store = routeStore({
405
+ * default: dynamo({ table: 'myapp' }),
406
+ * blobs: s3({ bucket: 'myapp-blobs' }),
407
+ * routes: { auditLog: s3({ bucket: 'myapp-audit' }) },
242
408
  * })
243
- * // → PERSONAL_POLICY plus the new app gate; existing gates intact.
244
409
  * ```
410
+ *
411
+ * The returned store satisfies `NoydbStore` and can be passed directly to
412
+ * `createNoydb({ store })`. It also exposes additional methods
413
+ * (`override`, `suspend`, `resume`, `routeStatus`, `compact`) for runtime
414
+ * control and maintenance.
245
415
  */
246
- declare function mergePolicy(base: VaultPolicy, override?: Partial<VaultPolicy>): VaultPolicy;
416
+ declare function routeStore(opts: RouteStoreOptions): RoutedNoydbStore;
247
417
 
248
418
  /**
249
- * Policy gate engine the {@link checkGate} entry point.
419
+ * Store middlewarecomposable interceptors for NoydbStore.
250
420
  *
251
- * Given a configured {@link VaultPolicy}, an active session tier, and
252
- * the factor proofs an actor is presenting, decide whether the gate
253
- * permits the action. On denial, throws {@link PolicyDeniedError} with
254
- * a stable {@link PolicyDenyReason} so consumers can branch in error
255
- * UIs.
421
+ * ```ts
422
+ * const resilient = wrapStore(
423
+ * dynamo({ table: 'myapp' }),
424
+ * withRetry({ maxRetries: 3 }),
425
+ * withLogging({ level: 'debug' }),
426
+ * withCache({ ttlMs: 60_000 }),
427
+ * )
428
+ * ```
256
429
  *
257
- * @see docs/subsystems/session-tiers.md checkGate() API
430
+ * Each middleware is `(next: NoydbStore) => NoydbStore`. They compose
431
+ * left-to-right: first middleware is outermost (processes requests first,
432
+ * responses last).
258
433
  *
259
434
  * @module
260
435
  */
261
436
 
262
- /** Default freshness window — 5 minutes. */
263
- declare const DEFAULT_FRESHNESS_MS: number;
264
- /** Caller-supplied context for one `checkGate` invocation. */
265
- interface CheckGateContext {
266
- /** Tier the active session currently holds. */
267
- readonly activeTier: ActiveTier;
268
- /** Proofs the actor is presenting for this gate. */
269
- readonly factors?: ReadonlyArray<FactorProof>;
270
- /**
271
- * If the host knows the actor is on a shared device, set this to
272
- * `true` so the engine can apply `warn.sharedDevice` rules. Defaults
273
- * to `false`.
274
- */
275
- readonly sharedDevice?: boolean;
437
+ /**
438
+ * A store middleware function.
439
+ *
440
+ * Takes the next store in the chain and returns a wrapped store. Middlewares
441
+ * compose left-to-right via `wrapStore()`: the first argument is outermost
442
+ * (first to intercept requests, last to process responses).
443
+ *
444
+ * ```ts
445
+ * const mw: StoreMiddleware = (next) => ({
446
+ * ...next,
447
+ * async get(vault, collection, id) {
448
+ * console.log('get', id)
449
+ * return next.get(vault, collection, id)
450
+ * },
451
+ * })
452
+ * ```
453
+ */
454
+ type StoreMiddleware = (next: NoydbStore) => NoydbStore;
455
+ /**
456
+ * Wrap a store with one or more middlewares. Middlewares compose left-to-right.
457
+ */
458
+ declare function wrapStore(store: NoydbStore, ...middlewares: StoreMiddleware[]): NoydbStore;
459
+ /** Options for `withRetry()`. */
460
+ interface RetryOptions {
461
+ /** Maximum retry attempts. Default: 3. */
462
+ maxRetries?: number;
463
+ /** Base backoff delay in ms. Default: 500. */
464
+ backoffMs?: number;
465
+ /** Jitter factor (0-1). Adds random delay up to `backoffMs * jitter`. Default: 0.3. */
466
+ jitter?: number;
467
+ /** Only retry on these error codes. Default: retry all errors. */
468
+ retryOn?: string[];
469
+ }
470
+ /**
471
+ * Middleware that retries failed store operations with exponential backoff
472
+ * and optional jitter. Useful for transient network errors on DynamoDB/S3.
473
+ *
474
+ * ```ts
475
+ * wrapStore(dynamo({ table: 'myapp' }), withRetry({ maxRetries: 5, retryOn: ['NETWORK_ERROR'] }))
476
+ * ```
477
+ */
478
+ declare function withRetry(opts?: RetryOptions): StoreMiddleware;
479
+ /** Log level for `withLogging()`. Maps to standard console method names. */
480
+ type LogLevel = 'debug' | 'info' | 'warn' | 'error';
481
+ /** Options for `withLogging()`. */
482
+ interface LoggingOptions {
483
+ /** Minimum log level. Default: 'info'. */
484
+ level?: LogLevel;
485
+ /** Custom logger. Default: console. */
486
+ logger?: {
487
+ debug(msg: string, ...args: unknown[]): void;
488
+ info(msg: string, ...args: unknown[]): void;
489
+ warn(msg: string, ...args: unknown[]): void;
490
+ error(msg: string, ...args: unknown[]): void;
491
+ };
492
+ /** Log the data payload (envelope contents). Default: false (privacy). */
493
+ logData?: boolean;
494
+ }
495
+ /**
496
+ * Middleware that logs every store operation with its method name, arguments,
497
+ * and elapsed duration. Privacy-safe by default: envelope payloads are not
498
+ * logged unless `logData: true` is set.
499
+ */
500
+ declare function withLogging(opts?: LoggingOptions): StoreMiddleware;
501
+ /**
502
+ * Data emitted to `MetricsOptions.onOperation` after every store call.
503
+ *
504
+ * Carries method name, vault/collection/id context, elapsed duration,
505
+ * and success/failure status. Wire this into your metrics pipeline
506
+ * (DataDog, Prometheus, CloudWatch) to get per-operation latency histograms.
507
+ */
508
+ interface StoreOperation {
509
+ method: 'get' | 'put' | 'delete' | 'list' | 'loadAll' | 'saveAll';
510
+ vault: string;
511
+ collection?: string;
512
+ id?: string;
513
+ durationMs: number;
514
+ success: boolean;
515
+ error?: Error;
516
+ }
517
+ /** Options for `withMetrics()`. */
518
+ interface MetricsOptions {
519
+ /** Called after every store operation. */
520
+ onOperation: (op: StoreOperation) => void;
521
+ }
522
+ /**
523
+ * Middleware that calls `onOperation` after every store method with timing
524
+ * and success/failure data. Designed for low-overhead integration with
525
+ * metrics systems — the callback is synchronous and fire-and-forget.
526
+ */
527
+ declare function withMetrics(opts: MetricsOptions): StoreMiddleware;
528
+ /**
529
+ * Options for `withCircuitBreaker()`.
530
+ *
531
+ * The circuit breaker moves through three states:
532
+ * - `closed`: normal operation.
533
+ * - `open`: store is failing; all calls return fallback values immediately.
534
+ * - `half-open`: one probe call after `resetTimeoutMs` — success closes, failure re-opens.
535
+ */
536
+ interface CircuitBreakerOptions {
537
+ /** Number of consecutive failures before opening the circuit. Default: 5. */
538
+ failureThreshold?: number;
539
+ /** Time in ms before attempting to half-open the circuit. Default: 30_000. */
540
+ resetTimeoutMs?: number;
541
+ /** Called when the circuit opens (store becomes unavailable). */
542
+ onOpen?: () => void;
543
+ /** Called when the circuit closes (store recovers). */
544
+ onClose?: () => void;
545
+ }
546
+ /**
547
+ * Middleware that implements the circuit-breaker pattern.
548
+ *
549
+ * When the wrapped store fails `failureThreshold` consecutive times, the
550
+ * circuit opens: subsequent calls return safe fallback values (`null`, `[]`,
551
+ * `{}`) without hitting the store. After `resetTimeoutMs` the circuit
552
+ * half-opens and allows one probe — success closes the circuit, failure
553
+ * keeps it open. Pair with `withRetry` to handle transient errors before
554
+ * they trip the circuit.
555
+ */
556
+ declare function withCircuitBreaker(opts?: CircuitBreakerOptions): StoreMiddleware;
557
+ /**
558
+ * Options for `withCache()`.
559
+ *
560
+ * The cache is a read-through LRU that caches individual record fetches
561
+ * (`get`). Writes (`put`, `delete`) invalidate the relevant cache entry
562
+ * immediately. `list`, `loadAll`, and `saveAll` bypass the cache.
563
+ *
564
+ * Named `StoreCacheOptions` to distinguish from `CacheOptions` in
565
+ * `@noy-db/hub/collection`, which controls the in-memory decrypted-record LRU.
566
+ */
567
+ interface StoreCacheOptions {
568
+ /** Maximum cached entries. Default: 500. */
569
+ maxEntries?: number;
570
+ /** Cache TTL in ms. Default: 60_000 (1 minute). 0 = no expiry. */
571
+ ttlMs?: number;
572
+ }
573
+ /**
574
+ * Middleware that adds a read-through LRU cache for `get()` calls.
575
+ *
576
+ * Reduces latency for frequently-read records (e.g. lookup tables, user
577
+ * profiles) by serving repeat reads from memory. Because NOYDB records are
578
+ * encrypted at rest, caching envelopes is safe — the cache holds ciphertext,
579
+ * not plaintext. For write-heavy workloads, the cache provides little benefit
580
+ * and should be omitted to avoid the invalidation overhead.
581
+ */
582
+ declare function withCache(opts?: StoreCacheOptions): StoreMiddleware;
583
+ interface HealthCheckOptions {
584
+ /** Ping interval in ms. Default: 30_000. */
585
+ checkIntervalMs?: number;
586
+ /** Suspend after N consecutive ping failures. Default: 3. */
587
+ suspendAfterFailures?: number;
588
+ /** Resume after N consecutive ping successes. Default: 1. */
589
+ resumeAfterSuccess?: number;
590
+ /** Called when the store is auto-suspended. */
591
+ onSuspend?: () => void;
592
+ /** Called when the store is auto-resumed. */
593
+ onResume?: () => void;
276
594
  /**
277
- * Override `now()` for tests. Defaults to `Date.now()`.
278
- * @internal
595
+ * Custom health check. Default: calls `store.ping()` if available,
596
+ * otherwise attempts a `list()` on a sentinel collection.
279
597
  */
280
- readonly now?: number;
598
+ check?: () => Promise<boolean>;
281
599
  }
282
600
  /**
283
- * Decide whether `gate` permits the action under `context`. Throws
284
- * {@link PolicyDeniedError} on denial; resolves with `void` on success.
601
+ * Auto-suspends a store when health checks fail, auto-resumes when they recover.
285
602
  *
286
- * Lookup rules:
287
- * - **Built-in gates** without a configured policy fail closed
288
- * (`enabled: false`).
289
- * - **App-defined gates** (`app:*`) without a configured policy are
290
- * treated as no-op (allow). The developer registered the policy if
291
- * they wanted enforcement; absence means the gate is informational.
603
+ * When suspended, `get` returns null, `put`/`delete` are no-ops, `list` returns [].
604
+ * This is identical to the `NullStore` behavior from `routeStore.suspend()`.
292
605
  */
293
- declare function checkGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<void>;
606
+ declare function withHealthCheck(opts?: HealthCheckOptions): StoreMiddleware;
607
+
294
608
  /**
295
- * Same as {@link checkGate} but returns a structured verdict instead
296
- * of throwing. Useful when an error UI wants to show the user
297
- * "you'll need TOTP plus a recovery code to do that" without first
298
- * triggering the action.
609
+ * Derive a {@link PersistedSchemaEnvelope} from a Standard Schema v1
610
+ * validator. Supports zod 3 (via the optional `zod-to-json-schema` peer-dep)
611
+ * and zod 4 (via its native `z.toJSONSchema()`); both are loaded lazily so
612
+ * hub never statically imports zod. Other validator families write a stub
613
+ * envelope flagging the kind.
614
+ *
615
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
616
+ *
617
+ * @module
299
618
  */
300
- declare function describeGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<{
301
- ok: true;
302
- } | {
303
- ok: false;
304
- reason: PolicyDenyReason;
305
- required: GatePolicy;
306
- }>;
307
619
 
308
620
  /**
309
- * Persistence helpers for the vault-level policy document
310
- * (`_meta/policy`). Mirrors the bypass-AES pattern used by
311
- * `_meta/handle` the policy document is plain JSON, the envelope's
312
- * `_iv` field is left empty.
621
+ * Heuristic Zod detection — uses the Standard Schema v1 `~standard.vendor`
622
+ * property (present in Zod v3.23+ and Zod v4+). Falls back to the
623
+ * `_def.typeName` heuristic for older Zod v3 builds that predate Standard
624
+ * Schema support.
625
+ */
626
+ declare function isZodSchema(value: unknown): boolean;
627
+ declare function derivePersistedSchema(validator: unknown): Promise<PersistedSchemaEnvelope>;
628
+
629
+ /**
630
+ * Read / write the per-collection persisted-schema envelope. Mirrors the
631
+ * standard noy-db record envelope shape and is **AES-GCM encrypted with
632
+ * the collection's DEK** — the schema body (field names, enum values,
633
+ * constraints) is sensitive metadata, so it gets the same encryption
634
+ * envelope as the records it describes.
635
+ *
636
+ * Storage layout:
637
+ *
638
+ * <vault>/_schemas/<collection> → EncryptedEnvelope
313
639
  *
314
- * @see docs/subsystems/session-tiers.md Storage location
640
+ * The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}
641
+ * is the same key the collection uses for its records.
315
642
  *
316
643
  * @module
317
644
  */
318
645
 
319
- /** Reserved collection name for vault-level metadata documents. */
320
- declare const META_COLLECTION = "_meta";
321
- /** Reserved id for the vault-level policy document. */
322
- declare const POLICY_RECORD_ID = "policy";
646
+ /** Reserved collection name where persisted schemas live. */
647
+ declare const SCHEMAS_COLLECTION: "_schemas";
323
648
  /**
324
- * Read the vault-level policy from `_meta/policy`. Returns `undefined`
325
- * when no policy has been persisted (fresh vault, or a vault written
326
- * before the policy module landed). The caller falls back to the
327
- * default preset.
328
- *
329
- * Tolerates corrupted documents the same way `_meta/handle` does: a
330
- * JSON parse failure surfaces as `undefined`, not a thrown error, so
331
- * a bad write never permanently locks a vault.
649
+ * Read and decrypt the persisted-schema envelope for one collection.
650
+ * Returns `undefined` when no envelope has been written or when decryption
651
+ * fails (e.g. wrong DEK passed). Tolerates corrupted records JSON parse
652
+ * failures surface as `undefined`, mirroring `_meta/handle`'s contract.
332
653
  */
333
- declare function loadVaultPolicy(store: NoydbStore, vault: string): Promise<VaultPolicy | undefined>;
654
+ declare function loadPersistedSchema(store: NoydbStore, vault: string, collection: string, dek: EnclaveKey): Promise<PersistedSchemaEnvelope | undefined>;
334
655
  /**
335
- * Persist the vault-level policy at `_meta/policy`. Idempotent call
336
- * once at vault creation and again on `db.updatePolicy()` invocations.
656
+ * Encrypt and persist a schema envelope for one collection. Always
657
+ * overwrites any prior write (callers gate on hash equality before calling
658
+ * to avoid no-op writes).
337
659
  */
338
- declare function saveVaultPolicy(store: NoydbStore, vault: string, policy: VaultPolicy): Promise<void>;
660
+ declare function savePersistedSchema(store: NoydbStore, vault: string, collection: string, dek: EnclaveKey, payload: PersistedSchemaEnvelope): Promise<void>;
339
661
 
340
- /** Allow any schema change. Explicit blind / back-compat. */
341
- declare function blindUpdate(): SchemaUpdateStrategy;
342
- /** Allow additive changes; reject non-additive ones. The safety backstop. */
343
- declare function additiveOnly(): SchemaUpdateStrategy;
344
662
  /**
345
- * Reject schema changes. With `fields`, reject only when one of those
346
- * fields is added/removed/changed; otherwise reject any non-`none` delta.
663
+ * Orchestrate the derive hash skip-or-write cycle for a collection's
664
+ * persisted JSON Schema. Called by the Vault at collection-registration
665
+ * time when the developer opts in via `collection({ persistJsonSchema:
666
+ * true })`.
667
+ *
668
+ * Skip semantics:
669
+ *
670
+ * - Zod validators: skip when the new hash equals the stored hash.
671
+ * - Non-Zod (stub envelopes have hash=null): skip when the stored
672
+ * envelope's `kind` matches the freshly-detected kind (since there's
673
+ * no body to compare yet — a kind change is the only signal).
674
+ *
675
+ * @module
347
676
  */
348
- declare function lockSchema(opts?: {
349
- readonly fields?: readonly string[];
350
- }): SchemaUpdateStrategy;
351
677
 
352
- /** The coordinatedCutover update strategy (single-step — no from/to). */
678
+ interface PersistSchemaResult {
679
+ /** True when a fresh envelope was written to storage. */
680
+ readonly written: boolean;
681
+ /** True when an existing envelope matched and the write was skipped. */
682
+ readonly skipped: boolean;
683
+ /** The envelope that was either written or matched. */
684
+ readonly envelope: PersistedSchemaEnvelope;
685
+ /** The update-strategy decision, present when strategies ran. */
686
+ readonly decision?: UpdateDecision;
687
+ }
688
+ declare function persistSchemaIfNeeded(opts: {
689
+ readonly store: NoydbStore;
690
+ readonly vault: string;
691
+ readonly collectionName: string;
692
+ readonly validator: unknown;
693
+ readonly dek: EnclaveKey;
694
+ readonly strategies?: readonly SchemaUpdateStrategy[];
695
+ }): Promise<PersistSchemaResult>;
353
696
 
354
- declare function coordinatedCutover(opts: {
355
- readonly transform: TransformFn;
356
- }): SchemaUpdateStrategy;
697
+ /**
698
+ * Persistence helpers for `_meta/public-envelope`. Mirrors the
699
+ * bypass-AES pattern used by `_meta/handle` and `_meta/policy` —
700
+ * the document is plaintext JSON, the envelope's `_iv` field is
701
+ * left empty.
702
+ *
703
+ * @module
704
+ */
705
+
706
+ /** Reserved id for the vault-level public envelope record. */
707
+ declare const PUBLIC_ENVELOPE_RECORD_ID = "public-envelope";
708
+ /**
709
+ * Read the public envelope from `_meta/public-envelope`. Returns
710
+ * `undefined` when no envelope has been persisted (fresh vault, or
711
+ * a vault written before the feature was enabled). Tolerates
712
+ * corrupted documents — a JSON parse failure surfaces as `undefined`,
713
+ * not a thrown error, mirroring `_meta/handle`'s contract.
714
+ */
715
+ declare function loadPublicEnvelope(store: NoydbStore, vault: string): Promise<PublicEnvelope | undefined>;
716
+ /** Persist the public envelope. Idempotent — overwrites any prior write. */
717
+ declare function savePublicEnvelope(store: NoydbStore, vault: string, envelope: PublicEnvelope): Promise<void>;
718
+ /**
719
+ * Public, no-key reader. Plain function, not a method on `Noydb` —
720
+ * the whole point is it works without an authenticated session, so
721
+ * a UI can show "Acme 2026 Tax Records" before unlocking.
722
+ *
723
+ * Resolves any `name` / `description` locale map through the supplied
724
+ * `locale` (when provided). Omitting `locale` returns the raw
725
+ * envelope, which a multilingual picker can render as it pleases.
726
+ */
727
+ declare function readPublicEnvelope(store: NoydbStore, vault: string, opts?: {
728
+ readonly locale?: string;
729
+ }): Promise<PublicEnvelope | undefined>;
357
730
 
358
731
  /**
359
- * Derive a {@link PersistedSchemaEnvelope} from a Standard Schema v1
360
- * validator. v0 supports Zod via `zod-to-json-schema` (optional peer-dep);
361
- * other families write a stub envelope flagging the kind.
732
+ * Persistence helpers for per-principal user envelopes stored at
733
+ * `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).
734
+ *
735
+ * Unlike `_meta/policy` and `_meta/handle` which are plaintext, user
736
+ * envelopes carry user data and are encrypted with a dedicated
737
+ * {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and
738
+ * propagated to every keyring via the system-collection DEK path in
739
+ * `team/keyring.ts`).
740
+ *
741
+ * This module is the **storage primitive** layer. The public API
742
+ * (`vault.user.*`) sits on top of this; permission gates, own-only
743
+ * write enforcement, and presence-channel propagation live there.
744
+ *
745
+ * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
746
+ *
747
+ * @module
748
+ */
749
+
750
+ /**
751
+ * Read and decrypt the user envelope for `keyringId`. Returns `null`
752
+ * when no envelope has been persisted (either the principal has never
753
+ * called `updateMe`, or the keyring predates this feature).
754
+ *
755
+ * Decryption errors propagate — a tampered or wrong-keyed envelope
756
+ * surfaces as the underlying crypto error rather than masquerading as
757
+ * "not found".
758
+ */
759
+ declare function loadUserEnvelope<T = unknown>(store: NoydbStore, vault: string, keyringId: string, dek: EnclaveKey): Promise<UserEnvelope<T> | null>;
760
+ /**
761
+ * Encrypt and persist the user envelope for `keyringId`. The new
762
+ * version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable
763
+ * optimistic-concurrency checks: a mismatch with the stored version
764
+ * throws {@link ConflictError} with the actual stored version.
362
765
  *
363
- * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
766
+ * `expectedVersion: 0` means "expect no prior envelope"; the write
767
+ * succeeds only if no envelope exists yet.
364
768
  *
365
- * @module
769
+ * Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};
770
+ * larger payloads throw {@link UserEnvelopeOversizedError}.
366
771
  */
367
-
772
+ declare function saveUserEnvelope<T>(store: NoydbStore, vault: string, keyringId: string, payload: T, dek: EnclaveKey, expectedVersion?: number): Promise<UserEnvelope<T>>;
368
773
  /**
369
- * Heuristic Zod detection Zod schemas carry a `_def.typeName` property
370
- * starting with `Zod` (e.g. `ZodObject`, `ZodString`). This survives Zod's
371
- * minor-version bumps because the typeName naming is stable across v3.
774
+ * Delete the user envelope for `keyringId`. Idempotent no error if
775
+ * the envelope is already absent. Called from the keyring revoke path
776
+ * (cascade-delete) and is a no-op for keyrings that never wrote.
372
777
  */
373
- declare function isZodSchema(value: unknown): boolean;
374
- declare function derivePersistedSchema(validator: unknown): Promise<PersistedSchemaEnvelope>;
778
+ declare function deleteUserEnvelope(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
779
+ /**
780
+ * List the keyring ids that have a user envelope persisted in `vault`.
781
+ * Order is store-defined — callers that need a stable order should sort.
782
+ */
783
+ declare function listUserEnvelopeIds(store: NoydbStore, vault: string): Promise<string[]>;
375
784
 
376
785
  /**
377
- * Read / write the per-collection persisted-schema envelope. Mirrors the
378
- * standard noy-db record envelope shape and is **AES-GCM encrypted with
379
- * the collection's DEK** — the schema body (field names, enum values,
380
- * constraints) is sensitive metadata, so it gets the same encryption
381
- * envelope as the records it describes.
786
+ * Type surface for the user-list visibility service.
382
787
  *
383
- * Storage layout:
788
+ * Two complementary flags:
789
+ * - {@link DirectoryConfig} — vault-level "is the directory listing
790
+ * enabled at all?" toggle. Owner-only mutation.
791
+ * - {@link UserVisibility} — per-user "hide me from teammate listings"
792
+ * opt-out. Self-mutation via `vault.user.setMyVisibility`.
384
793
  *
385
- * <vault>/_schemas/<collection> → EncryptedEnvelope
794
+ * Both flags live in the existing `_meta` collection as plaintext-bypass
795
+ * sidecars (`_iv: ''`). Neither is a security boundary — the keyring
796
+ * file is still observable at `_keyring/*` and the envelope ciphertext
797
+ * is still at `_users/*` to anyone with direct store read access. The
798
+ * flags exist to keep admin-UI listings tidy, not to hide principals
799
+ * from a determined attacker.
386
800
  *
387
- * The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}
388
- * is the same key the collection uses for its records.
801
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md Directory visibility
389
802
  *
390
803
  * @module
391
804
  */
392
-
393
- /** Reserved collection name where persisted schemas live. */
394
- declare const SCHEMAS_COLLECTION: "_schemas";
395
805
  /**
396
- * Read and decrypt the persisted-schema envelope for one collection.
397
- * Returns `undefined` when no envelope has been written or when decryption
398
- * fails (e.g. wrong DEK passed). Tolerates corrupted recordsJSON parse
399
- * failures surface as `undefined`, mirroring `_meta/handle`'s contract.
806
+ * Vault-level directory toggle. Persisted at `_meta/directory`.
807
+ *
808
+ * - `enabled: true` (default when no document exists)every authenticated
809
+ * caller can enumerate users via `listUsersWithEnvelopes`.
810
+ * - `enabled: false` — only `owner` and `admin` callers can enumerate;
811
+ * anyone else gets {@link import('../../kernel/errors.js').DirectoryDisabledError}.
400
812
  */
401
- declare function loadPersistedSchema(store: NoydbStore, vault: string, collection: string, dek: CryptoKey): Promise<PersistedSchemaEnvelope | undefined>;
813
+ interface DirectoryConfig {
814
+ readonly enabled: boolean;
815
+ }
402
816
  /**
403
- * Encrypt and persist a schema envelope for one collection. Always
404
- * overwrites any prior write (callers gate on hash equality before calling
405
- * to avoid no-op writes).
817
+ * Per-user visibility flag. Persisted at `_meta/visibility/<keyringId>`.
818
+ *
819
+ * - `hidden: false` (default when no document exists) — the user shows up
820
+ * in `listUsersWithEnvelopes` like any other principal.
821
+ * - `hidden: true` — the user is filtered out of the default listing.
822
+ * `owner`/`admin` callers can still see them by passing
823
+ * `{ includeHidden: true }`.
406
824
  */
407
- declare function savePersistedSchema(store: NoydbStore, vault: string, collection: string, dek: CryptoKey, payload: PersistedSchemaEnvelope): Promise<void>;
825
+ interface UserVisibility {
826
+ readonly hidden: boolean;
827
+ }
408
828
 
409
829
  /**
410
- * Orchestrate the derive hash skip-or-write cycle for a collection's
411
- * persisted JSON Schema. Called by the Vault at collection-registration
412
- * time when the developer opts in via `collection({ persistJsonSchema:
413
- * true })`.
414
- *
415
- * Skip semantics:
416
- *
417
- * - Zod validators: skip when the new hash equals the stored hash.
418
- * - Non-Zod (stub envelopes have hash=null): skip when the stored
419
- * envelope's `kind` matches the freshly-detected kind (since there's
420
- * no body to compare yet — a kind change is the only signal).
421
- *
422
- * @module
830
+ * Implementation behind `vault.user`. Constructed once per Vault via
831
+ * {@link createUserApi}, holds the writer's keyringId in closure so
832
+ * `updateMe`/`setMe` cannot target any other principal the own-only
833
+ * rule is enforced at the type level (no `set(otherKeyringId, …)`
834
+ * method) AND at runtime (the keyringId argument simply doesn't exist
835
+ * on the write path).
423
836
  */
424
-
425
- interface PersistSchemaResult {
426
- /** True when a fresh envelope was written to storage. */
427
- readonly written: boolean;
428
- /** True when an existing envelope matched and the write was skipped. */
429
- readonly skipped: boolean;
430
- /** The envelope that was either written or matched. */
431
- readonly envelope: PersistedSchemaEnvelope;
432
- /** The update-strategy decision, present when strategies ran. */
433
- readonly decision?: UpdateDecision;
837
+ declare class UserApi implements VaultUserApi {
838
+ /** keyringId → set of listeners. Wildcard '*' fires on every change. */
839
+ private readonly listeners;
840
+ private readonly adapter;
841
+ private readonly vaultName;
842
+ /** The writer's own keyringId. Frozen at construction time. */
843
+ private readonly writerKeyringId;
844
+ private readonly getDek;
845
+ /**
846
+ * Policy-gate validator. When omitted, gates are skipped — useful
847
+ * for low-level tests that exercise the storage layer directly.
848
+ * Production paths always wire the Noydb-backed implementation.
849
+ */
850
+ private readonly checkGate?;
851
+ /**
852
+ * Noydb-backed `exportMyAccessibleData`, injected by the Vault
853
+ * (which holds the keyring + bundle machinery). Omitted in low-level tests.
854
+ */
855
+ private readonly exportAccessible?;
856
+ /**
857
+ * Noydb-backed `unilateralWithdrawal`, injected by the Vault.
858
+ * Destructive — extract + dispose (delete | freeze). Omitted in low-level tests.
859
+ */
860
+ private readonly unilateralWithdraw?;
861
+ /**
862
+ * Noydb-backed two-party withdrawal ceremony, injected by the
863
+ * Vault. requestWithdraw = requester side; the rest = owner side.
864
+ */
865
+ private readonly requestWithdraw?;
866
+ private readonly listWithdrawals?;
867
+ private readonly approveWithdraw?;
868
+ private readonly rejectWithdraw?;
869
+ constructor(deps: UserApiDeps);
870
+ /**
871
+ * File a two-party withdrawal request for the caller's accessible
872
+ * scope. Non-destructive (writes a pending request); an owner later approves
873
+ * or rejects. This is the path for read-only roles (`client`/`viewer`) that
874
+ * cannot self-serve a destructive `unilateralWithdrawal`. Gated by
875
+ * `user-request-withdrawal` (enabled by default).
876
+ */
877
+ requestWithdrawal(opts?: RequestWithdrawalOptions): Promise<RequestWithdrawalResult>;
878
+ /** Owner side: list filed withdrawal requests (optionally by status). */
879
+ listWithdrawalRequests(opts?: {
880
+ status?: WithdrawalRequestStatus;
881
+ }): Promise<WithdrawalRequest[]>;
882
+ /**
883
+ * Owner side: approve a pending request. Extracts the requester's
884
+ * recorded scope under firm authority, disposes of the source per the
885
+ * request's disposition, and returns the re-keyed bundle to hand back. Gated
886
+ * by `approve-user-withdrawal` (tier-2 default) + owner/admin role.
887
+ */
888
+ approveWithdrawal(requestId: string, opts?: ApproveWithdrawalOptions): Promise<WithdrawResult>;
889
+ /** Owner side: reject a pending request (no data is touched). */
890
+ rejectWithdrawal(requestId: string, opts?: RejectWithdrawalOptions): Promise<WithdrawalRequest>;
891
+ /**
892
+ * Single-party withdrawal: export the caller's accessible scope
893
+ * (re-keyed) and dispose of the source (`delete` or `freeze`). Gated by the
894
+ * fail-closed built-in `client-unilateral-withdraw` policy — undefined or
895
+ * disabled → throws (use `requestWithdrawal`). The firm enables it at vault
896
+ * creation.
897
+ */
898
+ unilateralWithdrawal(opts: WithdrawAccessibleOptions): Promise<WithdrawResult>;
899
+ /**
900
+ * Export the calling user's accessible scope as a portable, re-keyed
901
+ * `.noydb` bundle. Non-destructive and **always allowed** (data sovereignty
902
+ * by construction) but audited. Scope = the caller's DEK access set.
903
+ */
904
+ exportMyAccessibleData(opts?: ExportAccessibleOptions): Promise<Uint8Array>;
905
+ /** Read the writer's own envelope. Returns null if never written. */
906
+ me<T = unknown>(): Promise<UserEnvelope<T> | null>;
907
+ /**
908
+ * Deep-merge a partial patch into the writer's own envelope. Creates
909
+ * the envelope on first call. Optimistic-concurrency safe — a stale
910
+ * `_v` (parallel writer on another device) throws `ConflictError`.
911
+ *
912
+ * Patch semantics:
913
+ * - `undefined` (or omitted key) — skip; existing value preserved
914
+ * - `null` — delete the field from the merged result
915
+ * - any other value — overwrite (deep-merge for plain objects,
916
+ * replace for primitives / arrays)
917
+ *
918
+ * To clear a field, pass `null` rather than `undefined`. Callers
919
+ * with shape `T = string | null` where `null` is a meaningful value
920
+ * should use `setMe` for that specific field instead — `null` here
921
+ * always means delete.
922
+ *
923
+ * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
924
+ * Pass `presented` to satisfy tightened policies that require a
925
+ * factor proof (e.g. STRICT_POLICY's TOTP requirement).
926
+ */
927
+ updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
928
+ /**
929
+ * Replace the writer's own envelope with `payload`. Use sparingly —
930
+ * `updateMe` is the canonical mutation. No `expectedVersion` check;
931
+ * callers explicitly take last-write-wins semantics.
932
+ *
933
+ * Gated by `edit-own-profile`. See `updateMe` for `presented` usage.
934
+ */
935
+ setMe<T = unknown>(payload: T, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
936
+ /**
937
+ * Read the current user's visibility flag from
938
+ * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
939
+ * document has been persisted (the default-visible case).
940
+ */
941
+ getMyVisibility(): Promise<UserVisibility>;
942
+ /**
943
+ * Update the current user's visibility in the team directory.
944
+ *
945
+ * - `hidden: true` — opt out of the default `listUsersWithEnvelopes`
946
+ * listing. `owner`/`admin` callers can still see the user by passing
947
+ * `{ includeHidden: true }`.
948
+ * - `hidden: false` — opt back in.
949
+ *
950
+ * Own-only by construction: the keyringId argument doesn't exist on
951
+ * this method, so no caller can hide or unhide another principal.
952
+ *
953
+ * Honest caveat: this is a UX flag, not a privacy guarantee. The
954
+ * envelope ciphertext at `_users/<keyringId>` and the keyring file at
955
+ * `_keyring/<userId>` are both still observable to anyone with direct
956
+ * store read access. See `https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md` →
957
+ * "Directory visibility".
958
+ */
959
+ setMyVisibility(visibility: UserVisibility): Promise<void>;
960
+ /**
961
+ * Read another principal's envelope by their keyringId. Returns null
962
+ * if the principal exists but has no envelope yet, or if the
963
+ * keyringId does not exist at all.
964
+ *
965
+ * Gated by `view-team-profiles` (default `minTier: 2`) — but ONLY for
966
+ * cross-principal reads. Reading your own envelope (`keyringId ===
967
+ * self`) is never gated; that's just `me()` written long-form.
968
+ */
969
+ get<T = unknown>(keyringId: string, presented?: UserEnvelopePresented): Promise<UserEnvelope<T> | null>;
970
+ /**
971
+ * Read every persisted envelope in the vault. Order is store-defined.
972
+ *
973
+ * Gated by `view-team-profiles`. Default policy (`minTier: 2`) lets
974
+ * any authenticated session read all envelopes. Two privacy-strict
975
+ * opt-outs:
976
+ *
977
+ * - `view-team-profiles.enabled: false` → list() returns only the
978
+ * caller's own envelope (silent self-fallback, no thrown error).
979
+ * - `view-team-profiles.minTier: 1` + insufficient tier → throws
980
+ * `PolicyDeniedError` with `reason: 'insufficient-tier'`. The
981
+ * caller is expected to elevate, not silently degrade.
982
+ *
983
+ * The asymmetry is deliberate: `enabled: false` is a deliberate
984
+ * design choice ("nobody sees teammate profiles in this app");
985
+ * `insufficient-tier` is "you need to authenticate further". Different
986
+ * UX prompts for different intents.
987
+ */
988
+ list<T = unknown>(presented?: UserEnvelopePresented): Promise<UserEnvelope<T>[]>;
989
+ /**
990
+ * Listen for changes to a specific keyringId's envelope. The callback
991
+ * fires synchronously after every successful local `updateMe` /
992
+ * `setMe` for that principal.
993
+ *
994
+ * Cross-instance changes (a teammate edits their profile on their
995
+ * device, the sync engine pulls the diff onto this device) will fire
996
+ * subscribers when the sync layer replays the write through this API.
997
+ * In v1, subscribers do NOT fire on raw store changes — wire your sync
998
+ * layer to call back through `vault.user.setMe` / `updateMe` if you
999
+ * need that.
1000
+ *
1001
+ * Pass keyringId `'*'` to fire on every change in the vault.
1002
+ */
1003
+ subscribe<T = unknown>(keyringId: string, cb: (env: UserEnvelope<T> | null) => void): Unsubscribe;
1004
+ /**
1005
+ * Reactive handle that caches the current value and re-reads on every
1006
+ * change for the given keyringId. Convenient for framework bindings:
1007
+ *
1008
+ * const live = vault.user.live<UserShape>(vault.userId)
1009
+ * live.subscribe(env => render(env?.data))
1010
+ *
1011
+ * Initial value is `null` until the first `current()` call materializes
1012
+ * it via `vault.user.get()`. Call `stop()` when done to release the
1013
+ * subscription.
1014
+ */
1015
+ live<T = unknown>(keyringId: string): LiveUserEnvelope<T>;
1016
+ private fireChange;
434
1017
  }
435
- declare function persistSchemaIfNeeded(opts: {
436
- readonly store: NoydbStore;
437
- readonly vault: string;
438
- readonly collectionName: string;
439
- readonly validator: unknown;
440
- readonly dek: CryptoKey;
441
- readonly strategies?: readonly SchemaUpdateStrategy[];
442
- }): Promise<PersistSchemaResult>;
443
1018
 
444
1019
  /**
445
1020
  * Authentication introspection.
@@ -492,8 +1067,8 @@ declare function describeAllUsersAuth(store: NoydbStore, vault: string): Promise
492
1067
  * `_meta/policy` — the directory document is plain JSON, the
493
1068
  * envelope's `_iv` field is left empty.
494
1069
  *
495
- * @see docs/subsystems/user-envelope.md → Directory visibility
496
- * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site
1070
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md → Directory visibility
1071
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/plaintext-bypass.md — every `_iv: ''` write site
497
1072
  *
498
1073
  * @module
499
1074
  */
@@ -533,8 +1108,8 @@ declare function persistDirectoryConfig(store: NoydbStore, vault: string, config
533
1108
  * work even when decryption fails (legacy keyrings predating the
534
1109
  * envelope feature, or a corrupted envelope).
535
1110
  *
536
- * @see docs/subsystems/user-envelope.md → Directory visibility
537
- * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site
1111
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md → Directory visibility
1112
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/plaintext-bypass.md — every `_iv: ''` write site
538
1113
  *
539
1114
  * @module
540
1115
  */
@@ -564,60 +1139,107 @@ declare function persistUserVisibility(store: NoydbStore, vault: string, keyring
564
1139
  */
565
1140
  declare function deleteUserVisibility(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
566
1141
 
567
- interface EncryptResult {
568
- iv: string;
569
- data: string;
570
- }
571
1142
  /**
572
- * Encrypt raw bytes with AES-256-GCM using a fresh random IV.
573
- * Used by the attachment store so binary blobs avoid double base64 encoding
574
- * (the existing `encrypt()` function calls `TextEncoder` on a string — here
575
- * we pass the `Uint8Array` directly to `subtle.encrypt`).
1143
+ * Return the ISO-4217 minor-unit scale for a currency code, or `null`
1144
+ * when the code is not in the known set (caller must supply an explicit
1145
+ * scale).
576
1146
  */
577
- declare function encryptBytes(data: Uint8Array, dek: CryptoKey): Promise<EncryptResult>;
1147
+ declare function scaleForCurrency(code: string): number | null;
1148
+
578
1149
  /**
579
- * Decrypt AES-256-GCM ciphertext back to raw bytes.
580
- * Counterpart to `encryptBytes`. Throws `TamperedError` on auth-tag failure.
1150
+ * Money-aware aggregation: exact `sum` / `min` / `max` over money
1151
+ * fields.
1152
+ *
1153
+ * The generic reducers (`aggregate/reducers.ts`) read a field via
1154
+ * `readNumber`, which coerces a string (the stored scaled-integer form
1155
+ * of money, e.g. `'12345'`) to `0` — so an un-wrapped money `sum` would
1156
+ * silently return zero. {@link wrapMoneyReducers} rewrites any `sum` /
1157
+ * `min` / `max` over a declared money field into a reducer that
1158
+ * accumulates per-currency `BigInt` totals of the stored integers, so
1159
+ * the result is exact for any magnitude (past `Number.MAX_SAFE_INTEGER`
1160
+ * included).
1161
+ *
1162
+ * Results are currency-aware and never silently mix currencies:
1163
+ * - **fixed** mode → a single exact decimal string.
1164
+ * - **multi** mode → an exact `Record<currency, string>` map.
1165
+ * - **`sum` with `convertTo` + `fx`** → a single exact string, with
1166
+ * each currency converted via BigInt arithmetic (no float).
1167
+ *
1168
+ * `remove()` is implemented for every money reducer so they participate
1169
+ * in incremental live-aggregation and materialized-view maintenance
1170
+ * exactly like the generic reducers they replace.
581
1171
  */
582
- declare function decryptBytes(ivBase64: string, dataBase64: string, dek: CryptoKey): Promise<Uint8Array>;
1172
+
1173
+ type FxRates = Record<string, number | string>;
1174
+
583
1175
  /**
584
- * Derive an AES-256-GCM presence key from a collection DEK using HKDF-SHA256.
585
- *
586
- * The presence key is domain-separated from the data DEK by the fixed salt
587
- * `'noydb-presence'` and the `info` = collection name. This means:
588
- * - The adapter never sees the presence key.
589
- * - Presence payloads rotate automatically when the collection DEK is rotated.
590
- * - Revoked users cannot derive the new presence key after a DEK rotation.
591
- *
592
- * @param dek The collection's AES-256-GCM DEK (extractable).
593
- * @param collectionName Used as the HKDF `info` parameter for domain separation.
594
- * @returns A non-extractable AES-256-GCM key suitable for presence payload encryption.
1176
+ * Exact money arithmetic helpers `mulRate` and `allocate`.
1177
+ *
1178
+ * Both operate on the canonical decoded string form that `get()`
1179
+ * returns (`'10000.00'`), entirely in scaled-`BigInt` space no
1180
+ * floating-point step anywhere, exact past 2^53. They are pure
1181
+ * functions with no vault or descriptor dependency: the working scale
1182
+ * is inferred from the amount's fractional digits (a canonical money
1183
+ * string always carries exactly the field's scale) or pinned with
1184
+ * `opts.scale`.
1185
+ *
1186
+ * Why these two: app-side invariants of the form
1187
+ * `Σ parts === whole` (receipt totals, net-zero WHT pairs, proration)
1188
+ * carry ±0.01 tolerances ONLY because the math is major-unit floats +
1189
+ * round2. `mulRate` (VAT-style rate application with explicit
1190
+ * rounding) and `allocate` (largest-remainder split — parts sum to the
1191
+ * input EXACTLY, by construction) make those tolerances zero.
595
1192
  */
596
- declare function derivePresenceKey(dek: CryptoKey, collectionName: string): Promise<CryptoKey>;
1193
+
1194
+ interface MulRateOptions {
1195
+ /**
1196
+ * Output scale (fraction digits). Defaults to the amount's own
1197
+ * fractional digits — for a canonical money string that IS the
1198
+ * field's scale.
1199
+ */
1200
+ readonly scale?: number;
1201
+ /** Rounding for the final re-scale. Default `'half-up'`. */
1202
+ readonly rounding?: RoundingMode;
1203
+ }
1204
+ interface AllocateOptions {
1205
+ /** Working scale. Defaults to the amount's own fractional digits. */
1206
+ readonly scale?: number;
1207
+ }
597
1208
  /**
598
- * Encrypt a plaintext string with AES-256-GCM and a deterministic,
599
- * HKDF-derived IV.
1209
+ * Multiply a money amount by a decimal rate, exactly.
600
1210
  *
601
- * The same `{ dek, context, plaintext }` triple always produces the
602
- * same `{ iv, data }` call this twice and you can string-compare the
603
- * ciphertexts to check equality of the inputs without decrypting them.
1211
+ * The rate is parsed at its OWN full precision (`0.07` `7` at scale
1212
+ * 2), the product computed in `BigInt` at `amountScale + rateScale`,
1213
+ * then re-scaled back to the output scale with the requested rounding
1214
+ * one rounding step, at the very end.
604
1215
  *
605
- * @param context Domain-separation string — by convention
606
- * `'<collection>/<field>'`. Different contexts encrypt
607
- * the same plaintext to different ciphertexts, so
608
- * `email` in collection `users` does not collide with
609
- * `email` in collection `customers`.
1216
+ * ```ts
1217
+ * mulRate('10000.00', 0.07) // '700.00' (VAT)
1218
+ * mulRate('33.33', '0.07') // '2.33' (half-up)
1219
+ * mulRate('33.33', 0.07, { rounding: 'floor' }) // '2.33'
1220
+ * mulRate(100, 0.07, { scale: 2 }) // '7.00'
1221
+ * ```
610
1222
  */
611
- declare function encryptDeterministic(plaintext: string, dek: CryptoKey, context: string): Promise<EncryptResult>;
1223
+ declare function mulRate(amount: number | string, rate: number | string, opts?: MulRateOptions): string;
612
1224
  /**
613
- * Counterpart to {@link encryptDeterministic}. The IV is stored
614
- * alongside the ciphertext (exactly like the randomized path), so
615
- * decrypt uses the stored IV and verifies the GCM auth tag — a tampered
616
- * ciphertext throws `TamperedError` just like randomized AES-GCM.
1225
+ * Split a money amount across weighted buckets with ZERO drift: the
1226
+ * returned parts sum to the input exactly, by construction
1227
+ * (largest-remainder method).
1228
+ *
1229
+ * Each bucket gets `floor(amount × weightᵢ / Σweights)`; the leftover
1230
+ * minor units (always fewer than the bucket count) go one each to the
1231
+ * buckets with the largest truncated remainders — ties broken by
1232
+ * position, earlier bucket first. Weights are parsed as exact decimals
1233
+ * (no float division anywhere); they must be non-negative with a
1234
+ * positive sum.
1235
+ *
1236
+ * ```ts
1237
+ * allocate('100.00', [1, 1, 1]) // ['33.34', '33.33', '33.33']
1238
+ * allocate('0.05', [3, 7]) // ['0.02', '0.03']
1239
+ * allocate('-100.00', [1, 1, 1]) // ['-33.34', '-33.33', '-33.33']
1240
+ * ```
617
1241
  */
618
- declare function decryptDeterministic(ivBase64: string, dataBase64: string, dek: CryptoKey): Promise<string>;
619
- declare function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
620
- declare function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer>;
1242
+ declare function allocate(amount: number | string, weights: ReadonlyArray<number | string>, opts?: AllocateOptions): string[];
621
1243
 
622
1244
  /**
623
1245
  * Hierarchical access — tier-aware keyring helpers.
@@ -660,117 +1282,133 @@ declare function effectiveClearance(keyring: UnlockedKeyring, collection: string
660
1282
  declare function assertTierAccess(keyring: UnlockedKeyring, collection: string, tier: number): void;
661
1283
 
662
1284
  /**
663
- * Vault-level diff orchestrator.
664
- *
665
- * Compares a live `Vault`'s plaintext state against a candidate state
666
- * (another vault, a plain `{ collection: records[] }` map, or a vault
667
- * dump JSON) and returns a structured `VaultDiff` plan listing the
668
- * records that would be added, modified, or deleted to bring the live
669
- * vault into the candidate's shape.
1285
+ * Default policy for personal vaults and SMB deployments — the gates
1286
+ * that need an off-device factor get one (TOTP / email-OTP / paper
1287
+ * recovery), the rest take a tier-1 unlock alone. Tier-3 (PIN) is the
1288
+ * floor only for `rotate-unlock` because that's the
1289
+ * "change my PIN" flow.
670
1290
  *
671
- * Builds on two existing record-level helpers:
1291
+ * The unspecified gates (e.g. `view-user-auth`) inherit the engine
1292
+ * default of `{ enabled: false, minTier: 1 }` — they fail closed.
672
1293
  *
673
- * 1. `diff(a, b)` from `./history/diff.ts` emits dot-pathed
674
- * `DiffEntry[]` with `type: 'added' | 'removed' | 'changed'` for
675
- * each changed field of two records. Used here for the
676
- * `fieldDiffs` of every `modified` entry, and (with empty result)
677
- * as the default deep-equal check.
1294
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/session-tiers.md Built-in gates
1295
+ */
1296
+ declare const PERSONAL_POLICY: VaultPolicy;
1297
+ /**
1298
+ * Strict policy for regulated deployments and shared workstations —
1299
+ * raises the phrase floor to 8 words, demands two distinct factors for
1300
+ * exports, and blocks export-on-shared-device. Use as a base for
1301
+ * `policy: { ...STRICT_POLICY, gates: { ...STRICT_POLICY.gates, ... } }`
1302
+ * tweaks.
1303
+ */
1304
+ declare const STRICT_POLICY: VaultPolicy;
1305
+ /**
1306
+ * Merge a developer override onto a preset. Unspecified gates inherit;
1307
+ * specified gates fully replace the preset's entry for that gate.
678
1308
  *
679
- * 2. `Vault.exportStream()` from `./vault.ts` — the canonical
680
- * decrypt-and-stream-records iterator. Used to walk both sides
681
- * when the candidate is itself a `Vault`. ACL-scoped: collections
682
- * the caller can't read silently drop out, the same way every
683
- * other plaintext-emitting export pipeline filters them.
1309
+ * Example:
684
1310
  *
685
- * The new orchestration is the **vault-level** enumeration: bucket
686
- * each record id into added (only in candidate), deleted (only in
687
- * vault), or modified (in both with field changes); leave the
688
- * field-level granularity to the existing `diff()`.
1311
+ * ```ts
1312
+ * mergePolicy(PERSONAL_POLICY, {
1313
+ * gates: {
1314
+ * 'app:approve-large-payment': { minTier: 2, factors: [{ anyOf: ['totp'] }] },
1315
+ * },
1316
+ * })
1317
+ * // → PERSONAL_POLICY plus the new app gate; existing gates intact.
1318
+ * ```
1319
+ */
1320
+ declare function mergePolicy(base: VaultPolicy, override?: Partial<VaultPolicy>): VaultPolicy;
1321
+
1322
+ /**
1323
+ * Policy gate engine — the {@link checkGate} entry point.
689
1324
  *
690
- * Use cases:
1325
+ * Given a configured {@link VaultPolicy}, an active session tier, and
1326
+ * the factor proofs an actor is presenting, decide whether the gate
1327
+ * permits the action. On denial, throws {@link PolicyDeniedError} with
1328
+ * a stable {@link PolicyDenyReason} so consumers can branch in error
1329
+ * UIs.
691
1330
  *
692
- * - Import preview (`@noy-db/as-*` `fromString` returns a plan
693
- * whose body is a `VaultDiff`).
694
- * - Backup verification ("does this `.noydb` bundle from yesterday
695
- * match the current vault?").
696
- * - Two-vault reconciliation ("what's different between Office A
697
- * and Office B before we sync?").
698
- * - Test assertions (golden-file testing with one-liner
699
- * `expect(plan.summary).toEqual(...)`).
1331
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/session-tiers.md checkGate() API
700
1332
  *
701
1333
  * @module
702
1334
  */
703
1335
 
704
- /** Per-record entry shapeadded and deleted records carry only the record value. */
705
- interface VaultDiffEntry<T = unknown> {
706
- readonly collection: string;
707
- readonly id: string;
708
- readonly record: T;
709
- }
710
- /** Modified records carry both halves of the diff plus the field-level breakdown. */
711
- interface VaultDiffModifiedEntry<T = unknown> extends VaultDiffEntry<T> {
712
- /** The record as it stands in the live vault. */
713
- readonly before: T;
714
- /** Top-level keys whose values differ between `before` and `record`. */
715
- readonly fieldsChanged: readonly string[];
716
- /**
717
- * Field-level diff entries from `diff(before, record)`. Reuses the
718
- * existing per-record diff helper so consumers can render git-style
719
- * `path: from → to` rows without re-walking the records.
720
- */
721
- readonly fieldDiffs: readonly DiffEntry[];
722
- }
723
- interface VaultDiff<T = unknown> {
724
- readonly added: readonly VaultDiffEntry<T>[];
725
- readonly modified: readonly VaultDiffModifiedEntry<T>[];
726
- readonly deleted: readonly VaultDiffEntry<T>[];
727
- /** Only populated when `options.includeUnchanged: true`. */
728
- readonly unchanged: readonly VaultDiffEntry<T>[] | undefined;
729
- readonly summary: {
730
- readonly add: number;
731
- readonly modify: number;
732
- readonly delete: number;
733
- readonly total: number;
734
- };
1336
+ /** Default freshness window5 minutes. */
1337
+ declare const DEFAULT_FRESHNESS_MS: number;
1338
+ /** Caller-supplied context for one `checkGate` invocation. */
1339
+ interface CheckGateContext {
1340
+ /** Tier the active session currently holds. */
1341
+ readonly activeTier: ActiveTier;
1342
+ /** Proofs the actor is presenting for this gate. */
1343
+ readonly factors?: ReadonlyArray<FactorProof>;
735
1344
  /**
736
- * Format the diff as a human-readable string.
737
- *
738
- * - `'count'` — one line, just the numbers (`12 added · 3 modified · 0 deleted`)
739
- * - `'one-line'` — count plus a single overview line
740
- * - `'full'` — count + one row per added/modified/deleted record (default)
1345
+ * If the host knows the actor is on a shared device, set this to
1346
+ * `true` so the engine can apply `warn.sharedDevice` rules. Defaults
1347
+ * to `false`.
741
1348
  */
742
- format(opts?: {
743
- detail?: 'count' | 'one-line' | 'full';
744
- }): string;
745
- }
746
- interface DiffOptions {
747
- /** Restrict the diff to a subset of collections. */
748
- readonly collections?: readonly string[];
749
- /** Field on each record that carries its id. Defaults to `'id'`. */
750
- readonly idKey?: string;
751
- /** Override the default deep-equal check for "modified vs unchanged". */
752
- readonly compareFn?: (a: unknown, b: unknown) => boolean;
753
- /** If true, include unchanged records in the diff (off by default to save memory). */
754
- readonly includeUnchanged?: boolean;
1349
+ readonly sharedDevice?: boolean;
1350
+ /**
1351
+ * Override `now()` for tests. Defaults to `Date.now()`.
1352
+ * @internal
1353
+ */
1354
+ readonly now?: number;
755
1355
  }
756
1356
  /**
757
- * Candidate state to diff the vault against:
1357
+ * Decide whether `gate` permits the action under `context`. Throws
1358
+ * {@link PolicyDeniedError} on denial; resolves with `void` on success.
1359
+ *
1360
+ * Lookup rules:
1361
+ * - **Built-in gates** without a configured policy fail closed
1362
+ * (`enabled: false`).
1363
+ * - **App-defined gates** (`app:*`) without a configured policy are
1364
+ * treated as no-op (allow). The developer registered the policy if
1365
+ * they wanted enforcement; absence means the gate is informational.
1366
+ */
1367
+ declare function checkGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<void>;
1368
+ /**
1369
+ * Same as {@link checkGate} but returns a structured verdict instead
1370
+ * of throwing. Useful when an error UI wants to show the user
1371
+ * "you'll need TOTP plus a recovery code to do that" without first
1372
+ * triggering the action.
1373
+ */
1374
+ declare function describeGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<{
1375
+ ok: true;
1376
+ } | {
1377
+ ok: false;
1378
+ reason: PolicyDenyReason;
1379
+ required: GatePolicy;
1380
+ }>;
1381
+
1382
+ /**
1383
+ * Persistence helpers for the vault-level policy document
1384
+ * (`_meta/policy`). Mirrors the bypass-AES pattern used by
1385
+ * `_meta/handle` — the policy document is plain JSON, the envelope's
1386
+ * `_iv` field is left empty.
758
1387
  *
759
- * - A `Vault` instance both sides are walked via `exportStream()`.
760
- * - A `Record<collection, records[]>` map — same shape `as-json.toObject()`
761
- * produces. Useful for diffing parsed file content against the live vault.
762
- * - A `VaultDump` (output of `vault.dump()`) — a JSON string carrying the
763
- * full vault state. Parsed and reduced to the map shape above.
1388
+ * @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/session-tiers.md Storage location
1389
+ *
1390
+ * @module
764
1391
  */
765
- type DiffCandidate<T = unknown> = Vault | Record<string, readonly T[]> | string;
1392
+
1393
+ /** Reserved collection name for vault-level metadata documents. */
1394
+ declare const META_COLLECTION = "_meta";
1395
+ /** Reserved id for the vault-level policy document. */
1396
+ declare const POLICY_RECORD_ID = "policy";
766
1397
  /**
767
- * Compute the diff between a live vault and a candidate state.
1398
+ * Read the vault-level policy from `_meta/policy`. Returns `undefined`
1399
+ * when no policy has been persisted (fresh vault, or a vault written
1400
+ * before the policy module landed). The caller falls back to the
1401
+ * default preset.
768
1402
  *
769
- * Returns a fully buffered `VaultDiff` no streaming. Memory cost is
770
- * O(n + m) in the row count of vault + candidate. For documented
771
- * 1K-50K-record vaults this is fine; a streaming variant lands as a
772
- * follow-up if a > 100K-record consumer arrives.
1403
+ * Tolerates corrupted documents the same way `_meta/handle` does: a
1404
+ * JSON parse failure surfaces as `undefined`, not a thrown error, so
1405
+ * a bad write never permanently locks a vault.
1406
+ */
1407
+ declare function loadVaultPolicy(store: NoydbStore, vault: string): Promise<VaultPolicy | undefined>;
1408
+ /**
1409
+ * Persist the vault-level policy at `_meta/policy`. Idempotent — call
1410
+ * once at vault creation and again on `db.updatePolicy()` invocations.
773
1411
  */
774
- declare function diffVault<T = unknown>(vault: Vault, candidate: DiffCandidate<T>, options?: DiffOptions): Promise<VaultDiff<T>>;
1412
+ declare function saveVaultPolicy(store: NoydbStore, vault: string, policy: VaultPolicy): Promise<void>;
775
1413
 
776
- export { ActiveTier, type CheckGateContext, DEFAULT_FRESHNESS_MS, DIRECTORY_RECORD_ID, type DiffCandidate, DiffEntry, type DiffOptions, DirectoryConfig, FactorProof, GateName, GatePolicy, META_COLLECTION, ManagedRecoveryNotEnrolledError, NoydbError, NoydbStore, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, type PersistSchemaResult, PersistedSchemaEnvelope, PolicyDeniedError, type PolicyDenyReason, PublicEnvelope, RecoveryNotEnrolledError, RecoveryProfileNotImplementedError, SCHEMAS_COLLECTION, STRICT_POLICY, SchemaUpdateStrategy, UnlockedKeyring, UpdateDecision, UserEnvelope, UserVisibility, VISIBILITY_RECORD_PREFIX, Vault, type VaultDiff, type VaultDiffEntry, type VaultDiffModifiedEntry, VaultPolicy, additiveOnly, assertTierAccess, base64ToBuffer, blindUpdate, bufferToBase64, checkGate, coordinatedCutover, decryptBytes, decryptDeterministic, dekKey, deleteUserEnvelope, deleteUserVisibility, derivePersistedSchema, derivePresenceKey, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, diffVault, effectiveClearance, encryptBytes, encryptDeterministic, estimateRecordBytes, isZodSchema, listUserEnvelopeIds, loadPersistedSchema, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, lockSchema, mergePolicy, parseBytes, persistDirectoryConfig, persistSchemaIfNeeded, persistUserVisibility, readDirectoryConfig, readPublicEnvelope, readUserVisibility, savePersistedSchema, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy, visibilityRecordId };
1414
+ export { ActiveTier, type AgeRoute, type AllocateOptions, ApproveWithdrawalOptions, type BlobLifecyclePolicy, type BlobStoreRoute, type CheckGateContext, type CircuitBreakerOptions, CustodyStrategy, DEFAULT_FRESHNESS_MS, DIRECTORY_RECORD_ID, DeepPartialOrNull, type DirectoryConfig, EncryptedEnvelope, ExportAccessibleOptions, FactorProof, type FxRates, GateName, GatePolicy, type HealthCheckOptions, LiveUserEnvelope, type LogLevel, type LoggingOptions, META_COLLECTION, type MetricsOptions, type MulRateOptions, NoydbStore, type OverrideOptions, type OverrideTarget, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, type PersistSchemaResult, PersistedSchemaEnvelope, PolicyDenyReason, PublicEnvelope, RejectWithdrawalOptions, RequestWithdrawalOptions, RequestWithdrawalResult, type RetryOptions, RoundingMode, type RouteStatus, type RouteStoreOptions, type RoutedNoydbStore, SCHEMAS_COLLECTION, STRICT_POLICY, SchemaUpdateStrategy, SearchStrategy, SequenceStrategy, type StoreCacheOptions, type StoreMiddleware, type StoreOperation, type SuspendOptions, type Tokenizer, UnlockedKeyring, Unsubscribe, UpdateDecision, UserApi, UserEnvelope, UserEnvelopePresented, type UserVisibility, VISIBILITY_RECORD_PREFIX, VaultPolicy, WithdrawAccessibleOptions, WithdrawResult, WithdrawalRequest, WithdrawalRequestStatus, additiveOnly, allocate, assertTierAccess, blindUpdate, checkGate, coordinatedCutover, dekKey, deleteUserEnvelope, deleteUserVisibility, derivePersistedSchema, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, effectiveClearance, estimateRecordBytes, isZodSchema, listUserEnvelopeIds, loadPersistedSchema, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, lockSchema, memoryStore, mergePolicy, mulRate, parseBytes, persistDirectoryConfig, persistSchemaIfNeeded, persistUserVisibility, readDirectoryConfig, readPlaintextRecord, readPublicEnvelope, readUserVisibility, routeStore, savePersistedSchema, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy, scaleForCurrency, tokenize, visibilityRecordId, withCache, withCircuitBreaker, withCustody, withHealthCheck, withLogging, withMetrics, withRetry, withSearch, withSequence, wrapStore };