@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (383) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-JOXUNSKP.js +20 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +12 -6
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +19 -13
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-KMJQ66MF.js → backup-MOB27UUN.js} +12 -6
  13. package/dist/{backup-KMJQ66MF.js.map → backup-MOB27UUN.js.map} +1 -1
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +11 -5
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +21 -15
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-PwBGkhpe.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +23 -17
  24. package/dist/{chunk-SMXWYP24.js → chunk-3QRQOBS7.js} +3 -3
  25. package/dist/{chunk-QHJW5EXU.js → chunk-3Y4QLJ6K.js} +2 -2
  26. package/dist/{chunk-NF5JWERG.js → chunk-43ISXURO.js} +2 -2
  27. package/dist/{chunk-5LUY7UTV.js → chunk-4K3MQ5S3.js} +2 -2
  28. package/dist/{chunk-QZISFCVG.js → chunk-5CY35H55.js} +11 -9
  29. package/dist/{chunk-QZISFCVG.js.map → chunk-5CY35H55.js.map} +1 -1
  30. package/dist/chunk-5EWYUR5P.js +37 -0
  31. package/dist/chunk-5EWYUR5P.js.map +1 -0
  32. package/dist/{chunk-Y22T3KQE.js → chunk-5MRE3C4Q.js} +5 -5
  33. package/dist/{chunk-M6OST55S.js → chunk-5W7AOFWA.js} +2 -2
  34. package/dist/{chunk-AXRXJTE2.js → chunk-6HNKCKFZ.js} +7 -7
  35. package/dist/{chunk-UAG5KWVA.js → chunk-6RXPSMKR.js} +3 -3
  36. package/dist/{chunk-TJYQIGAP.js → chunk-7J7JRYXW.js} +9 -5
  37. package/dist/chunk-7J7JRYXW.js.map +1 -0
  38. package/dist/{chunk-UDRIWL7A.js → chunk-A5DYVMDR.js} +3 -3
  39. package/dist/chunk-AF5ZRTZ4.js +108 -0
  40. package/dist/chunk-AF5ZRTZ4.js.map +1 -0
  41. package/dist/{chunk-I3TIKTJO.js → chunk-BKGIWGCX.js} +2 -2
  42. package/dist/{chunk-IO6GRPT6.js → chunk-BMQOH7MM.js} +2 -2
  43. package/dist/{chunk-26LGBE4T.js → chunk-CPXPHQGX.js} +6 -4
  44. package/dist/{chunk-26LGBE4T.js.map → chunk-CPXPHQGX.js.map} +1 -1
  45. package/dist/{chunk-FISN7WE4.js → chunk-EWR7HL3K.js} +4 -4
  46. package/dist/{chunk-AQTBSL7R.js → chunk-FH52CDEW.js} +5 -5
  47. package/dist/chunk-G4MGYGSS.js +130 -0
  48. package/dist/chunk-G4MGYGSS.js.map +1 -0
  49. package/dist/{chunk-UV5MFVO3.js → chunk-G7RDYYTE.js} +2 -2
  50. package/dist/{chunk-UIU2THRG.js → chunk-GBTUANXF.js} +16 -297
  51. package/dist/chunk-GBTUANXF.js.map +1 -0
  52. package/dist/{chunk-TEILUWOI.js → chunk-GOUNIHFA.js} +10 -10
  53. package/dist/{chunk-LXQT4WMP.js → chunk-GQOT6QJR.js} +8 -6
  54. package/dist/{chunk-LXQT4WMP.js.map → chunk-GQOT6QJR.js.map} +1 -1
  55. package/dist/{chunk-RUEKROOS.js → chunk-GXGK22QU.js} +2 -2
  56. package/dist/{chunk-IELYAOGG.js → chunk-GZZL5R73.js} +4 -4
  57. package/dist/{chunk-JNUWZ6D3.js → chunk-H5XRIJX3.js} +7 -5
  58. package/dist/{chunk-JNUWZ6D3.js.map → chunk-H5XRIJX3.js.map} +1 -1
  59. package/dist/{chunk-CWPPNPOH.js → chunk-H7RYPVMJ.js} +2 -2
  60. package/dist/{chunk-5N6CZTCY.js → chunk-HBKDR7R3.js} +3 -3
  61. package/dist/{chunk-KXGNJJXB.js → chunk-HLUKZ36Q.js} +9 -9
  62. package/dist/{chunk-LMTH2RM6.js → chunk-HMXLN43G.js} +2 -2
  63. package/dist/{chunk-BG3SPSR4.js → chunk-HY6ZGGEC.js} +2 -2
  64. package/dist/{chunk-UPJNJGGA.js → chunk-K5P46KB3.js} +27 -10
  65. package/dist/chunk-K5P46KB3.js.map +1 -0
  66. package/dist/chunk-KYY7L72M.js +106 -0
  67. package/dist/chunk-KYY7L72M.js.map +1 -0
  68. package/dist/{chunk-62QYRORB.js → chunk-LIP6JWYK.js} +3 -3
  69. package/dist/{chunk-5TDJ56JE.js → chunk-LN22XH4B.js} +1 -1
  70. package/dist/chunk-LN22XH4B.js.map +1 -0
  71. package/dist/chunk-LP7BEXCT.js +32 -0
  72. package/dist/chunk-LP7BEXCT.js.map +1 -0
  73. package/dist/{chunk-IGUYVGGI.js → chunk-LPRPVCNY.js} +5 -5
  74. package/dist/{chunk-AIWULCUO.js → chunk-M66NAZA4.js} +5 -3
  75. package/dist/{chunk-AIWULCUO.js.map → chunk-M66NAZA4.js.map} +1 -1
  76. package/dist/{chunk-KVOXU4T5.js → chunk-N5YVZHCB.js} +2 -2
  77. package/dist/{chunk-76722EBH.js → chunk-NB47TXGP.js} +14 -12
  78. package/dist/{chunk-76722EBH.js.map → chunk-NB47TXGP.js.map} +1 -1
  79. package/dist/chunk-NO272T7Q.js +194 -0
  80. package/dist/chunk-NO272T7Q.js.map +1 -0
  81. package/dist/{chunk-SRB2XEWB.js → chunk-O2DB4C3M.js} +8 -6
  82. package/dist/{chunk-SRB2XEWB.js.map → chunk-O2DB4C3M.js.map} +1 -1
  83. package/dist/{chunk-IUEN57TV.js → chunk-OFBFAVLI.js} +6 -6
  84. package/dist/{chunk-MTMJVJ5W.js → chunk-OPTFANOX.js} +5 -3
  85. package/dist/chunk-OPTFANOX.js.map +1 -0
  86. package/dist/{chunk-5O3AOPDT.js → chunk-OVO2RZAE.js} +212 -439
  87. package/dist/chunk-OVO2RZAE.js.map +1 -0
  88. package/dist/{chunk-GYGWYIOZ.js → chunk-P27Z66EB.js} +7 -5
  89. package/dist/{chunk-GYGWYIOZ.js.map → chunk-P27Z66EB.js.map} +1 -1
  90. package/dist/{chunk-HCIPRAGS.js → chunk-P2LDXRGP.js} +2 -2
  91. package/dist/chunk-P3NGV5RV.js +41 -0
  92. package/dist/chunk-P3NGV5RV.js.map +1 -0
  93. package/dist/{chunk-5R3ERCDH.js → chunk-P3V7JTB6.js} +25 -9
  94. package/dist/{chunk-5R3ERCDH.js.map → chunk-P3V7JTB6.js.map} +1 -1
  95. package/dist/{chunk-LV7M27WM.js → chunk-P5WXDYMD.js} +8 -197
  96. package/dist/chunk-P5WXDYMD.js.map +1 -0
  97. package/dist/chunk-PGFY7IRW.js +95 -0
  98. package/dist/chunk-PGFY7IRW.js.map +1 -0
  99. package/dist/chunk-QKVILR7N.js +25 -0
  100. package/dist/chunk-QKVILR7N.js.map +1 -0
  101. package/dist/{chunk-V7RWQRG7.js → chunk-QNTEDPWP.js} +3 -3
  102. package/dist/{chunk-Q7SS3IME.js → chunk-RDHAGBEB.js} +3 -3
  103. package/dist/{chunk-EIZUR2XW.js → chunk-RTS23VIJ.js} +2 -2
  104. package/dist/{chunk-LFLXAY2W.js → chunk-SEQ2JI3Y.js} +9 -7
  105. package/dist/{chunk-LFLXAY2W.js.map → chunk-SEQ2JI3Y.js.map} +1 -1
  106. package/dist/{chunk-AZAOEIKW.js → chunk-SW56GSYC.js} +2 -2
  107. package/dist/{chunk-TA66UMI4.js → chunk-T2EGAXPM.js} +2 -2
  108. package/dist/{chunk-SM3AVUHC.js → chunk-T45LAT2Y.js} +2 -2
  109. package/dist/{chunk-SKF73JOP.js → chunk-T65UZXR6.js} +3 -3
  110. package/dist/{chunk-ITNUCOXM.js → chunk-TB5RNNJ4.js} +7 -5
  111. package/dist/{chunk-ITNUCOXM.js.map → chunk-TB5RNNJ4.js.map} +1 -1
  112. package/dist/chunk-TCIUO62Z.js +29 -0
  113. package/dist/chunk-TCIUO62Z.js.map +1 -0
  114. package/dist/chunk-THNJ3IKU.js +17 -0
  115. package/dist/chunk-THNJ3IKU.js.map +1 -0
  116. package/dist/chunk-TLJOJBZD.js +404 -0
  117. package/dist/chunk-TLJOJBZD.js.map +1 -0
  118. package/dist/chunk-TQ3REHVF.js +95 -0
  119. package/dist/chunk-TQ3REHVF.js.map +1 -0
  120. package/dist/{chunk-DGDI2D4M.js → chunk-TVRQ3RYH.js} +28 -7
  121. package/dist/chunk-TVRQ3RYH.js.map +1 -0
  122. package/dist/{chunk-PSMV73A5.js → chunk-TYGW5TOR.js} +7 -7
  123. package/dist/{chunk-ZYUC53LT.js → chunk-U23JUUPX.js} +58 -2
  124. package/dist/{chunk-ZYUC53LT.js.map → chunk-U23JUUPX.js.map} +1 -1
  125. package/dist/{chunk-3YFXJ3ZP.js → chunk-U24XHXNK.js} +2 -2
  126. package/dist/chunk-ULIHDPKL.js +94 -0
  127. package/dist/chunk-ULIHDPKL.js.map +1 -0
  128. package/dist/chunk-UOEWDCUX.js +69 -0
  129. package/dist/chunk-UOEWDCUX.js.map +1 -0
  130. package/dist/{chunk-WWGT2MDV.js → chunk-VAWY44JW.js} +8 -8
  131. package/dist/{chunk-WWGT2MDV.js.map → chunk-VAWY44JW.js.map} +1 -1
  132. package/dist/chunk-VFRNWE5P.js +239 -0
  133. package/dist/chunk-VFRNWE5P.js.map +1 -0
  134. package/dist/{chunk-IPB7FTQX.js → chunk-VMJ5URU7.js} +10 -8
  135. package/dist/chunk-VMJ5URU7.js.map +1 -0
  136. package/dist/{chunk-VFQGRQIH.js → chunk-VPCMJ5Z4.js} +7 -5
  137. package/dist/{chunk-VFQGRQIH.js.map → chunk-VPCMJ5Z4.js.map} +1 -1
  138. package/dist/{chunk-VCTFO5CO.js → chunk-VRPBEOWU.js} +2 -2
  139. package/dist/{chunk-ZCGAHGUS.js → chunk-VWGCJUTV.js} +2 -2
  140. package/dist/{chunk-XXYIOFUB.js → chunk-XJR3COJO.js} +5 -5
  141. package/dist/{chunk-PKHL44ER.js → chunk-XYYW64LB.js} +2 -2
  142. package/dist/{chunk-IAGBDSCS.js → chunk-YFF2RP3X.js} +2 -2
  143. package/dist/{chunk-MD3Y6J3L.js → chunk-Z3FZC5GV.js} +7 -5
  144. package/dist/{chunk-MD3Y6J3L.js.map → chunk-Z3FZC5GV.js.map} +1 -1
  145. package/dist/{chunk-DFEMTNPJ.js → chunk-Z5PIUYNB.js} +10 -8
  146. package/dist/{chunk-DFEMTNPJ.js.map → chunk-Z5PIUYNB.js.map} +1 -1
  147. package/dist/{chunk-WYSO2NIH.js → chunk-Z7KI4WHR.js} +2 -2
  148. package/dist/chunk-ZKF6HH7V.js +120 -0
  149. package/dist/chunk-ZKF6HH7V.js.map +1 -0
  150. package/dist/{chunk-I2NOIW44.js → chunk-ZKYMKF2S.js} +8 -6
  151. package/dist/{chunk-I2NOIW44.js.map → chunk-ZKYMKF2S.js.map} +1 -1
  152. package/dist/{chunk-PSHOXR6C.js → chunk-ZPHDGUZZ.js} +737 -1082
  153. package/dist/chunk-ZPHDGUZZ.js.map +1 -0
  154. package/dist/{chunk-CMGR4ZEW.js → chunk-ZROMNP7Q.js} +2 -2
  155. package/dist/classified/index.d.ts +17 -0
  156. package/dist/classified/index.js +38 -0
  157. package/dist/collection-facade-MKEBZDWW.js +39 -0
  158. package/dist/computed-BMMEFRFJ.js +11 -0
  159. package/dist/config-drift-KGM7ZRW4.js +24 -0
  160. package/dist/config-drift-KGM7ZRW4.js.map +1 -0
  161. package/dist/consent/index.d.ts +3 -3
  162. package/dist/consent/index.js +10 -4
  163. package/dist/consent/index.js.map +1 -1
  164. package/dist/crdt/index.d.ts +3 -3
  165. package/dist/delegation-BQNIEHZE.js +25 -0
  166. package/dist/derivations/index.d.ts +4 -4
  167. package/dist/derivations/index.js +12 -6
  168. package/dist/describe/index.d.ts +1 -1
  169. package/dist/{describe-Ccd1hS7a.d.ts → describe-C6iHNlqJ.d.ts} +19 -0
  170. package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
  171. package/dist/{enclave-UL5LW66V.js → enclave-YN6223OG.js} +47 -18
  172. package/dist/executor-CBTNU5VZ.js +9 -0
  173. package/dist/executor-DJHNSTIR.js +9 -0
  174. package/dist/executor-FGISLQIN.js +21 -0
  175. package/dist/export-accessible-P7SLRLK3.js +23 -0
  176. package/dist/extract-partition-RNVSFHAB.js +36 -0
  177. package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-WS22Q5WH.js} +17 -14
  178. package/dist/fanout-sidecar-WS22Q5WH.js.map +1 -0
  179. package/dist/fence-watcher-DHQ775JB.js +69 -0
  180. package/dist/fence-watcher-DHQ775JB.js.map +1 -0
  181. package/dist/find-RNBG7LBY.js +11 -0
  182. package/dist/forget/index.js +10 -4
  183. package/dist/forget/index.js.map +1 -1
  184. package/dist/guards/index.d.ts +4 -4
  185. package/dist/guards/index.js +3 -3
  186. package/dist/{hash-CdSr06sm.d.ts → hash-D8Q5MJLA.d.ts} +7 -2
  187. package/dist/history/index.d.ts +4 -4
  188. package/dist/history/index.js +12 -6
  189. package/dist/history/index.js.map +1 -1
  190. package/dist/i18n/index.d.ts +3 -3
  191. package/dist/i18n/index.js +14 -8
  192. package/dist/i18n/index.js.map +1 -1
  193. package/dist/in/index.d.ts +2 -2
  194. package/dist/{index-_6At2_9_.d.ts → index-D4GQe1Rx.d.ts} +1058 -49
  195. package/dist/{index-CGLLRtFc.d.ts → index-DRxk8q_7.d.ts} +3 -3
  196. package/dist/index.d.ts +60 -15
  197. package/dist/index.js +1081 -121
  198. package/dist/index.js.map +1 -1
  199. package/dist/indexing/index.d.ts +3 -3
  200. package/dist/indexing/index.js +4 -4
  201. package/dist/issue-W5QG53B5.js +19 -0
  202. package/dist/json-schema-I22JCYCG.js +44 -0
  203. package/dist/json-schema-I22JCYCG.js.map +1 -0
  204. package/dist/kernel/index.d.ts +3 -3
  205. package/dist/kernel/index.js +13 -7
  206. package/dist/lazy/index.d.ts +21 -0
  207. package/dist/lazy/index.js +12 -0
  208. package/dist/{ledger-RYI35CDS.js → ledger-KZWBKAG5.js} +12 -6
  209. package/dist/liberate-GMGCHIND.js +24 -0
  210. package/dist/link-set-UQEIYQAM.js +31 -0
  211. package/dist/materialized-views/index.d.ts +4 -4
  212. package/dist/materialized-views/index.js +16 -10
  213. package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
  214. package/dist/noydb-KS2O2MRI.js +60 -0
  215. package/dist/on/index.d.ts +2 -2
  216. package/dist/on/index.js +10 -4
  217. package/dist/overlay-views/index.d.ts +4 -4
  218. package/dist/overlay-views/index.js +4 -4
  219. package/dist/periods/index.d.ts +3 -3
  220. package/dist/periods/index.js +13 -7
  221. package/dist/pod/index.d.ts +3 -3
  222. package/dist/pod/index.js +12 -6
  223. package/dist/{policy-IXK4FVXP.js → policy-YIKUH4AD.js} +5 -5
  224. package/dist/portability/index.d.ts +3 -3
  225. package/dist/portability/index.js +8 -8
  226. package/dist/{public-envelope-JHDQCPSX.js → public-envelope-MRN5YYZZ.js} +4 -4
  227. package/dist/query/index.d.ts +2 -2
  228. package/dist/query/index.js +6 -6
  229. package/dist/register-K6DDSIXN.js +21 -0
  230. package/dist/registry-IMNMHWTM.js +17 -0
  231. package/dist/registry-K6VUQXKV.js +19 -0
  232. package/dist/registry-ZVO3T4M5.js +9 -0
  233. package/dist/registry-ZVO3T4M5.js.map +1 -0
  234. package/dist/request-withdrawal-EHALV66Y.js +31 -0
  235. package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
  236. package/dist/reveal-TBLTFWQ2.js +38 -0
  237. package/dist/reveal-TBLTFWQ2.js.map +1 -0
  238. package/dist/revoke-MHAUAESM.js +24 -0
  239. package/dist/revoke-MHAUAESM.js.map +1 -0
  240. package/dist/sealed-record/index.d.ts +3 -3
  241. package/dist/sealed-record/index.js +13 -7
  242. package/dist/sealed-record/index.js.map +1 -1
  243. package/dist/session/index.d.ts +4 -4
  244. package/dist/session/index.js +10 -4
  245. package/dist/session/index.js.map +1 -1
  246. package/dist/shadow/index.d.ts +3 -3
  247. package/dist/shadow/index.js +2 -2
  248. package/dist/signer-PQ74YXRY.js +25 -0
  249. package/dist/signer-PQ74YXRY.js.map +1 -0
  250. package/dist/snapshots/index.d.ts +3 -3
  251. package/dist/snapshots/index.js +11 -5
  252. package/dist/snapshots/index.js.map +1 -1
  253. package/dist/{stale-3JWHNDIY.js → stale-7Q62KVI3.js} +2 -2
  254. package/dist/stale-7Q62KVI3.js.map +1 -0
  255. package/dist/storage-5E6YB2JY.js +21 -0
  256. package/dist/storage-5E6YB2JY.js.map +1 -0
  257. package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-JJCEMTAE.js} +3 -3
  258. package/dist/sync/index.d.ts +2 -2
  259. package/dist/sync/index.js +10 -4
  260. package/dist/sync/index.js.map +1 -1
  261. package/dist/team/index.d.ts +18 -4
  262. package/dist/team/index.js +24 -11
  263. package/dist/tiers/index.d.ts +2 -2
  264. package/dist/tiers/index.js +11 -5
  265. package/dist/to/index.d.ts +2 -2
  266. package/dist/to/index.js +1 -1
  267. package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
  268. package/dist/tx/index.d.ts +3 -3
  269. package/dist/tx/index.js +3 -3
  270. package/dist/ui/index.d.ts +1 -1
  271. package/dist/util/index.js +1 -1
  272. package/dist/validators-Ctgkj5qd.d.ts +101 -0
  273. package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
  274. package/dist/verify-YB5LQHNA.js +139 -0
  275. package/dist/verify-YB5LQHNA.js.map +1 -0
  276. package/dist/walk-5C3GPKT2.js +241 -0
  277. package/dist/walk-5C3GPKT2.js.map +1 -0
  278. package/dist/with/index.d.ts +3 -3
  279. package/dist/with/index.js +12 -6
  280. package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
  281. package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
  282. package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
  283. package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
  284. package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
  285. package/package.json +11 -3
  286. package/dist/api-RW3KP7WU.js +0 -14
  287. package/dist/chunk-5O3AOPDT.js.map +0 -1
  288. package/dist/chunk-5TDJ56JE.js.map +0 -1
  289. package/dist/chunk-DGDI2D4M.js.map +0 -1
  290. package/dist/chunk-IPB7FTQX.js.map +0 -1
  291. package/dist/chunk-LV7M27WM.js.map +0 -1
  292. package/dist/chunk-M2YKN37S.js +0 -524
  293. package/dist/chunk-M2YKN37S.js.map +0 -1
  294. package/dist/chunk-MTMJVJ5W.js.map +0 -1
  295. package/dist/chunk-PSHOXR6C.js.map +0 -1
  296. package/dist/chunk-TJYQIGAP.js.map +0 -1
  297. package/dist/chunk-UIU2THRG.js.map +0 -1
  298. package/dist/chunk-UPJNJGGA.js.map +0 -1
  299. package/dist/collection-facade-GQAOGJP2.js +0 -33
  300. package/dist/delegation-UL5HKLER.js +0 -19
  301. package/dist/executor-2FWQRLMG.js +0 -15
  302. package/dist/executor-QZ7BXICW.js +0 -9
  303. package/dist/executor-Z5ZLJVTV.js +0 -9
  304. package/dist/export-accessible-KRV5W4GH.js +0 -17
  305. package/dist/extract-partition-GLKBOXFQ.js +0 -30
  306. package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
  307. package/dist/issue-Y6UVIR43.js +0 -13
  308. package/dist/liberate-CRPZEV7O.js +0 -18
  309. package/dist/noydb-LDEBLNHY.js +0 -50
  310. package/dist/registry-45RJNWGU.js +0 -9
  311. package/dist/registry-5GRV5VXI.js +0 -13
  312. package/dist/registry-WEUCHBO4.js +0 -11
  313. package/dist/request-withdrawal-GBPH2FDY.js +0 -25
  314. package/dist/revoke-TUFRGI6S.js +0 -18
  315. package/dist/signer-PNKTBVF7.js +0 -19
  316. package/dist/withdraw-accessible-FFS46EOD.js +0 -22
  317. /package/dist/{api-RW3KP7WU.js.map → api-JOXUNSKP.js.map} +0 -0
  318. /package/dist/{chunk-SMXWYP24.js.map → chunk-3QRQOBS7.js.map} +0 -0
  319. /package/dist/{chunk-QHJW5EXU.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
  320. /package/dist/{chunk-NF5JWERG.js.map → chunk-43ISXURO.js.map} +0 -0
  321. /package/dist/{chunk-5LUY7UTV.js.map → chunk-4K3MQ5S3.js.map} +0 -0
  322. /package/dist/{chunk-Y22T3KQE.js.map → chunk-5MRE3C4Q.js.map} +0 -0
  323. /package/dist/{chunk-M6OST55S.js.map → chunk-5W7AOFWA.js.map} +0 -0
  324. /package/dist/{chunk-AXRXJTE2.js.map → chunk-6HNKCKFZ.js.map} +0 -0
  325. /package/dist/{chunk-UAG5KWVA.js.map → chunk-6RXPSMKR.js.map} +0 -0
  326. /package/dist/{chunk-UDRIWL7A.js.map → chunk-A5DYVMDR.js.map} +0 -0
  327. /package/dist/{chunk-I3TIKTJO.js.map → chunk-BKGIWGCX.js.map} +0 -0
  328. /package/dist/{chunk-IO6GRPT6.js.map → chunk-BMQOH7MM.js.map} +0 -0
  329. /package/dist/{chunk-FISN7WE4.js.map → chunk-EWR7HL3K.js.map} +0 -0
  330. /package/dist/{chunk-AQTBSL7R.js.map → chunk-FH52CDEW.js.map} +0 -0
  331. /package/dist/{chunk-UV5MFVO3.js.map → chunk-G7RDYYTE.js.map} +0 -0
  332. /package/dist/{chunk-TEILUWOI.js.map → chunk-GOUNIHFA.js.map} +0 -0
  333. /package/dist/{chunk-RUEKROOS.js.map → chunk-GXGK22QU.js.map} +0 -0
  334. /package/dist/{chunk-IELYAOGG.js.map → chunk-GZZL5R73.js.map} +0 -0
  335. /package/dist/{chunk-CWPPNPOH.js.map → chunk-H7RYPVMJ.js.map} +0 -0
  336. /package/dist/{chunk-5N6CZTCY.js.map → chunk-HBKDR7R3.js.map} +0 -0
  337. /package/dist/{chunk-KXGNJJXB.js.map → chunk-HLUKZ36Q.js.map} +0 -0
  338. /package/dist/{chunk-LMTH2RM6.js.map → chunk-HMXLN43G.js.map} +0 -0
  339. /package/dist/{chunk-BG3SPSR4.js.map → chunk-HY6ZGGEC.js.map} +0 -0
  340. /package/dist/{chunk-62QYRORB.js.map → chunk-LIP6JWYK.js.map} +0 -0
  341. /package/dist/{chunk-IGUYVGGI.js.map → chunk-LPRPVCNY.js.map} +0 -0
  342. /package/dist/{chunk-KVOXU4T5.js.map → chunk-N5YVZHCB.js.map} +0 -0
  343. /package/dist/{chunk-IUEN57TV.js.map → chunk-OFBFAVLI.js.map} +0 -0
  344. /package/dist/{chunk-HCIPRAGS.js.map → chunk-P2LDXRGP.js.map} +0 -0
  345. /package/dist/{chunk-V7RWQRG7.js.map → chunk-QNTEDPWP.js.map} +0 -0
  346. /package/dist/{chunk-Q7SS3IME.js.map → chunk-RDHAGBEB.js.map} +0 -0
  347. /package/dist/{chunk-EIZUR2XW.js.map → chunk-RTS23VIJ.js.map} +0 -0
  348. /package/dist/{chunk-AZAOEIKW.js.map → chunk-SW56GSYC.js.map} +0 -0
  349. /package/dist/{chunk-TA66UMI4.js.map → chunk-T2EGAXPM.js.map} +0 -0
  350. /package/dist/{chunk-SM3AVUHC.js.map → chunk-T45LAT2Y.js.map} +0 -0
  351. /package/dist/{chunk-SKF73JOP.js.map → chunk-T65UZXR6.js.map} +0 -0
  352. /package/dist/{chunk-PSMV73A5.js.map → chunk-TYGW5TOR.js.map} +0 -0
  353. /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U24XHXNK.js.map} +0 -0
  354. /package/dist/{chunk-VCTFO5CO.js.map → chunk-VRPBEOWU.js.map} +0 -0
  355. /package/dist/{chunk-ZCGAHGUS.js.map → chunk-VWGCJUTV.js.map} +0 -0
  356. /package/dist/{chunk-XXYIOFUB.js.map → chunk-XJR3COJO.js.map} +0 -0
  357. /package/dist/{chunk-PKHL44ER.js.map → chunk-XYYW64LB.js.map} +0 -0
  358. /package/dist/{chunk-IAGBDSCS.js.map → chunk-YFF2RP3X.js.map} +0 -0
  359. /package/dist/{chunk-WYSO2NIH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
  360. /package/dist/{chunk-CMGR4ZEW.js.map → chunk-ZROMNP7Q.js.map} +0 -0
  361. /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
  362. /package/dist/{delegation-UL5HKLER.js.map → collection-facade-MKEBZDWW.js.map} +0 -0
  363. /package/dist/{enclave-UL5LW66V.js.map → computed-BMMEFRFJ.js.map} +0 -0
  364. /package/dist/{executor-2FWQRLMG.js.map → delegation-BQNIEHZE.js.map} +0 -0
  365. /package/dist/{executor-QZ7BXICW.js.map → enclave-YN6223OG.js.map} +0 -0
  366. /package/dist/{executor-Z5ZLJVTV.js.map → executor-CBTNU5VZ.js.map} +0 -0
  367. /package/dist/{export-accessible-KRV5W4GH.js.map → executor-DJHNSTIR.js.map} +0 -0
  368. /package/dist/{extract-partition-GLKBOXFQ.js.map → executor-FGISLQIN.js.map} +0 -0
  369. /package/dist/{issue-Y6UVIR43.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
  370. /package/dist/{ledger-RYI35CDS.js.map → extract-partition-RNVSFHAB.js.map} +0 -0
  371. /package/dist/{liberate-CRPZEV7O.js.map → find-RNBG7LBY.js.map} +0 -0
  372. /package/dist/{noydb-LDEBLNHY.js.map → issue-W5QG53B5.js.map} +0 -0
  373. /package/dist/{policy-IXK4FVXP.js.map → lazy/index.js.map} +0 -0
  374. /package/dist/{public-envelope-JHDQCPSX.js.map → ledger-KZWBKAG5.js.map} +0 -0
  375. /package/dist/{registry-45RJNWGU.js.map → liberate-GMGCHIND.js.map} +0 -0
  376. /package/dist/{registry-5GRV5VXI.js.map → link-set-UQEIYQAM.js.map} +0 -0
  377. /package/dist/{registry-WEUCHBO4.js.map → noydb-KS2O2MRI.js.map} +0 -0
  378. /package/dist/{request-withdrawal-GBPH2FDY.js.map → policy-YIKUH4AD.js.map} +0 -0
  379. /package/dist/{revoke-TUFRGI6S.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
  380. /package/dist/{signer-PNKTBVF7.js.map → register-K6DDSIXN.js.map} +0 -0
  381. /package/dist/{stale-3JWHNDIY.js.map → registry-IMNMHWTM.js.map} +0 -0
  382. /package/dist/{withdraw-accessible-FFS46EOD.js.map → registry-K6VUQXKV.js.map} +0 -0
  383. /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
@@ -1,5 +1,5 @@
1
1
  import { L as LedgerEntry, F as ForgetStrategy, c as SubjectRef, a as ForgetResult } from './subject-index-O75wKshW.js';
2
- import { V as VaultMeta, a as CollectionMeta, F as FieldMeta, C as CollectionDescription, D as DescribeOptions } from './describe-Ccd1hS7a.js';
2
+ import { V as VaultMeta, a as CollectionMeta, F as FieldMeta, C as CollectionDescription, D as DescribeOptions } from './describe-C6iHNlqJ.js';
3
3
  import { C as CoordinationProvider, W as WriteEvent, a as WriteHook, U as Unsubscribe$3, b as WriteHookRegistry } from './index-B9QdHytu.js';
4
4
  import { AttestationFieldSchema, QrPayload, RevocationList } from '@noy-db/attestation';
5
5
 
@@ -630,6 +630,17 @@ declare class Lru<K, V> {
630
630
  * Internal service — not exported as a `@noy-db/hub/*` subpath.
631
631
  */
632
632
 
633
+ /**
634
+ * One classified per-slot verdict from {@link RecordCodec.classifySealedShred}.
635
+ * `shreddable` — CEK-only, tombstone makes it undecryptable. `dekResidue` —
636
+ * collection-DEK-keyed, survives in synced/backup copies. The third class is
637
+ * BOTH: a `_bidx` blind-index tag is live-dropped by the tombstone yet retained
638
+ * under the surviving DEK in any pre-forget backup (honest dual accounting).
639
+ */
640
+ type SealedShredSlot = {
641
+ readonly field: string;
642
+ readonly class: 'shreddable' | 'dekResidue' | 'live-shreddable+dekResidue-in-backups';
643
+ };
633
644
  /** Everything the moving crypto methods touched on `this.*`, as a flat context. */
634
645
  interface RecordCodecContext<T> {
635
646
  /** Collection name — the crypto AAD scope and schema-error context. */
@@ -646,6 +657,18 @@ interface RecordCodecContext<T> {
646
657
  readonly sensitiveFields: ReadonlySet<string>;
647
658
  /** Declared deterministic-index fields, or null. */
648
659
  readonly deterministicFields: ReadonlySet<string> | null;
660
+ /** Digest-only classified fields → verify policy (stage 2). Null when none. */
661
+ readonly vdigFields: ReadonlyMap<string, VdigFieldPolicy> | null;
662
+ /**
663
+ * C-A / R10 config-drift signal: the persisted `x-classified` marker's
664
+ * declared digest-only field set (empty when the collection carries no
665
+ * marker). Lazy, memoized (O(1) per handle after the first call). The R10
666
+ * superset guard refuses whenever a field in this set is absent from
667
+ * `vdigFields`. Consulted once per handle on any encrypted write path — the
668
+ * cross-session, prev-free signal a fully-naive create has no `prev` for.
669
+ * Undefined on codecs with no store access (direct-construction tests).
670
+ */
671
+ classifiedMarkerDigestOnly?(): Promise<readonly string[]>;
649
672
  /** CRDT mode (decrypt resolves CrdtState→snapshot when set). */
650
673
  readonly crdtMode: CrdtMode | undefined;
651
674
  /** CRDT strategy seam (resolveCrdtSnapshot). */
@@ -710,7 +733,10 @@ declare class RecordCodec<T> {
710
733
  * to pre-CEK behaviour, so non-adopting collections pay nothing.
711
734
  */
712
735
  encryptJsonString(json: string, version: number, cek?: EnclaveKey, source?: string, sourceTs?: string): Promise<EncryptedEnvelope>;
713
- encryptRecord(record: T, version: number, cek?: EnclaveKey, source?: string, sourceTs?: string): Promise<EncryptedEnvelope>;
736
+ encryptRecord(record: T, version: number, cek?: EnclaveKey, source?: string, sourceTs?: string, vdig?: {
737
+ readonly id: string;
738
+ readonly prev: EncryptedEnvelope | null;
739
+ }): Promise<EncryptedEnvelope>;
714
740
  /**
715
741
  * Resolve the per-record CEK for a stored envelope, or `undefined` for a
716
742
  * legacy (`_cek`-absent) envelope. Unwraps `_cek` under the collection DEK and
@@ -755,8 +781,7 @@ declare class RecordCodec<T> {
755
781
  * `_cek` (pure legacy collection-DEK sealing) ALL slots are residue.
756
782
  */
757
783
  classifySealedShred(live: EncryptedEnvelope): Promise<{
758
- shreddable: string[];
759
- dekResidue: string[];
784
+ readonly slots: readonly SealedShredSlot[];
760
785
  }>;
761
786
  /**
762
787
  * Build a non-leaking {@link Sealed} handle over a sealed field's ciphertext.
@@ -3377,6 +3402,16 @@ declare class AttestationError extends NoydbError {
3377
3402
  declare class AttestationNotEnabledError extends NoydbError {
3378
3403
  constructor(message?: string);
3379
3404
  }
3405
+ /**
3406
+ * Thrown when `collection.reveal()` is called without opting into the
3407
+ * classified capability (the default `NO_CLASSIFIED` stub). Classified reveal
3408
+ * is an opt-in, tree-shakeable capability: enable it with
3409
+ * `classifiedStrategy: withClassified()` from "@noy-db/hub/classified" in
3410
+ * createNoydb().
3411
+ */
3412
+ declare class ClassifiedNotEnabledError extends NoydbError {
3413
+ constructor(message?: string);
3414
+ }
3380
3415
  /**
3381
3416
  * Thrown when a hierarchical-tiers capability method (`putAtTier`, `getAtTier`,
3382
3417
  * `listAtTier`, `elevate`, `demote`) is called without opting into the tiers
@@ -3422,6 +3457,18 @@ declare class PortabilityNotEnabledError extends NoydbError {
3422
3457
  declare class CustodyNotEnabledError extends NoydbError {
3423
3458
  constructor(message?: string);
3424
3459
  }
3460
+ /**
3461
+ * Thrown when a multi-user team operation — `db.grant`, `db.revoke`, or
3462
+ * `db.rotate` — is called without opting into the team capability (the
3463
+ * default `NO_TEAM` stub). The always-on floor is single-user by design
3464
+ * (#267 keyring-grant → team split): enable multi-user grant/revoke/rotate
3465
+ * with `teamStrategy: withTeam()` from "@noy-db/hub/team" in createNoydb().
3466
+ * Single-user primitives (owner keyring, unlock, `listUsers`, `updateUser`,
3467
+ * passphrase rotate/recover) stay ungated.
3468
+ */
3469
+ declare class TeamNotEnabledError extends NoydbError {
3470
+ constructor(message?: string);
3471
+ }
3425
3472
  /**
3426
3473
  * Thrown when a search / retrieval capability method — `collection.search`,
3427
3474
  * `collection.retrieve`, `collection.similarTo`, `collection.warmIndex`,
@@ -3988,6 +4035,47 @@ declare class EnclaveNotSupportedError extends NoydbError {
3988
4035
  readonly group: 'sealing' | 'deterministic' | 'per-record-keys';
3989
4036
  constructor(group: 'sealing' | 'deterministic' | 'per-record-keys', detail?: string);
3990
4037
  }
4038
+ /**
4039
+ * Raised when a collection's `classifiedFields` configuration is invalid
4040
+ * (e.g. a claimed field name collides with a rider companion or another
4041
+ * classified field). Homed in `kernel/errors.ts` (rather than
4042
+ * `with-shape/classified/errors.ts`) so `kernel/enclave/classify/*` can throw
4043
+ * it without importing with-*; `with-shape/classified/errors.ts` re-exports
4044
+ * it under the same name for backward-compatible import paths.
4045
+ */
4046
+ declare class ClassifiedConfigError extends Error {
4047
+ readonly collection: string;
4048
+ constructor(collection: string, message: string);
4049
+ }
4050
+ /**
4051
+ * Raised by `collection.reveal()` when a field cannot be revealed — unknown
4052
+ * field, `storage:'never'`, or missing record. See {@link ClassifiedConfigError}
4053
+ * for why this lives in `kernel/errors.ts`.
4054
+ */
4055
+ declare class ClassifiedRevealError extends Error {
4056
+ readonly collection: string;
4057
+ readonly field: string;
4058
+ constructor(collection: string, field: string, detail: string);
4059
+ }
4060
+ /**
4061
+ * Raised by the classified verify path (`storage:'digest-only'`, stage 2)
4062
+ * when a field cannot be verified — unknown field, not digest-only, or no
4063
+ * digest stored yet.
4064
+ */
4065
+ declare class ClassifiedVerifyError extends Error {
4066
+ readonly collection: string;
4067
+ readonly field: string;
4068
+ constructor(collection: string, field: string, detail: string);
4069
+ }
4070
+ /**
4071
+ * Raised by the classified rotation path (stage 2) when a new value is
4072
+ * refused — e.g. reuse of one of the last N values (`notLastN`).
4073
+ */
4074
+ declare class ClassifiedRotationError extends Error {
4075
+ readonly collection: string;
4076
+ readonly field: string;
4077
+ constructor(collection: string, field: string, detail: string);
4078
+ }
3991
4079
 
3992
4080
  /**
3993
4081
  * The `money()` field descriptor — a branded schema-layer descriptor, a
@@ -4853,8 +4941,17 @@ interface ConsentContext {
4853
4941
  */
4854
4942
  readonly consentHash: string;
4855
4943
  }
4856
- /** Access operation recorded in an audit entry. */
4857
- type ConsentOp = 'get' | 'put' | 'delete';
4944
+ /**
4945
+ * Access operation recorded in an audit entry.
4946
+ *
4947
+ * Union-widening checklist (I-2) — these three sites widen together or a
4948
+ * downstream exhaustive switch breaks at its next in-range minor:
4949
+ * 1. `ConsentOp` here (public, re-exported at `index.ts`).
4950
+ * 2. `onAccess` op union on `kernel/collection-config.ts`.
4951
+ * 3. classified ctx `onAccess` op union on `with-shape/classified/strategy.ts`
4952
+ * (the `ClassifiedVerifyCtx` one — the `ClassifiedRevealCtx` one stays `'reveal'`-only).
4953
+ */
4954
+ type ConsentOp = 'get' | 'put' | 'delete' | 'reveal' | 'verify' | 'find';
4858
4955
  /** One consent-audit record, as decrypted for the caller. */
4859
4956
  interface ConsentAuditEntry {
4860
4957
  /** ULID — stable insertion-order key. */
@@ -5627,6 +5724,61 @@ interface PeriodsStrategy {
5627
5724
  appendPeriodLedgerEntry(ledger: LedgerStore | null, actor: string, envelope: EncryptedEnvelope, periodName: string): Promise<void>;
5628
5725
  }
5629
5726
 
5727
+ /**
5728
+ * Classified fields — behavioral sensitive-field descriptors (stage 1).
5729
+ * Design: docs/superpowers/specs/2026-07-04-classified-fields-design.md
5730
+ * Law: open on write, declarative on read — read-side behavior is this
5731
+ * closed vocabulary; there are no read-side callbacks.
5732
+ * @module
5733
+ */
5734
+ type ClassifiedStorage = 'recoverable' | 'never' | 'digest-only';
5735
+ type ClassifiedList = {
5736
+ readonly kind: 'omit';
5737
+ } | {
5738
+ readonly kind: 'mask';
5739
+ readonly pattern: string;
5740
+ } | {
5741
+ readonly kind: 'rider';
5742
+ readonly rider: string;
5743
+ };
5744
+ type ClassifiedRider = (value: unknown) => unknown;
5745
+ interface ClassifiedFieldSpec {
5746
+ readonly _noydbClassified: true;
5747
+ readonly preset: string;
5748
+ readonly storage: ClassifiedStorage;
5749
+ readonly list: ClassifiedList;
5750
+ readonly sensitivity: 'pii' | 'secret';
5751
+ /** Write-time safe projections; companion field name is `<field>_<rider>`. */
5752
+ readonly riders?: Record<string, ClassifiedRider>;
5753
+ /** Write-time validator: error message, or null when valid. */
5754
+ readonly validate?: (value: unknown) => string | null;
5755
+ /** Digest-only verify policy (stage 2). Mode both sides normalize under. */
5756
+ readonly verifyNormalize?: 'password' | 'secret-answer';
5757
+ /** Decorate ok:true verdicts with mustRotate after this many days (I1). */
5758
+ readonly rotateDays?: number;
5759
+ /** Refuse reuse of the last N values on rotate (cap 8, spec Q4). */
5760
+ readonly notLastN?: number;
5761
+ /** Member of the collection's matchGroup (secretAnswer preset). */
5762
+ readonly verifyGroupMember?: true;
5763
+ /**
5764
+ * Opt into a store-visible blind-index (`_bidx`) tag so equal values become
5765
+ * queryable/joinable while staying digest-only. Digest-only knob (R7); gated
5766
+ * behind the collection's `acknowledgeEquatableRisk` door (R8). Equal values
5767
+ * produce equal tags — a partition leak a DEK holder can offline-dictionary
5768
+ * at the PBKDF2 floor. Absent/false ⇒ refused-by-default.
5769
+ */
5770
+ readonly equatable?: true;
5771
+ }
5772
+ interface ClassifiedGroup {
5773
+ readonly _noydbClassifiedGroup: true;
5774
+ readonly preset: string;
5775
+ /** member record-field name -> spec (differential per-member policy). */
5776
+ readonly members: Record<string, ClassifiedFieldSpec>;
5777
+ }
5778
+ type ClassifiedEntry = ClassifiedFieldSpec | ClassifiedGroup;
5779
+ declare function isClassifiedFieldSpec(x: unknown): x is ClassifiedFieldSpec;
5780
+ declare function isClassifiedGroup(x: unknown): x is ClassifiedGroup;
5781
+
5630
5782
  /**
5631
5783
  * Computed scalar fields — schema-owned derived values evaluated on
5632
5784
  * write and materialized onto the record.
@@ -8260,6 +8412,7 @@ declare const NO_SEARCH: SearchStrategy;
8260
8412
  *
8261
8413
  * @module
8262
8414
  */
8415
+
8263
8416
  /** Family of Standard Schema v1 validator the persisted snapshot was derived from. */
8264
8417
  type PersistedSchemaKind = 'Zod' | 'Valibot' | 'ArkType' | 'Effect' | 'Unknown';
8265
8418
  /**
@@ -8284,6 +8437,15 @@ interface PersistedSchemaEnvelope {
8284
8437
  readonly reason?: string;
8285
8438
  /** ISO-8601 timestamp of the most recent derivation write. */
8286
8439
  readonly derivedAt: string;
8440
+ /**
8441
+ * C-A / R10 config-drift marker. Present when the collection declares
8442
+ * classified digest-only fields. A handle opened WITHOUT `classifiedFields`
8443
+ * (a naive handle, whose codec has `vdigFields === null`) reads this back and
8444
+ * refuses to write — a silent plaintext/tag-drop write would corrupt the
8445
+ * classified record. Independent of `persistJsonSchema`: a classified
8446
+ * collection that never opts into schema persistence still writes this marker.
8447
+ */
8448
+ readonly classified?: ClassifiedMarker;
8287
8449
  }
8288
8450
 
8289
8451
  /**
@@ -10818,6 +10980,48 @@ interface Assignment {
10818
10980
  serial: number;
10819
10981
  }
10820
10982
 
10983
+ /**
10984
+ * Lazy-mode capability contract (#267 Track A tail — lazy-mode promoted out
10985
+ * of `routing` into its own `lazy` service). Lives on the `/with` port (the
10986
+ * one seam the kernel spine may import statically) so `Collection` can hold
10987
+ * the back-compat default without a spine→service static import.
10988
+ *
10989
+ * Lazy mode (`prefetch: false`) skips bulk hydration: reads go per-id
10990
+ * against the store and land in a bounded LRU working set. The strategy owns
10991
+ * constructing that LRU:
10992
+ *
10993
+ * - `withLazy()` (`with-store/lazy/active.ts`, subpath `@noy-db/hub/lazy`)
10994
+ * is the explicit catalog opt-in — silent, forward-stable.
10995
+ * - {@link IMPLICIT_LAZY} is the floor default reached when a collection
10996
+ * declares `prefetch: false` WITHOUT `lazyStrategy: withLazy()`. It keeps
10997
+ * the pre-#267 behavior byte-for-byte (back-compat delegation, pre-1.0)
10998
+ * but emits a one-time deprecation warn outside test env. It will become
10999
+ * a throwing stub at 1.0, letting the LRU leave the floor bundle
11000
+ * entirely once the per-record-CEK cache stops pinning `Lru` there.
11001
+ *
11002
+ * The on-demand read/write branches themselves stay kernel-resident (they
11003
+ * are `if (this.lazy)` forks on the hot get/put/scan paths); the service
11004
+ * seam owns cache construction + budget validation, which is where the
11005
+ * opt-in and the future tree-shake win live.
11006
+ * @internal
11007
+ */
11008
+
11009
+ interface LazyStrategy {
11010
+ /**
11011
+ * Build the bounded LRU working-set cache for a lazy collection.
11012
+ * MUST throw when `cache` declares neither `maxRecords` nor `maxBytes` —
11013
+ * an unbounded lazy cache defeats the purpose.
11014
+ */
11015
+ createCache<V>(collection: string, cache: CacheOptions | undefined): Lru<string, V>;
11016
+ }
11017
+ /**
11018
+ * Back-compat default (deprecated): `prefetch: false` without
11019
+ * `lazyStrategy: withLazy()`. Identical behavior to the explicit opt-in,
11020
+ * plus a one-time deprecation warn (suppressed under NODE_ENV=test,
11021
+ * mirroring the listPage fallback warn). @internal
11022
+ */
11023
+ declare const IMPLICIT_LAZY: LazyStrategy;
11024
+
10821
11025
  /**
10822
11026
  * Enable the hierarchical-tiers capability.
10823
11027
  * Pass to `createNoydb({ tiersStrategy: withTiers() })` to make a collection's
@@ -10942,8 +11146,7 @@ declare function demote<T>(ctx: TiersContext<T>, id: string, toTier: number): Pr
10942
11146
  * here because `vault.ts` forget() reaches in via `collection._classifySealedShred`.
10943
11147
  */
10944
11148
  declare function classifySealedShred<T>(ctx: TiersContext<T>, live: EncryptedEnvelope): Promise<{
10945
- shreddable: string[];
10946
- dekResidue: string[];
11149
+ readonly slots: readonly SealedShredSlot[];
10947
11150
  }>;
10948
11151
 
10949
11152
  /**
@@ -11643,23 +11846,15 @@ interface HistoryStrategy {
11643
11846
  }
11644
11847
 
11645
11848
  /**
11646
- * `_links_*` reserved collectionsmanaged bidirectional many-to-many
11647
- * junctions (design B).
11648
- *
11649
- * Where `refArray` (design A) stores an id-array on one owning record,
11650
- * `vault.link()` creates a first-class junction: a dedicated encrypted
11651
- * `_links_<name>` collection whose rows are `{ a, b, meta? }` link tuples.
11652
- * It is queryable from BOTH sides (`of(id)`), carries optional per-link
11653
- * metadata, and cascades on endpoint delete.
11654
- *
11655
- * Each link is slot-typed: `a` is an id in the `a` endpoint collection,
11656
- * `b` an id in the `b` endpoint collection (they may be the same
11657
- * collection for self-links). A link's identity is the ordered pair
11658
- * `(a, b)`; `of(id)` matches either slot.
11849
+ * Link-set naming helpers, declaration types, and errors the tiny,
11850
+ * always-loadable slice of the links feature (#553).
11659
11851
  *
11660
- * Rows are encrypted under a dedicated `_links_<name>` DEK — same
11661
- * zero-knowledge stack as every other collection (the store sees only
11662
- * ciphertext). Backup/restore rides the normal `loadAll` path.
11852
+ * Split out of `link-set.ts` so the kernel floor (reserved-name guard in
11853
+ * `vault.collection()`, the lazy `vault.links()` handle) and the ref/link
11854
+ * enforcement facade can bind these few lines WITHOUT statically pulling
11855
+ * the `LinkSet` storage engine; that class now loads via dynamic import
11856
+ * on first link I/O. `link-set.ts` re-exports everything here, so import
11857
+ * paths and class identities are unchanged for existing consumers.
11663
11858
  */
11664
11859
 
11665
11860
  /** True for any reserved link-collection name. */
@@ -11698,13 +11893,6 @@ interface LinkSetHandle {
11698
11893
  /** All links in the set. */
11699
11894
  list(): Promise<LinkRow[]>;
11700
11895
  }
11701
- /** Thrown by `connect()` when an endpoint record does not exist. */
11702
- declare class LinkEndpointError extends NoydbError {
11703
- readonly link: string;
11704
- readonly endpoint: string;
11705
- readonly missingId: string;
11706
- constructor(link: string, endpoint: string, missingId: string);
11707
- }
11708
11896
  /** Thrown when a `strict` link blocks deletion of an endpoint that still has links. */
11709
11897
  declare class LinkIntegrityError extends NoydbError {
11710
11898
  readonly link: string;
@@ -12455,11 +12643,13 @@ declare function liberateVault(vault: Vault, opts: LiberateOptions): Promise<Lib
12455
12643
  * The grant/revoke engine the strategy runs when opted in — implemented by
12456
12644
  * `Noydb` (`_grantCustodianImpl` / `_revokeCustodianImpl` hold the gate +
12457
12645
  * keyring logic; the public `grantCustodian` / `revokeCustodian` route through
12458
- * the strategy).
12646
+ * the strategy). Since the #267 team split the keyring grant/revoke engines
12647
+ * are passed IN by `withCustody()` (statically linked there, not in the
12648
+ * kernel) so the single-user floor never carries them.
12459
12649
  */
12460
12650
  interface CustodyHost {
12461
- _grantCustodianImpl(vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
12462
- _revokeCustodianImpl(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
12651
+ _grantCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>, vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
12652
+ _revokeCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
12463
12653
  }
12464
12654
  interface CustodyStrategy {
12465
12655
  grantCustodian(host: CustodyHost, vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
@@ -12823,6 +13013,45 @@ interface VaultIntrospectState {
12823
13013
  readonly hasCollectionArchive?: (col: string) => boolean;
12824
13014
  }
12825
13015
 
13016
+ /** The ② capability seam for classified read-egress ops (stage 1: reveal; stage 2: verify). @module */
13017
+
13018
+ interface ClassifiedRevealCtx {
13019
+ readonly collection: string;
13020
+ readonly spec: ClassifiedFieldSpec;
13021
+ /** True on an encrypted collection — false selects the plaintext-body read. */
13022
+ readonly encrypted: boolean;
13023
+ readonly getEnvelope: (id: string) => Promise<EncryptedEnvelope | null>;
13024
+ readonly resolveCek: (env: EncryptedEnvelope) => Promise<EnclaveKey | undefined>;
13025
+ readonly getDEK: () => Promise<EnclaveKey>;
13026
+ readonly onAccess?: ((op: 'reveal', id: string) => Promise<void>) | undefined;
13027
+ }
13028
+ interface ClassifiedVerifyCtx {
13029
+ readonly collection: string;
13030
+ readonly spec: ClassifiedFieldSpec;
13031
+ readonly getEnvelope: (id: string) => Promise<EncryptedEnvelope | null>;
13032
+ readonly resolveCek: (env: EncryptedEnvelope) => Promise<EnclaveKey | undefined>;
13033
+ readonly getDEK: () => Promise<EnclaveKey>;
13034
+ readonly now: () => number;
13035
+ /** Group members resolved by the collection (matchGroup only). */
13036
+ readonly groupMembers?: ReadonlyArray<{
13037
+ readonly field: string;
13038
+ readonly spec: ClassifiedFieldSpec;
13039
+ }>;
13040
+ readonly onAccess?: ((op: 'verify' | 'find', id: string) => Promise<void>) | undefined;
13041
+ }
13042
+ interface ClassifiedStrategy {
13043
+ reveal(ctx: ClassifiedRevealCtx, id: string, field: string): Promise<unknown>;
13044
+ verify(ctx: ClassifiedVerifyCtx, id: string, field: string, candidate: string): Promise<ClassifiedVerdict>;
13045
+ verifyText(ctx: ClassifiedVerifyCtx, id: string, field: string, candidate: string): Promise<ClassifiedVerdict>;
13046
+ matchGroup(ctx: ClassifiedVerifyCtx, id: string, answers: Record<string, string>, opts: {
13047
+ readonly min: number;
13048
+ }): Promise<{
13049
+ readonly passed: boolean;
13050
+ }>;
13051
+ computeTarget(ctx: ClassifiedVerifyCtx, field: string, candidate: string, costByte?: number): Promise<string | null>;
13052
+ }
13053
+ declare const NO_CLASSIFIED: ClassifiedStrategy;
13054
+
12826
13055
  /** A vault (tenant namespace) containing collections. */
12827
13056
  declare class Vault {
12828
13057
  #private;
@@ -12863,6 +13092,7 @@ declare class Vault {
12863
13092
  /** Per-collection record archival policies. Indexed by collection name. */
12864
13093
  private readonly archiveRegistry;
12865
13094
  private readonly indexStrategy;
13095
+ private readonly lazyStrategy;
12866
13096
  private readonly aggregateStrategy;
12867
13097
  private readonly crdtStrategy;
12868
13098
  private readonly tiersStrategy;
@@ -12884,6 +13114,7 @@ declare class Vault {
12884
13114
  private readonly forgetStrategy;
12885
13115
  private readonly i18nStrategy;
12886
13116
  private readonly syncStrategy;
13117
+ private readonly classifiedStrategy;
12887
13118
  /**
12888
13119
  * Per-vault guard registry. `null` until `_initGuards()` runs; stays
12889
13120
  * `null` for vaults that never register any guard strategy. The
@@ -13076,7 +13307,7 @@ declare class Vault {
13076
13307
  private readonly dictionaryCache;
13077
13308
  /** Registered link specs, keyed by link name; set by `vault.link()`. */
13078
13309
  private readonly linkRegistry;
13079
- /** Cache of LinkSet handles, one per link name. */
13310
+ /** Cache of link-set handles, one per link name (lazy -- see links()). */
13080
13311
  private readonly linkSetCache;
13081
13312
  /** — subscribers for cross-tier access events. */
13082
13313
  private readonly crossTierSubs;
@@ -13118,6 +13349,7 @@ declare class Vault {
13118
13349
  objectStore?: ObjectProjection | undefined;
13119
13350
  archiveStrategy?: ArchiveStrategy | undefined;
13120
13351
  indexStrategy?: IndexStrategy | undefined;
13352
+ lazyStrategy?: LazyStrategy | undefined;
13121
13353
  aggregateStrategy?: AggregateStrategy | undefined;
13122
13354
  crdtStrategy?: CrdtStrategy | undefined;
13123
13355
  tiersStrategy?: TiersStrategy | undefined;
@@ -13133,6 +13365,7 @@ declare class Vault {
13133
13365
  numberingConfigs?: ReadonlyArray<DeferredNumberingConfig> | undefined;
13134
13366
  forgetStrategy?: ForgetStrategy | undefined;
13135
13367
  attestationStrategy?: AttestationStrategy | undefined;
13368
+ classifiedStrategy?: ClassifiedStrategy | undefined;
13136
13369
  sealedRecordStrategy?: SealedRecordStrategy | undefined;
13137
13370
  portabilityStrategy?: PortabilityStrategy | undefined;
13138
13371
  sequenceStrategy?: SequenceStrategy | undefined;
@@ -13205,6 +13438,8 @@ declare class Vault {
13205
13438
  moneyFields?: MoneyFieldsOpt<T, M>;
13206
13439
  /** — declare computed scalar fields, evaluated on write (schema-owned). */
13207
13440
  computed?: ComputedFields<T>;
13441
+ /** — declare classified() sensitive-field descriptors. See the classified-fields spec. */
13442
+ classifiedFields?: Record<string, ClassifiedEntry>;
13208
13443
  /** — per-collection conflict resolution policy. */
13209
13444
  conflictPolicy?: ConflictPolicy<T>;
13210
13445
  /** — CRDT mode for collaborative editing without conflicts. */
@@ -13217,6 +13452,9 @@ declare class Vault {
13217
13452
  deterministicFields?: readonly IndexFieldName<T, S>[];
13218
13453
  /** — explicit ack that deterministic encryption leaks equality. */
13219
13454
  acknowledgeDeterministicRisk?: boolean;
13455
+ /** — explicit ack for the classified `equatable` knob (R8 door). Required
13456
+ * when any classified field declares `equatable: true`. */
13457
+ acknowledgeEquatableRisk?: boolean;
13220
13458
  /**
13221
13459
  * — structural group-encryption. Fields sealed into their own
13222
13460
  * `_sealed[field]` envelope slot (per-field key), kept out of the open
@@ -13327,8 +13565,8 @@ declare class Vault {
13327
13565
  abortSchemaCutover(): Promise<void>;
13328
13566
  /** Current schema-cutover fence state for this vault. Thin live read. */
13329
13567
  schemaFenceState(): Promise<FenceDoc>;
13330
- /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
13331
- _ensureFenceCoordination(): void;
13568
+ /** @internal Start heartbeat + fence watcher once a cutover is registered. Async since #553: FenceWatcher dynamic-imports on demand. */
13569
+ _ensureFenceCoordination(): Promise<void>;
13332
13570
  /** @internal Stop the heartbeat/watcher (vault lock/close). */
13333
13571
  _stopFenceCoordination(): void;
13334
13572
  /** @internal Best-effort flush of all open collections' persisted
@@ -14554,6 +14792,23 @@ interface GateEventMap {
14554
14792
  }
14555
14793
  type GatePoint = keyof GateEventMap;
14556
14794
  type GateHandler<P extends GatePoint> = (event: GateEventMap[P]) => void | Promise<void>;
14795
+ /**
14796
+ * Registration options for a gate handler.
14797
+ *
14798
+ * `needsPrior` (default `true`) declares whether the handler reads the
14799
+ * prior-derived event fields — `existing`, `existingVersion`, `existingTs`,
14800
+ * and (on `beforePut`) `op`. When EVERY handler registered at a point set
14801
+ * `needsPrior: false`, the write path skips the prior-read (store get +
14802
+ * decrypt) entirely and dispatches the event with `existing: null`,
14803
+ * `existingVersion: 0`, `existingTs: undefined` (and `op: 'create'` on
14804
+ * `beforePut`; a `beforeDelete` gate then also fires for delete-of-absent).
14805
+ * A handler that opts out MUST NOT rely on those fields. (#267 prior-read
14806
+ * elision — pure perf; one prior-needing handler restores the old behavior
14807
+ * for the whole point.)
14808
+ */
14809
+ interface GateRegisterOptions {
14810
+ readonly needsPrior?: boolean;
14811
+ }
14557
14812
  declare class ServiceBus {
14558
14813
  #private;
14559
14814
  /** Register a handler for an observe point. Returns an unsubscribe fn. */
@@ -14579,10 +14834,21 @@ declare class ServiceBus {
14579
14834
  * cannot loop (same rationale as WriteHookRegistry.#suppressed).
14580
14835
  */
14581
14836
  dispatch<P extends LifecyclePoint>(point: P, event: LifecycleEventMap[P]): Promise<void>;
14582
- /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
14583
- registerGate<P extends GatePoint>(point: P, handler: GateHandler<P>): Unsubscribe$2;
14837
+ /**
14838
+ * Register a write-gating handler. A throw from the handler ABORTS the
14839
+ * write. Returns an unsubscribe fn. See {@link GateRegisterOptions} for
14840
+ * the `needsPrior` prior-read declaration (#267).
14841
+ */
14842
+ registerGate<P extends GatePoint>(point: P, handler: GateHandler<P>, opts?: GateRegisterOptions): Unsubscribe$2;
14584
14843
  /** Cheap gate for the write path — true when any gate handler is registered for the point. */
14585
14844
  hasGateHandlers(point: GatePoint): boolean;
14845
+ /**
14846
+ * True when at least one gate handler at `point` needs the prior record
14847
+ * (the default). False when the point has no handlers or every handler
14848
+ * registered with `needsPrior: false` — the write path then skips the
14849
+ * prior-read before dispatching (#267 prior-read elision).
14850
+ */
14851
+ gateNeedsPrior(point: GatePoint): boolean;
14586
14852
  /**
14587
14853
  * Run gate handlers in registration order, awaited. Unlike `dispatch`
14588
14854
  * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
@@ -14799,7 +15065,7 @@ interface DryRunResult {
14799
15065
  }
14800
15066
 
14801
15067
  /** NoydbOptions with the store resolved to a non-optional value (internal use only). */
14802
- type ResolvedNoydbOptions = NoydbOptions & {
15068
+ type ResolvedNoydbOptions$1 = NoydbOptions & {
14803
15069
  readonly store: NoydbStore;
14804
15070
  };
14805
15071
  /** The top-level NOYDB instance. */
@@ -14818,6 +15084,15 @@ declare class Noydb {
14818
15084
  /** Pre-resolved `vault.user` API factory (mirrors `coordinationProvider` above). Public so `Vault` can call it. */
14819
15085
  readonly userApiFactory: UserApiFactory;
14820
15086
  private readonly vaultCache;
15087
+ /**
15088
+ * In-flight `openVault` promise per name — concurrent opens of the same
15089
+ * vault must converge on ONE Vault instance. Without this, two callers
15090
+ * racing past the `vaultCache` miss each construct a Vault (and later two
15091
+ * Collections with independent DEKs for the same store slice), so a record
15092
+ * written through one fails decryption through the other with a spurious
15093
+ * `TamperedError` (#564).
15094
+ */
15095
+ private readonly vaultOpening;
14821
15096
  private readonly keyringCache;
14822
15097
  private readonly syncEngines;
14823
15098
  /**
@@ -14857,6 +15132,11 @@ declare class Noydb {
14857
15132
  * through it; grant/revoke route through it from this class. @internal
14858
15133
  */
14859
15134
  readonly custodyStrategy: CustodyStrategy;
15135
+ /**
15136
+ * Opt-in multi-user team strategy (#267 keyring-grant → team split) —
15137
+ * `NO_TEAM` (throwing) unless `withTeam()` was passed; the keyring
15138
+ * engines are linked only by the active strategy, not by this file. */
15139
+ private readonly teamStrategy;
14860
15140
  private readonly sessionStrategy;
14861
15141
  private readonly syncStrategy;
14862
15142
  private readonly snapshots;
@@ -14882,7 +15162,7 @@ declare class Noydb {
14882
15162
  private readonly translatorCache;
14883
15163
  /** Audit log for all translator invocations in this session. Cleared on `close()`. */
14884
15164
  private readonly _translatorAuditLog;
14885
- constructor(options: ResolvedNoydbOptions);
15165
+ constructor(options: ResolvedNoydbOptions$1);
14886
15166
  /** @internal — resolved forget strategy (NO_FORGET when not configured). */
14887
15167
  get _forgetStrategy(): ForgetStrategy;
14888
15168
  private resetSessionTimer;
@@ -14922,6 +15202,7 @@ declare class Noydb {
14922
15202
  *
14923
15203
  * The legacy `requireReAuthFor: ['grant']` session-policy check still
14924
15204
  * fires on top — both are independent opt-ins.
15205
+ * Opt-in (#267): throws {@link TeamNotEnabledError} without `withTeam()`.
14925
15206
  */
14926
15207
  grant(vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
14927
15208
  /**
@@ -14932,6 +15213,7 @@ declare class Noydb {
14932
15213
  *
14933
15214
  * The legacy `requireReAuthFor: ['revoke']` session-policy check still
14934
15215
  * fires on top — both are independent opt-ins.
15216
+ * Opt-in (#267): throws {@link TeamNotEnabledError} without `withTeam()`.
14935
15217
  */
14936
15218
  revoke(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
14937
15219
  /**
@@ -14945,8 +15227,9 @@ declare class Noydb {
14945
15227
  * owner-only invariant even if a host mis-configures the gate.
14946
15228
  */
14947
15229
  grantCustodian(vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
14948
- /** @internal — the grant-custodian engine, reached only when withCustody() is opted in. */
14949
- _grantCustodianImpl(vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
15230
+ /** @internal — grant-custodian engine, reached only via withCustody(); the
15231
+ * keyring engine arrives as an argument so the floor never carries it (#267). */
15232
+ _grantCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>, vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
14950
15233
  /**
14951
15234
  * Revoke a custodian (owner-only custody API).
14952
15235
  *
@@ -14955,8 +15238,9 @@ declare class Noydb {
14955
15238
  * 'owner'` check, so an admin cannot unwind a custodianship.
14956
15239
  */
14957
15240
  revokeCustodian(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
14958
- /** @internal — the revoke-custodian engine, reached only when withCustody() is opted in. */
14959
- _revokeCustodianImpl(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
15241
+ /** @internal — revoke-custodian engine, reached only via withCustody().
15242
+ * Mirrors `_grantCustodianImpl` (#267: engine passed in). */
15243
+ _revokeCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
14960
15244
  /**
14961
15245
  * Mutate post-grant identity fields on an existing keyring — `role`,
14962
15246
  * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
@@ -15015,6 +15299,7 @@ declare class Noydb {
15015
15299
  * Exposed on Noydb (rather than only on the lower-level keyring
15016
15300
  * module) so CLI and admin tooling can trigger rotation without
15017
15301
  * reaching into internals. See `noy-db rotate` for the CLI wrapper.
15302
+ * Opt-in (#267): throws {@link TeamNotEnabledError} without `withTeam()`.
15018
15303
  */
15019
15304
  rotate(vault: string, collections: string[]): Promise<void>;
15020
15305
  /** List all users with access to a vault. */
@@ -15962,6 +16247,12 @@ interface CollectionOpts<T> {
15962
16247
  * unbounded lazy cache defeats the purpose.
15963
16248
  */
15964
16249
  cache?: CacheOptions | undefined;
16250
+ /**
16251
+ * Lazy service seam (#267) — supplies the bounded-LRU working-set cache
16252
+ * when `prefetch: false`. Omitted → the deprecated IMPLICIT_LAZY
16253
+ * back-compat default (identical behavior + one-time warn).
16254
+ */
16255
+ lazyStrategy?: LazyStrategy | undefined;
15965
16256
  /**
15966
16257
  * Optional Standard Schema v1 validator (Zod, Valibot, ArkType,
15967
16258
  * Effect Schema, etc.). When set, every `put()` is validated before
@@ -16023,6 +16314,16 @@ interface CollectionOpts<T> {
16023
16314
  /** — outbound ref declarations (snapshot from vault refRegistry). Used by describe(). */
16024
16315
  declaredRefs?: Record<string, RefDescriptor> | undefined;
16025
16316
  computed?: ComputedFields | undefined;
16317
+ /** — declare classified() sensitive-field descriptors (sealed + riders + projections). */
16318
+ classifiedFields?: Record<string, ClassifiedEntry> | undefined;
16319
+ /**
16320
+ * The forget-cascade subject key for this collection (from
16321
+ * `withForgetCascade({ subjects })`), plumbed by the Vault. Consumed by the
16322
+ * classified refusal matrix (R4: a digest-only field cannot be the subject key).
16323
+ */
16324
+ subjectKeyField?: string | undefined;
16325
+ /** — tree-shake seam for `collection.reveal()`. Defaults to `NO_CLASSIFIED`. */
16326
+ classifiedStrategy?: ClassifiedStrategy | undefined;
16026
16327
  /**
16027
16328
  * async callback that resolves a dict key to its label
16028
16329
  * for a given locale. Provided by the Vault.
@@ -16079,7 +16380,7 @@ interface CollectionOpts<T> {
16079
16380
  * outside a consent scope the callback is a no-op. Awaited so a
16080
16381
  * thrown audit write surfaces to the caller.
16081
16382
  */
16082
- onAccess?: (op: 'get' | 'put' | 'delete', id: string) => Promise<void>;
16383
+ onAccess?: (op: 'get' | 'put' | 'delete' | 'reveal' | 'verify' | 'find', id: string) => Promise<void>;
16083
16384
  /**
16084
16385
  * invoked by `put`/`delete` before any adapter
16085
16386
  * write. Receives the prior envelope timestamp + decrypted
@@ -16109,6 +16410,13 @@ interface CollectionOpts<T> {
16109
16410
  * any deterministic field is declared. Any other value throws.
16110
16411
  */
16111
16412
  acknowledgeDeterministicRisk?: boolean | undefined;
16413
+ /**
16414
+ * gate for the classified `equatable` knob (R8 double door). Must be `true`
16415
+ * when any classified field declares `equatable: true`; otherwise construction
16416
+ * throws. One-directional — setting it with zero equatable members is a
16417
+ * silent no-op (mirrors `acknowledgeDeterministicRisk`).
16418
+ */
16419
+ acknowledgeEquatableRisk?: boolean | undefined;
16112
16420
  /**
16113
16421
  * Structural group-encryption. Fields listed here are
16114
16422
  * encrypted into their own `_sealed[field]` envelope slot — each under
@@ -16461,6 +16769,35 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
16461
16769
  * the same MV-pre-creation reconcile as {@link moneyFields}.
16462
16770
  */
16463
16771
  private computed;
16772
+ /**
16773
+ * Resolved classified() sensitive-field descriptors, declared via the
16774
+ * `classifiedFields` collection option. Mutable so {@link _applyClassifiedFields}
16775
+ * can attach a declaration to a collection MV-analysis pre-created.
16776
+ */
16777
+ private classified;
16778
+ /**
16779
+ * Frozen construction-time facts the refusal matrix (R1-R5) checks against.
16780
+ * Stored so {@link _applyClassifiedFields} — door 2, the reconcile seam —
16781
+ * can re-run the SAME guard the config resolver ran at door 1 (C5's lesson:
16782
+ * crdt/conflictPolicy/perRecordKeys are construction-only but
16783
+ * classifiedFields can attach later).
16784
+ */
16785
+ private readonly classifiedGuardCtx;
16786
+ /**
16787
+ * Digest-only classified fields (`storage: 'digest-only'`), keyed by field
16788
+ * name — the enclave-consumable policy map the codec's write path carries
16789
+ * `_vdig` forward under (C6). `null` when the collection declares none.
16790
+ */
16791
+ private readonly vdigFields;
16792
+ /** C-A/R10 memoization: marker declared-set lookup (undefined=unresolved) + classified-handle persist-once flag. */
16793
+ private _markerDigestOnlyCache;
16794
+ private _markerPersisted;
16795
+ /**
16796
+ * Tree-shake seam for `reveal()` — defaults to `NO_CLASSIFIED`, which
16797
+ * throws `ClassifiedNotEnabledError`. Set via the `classifiedStrategy`
16798
+ * `createNoydb()` option (opt in with `withClassified()`).
16799
+ */
16800
+ private readonly classifiedStrategy;
16464
16801
  /**
16465
16802
  * Async callback provided by the Vault that resolves a dict key
16466
16803
  * to its label for a given locale. Used by the locale-read path for
@@ -16666,6 +17003,70 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
16666
17003
  private describeAsync;
16667
17004
  /** JSON Schema for this collection with describe() metadata as x- extensions. */
16668
17005
  toJSONSchema(): Promise<object>;
17006
+ /** Single-point audited reveal of one classified field. Requires withClassified(). */
17007
+ reveal(id: string, field: string): Promise<unknown>;
17008
+ /** Verify-without-reveal: verdict-only oracle for one classified field. Requires withClassified(). */
17009
+ verify(id: string, field: string, candidate: string): Promise<ClassifiedVerdict>;
17010
+ /** k-of-n challenge over the collection's secretAnswer members. Requires withClassified(). */
17011
+ verifyGroup(id: string, answers: Record<string, string>, opts: {
17012
+ readonly min: number;
17013
+ }): Promise<{
17014
+ readonly passed: boolean;
17015
+ }>;
17016
+ private _classifiedVerifyCtx;
17017
+ /**
17018
+ * Equatable blind-index lookup: the ids whose classified digest-only
17019
+ * `equatable` field carries a `_bidx` tag matching `candidate` AND whose
17020
+ * `_vdig` payload confirms it. Requires the field to be declared
17021
+ * `classified.password({ equatable: true })` (or `secretAnswer`) and the
17022
+ * collection to have opened its `acknowledgeEquatableRisk` door.
17023
+ *
17024
+ * The algorithm order is load-bearing (spec §3):
17025
+ * 1. Caller-bug refusals thrown at ~0 elapsed, BEFORE any PBKDF2 (R9 /
17026
+ * Oracle #6): the three field mis-declarations share ONE constant,
17027
+ * field-name-free message so the refusal text cannot enumerate which
17028
+ * fields are classified / digest-only / equatable.
17029
+ * 2. Derive the ONE blind-index target UNCONDITIONALLY (I-1 / F1): an empty
17030
+ * collection still pays exactly one 600K PBKDF2, so wall-time can never
17031
+ * distinguish "no records" from "no match". No early return may precede
17032
+ * this line.
17033
+ * 3. Scan `list + one get` per id, string-comparing the stored `_bidx` tag —
17034
+ * decrypting NOTHING — and retain each hit's already-fetched envelope.
17035
+ * 4. Emit the single sweep consent op (`onAccess('find', '*')`) now — after
17036
+ * the scan, before confirm (Oracle #5) — fixing its store-write timestamp
17037
+ * independent of hit count.
17038
+ * 5. Confirm-by-verify against the ALREADY-FETCHED envelope (C-B): run the
17039
+ * enclave `verifyDigestField` on an in-memory `getEnvelope` closure so the
17040
+ * confirm reads ZERO additional envelopes. A tag-hit whose `_vdig` fails
17041
+ * to confirm is dropped silently (a splice is indistinguishable from a
17042
+ * stale tag). Store-shape law: the only store calls are `list + N get`.
17043
+ */
17044
+ findByDigest(field: string, candidate: string): Promise<readonly string[]>;
17045
+ /**
17046
+ * Retire a field's equatable blind-index (`_bidx`) coverage across every
17047
+ * live record — the SOLE lazy-write-independent drop-path for a still-live
17048
+ * record's tag (besides clear / `forget()` / DEK-rotation). For each envelope
17049
+ * carrying `_bidx[field]`, rewrite it WITHOUT that slot (dropping the whole
17050
+ * `_bidx` map when it becomes empty), leaving `_vdig[field]` and everything
17051
+ * else INTACT — the field stays `digest-only`, only the index coverage is
17052
+ * retired. NO crypto, NO re-mint, NO re-encrypt: a targeted envelope rewrite.
17053
+ * Returns the count of records scrubbed.
17054
+ *
17055
+ * This is a maintenance write, not a read-egress: it emits NO `'find'` op and
17056
+ * no consent. The field is validated to a declared equatable digest-only
17057
+ * classified field (only such a field ever carries `_bidx`).
17058
+ *
17059
+ * **Ledger consistency**: dropping `_bidx[field]` changes the envelope's
17060
+ * payload hash (`_bidx` is bound into `envelopeBodyForHash`), so a raw
17061
+ * `adapter.put` of the scrubbed envelope WITHOUT a matching ledger entry would
17062
+ * desync the chain and make a future integrity cross-check flag false
17063
+ * tampering. After each rewrite we therefore append an `op:'migration'` entry
17064
+ * recording the NEW payloadHash at the SAME version — this is index retirement,
17065
+ * not a new record version, so `_v` is NOT bumped; the migration op is
17066
+ * reverse-delta-inert (`ledger.reconstruct` skips non-put/delete ops) yet
17067
+ * keeps the hash chain and the record's latest recorded payloadHash correct.
17068
+ */
17069
+ scrubEquatableTags(field: string): Promise<number>;
16669
17070
  /**
16670
17071
  * @internal — attach money descriptors post-construction. MV dependency
16671
17072
  * analysis auto-creates a source collection (without options) during
@@ -16679,6 +17080,16 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
16679
17080
  _applyFieldMeta(fieldMeta: Record<string, FieldMeta>): void;
16680
17081
  /** @internal — attach collection-level meta post-construction. See {@link _applyMoneyFields}. First-wins. */
16681
17082
  _applyMeta(meta: CollectionMeta): void;
17083
+ /**
17084
+ * @internal — attach classified fields post-construction. See {@link _applyMoneyFields}.
17085
+ * First-wins. Note: unlike money/computed/meta, this cannot retro-seal a
17086
+ * collection that was already auto-created — `sensitiveFields` is frozen at
17087
+ * construction time. A reconciled declaration is only accepted when none of
17088
+ * its members are `storage: 'recoverable'` (those require sealing at first
17089
+ * open); otherwise this throws rather than silently persisting the value as
17090
+ * inline plaintext while `describe()` advertises protection.
17091
+ */
17092
+ _applyClassifiedFields(classifiedFields: Record<string, ClassifiedEntry>): void;
16682
17093
  /** @internal — used only in tests; do not read in production code. */
16683
17094
  get _ramCiphertext(): boolean;
16684
17095
  /**
@@ -16798,6 +17209,17 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
16798
17209
  * cache directly (no extra I/O), matching the previous behaviour exactly.
16799
17210
  */
16800
17211
  private resolvePriorValues;
17212
+ /** Resolves the prior envelope/record for a gate event; elides the read (#267) when no handler at `point` needs it (`elided: true`, `env`/`record` null). */
17213
+ private resolveGatePrior;
17214
+ /**
17215
+ * Wraps {@link RecordCodec.toCacheRecord} with an additional strip for
17216
+ * digest-only classified fields: the codec already omits them from `_data`
17217
+ * on write, but the write path caches the pre-encrypt `record` object
17218
+ * directly (to skip a redundant decrypt) — without this, a vdig field's
17219
+ * plaintext would sit in the working-set cache and `get()` would leak it
17220
+ * right back out, defeating C6.
17221
+ */
17222
+ private _toCacheableRecord;
16801
17223
  /** @internal Untracked put body — call {@link put}, not this. */
16802
17224
  private _putInternal;
16803
17225
  /**
@@ -17520,6 +17942,10 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
17520
17942
  * CEK cache, live-envelope reader, and DEK resolver.
17521
17943
  */
17522
17944
  private resolveRecordCek;
17945
+ /** C-A/R10: persist the classified marker once per classified handle (store I/O in config-drift.ts). */
17946
+ private _ensureClassifiedMarker;
17947
+ /** C-A/R10 drift signal — the marker's declared digest-only set, memoized to one store read per handle (see config-drift.ts). */
17948
+ private _classifiedMarkerDigestOnly;
17523
17949
  /**
17524
17950
  * find the first record whose deterministic field matches
17525
17951
  * the given plaintext. Returns `null` when no match exists.
@@ -17574,8 +18000,7 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
17574
18000
  * Collection because `vault.ts` forget() reaches in via this name.
17575
18001
  */
17576
18002
  _classifySealedShred(live: EncryptedEnvelope): Promise<{
17577
- shreddable: string[];
17578
- dekResidue: string[];
18003
+ readonly slots: readonly SealedShredSlot[];
17579
18004
  }>;
17580
18005
  /**
17581
18006
  * Bind the {@link TiersContext} the tier ops need. The `cekCache` is passed
@@ -17724,6 +18149,517 @@ interface TxStrategy {
17724
18149
  runDryRun(db: Noydb, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
17725
18150
  }
17726
18151
 
18152
+ /**
18153
+ * Noydb-side auth / recovery / enrollment facade.
18154
+ *
18155
+ * Holds the tier-2 authenticator enrollment/unlock wrappers, WebAuthn
18156
+ * enrollment, auth-config introspection, the tier-1 passphrase
18157
+ * rotate/recover flows, the paper/Shamir recovery rotate/enroll flows,
18158
+ * managed-passphrase recovery, peer-recovery, tier-3 PIN unlock, and the
18159
+ * public `getKeyring` accessor.
18160
+ *
18161
+ * The near-parallel rotate/recover variants (managed vs user vs paper vs
18162
+ * Shamir) are deliberately NOT consolidated. The
18163
+ * keyring/active-tier/quick-unlock/policy caches stay `Noydb`-resident
18164
+ * (shared by the kernel's unlock path) and arrive **by reference** through
18165
+ * {@link TeamFacadeDeps}; the keyring-unlock path (`getKeyringInternal`),
18166
+ * the policy gate (`checkGate`), the managed-recovery enrolment check
18167
+ * (`assertRecoveryEnrolled`), `openVault`, and the one-shot
18168
+ * managed-recovery skip flag stay kernel-resident and arrive as callbacks.
18169
+ *
18170
+ * Internal service — reached through `noydb.rotatePassphrase(...)` etc.
18171
+ */
18172
+
18173
+ /** NoydbOptions with the store resolved to a non-optional value (internal use only). */
18174
+ type ResolvedNoydbOptions = NoydbOptions & {
18175
+ readonly store: NoydbStore;
18176
+ };
18177
+ /** Everything the moving auth/recovery/enrollment methods touched on the Noydb instance's `this.*`. */
18178
+ interface TeamFacadeDeps {
18179
+ /** Resolved Noydb options (store, user, passphraseMode, sealingKey, shamirRecovery, …). */
18180
+ readonly options: ResolvedNoydbOptions;
18181
+ /** Live unlocked-keyring cache (Noydb-resident; read/written by reference). */
18182
+ readonly keyringCache: Map<string, UnlockedKeyring>;
18183
+ /** Per-vault active session tier (Noydb-resident; read/written by reference). */
18184
+ readonly activeTier: Map<string, ActiveTier>;
18185
+ /** Per-vault tier-3 quick-unlock state (Noydb-resident; read/written by reference). */
18186
+ readonly quickUnlock: QuickUnlockStore;
18187
+ /** Per-vault loaded policy cache (Noydb-resident; read/written by reference). */
18188
+ readonly policyCache: Map<string, VaultPolicy>;
18189
+ /** Evaluate the policy gate for an operation (kernel-resident). */
18190
+ checkGate(vault: string, gate: GateName, factors?: FactorProofBundle): Promise<void>;
18191
+ /** Legacy `requireReAuthFor` session-policy check (kernel-resident). */
18192
+ checkPolicyOperation(vault: string, op: ReAuthOperation): void;
18193
+ /** Live-reference keyring unlock path (kernel-resident). */
18194
+ getKeyringInternal(vault: string, opts?: {
18195
+ create: boolean;
18196
+ }): Promise<UnlockedKeyring>;
18197
+ /** Managed-recovery enrolment check (kernel-resident). */
18198
+ assertRecoveryEnrolled(vault: string, policy: VaultPolicy, opts?: {
18199
+ skipManagedCheck?: boolean;
18200
+ }): Promise<void>;
18201
+ /** Open (or create) a vault (kernel-resident). */
18202
+ openVault(vault: string, opts?: {
18203
+ locale?: string;
18204
+ }): Promise<Vault>;
18205
+ /** Toggle the one-shot managed-mode strong-recovery bypass flag (kernel-resident). */
18206
+ setSkipNextManagedRecoveryCheck(value: boolean): void;
18207
+ }
18208
+ declare class TeamFacade {
18209
+ private readonly deps;
18210
+ constructor(deps: TeamFacadeDeps);
18211
+ private requireShamirProvider;
18212
+ /** Gate + run a `grant` engine. See `Noydb.grant` for the public contract. */
18213
+ runGrant(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>, vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
18214
+ /** Gate + run a `revoke` engine. See `Noydb.revoke` for the public contract. */
18215
+ runRevoke(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
18216
+ /** Gate + run a `rotateKeys` engine. See `Noydb.rotate` for the public contract. */
18217
+ runRotate(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, collections: string[]) => Promise<void>, vault: string, collections: string[]): Promise<void>;
18218
+ /**
18219
+ * Add a tier-2 authenticator slot to the calling user's keyring.
18220
+ * Each slot independently wraps the SAME KEK under a method-specific
18221
+ * key — adding a slot is a constant-time keyring write.
18222
+ *
18223
+ * The wrapping ciphertext is produced by the corresponding
18224
+ * `@noy-db/on-*` package (e.g. `enrollPasswordAuthenticator` from
18225
+ * `@noy-db/on-password`); the hub persists the result.
18226
+ *
18227
+ * Gated by `enroll-authenticator`; `presented` carries any factor
18228
+ * proofs the active policy demands.
18229
+ */
18230
+ enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
18231
+ /**
18232
+ * Remove a tier-2 authenticator slot. Idempotent — removing a
18233
+ * non-existent slot is a successful no-op. Gated by
18234
+ * `remove-authenticator`.
18235
+ */
18236
+ removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
18237
+ /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
18238
+ listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
18239
+ /**
18240
+ * Mutate the `meta` blob on an existing authenticator slot — slot
18241
+ * rename, label change, attachment of UI hints. The slot's `id`,
18242
+ * `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
18243
+ * are immutable through this method. Anti-slot-swap is structural,
18244
+ * not gate-driven.
18245
+ *
18246
+ * `meta` patch semantics (top-level merge):
18247
+ * - Top-level merge — absent keys preserved
18248
+ * - `null` value — delete that meta key
18249
+ * - Other values — replace verbatim
18250
+ *
18251
+ * Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
18252
+ * Touch ID" disambiguation in admin UIs. The slot id (auto-derived
18253
+ * from credentialId prefix) is not human-friendly; `meta.nickname`
18254
+ * is.
18255
+ *
18256
+ * Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
18257
+ * alone (matches enroll/remove). STRICT_POLICY: tier-1 +
18258
+ * TOTP/email-OTP factor proof — a malicious rename on a shared
18259
+ * workstation could mislead the user about which device a slot
18260
+ * corresponds to, so STRICT requires fresh factor binding.
18261
+ *
18262
+ * @throws `NoAccessError` when no slot with the given id exists.
18263
+ * @throws `ValidationError` when no patch field is provided.
18264
+ */
18265
+ updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
18266
+ /**
18267
+ * Native WebAuthn enrollment using the **real** internal keyring.
18268
+ *
18269
+ * Why this exists: when a consumer is using `createNoydb({ secret })`,
18270
+ * they cannot reach the live `UnlockedKeyring` to feed it to
18271
+ * `enrollWebAuthn(keyring, vault, opts)` from `@noy-db/on-webauthn`.
18272
+ * Constructing a synthetic keyring (the previous workaround) produces
18273
+ * a slot whose `wrapped_kek` references the synthetic payload, not
18274
+ * the live session — so `unlockViaAuthenticator()` later replaces the
18275
+ * live DEK map with stale wrapped DEKs and every decrypt fails.
18276
+ *
18277
+ * This method runs `ceremony` with the REAL keyring (still in
18278
+ * `keyringCache`). The ceremony performs the WebAuthn enrollment and
18279
+ * returns the slot options that hub then persists via the standard
18280
+ * tier-2 enrollAuthenticator path.
18281
+ *
18282
+ * Layering note: hub does not import `@noy-db/on-webauthn` (that
18283
+ * would invert the dep graph). The consumer wires it in:
18284
+ *
18285
+ * ```ts
18286
+ * import { enrollWebAuthn } from '@noy-db/on-webauthn'
18287
+ *
18288
+ * await db.enrollWebAuthn('demo', async (keyring) => {
18289
+ * const e = await enrollWebAuthn(keyring, 'demo', { rp: {...} })
18290
+ * return {
18291
+ * id: `webauthn-${e.credentialId.slice(0, 8)}`,
18292
+ * method: 'webauthn',
18293
+ * wrapped_kek: e.wrappedPayload,
18294
+ * meta: {
18295
+ * credentialId: e.credentialId,
18296
+ * wrapIv: e.wrapIv,
18297
+ * prfUsed: e.prfUsed,
18298
+ * beFlag: e.beFlag,
18299
+ * requireSingleDevice: e.requireSingleDevice,
18300
+ * },
18301
+ * }
18302
+ * })
18303
+ * ```
18304
+ *
18305
+ * Returns the WebAuthn `credentialId` (extracted from `meta.credentialId`)
18306
+ * for the caller's lookup index (a bootstrap vault, a PublicEnvelope,
18307
+ * a server-side allowlist).
18308
+ *
18309
+ * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
18310
+ */
18311
+ enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
18312
+ credentialId: string;
18313
+ }>;
18314
+ /**
18315
+ * Filter the slot list to webauthn-method slots only. Useful for
18316
+ * "you have N WebAuthn credentials enrolled" UI surfaces and for
18317
+ * deciding when a new device prompt should appear. Identity is
18318
+ * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
18319
+ * `allowCredentials` at unlock time.
18320
+ */
18321
+ listWebAuthnSlots(vault: string): Promise<ReadonlyArray<{
18322
+ id: string;
18323
+ enrolledAt: string;
18324
+ credentialId: string;
18325
+ }>>;
18326
+ /**
18327
+ * Resolve a slot by id, then hand the wrapped-KEK ciphertext + meta
18328
+ * to the caller-supplied verifier. The verifier is the
18329
+ * `unlockWith*` function from the corresponding `@noy-db/on-*`
18330
+ * package, e.g. `unlockWithPassword(slot, password)`.
18331
+ *
18332
+ * On success, mark the active session tier as 2 — subsequent
18333
+ * `checkGate` calls see a tier-2 unlock.
18334
+ */
18335
+ unlockViaAuthenticator(vault: string, slotId: string, verify: (slot: KeyringAuthenticator) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring>;
18336
+ /** English summary of the configured auth model. */
18337
+ describeAuthConfig(vault: string): Promise<string>;
18338
+ /** Mermaid `flowchart TB` source for the auth graph. */
18339
+ diagramAuthConfig(vault: string): Promise<string>;
18340
+ /**
18341
+ * Per-user enrollment summary. Gated by `view-user-auth` (default:
18342
+ * disabled). Sanitization is allowlist-based — never renders cred
18343
+ * ids, password hashes, secrets, or any field outside the allowlist.
18344
+ */
18345
+ describeUserAuth(vault: string, userId: string, factors?: FactorProofBundle): Promise<string>;
18346
+ /** Bulk variant for owner dashboards. Gated by `view-user-auth`. */
18347
+ describeAllUsersAuth(vault: string, factors?: FactorProofBundle): Promise<Array<{
18348
+ userId: string;
18349
+ description: string;
18350
+ }>>;
18351
+ /**
18352
+ * Rotate the user's passphrase (user remembers old). Validates the
18353
+ * new phrase against the configured `passphrase` policy, runs the
18354
+ * `rotate-passphrase` gate, then re-derives + re-wraps every DEK.
18355
+ *
18356
+ * Tier-2 authenticator slots are dropped — each slot wraps the old
18357
+ * KEK and would need its derivation key to be re-presented. Re-enrol
18358
+ * via `db.enrollAuthenticator` after rotation.
18359
+ *
18360
+ * @throws `WeakPassphraseError` on a weak new phrase.
18361
+ * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
18362
+ * @throws `InvalidKeyError` when `oldPassphrase` is wrong.
18363
+ */
18364
+ rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
18365
+ /**
18366
+ * Reset the passphrase using a recovery proof (user forgot the old).
18367
+ * Currently supports the `'paper'` profile end-to-end; the
18368
+ * other profiles throw {@link RecoveryProfileNotImplementedError}.
18369
+ *
18370
+ * Burns the used recovery entry on success.
18371
+ */
18372
+ recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
18373
+ /**
18374
+ * Deliberate paper-recovery-code regeneration. User knows their
18375
+ * passphrase but wants a fresh sheet — they lost the printout or
18376
+ * suspect compromise of the off-site copy.
18377
+ *
18378
+ * Symmetric to {@link rotatePassphrase} for the recovery profile:
18379
+ * gated, audit-trackable, ergonomic. Replaces (not appends) the
18380
+ * paper sheet under `_meta/recovery-paper` in a single envelope `put`.
18381
+ *
18382
+ * Gated by the `rotate-recovery` policy gate:
18383
+ * - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
18384
+ * suffices, matching the lower-level flow's bar.
18385
+ * - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
18386
+ * 'email-otp', 'webauthn-roaming'] }] }` — rotation is an
18387
+ * off-site-trust event; require an off-device factor so a
18388
+ * stolen unlocked laptop cannot silently mint a sheet for the
18389
+ * attacker.
18390
+ *
18391
+ * Defaults `count` to the existing sheet size so consumers aren't
18392
+ * surprised by a different code count. Explicit `count` overrides.
18393
+ *
18394
+ * @throws {@link RecoveryProfileNotImplementedError} when `profile`
18395
+ * is anything other than `'paper'` (v1 dispatch limit).
18396
+ * @throws {@link PolicyDeniedError} when the gate denies (missing
18397
+ * factor, tier mismatch, ...).
18398
+ * @throws on missing paper sheet — "nothing to rotate" surfaces as
18399
+ * an error rather than silently minting an entire new sheet.
18400
+ *
18401
+ * @example Default count + show-once UI
18402
+ * ```ts
18403
+ * const { newCodes } = await db.rotateRecovery('acme', { profile: 'paper' })
18404
+ * showCodesToUser(newCodes)
18405
+ * ```
18406
+ *
18407
+ * @example STRICT-policy site with TOTP factor proof
18408
+ * ```ts
18409
+ * await db.rotateRecovery(
18410
+ * 'acme',
18411
+ * { profile: 'paper', count: 10 },
18412
+ * { factors: [{ kind: 'totp', proof: '123456' }] },
18413
+ * )
18414
+ * ```
18415
+ */
18416
+ rotateRecovery(vault: string, options: RotateRecoveryOptions, factors?: FactorProofBundle): Promise<RotateRecoveryResult>;
18417
+ private rotateRecoveryPaper;
18418
+ private rotateRecoveryShamir;
18419
+ /**
18420
+ * **Atomic create-and-enroll for managed-mode vaults.**
18421
+ *
18422
+ * Bootstraps a managed-mode vault and enrolls strong recovery in
18423
+ * a single ceremony. Under `passphraseMode: 'managed'`, every
18424
+ * `openVault` call requires a strong recovery profile (Shamir
18425
+ * today) to be enrolled — otherwise it throws
18426
+ * {@link ManagedRecoveryNotEnrolledError}. This method bypasses
18427
+ * the check temporarily so the keyring can be created, enrolls
18428
+ * the supplied recovery profile(s), then returns the vault.
18429
+ *
18430
+ * For Shamir enrollments, the show-once share strings come back
18431
+ * in `recoveryEnrollments[i].shares`. The hub never retains them
18432
+ * — the caller MUST display them to the user (once) before any
18433
+ * subsequent operation.
18434
+ *
18435
+ * Paper alone is NOT a strong profile under managed mode; passing
18436
+ * `{ profile: 'paper', ... }` without an accompanying shamir entry
18437
+ * is rejected at validation time.
18438
+ *
18439
+ * ```ts
18440
+ * const db = await createNoydb({
18441
+ * store, user: 'alice',
18442
+ * passphraseMode: 'managed',
18443
+ * sealingKey: macosKeychainSealingProvider({ ... }),
18444
+ * })
18445
+ *
18446
+ * const { vault, recoveryEnrollments } = await db.openVaultAndEnrollRecovery('acme', {
18447
+ * recovery: [{ profile: 'shamir', k: 2, n: 3 }],
18448
+ * })
18449
+ * for (const r of recoveryEnrollments) {
18450
+ * if (r.shares) showSharesToUser(r.shares) // ONCE
18451
+ * }
18452
+ * ```
18453
+ *
18454
+ * @throws ValidationError if recovery is empty, or contains no
18455
+ * strong profile under managed mode.
18456
+ */
18457
+ openVaultAndEnrollRecovery(vault: string, opts: {
18458
+ readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>;
18459
+ readonly locale?: string;
18460
+ }): Promise<{
18461
+ readonly vault: Vault;
18462
+ readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
18463
+ }>;
18464
+ /**
18465
+ * **Recovery flow under managed-passphrase mode.**
18466
+ *
18467
+ * Replaces the sealed passphrase of a managed-mode vault with a
18468
+ * fresh 256-bit random, sealed under the configured
18469
+ * `SealingKeyProvider`. The user never sees the new passphrase.
18470
+ *
18471
+ * Internally:
18472
+ * 1. Verify the recovery proof (Shamir today) and unwrap the
18473
+ * DEK set.
18474
+ * 2. Mint a fresh 256-bit random as the new effective passphrase.
18475
+ * 3. Rewrap the DEK set under a fresh KEK derived from the new
18476
+ * passphrase (via the existing `recoverPassphrase` path).
18477
+ * 4. Seal the random bytes under the provider and overwrite
18478
+ * `_meta/sealed-passphrase`.
18479
+ * 5. Drop the keyring cache so the next operation re-derives.
18480
+ *
18481
+ * The vault's strong-recovery enrollment is preserved across
18482
+ * recovery (Shamir entries are not burned on use).
18483
+ *
18484
+ * @throws ValidationError if the Noydb instance is not in managed mode.
18485
+ */
18486
+ recoverManagedPassphrase(vault: string, options: {
18487
+ readonly recoveryProof: RecoveryProof;
18488
+ readonly passphrasePolicy?: PassphrasePolicy;
18489
+ }): Promise<void>;
18490
+ /**
18491
+ * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
18492
+ * a fresh temp passphrase in a single store write. Closes the
18493
+ * partial-failure window (the previous compose-from-primitives
18494
+ * pattern was `db.revoke + db.grant`, two writes — if the issuer
18495
+ * cancelled between them the target was locked out entirely).
18496
+ *
18497
+ * Different from `db.revoke + db.grant`:
18498
+ *
18499
+ * - Same `userId`, role, permissions, capabilities preserved.
18500
+ * - DEKs unchanged → every other principal in the vault keeps
18501
+ * access. No key rotation.
18502
+ * - Allows owner→owner natively. The existing
18503
+ * `db.revoke` retains its block — peer-recovery is a separate,
18504
+ * intentionally-named operation.
18505
+ * - Tier-2 slots dropped (they wrap the old KEK).
18506
+ *
18507
+ * Gated by `peer-recover-user`; `STRICT_POLICY` requires a
18508
+ * recovery / TOTP / email-OTP factor proof at the moment of
18509
+ * recovery, so the issuer affirmatively re-asserts identity.
18510
+ *
18511
+ * The recipient should call `db.rotatePassphrase` on first session
18512
+ * to choose their own phrase — the temp acts as a single-use
18513
+ * bridge.
18514
+ *
18515
+ * ```ts
18516
+ * await db.recoverUser('acme', {
18517
+ * userId: 'bob',
18518
+ * passphrase: 'temporary-correct-horse-battery-staple-printer',
18519
+ * }, { factors: [{ kind: 'recovery' }] })
18520
+ * // Bob opens createNoydb({ user: 'bob', secret: tempPhrase })
18521
+ * // and immediately calls db.rotatePassphrase to set his own.
18522
+ * ```
18523
+ *
18524
+ * @throws `NoAccessError` when no keyring exists for the target.
18525
+ * @throws `PermissionDeniedError` when the caller's role can't
18526
+ * recover the target's role (admin→owner is blocked even
18527
+ * under recovery).
18528
+ * @throws `PrivilegeEscalationError` when the caller lacks a DEK
18529
+ * the target previously had access to.
18530
+ *
18531
+ */
18532
+ recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
18533
+ /**
18534
+ * Persist a recovery enrollment. Accepts the `'paper'`
18535
+ * profile.
18536
+ *
18537
+ * The hub wraps the user's DEK set (not the KEK) under a code-derived
18538
+ * AES-GCM key — see `team/recovery.ts` for the rationale. The mint
18539
+ * helper {@link mintPaperRecoveryEntry} is the canonical primitive;
18540
+ * pair it with `db.getKeyring(vault)` to obtain the live DEK set:
18541
+ *
18542
+ * ```ts
18543
+ * import { mintPaperRecoveryEntry } from '@noy-db/hub'
18544
+ *
18545
+ * const keyring = await db.getKeyring('acme')
18546
+ * const codes: string[] = ['CORRECT-HORSE-1', 'BATTERY-STAPLE-2', ...]
18547
+ * const entries = await Promise.all(
18548
+ * codes.map((code, i) => mintPaperRecoveryEntry(keyring.deks, code, `code-${i}`)),
18549
+ * )
18550
+ * await db.enrollRecovery('acme', { profile: 'paper', entries })
18551
+ * showCodesToUser(codes)
18552
+ * ```
18553
+ *
18554
+ * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
18555
+ * delegates to `mintPaperRecoveryEntry` internally — its output is
18556
+ * fed directly to this API. Pick whichever fits your code-gen layer:
18557
+ *
18558
+ * ```ts
18559
+ * import { generateRecoveryCodeSet } from '@noy-db/on-recovery'
18560
+ * const { codes, entries } = await generateRecoveryCodeSet({ deks: keyring.deks, count: 8 })
18561
+ * await db.enrollRecovery('acme', { profile: 'paper', entries })
18562
+ * ```
18563
+ */
18564
+ enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
18565
+ /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
18566
+ listRecoveryEntries(vault: string): Promise<{
18567
+ paper: ReadonlyArray<PaperRecoveryEntry>;
18568
+ shamir: ReadonlyArray<ShamirRecoveryEntry>;
18569
+ }>;
18570
+ /**
18571
+ * Register a tier-3 quick-unlock state for the vault. The state is
18572
+ * an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
18573
+ * compatible primitive). It is held in memory only — never persisted
18574
+ * — and auto-clears when its `expiresAt` elapses.
18575
+ *
18576
+ * Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
18577
+ * because tier-3 is a single-slot rolling secret).
18578
+ */
18579
+ enrollUnlock(vault: string, state: QuickUnlockState, factors?: FactorProofBundle): Promise<void>;
18580
+ /**
18581
+ * Resume a session via the registered tier-3 state. The verifier is
18582
+ * `@noy-db/on-pin/resumePin` (or compatible). On success, mark the
18583
+ * active session tier as 3 — every operation must re-authenticate at
18584
+ * tier 2 to elevate.
18585
+ *
18586
+ * Returns `undefined` (caller should fall back to tier 2) when no
18587
+ * tier-3 state is registered.
18588
+ */
18589
+ unlockViaPin(vault: string, resume: (state: QuickUnlockState) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring | undefined>;
18590
+ /** Drop the tier-3 state for a vault — explicit logout. */
18591
+ clearQuickUnlock(vault: string): void;
18592
+ /**
18593
+ * Public accessor for the unlocked keyring of a vault.
18594
+ *
18595
+ * Returns a **defensive shallow copy** so consumers can read the DEK
18596
+ * map and authenticator list without the risk of mutating the hub's
18597
+ * internal cache. Internal hub code paths use a live reference
18598
+ * via `getKeyringInternal`; ceremonies and external consumers always
18599
+ * get a snapshot.
18600
+ *
18601
+ * The CryptoKey values inside `deks` are not cloned — Web Crypto
18602
+ * keys are opaque handles, and a shared handle is intentional
18603
+ * (encrypt / decrypt go through the same key the cache holds).
18604
+ * Only the container Map / authenticator array is fresh.
18605
+ *
18606
+ * Used by `@noy-db/on-*` ceremonies that need the live DEK set
18607
+ * (paper recovery via {@link mintPaperRecoveryEntry}, tier-3 PIN
18608
+ * enrolment via on-pin's `enrollPin`, custom on-* ceremonies that
18609
+ * don't have a hub-side wrapper).
18610
+ *
18611
+ * No new permission gate — this is an accessor over already-unlocked
18612
+ * state. The keyring is materialized only after the calling session
18613
+ * has unlocked the vault at tier 1, 2, or 3, so exposing it does not
18614
+ * widen access. Throws `ValidationError` when encryption is enabled
18615
+ * and no `secret` / `getKeyring` is configured.
18616
+ *
18617
+ * ```ts
18618
+ * const keyring = await db.getKeyring('acme')
18619
+ * // keyring.deks: Map<collection, CryptoKey>
18620
+ * // keyring.kek: CryptoKey | null (null for tier-3 / wrap-DEKs sessions)
18621
+ * // keyring.role / .permissions / .authenticators
18622
+ * ```
18623
+ */
18624
+ getKeyring(vault: string): Promise<UnlockedKeyring>;
18625
+ }
18626
+
18627
+ /**
18628
+ * Multi-user team capability contract (#267 Track A tail — the
18629
+ * keyring-grant → team split). Lives on the `/with` port (the one seam the
18630
+ * kernel spine may import statically) so `Noydb` can hold the `NO_TEAM`
18631
+ * floor default without a spine→service static import.
18632
+ *
18633
+ * The active engine (`withTeam()` in `with-party/team/active.ts`)
18634
+ * statically links the grant/revoke/rotate keyring engines from
18635
+ * `keyring.ts` — bundle-charged to consumers of the `@noy-db/hub/team`
18636
+ * subpath, never to the single-user floor. {@link NO_TEAM} (the floor
18637
+ * default) throws {@link TeamNotEnabledError}.
18638
+ *
18639
+ * `Noydb.grant` / `Noydb.revoke` / `Noydb.rotate` delegate here, passing
18640
+ * their `TeamFacade` — the facade owns the policy-gate + keyring plumbing
18641
+ * (`runGrant` / `runRevoke` / `runRotate`) and receives the engine as an
18642
+ * argument from the strategy.
18643
+ *
18644
+ * Deliberately NOT gated (single-user primitives): owner keyring creation,
18645
+ * unlock, `listUsers`, `updateUser`, passphrase rotate/recover, and the
18646
+ * `createDeedOwner` free function (no createNoydb instance to gate against —
18647
+ * the same carve-out as `liberateVault`).
18648
+ * @internal
18649
+ */
18650
+
18651
+ interface TeamStrategy {
18652
+ grant(team: TeamFacade, vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
18653
+ revoke(team: TeamFacade, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
18654
+ rotate(team: TeamFacade, vault: string, collections: string[]): Promise<void>;
18655
+ }
18656
+ /**
18657
+ * No-op stub — the floor default. Every multi-user team operation throws
18658
+ * {@link TeamNotEnabledError}; opt in with `teamStrategy: withTeam()` in
18659
+ * createNoydb. @internal
18660
+ */
18661
+ declare const NO_TEAM: TeamStrategy;
18662
+
17727
18663
  /**
17728
18664
  * Session policies —
17729
18665
  *
@@ -17978,6 +18914,24 @@ interface EncryptedEnvelope {
17978
18914
  * map is absent and `_data` is unchanged (byte-identical to legacy output).
17979
18915
  */
17980
18916
  readonly _sealed?: Record<string, string>;
18917
+ /**
18918
+ * Verify-digest slots (classified stage 2). Map of digest-only field name →
18919
+ * AES-256-GCM `iv:data` blob sealed under the HKDF(CEK) vdig slot key with
18920
+ * AAD ['noydb-classify-vdig', collection, recordId, field]. The store sees
18921
+ * only ciphertext; only the enclave verify path can read the digest. At most
18922
+ * one of `_sealed[field]` / `_vdig[field]` exists per field (I4).
18923
+ */
18924
+ readonly _vdig?: Record<string, string>;
18925
+ /**
18926
+ * Equatable blind-index tags (classified slice 2b). Map of digest-only field
18927
+ * name → base64 33-byte tag (1-byte cost/version discriminator ‖ 32-byte keyed
18928
+ * MAC), CURRENT VALUE ONLY (the _vdig ring is never indexed). This is the ONLY
18929
+ * store-visible classified artifact: a keyed MAC, comparable without a key
18930
+ * ceremony, with NO inline cryptographic integrity by construction. Invariant:
18931
+ * _bidx[field] present ⇒ _vdig[field] present. Confirm-by-verify (findByDigest)
18932
+ * makes any read-side orphan/splice unreturnable.
18933
+ */
18934
+ readonly _bidx?: Record<string, string>;
17981
18935
  /**
17982
18936
  * Per-record content-encryption key (CEK), base64 AES-KW-wrapped under
17983
18937
  * the collection (or tier) DEK. Present only on records written by a
@@ -18010,6 +18964,33 @@ interface EncryptedEnvelope {
18010
18964
  */
18011
18965
  readonly _debug?: typeof NOYDB_FORMAT_VERSION;
18012
18966
  }
18967
+ /** Spine policy for one digest-only classified field — the enclave-consumable
18968
+ * projection of a ClassifiedFieldSpec (the enclave never imports with-*). */
18969
+ interface VdigFieldPolicy {
18970
+ readonly normalize: 'password' | 'secret-answer';
18971
+ /** Ring size for reuse refusal; 0 = no ring. Cap 8 (spec Q4). */
18972
+ readonly notLastN: number;
18973
+ readonly rotateDays?: number;
18974
+ /** default false — refused unless the double door is open (R8) */
18975
+ readonly equatable: boolean;
18976
+ }
18977
+ /**
18978
+ * The persisted classified-fields config marker (C-A / R10). Reuses the
18979
+ * stage-2 persisted-schema record; this is the shape of the marker stored
18980
+ * there.
18981
+ */
18982
+ interface ClassifiedMarker {
18983
+ /** field names declared digest-only (have _vdig); non-empty ⇒ writes need the classified codec */
18984
+ readonly digestOnly: readonly string[];
18985
+ /** field names additionally declared equatable (have _bidx when covered) */
18986
+ readonly equatable: readonly string[];
18987
+ }
18988
+ /** Verdict-only egress of the enclave oracle (spec §3). */
18989
+ interface ClassifiedVerdict {
18990
+ readonly ok: boolean;
18991
+ /** I1: present ONLY when ok === true — never computed for a false verdict. */
18992
+ readonly mustRotate?: true;
18993
+ }
18013
18994
  /**
18014
18995
  * Opaque access gate for a sealed (`sensitive`) field returned by a public
18015
18996
  * read (the access layer). The handle carries only the per-field
@@ -19814,6 +20795,13 @@ interface NoydbOptions {
19814
20795
  * signer engines are tree-shaken out.
19815
20796
  */
19816
20797
  readonly attestationStrategy?: AttestationStrategy;
20798
+ /**
20799
+ * Tree-shake seam — optional classified-field capability. Pass
20800
+ * `withClassified()` from `@noy-db/hub/classified` to enable
20801
+ * `collection.reveal()`. When omitted, `reveal()` throws
20802
+ * `ClassifiedNotEnabledError` and the reveal engine is tree-shaken out.
20803
+ */
20804
+ readonly classifiedStrategy?: ClassifiedStrategy;
19817
20805
  /**
19818
20806
  * Tree-shake seam — optional sealed-record (grantor-side) capability. Pass
19819
20807
  * `withSealedRecord()` from `@noy-db/hub/sealed-record` to enable
@@ -19852,6 +20840,27 @@ interface NoydbOptions {
19852
20840
  * stays ungated (it has no createNoydb instance to gate against).
19853
20841
  */
19854
20842
  readonly custodyStrategy?: CustodyStrategy;
20843
+ /**
20844
+ * Tree-shake seam — optional multi-user team capability (#267
20845
+ * keyring-grant → team split). Pass `withTeam()` from `@noy-db/hub/team`
20846
+ * to enable `db.grant` / `db.revoke` / `db.rotate`. When omitted, those
20847
+ * throw `TeamNotEnabledError` and the keyring grant/revoke/rotate engines
20848
+ * are reached only via opt-in — the always-on floor is single-user.
20849
+ * Single-user primitives (owner keyring, unlock, `listUsers`,
20850
+ * `updateUser`, passphrase rotate/recover) stay ungated, as does the
20851
+ * `createDeedOwner` free function (no createNoydb instance to gate
20852
+ * against).
20853
+ */
20854
+ readonly teamStrategy?: TeamStrategy;
20855
+ /**
20856
+ * Opt-in seam — the `lazy` service (#267). Pass `withLazy()` from
20857
+ * `@noy-db/hub/lazy` to explicitly enable lazy mode's bounded-LRU
20858
+ * working set for collections declared with `prefetch: false`. When
20859
+ * omitted, `prefetch: false` still works via the deprecated implicit
20860
+ * back-compat path (identical behavior, one-time deprecation warn);
20861
+ * the implicit path will be removed at 1.0.
20862
+ */
20863
+ readonly lazyStrategy?: LazyStrategy;
19855
20864
  /**
19856
20865
  * Tree-shake seam — optional search / retrieval capability. Pass
19857
20866
  * `withSearch()` from `@noy-db/hub` to enable a collection's `search`
@@ -20727,4 +21736,4 @@ interface NoydbPolicyDeps {
20727
21736
  */
20728
21737
  type NoydbPolicyFactory = (deps: NoydbPolicyDeps) => NoydbPolicyApi;
20729
21738
 
20730
- export { BLOB_INDEX_COLLECTION as $, resolveI18nText as A, resolvePolicy as B, setAtPathInPlace as C, DICT_COLLECTION_PREFIX as D, staticDict as E, stripI18nFilled as F, validateI18nTextValue as G, type SessionStrategy as H, type I18nStrategy as I, SessionExpiredError as J, SessionNotFoundError as K, type Layer as L, MissingTranslationError as M, SessionPolicyError as N, type OnMissing as O, PolicyEnforcer as P, createEnforcer as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, Vault as V, validateSessionPolicy as W, type BlobStrategy as X, BLOB_CHUNKS_COLLECTION as Y, BLOB_COLLECTION as Z, BLOB_EVICTION_AUDIT_COLLECTION as _, type DictEntry as a, type Reducer as a$, BLOB_SLOTS_PREFIX as a0, BLOB_VERSIONS_PREFIX as a1, type BlobEvictionEntry as a2, type BlobFieldPolicy as a3, type BlobFieldsConfig as a4, type BlobObject as a5, type BlobPutOptions as a6, type BlobResponseOptions as a7, BlobSet as a8, type BlobStrategyOpenArgs as a9, IDX_PREFIX as aA, type IndexDef as aB, type IndexState as aC, type IngestRow as aD, type LazyOrderBy as aE, LazyQuery as aF, type LazyQuerySource as aG, type OrderedEntry as aH, PersistedCollectionIndex as aI, type PersistedIndexDef as aJ, compositeKey as aK, decodeIdxId as aL, encodeIdxId as aM, isIdxId as aN, type AggregateStrategy as aO, type AggregateResult as aP, type AggregateSpec as aQ, Aggregation as aR, type AggregationUpstream as aS, GROUPBY_MAX_CARDINALITY as aT, GROUPBY_WARN_CARDINALITY as aU, GroupedAggregation as aV, GroupedQuery as aW, GroupedQueryN as aX, type GroupedRow as aY, type GroupedRowN as aZ, type LiveAggregation as a_, type CompactRunOptions as aa, type CompactionContext as ab, type CompactionResult as ac, DEFAULT_CHUNK_SIZE as ad, EXPORT_AUDIT_COLLECTION as ae, ExportBlobsAbortedError as af, type ExportBlobsAuditEntry as ag, type ExportBlobsHandle as ah, type ExportBlobsOptions as ai, type ExportedBlob as aj, type ObjectListEntry as ak, type ObjectMeta as al, type ObjectProjection as am, type ObjectUrlOptions as an, type PutObjectOptions as ao, type PutUrlOptions as ap, type SlotInfo as aq, type SlotRecord as ar, type VersionRecord as as, createExportBlobsHandle as at, memoryObjectProjection as au, runCompaction as av, type IndexStrategy as aw, COMPOSITE_DELIMITER as ax, CollectionIndexes as ay, type HashIndex as az, type DictKeyDescriptor as b, type SnapshotMeta as b$, type ReducerBuilder as b0, type ReducerOptions as b1, avg as b2, buildLiveAggregation as b3, count as b4, groupAndReduce as b5, max as b6, min as b7, moneyMax as b8, moneyMin as b9, type OpenPeriodOptions as bA, PERIODS_COLLECTION as bB, type PeriodRecord as bC, type ReadOnlyCollection as bD, appendPeriodLedgerEntry as bE, assertTsWritable as bF, chainAnchor as bG, loadPeriods as bH, validatePeriodName as bI, type GuardStrategy as bJ, type GuardChange as bK, type GuardContext as bL, AmendmentForbiddenError as bM, FieldFrozenError as bN, GuardRegistry as bO, type GuardStrategyHandle as bP, IllegalTransitionError as bQ, InvariantError as bR, ReadOnlyVaultFacade as bS, RecordLockedError as bT, type ShadowStrategy as bU, CollectionFrame as bV, VaultFrame as bW, type NoydbPodStore as bX, type RetentionPolicy as bY, type SnapshotPolicy as bZ, type SnapshotStrategy as b_, moneySum as ba, reduceRecords as bb, reducerBuilder as bc, resetGroupByWarnings as bd, sum as be, type CrdtStrategy as bf, type CrdtMode as bg, type CrdtState as bh, type LwwMapState as bi, type RgaState as bj, type YjsState as bk, buildLwwMapState as bl, buildRgaState as bm, mergeCrdtStates as bn, resolveCrdtSnapshot as bo, type ConsentStrategy as bp, CONSENT_AUDIT_COLLECTION as bq, type ConsentAuditEntry as br, type ConsentAuditFilter as bs, type ConsentContext as bt, type ConsentOp as bu, loadConsentEntries as bv, writeConsentEntry as bw, type PeriodsStrategy as bx, type CarryForwardContext as by, type ClosePeriodOptions as bz, DictKeyInUseError as c, type JsonPatchOp as c$, type SnapshotMode as c0, SnapshotNotFoundError as c1, type DerivationStrategy as c2, type DerivationContext as c3, type ArrayOutputSpec as c4, DerivationCapExceededError as c5, DerivationCycleError as c6, DerivationDepthError as c7, DerivationOutputShapeError as c8, DerivationOutputUnknownError as c9, type WithdrawAccessibleOptions as cA, type WithdrawResult as cB, type WithdrawalRequest as cC, type WithdrawalRequestStatus as cD, type DiffEntry as cE, type UnlockedKeyring as cF, type ExportFormat as cG, type BusHandler as cH, type GateDeleteEvent as cI, type GateEventMap as cJ, type GateHandler as cK, type GatePoint as cL, type GatePutEvent as cM, type LifecycleEventMap as cN, type LifecyclePoint as cO, ServiceBus as cP, SubsystemBus as cQ, type Role as cR, type HistoryStrategy as cS, type NoydbStore as cT, type HistoryOptions as cU, type EncryptedEnvelope as cV, type PruneOptions as cW, type AppendInput as cX, type ChangeType as cY, CollectionInstant as cZ, type JsonPatch as c_, DerivationRegistry as ca, type DerivationStrategyHandle as cb, type DerivedFromMeta as cc, type OutputSpec as cd, type RecordOutputSpec as ce, type MaterializedViewStrategy as cf, type MaterializedViewStrategyHandle as cg, type OverlayedViewStrategy as ch, Collection as ci, OverlayBaseIsVirtualError as cj, OverlayCollectionUnavailableError as ck, type OverlayFieldMergeMode as cl, type OverlayFieldMergeRule as cm, OverlayIdMismatchError as cn, OverlayNameCollisionError as co, OverlayedViewRegistry as cp, type OverlayedViewStrategyHandle as cq, type SyncStrategy as cr, type PortabilityStrategy as cs, type ApproveWithdrawalOptions as ct, type ExportAccessibleOptions as cu, NO_PORTABILITY as cv, PortabilityNotEnabledError as cw, type RejectWithdrawalOptions as cx, type RequestWithdrawalOptions as cy, type RequestWithdrawalResult as cz, DictKeyMissingError as d, type UnionSource as d$, LedgerStore as d0, type VaultEngine as d1, VaultInstant as d2, type VerifyResult as d3, applyPatch as d4, computePatch as d5, diff as d6, formatDiff as d7, type SealedRecordStrategy as d8, type SealedCekDeliveryEnvelope as d9, AttestationNotEnabledError as dA, type IssueArgs as dB, type IssueContext as dC, type IssueResult as dD, NO_ATTESTATION as dE, type RevokeContext as dF, getRevokedDocIdsCore as dG, issueAttestationCore as dH, publishRevocationListCore as dI, revokeDocCore as dJ, unrevokeDocCore as dK, type PublicEnvelope as dL, type BundleRecipient as dM, type RecipientSealer as dN, type RecipientHint as dO, TxContext as dP, type MVQueryContext as dQ, type RegisteredMV as dR, Query as dS, MaterializedViewRegistry as dT, type MaterializedFromMeta as dU, MaterializedViewConfigError as dV, MaterializedViewCycleError as dW, type MaterializedViewOutput as dX, MaterializedViewSourceUnknownError as dY, MaterializedViewTooLargeError as dZ, type UnionArmJoin as d_, NO_SEALED_RECORD as da, type SealedCekBinding as db, SealedRecordExpiredError as dc, SealedRecordMismatchError as dd, SealedRecordNotEnabledError as de, type WalkClosureOptions as df, type SealingKeyProvider as dg, type RecoveryEnrollmentInput as dh, type ShamirRecoveryProvider as di, type EnclaveKey as dj, AdoptionStateError as dk, BackupCorruptedError as dl, BackupLedgerError as dm, BundleIntegrityError as dn, BundleSealMismatchError as dp, BundleVersionConflictError as dq, type ClosureResult as dr, type ExtractPartitionResult as ds, PartitionExtractionError as dt, PodVersionConflictError as du, TransferSealError as dv, extractPartition as dw, walkClosure as dx, type AttestationStrategy as dy, AttestationError as dz, DictionaryHandle as e, type DeepPartial as e$, type SearchStrategy as e0, type SequenceStrategy as e1, type CustodyStrategy as e2, type SchemaUpdateStrategy as e3, type TransformFn as e4, type PersistedSchemaEnvelope as e5, type UpdateDecision as e6, type UserEnvelope as e7, type VaultUserApi as e8, type UserApiDeps as e9, type CollectionChangeEvent as eA, type CollectionConfig as eB, type CollectionConflictResolver as eC, type CollectionDescriptor as eD, type CollectionStats as eE, ComputedFieldError as eF, type ComputedFields as eG, type ComputedFn as eH, type Conflict as eI, ConflictError as eJ, type ConflictPolicy as eK, type ConflictStrategy as eL, CrossJoinSourceUnknownError as eM, CrossJoinTooLargeError as eN, type CrossTierAccessEvent as eO, CustodyApi as eP, type CustodyHost as eQ, CustodyNotEnabledError as eR, DEFAULT_CROSS_JOIN_MAX_ROWS as eS, DEFAULT_JOIN_MAX_ROWS as eT, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as eU, DELEGATIONS_COLLECTION as eV, DanglingReferenceError as eW, DataResidencyError as eX, DebugPlaintextError as eY, DebugReservedFieldError as eZ, DecryptionError as e_, type DeepPartialOrNull as ea, type UserEnvelopePresented as eb, type Unsubscribe as ec, type LiveUserEnvelope as ed, type RoundingMode as ee, type VaultPolicy as ef, type ActiveTier as eg, type FactorProof as eh, type GateName as ei, type PolicyDenyReason as ej, type GatePolicy as ek, type AccessibleVault as el, type AffectedDocument as em, AlreadyElevatedError as en, type ArchivePolicy as eo, type ArchiveResult as ep, type ArchiveRunOptions as eq, type ArchiveStrategy as er, BUNDLE_STORE_POLICY as es, type BuiltInGateName as et, type CacheOptions as eu, type CacheStats as ev, CargoNotEnabledError as ew, type CargoStrategy as ex, type ChangeEvent as ey, type Clause as ez, type DictionaryOptions as f, type KeyringAuthenticatorWrappingDEKs as f$, type DeferredNumberingConfig as f0, DelegationTargetMissingError as f1, type DelegationToken as f2, type DeleteManyResult as f3, type DerivationDescriptor as f4, DirectoryDisabledError as f5, type DirtyEntry as f6, type DryRunResult as f7, type DumpSchemaOptions as f8, ELEVATION_AUDIT_COLLECTION as f9, type FormattedSequenceHandle as fA, type FrozenSnapshotRef as fB, type GhostRecord as fC, type GrantCustodianOptions as fD, type GrantOptions as fE, GroupCardinalityError as fF, type GroupClause as fG, type GuardViolation as fH, type HistoryConfig as fI, type HistoryEntry as fJ, INDEXED_STORE_POLICY as fK, type ImportCapability as fL, ImportCapabilityError as fM, type IndexFieldName as fN, IndexRequiredError as fO, IndexWriteFailureError as fP, type InferOutput as fQ, type InternalCollectionStats as fR, InvalidKeyError as fS, type IssueDelegationOptions as fT, type IssueMagicLinkGrantOptions as fU, type JoinContext as fV, type JoinLeg as fW, type JoinStrategy as fX, JoinTooLargeError as fY, type JoinableSource as fZ, type KeyringAuthenticator as f_, ElevatedHandle as fa, ElevationExpiredError as fb, type EmbeddingDescriptor as fc, EmbeddingDimMismatchError as fd, EmbeddingModelMismatchError as fe, EnclaveNotSupportedError as ff, type EnrollAuthenticatorOptions as fg, type EnrollAuthenticatorWrappingDEKsOptions as fh, type EnrollAuthenticatorWrappingKEKOptions as fi, type EnrollRecoveryResult as fj, type ExportCapability as fk, ExportCapabilityError as fl, type ExportChunk as fm, type ExportStreamOptions as fn, type FactorKind as fo, type FactorProofBundle as fp, type FactorRequirement as fq, type FenceDoc as fr, type FenceState as fs, type FieldChange as ft, type FieldClause as fu, type FieldDescriptor as fv, type FieldSource as fw, FilenameSanitizationError as fx, type FilterClause as fy, ForgetStrategyNotConfiguredError as fz, type I18nMap as g, POD_STORE_POLICY as g$, type KeyringAuthenticatorWrappingKEK as g0, KeyringCorruptError as g1, KeyringExpiredError as g2, type KeyringFile as g3, LedgerContentionError as g4, type LiberateOptions as g5, type LiberateResult as g6, LinkEndpointError as g7, LinkIntegrityError as g8, type LinkOnDelete as g9, type MoneyOptionsMulti as gA, MoneyPrecisionError as gB, type MoneyString as gC, MoneyUnsupportedError as gD, NOYDB_BACKUP_VERSION as gE, NOYDB_FORMAT_VERSION as gF, NOYDB_KEYRING_VERSION as gG, NOYDB_SYNC_VERSION as gH, NO_CARGO as gI, NO_CUSTODY as gJ, NO_SEARCH as gK, NO_SEQUENCE as gL, NetworkError as gM, type NextOptions as gN, NoAccessError as gO, NonAdditiveSchemaChangeError as gP, NotFoundError as gQ, Noydb as gR, type NoydbBundleStore as gS, NoydbError as gT, type NoydbEventMap as gU, type NoydbOptions as gV, type Assignment as gW, NumberingUncertaintyError as gX, type Operator as gY, type OrderBy as gZ, type OverlayViewDescriptor as g_, type LinkRow as ga, type LinkSetHandle as gb, type LinkSpec as gc, type ListAccessibleVaultsOptions as gd, type ListPageResult as ge, type ListUsersOptions as gf, type LiveQuery as gg, type LiveUpstream as gh, type LocaleReadOptions as gi, Lru as gj, type LruOptions as gk, type LruStats as gl, MAGIC_LINK_CONTENT_INFO_PREFIX as gm, MAGIC_LINK_GRANTS_COLLECTION as gn, MAGIC_LINK_KEK_INFO_PREFIX as go, type MagicLinkGrantPayload as gp, type MagicLinkGrantRecord as gq, ManagedRecoveryNotEnrolledError as gr, type MaterializedViewDescriptor as gs, MemoryRecipientSealer as gt, MemorySealingKeyProvider as gu, MigrationRequiredError as gv, MoneyCurrencyError as gw, type MoneyDescriptor as gx, type MoneyOptions as gy, type MoneyOptionsFixed as gz, type I18nTextDescriptor as h, type RotateRecoveryResult as h$, PUBLIC_ENVELOPE_FIELDS as h0, type PaperRecoveryDoc as h1, type PaperRecoveryEntry as h2, type PassphrasePolicy as h3, type PassphraseValidationResult as h4, PathEscapeError as h5, PeriodClosedError as h6, type Permission as h7, PermissionDeniedError as h8, type Permissions as h9, type QuickUnlockState as hA, QuickUnlockStore as hB, QuiesceTimeoutError as hC, type ReAuthOperation as hD, ReadOnlyAtInstantError as hE, ReadOnlyError as hF, ReadOnlyFrameError as hG, RecordCekNotFoundError as hH, type RecoverPassphraseInput as hI, type RecoverPassphraseResult as hJ, type RecoverUserOptions as hK, RecoveryNotEnrolledError as hL, RecoveryProfileNotImplementedError as hM, type RecoveryProof as hN, type RefDescriptor as hO, RefIntegrityError as hP, type RefMode as hQ, RefRegistry as hR, RefScopeError as hS, type RefViolation as hT, ReservedVaultNameError as hU, type ResolvedPublicEnvelopeSchema as hV, type RetrieveHit as hW, type RetrieveOptions as hX, type RevokeOptions as hY, type RotatePassphraseInput as hZ, type RotateRecoveryOptions as h_, type PersistedSchemaKind as ha, type PlaintextTranslatorContext as hb, type PlaintextTranslatorFn as hc, PolicyDeniedError as hd, PresenceHandle as he, type PresencePeer as hf, PrivilegeEscalationError as hg, type PublicEnvelopeField as hh, type PublicEnvelopeSchema as hi, type PublicEnvelopeText as hj, type PullMode as hk, type PullOptions as hl, type PullPolicy as hm, type PullResult as hn, type PushMode as ho, type PushOptions as hp, type PushPolicy as hq, type PushResult as hr, type PutManyItemOptions as hs, type PutManyOptions as ht, type PutManyResult as hu, type QueryAcrossOptions as hv, type QueryAcrossResult as hw, type QueryField as hx, type QueryPlan as hy, type QuerySource as hz, type I18nTextOptions as i, type TranslatorAuditEntry as i$, SEALED_PASSPHRASE_RECORD_ID as i0, ScanBuilder as i1, type ScanPageProvider as i2, type SchemaDelta as i3, SchemaFenceError as i4, type SchemaIntrospection as i5, SchemaLockedError as i6, SchemaUpdateError as i7, SchemaValidationError as i8, type Sealed as i9, type StandardSchemaV1SyncResult as iA, type StoreAuth as iB, type StoreAuthKind as iC, type StoreCapabilities as iD, StoreCapabilityError as iE, type StoreTime as iF, SyncEngine as iG, type SyncMetadata as iH, type SyncPolicy as iI, SyncScheduler as iJ, type SyncSchedulerStatus as iK, type SyncStatus as iL, type SyncTarget as iM, type SyncTargetRole as iN, SyncTransaction as iO, type SyncTransactionResult as iP, type TabChannel as iQ, type TabCoordinationOptions as iR, type TabLockManager as iS, type TabPresence as iT, type TabRole as iU, TamperedError as iV, TierDemoteDeniedError as iW, type TierMode as iX, TierNotGrantedError as iY, TiersNotEnabledError as iZ, type TransactionInvariant as i_, type SealedEnvelope as ia, SealedHandle as ib, type SealedPassphrase as ic, type SealedView as id, type SearchEntry as ie, SearchNotEnabledError as ig, type SearchOptions as ih, type SearchResult as ii, SequenceContentionError as ij, type SequenceHandle as ik, SequenceNotEnabledError as il, SequenceOfflineError as im, type SequenceOptions as io, SequenceStore as ip, type SequenceStoreOptions as iq, type SessionPolicy as ir, type SetPublicEnvelopeInput as is, type ShamirRecoveryDoc as it, type ShamirRecoveryEntry as iu, ShardProvisioningError as iv, type SlotRewrapCeremony as iw, type SlotRewrapContext as ix, type StandardSchemaV1 as iy, type StandardSchemaV1Issue as iz, LocaleNotSpecifiedError as j, isRefArray as j$, TxCollection as j0, type TxOp as j1, TxVault as j2, UniqueConstraintError as j3, UnknownShardError as j4, UnsupportedIndexOptionError as j5, type UpdateAuthenticatorOptions as j6, type UpdateContext as j7, type UpdateUserOptions as j8, type UserEnvelopeCheckGate as j9, compileSequenceFormat as jA, createNoydb as jB, createStore as jC, decryptBytes as jD, decryptDeterministic as jE, deriveMagicLinkContentKey as jF, derivePresenceKey as jG, encryptBytes as jH, encryptDeterministic as jI, enrollAuthenticator as jJ, estimateEntropy as jK, evalComputedFields as jL, evaluateClause as jM, evaluateExportCapability as jN, evaluateFieldClause as jO, evaluateImportCapability as jP, executePlan as jQ, exportAccessibleData as jR, findAuthenticator as jS, hasExportCapability as jT, hasImportCapability as jU, hasRecoveryEnrolled as jV, isLinkCollectionName as jW, isMagicLinkGrantExpired as jX, isMoneyDescriptor as jY, isMoneyString as jZ, isPublicEnvelope as j_, UserEnvelopeOversizedError as ja, type UserInfo as jb, ValidationError as jc, type VaultBackup as jd, type VaultPolicyOnDisk as je, type VaultSchemaSnapshot as jf, type VaultSnapshot as jg, VaultTemplateNotFoundError as jh, type WarningRules as ji, WeakPassphraseError as jj, type WeakPassphraseReason as jk, type WithArchiveOptions as jl, WithdrawalRequestError as jm, type WrappedDeksBlob as jn, type WriteConflict as jo, type WriteQueue as jp, aesGcmOpen as jq, applyJoins as jr, approveWithdrawal as js, asMoney as jt, assertStrongPassphrase as ju, base64ToBuffer as jv, bufferToBase64 as jw, buildLiveQuery as jx, buildRecipientKeyringFile as jy, burnPaperRecoveryEntry as jz, type OnMissingPolicy as k, type CrossJoinClause as k$, issueDelegation as k0, recoverPassphrase as k1, rotatePassphrase as k2, liberateVault as k3, listMagicLinkGrants as k4, listUsers as k5, listUsersWithEnvelopes as k6, listWithdrawalRequests as k7, loadActiveDelegations as k8, loadPaperRecoveryEntries as k9, saveShamirRecoveryEntries as kA, sealRsaOaepTlv as kB, unwrapDeksFromBlob as kC, unwrapDeksFromPaperEntry as kD, unwrapDeksFromShamirEntry as kE, unwrapMagicLinkGrant as kF, validatePassphrase as kG, validatePublicEnvelopeInput as kH, validateSchemaInput as kI, validateSchemaOutput as kJ, withArchive as kK, withDeferredNumbering as kL, withdrawAccessibleData as kM, writeMagicLinkGrant as kN, changeSecret as kO, createOwnerKeyring as kP, ensureCollectionDEK as kQ, grant as kR, loadKeyring as kS, persistKeyring as kT, revoke as kU, updateAuthenticator as kV, updateKeyringIdentity as kW, type TxStrategy as kX, type AmendmentTxOptions as kY, CrossShardJoinError as kZ, sha256Hex as k_, loadSealedPassphrase as ka, loadShamirRecoveryEntries as kb, magicLinkGrantRecordId as kc, mintPaperRecoveryEntry as kd, mintShamirRecoveryEntry as ke, mintWrappedDeksBlob as kf, money as kg, moneyNumber as kh, parseRsaOaepTlv as ki, parseSealedEnvelope as kj, readMagicLinkGrantRecord as kk, readPath as kl, recoverUser as km, ref as kn, refArray as ko, rejectWithdrawal as kp, removeAuthenticator as kq, requestWithdrawal as kr, resetJoinWarnings as ks, resolveSchema as kt, resolveSequenceKey as ku, revokeDelegation as kv, revokeMagicLinkGrant as kw, runTransaction as kx, savePaperRecoveryEntries as ky, saveSealedPassphrase as kz, type ResolveI18nOptions as l, NO_TIERS as l0, type TiersContext as l1, type TiersStrategy as l2, assertDeclaredTier as l3, assertTiersEnabled as l4, classifySealedShred as l5, demote as l6, elevate as l7, getAtTier as l8, listAtTier as l9, putAtTier as la, withTiers as lb, type ScriptWarning as m, type StaticDictDescriptor as n, StaticDictReadonlyError as o, applyI18nLocale as p, dictCollectionName as q, dictKey as r, enforceScript as s, getAtPath as t, i18nText as u, inferScripts as v, isDictCollectionName as w, isDictKeyDescriptor as x, isI18nTextDescriptor as y, isStaticDictDescriptor as z };
21739
+ export { BLOB_INDEX_COLLECTION as $, resolveI18nText as A, resolvePolicy as B, setAtPathInPlace as C, DICT_COLLECTION_PREFIX as D, staticDict as E, stripI18nFilled as F, validateI18nTextValue as G, type SessionStrategy as H, type I18nStrategy as I, SessionExpiredError as J, SessionNotFoundError as K, type Layer as L, MissingTranslationError as M, SessionPolicyError as N, type OnMissing as O, PolicyEnforcer as P, createEnforcer as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, Vault as V, validateSessionPolicy as W, type BlobStrategy as X, BLOB_CHUNKS_COLLECTION as Y, BLOB_COLLECTION as Z, BLOB_EVICTION_AUDIT_COLLECTION as _, type DictEntry as a, type Reducer as a$, BLOB_SLOTS_PREFIX as a0, BLOB_VERSIONS_PREFIX as a1, type BlobEvictionEntry as a2, type BlobFieldPolicy as a3, type BlobFieldsConfig as a4, type BlobObject as a5, type BlobPutOptions as a6, type BlobResponseOptions as a7, BlobSet as a8, type BlobStrategyOpenArgs as a9, IDX_PREFIX as aA, type IndexDef as aB, type IndexState as aC, type IngestRow as aD, type LazyOrderBy as aE, LazyQuery as aF, type LazyQuerySource as aG, type OrderedEntry as aH, PersistedCollectionIndex as aI, type PersistedIndexDef as aJ, compositeKey as aK, decodeIdxId as aL, encodeIdxId as aM, isIdxId as aN, type AggregateStrategy as aO, type AggregateResult as aP, type AggregateSpec as aQ, Aggregation as aR, type AggregationUpstream as aS, GROUPBY_MAX_CARDINALITY as aT, GROUPBY_WARN_CARDINALITY as aU, GroupedAggregation as aV, GroupedQuery as aW, GroupedQueryN as aX, type GroupedRow as aY, type GroupedRowN as aZ, type LiveAggregation as a_, type CompactRunOptions as aa, type CompactionContext as ab, type CompactionResult as ac, DEFAULT_CHUNK_SIZE as ad, EXPORT_AUDIT_COLLECTION as ae, ExportBlobsAbortedError as af, type ExportBlobsAuditEntry as ag, type ExportBlobsHandle as ah, type ExportBlobsOptions as ai, type ExportedBlob as aj, type ObjectListEntry as ak, type ObjectMeta as al, type ObjectProjection as am, type ObjectUrlOptions as an, type PutObjectOptions as ao, type PutUrlOptions as ap, type SlotInfo as aq, type SlotRecord as ar, type VersionRecord as as, createExportBlobsHandle as at, memoryObjectProjection as au, runCompaction as av, type IndexStrategy as aw, COMPOSITE_DELIMITER as ax, CollectionIndexes as ay, type HashIndex as az, type DictKeyDescriptor as b, type SnapshotMeta as b$, type ReducerBuilder as b0, type ReducerOptions as b1, avg as b2, buildLiveAggregation as b3, count as b4, groupAndReduce as b5, max as b6, min as b7, moneyMax as b8, moneyMin as b9, type OpenPeriodOptions as bA, PERIODS_COLLECTION as bB, type PeriodRecord as bC, type ReadOnlyCollection as bD, appendPeriodLedgerEntry as bE, assertTsWritable as bF, chainAnchor as bG, loadPeriods as bH, validatePeriodName as bI, type GuardStrategy as bJ, type GuardChange as bK, type GuardContext as bL, AmendmentForbiddenError as bM, FieldFrozenError as bN, GuardRegistry as bO, type GuardStrategyHandle as bP, IllegalTransitionError as bQ, InvariantError as bR, ReadOnlyVaultFacade as bS, RecordLockedError as bT, type ShadowStrategy as bU, CollectionFrame as bV, VaultFrame as bW, type NoydbPodStore as bX, type RetentionPolicy as bY, type SnapshotPolicy as bZ, type SnapshotStrategy as b_, moneySum as ba, reduceRecords as bb, reducerBuilder as bc, resetGroupByWarnings as bd, sum as be, type CrdtStrategy as bf, type CrdtMode as bg, type CrdtState as bh, type LwwMapState as bi, type RgaState as bj, type YjsState as bk, buildLwwMapState as bl, buildRgaState as bm, mergeCrdtStates as bn, resolveCrdtSnapshot as bo, type ConsentStrategy as bp, CONSENT_AUDIT_COLLECTION as bq, type ConsentAuditEntry as br, type ConsentAuditFilter as bs, type ConsentContext as bt, type ConsentOp as bu, loadConsentEntries as bv, writeConsentEntry as bw, type PeriodsStrategy as bx, type CarryForwardContext as by, type ClosePeriodOptions as bz, DictKeyInUseError as c, type JsonPatchOp as c$, type SnapshotMode as c0, SnapshotNotFoundError as c1, type DerivationStrategy as c2, type DerivationContext as c3, type ArrayOutputSpec as c4, DerivationCapExceededError as c5, DerivationCycleError as c6, DerivationDepthError as c7, DerivationOutputShapeError as c8, DerivationOutputUnknownError as c9, type WithdrawAccessibleOptions as cA, type WithdrawResult as cB, type WithdrawalRequest as cC, type WithdrawalRequestStatus as cD, type DiffEntry as cE, type UnlockedKeyring as cF, type ExportFormat as cG, type BusHandler as cH, type GateDeleteEvent as cI, type GateEventMap as cJ, type GateHandler as cK, type GatePoint as cL, type GatePutEvent as cM, type LifecycleEventMap as cN, type LifecyclePoint as cO, ServiceBus as cP, SubsystemBus as cQ, type Role as cR, type HistoryStrategy as cS, type NoydbStore as cT, type HistoryOptions as cU, type EncryptedEnvelope as cV, type PruneOptions as cW, type AppendInput as cX, type ChangeType as cY, CollectionInstant as cZ, type JsonPatch as c_, DerivationRegistry as ca, type DerivationStrategyHandle as cb, type DerivedFromMeta as cc, type OutputSpec as cd, type RecordOutputSpec as ce, type MaterializedViewStrategy as cf, type MaterializedViewStrategyHandle as cg, type OverlayedViewStrategy as ch, Collection as ci, OverlayBaseIsVirtualError as cj, OverlayCollectionUnavailableError as ck, type OverlayFieldMergeMode as cl, type OverlayFieldMergeRule as cm, OverlayIdMismatchError as cn, OverlayNameCollisionError as co, OverlayedViewRegistry as cp, type OverlayedViewStrategyHandle as cq, type SyncStrategy as cr, type PortabilityStrategy as cs, type ApproveWithdrawalOptions as ct, type ExportAccessibleOptions as cu, NO_PORTABILITY as cv, PortabilityNotEnabledError as cw, type RejectWithdrawalOptions as cx, type RequestWithdrawalOptions as cy, type RequestWithdrawalResult as cz, DictKeyMissingError as d, isClassifiedGroup as d$, LedgerStore as d0, type VaultEngine as d1, VaultInstant as d2, type VerifyResult as d3, applyPatch as d4, computePatch as d5, diff as d6, formatDiff as d7, type SealedRecordStrategy as d8, type SealedCekDeliveryEnvelope as d9, AttestationNotEnabledError as dA, type IssueArgs as dB, type IssueContext as dC, type IssueResult as dD, NO_ATTESTATION as dE, type RevokeContext as dF, getRevokedDocIdsCore as dG, issueAttestationCore as dH, publishRevocationListCore as dI, revokeDocCore as dJ, unrevokeDocCore as dK, type ClassifiedFieldSpec as dL, type ClassifiedStrategy as dM, ClassifiedConfigError as dN, type ClassifiedEntry as dO, type ClassifiedGroup as dP, type ClassifiedList as dQ, type ClassifiedRevealCtx as dR, ClassifiedRevealError as dS, type ClassifiedRider as dT, ClassifiedRotationError as dU, type ClassifiedStorage as dV, type ClassifiedVerdict as dW, type ClassifiedVerifyCtx as dX, ClassifiedVerifyError as dY, NO_CLASSIFIED as dZ, isClassifiedFieldSpec as d_, NO_SEALED_RECORD as da, type SealedCekBinding as db, SealedRecordExpiredError as dc, SealedRecordMismatchError as dd, SealedRecordNotEnabledError as de, type WalkClosureOptions as df, type SealingKeyProvider as dg, type RecoveryEnrollmentInput as dh, type ShamirRecoveryProvider as di, type EnclaveKey as dj, AdoptionStateError as dk, BackupCorruptedError as dl, BackupLedgerError as dm, BundleIntegrityError as dn, BundleSealMismatchError as dp, BundleVersionConflictError as dq, type ClosureResult as dr, type ExtractPartitionResult as ds, PartitionExtractionError as dt, PodVersionConflictError as du, TransferSealError as dv, extractPartition as dw, walkClosure as dx, type AttestationStrategy as dy, AttestationError as dz, DictionaryHandle as e, type Conflict as e$, type PublicEnvelope as e0, type BundleRecipient as e1, type RecipientSealer as e2, type RecipientHint as e3, TxContext as e4, type MVQueryContext as e5, type RegisteredMV as e6, Query as e7, MaterializedViewRegistry as e8, type MaterializedFromMeta as e9, type GateName as eA, type PolicyDenyReason as eB, type GatePolicy as eC, type AccessibleVault as eD, type AffectedDocument as eE, AlreadyElevatedError as eF, type ArchivePolicy as eG, type ArchiveResult as eH, type ArchiveRunOptions as eI, type ArchiveStrategy as eJ, BUNDLE_STORE_POLICY as eK, type BuiltInGateName as eL, type CacheOptions as eM, type CacheStats as eN, CargoNotEnabledError as eO, type CargoStrategy as eP, type ChangeEvent as eQ, ClassifiedNotEnabledError as eR, type Clause as eS, type CollectionChangeEvent as eT, type CollectionConfig as eU, type CollectionConflictResolver as eV, type CollectionDescriptor as eW, type CollectionStats as eX, ComputedFieldError as eY, type ComputedFields as eZ, type ComputedFn as e_, MaterializedViewConfigError as ea, MaterializedViewCycleError as eb, type MaterializedViewOutput as ec, MaterializedViewSourceUnknownError as ed, MaterializedViewTooLargeError as ee, type UnionArmJoin as ef, type UnionSource as eg, type SearchStrategy as eh, type SequenceStrategy as ei, type CustodyStrategy as ej, type SchemaUpdateStrategy as ek, type TransformFn as el, type PersistedSchemaEnvelope as em, type UpdateDecision as en, NoydbError as eo, type UserEnvelope as ep, type VaultUserApi as eq, type UserApiDeps as er, type DeepPartialOrNull as es, type UserEnvelopePresented as et, type Unsubscribe as eu, type LiveUserEnvelope as ev, type RoundingMode as ew, type VaultPolicy as ex, type ActiveTier as ey, type FactorProof as ez, type DictionaryOptions as f, type HistoryConfig as f$, ConflictError as f0, type ConflictPolicy as f1, type ConflictStrategy as f2, CrossJoinSourceUnknownError as f3, CrossJoinTooLargeError as f4, type CrossTierAccessEvent as f5, CustodyApi as f6, type CustodyHost as f7, CustodyNotEnabledError as f8, DEFAULT_CROSS_JOIN_MAX_ROWS as f9, type EnrollAuthenticatorWrappingDEKsOptions as fA, type EnrollAuthenticatorWrappingKEKOptions as fB, type EnrollRecoveryResult as fC, type ExportCapability as fD, ExportCapabilityError as fE, type ExportChunk as fF, type ExportStreamOptions as fG, type FactorKind as fH, type FactorProofBundle as fI, type FactorRequirement as fJ, type FenceDoc as fK, type FenceState as fL, type FieldChange as fM, type FieldClause as fN, type FieldDescriptor as fO, type FieldSource as fP, FilenameSanitizationError as fQ, type FilterClause as fR, ForgetStrategyNotConfiguredError as fS, type FormattedSequenceHandle as fT, type FrozenSnapshotRef as fU, type GhostRecord as fV, type GrantCustodianOptions as fW, type GrantOptions as fX, GroupCardinalityError as fY, type GroupClause as fZ, type GuardViolation as f_, DEFAULT_JOIN_MAX_ROWS as fa, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as fb, DELEGATIONS_COLLECTION as fc, DanglingReferenceError as fd, DataResidencyError as fe, DebugPlaintextError as ff, DebugReservedFieldError as fg, DecryptionError as fh, type DeepPartial as fi, type DeferredNumberingConfig as fj, DelegationTargetMissingError as fk, type DelegationToken as fl, type DeleteManyResult as fm, type DerivationDescriptor as fn, DirectoryDisabledError as fo, type DirtyEntry as fp, type DryRunResult as fq, type DumpSchemaOptions as fr, ELEVATION_AUDIT_COLLECTION as fs, ElevatedHandle as ft, ElevationExpiredError as fu, type EmbeddingDescriptor as fv, EmbeddingDimMismatchError as fw, EmbeddingModelMismatchError as fx, EnclaveNotSupportedError as fy, type EnrollAuthenticatorOptions as fz, type I18nMap as g, NO_CARGO as g$, type HistoryEntry as g0, INDEXED_STORE_POLICY as g1, type ImportCapability as g2, ImportCapabilityError as g3, type IndexFieldName as g4, IndexRequiredError as g5, IndexWriteFailureError as g6, type InferOutput as g7, type InternalCollectionStats as g8, InvalidKeyError as g9, type LiveUpstream as gA, type LocaleReadOptions as gB, Lru as gC, type LruOptions as gD, type LruStats as gE, MAGIC_LINK_CONTENT_INFO_PREFIX as gF, MAGIC_LINK_GRANTS_COLLECTION as gG, MAGIC_LINK_KEK_INFO_PREFIX as gH, type MagicLinkGrantPayload as gI, type MagicLinkGrantRecord as gJ, ManagedRecoveryNotEnrolledError as gK, type MaterializedViewDescriptor as gL, MemoryRecipientSealer as gM, MemorySealingKeyProvider as gN, MigrationRequiredError as gO, MoneyCurrencyError as gP, type MoneyDescriptor as gQ, type MoneyOptions as gR, type MoneyOptionsFixed as gS, type MoneyOptionsMulti as gT, MoneyPrecisionError as gU, type MoneyString as gV, MoneyUnsupportedError as gW, NOYDB_BACKUP_VERSION as gX, NOYDB_FORMAT_VERSION as gY, NOYDB_KEYRING_VERSION as gZ, NOYDB_SYNC_VERSION as g_, type IssueDelegationOptions as ga, type IssueMagicLinkGrantOptions as gb, type JoinContext as gc, type JoinLeg as gd, type JoinStrategy as ge, JoinTooLargeError as gf, type JoinableSource as gg, type KeyringAuthenticator as gh, type KeyringAuthenticatorWrappingDEKs as gi, type KeyringAuthenticatorWrappingKEK as gj, KeyringCorruptError as gk, KeyringExpiredError as gl, type KeyringFile as gm, type LazyStrategy as gn, LedgerContentionError as go, type LiberateOptions as gp, type LiberateResult as gq, LinkIntegrityError as gr, type LinkOnDelete as gs, type LinkRow as gt, type LinkSetHandle as gu, type LinkSpec as gv, type ListAccessibleVaultsOptions as gw, type ListPageResult as gx, type ListUsersOptions as gy, type LiveQuery as gz, type I18nTextDescriptor as h, type RecoverPassphraseInput as h$, NO_CUSTODY as h0, NO_SEARCH as h1, NO_SEQUENCE as h2, NO_TEAM as h3, NetworkError as h4, type NextOptions as h5, NoAccessError as h6, NonAdditiveSchemaChangeError as h7, NotFoundError as h8, Noydb as h9, type PublicEnvelopeField as hA, type PublicEnvelopeSchema as hB, type PublicEnvelopeText as hC, type PullMode as hD, type PullOptions as hE, type PullPolicy as hF, type PullResult as hG, type PushMode as hH, type PushOptions as hI, type PushPolicy as hJ, type PushResult as hK, type PutManyItemOptions as hL, type PutManyOptions as hM, type PutManyResult as hN, type QueryAcrossOptions as hO, type QueryAcrossResult as hP, type QueryField as hQ, type QueryPlan as hR, type QuerySource as hS, type QuickUnlockState as hT, QuickUnlockStore as hU, QuiesceTimeoutError as hV, type ReAuthOperation as hW, ReadOnlyAtInstantError as hX, ReadOnlyError as hY, ReadOnlyFrameError as hZ, RecordCekNotFoundError as h_, type NoydbBundleStore as ha, type NoydbEventMap as hb, type NoydbOptions as hc, type Assignment as hd, NumberingUncertaintyError as he, type Operator as hf, type OrderBy as hg, type OverlayViewDescriptor as hh, POD_STORE_POLICY as hi, PUBLIC_ENVELOPE_FIELDS as hj, type PaperRecoveryDoc as hk, type PaperRecoveryEntry as hl, type PassphrasePolicy as hm, type PassphraseValidationResult as hn, PathEscapeError as ho, PeriodClosedError as hp, type Permission as hq, PermissionDeniedError as hr, type Permissions as hs, type PersistedSchemaKind as ht, type PlaintextTranslatorContext as hu, type PlaintextTranslatorFn as hv, PolicyDeniedError as hw, PresenceHandle as hx, type PresencePeer as hy, PrivilegeEscalationError as hz, type I18nTextOptions as i, type SyncPolicy as i$, type RecoverPassphraseResult as i0, type RecoverUserOptions as i1, RecoveryNotEnrolledError as i2, RecoveryProfileNotImplementedError as i3, type RecoveryProof as i4, type RefDescriptor as i5, RefIntegrityError as i6, type RefMode as i7, RefRegistry as i8, RefScopeError as i9, SearchNotEnabledError as iA, type SearchOptions as iB, type SearchResult as iC, SequenceContentionError as iD, type SequenceHandle as iE, SequenceNotEnabledError as iF, SequenceOfflineError as iG, type SequenceOptions as iH, SequenceStore as iI, type SequenceStoreOptions as iJ, type SessionPolicy as iK, type SetPublicEnvelopeInput as iL, type ShamirRecoveryDoc as iM, type ShamirRecoveryEntry as iN, ShardProvisioningError as iO, type SlotRewrapCeremony as iP, type SlotRewrapContext as iQ, type StandardSchemaV1 as iR, type StandardSchemaV1Issue as iS, type StandardSchemaV1SyncResult as iT, type StoreAuth as iU, type StoreAuthKind as iV, type StoreCapabilities as iW, StoreCapabilityError as iX, type StoreTime as iY, SyncEngine as iZ, type SyncMetadata as i_, type RefViolation as ia, ReservedVaultNameError as ib, type ResolvedPublicEnvelopeSchema as ic, type RetrieveHit as id, type RetrieveOptions as ie, type RevokeOptions as ig, type RotatePassphraseInput as ih, type RotateRecoveryOptions as ii, type RotateRecoveryResult as ij, SEALED_PASSPHRASE_RECORD_ID as ik, ScanBuilder as il, type ScanPageProvider as im, type SchemaDelta as io, SchemaFenceError as ip, type SchemaIntrospection as iq, SchemaLockedError as ir, SchemaUpdateError as is, SchemaValidationError as it, type Sealed as iu, type SealedEnvelope as iv, SealedHandle as iw, type SealedPassphrase as ix, type SealedView as iy, type SearchEntry as iz, LocaleNotSpecifiedError as j, derivePresenceKey as j$, SyncScheduler as j0, type SyncSchedulerStatus as j1, type SyncStatus as j2, type SyncTarget as j3, type SyncTargetRole as j4, SyncTransaction as j5, type SyncTransactionResult as j6, type TabChannel as j7, type TabCoordinationOptions as j8, type TabLockManager as j9, type VaultSchemaSnapshot as jA, type VaultSnapshot as jB, VaultTemplateNotFoundError as jC, type WarningRules as jD, WeakPassphraseError as jE, type WeakPassphraseReason as jF, type WithArchiveOptions as jG, WithdrawalRequestError as jH, type WrappedDeksBlob as jI, type WriteConflict as jJ, type WriteQueue as jK, aesGcmOpen as jL, applyJoins as jM, approveWithdrawal as jN, asMoney as jO, assertStrongPassphrase as jP, base64ToBuffer as jQ, bufferToBase64 as jR, buildLiveQuery as jS, buildRecipientKeyringFile as jT, burnPaperRecoveryEntry as jU, compileSequenceFormat as jV, createNoydb as jW, createStore as jX, decryptBytes as jY, decryptDeterministic as jZ, deriveMagicLinkContentKey as j_, type TabPresence as ja, type TabRole as jb, TamperedError as jc, TeamNotEnabledError as jd, type TeamStrategy as je, TierDemoteDeniedError as jf, type TierMode as jg, TierNotGrantedError as jh, TiersNotEnabledError as ji, type TransactionInvariant as jj, type TranslatorAuditEntry as jk, TxCollection as jl, type TxOp as jm, TxVault as jn, UniqueConstraintError as jo, UnknownShardError as jp, UnsupportedIndexOptionError as jq, type UpdateAuthenticatorOptions as jr, type UpdateContext as js, type UpdateUserOptions as jt, type UserEnvelopeCheckGate as ju, UserEnvelopeOversizedError as jv, type UserInfo as jw, ValidationError as jx, type VaultBackup as jy, type VaultPolicyOnDisk as jz, type OnMissingPolicy as k, validatePassphrase as k$, encryptBytes as k0, encryptDeterministic as k1, enrollAuthenticator as k2, estimateEntropy as k3, evalComputedFields as k4, evaluateClause as k5, evaluateExportCapability as k6, evaluateFieldClause as k7, evaluateImportCapability as k8, executePlan as k9, mintWrappedDeksBlob as kA, money as kB, moneyNumber as kC, parseRsaOaepTlv as kD, parseSealedEnvelope as kE, readMagicLinkGrantRecord as kF, readPath as kG, recoverUser as kH, ref as kI, refArray as kJ, rejectWithdrawal as kK, removeAuthenticator as kL, requestWithdrawal as kM, resetJoinWarnings as kN, resolveSchema as kO, resolveSequenceKey as kP, revokeDelegation as kQ, revokeMagicLinkGrant as kR, runTransaction as kS, savePaperRecoveryEntries as kT, saveSealedPassphrase as kU, saveShamirRecoveryEntries as kV, sealRsaOaepTlv as kW, unwrapDeksFromBlob as kX, unwrapDeksFromPaperEntry as kY, unwrapDeksFromShamirEntry as kZ, unwrapMagicLinkGrant as k_, exportAccessibleData as ka, findAuthenticator as kb, hasExportCapability as kc, hasImportCapability as kd, hasRecoveryEnrolled as ke, isLinkCollectionName as kf, isMagicLinkGrantExpired as kg, isMoneyDescriptor as kh, isMoneyString as ki, isPublicEnvelope as kj, isRefArray as kk, issueDelegation as kl, recoverPassphrase as km, rotatePassphrase as kn, liberateVault as ko, listMagicLinkGrants as kp, listUsers as kq, listUsersWithEnvelopes as kr, listWithdrawalRequests as ks, loadActiveDelegations as kt, loadPaperRecoveryEntries as ku, loadSealedPassphrase as kv, loadShamirRecoveryEntries as kw, magicLinkGrantRecordId as kx, mintPaperRecoveryEntry as ky, mintShamirRecoveryEntry as kz, type ResolveI18nOptions as l, validatePublicEnvelopeInput as l0, validateSchemaInput as l1, validateSchemaOutput as l2, withArchive as l3, withDeferredNumbering as l4, withdrawAccessibleData as l5, writeMagicLinkGrant as l6, changeSecret as l7, createOwnerKeyring as l8, ensureCollectionDEK as l9, grant as la, loadKeyring as lb, persistKeyring as lc, revoke as ld, updateAuthenticator as le, updateKeyringIdentity as lf, IMPLICIT_LAZY as lg, type TxStrategy as lh, type AmendmentTxOptions as li, CrossShardJoinError as lj, sha256Hex as lk, type CrossJoinClause as ll, NO_TIERS as lm, type TiersContext as ln, type TiersStrategy as lo, assertDeclaredTier as lp, assertTiersEnabled as lq, classifySealedShred as lr, demote as ls, elevate as lt, getAtTier as lu, listAtTier as lv, putAtTier as lw, withTiers as lx, type ScriptWarning as m, type StaticDictDescriptor as n, StaticDictReadonlyError as o, applyI18nLocale as p, dictCollectionName as q, dictKey as r, enforceScript as s, getAtPath as t, i18nText as u, inferScripts as v, isDictCollectionName as w, isDictKeyDescriptor as x, isI18nTextDescriptor as y, isStaticDictDescriptor as z };