### Changed - Rewrite functionality for checking for valid vault(1) configurations: include an actual validation function which throws errors upon encountering format violations, and which allows specifying which types of extensions (unknown settings, `derivepassphrase`-only settings) to tolerate during validation. This is a **breaking API change** because the function return annotation changed, from [`typing.TypeGuard`][] to [`typing_extensions.TypeIs`][]. These were the originally intended semantics, but when `derivepassphrase` was first designed, the Python type system did not support this kind of partial type narrowing.