@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/index.js

@@ -1,22 +1,42 @@
+import {
+  DELEGATIONS_COLLECTION,
+  issueDelegation,
+  loadActiveDelegations,
+  revokeDelegation
+} from "./chunk-I6MX32UC.js";
 import {
   DEFAULT_PUBLIC_ENVELOPE_SCHEMA,
   PUBLIC_ENVELOPE_FIELDS,
   resolveSchema
 } from "./chunk-EMIGCR7X.js";
 import {
-  DELEGATIONS_COLLECTION,
-  assertTierAccess,
-  dekKey,
-  effectiveClearance,
-  issueDelegation,
-  loadActiveDelegations,
-  revokeDelegation
-} from "./chunk-SCZXXXU4.js";
+  TxCollection,
+  TxContext,
+  TxVault,
+  revertExecuted,
+  runTransaction
+} from "./chunk-6HPZY4ON.js";
+import {
+  withDerivation
+} from "./chunk-EGQYGYIU.js";
+import "./chunk-FCXOFQAJ.js";
+import "./chunk-HB3Z2GCR.js";
+import {
+  withMaterializedView
+} from "./chunk-RD5LYKD6.js";
+import "./chunk-SIZWEV2Y.js";
+import "./chunk-DPMFBCV6.js";
+import "./chunk-UZXLQCHP.js";
+import {
+  OverlayedCollection,
+  withOverlayedView
+} from "./chunk-Z72JH4KG.js";
+import "./chunk-OMLIZL2P.js";
 import {
   LazyQuery,
   decodeIdxId,
   encodeIdxId
-} from "./chunk-ZFKD4QMV.js";
+} from "./chunk-DYECX3IX.js";
 import {
   mergeCrdtStates,
   resolveCrdtSnapshot
@@ -31,7 +51,7 @@ import {
   readNoydbBundlePublicEnvelope,
   resetBrotliSupportCache,
   writeNoydbBundle
-} from "./chunk-WN6UK7PM.js";
+} from "./chunk-7H6DOO3E.js";
 import {
   PUBLIC_ENVELOPE_RECORD_ID,
   isPublicEnvelope,
@@ -39,24 +59,24 @@ import {
   readPublicEnvelope,
   savePublicEnvelope,
   validatePublicEnvelopeInput
-} from "./chunk-RSPLI376.js";
+} from "./chunk-5SCJ5UEF.js";
 import {
   CONSENT_AUDIT_COLLECTION
-} from "./chunk-M62XNWRA.js";
+} from "./chunk-5DWL3JBF.js";
 import {
   PERIODS_COLLECTION
-} from "./chunk-7XBQS42M.js";
+} from "./chunk-537VFZTR.js";
 import "./chunk-UF3BUNQZ.js";
+import {
+  withGuard
+} from "./chunk-MKSA2V7A.js";
+import "./chunk-PEULZC6M.js";
+import "./chunk-UMLVJTYV.js";
+import "./chunk-34YSDCDP.js";
 import {
   CollectionFrame,
   VaultFrame
-} from "./chunk-R36SIKES.js";
-import {
-  TxCollection,
-  TxContext,
-  TxVault,
-  runTransaction
-} from "./chunk-BTDCBVJW.js";
+} from "./chunk-ZNOEIM6Y.js";
 import {
   DICT_COLLECTION_PREFIX,
   DictionaryHandle,
@@ -69,7 +89,7 @@ import {
   isI18nTextDescriptor,
   resolveI18nText,
   validateI18nTextValue
-} from "./chunk-2WGMYBYS.js";
+} from "./chunk-NIOHFJPJ.js";
 import {
   createBundleStore,
   routeStore,
@@ -81,30 +101,73 @@ import {
   withRetry,
   wrapBundleStore,
   wrapStore
-} from "./chunk-USKYUS74.js";
+} from "./chunk-P7EQ2S5O.js";
 import {
+  MAGIC_LINK_CONTENT_INFO_PREFIX,
+  MAGIC_LINK_GRANTS_COLLECTION,
+  MAGIC_LINK_KEK_INFO_PREFIX,
+  ManagedRecoveryNotEnrolledError,
+  PolicyDeniedError,
+  RecoveryNotEnrolledError,
+  RecoveryProfileNotImplementedError,
   SYNC_CREDENTIALS_COLLECTION,
+  burnPaperRecoveryEntry,
   credentialStatus,
   deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  findAuthenticator,
   getCredential,
+  hasRecoveryEnrolled,
+  hasStrongRecoveryEnrolled,
+  isMagicLinkGrantExpired,
   listCredentials,
-  putCredential
-} from "./chunk-TOQK4KAN.js";
+  listMagicLinkGrants,
+  loadPaperRecoveryEntries,
+  loadShamirRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintShamirRecoveryEntry,
+  mintWrappedDeksBlob,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  saveShamirRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapDeksFromShamirEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  writeMagicLinkGrant
+} from "./chunk-CBAHB2BF.js";
+import {
+  assertTierAccess,
+  dekKey,
+  effectiveClearance
+} from "./chunk-DYBQG5PQ.js";
 import {
   PresenceHandle,
   SyncEngine,
   SyncTransaction
-} from "./chunk-HC7Z5EQZ.js";
+} from "./chunk-4TFSM22V.js";
 import {
+  DIRECTORY_RECORD_ID,
   USER_ENVELOPE_COLLECTION,
   USER_ENVELOPE_MAX_BYTES,
   UserEnvelopeOversizedError,
+  VISIBILITY_RECORD_PREFIX,
   WeakPassphraseError,
   assertStrongPassphrase,
   buildRecipientKeyringFile,
   changeSecret,
   createOwnerKeyring,
   deleteUserEnvelope,
+  deleteUserVisibility,
   ensureCollectionDEK,
   estimateEntropy,
   evaluateExportCapability,
@@ -119,12 +182,17 @@ import {
   listUsersWithEnvelopes,
   loadKeyring,
   loadUserEnvelope,
-  persistKeyring,
+  persistDirectoryConfig,
+  persistUserVisibility,
+  readDirectoryConfig,
+  readUserVisibility,
   revoke,
   rotateKeys,
   saveUserEnvelope,
-  validatePassphrase
-} from "./chunk-YVFTBQHL.js";
+  updateKeyringIdentity,
+  validatePassphrase,
+  visibilityRecordId
+} from "./chunk-PA6R5ZCI.js";
 import {
   BUNDLE_STORE_POLICY,
   INDEXED_STORE_POLICY,
@@ -144,7 +212,7 @@ import {
   revokeAllSessions,
   revokeSession,
   validateSessionPolicy
-} from "./chunk-VQBTTTUN.js";
+} from "./chunk-KESP7GOK.js";
 import {
   generateULID,
   isULID
@@ -154,22 +222,22 @@ import {
   VaultInstant,
   diff,
   formatDiff
-} from "./chunk-NXFEYLVG.js";
+} from "./chunk-MIQHZESA.js";
 import {
   LEDGER_COLLECTION,
   LEDGER_DELTAS_COLLECTION,
   LedgerStore,
   applyPatch,
   computePatch
-} from "./chunk-Y4CMTMUW.js";
+} from "./chunk-UA4RI7OT.js";
 import {
   canonicalJson,
   envelopePayloadHash,
   hashEntry,
   paddedIndex,
   parseIndex,
-  sha256Hex
-} from "./chunk-CIMZBAZB.js";
+  sha256Hex as sha256Hex2
+} from "./chunk-2AXFIYHT.js";
 import {
   DEFAULT_JOIN_MAX_ROWS,
   NO_AGGREGATE,
@@ -179,29 +247,32 @@ import {
   buildLiveQuery,
   executePlan,
   resetJoinWarnings
-} from "./chunk-GOUT6DND.js";
+} from "./chunk-23TTQXVO.js";
 import {
   CollectionIndexes
-} from "./chunk-NPC4LFV5.js";
+} from "./chunk-YMYK7US4.js";
+import {
+  avg,
+  count,
+  max,
+  min,
+  sum
+} from "./chunk-5ZGZ6HIZ.js";
 import {
   Aggregation,
   GROUPBY_MAX_CARDINALITY,
   GROUPBY_WARN_CARDINALITY,
   GroupedAggregation,
   GroupedQuery,
-  avg,
-  count,
+  GroupedQueryN,
   groupAndReduce,
-  max,
-  min,
-  reduceRecords,
-  sum
-} from "./chunk-TDR6T5CJ.js";
+  reduceRecords
+} from "./chunk-XGSOTWYX.js";
 import {
   evaluateClause,
   evaluateFieldClause,
   readPath
-} from "./chunk-M5INGEFC.js";
+} from "./chunk-MRIBLZL3.js";
 import {
   BLOB_CHUNKS_COLLECTION,
   BLOB_COLLECTION,
@@ -216,58 +287,74 @@ import {
   detectMimeType,
   isPreCompressed,
   runCompaction
-} from "./chunk-R2ZTGEVP.js";
+} from "./chunk-VMIO4IXG.js";
 import {
   NOYDB_BACKUP_VERSION,
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION,
   NOYDB_SYNC_VERSION,
   createStore
-} from "./chunk-PJK6IOBC.js";
+} from "./chunk-YS3POABP.js";
 import {
   base64ToBuffer,
   bufferToBase64,
   decrypt,
   decryptBytes,
   decryptDeterministic,
-  deriveKey,
   derivePresenceKey,
   encrypt,
   encryptBytes,
   encryptDeterministic,
-  generateSalt,
-  unwrapKey,
-  wrapKey
-} from "./chunk-MR4424N3.js";
+  sha256Hex
+} from "./chunk-WCA2NROQ.js";
 import {
   AlreadyElevatedError,
+  AmendmentForbiddenError,
   BackupCorruptedError,
   BackupLedgerError,
   BundleIntegrityError,
+  BundleSealMismatchError,
   BundleVersionConflictError,
   ConflictError,
   DanglingReferenceError,
   DecryptionError,
   DelegationTargetMissingError,
+  DerivationCapExceededError,
+  DerivationCycleError,
+  DerivationDepthError,
+  DerivationOutputShapeError,
+  DerivationOutputUnknownError,
   DictKeyInUseError,
   DictKeyMissingError,
+  DirectoryDisabledError,
   ElevationExpiredError,
   ExportCapabilityError,
+  FieldFrozenError,
   FilenameSanitizationError,
   GroupCardinalityError,
   ImportCapabilityError,
   IndexRequiredError,
   IndexWriteFailureError,
   InvalidKeyError,
+  InvariantError,
   JoinTooLargeError,
+  KeyringCorruptError,
   KeyringExpiredError,
   LedgerContentionError,
   LocaleNotSpecifiedError,
+  MaterializedViewConfigError,
+  MaterializedViewCycleError,
+  MaterializedViewSourceUnknownError,
+  MaterializedViewTooLargeError,
   MissingTranslationError,
   NetworkError,
   NoAccessError,
   NotFoundError,
   NoydbError,
+  OverlayBaseIsVirtualError,
+  OverlayCollectionUnavailableError,
+  OverlayIdMismatchError,
+  OverlayNameCollisionError,
   PathEscapeError,
   PeriodClosedError,
   PermissionDeniedError,
@@ -275,6 +362,7 @@ import {
   ReadOnlyAtInstantError,
   ReadOnlyError,
   ReadOnlyFrameError,
+  RecordLockedError,
   ReservedCollectionNameError,
   SchemaValidationError,
   SessionExpiredError,
@@ -286,7 +374,7 @@ import {
   TierNotGrantedError,
   TranslatorNotConfiguredError,
   ValidationError
-} from "./chunk-ACLDOTNQ.js";
+} from "./chunk-ADQ5MQ54.js";
 
 // src/schema.ts
 async function validateSchemaInput(schema, value, context) {
@@ -326,6 +414,109 @@ function formatPath(path) {
   ).join(".");
 }
 
+// src/persisted-schemas/canonicalize.ts
+function canonicalize(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map(canonicalize).join(",") + "]";
+  }
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  const parts = keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k]));
+  return "{" + parts.join(",") + "}";
+}
+
+// src/persisted-schemas/derive.ts
+function isZodSchema(value) {
+  if (value === null || typeof value !== "object") return false;
+  const def = value._def;
+  if (!def || typeof def !== "object") return false;
+  return typeof def.typeName === "string" && def.typeName.startsWith("Zod");
+}
+function detectKind(validator) {
+  if (isZodSchema(validator)) return "Zod";
+  return "Unknown";
+}
+async function loadZodConverter() {
+  try {
+    const mod = await import("zod-to-json-schema");
+    if (!mod.zodToJsonSchema) {
+      throw new Error("zod-to-json-schema export missing");
+    }
+    return mod.zodToJsonSchema;
+  } catch (err) {
+    throw new Error(
+      `persistJsonSchema requires the optional peer-dep \`zod-to-json-schema\`. Install it: \`pnpm add zod-to-json-schema\` (or npm/yarn equivalent). Original error: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+async function derivePersistedSchema(validator) {
+  const kind = detectKind(validator);
+  const derivedAt = (/* @__PURE__ */ new Date()).toISOString();
+  if (kind === "Zod") {
+    const convert = await loadZodConverter();
+    const jsonSchema = convert(validator);
+    const canonical = canonicalize(jsonSchema);
+    const hash = await sha256Hex(new TextEncoder().encode(canonical));
+    return { _noydb_schema: 1, kind, jsonSchema, hash, derivedAt };
+  }
+  return {
+    _noydb_schema: 1,
+    kind,
+    jsonSchema: null,
+    hash: null,
+    reason: `derivation not yet supported for kind=${kind} (v0 supports Zod only)`,
+    derivedAt
+  };
+}
+
+// src/persisted-schemas/storage.ts
+var SCHEMAS_COLLECTION = "_schemas";
+async function loadPersistedSchema(store, vault, collection, dek) {
+  const envelope = await store.get(vault, SCHEMAS_COLLECTION, collection);
+  if (!envelope) return void 0;
+  try {
+    const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+    const parsed = JSON.parse(plaintext);
+    if (parsed._noydb_schema !== 1) return void 0;
+    return parsed;
+  } catch {
+    return void 0;
+  }
+}
+async function savePersistedSchema(store, vault, collection, dek, payload) {
+  const json = JSON.stringify(payload);
+  const { iv, data } = await encrypt(json, dek);
+  const prior = await store.get(vault, SCHEMAS_COLLECTION, collection);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data
+  };
+  await store.put(vault, SCHEMAS_COLLECTION, collection, env);
+}
+
+// src/persisted-schemas/register.ts
+async function persistSchemaIfNeeded(opts) {
+  const fresh = await derivePersistedSchema(opts.validator);
+  const stored = await loadPersistedSchema(opts.store, opts.vault, opts.collectionName, opts.dek);
+  if (stored && isEquivalent(stored, fresh)) {
+    return { written: false, skipped: true, envelope: stored };
+  }
+  await savePersistedSchema(opts.store, opts.vault, opts.collectionName, opts.dek, fresh);
+  return { written: true, skipped: false, envelope: fresh };
+}
+function isEquivalent(a, b) {
+  if (a.kind !== b.kind) return false;
+  if (a.hash && b.hash) return a.hash === b.hash;
+  if (a.hash === null && b.hash === null) return true;
+  return false;
+}
+
 // src/refs.ts
 var RefIntegrityError = class extends NoydbError {
   collection;
@@ -426,56 +617,6 @@ var RefRegistry = class {
   }
 };
 
-// src/team/authenticators.ts
-async function enrollAuthenticator(store, vault, keyring, options) {
-  const existing = keyring.authenticators.find((a) => a.id === options.id);
-  if (existing) {
-    throw new ValidationError(
-      `enrollAuthenticator: slot id "${options.id}" already exists in vault "${vault}". Remove the slot first or pick a unique id.`
-    );
-  }
-  const base = {
-    id: options.id,
-    method: options.method,
-    enrolled_at: (/* @__PURE__ */ new Date()).toISOString(),
-    enrolled_via_tier: options.enrolled_via_tier ?? 1,
-    meta: options.meta
-  };
-  const slot = options.wrapKind === "deks" ? {
-    ...base,
-    wrapKind: "deks",
-    wrapped_deks: options.wrapped_deks,
-    iv: options.iv
-  } : {
-    ...base,
-    wrapped_kek: options.wrapped_kek
-  };
-  const next = appendSlot(keyring, slot);
-  await persistKeyring(store, vault, next);
-  return next;
-}
-async function removeAuthenticator(store, vault, keyring, slotId) {
-  const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
-  if (filtered.length === keyring.authenticators.length) {
-    return keyring;
-  }
-  const next = {
-    ...keyring,
-    authenticators: filtered
-  };
-  await persistKeyring(store, vault, next);
-  return next;
-}
-function findAuthenticator(keyring, slotId) {
-  return keyring.authenticators.find((a) => a.id === slotId);
-}
-function appendSlot(keyring, slot) {
-  return {
-    ...keyring,
-    authenticators: [...keyring.authenticators, slot]
-  };
-}
-
 // src/session/unlock-state.ts
 var QuickUnlockStore = class {
   states = /* @__PURE__ */ new Map();
@@ -517,357 +658,6 @@ var QuickUnlockStore = class {
   }
 };
 
-// src/policy/errors.ts
-var PolicyDeniedError = class extends NoydbError {
-  gate;
-  reason;
-  required;
-  constructor(gate, reason, required, message) {
-    super(
-      "POLICY_DENIED",
-      message ?? `Gate "${gate}" denied: ${reason}.`
-    );
-    this.name = "PolicyDeniedError";
-    this.gate = gate;
-    this.reason = reason;
-    this.required = required;
-  }
-};
-var RecoveryNotEnrolledError = class extends NoydbError {
-  constructor(message = 'Recovery profile not enrolled. Pass `recovery: [{ profile: "paper", codes: 10 }]` to `createNoydb()`, or set `policy.gates["recover-passphrase"].enabled = false` to opt out of recovery (passphrase loss = data loss). See docs/subsystems/session-tiers.md.') {
-    super("RECOVERY_NOT_ENROLLED", message);
-    this.name = "RecoveryNotEnrolledError";
-  }
-};
-var RecoveryProfileNotImplementedError = class extends NoydbError {
-  profile;
-  tracking;
-  constructor(profile, tracking) {
-    super(
-      "RECOVERY_PROFILE_NOT_IMPLEMENTED",
-      `Recovery profile "${profile}" is not yet implemented in this hub release. Tracking: ${tracking}. Use the "paper" profile via @noy-db/on-recovery in the meantime.`
-    );
-    this.name = "RecoveryProfileNotImplementedError";
-    this.profile = profile;
-    this.tracking = tracking;
-  }
-};
-
-// src/team/wrapped-deks.ts
-var PBKDF2_ITERATIONS = 6e5;
-var SALT_BYTES = 32;
-var IV_BYTES = 12;
-var subtle = globalThis.crypto.subtle;
-async function mintWrappedDeksBlob(deks, credential) {
-  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
-  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
-  const wrappingKey = await deriveWrappingKey(credential, salt);
-  const exported = {};
-  for (const [coll, dek] of deks) {
-    const raw = await subtle.exportKey("raw", dek);
-    exported[coll] = bytesToBase64(new Uint8Array(raw));
-  }
-  const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
-  const ciphertext = await subtle.encrypt(
-    { name: "AES-GCM", iv },
-    wrappingKey,
-    plaintext
-  );
-  return {
-    salt: bytesToBase64(salt),
-    iv: bytesToBase64(iv),
-    wrappedDeks: bytesToBase64(new Uint8Array(ciphertext))
-  };
-}
-async function unwrapDeksFromBlob(blob, credential) {
-  const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt));
-  const plaintext = await subtle.decrypt(
-    { name: "AES-GCM", iv: base64ToBytes(blob.iv) },
-    wrappingKey,
-    base64ToBytes(blob.wrappedDeks)
-  );
-  const parsed = JSON.parse(new TextDecoder().decode(plaintext));
-  const deks = /* @__PURE__ */ new Map();
-  for (const [coll, b64] of Object.entries(parsed.deks)) {
-    const raw = base64ToBytes(b64);
-    const key = await subtle.importKey(
-      "raw",
-      raw,
-      { name: "AES-GCM", length: 256 },
-      true,
-      ["encrypt", "decrypt"]
-    );
-    deks.set(coll, key);
-  }
-  return deks;
-}
-async function deriveWrappingKey(credential, salt) {
-  const ikm = await subtle.importKey(
-    "raw",
-    new TextEncoder().encode(credential),
-    "PBKDF2",
-    false,
-    ["deriveKey"]
-  );
-  return subtle.deriveKey(
-    {
-      name: "PBKDF2",
-      salt,
-      iterations: PBKDF2_ITERATIONS,
-      hash: "SHA-256"
-    },
-    ikm,
-    { name: "AES-GCM", length: 256 },
-    false,
-    ["encrypt", "decrypt"]
-  );
-}
-function bytesToBase64(b) {
-  let s = "";
-  for (const x of b) s += String.fromCharCode(x);
-  return btoa(s);
-}
-function base64ToBytes(b64) {
-  const s = atob(b64);
-  const out = new Uint8Array(s.length);
-  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
-  return out;
-}
-
-// src/team/recovery.ts
-var PAPER_DOC_ID = "recovery-paper";
-async function loadPaperRecoveryEntries(store, vault) {
-  const env = await store.get(vault, "_meta", PAPER_DOC_ID);
-  if (!env) return [];
-  try {
-    const doc = JSON.parse(env._data);
-    if (doc.profile !== "paper" || !Array.isArray(doc.entries)) return [];
-    return doc.entries;
-  } catch {
-    return [];
-  }
-}
-async function savePaperRecoveryEntries(store, vault, entries) {
-  const doc = {
-    _noydb_recovery: 1,
-    profile: "paper",
-    entries
-  };
-  const envelope = {
-    _noydb: NOYDB_FORMAT_VERSION,
-    _v: 1,
-    _ts: (/* @__PURE__ */ new Date()).toISOString(),
-    _iv: "",
-    _data: JSON.stringify(doc)
-  };
-  await store.put(vault, "_meta", PAPER_DOC_ID, envelope);
-}
-async function burnPaperRecoveryEntry(store, vault, codeId) {
-  const entries = await loadPaperRecoveryEntries(store, vault);
-  const remaining = entries.filter((e) => e.codeId !== codeId);
-  await savePaperRecoveryEntries(store, vault, remaining);
-}
-async function hasRecoveryEnrolled(store, vault) {
-  const paper = await loadPaperRecoveryEntries(store, vault);
-  return paper.length > 0;
-}
-async function mintPaperRecoveryEntry(deks, code, codeId) {
-  const blob = await mintWrappedDeksBlob(deks, code);
-  return {
-    ...blob,
-    codeId,
-    enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-async function unwrapDeksFromPaperEntry(entry, code) {
-  return unwrapDeksFromBlob(entry, code);
-}
-
-// src/team/rotate-recover.ts
-async function rotatePassphrase(store, vault, userId, input) {
-  if (!input.allowWeakPassphrase) {
-    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
-  }
-  const env = await store.get(vault, "_keyring", userId);
-  if (!env) {
-    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
-  }
-  const file = JSON.parse(env._data);
-  const oldSalt = base64ToBuffer(file.salt);
-  const oldKek = await deriveKey(input.oldPassphrase, oldSalt);
-  const deks = /* @__PURE__ */ new Map();
-  for (const [coll, wrapped] of Object.entries(file.deks)) {
-    deks.set(coll, await unwrapKey(wrapped, oldKek));
-  }
-  const newSalt = generateSalt();
-  const newKek = await deriveKey(input.newPassphrase, newSalt);
-  const wrappedDeks = {};
-  for (const [coll, dek] of deks) {
-    wrappedDeks[coll] = await wrapKey(dek, newKek);
-  }
-  const oldSlots = file.authenticators ?? [];
-  const newSlots = [];
-  if (input.slotCeremonies && oldSlots.length > 0) {
-    for (const oldSlot of oldSlots) {
-      const ceremony = input.slotCeremonies[oldSlot.id];
-      if (!ceremony) continue;
-      const result = await ceremony({ newKek, newDeks: deks, oldSlot });
-      if (result.id !== oldSlot.id) {
-        throw new ValidationError(
-          `slotCeremonies['${oldSlot.id}'] returned id="${result.id}". The id must match the rotated slot \u2014 a ceremony cannot change a slot's identity.`
-        );
-      }
-      if (result.method !== oldSlot.method) {
-        throw new ValidationError(
-          `slotCeremonies['${oldSlot.id}'] returned method="${result.method}", expected "${oldSlot.method}". The method must match the rotated slot \u2014 a ceremony cannot change the auth method (e.g. webauthn \u2192 password) under cover of rotation.`
-        );
-      }
-      const baseFields = {
-        id: result.id,
-        method: result.method,
-        // Preserve original enrolled_at — rotation is rewrapping, not
-        // re-enrollment. The slot's enrolment timestamp tracks when
-        // the user originally added the slot, not when it was last
-        // rewrapped. Forensics consumers reading enrolled_at are
-        // tracking the slot's ORIGIN, not its CURRENT wrapping.
-        enrolled_at: oldSlot.enrolled_at,
-        enrolled_via_tier: result.enrolled_via_tier ?? oldSlot.enrolled_via_tier,
-        meta: result.meta
-      };
-      const newSlot = result.wrapKind === "deks" ? {
-        ...baseFields,
-        wrapKind: "deks",
-        wrapped_deks: result.wrapped_deks,
-        iv: result.iv
-      } : {
-        ...baseFields,
-        wrapped_kek: result.wrapped_kek
-      };
-      newSlots.push(newSlot);
-    }
-  }
-  const next = {
-    ...file,
-    _noydb_keyring: NOYDB_KEYRING_VERSION,
-    deks: wrappedDeks,
-    salt: bufferToBase64(newSalt),
-    authenticators: newSlots
-  };
-  await writeKeyringFile(store, vault, userId, next);
-  return {
-    userId: file.user_id,
-    displayName: file.display_name,
-    role: file.role,
-    permissions: file.permissions,
-    deks,
-    kek: newKek,
-    salt: newSalt,
-    authenticators: newSlots,
-    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
-    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
-  };
-}
-async function recoverPassphrase(store, vault, userId, input) {
-  if (!input.allowWeakPassphrase) {
-    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
-  }
-  switch (input.recoveryProof.profile) {
-    case "paper":
-      return recoverViaPaperCode(store, vault, userId, input);
-    case "shamir":
-      throw new RecoveryProfileNotImplementedError(
-        "shamir",
-        "https://github.com/vLannaAi/noy-db/issues/10"
-      );
-    case "multi-channel":
-      throw new RecoveryProfileNotImplementedError(
-        "multi-channel",
-        "https://github.com/vLannaAi/noy-db/issues/10"
-      );
-    case "admin-mediated":
-      throw new RecoveryProfileNotImplementedError(
-        "admin-mediated",
-        "https://github.com/vLannaAi/noy-db/issues/10"
-      );
-    default: {
-      const _exhaustive = input.recoveryProof;
-      throw new Error(`Unknown recovery profile: ${String(_exhaustive)}`);
-    }
-  }
-}
-async function recoverViaPaperCode(store, vault, userId, input) {
-  if (input.recoveryProof.profile !== "paper") throw new Error("unreachable");
-  const { code } = input.recoveryProof.payload;
-  const env = await store.get(vault, "_keyring", userId);
-  if (!env) {
-    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
-  }
-  const file = JSON.parse(env._data);
-  const entries = await loadPaperRecoveryEntries(store, vault);
-  if (entries.length === 0) {
-    throw new NoAccessError(
-      `No paper-recovery entries enrolled for vault "${vault}". Enroll via \`db.enrollRecovery({ profile: "paper", entries })\` before relying on recovery.`
-    );
-  }
-  const normalized = normalizePaperCode(code);
-  let recovered;
-  for (const entry of entries) {
-    try {
-      const deks2 = await unwrapDeksFromPaperEntry(entry, normalized);
-      recovered = { deks: deks2, entry };
-      break;
-    } catch {
-    }
-  }
-  if (!recovered) {
-    throw new InvalidKeyError(
-      "Recovery code does not match any enrolled paper entry. The code may have been previously used (single-use) or typed incorrectly."
-    );
-  }
-  const deks = recovered.deks;
-  const newSalt = generateSalt();
-  const newKek = await deriveKey(input.newPassphrase, newSalt);
-  const wrappedDeks = {};
-  for (const [coll, dek] of deks) {
-    wrappedDeks[coll] = await wrapKey(dek, newKek);
-  }
-  const next = {
-    ...file,
-    _noydb_keyring: NOYDB_KEYRING_VERSION,
-    deks: wrappedDeks,
-    salt: bufferToBase64(newSalt),
-    authenticators: []
-    // tier-2 slots wrap old KEK, drop them
-  };
-  await writeKeyringFile(store, vault, userId, next);
-  await burnPaperRecoveryEntry(store, vault, recovered.entry.codeId);
-  return {
-    userId: file.user_id,
-    displayName: file.display_name,
-    role: file.role,
-    permissions: file.permissions,
-    deks,
-    kek: newKek,
-    salt: newSalt,
-    authenticators: [],
-    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
-    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
-  };
-}
-function normalizePaperCode(input) {
-  return input.toUpperCase().replace(/[\s\-_]/g, "");
-}
-async function writeKeyringFile(store, vault, userId, file) {
-  const envelope = {
-    _noydb: 1,
-    _v: 1,
-    _ts: (/* @__PURE__ */ new Date()).toISOString(),
-    _iv: "",
-    _data: JSON.stringify(file)
-  };
-  await store.put(vault, "_keyring", userId, envelope);
-}
-
 // src/meta/user-envelope/api.ts
 var UserApi = class {
   constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2) {
@@ -895,6 +685,17 @@ var UserApi = class {
    * the envelope on first call. Optimistic-concurrency safe — a stale
    * `_v` (parallel writer on another device) throws `ConflictError`.
    *
+   * Patch semantics (#57):
+   *   - `undefined` (or omitted key) — skip; existing value preserved
+   *   - `null` — delete the field from the merged result
+   *   - any other value — overwrite (deep-merge for plain objects,
+   *     replace for primitives / arrays)
+   *
+   * To clear a field, pass `null` rather than `undefined`. Callers
+   * with shape `T = string | null` where `null` is a meaningful value
+   * should use `setMe` for that specific field instead — `null` here
+   * always means delete.
+   *
    * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
    * Pass `presented` to satisfy tightened policies that require a
    * factor proof (e.g. STRICT_POLICY's TOTP requirement).
@@ -940,6 +741,41 @@ var UserApi = class {
     this.fireChange(this.writerKeyringId, written);
     return written;
   }
+  // ─── Visibility (#122) ───────────────────────────────────────────────
+  /**
+   * Read the current user's visibility flag from
+   * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
+   * document has been persisted (the default-visible case).
+   */
+  async getMyVisibility() {
+    const persisted = await readUserVisibility(this.adapter, this.vaultName, this.writerKeyringId);
+    return persisted ?? { hidden: false };
+  }
+  /**
+   * Update the current user's visibility in the team directory.
+   *
+   * - `hidden: true` — opt out of the default `listUsersWithEnvelopes`
+   *   listing. `owner`/`admin` callers can still see the user by passing
+   *   `{ includeHidden: true }`.
+   * - `hidden: false` — opt back in.
+   *
+   * Own-only by construction: the keyringId argument doesn't exist on
+   * this method, so no caller can hide or unhide another principal.
+   *
+   * Honest caveat: this is a UX flag, not a privacy guarantee. The
+   * envelope ciphertext at `_users/<keyringId>` and the keyring file at
+   * `_keyring/<userId>` are both still observable to anyone with direct
+   * store read access. See `docs/subsystems/user-envelope.md` →
+   * "Directory visibility".
+   */
+  async setMyVisibility(visibility) {
+    await persistUserVisibility(
+      this.adapter,
+      this.vaultName,
+      this.writerKeyringId,
+      { hidden: visibility.hidden }
+    );
+  }
   // ─── Read-anyone ─────────────────────────────────────────────────────
   /**
    * Read another principal's envelope by their keyringId. Returns null
@@ -1066,9 +902,17 @@ function deepMerge(source, patch) {
   }
   const out = { ...source };
   for (const [key, patchVal] of Object.entries(patch)) {
+    if (patchVal === void 0) {
+      continue;
+    }
+    if (patchVal === null) {
+      delete out[key];
+      continue;
+    }
     const sourceVal = source[key];
-    if (isPlainObject(sourceVal) && isPlainObject(patchVal)) {
-      out[key] = deepMerge(sourceVal, patchVal);
+    if (isPlainObject(patchVal)) {
+      const recurseSource = isPlainObject(sourceVal) ? sourceVal : {};
+      out[key] = deepMerge(recurseSource, patchVal);
     } else {
       out[key] = patchVal;
     }
@@ -1124,7 +968,7 @@ async function describeAuthConfig(store, vault) {
   lines.push(`  Phrase format: ${policy.passphrase?.minWords ?? 6}+ words, lowercase letters, \u2265${policy.passphrase?.minWordLength ?? 3} chars/word`);
   lines.push("  Strength validator: enforced (override available for tests only)");
   lines.push("");
-  lines.push("Tier 2 \u2014 Authenticate (daily login)");
+  lines.push("Tier 2 \u2014 Authenticate (routine login)");
   lines.push("  Allowed methods: WebAuthn (passkey), OIDC, Password");
   lines.push("  Slots per user: unlimited");
   lines.push("");
@@ -1236,68 +1080,131 @@ function sanitizeId(s) {
   return s.replace(/[^a-zA-Z0-9]/g, "_");
 }
 
-// src/team/peer-recover.ts
-var ADMIN_RECOVERABLE_TARGETS = ["operator", "viewer", "client", "admin"];
-function canRecover(callerRole, targetRole) {
-  if (callerRole === "owner") return true;
-  if (callerRole === "admin") return ADMIN_RECOVERABLE_TARGETS.includes(targetRole);
-  return false;
-}
-async function recoverUser(store, vault, callerKeyring, options) {
-  const env = await store.get(vault, "_keyring", options.userId);
-  if (!env) {
-    throw new NoAccessError(
-      `recoverUser: user "${options.userId}" has no keyring in vault "${vault}".`
-    );
-  }
-  const target = JSON.parse(env._data);
-  const targetRole = options.role ?? target.role;
-  if (!canRecover(callerKeyring.role, targetRole)) {
-    throw new PermissionDeniedError(
-      `Role "${callerKeyring.role}" cannot recover role "${targetRole}"`
-    );
+// src/team/managed-passphrase.ts
+var MemorySealingKeyProvider = class {
+  id;
+  fingerprint;
+  keyBytes;
+  constructor(opts) {
+    this.id = opts.id;
+    const encoded = new TextEncoder().encode(opts.id);
+    let h = 0;
+    for (let i = 0; i < encoded.length; i++) {
+      h = h * 31 + encoded[i] >>> 0;
+    }
+    this.fingerprint = new Uint8Array([
+      h >>> 24 & 255,
+      h >>> 16 & 255,
+      h >>> 8 & 255,
+      h & 255
+    ]);
+    this.keyBytes = new Uint8Array(16);
+    for (let i = 0; i < 16; i++) {
+      this.keyBytes[i] = this.fingerprint[i % 4] ^ i * 17;
+    }
   }
-  if (!canRecover(callerKeyring.role, target.role)) {
-    throw new PermissionDeniedError(
-      `Role "${callerKeyring.role}" cannot recover role "${target.role}"`
-    );
+  async seal(passphrase) {
+    const out = new Uint8Array(4 + passphrase.length);
+    out.set(this.fingerprint, 0);
+    for (let i = 0; i < passphrase.length; i++) {
+      out[4 + i] = passphrase[i] ^ this.keyBytes[i % 16];
+    }
+    return out;
   }
-  for (const coll of Object.keys(target.deks)) {
-    if (!callerKeyring.deks.has(coll)) {
-      throw new PrivilegeEscalationError(coll);
+  async unseal(sealed) {
+    if (sealed.length < 4) {
+      throw new Error("MemorySealingKeyProvider: sealed input too short");
+    }
+    for (let i = 0; i < 4; i++) {
+      if (sealed[i] !== this.fingerprint[i]) {
+        throw new Error(
+          `MemorySealingKeyProvider("${this.id}"): provider-id mismatch on unseal (sealed bytes were produced by a different provider)`
+        );
+      }
     }
+    const body = sealed.subarray(4);
+    const out = new Uint8Array(body.length);
+    for (let i = 0; i < body.length; i++) {
+      out[i] = body[i] ^ this.keyBytes[i % 16];
+    }
+    return out;
   }
-  if (options.validatePassphrase && !options.allowWeakPassphrase) {
-    assertStrongPassphrase(options.passphrase, options.passphrasePolicy);
+};
+var SEALED_PASSPHRASE_RECORD_ID = "sealed-passphrase";
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64ToBytes(b64) {
+  const binary = atob(b64);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
+  return out;
+}
+function parseSealedEnvelope(raw) {
+  if (typeof raw !== "object" || raw === null) return void 0;
+  const r = raw;
+  if (r._noydb_sealed !== 1) return void 0;
+  if (r.v === 1 && typeof r.pid === "string" && typeof r.payload === "string") {
+    return {
+      _noydb_sealed: 1,
+      providerId: r.pid,
+      sealed: base64ToBytes(r.payload)
+    };
   }
-  const newSalt = generateSalt();
-  const newKek = await deriveKey(options.passphrase, newSalt);
-  const wrappedDeks = {};
-  for (const coll of Object.keys(target.deks)) {
-    const callerDek = callerKeyring.deks.get(coll);
-    if (!callerDek) {
-      throw new PrivilegeEscalationError(coll);
-    }
-    wrappedDeks[coll] = await wrapKey(callerDek, newKek);
+  if (typeof r.providerId === "string" && typeof r.sealed === "string") {
+    return {
+      _noydb_sealed: 1,
+      providerId: r.providerId,
+      sealed: base64ToBytes(r.sealed)
+    };
   }
-  const next = {
-    ...target,
-    _noydb_keyring: NOYDB_KEYRING_VERSION,
-    role: targetRole,
-    display_name: options.displayName ?? target.display_name,
-    deks: wrappedDeks,
-    salt: bufferToBase64(newSalt),
-    granted_by: callerKeyring.userId,
-    authenticators: []
+  return void 0;
+}
+async function saveSealedPassphrase(store, vault, payload) {
+  const persisted = {
+    v: 1,
+    _noydb_sealed: 1,
+    pid: payload.providerId,
+    payload: bytesToBase64(payload.sealed)
   };
-  const envelope = {
-    _noydb: 1,
-    _v: 1,
+  const prior = await store.get(vault, "_meta", SEALED_PASSPHRASE_RECORD_ID);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
     _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // AES-GCM bypassed — the sealing layer is the security boundary.
     _iv: "",
-    _data: JSON.stringify(next)
+    _data: JSON.stringify(persisted)
   };
-  await store.put(vault, "_keyring", options.userId, envelope);
+  await store.put(vault, "_meta", SEALED_PASSPHRASE_RECORD_ID, env);
+}
+async function loadSealedPassphrase(store, vault) {
+  const envelope = await store.get(vault, "_meta", SEALED_PASSPHRASE_RECORD_ID);
+  if (!envelope) return void 0;
+  try {
+    return parseSealedEnvelope(JSON.parse(envelope._data));
+  } catch {
+    return void 0;
+  }
+}
+async function resolveManagedSecret(store, vault, provider) {
+  const existing = await loadSealedPassphrase(store, vault);
+  if (existing) {
+    if (existing.providerId !== provider.id) {
+      throw new Error(
+        `Managed-mode vault "${vault}" was sealed under provider id "${existing.providerId}" but the current SealingKeyProvider is "${provider.id}". Pass the same provider that originally enrolled the vault, or treat this as a fresh enrollment and clear \`_meta/sealed-passphrase\` first.`
+      );
+    }
+    const plaintext = await provider.unseal(existing.sealed);
+    return bytesToBase64(plaintext);
+  }
+  const random = new Uint8Array(32);
+  globalThis.crypto.getRandomValues(random);
+  const sealed = await provider.seal(random);
+  await saveSealedPassphrase(store, vault, { providerId: provider.id, sealed });
+  return bytesToBase64(random);
 }
 
 // src/crdt/strategy.ts
@@ -1573,6 +1480,79 @@ var NO_BLOBS = {
   }
 };
 
+// src/derivations/stale.ts
+var _staleByRegistry = /* @__PURE__ */ new WeakMap();
+var keyFor = (source, sourceId) => `${source}/${sourceId}`;
+async function markStale(registry, strategy, sourceId) {
+  let map = _staleByRegistry.get(registry);
+  if (!map) {
+    map = /* @__PURE__ */ new Map();
+    _staleByRegistry.set(registry, map);
+  }
+  const k = keyFor(strategy.source, sourceId);
+  let set = map.get(k);
+  if (!set) {
+    set = /* @__PURE__ */ new Set();
+    map.set(k, set);
+  }
+  set.add(strategy);
+}
+async function resolveStaleOnRead(accessor, outputCollection, id) {
+  const registry = accessor.registry();
+  const producers = registry.strategiesProducingOutput(outputCollection);
+  if (producers.length === 0) return;
+  const map = _staleByRegistry.get(registry);
+  if (!map) return;
+  let DerivationExecutor = null;
+  for (const { spec, strategyHash } of producers) {
+    const k = keyFor(spec.source, id);
+    const pending = map.get(k);
+    if (!pending || !pending.has(spec)) continue;
+    const sourceColl = accessor.getCollection(spec.source);
+    const source = await sourceColl.get(id);
+    if (!source) {
+      pending.delete(spec);
+      continue;
+    }
+    const sourceWithId = { ...source, id };
+    if (DerivationExecutor === null) {
+      ({ DerivationExecutor } = await import("./executor-X4SQ3ZLC.js"));
+    }
+    const ctx = { vault: accessor.getReadOnlyFacade() };
+    const result = await DerivationExecutor.run(spec, sourceWithId, 0, strategyHash, ctx);
+    for (const key of Object.keys(spec.outputs)) {
+      const out = result.outputs[key];
+      if (!out) continue;
+      if (out.kind === "failed") {
+        const err = out.error;
+        if (spec.strict) {
+          throw err;
+        }
+        console.warn(
+          `[derivation] lazy output "${key}" for source "${spec.source}" id="${id}" failed:`,
+          err
+        );
+        continue;
+      }
+      if (out.kind === "array") {
+        console.warn(
+          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager" (#200 slice 1).`
+        );
+        continue;
+      }
+      const outSpec = spec.outputs[key];
+      if (!outSpec) continue;
+      const outputColl = accessor.getCollection(outSpec.collection);
+      if (out.skipped === true) {
+        await outputColl._internalDelete(id, accessor.getActiveTxContext());
+        continue;
+      }
+      await outputColl.put(id, out.value);
+    }
+    pending.delete(spec);
+  }
+}
+
 // src/collection.ts
 var fallbackWarned = /* @__PURE__ */ new Set();
 function warnOnceFallback(adapterName) {
@@ -1580,7 +1560,7 @@ function warnOnceFallback(adapterName) {
   fallbackWarned.add(adapterName);
   if (typeof process !== "undefined" && process.env["NODE_ENV"] === "test") return;
   console.warn(
-    `[noy-db] Adapter "${adapterName}" does not implement listPage(); Collection.scan()/listPage() are using a synthetic fallback (slower). Add a listPage method to opt into the streaming fast path.`
+    `[noy-db] Store "${adapterName}" does not implement listPage(); Collection.scan()/listPage() are using a synthetic fallback (slower). Add a listPage method to opt into the streaming fast path.`
   );
 }
 var Collection = class {
@@ -1790,6 +1770,34 @@ var Collection = class {
    * adapter on first use.
    */
   periodGuard;
+  /**
+   * Optional back-reference to the owning vault's guard registry + a
+   * read-only vault facade. When present, `Collection.put` and
+   * `Collection.delete` consult the registry for guards declared
+   * against this collection and run their `check` + `frozenFields`
+   * before the adapter write. Absent in unit tests that construct
+   * a Collection directly; production code always sets it via
+   * `Vault.collection()`.
+   *
+   * Typed structurally rather than as `Vault` to avoid a circular
+   * import (mirrors the `refEnforcer` / `joinResolver` pattern).
+   */
+  guardSource;
+  /**
+   * Vault-internal hook for derivation dispatch. When set,
+   * `Collection.put` consults the registry after the source-write
+   * commits and writes derived outputs through `getCollection(name).put`.
+   * Same structural-interface pattern as `guardSource` to avoid a
+   * circular Vault import.
+   */
+  derivationSource;
+  /**
+   * Vault-internal hook for materialized-view dispatch (#143/#150).
+   * Parallel to `derivationSource` — when set, `Collection.put` fires
+   * `MaterializedViewRegistry.onSourceWrite` after the source-write
+   * commits + after `dispatchDerivations` has run.
+   */
+  materializedViewSource;
   /**
    * Optional back-reference to the owning compartment's ref
    * enforcer. When present, `Collection.put` calls
@@ -1860,6 +1868,9 @@ var Collection = class {
     this.syncAdapter = opts.syncAdapter;
     this.onAccess = opts.onAccess;
     this.periodGuard = opts.periodGuard;
+    this.guardSource = opts.guardSource;
+    this.derivationSource = opts.derivationSource;
+    this.materializedViewSource = opts.materializedViewSource;
     this.tiers = opts.tiers && opts.tiers.length > 0 ? new Set(opts.tiers) : null;
     this.tierMode = opts.tierMode ?? "invisibility";
     this.onCrossTierAccess = opts.onCrossTierAccess;
@@ -1984,6 +1995,16 @@ var Collection = class {
    *          `null` if not found.
    */
   async get(id, locale) {
+    if (this.derivationSource !== void 0) {
+      const registry = this.derivationSource.registry();
+      if (registry.strategiesProducingOutput(this.name).length > 0) {
+        await resolveStaleOnRead(this.derivationSource, this.name, id);
+      }
+    }
+    if (this.materializedViewSource !== void 0) {
+      const { resolveStaleMVOnRead } = await import("./stale-HSC5YO2O.js");
+      await resolveStaleMVOnRead(this.materializedViewSource, this.name);
+    }
     let record;
     if (this.lazy && this.lru) {
       const cached = this.lru.get(id);
@@ -2047,11 +2068,53 @@ var Collection = class {
     if (opts?.pollIntervalMs !== void 0) presenceOpts.pollIntervalMs = opts.pollIntervalMs;
     return this.syncStrategy.buildPresence(presenceOpts);
   }
-  /** Create or update a record. */
-  async put(id, record) {
+  /**
+   * Create or update a record.
+   *
+   * @param id      Record identifier.
+   * @param record  The record body (validated by the collection's schema
+   *                if one was attached at `vault.collection(...)` time).
+   * @param options Optional metadata for audit + import workflows.
+   *                `reason` is stamped onto the resulting ledger entry
+   *                (see #1) so audit consumers can filter via
+   *                `entries.filter(e => e.reason?.startsWith('import:'))`.
+   */
+  async put(id, record, options) {
     if (!hasWritePermission(this.keyring, this.name)) {
       throw new ReadOnlyError();
     }
+    if (this.guardSource) {
+      const registry = this.guardSource.registry();
+      const guards = registry.guardsFor(this.name);
+      if (guards.length > 0) {
+        const existingEnv = await this.adapter.get(this.vault, this.name, id);
+        let existingRecord = null;
+        if (existingEnv) {
+          try {
+            existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+          } catch {
+            existingRecord = null;
+          }
+        }
+        const incomingRecord = record;
+        const ctx = {
+          existing: existingRecord,
+          vault: this.guardSource.readOnlyVault(),
+          userId: this.keyring.userId,
+          role: this.keyring.role
+        };
+        if (registry.isAmendmentActive()) {
+          const vBefore = existingEnv?._v ?? 0;
+          registry.collectChange(this.name, id, existingRecord, incomingRecord, vBefore, vBefore + 1);
+        } else {
+          await registry.runChecks(this.name, incomingRecord, ctx);
+          const { GuardExecutor } = await import("./executor-CEWX2FQI.js");
+          for (const g of guards) {
+            await GuardExecutor.checkFrozenFields(g, id, existingRecord, incomingRecord);
+          }
+        }
+      }
+    }
     if (this.periodGuard !== void 0) {
       const existingEnv = await this.adapter.get(this.vault, this.name, id);
       let priorRecord = null;
@@ -2160,6 +2223,7 @@ var Collection = class {
           payloadHash: await this.historyStrategy.envelopePayloadHash(envelope2)
         };
         if (existingResolved) appendInput.delta = this.historyStrategy.computePatch(resolvedRecord, existingResolved.record);
+        if (options?.reason !== void 0) appendInput.reason = options.reason;
         await this.ledger.append(appendInput);
       }
       if (this.lazy && this.lru) {
@@ -2177,6 +2241,8 @@ var Collection = class {
       await this.onDirty?.(this.name, id, "put", version2);
       this.emitter.emit("change", { vault: this.vault, collection: this.name, id, action: "put" });
       await this.onAccess?.("put", id);
+      await this.dispatchDerivations(id, record, version2);
+      await this.dispatchMaterializedViews(id, record);
       return;
     }
     let existing;
@@ -2223,6 +2289,7 @@ var Collection = class {
       if (existing) {
         appendInput.delta = this.historyStrategy.computePatch(record, existing.record);
       }
+      if (options?.reason !== void 0) appendInput.reason = options.reason;
       await this.ledger.append(appendInput);
     }
     if (this.lazy && this.lru) {
@@ -2240,13 +2307,256 @@ var Collection = class {
       action: "put"
     });
     await this.onAccess?.("put", id);
+    await this.dispatchDerivations(id, record, version);
+    await this.dispatchMaterializedViews(id, record);
+  }
+  /**
+   * Fire registered MV strategies whose dependency set includes this
+   * collection. Eager-mode MVs re-materialize inline via
+   * `MaterializedViewExecutor.refresh`; lazy / manual modes are
+   * no-ops in the foundation (subtask #150) — wired in #151.
+   *
+   * Skips entirely when the record being written is itself an
+   * MV-emitted row (carries `_materializedFrom`) — defensive guard
+   * against missed cycle detection.
+   *
+   * @internal
+   */
+  async dispatchMaterializedViews(id, record) {
+    void id;
+    if (this.materializedViewSource === void 0) return;
+    const incoming = record;
+    if (incoming && typeof incoming === "object" && "_materializedFrom" in incoming) return;
+    const registry = this.materializedViewSource.registry();
+    const mvs = registry.mvsForSource(this.name);
+    if (mvs.length === 0) return;
+    let executor = null;
+    let staleHelpers = null;
+    for (const reg of mvs) {
+      const mode = reg.spec.refresh;
+      if (mode === "eager") {
+        if (executor === null) {
+          ;
+          ({ MaterializedViewExecutor: executor } = await import("./executor-7E3VFGW7.js"));
+        }
+        await executor.refresh(reg, {
+          getCollection: (name) => this.materializedViewSource.getCollection(name),
+          getActiveTxContext: () => this.materializedViewSource.getActiveTxContext(),
+          getQueryContext: () => this.materializedViewSource.getQueryContext()
+        });
+      } else if (mode === "lazy") {
+        if (staleHelpers === null) {
+          staleHelpers = await import("./stale-HSC5YO2O.js");
+        }
+        staleHelpers.markMVStale(registry, reg.spec.name);
+      }
+    }
+  }
+  /**
+   * Fire registered derivation strategies for this source collection.
+   * Eager mode runs `derive` inline and writes each output via the
+   * sibling `Collection.put`; lazy mode marks dependent outputs stale
+   * (D11 stub today). Errors in non-strict mode are logged and
+   * skipped; strict mode propagates the first failing output's error.
+   *
+   * Skips entirely when the record being written is itself a derived
+   * output (carries `_derivedFrom`) — defensive guard against missed
+   * cycle detection.
+   */
+  async dispatchDerivations(id, record, version) {
+    if (this.derivationSource === void 0) return;
+    const incoming = record;
+    if (incoming && typeof incoming === "object" && "_derivedFrom" in incoming) return;
+    const registry = this.derivationSource.registry();
+    const strategies = registry.strategiesForSource(this.name);
+    if (strategies.length === 0) return;
+    let DerivationExecutor = null;
+    for (const { spec, strategyHash } of strategies) {
+      const mode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
+      if (mode === "eager") {
+        if (DerivationExecutor === null) {
+          ({ DerivationExecutor } = await import("./executor-X4SQ3ZLC.js"));
+        }
+        const sourceWithId = { ...incoming, id };
+        const ctx = { vault: this.derivationSource.getReadOnlyFacade() };
+        const result = await DerivationExecutor.run(spec, sourceWithId, version, strategyHash, ctx);
+        for (const key of Object.keys(spec.outputs)) {
+          const out = result.outputs[key];
+          if (!out) continue;
+          if (out.kind === "failed") {
+            const err = out.error;
+            if (spec.strict) throw err;
+            console.warn(`[derivation] output "${key}" for source "${spec.source}" id="${id}" failed:`, err);
+            continue;
+          }
+          const outSpec = spec.outputs[key];
+          if (!outSpec) continue;
+          const outputCollection = this.derivationSource.getCollection(outSpec.collection);
+          const txCtx = this.derivationSource.getActiveTxContext();
+          if (out.kind === "array") {
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-VJ52RIEY.js");
+            const prior = await loadFanoutSidecar(
+              this.adapter,
+              this.vault,
+              spec.source,
+              id,
+              key
+            );
+            const prevKeys = new Set(prior?.keys ?? []);
+            const newKeysList = out.entries.map((e) => e.key);
+            const newKeysSet = new Set(newKeysList);
+            for (const k of prevKeys) {
+              if (newKeysSet.has(k)) continue;
+              await outputCollection._internalDelete(k, txCtx);
+            }
+            for (const entry of out.entries) {
+              if (txCtx !== null) {
+                const priorEnvelope = await this.adapter.get(this.vault, outSpec.collection, entry.key);
+                txCtx._executed.push({
+                  op: {
+                    type: "put",
+                    vaultName: this.vault,
+                    collectionName: outSpec.collection,
+                    id: entry.key
+                  },
+                  priorEnvelope
+                });
+              }
+              await outputCollection.put(entry.key, entry.value);
+            }
+            await saveFanoutSidecar(this.adapter, this.vault, {
+              source: spec.source,
+              sourceId: id,
+              outputKey: key,
+              outputCollection: outSpec.collection,
+              keys: newKeysList
+            });
+            continue;
+          }
+          if (out.skipped === true) {
+            await outputCollection._internalDelete(id, txCtx);
+            continue;
+          }
+          if (txCtx !== null) {
+            const prior = await this.adapter.get(this.vault, outSpec.collection, id);
+            txCtx._executed.push({
+              op: {
+                type: "put",
+                vaultName: this.vault,
+                collectionName: outSpec.collection,
+                id
+              },
+              priorEnvelope: prior
+            });
+          }
+          await outputCollection.put(id, out.value);
+        }
+      } else {
+        await markStale(registry, spec, id);
+      }
+    }
   }
   /** Delete a record by ID. */
   async delete(id) {
+    await this._doDelete(id, false);
+  }
+  /**
+   * @internal — system-internal delete that bypasses user-facing
+   * delete hooks (`onDelete`, accounting-period guard, FK ref
+   * enforcer). Used by derivation tombstones (#144) and MV refresh
+   * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
+   * registered against the output collection. The ledger entry and
+   * history snapshot still fire so backup integrity and time-travel
+   * reconstruction stay consistent.
+   *
+   * Returns silently for delete-of-absent (idempotent contract — both
+   * paths honour this: the `txCtx === null` path also reads the prior
+   * envelope and short-circuits before the ledger/event side-effects).
+   *
+   * When a `txCtx` is supplied, the prior envelope is captured and
+   * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
+   * the #133 rollback hardening for puts. Callers outside a
+   * multi-record transaction pass `null` and skip the tracking.
+   *
+   * Amendment composition: if `_internalDelete` runs while a vault's
+   * `GuardRegistry` has an amendment window open, the `{before, after:
+   * null}` change pair is pushed onto the amendment change-set the
+   * same way a user-initiated delete would. The `onDelete` user-hook
+   * is still skipped (housekeeping must not trip user invariants in
+   * normal mode), but the amendment's invariant DOES see the change
+   * — so a `RCT-CANCEL-001`-style invariant pairing can reject a
+   * derivation-driven tombstone fired during an admin amendment.
+   *
+   * Constraint to surface to consumers: output collections of
+   * derivations with `optional: true` outputs should not be the
+   * targets of `strict` or `cascade` inbound foreign-key refs —
+   * `_internalDelete` bypasses the ref enforcer by design (the
+   * `onDelete` bypass primitive). Treat the housekeeping path as
+   * "system can tombstone its own emissions regardless of FK shape."
+   *
+   * Permission handling is unchanged: the caller must still hold
+   * write permission on the collection (derivations run under the
+   * user's keyring).
+   */
+  async _internalDelete(id, txCtx = null) {
+    const prior = await this.adapter.get(this.vault, this.name, id);
+    if (prior === null) return;
+    if (txCtx !== null) {
+      txCtx._executed.push({
+        op: {
+          type: "delete",
+          vaultName: this.vault,
+          collectionName: this.name,
+          id
+        },
+        priorEnvelope: prior
+      });
+    }
+    await this._doDelete(id, true);
+  }
+  async _doDelete(id, internal) {
     if (!hasWritePermission(this.keyring, this.name)) {
       throw new ReadOnlyError();
     }
-    if (this.periodGuard !== void 0) {
+    if (this.guardSource) {
+      const registry = this.guardSource.registry();
+      const guards = registry.guardsFor(this.name);
+      if (guards.length > 0) {
+        const existingEnv = await this.adapter.get(this.vault, this.name, id);
+        if (existingEnv) {
+          let existingRecord = null;
+          try {
+            existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+          } catch {
+            existingRecord = null;
+          }
+          if (registry.isAmendmentActive()) {
+            const vBefore = existingEnv._v;
+            registry.collectChange(
+              this.name,
+              id,
+              existingRecord,
+              null,
+              vBefore,
+              vBefore
+            );
+          } else if (!internal) {
+            const ctx = {
+              existing: existingRecord,
+              vault: this.guardSource.readOnlyVault(),
+              userId: this.keyring.userId,
+              role: this.keyring.role
+            };
+            await registry.runOnDelete(
+              this.name,
+              existingRecord ?? {},
+              ctx
+            );
+          }
+        }
+      }
+    }
+    if (!internal && this.periodGuard !== void 0) {
       const existingEnv = await this.adapter.get(this.vault, this.name, id);
       let priorRecord = null;
       if (existingEnv) {
@@ -2261,7 +2571,7 @@ var Collection = class {
         null
       );
     }
-    if (this.refEnforcer !== void 0) {
+    if (!internal && this.refEnforcer !== void 0) {
       await this.refEnforcer.enforceRefsOnDelete(this.name, id);
     }
     let existing;
@@ -2313,6 +2623,87 @@ var Collection = class {
       action: "delete"
     });
     await this.onAccess?.("delete", id);
+    if (!internal) {
+      await this.dispatchMaterializedViewsOnDelete(id);
+      await this.dispatchArrayDerivationsOnDelete(id);
+    }
+  }
+  /**
+   * Cascade deletes of array-shape derived rows when a source row is
+   * deleted (#200). Reads each registered strategy's fanout sidecar
+   * for this source id, deletes every listed derived row, then
+   * deletes the sidecar itself.
+   *
+   * Record-shape derivations are skipped — see _doDelete's comment
+   * for why the asymmetry is correct.
+   *
+   * @internal
+   */
+  async dispatchArrayDerivationsOnDelete(id) {
+    if (this.derivationSource === void 0) return;
+    const registry = this.derivationSource.registry();
+    const strategies = registry.strategiesForSource(this.name);
+    if (strategies.length === 0) return;
+    let helpers = null;
+    const txCtx = this.derivationSource.getActiveTxContext();
+    for (const { spec } of strategies) {
+      for (const [outputKey, outSpec] of Object.entries(spec.outputs)) {
+        if (outSpec.shape !== "array") continue;
+        if (helpers === null) {
+          helpers = await import("./fanout-sidecar-VJ52RIEY.js");
+        }
+        const sidecar = await helpers.loadFanoutSidecar(
+          this.adapter,
+          this.vault,
+          spec.source,
+          id,
+          outputKey
+        );
+        if (!sidecar) continue;
+        const outputCollection = this.derivationSource.getCollection(outSpec.collection);
+        for (const derivedId of sidecar.keys) {
+          await outputCollection._internalDelete(derivedId, txCtx);
+        }
+        await helpers.deleteFanoutSidecar(this.adapter, this.vault, spec.source, id, outputKey);
+      }
+    }
+  }
+  /**
+   * Mirror of {@link dispatchMaterializedViews} for the delete path
+   * (#181). No record content is available (it's gone), so the
+   * `_materializedFrom` skip used by the put-side dispatch doesn't
+   * apply here — instead, the recursion guard is the `internal` gate
+   * at the `_doDelete` call site above.
+   *
+   * @internal
+   */
+  async dispatchMaterializedViewsOnDelete(id) {
+    void id;
+    if (this.materializedViewSource === void 0) return;
+    const registry = this.materializedViewSource.registry();
+    const mvs = registry.mvsForSource(this.name);
+    if (mvs.length === 0) return;
+    let executor = null;
+    let staleHelpers = null;
+    for (const reg of mvs) {
+      const mode = reg.spec.refresh;
+      if (mode === "eager") {
+        if (executor === null) {
+          ;
+          ({ MaterializedViewExecutor: executor } = await import("./executor-7E3VFGW7.js"));
+        }
+        await executor.refresh(reg, {
+          getCollection: (name) => this.materializedViewSource.getCollection(name),
+          getActiveTxContext: () => this.materializedViewSource.getActiveTxContext(),
+          getQueryContext: () => this.materializedViewSource.getQueryContext()
+        });
+      } else if (mode === "lazy") {
+        if (staleHelpers === null) {
+          staleHelpers = await import("./stale-HSC5YO2O.js");
+        }
+        staleHelpers.markMVStale(registry, reg.spec.name);
+      }
+    }
   }
   /**
    * List all records in the collection.
@@ -2330,6 +2721,10 @@ var Collection = class {
         `Collection "${this.name}": list() is not available in lazy mode (prefetch: false). Use collection.scan({ pageSize }) to iterate over the full collection.`
       );
     }
+    if (this.materializedViewSource !== void 0) {
+      const { resolveStaleMVOnRead } = await import("./stale-HSC5YO2O.js");
+      await resolveStaleMVOnRead(this.materializedViewSource, this.name);
+    }
     await this.ensureHydrated();
     const records = [...this.cache.values()].map((e) => e.record);
     if (!locale) return records;
@@ -2404,22 +2799,42 @@ var Collection = class {
         }
       }
     }
-    const executed = [];
+    const txCtx = this.derivationSource?.createTxContext() ?? null;
+    if (txCtx !== null && this.derivationSource) {
+      this.derivationSource.setActiveTxContext(txCtx);
+    }
+    const localExecuted = [];
     try {
       for (const [id, record] of entries) {
+        const entry = {
+          op: { type: "put", vaultName: this.vault, collectionName: this.name, id },
+          priorEnvelope: priors.get(id) ?? null
+        };
+        if (txCtx !== null) txCtx._executed.push(entry);
+        else localExecuted.push(entry);
         await this.put(id, record);
-        executed.push({ id, prior: priors.get(id) ?? null });
       }
-      return { ok: true, success: executed.map((e) => e.id), failures: [] };
+      return { ok: true, success: entries.map(([id]) => id), failures: [] };
     } catch (err) {
-      for (const { id, prior } of executed.slice().reverse()) {
+      const executedForRevert = txCtx !== null ? txCtx._executed : localExecuted;
+      await revertExecuted(executedForRevert, this.adapter);
+      for (const { op } of [...executedForRevert].reverse()) {
+        if (op.vaultName !== this.vault) continue;
         try {
-          if (prior) await this.adapter.put(this.vault, this.name, id, prior);
-          else await this.adapter.delete(this.vault, this.name, id);
+          if (op.collectionName === this.name) {
+            await this._invalidateCacheEntry(op.id);
+          } else if (this.derivationSource) {
+            const sibling = this.derivationSource.getCollection(op.collectionName);
+            await sibling._invalidateCacheEntry(op.id);
+          }
         } catch {
         }
       }
       throw err;
+    } finally {
+      if (txCtx !== null && this.derivationSource) {
+        this.derivationSource.clearActiveTxContext(txCtx);
+      }
     }
   }
   /**
@@ -2785,6 +3200,11 @@ var Collection = class {
    *   .aggregate({ total: sum('amount'), n: count() })
    * ```
    *
+   * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+   * NOT trigger lazy materialized-view resolve-on-read. For lazy
+   * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
+   * before scanning. Same shape as the `query()` limitation.
+   *
    * Returns a `ScanBuilder<T>` instead of the raw async iterator
    * that previous versions used. The builder implements
    * `AsyncIterable<T>`, so every existing `for await … of` call
@@ -2828,6 +3248,38 @@ var Collection = class {
   }
   // ─── Internal ──────────────────────────────────────────────────
   /** Load all records from adapter into memory cache. */
+  /**
+   * @internal — refresh the in-memory cache entry for a single id by
+   * re-reading from the adapter. Used by the transaction executor's
+   * Phase-3 revert path: that path writes the prior envelope directly
+   * via the raw store (to avoid re-firing Collection-level side
+   * effects), which would otherwise leave this Collection's eager
+   * cache holding the rolled-back value. After revert, the executor
+   * calls this hook so subsequent `get` / `query` reads see the
+   * actual on-disk state.
+   *
+   * Lazy mode: drops the LRU entry; the next `get` repopulates from
+   * the adapter. Eager mode: re-reads the envelope and either sets
+   * the cache entry (record still present) or deletes it (record was
+   * gone before the tx and the revert deleted it again).
+   */
+  async _invalidateCacheEntry(id) {
+    if (this.lazy && this.lru) {
+      this.lru.remove(id);
+      return;
+    }
+    if (!this.hydrated) return;
+    const previous = this.cache.get(id);
+    const envelope = await this.adapter.get(this.vault, this.name, id);
+    if (!envelope) {
+      this.cache.delete(id);
+      if (previous) this.indexes?.remove(id, previous.record);
+      return;
+    }
+    const record = await this.decryptRecord(envelope);
+    this.cache.set(id, { record, version: envelope._v });
+    this.indexes?.upsert(id, record, previous ? previous.record : null);
+  }
   async ensureHydrated() {
     if (this.hydrated) return;
     const ids = await this.adapter.list(this.vault, this.name);
@@ -3799,97 +4251,246 @@ var NO_PERIODS = {
   }
 };
 
-// src/team/magic-link-grant.ts
-var MAGIC_LINK_GRANTS_COLLECTION = "_magic_link_grants";
-var MAGIC_LINK_CONTENT_INFO_PREFIX = "noydb-magic-link-content-v1:";
-var MAGIC_LINK_KEK_INFO_PREFIX = "noydb-magic-link-v1:";
-async function deriveMagicLinkContentKey(serverSecret, token, vault) {
-  const subtle2 = globalThis.crypto.subtle;
-  const ikmBytes = serverSecret instanceof Uint8Array ? serverSecret : new TextEncoder().encode(serverSecret);
-  const tokenBytes = new TextEncoder().encode(token);
-  const saltBuffer = await subtle2.digest("SHA-256", tokenBytes);
-  const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault);
-  const ikm = await subtle2.importKey("raw", ikmBytes, "HKDF", false, ["deriveKey"]);
-  return subtle2.deriveKey(
-    { name: "HKDF", hash: "SHA-256", salt: saltBuffer, info },
-    ikm,
-    { name: "AES-GCM", length: 256 },
-    false,
-    ["encrypt", "decrypt"]
-  );
+// src/introspection/fields.ts
+function jsonSchemaType(node) {
+  if (Array.isArray(node.type)) {
+    const non = node.type.filter((t) => t !== "null");
+    return non[0] ?? "opaque";
+  }
+  if (node.enum && Array.isArray(node.enum)) return "enum";
+  if (typeof node.type === "string") return node.type;
+  return "opaque";
 }
-async function writeMagicLinkGrant(store, vault, grantor, contentKey, grantKek, recordId, opts) {
-  const collectionName = opts.collection ?? null;
-  const sourceKey = collectionName ? dekKey(collectionName, opts.tier) : `__any#${opts.tier}`;
-  const sourceDek = grantor.deks.get(sourceKey);
-  if (!sourceDek) {
-    throw new DelegationTargetMissingError(
-      `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? "(any)"}`
-    );
+function constraintsFor(node) {
+  const out = {};
+  if (node.enum) out.values = node.enum;
+  if (node.minLength !== void 0) out.minLength = node.minLength;
+  if (node.maxLength !== void 0) out.maxLength = node.maxLength;
+  if (node.pattern !== void 0) out.pattern = node.pattern;
+  if (node.format !== void 0) out.format = node.format;
+  if (node.minimum !== void 0) out.minimum = node.minimum;
+  if (node.maximum !== void 0) out.maximum = node.maximum;
+  if (node.exclusiveMinimum !== void 0) out.gt = node.exclusiveMinimum;
+  if (node.exclusiveMaximum !== void 0) out.lt = node.exclusiveMaximum;
+  return Object.keys(out).length === 0 ? void 0 : out;
+}
+function jsonSchemaToFields(jsonSchema, source, refs) {
+  if (!jsonSchema || typeof jsonSchema !== "object") return {};
+  const root = jsonSchema;
+  if (!root.properties || typeof root.properties !== "object") return {};
+  const required = new Set(Array.isArray(root.required) ? root.required : []);
+  const out = {};
+  for (const [name, node] of Object.entries(root.properties)) {
+    const descriptor = {
+      type: jsonSchemaType(node),
+      source,
+      ...required.has(name) ? {} : { optional: true },
+      ...refs?.[name] ? { references: `${refs[name].target}.id` } : {}
+    };
+    const constraints = constraintsFor(node);
+    if (constraints) descriptor.constraints = constraints;
+    out[name] = descriptor;
   }
-  const wrappedDek = await wrapKey(sourceDek, grantKek);
-  const until = typeof opts.until === "string" ? opts.until : opts.until.toISOString();
-  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
-  const payload = {
-    id: recordId,
-    toUser: opts.toUser,
-    fromUser: grantor.userId,
-    tier: opts.tier,
-    collection: collectionName,
-    ...opts.record && { record: opts.record },
-    until,
-    wrappedDek,
-    createdAt,
-    ...opts.note && { note: opts.note }
-  };
-  const { iv, data } = await encrypt(JSON.stringify(payload), contentKey);
-  const envelope = {
-    _noydb: 1,
-    _v: 1,
-    _ts: createdAt,
-    _iv: iv,
-    _data: data,
-    _by: grantor.userId
+  return out;
+}
+
+// src/introspection/walk.ts
+var INTERNAL_PREFIX = "_";
+var KNOWN_INTERNAL_NAMES = ["_keyring", "_ledger", "_meta", "_schemas", "_deltas"];
+async function dumpVaultSchema(vault, opts) {
+  const state = vault._introspectState();
+  const sampleSize = opts.sampleSize ?? 50;
+  const withStats = opts.withStats === true;
+  const cacheNames = [...state.collectionCache.keys()];
+  const storageNames = (await safeListAllCollections(state.adapter, state.name)).filter((n) => !n.startsWith(INTERNAL_PREFIX));
+  const allNames = Array.from(/* @__PURE__ */ new Set([...cacheNames, ...storageNames])).sort();
+  const collections = {};
+  for (const name of allNames) {
+    collections[name] = await describeCollection(state, name, sampleSize, withStats);
+  }
+  const materializedViews = describeMVs(state.mvRegistry);
+  const overlayViews = describeOverlays(state.overlayRegistry);
+  const derivations = describeDerivations(state.derivationRegistry);
+  let internal;
+  if (withStats) {
+    internal = {};
+    for (const name of KNOWN_INTERNAL_NAMES) {
+      const stats = await statsForCollection(state.adapter, state.name, name);
+      if (stats.records > 0) {
+        internal[name] = { records: stats.records, bytes: stats.bytes };
+      }
+    }
+  }
+  const snap = {
+    _noydb_snapshot: 1,
+    vault: state.name,
+    emittedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    subsystems: state.subsystems,
+    collections,
+    materializedViews,
+    overlayViews,
+    derivations,
+    ...internal !== void 0 ? { internal } : {}
   };
-  await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope);
-  return { recordId, payload };
+  return snap;
 }
-async function readMagicLinkGrantRecord(store, vault, contentKey, recordId) {
-  const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId);
-  if (!env) return null;
+async function safeListAllCollections(adapter, vault) {
   try {
-    const json = await decrypt(env._iv, env._data, contentKey);
-    return JSON.parse(json);
+    const snap = await adapter.loadAll(vault);
+    return Object.keys(snap);
   } catch {
-    return null;
+    return [];
+  }
+}
+async function describeCollection(state, collectionName, sampleSize, withStats) {
+  let fields = {};
+  let validator;
+  const refsRaw = state.refRegistry.getOutbound(collectionName);
+  const refs = {};
+  for (const [name, desc] of Object.entries(refsRaw)) {
+    refs[name] = { target: desc.target, mode: desc.mode };
+  }
+  try {
+    const dek = await state.getDEK(collectionName);
+    const persisted = await loadPersistedSchema(state.adapter, state.name, collectionName, dek);
+    if (persisted) {
+      validator = { kind: persisted.kind, source: "persisted" };
+      if (persisted.jsonSchema) {
+        fields = jsonSchemaToFields(persisted.jsonSchema, "persisted", refsRaw);
+      }
+    }
+  } catch {
+  }
+  if (!validator) {
+    const coll = state.collectionCache.get(collectionName);
+    const schema = coll?.getSchema();
+    if (schema) {
+      try {
+        const derived = await derivePersistedSchema(schema);
+        validator = { kind: derived.kind, source: "live-validator" };
+        if (derived.jsonSchema) {
+          fields = jsonSchemaToFields(derived.jsonSchema, "live-validator", refsRaw);
+        }
+      } catch {
+      }
+    }
+  }
+  if (Object.keys(fields).length === 0 && sampleSize > 0) {
+  }
+  const descriptor = {
+    fields,
+    indexes: [],
+    refs,
+    ...validator ? { validator } : {}
+  };
+  if (withStats) {
+    const stats = await statsForCollection(state.adapter, state.name, collectionName);
+    descriptor.stats = stats;
+  }
+  return descriptor;
+}
+async function statsForCollection(adapter, vault, collection) {
+  const ids = await adapter.list(vault, collection);
+  if (ids.length === 0) {
+    return { records: 0, bytes: 0, bytesAvg: 0, bytesMin: 0, bytesMax: 0, oldest: "", newest: "" };
+  }
+  let total = 0;
+  let min2 = Number.POSITIVE_INFINITY;
+  let max2 = 0;
+  let oldest = "\uFFFF";
+  let newest = "";
+  for (const id of ids) {
+    const env = await adapter.get(vault, collection, id);
+    if (!env) continue;
+    const size = env._data.length;
+    total += size;
+    if (size < min2) min2 = size;
+    if (size > max2) max2 = size;
+    if (env._ts < oldest) oldest = env._ts;
+    if (env._ts > newest) newest = env._ts;
   }
+  return {
+    records: ids.length,
+    bytes: total,
+    bytesAvg: Math.round(total / ids.length),
+    bytesMin: min2 === Number.POSITIVE_INFINITY ? 0 : min2,
+    bytesMax: max2,
+    oldest: oldest === "\uFFFF" ? "" : oldest,
+    newest
+  };
 }
-async function listMagicLinkGrants(store, vault, contentKey, token) {
-  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
-  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
-  const out = [];
-  for (const id of matching) {
-    const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id);
-    if (payload) out.push(payload);
+function describeMVs(registry) {
+  if (!registry || typeof registry !== "object") return {};
+  const items = listFromRegistry(registry);
+  const out = {};
+  for (const item of items) {
+    const reg = item;
+    const spec = reg.spec;
+    if (!spec?.name) continue;
+    const sources = spec.unionSources ? spec.unionSources.map((u) => u.collection) : reg.dependencies ? [...reg.dependencies].sort() : [];
+    const groupBy = spec.groupBy ? Array.isArray(spec.groupBy) ? [...spec.groupBy] : [spec.groupBy] : void 0;
+    const aggregate = spec.aggregate ? Object.fromEntries(
+      Object.entries(spec.aggregate).map(([k, v]) => [k, summariseAggregateOp(v)])
+    ) : void 0;
+    out[spec.name] = {
+      sources,
+      ...groupBy ? { groupBy } : {},
+      ...aggregate ? { aggregate } : {},
+      refresh: spec.refresh ?? "eager"
+    };
   }
   return out;
 }
-async function unwrapMagicLinkGrant(payload, grantKek) {
-  return unwrapKey(payload.wrappedDek, grantKek);
+function describeOverlays(registry) {
+  if (!registry || typeof registry !== "object") return {};
+  const specs = listFromRegistry(registry);
+  const out = {};
+  for (const spec of specs) {
+    const s = spec;
+    if (!s.name || !s.base || !s.overlay) continue;
+    out[s.name] = { base: s.base, overlay: s.overlay };
+  }
+  return out;
 }
-async function revokeMagicLinkGrant(store, vault, token) {
-  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
-  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
-  for (const id of matching) {
-    await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id);
+function describeDerivations(registry) {
+  if (!registry || typeof registry !== "object") return {};
+  const specs = listFromRegistry(registry);
+  const out = {};
+  for (const spec of specs) {
+    const s = spec;
+    if (!s.name) continue;
+    out[s.name] = {
+      source: s.source ?? "",
+      outputs: s.outputs ?? []
+    };
   }
-  return matching.length;
+  return out;
 }
-function magicLinkGrantRecordId(token, index) {
-  return index === 0 ? token : `${token}:${index}`;
+function listFromRegistry(reg) {
+  for (const method of ["all", "list", "specs", "values"]) {
+    const fn = reg[method];
+    if (typeof fn === "function") {
+      try {
+        const out = fn.call(reg);
+        if (Array.isArray(out)) return out;
+        if (out && typeof out.values === "function") {
+          return [...out.values()];
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+  return [];
 }
-function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
-  return payload.until <= now.toISOString();
+function summariseAggregateOp(value) {
+  if (value && typeof value === "object") {
+    const op = value.op ?? value.kind;
+    const field = value.field;
+    if (op && field) return `${op}(${field})`;
+    if (op) return op;
+  }
+  return String(value);
 }
 
 // src/vault.ts
@@ -3934,6 +4535,40 @@ var Vault = class {
   historyStrategy;
   i18nStrategy;
   syncStrategy;
+  /**
+   * Per-vault guard registry. `null` until `_initGuards()` runs; stays
+   * `null` for vaults that never register any guard strategy. The
+   * runtime class is dynamic-imported on demand so consumers that
+   * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
+   * their bundle (#130).
+   */
+  guardRegistry = null;
+  /**
+   * Per-vault derivation registry. Same lazy-load contract as
+   * `guardRegistry` — `null` until `_initDerivations()` runs with at
+   * least one strategy handle. See #130 for the bundle motivation.
+   */
+  derivationRegistry = null;
+  /**
+   * Per-vault materialized-view registry (#143/#150). Same lazy-load
+   * contract as `derivationRegistry` — `null` until
+   * `_initMaterializedViews()` runs with at least one MV handle.
+   */
+  materializedViewRegistry = null;
+  /**
+   * Per-vault overlay registry (#154). Same lazy-load contract as
+   * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
+   * runs with at least one handle.
+   */
+  overlayedViewRegistry = null;
+  /**
+   * Cached read-only facade handed to guard callbacks via `ctx.vault`,
+   * and to derivation callbacks via `derive(source, ctx)`. Allocated
+   * eagerly inside `_initGuards()` and/or `_initDerivations()` so read
+   * accessors stay synchronous (callers in `tx/transaction.ts` rely on
+   * that). Stays `null` for vaults with neither subsystem configured.
+   */
+  readOnlyFacade = null;
   getDEK;
   /**
    * Per-principal user envelope API.
@@ -3981,6 +4616,16 @@ var Vault = class {
    * docstring.
    */
   ledgerStore = null;
+  /**
+   * Background writes for persisted-schema envelopes (#schema-dump v0
+   * slice 1). One promise per `collection({ persistJsonSchema: true })`
+   * registration that actually fired a derive call. Fire-and-forget
+   * from the collection factory; tests await
+   * {@link _drainPendingSchemaWrites} before asserting on storage.
+   * Production code does not need to drain — the writes are
+   * idempotent fingerprints, not correctness invariants.
+   */
+  _pendingSchemaWrites = [];
   /**
    * Per-vault foreign-key reference registry. Collections
    * register their `refs` option here on construction; the
@@ -4075,6 +4720,7 @@ var Vault = class {
     this.historyStrategy = opts.historyStrategy ?? NO_HISTORY;
     this.i18nStrategy = opts.i18nStrategy ?? NO_I18N;
     this.syncStrategy = opts.syncStrategy ?? NO_SYNC;
+    void opts.guardStrategies;
     this.historyConfig = opts.historyConfig ?? { enabled: true };
     this.reloadKeyring = opts.reloadKeyring;
     this.locale = opts.locale;
@@ -4134,6 +4780,16 @@ var Vault = class {
    * Collection constructor for the rationale.
    */
   collection(collectionName, options) {
+    const overlayRegistry = this.overlayedViewRegistry;
+    if (overlayRegistry !== null && overlayRegistry.isOverlay(collectionName)) {
+      const spec = overlayRegistry.byName(collectionName);
+      if (spec) {
+        const base = this.collection(spec.base);
+        const overlay = this.collection(spec.overlay);
+        const baseRowKey = overlayRegistry.resolveBaseRowKey(collectionName, this.materializedViewRegistry);
+        return new OverlayedCollection(spec, base, overlay, baseRowKey);
+      }
+    }
     if (isDictCollectionName(collectionName)) {
       throw new ReservedCollectionNameError(collectionName);
     }
@@ -4181,7 +4837,38 @@ var Vault = class {
         defaultLocale: this.locale,
         onRegisterConflictResolver: this.onRegisterConflictResolver,
         onAccess: (op, id) => this._logConsent(op, collectionName, id),
-        periodGuard: (existing, incoming) => this._assertTsWritable(existing, incoming)
+        periodGuard: (existing, incoming) => this._assertTsWritable(existing, incoming),
+        // Guard / derivation sources are only wired when the
+        // corresponding registry has been initialised. Vaults without
+        // guards/derivations skip this entirely so `Collection.put`'s
+        // `if (this.guardSource)` / `if (this.derivationSource)`
+        // branches no-op without ever touching the subsystem code.
+        ...this.guardRegistry !== null ? {
+          guardSource: {
+            registry: () => this.guardRegistry,
+            readOnlyVault: () => this._ensureReadOnlyFacade()
+          }
+        } : {},
+        ...this.derivationRegistry !== null ? {
+          derivationSource: {
+            registry: () => this.derivationRegistry,
+            getCollection: (name) => this.collection(name),
+            getReadOnlyFacade: () => this._ensureReadOnlyFacade(),
+            getActiveTxContext: () => this.noydb._activeTxContextOrNull,
+            createTxContext: () => this.noydb._createTxContext(),
+            setActiveTxContext: (ctx) => this.noydb._setActiveTxContext(ctx),
+            clearActiveTxContext: (ctx) => this.noydb._clearActiveTxContext(ctx)
+          }
+        } : {},
+        ...this.materializedViewRegistry !== null ? {
+          materializedViewSource: {
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            registry: () => this.materializedViewRegistry,
+            getCollection: (name) => this.collection(name),
+            getActiveTxContext: () => this.noydb._activeTxContextOrNull,
+            getQueryContext: () => this
+          }
+        } : {}
       };
       if (options?.indexes !== void 0) collOpts.indexes = options.indexes;
       if (options?.reconcileOnOpen !== void 0) collOpts.reconcileOnOpen = options.reconcileOnOpen;
@@ -4218,9 +4905,39 @@ var Vault = class {
       }
       coll = new Collection(collOpts);
       this.collectionCache.set(collectionName, coll);
+      if (options?.persistJsonSchema === true && options.schema !== void 0) {
+        const validator = options.schema;
+        const work = (async () => {
+          try {
+            const dek = await this.getDEK(collectionName);
+            await persistSchemaIfNeeded({
+              store: this.adapter,
+              vault: this.name,
+              collectionName,
+              validator,
+              dek
+            });
+          } catch (err) {
+            console.warn(
+              `[noy-db] persisted-schema write failed for "${collectionName}": ` + (err instanceof Error ? err.message : String(err))
+            );
+          }
+        })();
+        this._pendingSchemaWrites.push(work);
+      }
     }
     return coll;
   }
+  /**
+   * Await all background persisted-schema writes triggered by
+   * `collection({ persistJsonSchema: true })` calls on this vault.
+   * Used in tests; production code does not need to call this.
+   */
+  async _drainPendingSchemaWrites() {
+    const pending = this._pendingSchemaWrites;
+    this._pendingSchemaWrites = [];
+    await Promise.allSettled(pending);
+  }
   /**
    * Validate i18nText fields on a `put()`. Called by Collection just
    * before the adapter write, after schema validation. Throws
@@ -4804,6 +5521,270 @@ var Vault = class {
     }
     return this.ledgerStore;
   }
+  /**
+   * @internal — called by `Noydb.openVault` after construction.
+   * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
+   * the registry with the supplied strategy handles. No-op when the
+   * handles array is empty — keeps the guard subsystem out of the
+   * floor bundle for consumers that don't use guards (#130).
+   *
+   * The read-only facade is eagerly instantiated here so the sync
+   * accessor `_getReadOnlyFacade()` (called from the tx amendment
+   * runner) stays synchronous.
+   */
+  async _initGuards(handles) {
+    if (handles.length === 0) return;
+    const [{ GuardRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
+      import("./registry-RFGGMVNJ.js"),
+      import("./read-only-facade-ITU6L7BL.js")
+    ]);
+    const registry = new GuardRegistry();
+    for (const h of handles) registry.register(h.spec);
+    this.guardRegistry = registry;
+    this.readOnlyFacade = new ReadOnlyVaultFacade(this);
+  }
+  /**
+   * @internal — Collection.put calls into this. Returns `null` for
+   * vaults that never registered any guard strategy. Callers MUST
+   * gate on null (the existing `if (this.guardSource)` branches in
+   * `Collection` already do this transitively).
+   */
+  _getGuardRegistry() {
+    return this.guardRegistry;
+  }
+  /**
+   * @internal — called by `Noydb.openVault` after construction.
+   * Dynamic-imports `DerivationRegistry` and registers the supplied
+   * derivation strategies (async because `strategyHash` computation
+   * goes through `crypto.subtle.digest`). No-op when the handles
+   * array is empty — keeps the derivation subsystem out of the floor
+   * bundle for consumers that don't use derivations (#130). Throws
+   * `DerivationCycleError` if a cycle is detected after registration.
+   */
+  async _initDerivations(handles) {
+    if (handles.length === 0) return;
+    const [{ DerivationRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
+      import("./registry-WLLMODKN.js"),
+      import("./read-only-facade-ITU6L7BL.js")
+    ]);
+    const registry = new DerivationRegistry();
+    for (const h of handles) {
+      await registry.register(h.spec);
+    }
+    registry.validate();
+    this.derivationRegistry = registry;
+    if (this.readOnlyFacade === null) {
+      this.readOnlyFacade = new ReadOnlyVaultFacade(this);
+    }
+  }
+  /**
+   * @internal — consumed by `Collection.put` at write-time. Returns
+   * `null` for vaults that never registered any derivation strategy.
+   */
+  _getDerivationRegistry() {
+    return this.derivationRegistry;
+  }
+  /**
+   * @internal — called by `Noydb.openVault` after collections are
+   * wired. Dynamic-imports `MaterializedViewRegistry`, registers each
+   * MV spec (which invokes its `query()` once for dependency
+   * analysis), then runs the unified cycle detection across the MV +
+   * derivation graphs. No-op when the handles array is empty — keeps
+   * the MV subsystem out of the floor bundle (mirrors v1 #130).
+   * Throws `MaterializedViewCycleError` if a cycle is detected.
+   */
+  async _initMaterializedViews(handles) {
+    if (handles.length === 0) return;
+    const { MaterializedViewRegistry } = await import("./registry-3L3N3PTG.js");
+    const registry = new MaterializedViewRegistry();
+    this.materializedViewRegistry = registry;
+    const db = this;
+    for (const h of handles) {
+      await registry.register(h.spec, db);
+    }
+    registry.validate(this.derivationRegistry);
+  }
+  /**
+   * @internal — consumed by `Collection.put` at write-time. Returns
+   * `null` for vaults that never registered any MV strategy.
+   */
+  _getMaterializedViewRegistry() {
+    return this.materializedViewRegistry;
+  }
+  /**
+   * @internal — called by `Noydb.openVault` after MVs are wired.
+   * Dynamic-imports `OverlayedViewRegistry`, registers each spec,
+   * validates against the MV registry for name/base/overlay collisions.
+   * Throws on validation failure.
+   */
+  async _initOverlayedViews(handles) {
+    if (handles.length === 0) return;
+    const { OverlayedViewRegistry } = await import("./registry-O47PUPSY.js");
+    const registry = new OverlayedViewRegistry();
+    const mvRegistry = this.materializedViewRegistry;
+    const overlayNames = /* @__PURE__ */ new Set();
+    for (const h of handles) overlayNames.add(h.spec.name);
+    const isMVOutput = (name) => {
+      if (!mvRegistry) return false;
+      for (const reg of mvRegistry.all()) {
+        if (reg.outputCollection === name) return true;
+      }
+      return false;
+    };
+    for (const h of handles) {
+      registry.register(h.spec, {
+        isOverlayName: (n) => overlayNames.has(n) && n !== h.spec.name,
+        isMVOutput
+      });
+    }
+    this.overlayedViewRegistry = registry;
+  }
+  /**
+   * @internal — consumed by `Vault.collection()`. Returns `null` for
+   * vaults with no overlays registered.
+   */
+  _getOverlayedViewRegistry() {
+    return this.overlayedViewRegistry;
+  }
+  /**
+   * Manual re-materialize for a single registered MV (#151). Useful
+   * for `refresh: 'manual'` MVs (whose consumer drives refreshes
+   * externally), for stale-bit recovery on vault re-open, and as the
+   * explicit bulk-recompute escape hatch after a strategy change.
+   *
+   * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
+   * foundation + this sub-issue — tombstoning lands in #152.
+   *
+   * Throws if `name` is not a registered MV.
+   */
+  async refreshView(name) {
+    const registry = this.materializedViewRegistry;
+    if (registry === null) {
+      return { written: 0, deleted: 0, failed: 0 };
+    }
+    const reg = registry.byName(name);
+    if (!reg) {
+      throw new Error(`refreshView: no MV registered with name "${name}"`);
+    }
+    const { MaterializedViewExecutor } = await import("./executor-7E3VFGW7.js");
+    const result = await MaterializedViewExecutor.refresh(reg, {
+      getCollection: (n) => this.collection(n),
+      getActiveTxContext: () => this.noydb._activeTxContextOrNull,
+      getQueryContext: () => this
+    });
+    const { clearMVStale } = await import("./stale-HSC5YO2O.js");
+    clearMVStale(registry, name);
+    return result;
+  }
+  /**
+   * Re-derive every record in the named source collection. Useful
+   * after a strategy change to bring previously-derived records
+   * up-to-date.
+   *
+   * Sequential in v1; parallelisation deferred to v2.
+   */
+  async deriveAll(sourceCollection) {
+    const registry = this._getDerivationRegistry();
+    if (registry === null) return { derived: 0, failed: 0 };
+    const strategies = registry.strategiesForSource(sourceCollection);
+    if (strategies.length === 0) return { derived: 0, failed: 0 };
+    const { DerivationExecutor } = await import("./executor-X4SQ3ZLC.js");
+    const sourceColl = this.collection(sourceCollection);
+    const records = await sourceColl.list();
+    const ctx = { vault: this.readOnlyFacade ?? new (await import("./read-only-facade-ITU6L7BL.js")).ReadOnlyVaultFacade(this) };
+    let derived = 0;
+    let failed = 0;
+    for (const record of records) {
+      if (typeof record !== "object" || record === null) continue;
+      const id = record.id;
+      if (typeof id !== "string") continue;
+      for (const { spec, strategyHash } of strategies) {
+        const sourceWithId = { ...record, id };
+        const result = await DerivationExecutor.run(spec, sourceWithId, 0, strategyHash, ctx);
+        let anyFailed = false;
+        for (const key of Object.keys(spec.outputs)) {
+          const out = result.outputs[key];
+          if (!out) continue;
+          if (out.kind === "failed") {
+            anyFailed = true;
+            continue;
+          }
+          const outSpec = spec.outputs[key];
+          if (!outSpec) continue;
+          const outputColl = this.collection(outSpec.collection);
+          if (out.kind === "array") {
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-VJ52RIEY.js");
+            const prior = await loadFanoutSidecar(this.adapter, this.name, spec.source, id, key);
+            const prevKeys = new Set(prior?.keys ?? []);
+            const newKeysList = out.entries.map((e) => e.key);
+            const newKeysSet = new Set(newKeysList);
+            for (const k of prevKeys) {
+              if (newKeysSet.has(k)) continue;
+              await outputColl._internalDelete(k);
+            }
+            for (const entry of out.entries) {
+              await outputColl.put(entry.key, entry.value);
+            }
+            await saveFanoutSidecar(this.adapter, this.name, {
+              source: spec.source,
+              sourceId: id,
+              outputKey: key,
+              outputCollection: outSpec.collection,
+              keys: newKeysList
+            });
+            continue;
+          }
+          if (out.skipped === true) {
+            await outputColl._internalDelete(id);
+            continue;
+          }
+          await outputColl.put(id, out.value);
+        }
+        if (anyFailed) failed++;
+        else derived++;
+      }
+    }
+    return { derived, failed };
+  }
+  /**
+   * @internal — exposed for `runTransaction({ amendment: true })` so
+   * the amendment invariant runner can pass the SAME read-only vault
+   * facade that the per-record `Collection.put` guard hook uses
+   * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
+   * `_initGuards()` so this accessor stays synchronous; returns
+   * `null` for vaults that never registered any guard (amendments
+   * require at least one guard, so the caller should never see null).
+   */
+  _getReadOnlyFacade() {
+    return this.readOnlyFacade;
+  }
+  /**
+   * Internal lazy-allocator for the read-only facade. Used by the
+   * per-collection `guardSource.readOnlyVault` callback when guards
+   * ARE configured but `_initGuards()` raced with the first guard
+   * invocation (theoretically impossible — `Noydb.openVault` awaits
+   * `_initGuards` before returning — but we keep the defensive lazy
+   * path so the closure's contract stays "always returns a facade").
+   */
+  _ensureReadOnlyFacade() {
+    if (this.readOnlyFacade !== null) return this.readOnlyFacade;
+    throw new Error(
+      "Vault: guard hook fired before _initGuards() completed. This typically means the vault was opened via the sync fallback path (Noydb.vault(name)) without first calling await db.openVault(name). See issue #132."
+    );
+  }
+  /**
+   * @internal — exposed for `runTransaction({ amendment: true })`
+   * to append the structured `op: 'amendment'` audit entry without
+   * dragging this private accessor onto the public surface or
+   * forcing the tx executor to depend on the history-strategy
+   * shape directly. Returns `null` when no history strategy is
+   * configured, in which case the amendment commits silently
+   * (the records still write through; only the multi-record
+   * audit summary is skipped).
+   */
+  _getLedgerOrNull() {
+    return this.getLedgerOrNull();
+  }
   /**
    * Return a read-only view of this vault as it existed at
    * `timestamp`. Time-machine queries are reconstructed from the
@@ -4956,7 +5937,7 @@ var Vault = class {
    * collection.
    */
   async delegate(opts) {
-    const { issueDelegation: issueDelegation2, DELEGATIONS_COLLECTION: DELEGATIONS_COLLECTION2 } = await import("./delegation-2DBS2EOH.js");
+    const { issueDelegation: issueDelegation2, DELEGATIONS_COLLECTION: DELEGATIONS_COLLECTION2 } = await import("./delegation-YBA4X4JN.js");
     if (!this.keyring.kek) {
       throw new ValidationError(
         "issueDelegation: keyring.kek is null \u2014 issuing a delegation requires a tier-1 unlock. Re-authenticate at tier 1 (passphrase) first."
@@ -4978,7 +5959,7 @@ var Vault = class {
    * if the id does not exist.
    */
   async revokeDelegation(id) {
-    const { revokeDelegation: revokeDelegation2, DELEGATIONS_COLLECTION: DELEGATIONS_COLLECTION2 } = await import("./delegation-2DBS2EOH.js");
+    const { revokeDelegation: revokeDelegation2, DELEGATIONS_COLLECTION: DELEGATIONS_COLLECTION2 } = await import("./delegation-YBA4X4JN.js");
     await revokeDelegation2(this.adapter, this.name, id);
     void DELEGATIONS_COLLECTION2;
   }
@@ -5303,6 +6284,54 @@ var Vault = class {
     const snapshot = await this.adapter.loadAll(this.name);
     return Object.keys(snapshot);
   }
+  /**
+   * Emit a structured introspection snapshot of this vault — vault name,
+   * subsystem opt-in matrix, collections + their fields, materialized
+   * views, overlay views, derivations. With `withStats: true`, walks
+   * every collection's envelopes to compute record counts, byte totals,
+   * and oldest/newest timestamps.
+   *
+   * Consumed by the `noydb describe` CLI to produce human-readable
+   * audit YAML/JSON from a `.noydb` bundle.
+   *
+   * Field provenance:
+   *   - `persisted`: read from `_schemas/<col>` envelope (Route B opt-in)
+   *   - `live-validator`: derived in-process from a Zod schema attached
+   *     to the live `Collection`
+   *   - `sampled`: inferred from decrypted records (deferred to a follow-up)
+   *   - `unknown`: no schema info available
+   *
+   * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+   */
+  async dumpSchema(opts = {}) {
+    return dumpVaultSchema(this, opts);
+  }
+  /**
+   * Internal accessor for {@link dumpVaultSchema}. Exposes the structural
+   * state the walker needs (collection cache, registries, ref registry,
+   * adapter) without widening the public Vault surface.
+   *
+   * @internal
+   */
+  _introspectState() {
+    return {
+      name: this.name,
+      adapter: this.adapter,
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      collectionCache: this.collectionCache,
+      refRegistry: this.refRegistry,
+      getDEK: this.getDEK,
+      subsystems: {
+        guards: this.guardRegistry !== null,
+        derivations: this.derivationRegistry !== null,
+        materializedViews: this.materializedViewRegistry !== null,
+        overlayViews: this.overlayedViewRegistry !== null
+      },
+      mvRegistry: this.materializedViewRegistry,
+      overlayRegistry: this.overlayedViewRegistry,
+      derivationRegistry: this.derivationRegistry
+    };
+  }
   /**
    * Return the stable opaque bundle handle for this vault,
    * generating and persisting a fresh ULID on first call.
@@ -5378,7 +6407,7 @@ var Vault = class {
    * @see docs/subsystems/public-envelope.md
    */
   async getPublicEnvelope(opts = {}) {
-    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-3QTQADDW.js");
+    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-PY6NKFLI.js");
     return readPublicEnvelope2(this.adapter, this.name, opts);
   }
   /**
@@ -5403,7 +6432,7 @@ var Vault = class {
       }
     }
     const internalSnapshot = {};
-    for (const internalName of [LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION]) {
+    for (const internalName of [LEDGER_COLLECTION, LEDGER_DELTAS_COLLECTION, SCHEMAS_COLLECTION]) {
       const ids = await this.adapter.list(this.name, internalName);
       if (ids.length === 0) continue;
       const records = {};
@@ -5552,6 +6581,7 @@ var Vault = class {
     for (let i = allEntries.length - 1; i >= 0; i--) {
       const entry = allEntries[i];
       if (!entry) continue;
+      if (entry.op === "amendment") continue;
       const key = `${entry.collection}/${entry.id}`;
       if (seen.has(key)) continue;
       seen.add(key);
@@ -5573,7 +6603,7 @@ var Vault = class {
           message: `Ledger expects data record "${collection}/${id}" to exist, but the adapter has no envelope for it.`
         };
       }
-      const actualHash = await sha256Hex(envelope._data);
+      const actualHash = await sha256Hex2(envelope._data);
       if (actualHash !== expectedHash) {
         return {
           ok: false,
@@ -5974,8 +7004,18 @@ var PERSONAL_POLICY = Object.freeze({
       minTier: 1,
       enabled: true
     },
+    // rotate-recovery (#121): deliberate paper-sheet regeneration
+    // when the user remembers their passphrase. PERSONAL matches the
+    // pre-#121 low-level flow's bar — knowing the passphrase is enough.
+    "rotate-recovery": { minTier: 1 },
     "enroll-authenticator": { minTier: 1 },
     "remove-authenticator": { minTier: 1 },
+    // update-authenticator: meta-only mutation (slot rename, label
+    // changes). Symmetric with enroll/remove under PERSONAL — tier-1
+    // unlock alone. The structural anti-slot-swap guard inside the
+    // implementation enforces wrap-material/id/method immutability
+    // regardless of this gate's settings.
+    "update-authenticator": { minTier: 1 },
     "rotate-unlock": { minTier: 2 },
     "enroll-user": { minTier: 1 },
     "revoke-user": { minTier: 1 },
@@ -5985,6 +7025,12 @@ var PERSONAL_POLICY = Object.freeze({
     // virtue of being a co-owner). Tier-1 unlock is the floor; the
     // STRICT preset adds a recovery/email-OTP requirement.
     "peer-recover-user": { minTier: 1 },
+    // update-user: post-grant identity mutation (role/displayName/
+    // permissions). PERSONAL_POLICY treats this on par with enroll-user
+    // / revoke-user — tier-1 unlock alone. The role-elevation guard
+    // inside the implementation is the structural backstop that this
+    // gate's settings cannot weaken.
+    "update-user": { minTier: 1 },
     "export-bundle": { minTier: 1 },
     "export-plaintext": {
       minTier: 1,
@@ -6021,6 +7067,14 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       enabled: true
     },
+    // rotate-recovery (#121): STRICT requires an off-device factor —
+    // rotating recovery is an off-site-trust event; a stolen unlocked
+    // laptop must not be able to silently mint a new sheet for the
+    // attacker. Matches the `peer-recover-user` STRICT default.
+    "rotate-recovery": {
+      minTier: 1,
+      factors: [{ anyOf: ["totp", "email-otp", "webauthn-roaming"] }]
+    },
     "enroll-authenticator": {
       minTier: 1,
       factors: [{ anyOf: ["totp", "email-otp"] }]
@@ -6029,6 +7083,15 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       factors: [{ anyOf: ["totp", "email-otp"] }]
     },
+    // STRICT update-authenticator: same factor floor as enroll/remove.
+    // Even though meta changes don't touch wrap material, a malicious
+    // rename could mislead the user about which device a slot
+    // corresponds to ("MacBook Touch ID" → "iPhone Touch ID" on a
+    // shared workstation). STRICT requires a fresh factor proof.
+    "update-authenticator": {
+      minTier: 1,
+      factors: [{ anyOf: ["totp", "email-otp"] }]
+    },
     "rotate-unlock": { minTier: 1 },
     "enroll-user": {
       minTier: 1,
@@ -6051,6 +7114,18 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       factors: [{ anyOf: ["recovery", "totp", "email-otp", "webauthn-roaming"] }]
     },
+    // STRICT update-user: matches the enroll-user / revoke-user shape
+    // (off-device factor required). Update-user is admin-shaped — it
+    // mutates someone else's role/permissions; STRICT requires a fresh
+    // off-device factor proof so the operator affirmatively re-asserts
+    // identity at the moment of mutation. Platform-bound factors
+    // (Touch ID / password / PIN) intentionally excluded: same logic as
+    // peer-recover-user — the off-device requirement is the whole
+    // point under STRICT.
+    "update-user": {
+      minTier: 1,
+      factors: [{ anyOf: ["totp", "email-otp"] }]
+    },
     "export-bundle": {
       minTier: 1,
       factors: [{ anyOf: ["totp", "email-otp"] }],
@@ -6188,6 +7263,14 @@ var Noydb = class {
    * `_meta/policy` load; replaced by `db.updatePolicy()`.
    */
   policyCache = /* @__PURE__ */ new Map();
+  /**
+   * One-shot bypass for the managed-mode strong-recovery check (#195).
+   * Set true by {@link openVaultAndEnrollRecovery} for the duration of
+   * the bootstrap window so the keyring can be created before the
+   * strong recovery is enrolled. Always cleared (try/finally).
+   * @internal
+   */
+  _skipNextManagedRecoveryCheck = false;
   /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
   quickUnlock = new QuickUnlockStore();
   /**
@@ -6203,6 +7286,17 @@ var Noydb = class {
   txStrategy;
   sessionStrategy;
   syncStrategy;
+  /**
+   * Currently-running multi-record transaction, set by
+   * `runTransaction` at the start of Phase 2 (commit) and cleared in
+   * the same function's `finally` block. Side-effect writes triggered
+   * during a staged op's `Collection.put` (today: eager derivation
+   * outputs) register their pre-write envelope on `_executed` here so
+   * a mid-batch failure rolls them back alongside the main staged ops
+   * (#133). `null` outside of Phase 2.
+   * @internal
+   */
+  _activeTxContext = null;
   // ─── plaintextTranslator state ─────────────────────────
   /**
    * In-process translation cache. Key is `"${field}\x00${collection}\x00${from}\x00${to}\x00${text}"`.
@@ -6287,7 +7381,7 @@ var Noydb = class {
       }
       return comp;
     }
-    const keyring = await this.getKeyring(name);
+    const keyring = await this.getKeyringInternal(name);
     if (!this.activeTier.has(name)) {
       this.activeTier.set(name, 1);
     }
@@ -6354,6 +7448,7 @@ var Noydb = class {
       ...this.options.historyStrategy !== void 0 ? { historyStrategy: this.options.historyStrategy } : {},
       ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
       ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
+      ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
       locale: opts?.locale,
       // Thread the translator hook so Collection.put() can invoke it
       plaintextTranslator: this.options.plaintextTranslator ? (text, from, to, field, collection) => this.invokeTranslator(text, from, to, field, collection) : void 0,
@@ -6374,6 +7469,10 @@ var Noydb = class {
         return refreshed;
       } : void 0
     });
+    await comp._initGuards(this.options.guardStrategies ?? []);
+    await comp._initDerivations(this.options.derivationStrategies ?? []);
+    await comp._initMaterializedViews(this.options.materializedViewStrategies ?? []);
+    await comp._initOverlayedViews(this.options.overlayedViewStrategies ?? []);
     this.vaultCache.set(name, comp);
     return comp;
   }
@@ -6400,7 +7499,8 @@ var Noydb = class {
         ...this.options.shadowStrategy !== void 0 ? { shadowStrategy: this.options.shadowStrategy } : {},
         ...this.options.historyStrategy !== void 0 ? { historyStrategy: this.options.historyStrategy } : {},
         ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
-        ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {}
+        ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
+        ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {}
       });
       this.vaultCache.set(name, comp2);
       return comp2;
@@ -6428,23 +7528,93 @@ var Noydb = class {
       ...this.options.historyStrategy !== void 0 ? { historyStrategy: this.options.historyStrategy } : {},
       ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
       ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
+      ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
       emitter: this.emitter
     });
     this.vaultCache.set(name, comp);
     return comp;
   }
-  /** Grant access to a user for a vault. */
-  async grant(vault, options) {
+  /**
+   * Grant access to a user for a vault.
+   *
+   * Gated by `enroll-user`. `STRICT_POLICY` requires a TOTP / email-OTP
+   * factor proof so the operator affirmatively re-asserts identity at
+   * the moment of grant; `PERSONAL_POLICY` accepts a tier-1 unlock alone.
+   *
+   * The legacy `requireReAuthFor: ['grant']` session-policy check still
+   * fires on top — both are independent opt-ins.
+   */
+  async grant(vault, options, factors) {
     this.checkPolicyOperation(vault, "grant");
-    const keyring = await this.getKeyring(vault);
+    await this.checkGate(vault, "enroll-user", factors);
+    const keyring = await this.getKeyringInternal(vault);
     await grant(this.options.store, vault, keyring, options);
   }
-  /** Revoke a user's access to a vault. */
-  async revoke(vault, options) {
+  /**
+   * Revoke a user's access to a vault.
+   *
+   * Gated by `revoke-user`. `STRICT_POLICY` requires a TOTP / email-OTP
+   * factor proof; `PERSONAL_POLICY` accepts a tier-1 unlock alone.
+   *
+   * The legacy `requireReAuthFor: ['revoke']` session-policy check still
+   * fires on top — both are independent opt-ins.
+   */
+  async revoke(vault, options, factors) {
     this.checkPolicyOperation(vault, "revoke");
-    const keyring = await this.getKeyring(vault);
+    await this.checkGate(vault, "revoke-user", factors);
+    const keyring = await this.getKeyringInternal(vault);
     await revoke(this.options.store, vault, keyring, options);
   }
+  /**
+   * Mutate post-grant identity fields on an existing keyring — `role`,
+   * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
+   * no DEK rewrap, no KEK required, no authenticator slots touched.
+   * Tier-2 enrollments and recovery codes survive.
+   *
+   * Different from `db.revoke + db.grant`:
+   *
+   *   - Same `userId`, same DEK wrappings, same `granted_by`, same
+   *     `_users/<keyringId>` envelope. Only the specified header
+   *     fields move. Last-write-wins via the standard keyring put.
+   *   - No cascade on role demotion (admins demoted to operator keep
+   *     the keyrings they previously granted; the cascade rules are
+   *     a `db.revoke` concern, not `db.updateUser`).
+   *   - Tier-2 slots NOT dropped — the wrapping is unaffected.
+   *
+   * Role-elevation guard: BOTH the old and new role must satisfy
+   * `db.grant`'s hierarchy. Owner can do anything; admin manages
+   * admin/operator/viewer/client laterally; admin cannot promote to
+   * owner OR demote from owner. The guard runs regardless of the
+   * `update-user` policy gate's settings — gates can only be more
+   * permissive than the structural floor, never less.
+   *
+   * Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
+   * factor proof so the operator affirmatively re-asserts identity at
+   * the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
+   * alone.
+   *
+   * ```ts
+   * await db.updateUser('acme', {
+   *   userId: 'bob',
+   *   role: 'operator',                 // promote
+   *   permissions: { invoices: 'rw' },
+   * }, { factors: [{ kind: 'totp' }] })
+   * ```
+   *
+   * @throws `NoAccessError` when no keyring exists for the target.
+   * @throws `PermissionDeniedError` when the role hierarchy rejects.
+   * @throws `ValidationError` when no field is provided.
+   *
+   * @see #54
+   */
+  async updateUser(vault, options, factors) {
+    await this.checkGate(vault, "update-user", factors);
+    const keyring = await this.getKeyringInternal(vault);
+    await updateKeyringIdentity(this.options.store, vault, keyring, options);
+    if (options.userId === this.options.user) {
+      this.keyringCache.delete(vault);
+    }
+  }
   /**
    * Rotate the DEKs for the given collections in a vault.
    *
@@ -6465,7 +7635,7 @@ var Noydb = class {
    */
   async rotate(vault, collections) {
     this.checkPolicyOperation(vault, "rotate");
-    const keyring = await this.getKeyring(vault);
+    const keyring = await this.getKeyringInternal(vault);
     await rotateKeys(this.options.store, vault, keyring, collections);
     this.keyringCache.set(vault, keyring);
   }
@@ -6568,7 +7738,7 @@ var Noydb = class {
           this.options.secret
         );
       } catch (err) {
-        if (err instanceof NoAccessError || err instanceof InvalidKeyError) {
+        if (err instanceof NoAccessError || err instanceof InvalidKeyError || err instanceof KeyringCorruptError) {
           continue;
         }
         throw err;
@@ -6665,15 +7835,23 @@ var Noydb = class {
     }
     return results;
   }
-  /** Change the current user's passphrase for a vault. */
-  async changeSecret(vault, newPassphrase) {
+  /**
+   * Change the current user's passphrase for a vault.
+   *
+   * Validates the new passphrase against the strength rules. Pass
+   * `{ allowWeakPassphrase: true }` to skip — typically only useful for
+   * fixtures and migrations. Pass a `PassphrasePolicy` to override the
+   * default rules (e.g. consumer-tunable `pattern` / `customValidator`).
+   */
+  async changeSecret(vault, newPassphrase, options) {
     this.checkPolicyOperation(vault, "changeSecret");
-    const keyring = await this.getKeyring(vault);
+    const keyring = await this.getKeyringInternal(vault);
     const updated = await changeSecret(
       this.options.store,
       vault,
       keyring,
-      newPassphrase
+      newPassphrase,
+      options
     );
     this.keyringCache.set(vault, updated);
   }
@@ -6718,10 +7896,18 @@ var Noydb = class {
     }
     return result;
   }
-  transaction(arg) {
+  transaction(arg, maybeFn) {
     if (typeof arg === "function") {
       return this.txStrategy.runTransaction(this, arg);
     }
+    if (typeof arg === "object" && arg !== null && arg.amendment === true) {
+      if (typeof maybeFn !== "function") {
+        throw new ValidationError(
+          "db.transaction({ amendment: true }, fn) requires the callback as the second argument."
+        );
+      }
+      return this.txStrategy.runTransaction(this, maybeFn, arg);
+    }
     const vault = arg;
     const comp = this.vaultCache.get(vault);
     if (!comp) {
@@ -6742,6 +7928,59 @@ var Noydb = class {
   get _store() {
     return this.options.store;
   }
+  /**
+   * Currently-running multi-record transaction, or `null` outside
+   * Phase 2. `Collection.dispatchDerivations` consults this so a
+   * recursive derived-output write inside `Collection.put` can register
+   * its envelope onto `ctx._executed` and roll back with the main
+   * staged ops on mid-batch failure (#133).
+   *
+   * @internal
+   */
+  get _activeTxContextOrNull() {
+    return this._activeTxContext;
+  }
+  /**
+   * Called by `runTransaction` at Phase 2 start, and by
+   * `Collection.putManyAtomic` (via `derivationSource.setActiveTxContext`)
+   * for its own Phase 2 loop. Nested or concurrent (non-nested)
+   * transactions on the same Noydb instance are NOT supported —
+   * overwriting an active context means another transaction is still
+   * running and its `_executed` list would be cross-contaminated by
+   * the nested writes. We tolerate the overwrite (best-effort, no
+   * throw) to keep the rare interleaving from breaking consumers who
+   * currently get lucky with timing, but applications should ensure
+   * their multi-record commits are serialised on a single Noydb.
+   *
+   * @internal
+   */
+  _setActiveTxContext(ctx) {
+    this._activeTxContext = ctx;
+  }
+  /**
+   * Factory for a transient `TxContext` bound to this Noydb. Used by
+   * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
+   * to publish an active context for the duration of its bulk-atomic
+   * Phase 2 loop, so recursive derivation-output writes register on
+   * `ctx._executed` and roll back together with the source ops (#133).
+   *
+   * @internal
+   */
+  _createTxContext() {
+    return new TxContext(this);
+  }
+  /**
+   * Called by `runTransaction` in its `finally`. Only clears when the
+   * passed ctx matches the active one — a defensive no-op if some
+   * other code path already cleared it.
+   *
+   * @internal
+   */
+  _clearActiveTxContext(ctx) {
+    if (this._activeTxContext === ctx) {
+      this._activeTxContext = null;
+    }
+  }
   /** Get sync status for a vault. */
   syncStatus(vault) {
     const engine = this.syncEngines.get(vault);
@@ -6750,6 +7989,15 @@ var Noydb = class {
     }
     return engine.status();
   }
+  requireShamirProvider() {
+    const p = this.options.shamirRecovery;
+    if (!p) {
+      throw new Error(
+        "shamir recovery requires a ShamirRecoveryProvider \u2014 pass shamirRecovery: shamirRecoveryProvider() from '@noy-db/on-shamir' to createNoydb()"
+      );
+    }
+    return p;
+  }
   getSyncEngine(vault) {
     const engine = this.syncEngines.get(vault);
     if (!engine) {
@@ -6894,6 +8142,40 @@ var Noydb = class {
     this.policyCache.set(vault, merged);
     return merged;
   }
+  /**
+   * Read the current vault-level user-directory toggle (#122). Returns
+   * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
+   * document has been persisted yet.
+   *
+   * No role gate — anyone who can open the vault can read the toggle.
+   */
+  async getDirectoryEnabled(vault) {
+    if (this.closed) throw new ValidationError("Instance is closed");
+    const persisted = await readDirectoryConfig(this.options.store, vault);
+    return persisted?.enabled ?? true;
+  }
+  /**
+   * Toggle the vault's user-directory listing on or off (#122).
+   * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
+   * {@link import('./errors.js').DirectoryDisabledError} for callers
+   * whose role is neither `owner` nor `admin`.
+   *
+   * Honest caveat: this is a UX flag, not a privacy guarantee. The
+   * keyring file at `_keyring/<userId>` and the envelope ciphertext at
+   * `_users/<keyringId>` remain observable to anyone with direct store
+   * read access — only the hub-level enumeration is gated. See
+   * `docs/subsystems/user-envelope.md` → "Directory visibility".
+   */
+  async setDirectoryEnabled(vault, enabled) {
+    if (this.closed) throw new ValidationError("Instance is closed");
+    const keyring = await this.getKeyringInternal(vault);
+    if (keyring.role !== "owner") {
+      throw new PermissionDeniedError(
+        `setDirectoryEnabled requires owner role; caller has role "${keyring.role}"`
+      );
+    }
+    await persistDirectoryConfig(this.options.store, vault, { enabled });
+  }
   /**
    * Evaluate a policy gate against the active session tier and the
    * presented factor proofs. Throws {@link PolicyDeniedError} on
@@ -6904,40 +8186,61 @@ var Noydb = class {
    *                 or app-defined (`app:*`).
    * @param presented Caller-supplied factor proofs.
    */
-  async checkGate(vault, gate, presented) {
+  async checkGate(vault, gate, factors) {
     const policy = await this.getPolicy(vault);
     const tier = this.activeTier.get(vault) ?? 1;
     await checkGate(policy, gate, {
       activeTier: tier,
-      ...presented?.factors !== void 0 ? { factors: presented.factors } : {},
-      ...presented?.sharedDevice !== void 0 ? { sharedDevice: presented.sharedDevice } : {}
+      ...factors?.factors !== void 0 ? { factors: factors.factors } : {},
+      ...factors?.sharedDevice !== void 0 ? { sharedDevice: factors.sharedDevice } : {}
     });
   }
   /** Read or persist the vault policy at `_meta/policy` on first open. */
-  async bootstrapPolicy(vault) {
+  async bootstrapPolicy(vault, opts) {
     const onDisk = await loadVaultPolicy(this.options.store, vault);
     if (onDisk) {
       this.policyCache.set(vault, onDisk);
-      await this.assertRecoveryEnrolled(vault, onDisk);
+      await this.assertRecoveryEnrolled(vault, onDisk, opts);
       return;
     }
     const initial = this.options.policy ? mergePolicy(PERSONAL_POLICY, this.options.policy) : PERSONAL_POLICY;
     await saveVaultPolicy(this.options.store, vault, initial);
     this.policyCache.set(vault, initial);
-    await this.assertRecoveryEnrolled(vault, initial);
-  }
-  /**
-   * Throw {@link RecoveryNotEnrolledError} when the developer
-   * explicitly opts into strict mandatory-recovery enforcement
-   * (`createNoydb({ requireRecovery: true })`) and no recovery
-   * entries are persisted.
-   *
-   * The default behavior is lenient — `recover-passphrase` is enabled
-   * in `PERSONAL_POLICY` but the hub does not block vault open on
-   * missing enrollment. v1.0 will flip the default to strict; for now,
-   * apps that want the spec-mandated check turn it on per-vault.
-   */
-  async assertRecoveryEnrolled(vault, policy) {
+    await this.assertRecoveryEnrolled(vault, initial, opts);
+  }
+  /**
+   * Throw {@link RecoveryNotEnrolledError} or
+   * {@link ManagedRecoveryNotEnrolledError} when recovery enrollment
+   * is missing.
+   *
+   * Two enforcement modes:
+   *
+   * 1. **Managed-mode mandatory strong-recovery (#195).** When
+   *    `passphraseMode === 'managed'`, the vault MUST have at least
+   *    one **strong** recovery profile (Shamir today). Paper alone is
+   *    rejected because under managed mode the user has no memorized
+   *    passphrase, so losing the paper sheet = losing every record.
+   *    This check is unconditional — independent of `requireRecovery`
+   *    and the `recover-passphrase` gate.
+   *
+   * 2. **Opt-in strict mandatory-recovery.** When
+   *    `requireRecovery: true` is set on createNoydb (and the gate is
+   *    not explicitly disabled), require ANY recovery profile (paper
+   *    or shamir). This is the v0.x default-off behavior; v1.0 may
+   *    flip it default-on.
+   *
+   * The managed-mode check fires from {@link bootstrapPolicy} unless
+   * the `skipManagedCheck` flag is set (used by
+   * {@link openVaultAndEnrollRecovery} to allow atomic create-and-enroll).
+   */
+  async assertRecoveryEnrolled(vault, policy, opts) {
+    const skipManaged = (opts?.skipManagedCheck ?? false) || this._skipNextManagedRecoveryCheck;
+    if (this.options.passphraseMode === "managed" && !skipManaged) {
+      const enrolled2 = await hasStrongRecoveryEnrolled(this.options.store, vault);
+      if (!enrolled2) {
+        throw new ManagedRecoveryNotEnrolledError(vault);
+      }
+    }
     if (this.options.requireRecovery !== true) return;
     const gate = policy.gates["recover-passphrase"];
     if (gate?.enabled === false) return;
@@ -6966,9 +8269,9 @@ var Noydb = class {
    * Gated by `enroll-authenticator`; `presented` carries any factor
    * proofs the active policy demands.
    */
-  async enrollAuthenticator(vault, options, presented) {
-    await this.checkGate(vault, "enroll-authenticator", presented);
-    const keyring = await this.getKeyring(vault);
+  async enrollAuthenticator(vault, options, factors) {
+    await this.checkGate(vault, "enroll-authenticator", factors);
+    const keyring = await this.getKeyringInternal(vault);
     const next = await enrollAuthenticator(this.options.store, vault, keyring, options);
     this.keyringCache.set(vault, next);
   }
@@ -6977,17 +8280,51 @@ var Noydb = class {
    * non-existent slot is a successful no-op. Gated by
    * `remove-authenticator`.
    */
-  async removeAuthenticator(vault, slotId, presented) {
-    await this.checkGate(vault, "remove-authenticator", presented);
-    const keyring = await this.getKeyring(vault);
+  async removeAuthenticator(vault, slotId, factors) {
+    await this.checkGate(vault, "remove-authenticator", factors);
+    const keyring = await this.getKeyringInternal(vault);
     const next = await removeAuthenticator(this.options.store, vault, keyring, slotId);
     this.keyringCache.set(vault, next);
   }
   /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
   async listAuthenticators(vault) {
-    const keyring = await this.getKeyring(vault);
+    const keyring = await this.getKeyringInternal(vault);
     return keyring.authenticators;
   }
+  /**
+   * Mutate the `meta` blob on an existing authenticator slot — slot
+   * rename, label change, attachment of UI hints. The slot's `id`,
+   * `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
+   * are immutable through this method. Anti-slot-swap is structural,
+   * not gate-driven.
+   *
+   * `meta` patch semantics (#57-aligned):
+   *   - Top-level merge — absent keys preserved
+   *   - `null` value — delete that meta key
+   *   - Other values — replace verbatim
+   *
+   * Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
+   * Touch ID" disambiguation in admin UIs. The slot id (auto-derived
+   * from credentialId prefix) is not human-friendly; `meta.nickname`
+   * is.
+   *
+   * Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
+   * alone (matches enroll/remove). STRICT_POLICY: tier-1 +
+   * TOTP/email-OTP factor proof — a malicious rename on a shared
+   * workstation could mislead the user about which device a slot
+   * corresponds to, so STRICT requires fresh factor binding.
+   *
+   * @throws `NoAccessError` when no slot with the given id exists.
+   * @throws `ValidationError` when no patch field is provided.
+   *
+   * @see #55
+   */
+  async updateAuthenticator(vault, slotId, options, factors) {
+    await this.checkGate(vault, "update-authenticator", factors);
+    const keyring = await this.getKeyringInternal(vault);
+    const next = await updateAuthenticator(this.options.store, vault, keyring, slotId, options);
+    this.keyringCache.set(vault, next);
+  }
   /**
    * Native WebAuthn enrollment using the **real** internal keyring (#16).
    *
@@ -7035,9 +8372,9 @@ var Noydb = class {
    *
    * @see #16
    */
-  async enrollWebAuthn(vault, ceremony, presented) {
-    await this.checkGate(vault, "enroll-authenticator", presented);
-    const keyring = await this.getKeyring(vault);
+  async enrollWebAuthn(vault, ceremony, factors) {
+    await this.checkGate(vault, "enroll-authenticator", factors);
+    const keyring = await this.getKeyringInternal(vault);
     const slotOptions = await ceremony(keyring);
     if (slotOptions.method !== "webauthn") {
       throw new ValidationError(
@@ -7064,7 +8401,7 @@ var Noydb = class {
    * @see #16
    */
   async listWebAuthnSlots(vault) {
-    const keyring = await this.getKeyring(vault);
+    const keyring = await this.getKeyringInternal(vault);
     return keyring.authenticators.filter((a) => a.method === "webauthn").map((a) => {
       const credentialId = a.meta.credentialId;
       return {
@@ -7084,7 +8421,7 @@ var Noydb = class {
    * `checkGate` calls see a tier-2 unlock.
    */
   async unlockViaAuthenticator(vault, slotId, verify) {
-    const keyring = await this.getKeyring(vault);
+    const keyring = await this.getKeyringInternal(vault);
     const slot = findAuthenticator(keyring, slotId);
     if (!slot) {
       throw new ValidationError(
@@ -7182,6 +8519,14 @@ var Noydb = class {
    * @throws `InvalidKeyError` when `oldPassphrase` is wrong.
    */
   async rotatePassphrase(vault, input, factors) {
+    if (this.options.passphraseMode === "managed") {
+      throw new PolicyDeniedError(
+        "rotate-passphrase",
+        "disabled",
+        { minTier: 1, enabled: false },
+        "Managed-passphrase mode (#14): the passphrase is hub-generated and sealed under the SealingKeyProvider \u2014 there is no plaintext to rotate. Use the recovery flow (follow-up issue) to mint a fresh sealed passphrase."
+      );
+    }
     await this.checkGate(vault, "rotate-passphrase", factors);
     const userId = this.options.user;
     const next = await rotatePassphrase(this.options.store, vault, userId, input);
@@ -7198,7 +8543,7 @@ var Noydb = class {
     await this.checkGate(vault, "recover-passphrase", factors);
     const userId = this.options.user;
     const entriesBeforeRecovery = await loadPaperRecoveryEntries(this.options.store, vault);
-    const next = await recoverPassphrase(this.options.store, vault, userId, input);
+    const next = await recoverPassphrase(this.options.shamirRecovery, this.options.store, vault, userId, input);
     this.keyringCache.set(vault, next);
     const rotateRemaining = input.rotateRemainingCodes ?? true;
     const remainingAfterBurn = Math.max(0, entriesBeforeRecovery.length - 1);
@@ -7218,6 +8563,256 @@ var Noydb = class {
     await savePaperRecoveryEntries(this.options.store, vault, newEntries);
     return { newCodes: codes };
   }
+  /**
+   * Deliberate paper-recovery-code regeneration (#121). User knows their
+   * passphrase but wants a fresh sheet — they lost the printout or
+   * suspect compromise of the off-site copy.
+   *
+   * Symmetric to {@link rotatePassphrase} for the recovery profile:
+   * gated, audit-trackable, ergonomic. Replaces (not appends) the
+   * paper sheet under `_meta/recovery-paper` in a single envelope `put`.
+   *
+   * Gated by the `rotate-recovery` policy gate:
+   *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
+   *     suffices, matching the pre-#121 low-level flow's bar.
+   *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
+   *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
+   *     off-site-trust event; require an off-device factor so a
+   *     stolen unlocked laptop cannot silently mint a sheet for the
+   *     attacker.
+   *
+   * Defaults `count` to the existing sheet size so consumers aren't
+   * surprised by a different code count. Explicit `count` overrides.
+   *
+   * @throws {@link RecoveryProfileNotImplementedError} when `profile`
+   *         is anything other than `'paper'` (v1 dispatch limit).
+   * @throws {@link PolicyDeniedError} when the gate denies (missing
+   *         factor, tier mismatch, ...).
+   * @throws on missing paper sheet — "nothing to rotate" surfaces as
+   *         an error rather than silently minting an entire new sheet.
+   *
+   * @example Default count + show-once UI
+   * ```ts
+   * const { newCodes } = await db.rotateRecovery('acme', { profile: 'paper' })
+   * showCodesToUser(newCodes)
+   * ```
+   *
+   * @example STRICT-policy site with TOTP factor proof
+   * ```ts
+   * await db.rotateRecovery(
+   *   'acme',
+   *   { profile: 'paper', count: 10 },
+   *   { factors: [{ kind: 'totp', proof: '123456' }] },
+   * )
+   * ```
+   */
+  async rotateRecovery(vault, options, factors) {
+    if (options.profile === "paper") {
+      return this.rotateRecoveryPaper(vault, options, factors);
+    }
+    if (options.profile === "shamir") {
+      return this.rotateRecoveryShamir(vault, options, factors);
+    }
+    throw new RecoveryProfileNotImplementedError(
+      options.profile,
+      "#196"
+    );
+  }
+  async rotateRecoveryPaper(vault, options, factors) {
+    await this.checkGate(vault, "rotate-recovery", factors);
+    const existing = await loadPaperRecoveryEntries(this.options.store, vault);
+    if (existing.length === 0) {
+      throw new Error(
+        `db.rotateRecovery: no recovery codes are enrolled for vault "${vault}". Call db.enrollRecovery({ profile: 'paper', entries }) first; rotateRecovery replaces an existing sheet rather than minting one from scratch.`
+      );
+    }
+    const keyring = await this.getKeyring(vault);
+    const codeGen = options.codeGenerator ?? generateULID;
+    const count2 = options.count ?? existing.length;
+    const codes = [];
+    const newEntries = [];
+    for (let i = 0; i < count2; i++) {
+      const rawCode = codeGen();
+      const entry = await mintPaperRecoveryEntry(keyring.deks, rawCode, generateULID());
+      codes.push(rawCode);
+      newEntries.push(entry);
+    }
+    await savePaperRecoveryEntries(this.options.store, vault, newEntries);
+    return { newCodes: codes, entryId: "paper-batch" };
+  }
+  async rotateRecoveryShamir(vault, options, factors) {
+    await this.checkGate(vault, "rotate-recovery", factors);
+    const existing = await loadShamirRecoveryEntries(this.options.store, vault);
+    if (existing.length === 0) {
+      throw new Error(
+        `db.rotateRecovery: no Shamir recovery entry is enrolled for vault "${vault}". Call db.enrollRecovery({ profile: 'shamir', k, n }) first; rotateRecovery replaces an existing entry rather than minting one from scratch.`
+      );
+    }
+    let targetEntryId;
+    if (options.entryId !== void 0) {
+      const found = existing.find((e) => e.entryId === options.entryId);
+      if (!found) {
+        throw new Error(
+          `db.rotateRecovery: no Shamir entry with entryId="${options.entryId}" found in vault "${vault}". Available: ${existing.map((e) => `"${e.entryId}"`).join(", ")}.`
+        );
+      }
+      targetEntryId = options.entryId;
+    } else {
+      if (existing.length > 1) {
+        throw new Error(
+          `db.rotateRecovery: vault "${vault}" has ${existing.length} Shamir entries enrolled (${existing.map((e) => `"${e.entryId}"`).join(", ")}). Pass \`entryId\` to disambiguate which one to rotate; ambiguous rotation would risk replacing the wrong entry.`
+        );
+      }
+      targetEntryId = existing[0].entryId;
+    }
+    const keyring = await this.getKeyring(vault);
+    const { entry, shareStrings } = await mintShamirRecoveryEntry(
+      this.requireShamirProvider(),
+      keyring.deks,
+      targetEntryId,
+      options.k,
+      options.n,
+      options.label
+    );
+    const next = existing.filter((e) => e.entryId !== targetEntryId).concat(entry);
+    await saveShamirRecoveryEntries(this.options.store, vault, next);
+    return { newShares: shareStrings, entryId: targetEntryId };
+  }
+  /**
+   * **Atomic create-and-enroll for managed-mode vaults (#195).**
+   *
+   * Bootstraps a managed-mode vault and enrolls strong recovery in
+   * a single ceremony. Under `passphraseMode: 'managed'`, every
+   * `openVault` call requires a strong recovery profile (Shamir
+   * today) to be enrolled — otherwise it throws
+   * {@link ManagedRecoveryNotEnrolledError}. This method bypasses
+   * the check temporarily so the keyring can be created, enrolls
+   * the supplied recovery profile(s), then returns the vault.
+   *
+   * For Shamir enrollments, the show-once share strings come back
+   * in `recoveryEnrollments[i].shares`. The hub never retains them
+   * — the caller MUST display them to the user (once) before any
+   * subsequent operation.
+   *
+   * Paper alone is NOT a strong profile under managed mode; passing
+   * `{ profile: 'paper', ... }` without an accompanying shamir entry
+   * is rejected at validation time.
+   *
+   * ```ts
+   * const db = await createNoydb({
+   *   store, user: 'alice',
+   *   passphraseMode: 'managed',
+   *   sealingKey: macosKeychainSealingProvider({ ... }),
+   * })
+   *
+   * const { vault, recoveryEnrollments } = await db.openVaultAndEnrollRecovery('acme', {
+   *   recovery: [{ profile: 'shamir', k: 2, n: 3 }],
+   * })
+   * for (const r of recoveryEnrollments) {
+   *   if (r.shares) showSharesToUser(r.shares)  // ONCE
+   * }
+   * ```
+   *
+   * @throws ValidationError if recovery is empty, or contains no
+   *   strong profile under managed mode.
+   */
+  async openVaultAndEnrollRecovery(vault, opts) {
+    if (opts.recovery.length === 0) {
+      throw new ValidationError(
+        "openVaultAndEnrollRecovery: at least one recovery enrollment is required."
+      );
+    }
+    if (this.options.passphraseMode === "managed") {
+      const hasStrong = opts.recovery.some((r) => r.profile === "shamir");
+      if (!hasStrong) {
+        throw new ValidationError(
+          'openVaultAndEnrollRecovery: managed-mode vaults require at least one strong recovery profile in the `recovery` array. Paper alone is not strong under managed mode (no user passphrase to fall back on). Include { profile: "shamir", k, n } in `recovery`.'
+        );
+      }
+    }
+    this._skipNextManagedRecoveryCheck = true;
+    let vaultHandle;
+    try {
+      vaultHandle = await this.openVault(vault, opts.locale !== void 0 ? { locale: opts.locale } : void 0);
+    } finally {
+      this._skipNextManagedRecoveryCheck = false;
+    }
+    const recoveryEnrollments = [];
+    for (const enrollment of opts.recovery) {
+      recoveryEnrollments.push(await this.enrollRecovery(vault, enrollment));
+    }
+    if (this.options.passphraseMode === "managed") {
+      const policy = this.policyCache.get(vault);
+      if (policy) {
+        await this.assertRecoveryEnrolled(vault, policy);
+      }
+    }
+    return { vault: vaultHandle, recoveryEnrollments };
+  }
+  /**
+   * **Recovery flow under managed-passphrase mode (#195).**
+   *
+   * Replaces the sealed passphrase of a managed-mode vault with a
+   * fresh 256-bit random, sealed under the configured
+   * `SealingKeyProvider`. The user never sees the new passphrase.
+   *
+   * Internally:
+   *   1. Verify the recovery proof (Shamir today) and unwrap the
+   *      DEK set.
+   *   2. Mint a fresh 256-bit random as the new effective passphrase.
+   *   3. Rewrap the DEK set under a fresh KEK derived from the new
+   *      passphrase (via the existing `recoverPassphrase` path).
+   *   4. Seal the random bytes under the provider and overwrite
+   *      `_meta/sealed-passphrase`.
+   *   5. Drop the keyring cache so the next operation re-derives.
+   *
+   * The vault's strong-recovery enrollment is preserved across
+   * recovery (Shamir entries are not burned on use — see #196).
+   *
+   * @throws ValidationError if the Noydb instance is not in managed mode.
+   */
+  async recoverManagedPassphrase(vault, options) {
+    if (this.options.passphraseMode !== "managed") {
+      throw new ValidationError(
+        "recoverManagedPassphrase: this method only applies to vaults opened in managed-passphrase mode. For standard mode, use db.recoverPassphrase."
+      );
+    }
+    const provider = this.options.sealingKey;
+    if (!provider) {
+      throw new ValidationError(
+        'recoverManagedPassphrase: createNoydb({ passphraseMode: "managed" }) requires `sealingKey` to be supplied; without it the new sealed passphrase cannot be persisted.'
+      );
+    }
+    const randomBytes = new Uint8Array(32);
+    globalThis.crypto.getRandomValues(randomBytes);
+    let binary = "";
+    for (let i = 0; i < randomBytes.length; i++) binary += String.fromCharCode(randomBytes[i]);
+    const newPassphrase = btoa(binary);
+    try {
+      const sealed = await provider.seal(randomBytes);
+      await recoverPassphrase(
+        this.options.shamirRecovery,
+        this.options.store,
+        vault,
+        this.options.user,
+        {
+          newPassphrase,
+          recoveryProof: options.recoveryProof,
+          // The new passphrase IS 256 bits of random; policy gates on
+          // length/entropy don't apply.
+          allowWeakPassphrase: true,
+          ...options.passphrasePolicy !== void 0 ? { passphrasePolicy: options.passphrasePolicy } : {}
+        }
+      );
+      await saveSealedPassphrase(this.options.store, vault, {
+        providerId: provider.id,
+        sealed
+      });
+    } finally {
+      randomBytes.fill(0);
+    }
+    this.keyringCache.delete(vault);
+  }
   /**
    * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
    * a fresh temp passphrase in a single store write. Closes #34's
@@ -7263,7 +8858,7 @@ var Noydb = class {
    */
   async recoverUser(vault, options, factors) {
     await this.checkGate(vault, "peer-recover-user", factors);
-    const callerKeyring = await this.getKeyring(vault);
+    const callerKeyring = await this.getKeyringInternal(vault);
     await recoverUser(this.options.store, vault, callerKeyring, options);
     if (options.userId === this.options.user) {
       this.keyringCache.delete(vault);
@@ -7301,21 +8896,40 @@ var Noydb = class {
    * ```
    */
   async enrollRecovery(vault, enrollment) {
-    if (enrollment.profile !== "paper") {
-      throw new ValidationError(
-        `enrollRecovery: only 'paper' is implemented in v0.1.0-pre.5. Profile '${enrollment.profile}' is tracked under issue #10.`
+    if (enrollment.profile === "paper") {
+      const existing = await loadPaperRecoveryEntries(this.options.store, vault);
+      await savePaperRecoveryEntries(this.options.store, vault, [
+        ...existing,
+        ...enrollment.entries
+      ]);
+      return { entryId: "paper-batch" };
+    }
+    if (enrollment.profile === "shamir") {
+      const keyring = await this.getKeyring(vault);
+      const entryId = enrollment.entryId ?? generateULID();
+      const { entry, shareStrings } = await mintShamirRecoveryEntry(
+        this.requireShamirProvider(),
+        keyring.deks,
+        entryId,
+        enrollment.k,
+        enrollment.n,
+        enrollment.label
       );
-    }
-    const existing = await loadPaperRecoveryEntries(this.options.store, vault);
-    await savePaperRecoveryEntries(this.options.store, vault, [
-      ...existing,
-      ...enrollment.entries
-    ]);
+      const existing = await loadShamirRecoveryEntries(this.options.store, vault);
+      const next = existing.filter((e) => e.entryId !== entryId).concat(entry);
+      await saveShamirRecoveryEntries(this.options.store, vault, next);
+      return { entryId, shares: shareStrings };
+    }
+    throw new RecoveryProfileNotImplementedError(
+      enrollment.profile,
+      "#196"
+    );
   }
-  /** Read the persisted paper-recovery entries. Used by `describeAuthConfig` (#13). */
+  /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
   async listRecoveryEntries(vault) {
     const paper = await loadPaperRecoveryEntries(this.options.store, vault);
-    return { paper };
+    const shamir = await loadShamirRecoveryEntries(this.options.store, vault);
+    return { paper, shamir };
   }
   // ─── Tier-3 enroll / unlock (issue #11) ────────────────────────
   /**
@@ -7327,8 +8941,8 @@ var Noydb = class {
    * Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
    * because tier-3 is a single-slot rolling secret).
    */
-  async enrollUnlock(vault, state, presented) {
-    await this.checkGate(vault, "rotate-unlock", presented);
+  async enrollUnlock(vault, state, factors) {
+    await this.checkGate(vault, "rotate-unlock", factors);
     this.quickUnlock.set(vault, state);
   }
   /**
@@ -7355,8 +8969,17 @@ var Noydb = class {
   /**
    * Public accessor for the unlocked keyring of a vault — issue #28.
    *
-   * Returns the cached `UnlockedKeyring` (already in memory after
-   * `createNoydb` + first vault touch); loads it on demand if absent.
+   * Returns a **defensive shallow copy** so consumers can read the DEK
+   * map and authenticator list without the risk of mutating the hub's
+   * internal cache (#88). Internal hub code paths use a live reference
+   * via `getKeyringInternal`; ceremonies and external consumers always
+   * get a snapshot.
+   *
+   * The CryptoKey values inside `deks` are not cloned — Web Crypto
+   * keys are opaque handles, and a shared handle is intentional
+   * (encrypt / decrypt go through the same key the cache holds).
+   * Only the container Map / authenticator array is fresh.
+   *
    * Used by `@noy-db/on-*` ceremonies that need the live DEK set
    * (paper recovery via {@link mintPaperRecoveryEntry}, tier-3 PIN
    * enrolment via on-pin's `enrollPin`, custom on-* ceremonies that
@@ -7371,11 +8994,33 @@ var Noydb = class {
    * ```ts
    * const keyring = await db.getKeyring('acme')
    * // keyring.deks: Map<collection, CryptoKey>
-   * // keyring.kek:  CryptoKey   (non-extractable; null for tier-3 sessions)
+   * // keyring.kek:  CryptoKey | null   (null for tier-3 / wrap-DEKs sessions)
    * // keyring.role / .permissions / .authenticators
    * ```
    */
   async getKeyring(vault) {
+    const live = await this.getKeyringInternal(vault);
+    return {
+      ...live,
+      deks: new Map(live.deks),
+      permissions: { ...live.permissions },
+      authenticators: live.authenticators.map((a) => ({
+        ...a,
+        meta: { ...a.meta }
+      })),
+      ...live.policy !== void 0 ? { policy: { ...live.policy } } : {},
+      ...live.exportCapability !== void 0 ? { exportCapability: { ...live.exportCapability } } : {},
+      ...live.importCapability !== void 0 ? { importCapability: { ...live.importCapability } } : {}
+    };
+  }
+  /**
+   * Live-reference variant used by the hub's own code paths. Internal
+   * mutations on `deks` (e.g. {@link ensureCollectionDEK} adding a
+   * collection key) need to land on the cached keyring so subsequent
+   * accesses see them. Not exposed publicly — callers outside hub
+   * should use {@link getKeyring}, which returns a defensive copy.
+   */
+  async getKeyringInternal(vault) {
     if (this.options.encrypt === false) {
       return createPlaintextKeyring(this.options.user);
     }
@@ -7386,20 +9031,36 @@ var Noydb = class {
       this.keyringCache.set(vault, keyring2);
       return keyring2;
     }
-    if (!this.options.secret) {
+    let effectiveSecret;
+    if (this.options.passphraseMode === "managed") {
+      effectiveSecret = await resolveManagedSecret(
+        this.options.store,
+        vault,
+        this.options.sealingKey
+      );
+    } else {
+      effectiveSecret = this.options.secret;
+    }
+    if (!effectiveSecret) {
       throw new ValidationError("A secret (passphrase) or getKeyring callback is required when encryption is enabled");
     }
     let keyring;
     try {
-      keyring = await loadKeyring(this.options.store, vault, this.options.user, this.options.secret);
+      keyring = await loadKeyring(this.options.store, vault, this.options.user, effectiveSecret);
     } catch (err) {
       if (err instanceof NoAccessError) {
         keyring = await createOwnerKeyring(
           this.options.store,
           vault,
           this.options.user,
-          this.options.secret,
-          { validate: this.options.validatePassphrase === true }
+          effectiveSecret,
+          {
+            // Managed mode generates 256-bit base64 strings that don't satisfy
+            // the human-passphrase strength rules (no spaces, no "words").
+            // Skip validation in managed mode — the entropy floor is already
+            // 256 bits by construction.
+            validate: this.options.passphraseMode === "managed" ? false : this.options.validatePassphrase === true
+          }
         );
       } else if (err instanceof InvalidKeyError && this.options.onInvalidKey === "reset") {
         await this.options.store.delete(vault, "_keyring", this.options.user);
@@ -7407,8 +9068,10 @@ var Noydb = class {
           this.options.store,
           vault,
           this.options.user,
-          this.options.secret,
-          { validate: this.options.validatePassphrase === true }
+          effectiveSecret,
+          {
+            validate: this.options.passphraseMode === "managed" ? false : this.options.validatePassphrase === true
+          }
         );
       } else {
         throw err;
@@ -7420,10 +9083,28 @@ var Noydb = class {
 };
 async function createNoydb(options) {
   const encrypted = options.encrypt !== false;
+  const managed = options.passphraseMode === "managed";
   if (options.secret && options.getKeyring) {
     throw new ValidationError("Provide either `secret` or `getKeyring`, not both");
   }
-  if (encrypted && !options.secret && !options.getKeyring) {
+  if (managed) {
+    if (options.secret) {
+      throw new ValidationError(
+        '`passphraseMode: "managed"` is mutually exclusive with `secret` \u2014 managed mode generates the passphrase itself. Drop `secret`.'
+      );
+    }
+    if (options.getKeyring) {
+      throw new ValidationError(
+        '`passphraseMode: "managed"` is mutually exclusive with `getKeyring` \u2014 a custom unlock callback would bypass the sealing flow. Drop `getKeyring`.'
+      );
+    }
+    if (!options.sealingKey) {
+      throw new ValidationError(
+        '`passphraseMode: "managed"` requires `sealingKey: SealingKeyProvider` (see @noy-db/seal-macos-keychain / @noy-db/seal-aws-kms / etc.).'
+      );
+    }
+  }
+  if (encrypted && !managed && !options.secret && !options.getKeyring) {
     throw new ValidationError("A secret (passphrase) or getKeyring callback is required when encryption is enabled");
   }
   return new Noydb(options);
@@ -7591,6 +9272,7 @@ function shortJSON(value) {
 export {
   Aggregation,
   AlreadyElevatedError,
+  AmendmentForbiddenError,
   BLOB_CHUNKS_COLLECTION,
   BLOB_COLLECTION,
   BLOB_INDEX_COLLECTION,
@@ -7601,6 +9283,7 @@ export {
   BackupLedgerError,
   BlobSet,
   BundleIntegrityError,
+  BundleSealMismatchError,
   BundleVersionConflictError,
   CONSENT_AUDIT_COLLECTION,
   Collection,
@@ -7614,28 +9297,39 @@ export {
   DEFAULT_PUBLIC_ENVELOPE_SCHEMA,
   DELEGATIONS_COLLECTION,
   DICT_COLLECTION_PREFIX,
+  DIRECTORY_RECORD_ID,
   DanglingReferenceError,
   DecryptionError,
   DelegationTargetMissingError,
+  DerivationCapExceededError,
+  DerivationCycleError,
+  DerivationDepthError,
+  DerivationOutputShapeError,
+  DerivationOutputUnknownError,
   DictKeyInUseError,
   DictKeyMissingError,
   DictionaryHandle,
+  DirectoryDisabledError,
   ELEVATION_AUDIT_COLLECTION,
   ElevatedHandle,
   ElevationExpiredError,
   ExportCapabilityError,
+  FieldFrozenError,
   FilenameSanitizationError,
   GROUPBY_MAX_CARDINALITY,
   GROUPBY_WARN_CARDINALITY,
   GroupCardinalityError,
   GroupedAggregation,
   GroupedQuery,
+  GroupedQueryN,
   INDEXED_STORE_POLICY,
   ImportCapabilityError,
   IndexRequiredError,
   IndexWriteFailureError,
   InvalidKeyError,
+  InvariantError,
   JoinTooLargeError,
+  KeyringCorruptError,
   KeyringExpiredError,
   LEDGER_COLLECTION,
   LEDGER_DELTAS_COLLECTION,
@@ -7647,6 +9341,12 @@ export {
   MAGIC_LINK_GRANTS_COLLECTION,
   MAGIC_LINK_KEK_INFO_PREFIX,
   META_COLLECTION,
+  ManagedRecoveryNotEnrolledError,
+  MaterializedViewConfigError,
+  MaterializedViewCycleError,
+  MaterializedViewSourceUnknownError,
+  MaterializedViewTooLargeError,
+  MemorySealingKeyProvider,
   MissingTranslationError,
   NOYDB_BACKUP_VERSION,
   NOYDB_BUNDLE_FORMAT_VERSION,
@@ -7660,6 +9360,10 @@ export {
   NotFoundError,
   Noydb,
   NoydbError,
+  OverlayBaseIsVirtualError,
+  OverlayCollectionUnavailableError,
+  OverlayIdMismatchError,
+  OverlayNameCollisionError,
   PERIODS_COLLECTION,
   PERSONAL_POLICY,
   POLICY_RECORD_ID,
@@ -7677,12 +9381,15 @@ export {
   ReadOnlyAtInstantError,
   ReadOnlyError,
   ReadOnlyFrameError,
+  RecordLockedError,
   RecoveryNotEnrolledError,
   RecoveryProfileNotImplementedError,
   RefIntegrityError,
   RefRegistry,
   RefScopeError,
   ReservedCollectionNameError,
+  SCHEMAS_COLLECTION,
+  SEALED_PASSPHRASE_RECORD_ID,
   STRICT_POLICY,
   SYNC_CREDENTIALS_COLLECTION,
   ScanBuilder,
@@ -7705,6 +9412,7 @@ export {
   USER_ENVELOPE_MAX_BYTES,
   UserApi,
   UserEnvelopeOversizedError,
+  VISIBILITY_RECORD_PREFIX,
   ValidationError,
   Vault,
   VaultFrame,
@@ -7738,7 +9446,9 @@ export {
   dekKey,
   deleteCredential,
   deleteUserEnvelope,
+  deleteUserVisibility,
   deriveMagicLinkContentKey,
+  derivePersistedSchema,
   derivePresenceKey,
   describeAllUsersAuth,
   describeAuthConfig,
@@ -7784,6 +9494,7 @@ export {
   isPublicEnvelope,
   isSessionAlive,
   isULID,
+  isZodSchema,
   issueDelegation,
   recoverPassphrase as keyringRecoverPassphrase,
   rotatePassphrase as keyringRotatePassphrase,
@@ -7795,7 +9506,10 @@ export {
   loadActiveDelegations,
   loadDevUnlock,
   loadPaperRecoveryEntries,
+  loadPersistedSchema,
   loadPublicEnvelope,
+  loadSealedPassphrase,
+  loadShamirRecoveryEntries,
   loadUserEnvelope,
   loadVaultPolicy,
   magicLinkGrantRecordId,
@@ -7804,17 +9518,24 @@ export {
   mergePolicy,
   min,
   mintPaperRecoveryEntry,
+  mintShamirRecoveryEntry,
   mintWrappedDeksBlob,
   paddedIndex,
   parseBytes,
   parseIndex,
+  parseSealedEnvelope,
+  persistDirectoryConfig,
+  persistSchemaIfNeeded,
+  persistUserVisibility,
   putCredential,
+  readDirectoryConfig,
   readMagicLinkGrantRecord,
   readNoydbBundle,
   readNoydbBundleHeader,
   readNoydbBundlePublicEnvelope,
   readPath,
   readPublicEnvelope,
+  readUserVisibility,
   recoverUser,
   reduceRecords,
   ref,
@@ -7832,13 +9553,17 @@ export {
   routeStore,
   runTransaction,
   savePaperRecoveryEntries,
+  savePersistedSchema,
   savePublicEnvelope,
+  saveSealedPassphrase,
+  saveShamirRecoveryEntries,
   saveUserEnvelope,
   saveVaultPolicy,
-  sha256Hex,
+  sha256Hex2 as sha256Hex,
   sum,
   unwrapDeksFromBlob,
   unwrapDeksFromPaperEntry,
+  unwrapDeksFromShamirEntry,
   unwrapMagicLinkGrant,
   validateI18nTextValue,
   validatePassphrase,
@@ -7846,11 +9571,16 @@ export {
   validateSchemaInput,
   validateSchemaOutput,
   validateSessionPolicy,
+  visibilityRecordId,
   withCache,
   withCircuitBreaker,
+  withDerivation,
+  withGuard,
   withHealthCheck,
   withLogging,
+  withMaterializedView,
   withMetrics,
+  withOverlayedView,
   withRetry,
   wrapBundleStore,
   wrapStore,