@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/{types-arFMsCtn.d.cts → types-DW9RGSSs.d.ts}

@@ -1,8 +1,8 @@
-import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-CZVLKh0Z.cjs';
-import { A as AggregateStrategy } from './strategy-D-SrOLCl.cjs';
-import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.cjs';
-import { N as NoydbError, U as RefDescriptor, p as JoinableSource, Z as RefViolation, Q as Query, $ as ScanBuilder } from './index-6xNpPsxR.cjs';
-import { I as IndexDef, C as CollectionIndexes } from './predicate-SBHmi6D0.cjs';
+import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-Rpd-V3jP.js';
+import { b as AggregateSpec, A as AggregateStrategy } from './strategy-DSTrsZ8t.js';
+import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
+import { N as NoydbError, Q as Query, ak as RefRegistry, ah as RefDescriptor, _ as JoinableSource, am as RefViolation, an as ScanBuilder } from './index-CNwA-B6-.js';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Dnu81tsS.js';
 
 /**
  * Standard Schema v1 integration.
@@ -785,12 +785,17 @@ interface LedgerEntry {
     readonly prevHash: string;
     /**
      * Which kind of mutation this entry records. only supports
-     * data operations (`put`, `delete`). Access-control operations
-     * (`grant`, `revoke`, `rotate`) will be added in a follow-up once
-     * the keyring write path is instrumented — that's tracked in the
-     * epic issue.
+     * data operations (`put`, `delete`, `amendment`). Access-control
+     * operations (`grant`, `revoke`, `rotate`) will be added in a
+     * follow-up once the keyring write path is instrumented — that's
+     * tracked in the epic issue.
+     *
+     * `'amendment'` is the multi-record audit entry written by the
+     * guards subsystem when an admin/owner uses `withTransactions(...)`
+     * to repair a constraint-violating state. See `amendment` field
+     * below for the structured payload.
      */
-    readonly op: 'put' | 'delete';
+    readonly op: 'put' | 'delete' | 'amendment';
     /** The collection the mutation targeted. */
     readonly collection: string;
     /** The record id the mutation targeted. */
@@ -814,6 +819,17 @@ interface LedgerEntry {
      * the file docstring.
      */
     readonly payloadHash: string;
+    /**
+     * Optional human-readable tag describing why this mutation happened
+     * (#1). Threaded through `collection.put(_, _, { reason })`. Common
+     * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
+     * `as-*` ImportPlan.apply(), but consumers can use any string for
+     * domain-specific audit filtering. Auto-strip via `canonicalJson` —
+     * absent on the wire, never serialized as `null`.
+     *
+     * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.
+     */
+    readonly reason?: string;
     /**
      * Optional hex-encoded sha256 of the encrypted JSON Patch delta
      * blob stored alongside this entry in `_ledger_deltas/`. Present
@@ -837,6 +853,24 @@ interface LedgerEntry {
      * entirely — never `{ deltaHash: undefined }`.
      */
     readonly deltaHash?: string;
+    /**
+     * Present only when `op === 'amendment'`. Records the human reason,
+     * the role of the actor, the (collection, id, vBefore, vAfter) tuple
+     * for every record touched, and which guard invariants passed.
+     *
+     * See docs/superpowers/specs/2026-05-18-guards-design.md.
+     */
+    readonly amendment?: {
+        readonly reason: string;
+        readonly role: 'admin' | 'owner';
+        readonly changes: ReadonlyArray<{
+            readonly collection: string;
+            readonly id: string;
+            readonly vBefore: number;
+            readonly vAfter: number;
+        }>;
+        readonly invariantsPassed: ReadonlyArray<string>;
+    };
 }
 /**
  * Canonical (sort-stable) JSON encoder.
@@ -1056,6 +1090,20 @@ interface AppendInput {
      * as the entry's `deltaHash` field.
      */
     delta?: JsonPatch;
+    /**
+     * Present only for `op === 'amendment'` — structured audit
+     * payload for multi-record repair operations performed via
+     * `withTransactions(...)`. Carried through verbatim to the
+     * resulting ledger entry.
+     */
+    amendment?: LedgerEntry['amendment'];
+    /**
+     * Optional human-readable tag describing why this mutation happened
+     * (#1). Threaded from `collection.put(_, _, { reason })`.
+     * Carried verbatim onto the resulting ledger entry's `reason` field;
+     * omitted from canonical JSON when undefined.
+     */
+    reason?: string;
 }
 /**
  * Result of `LedgerStore.verify()`. On success, `head` is the hash of
@@ -1949,8 +1997,9 @@ interface UnlockedKeyring {
      */
     readonly exportCapability?: ExportCapability;
     /**
-     * `@noy-db/as-*` import capability (issue ). Absent when the
-     * keyring was written before  landed — default-closed semantics
+     * `@noy-db/as-*` import capability. Absent when the
+     * keyring was written before the import-capability extension
+     * landed — default-closed semantics
      * apply via `hasImportCapability` (no plaintext format granted, no
      * bundle import granted, regardless of role).
      */
@@ -1970,6 +2019,65 @@ interface UnlockedKeyring {
      */
     readonly policy?: VaultPolicyOnDisk;
 }
+/** Load and unlock a user's keyring for a vault. */
+declare function loadKeyring(adapter: NoydbStore, vault: string, userId: string, passphrase: string): Promise<UnlockedKeyring>;
+/**
+ * Create the initial owner keyring for a new vault.
+ *
+ * Pass `{ validate: true }` (or a `PassphrasePolicy`) to gate creation
+ * on the phrase-format strength rules — `Noydb` threads this from
+ * `NoydbOptions.validatePassphrase`. Direct callers (CLI, scripts,
+ * test fixtures) opt in explicitly.
+ */
+declare function createOwnerKeyring(adapter: NoydbStore, vault: string, userId: string, passphrase: string, passphraseOpts?: PassphrasePolicy & {
+    validate?: boolean;
+    allowWeakPassphrase?: boolean;
+}): Promise<UnlockedKeyring>;
+/** Grant access to a new user. Caller must have grant privilege. */
+declare function grant(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions): Promise<void>;
+/** Revoke a user's access. Optionally rotate keys for affected collections. */
+declare function revoke(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions): Promise<void>;
+/**
+ * Mutate `role`, `displayName`, and/or `permissions` on an existing
+ * keyring. Pure plaintext-header rewrite — no DEK rewrap, no KEK
+ * required, no authenticator slots touched. Tier-2 enrollments and
+ * recovery codes survive the operation.
+ *
+ * Role-elevation guard: BOTH the old role AND the new role must
+ * satisfy `canUpdateRole(callerRole, _)`. This blocks the two
+ * privilege-escalation shapes:
+ *   - admin elevates someone (or themselves) to owner
+ *   - admin demotes an owner to a role they then control
+ *
+ * Owner is always allowed. Admin manages admin / operator / viewer /
+ * client laterally.
+ *
+ * Identity preserved: same userId, same DEK wrappings. Last-write-wins
+ * through the standard keyring put (same concurrency story as `grant`
+ * and `revoke`).
+ *
+ * @throws `NoAccessError` when no keyring exists for the target.
+ * @throws `PermissionDeniedError` when the role hierarchy rejects.
+ * @throws `ValidationError` when the diff is empty (nothing to update).
+ *
+ * @see #54
+ */
+declare function updateKeyringIdentity(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: UpdateUserOptions): Promise<void>;
+/**
+ * Change the user's passphrase. Re-wraps every DEK under the new KEK.
+ *
+ * Validates the new passphrase against the strength rules unless
+ * `allowWeakPassphrase: true` is passed. Mirrors `rotatePassphrase`'s
+ * default-on validation contract.
+ *
+ * `db.rotatePassphrase()` adds a `checkGate('rotate-passphrase')` step
+ * on top of this primitive and additionally requires the OLD passphrase
+ * for re-derivation; `changeSecret` reuses the cached unlocked KEK so
+ * the OLD passphrase is not retyped.
+ */
+declare function changeSecret(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, newPassphrase: string, passphraseOpts?: PassphrasePolicy & {
+    allowWeakPassphrase?: boolean;
+}): Promise<UnlockedKeyring>;
 /**
  * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its
  * own keyring file inside the bundle, sealed with its own passphrase.
@@ -2027,6 +2135,17 @@ interface BundleRecipient {
 declare function buildRecipientKeyringFile(callerKeyring: UnlockedKeyring, recipient: BundleRecipient): Promise<KeyringFile>;
 /** List all users with access to a vault. */
 declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo[]>;
+/**
+ * Optional filter knobs for {@link listUsersWithEnvelopes}.
+ *
+ * - `includeHidden` — when true, principals with `_meta/visibility/<id>`
+ *   set to `{ hidden: true }` are returned alongside everyone else.
+ *   Requires `owner` or `admin` callerRole; lower roles get
+ *   {@link import('../errors.js').PermissionDeniedError}.
+ */
+interface ListUsersOptions {
+    readonly includeHidden?: boolean;
+}
 /**
  * Joined enumeration: every keyring + its `_users/<keyringId>`
  * envelope side by side. Convenience for admin UIs that want to
@@ -2036,6 +2155,27 @@ declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo
  * `userEnvelopeDek` is the vault's `_users` collection DEK
  * (`vault.getDEK('_users')`); used to decrypt every envelope.
  *
+ * `callerRole` (#122) drives the directory-visibility checks:
+ *
+ *  - When the vault's `_meta/directory` document has `enabled: false`,
+ *    only `owner` and `admin` callers may enumerate; anyone else gets
+ *    {@link import('../errors.js').DirectoryDisabledError}.
+ *  - Principals with `_meta/visibility/<id>` set to `{ hidden: true }`
+ *    are filtered out by default. `owner`/`admin` callers can pass
+ *    `{ includeHidden: true }` to see them; lower roles passing that
+ *    option get `PermissionDeniedError`.
+ *
+ * Honest caveat (#122): these filters are a UX hint, not a security
+ * boundary. The keyring file is still listed at `_keyring/*` and the
+ * envelope ciphertext at `_users/*`. A caller with direct store access
+ * — or a caller that calls this function with `callerRole: 'owner'`
+ * unconditionally — sees every principal. The protection is only as
+ * strong as the role the calling layer passes in. The hub-level wrapper
+ * on `Vault` sources `callerRole` from the unlocked keyring's `role`
+ * field, which is signed-by-construction (it lives in the user's own
+ * keyring file). See `docs/subsystems/user-envelope.md` →
+ * "Directory visibility".
+ *
  * Principals without a persisted envelope (legacy keyrings predating
  * the user-envelope feature) come back with `envelope: null`. The
  * caller chooses how to render — usually "fall back to keyring's
@@ -2044,10 +2184,14 @@ declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo
  * Order matches `listUsers()` (store-defined; sort if you need a
  * stable display order).
  */
-declare function listUsersWithEnvelopes<T = unknown>(adapter: NoydbStore, vault: string, userEnvelopeDek: CryptoKey): Promise<Array<{
+declare function listUsersWithEnvelopes<T = unknown>(adapter: NoydbStore, vault: string, userEnvelopeDek: CryptoKey, callerRole: Role, options?: ListUsersOptions): Promise<Array<{
     user: UserInfo;
     envelope: UserEnvelope<T> | null;
 }>>;
+/** Ensure a DEK exists for a collection. Generates one if new. */
+declare function ensureCollectionDEK(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring): Promise<(collectionName: string) => Promise<CryptoKey>>;
+/** Persist a keyring file to the adapter. */
+declare function persistKeyring(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring): Promise<void>;
 /**
  * Check whether a keyring is authorised for a given `@noy-db/as-*`
  * export tier.
@@ -2946,6 +3090,283 @@ declare class SyncEngine {
     private persistMeta;
 }
 
+/**
+ * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
+ * pattern of "serialize a DEK set, encrypt it under a credential-derived
+ * AES-GCM key." Used by:
+ *
+ *   - **tier-0** — paper recovery entries (`_meta/recovery-paper`),
+ *     credential = the printed code.
+ *   - **tier-2** — password authenticator slots (`KeyringFile.authenticators`,
+ *     `wrapKind: 'deks'`), credential = the user's password.
+ *
+ * **Not** used by `@noy-db/on-pin` — tier-3 wraps the DEK set under
+ * the same conceptual pattern but at **100,000 PBKDF2 iterations**
+ * (vs the 600,000 here), because the protection window for a PIN
+ * slot is short (idle-timeout-bounded, typically 15 min) and 600k
+ * iterations would make every PIN-resume noticeably slow. The wire
+ * formats are deliberately incompatible. See `@noy-db/on-pin`'s
+ * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
+ * module docstring.
+ *
+ * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
+ * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
+ * `@noy-db/on-password`). Both functions did identical work — PBKDF2
+ * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
+ * their implementations had drifted apart enough that fixing a bug
+ * in one wouldn't fix the other.
+ *
+ * This module owns the canonical implementation. Consumers compose:
+ *
+ *   - `mintPaperRecoveryEntry` is now a thin wrapper that calls
+ *     `mintWrappedDeksBlob` and adds `{ codeId, enrolledAt }`.
+ *   - `enrollPasswordAuthenticator` calls `mintWrappedDeksBlob` and
+ *     wraps the result in the slot envelope.
+ *
+ * @module
+ */
+/**
+ * The wrap-DEKs primitive — a serialized + AES-GCM-encrypted DEK set
+ * keyed under a credential-derived key.
+ *
+ * All three fields are base64-encoded so the blob is JSON-safe and
+ * round-trips through `_meta/*` envelopes (which carry plaintext
+ * JSON in `_data`).
+ *
+ * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
+ * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
+ * carries the same three fields with `salt` stored in `meta` for
+ * slot-format back-compat (#44 defers moving it to top-level).
+ */
+interface WrappedDeksBlob {
+    /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
+    readonly salt: string;
+    /** Base64 AES-GCM IV used for the `wrappedDeks` ciphertext. */
+    readonly iv: string;
+    /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */
+    readonly wrappedDeks: string;
+}
+/**
+ * Mint a fresh `WrappedDeksBlob` from a DEK set + a string credential.
+ *
+ * Generates a random salt + IV, derives a 256-bit AES-GCM key via
+ * PBKDF2-SHA256(credential, salt, 600K), serializes the DEK set as
+ * `{ deks: { coll: rawBase64 } }`, and AES-GCM-encrypts.
+ *
+ * The `credential` is the user-typed string (recovery code, password,
+ * PIN). Caller normalization rules apply (e.g. paper
+ * recovery uppercase-strips the code before reaching this function).
+ *
+ * @param deks - DEK set to wrap. Each DEK must be exportable via
+ *               `subtle.exportKey('raw', dek)` (the hub mints DEKs
+ *               this way; consumers feeding non-extractable keys
+ *               will get `InvalidAccessError` from WebCrypto).
+ * @param credential - String input the consumer minted (paper code,
+ *               password, PIN). Treated as opaque bytes by PBKDF2.
+ */
+declare function mintWrappedDeksBlob(deks: Map<string, CryptoKey>, credential: string): Promise<WrappedDeksBlob>;
+/**
+ * Reverse of {@link mintWrappedDeksBlob}. Re-derives the wrapping key
+ * from the credential + stored salt, AES-GCM-decrypts the wrapped DEK
+ * set, and re-imports each DEK as an extractable AES-GCM CryptoKey.
+ *
+ * Throws (AES-GCM auth tag failure) when the credential doesn't
+ * match the blob. Callers iterating over multiple blobs (e.g. paper
+ * recovery's "try every entry until one matches") should catch.
+ */
+declare function unwrapDeksFromBlob(blob: WrappedDeksBlob, credential: string): Promise<Map<string, CryptoKey>>;
+
+/**
+ * String-level Shamir provider injected into hub for `profile: 'shamir'`
+ * recovery. Keeps hub free of any `@noy-db/on-shamir` import — hub never
+ * sees `RawShare` or the share codecs. Implemented by
+ * `shamirRecoveryProvider()` from `@noy-db/on-shamir`.
+ */
+interface ShamirRecoveryProvider {
+    /** Split `secret` into `n` base32 share strings; any `k` recombine it. */
+    splitToShares(secret: Uint8Array, k: number, n: number): string[];
+    /**
+     * Recombine `k`+ share strings into the secret. MUST throw on malformed,
+     * truncated, insufficient, or mismatched shares.
+     */
+    combineShares(shares: readonly string[]): Uint8Array;
+}
+
+/**
+ * Recovery profile persistence + dispatch — issue #10.
+ *
+ * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * `@noy-db/on-recovery`. The other three profiles (Shamir,
+ * multi-channel, admin-mediated) ship the API surface and throw
+ * {@link RecoveryProfileNotImplementedError} during use; per-profile
+ * dispatch lands in follow-up issues.
+ *
+ * Storage layout:
+ *
+ * ```
+ * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.
+ * _meta/recovery-shamir      — reserved
+ * _meta/recovery-multi       — reserved
+ * _meta/recovery-admin       — reserved
+ * ```
+ *
+ * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON
+ * with empty `_iv` — the recovery-code wrapping is what protects the
+ * KEK; the entries themselves are inert without the user's code.
+ *
+ * @module
+ */
+
+/**
+ * One paper recovery code as persisted in `_meta/recovery-paper`.
+ *
+ * The hub's KEK is intentionally non-extractable (see `crypto.ts`),
+ * so the recovery entry can't AES-KW-wrap the KEK directly. Instead
+ * we wrap a serialized DEK set: the entry holds the AES-GCM
+ * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery
+ * deserializes the DEK set, then mints a fresh KEK from the new
+ * passphrase and rewraps the DEKs under it.
+ *
+ * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick
+ * resume — the cryptographic guarantee is identical (AES-GCM with a
+ * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
+ * constraint cleanly.
+ *
+ * Type-level composition (#44): `PaperRecoveryEntry extends
+ * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
+ * `wrappedDeks`) come from the shared primitive; `codeId` and
+ * `enrolledAt` are paper-recovery's own metadata. Wire format
+ * unchanged.
+ */
+interface PaperRecoveryEntry extends WrappedDeksBlob {
+    readonly codeId: string;
+    readonly enrolledAt: string;
+}
+interface PaperRecoveryDoc {
+    readonly _noydb_recovery: 1;
+    readonly profile: 'paper';
+    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
+}
+/** Read the paper-recovery entries. Returns empty array when absent. */
+declare function loadPaperRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<PaperRecoveryEntry>>;
+/** Replace the paper-recovery entries (used after burn-on-recovery). */
+declare function savePaperRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<PaperRecoveryEntry>): Promise<void>;
+/** Drop a single paper-recovery entry (burn-on-use). */
+declare function burnPaperRecoveryEntry(store: NoydbStore, vault: string, codeId: string): Promise<void>;
+/** Whether at least one recovery profile has any enrolled entries. */
+declare function hasRecoveryEnrolled(store: NoydbStore, vault: string): Promise<boolean>;
+/**
+ * One Shamir-recovery entry as persisted in `_meta/recovery-shamir`.
+ *
+ * Like {@link PaperRecoveryEntry}, the entry composes
+ * {@link WrappedDeksBlob} (DEKs wrapped under a fresh ephemeral
+ * recovery secret) with profile-specific metadata. Unlike paper, the
+ * "credential" was never visible to the user — it was 32 random
+ * bytes split into N Shamir shares at enrollment. The shares ARE
+ * the credential; the user holds them, the hub never sees them
+ * again after `enrollRecovery` returns.
+ *
+ * Per the spec §5: the recovery secret is base64-encoded and
+ * passed as the `credential` arg to
+ * {@link mintWrappedDeksBlob} / {@link unwrapDeksFromBlob}. The
+ * PBKDF2 round over high-entropy input is harmless overhead — it
+ * keeps the shared primitive unchanged while letting Shamir reuse
+ * the same wrapping pipeline as paper.
+ */
+interface ShamirRecoveryEntry extends WrappedDeksBlob {
+    /** Stable id for this entry. Allows multiple Shamir splits to coexist. */
+    readonly entryId: string;
+    /** Threshold — minimum shares to reconstruct. */
+    readonly k: number;
+    /** Total shares minted at enrollment. */
+    readonly n: number;
+    /** x-coordinates of the n minted shares. Informational. Omitted as of 0.2
+     *  (string-level provider doesn't expose share x-coords); kept optional so
+     *  pre-0.2 entries still read. */
+    readonly xCoords?: ReadonlyArray<number>;
+    /** ISO timestamp. */
+    readonly enrolledAt: string;
+    /** Optional caller-supplied label (e.g., "2-of-3 board escrow"). */
+    readonly label?: string;
+}
+interface ShamirRecoveryDoc {
+    readonly _noydb_recovery: 1;
+    readonly profile: 'shamir';
+    readonly entries: ReadonlyArray<ShamirRecoveryEntry>;
+}
+/** Read the Shamir-recovery entries. Returns empty array when absent. */
+declare function loadShamirRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<ShamirRecoveryEntry>>;
+/** Replace the Shamir-recovery entries (used by enrollment and rotation). */
+declare function saveShamirRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<ShamirRecoveryEntry>): Promise<void>;
+/**
+ * Mint a fresh Shamir recovery entry from a DEK set.
+ *
+ * 1. Generates a 32-byte recovery secret.
+ * 2. Wraps the DEK set under that secret via
+ *    {@link mintWrappedDeksBlob} (the recovery secret is base64-
+ *    encoded as the credential string — PBKDF2 over high-entropy
+ *    input is harmless overhead).
+ * 3. Splits the recovery secret via Shamir into `n` shares with
+ *    threshold `k`.
+ * 4. Zeros the in-memory recovery secret after wrapping + splitting.
+ *
+ * Returns:
+ *   - `entry` — the {@link ShamirRecoveryEntry} to persist.
+ *   - `shareStrings` — the `n` Base32-encoded share strings to
+ *     return to the caller. The HUB MUST NOT PERSIST THESE; once
+ *     returned they are the user's responsibility.
+ *
+ * @param deks - DEK set to wrap.
+ * @param entryId - Stable id for this entry (caller-supplied or
+ *                  hub-generated).
+ * @param k - Threshold (>= 2).
+ * @param n - Total shares (k <= n <= 255).
+ * @param label - Optional caller label.
+ */
+declare function mintShamirRecoveryEntry(provider: ShamirRecoveryProvider, deks: Map<string, CryptoKey>, entryId: string, k: number, n: number, label?: string): Promise<{
+    entry: ShamirRecoveryEntry;
+    shareStrings: string[];
+}>;
+/**
+ * Decrypt a Shamir recovery entry to recover the raw DEK set.
+ *
+ * Combines K or more `shares`, reconstructs the recovery secret,
+ * unwraps the DEKs via {@link unwrapDeksFromBlob}.
+ *
+ * Throws (AES-GCM auth-tag mismatch) when the shares don't combine
+ * to the secret originally used to mint the entry — typically
+ * because they came from a different enrollment or were tampered
+ * with. Callers iterating multiple entries should catch.
+ */
+declare function unwrapDeksFromShamirEntry(provider: ShamirRecoveryProvider, entry: ShamirRecoveryEntry, shareStrings: readonly string[]): Promise<Map<string, CryptoKey>>;
+/**
+ * Generate one paper-recovery entry from an unlocked DEK set.
+ *
+ * Returns the serializable entry (persisted via
+ * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
+ * DEK set, then mints a fresh KEK from the user's new passphrase.
+ *
+ * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
+ * lives in the shared primitive; this function just adds paper-
+ * recovery's own metadata (`codeId`, `enrolledAt`).
+ *
+ * @param deks      Map of collection-name → DEK (extractable).
+ * @param code      The plaintext recovery code (caller-supplied;
+ *                  pair this with `@noy-db/on-recovery`'s code
+ *                  generator/parser if available).
+ * @param codeId    Stable id used by `burnPaperRecoveryEntry`.
+ */
+declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: string, codeId: string): Promise<PaperRecoveryEntry>;
+/**
+ * Decrypt a recovery entry to recover the raw DEK set. Used by the
+ * `recoverPassphrase` flow after the user's code has been parsed.
+ *
+ * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
+ *
+ * @throws when the code does not match the entry (AES-GCM auth tag fail).
+ */
+declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
+
 /**
  * Tier-2 authenticator slot management — issue #11.
  *
@@ -2996,6 +3417,40 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
  * input. The variant is preserved verbatim into `KeyringAuthenticator`.
  */
 declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
+/**
+ * Caller payload for {@link updateAuthenticator} (#55). Mutates only
+ * `meta` — the slot's id, method, and wrap material are immutable
+ * through this primitive, preserving the anti-slot-swap guard.
+ *
+ * `meta` is **merged** at the top level: keys absent from the patch
+ * are preserved, keys present overwrite. To clear a meta key, pass
+ * `null` for that key explicitly. (Same semantics as #57's
+ * `UserApi.updateMe`, scoped to this top-level merge — no recursion
+ * into nested meta values.)
+ */
+interface UpdateAuthenticatorOptions {
+    readonly meta?: Record<string, unknown>;
+}
+/**
+ * Mutate a tier-2 authenticator slot's `meta` blob (slot rename,
+ * label changes). The slot's `id`, `method`, and wrap material
+ * (`wrapped_kek` for wrap-KEK; `wrapped_deks` + `iv` for wrap-DEKs)
+ * are immutable through this entry point — the anti-slot-swap guard
+ * is structural, not gate-driven, so even if the policy gate is
+ * weakened a future caller cannot use this path to swap one slot's
+ * crypto for another's.
+ *
+ * `meta` patch semantics:
+ *   - Top-level merge — absent keys preserved, present keys overwrite
+ *   - `null` value — delete that meta key
+ *   - Non-object values (string, number, boolean, array) — replace verbatim
+ *
+ * @throws `NoAccessError` when no slot with the given id exists.
+ * @throws `ValidationError` when no patch field is provided.
+ *
+ * @see #55
+ */
+declare function updateAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string, options: UpdateAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
  * Drop a slot by id. No-op if the slot doesn't exist (idempotent —
  * removing a non-existent slot is a recoverable retry, not an error).
@@ -3030,8 +3485,8 @@ declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): Ke
 /**
  * Context handed to a {@link SlotRewrapCeremony} when `rotatePassphrase`
  * preserves a tier-2 slot. The ceremony's job is to re-derive its
- * method-specific wrapping material (PRF assertion, PBKDF2 of a
- * daily-password, etc.) and wrap the freshly rewrapped DEK set under
+ * method-specific wrapping material (PRF assertion, PBKDF2 of the
+ * password, etc.) and wrap the freshly rewrapped DEK set under
  * the new wrapping key.
  *
  * Two surfaces are exposed:
@@ -3109,7 +3564,15 @@ interface RotatePassphraseInput {
  *         slot's id or method (anti-slot-swap guard).
  */
 declare function rotatePassphrase(store: NoydbStore, vault: string, userId: string, input: RotatePassphraseInput): Promise<UnlockedKeyring>;
-/** Caller payload for {@link recoverPassphrase}. */
+/**
+ * Caller payload for {@link recoverPassphrase}.
+ *
+ * As of #196 slice 1, `paper` and `shamir` are wired end-to-end.
+ * The remaining two profiles (`multi-channel`, `admin-mediated`)
+ * stay outside the union and throw
+ * {@link RecoveryProfileNotImplementedError} at the runtime guard
+ * when bypassed via `as unknown as RecoveryProof`.
+ */
 type RecoveryProof = {
     readonly profile: 'paper';
     readonly payload: {
@@ -3118,19 +3581,12 @@ type RecoveryProof = {
 } | {
     readonly profile: 'shamir';
     readonly payload: {
+        /** Optional disambiguator when multiple Shamir entries are enrolled.
+         *  When omitted, hub tries each entry until one combines. */
+        readonly entryId?: string;
+        /** K or more opaque share strings, as returned by `ShamirRecoveryProvider.splitToShares`. */
         readonly shares: ReadonlyArray<string>;
     };
-} | {
-    readonly profile: 'multi-channel';
-    readonly payload: {
-        readonly proofs: ReadonlyArray<unknown>;
-    };
-} | {
-    readonly profile: 'admin-mediated';
-    readonly payload: {
-        readonly token: string;
-        readonly factor?: unknown;
-    };
 };
 interface RecoverPassphraseInput {
     readonly newPassphrase: string;
@@ -3191,19 +3647,96 @@ interface RecoverPassphraseResult {
     readonly newCodes: readonly string[];
 }
 /**
- * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
- * supports the `'paper'` profile via `@noy-db/on-recovery` entries
- * persisted in `_meta/recovery-paper`. The other three profiles throw
- * {@link RecoveryProfileNotImplementedError}.
- *
- * On success, the used recovery entry is burned (deleted from the
- * stored set).
+ * Input for {@link Noydb.rotateRecovery} (#121) — deliberate
+ * recovery-credential regeneration when the user knows their
+ * passphrase but wants a fresh sheet (paper) or fresh shares
+ * (shamir). Symmetric to {@link RotatePassphraseInput}.
  */
-declare function recoverPassphrase(store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
-
-/**
- * Atomic peer-recovery primitive — issues #33 + #34.
- *
+type RotateRecoveryOptions = {
+    readonly profile: 'paper';
+    /** How many fresh codes to mint. Default: existing sheet size. */
+    readonly count?: number;
+    /** Optional code generator — see {@link RecoverPassphraseInput.codeGenerator}. */
+    readonly codeGenerator?: () => string;
+} | {
+    readonly profile: 'shamir';
+    /** New threshold. */
+    readonly k: number;
+    /** New total share count. */
+    readonly n: number;
+    /** Disambiguator when multiple Shamir entries exist; required if there are 2+. */
+    readonly entryId?: string;
+    /** Optional updated label. */
+    readonly label?: string;
+};
+/**
+ * Result of {@link Noydb.rotateRecovery}. Shape varies by profile:
+ *
+ * - `paper` → `{ newCodes: string[] }` (and `entryId === 'paper-batch'`)
+ * - `shamir` → `{ newShares: string[], entryId }`
+ *
+ * `newCodes` is populated for paper rotations; `newShares` for
+ * Shamir rotations. Both are show-once — the hub does not
+ * retain them.
+ */
+interface RotateRecoveryResult {
+    readonly newCodes?: readonly string[];
+    readonly newShares?: readonly string[];
+    readonly entryId?: string;
+}
+/**
+ * Result of {@link Noydb.enrollRecovery}. Shape varies by profile:
+ *
+ * - `paper` → `{ entryId: 'paper-batch' }` (caller minted the
+ *   entries; this is a sentinel since paper enrollments are batch-shaped).
+ * - `shamir` → `{ entryId, shares: string[] }` — shares are
+ *   show-once; the hub does not retain them.
+ */
+interface EnrollRecoveryResult {
+    readonly entryId: string;
+    readonly shares?: readonly string[];
+}
+/**
+ * Input shape for {@link Noydb.enrollRecovery} and
+ * {@link Noydb.openVaultAndEnrollRecovery} (#195). Discriminated
+ * union over recovery profiles.
+ *
+ * - `paper`: caller pre-mints entries (typically via
+ *   `mintPaperRecoveryEntry` or `@noy-db/on-recovery`'s
+ *   `generateRecoveryCodeSet`) and passes them in. The hub stores
+ *   them and surfaces an opaque batch id.
+ * - `shamir`: hub mints the recovery secret + the shares at
+ *   enrollment time. The shares are returned in
+ *   {@link EnrollRecoveryResult.shares} (show-once); the hub never
+ *   retains them.
+ *
+ * Multi-channel and admin-mediated will be added when the respective
+ * dispatch slices ship.
+ */
+type RecoveryEnrollmentInput = {
+    readonly profile: 'paper';
+    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
+} | {
+    readonly profile: 'shamir';
+    readonly k: number;
+    readonly n: number;
+    readonly label?: string;
+    readonly entryId?: string;
+};
+/**
+ * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
+ * supports the `'paper'` profile via `@noy-db/on-recovery` entries
+ * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * {@link RecoveryProfileNotImplementedError}.
+ *
+ * On success, the used recovery entry is burned (deleted from the
+ * stored set).
+ */
+declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined, store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
+
+/**
+ * Atomic peer-recovery primitive — issues #33 + #34.
+ *
  * `recoverUser` is a SEPARATE operation from `revoke + grant`. It
  * exists because peer-recovery has different semantics than account
  * removal-then-reissue:
@@ -3281,183 +3814,6 @@ interface RecoverUserOptions {
  */
 declare function recoverUser(store: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RecoverUserOptions): Promise<void>;
 
-/**
- * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
- * pattern of "serialize a DEK set, encrypt it under a credential-derived
- * AES-GCM key." Used by:
- *
- *   - **tier-0** — paper recovery entries (`_meta/recovery-paper`),
- *     credential = the printed code.
- *   - **tier-2** — password authenticator slots (`KeyringFile.authenticators`,
- *     `wrapKind: 'deks'`), credential = the daily password.
- *
- * **Not** used by `@noy-db/on-pin` — tier-3 wraps the DEK set under
- * the same conceptual pattern but at **100,000 PBKDF2 iterations**
- * (vs the 600,000 here), because the protection window for a PIN
- * slot is short (idle-timeout-bounded, typically 15 min) and 600k
- * iterations would make every PIN-resume noticeably slow. The wire
- * formats are deliberately incompatible. See `@noy-db/on-pin`'s
- * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
- * module docstring.
- *
- * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
- * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
- * `@noy-db/on-password`). Both functions did identical work — PBKDF2
- * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
- * their implementations had drifted apart enough that fixing a bug
- * in one wouldn't fix the other.
- *
- * This module owns the canonical implementation. Consumers compose:
- *
- *   - `mintPaperRecoveryEntry` is now a thin wrapper that calls
- *     `mintWrappedDeksBlob` and adds `{ codeId, enrolledAt }`.
- *   - `enrollPasswordAuthenticator` calls `mintWrappedDeksBlob` and
- *     wraps the result in the slot envelope.
- *
- * @module
- */
-/**
- * The wrap-DEKs primitive — a serialized + AES-GCM-encrypted DEK set
- * keyed under a credential-derived key.
- *
- * All three fields are base64-encoded so the blob is JSON-safe and
- * round-trips through `_meta/*` envelopes (which carry plaintext
- * JSON in `_data`).
- *
- * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
- * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
- * carries the same three fields with `salt` stored in `meta` for
- * slot-format back-compat (#44 defers moving it to top-level).
- */
-interface WrappedDeksBlob {
-    /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
-    readonly salt: string;
-    /** Base64 AES-GCM IV used for the `wrappedDeks` ciphertext. */
-    readonly iv: string;
-    /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */
-    readonly wrappedDeks: string;
-}
-/**
- * Mint a fresh `WrappedDeksBlob` from a DEK set + a string credential.
- *
- * Generates a random salt + IV, derives a 256-bit AES-GCM key via
- * PBKDF2-SHA256(credential, salt, 600K), serializes the DEK set as
- * `{ deks: { coll: rawBase64 } }`, and AES-GCM-encrypts.
- *
- * The `credential` is the user-typed string (recovery code, daily
- * password, PIN). Caller normalization rules apply (e.g. paper
- * recovery uppercase-strips the code before reaching this function).
- *
- * @param deks - DEK set to wrap. Each DEK must be exportable via
- *               `subtle.exportKey('raw', dek)` (the hub mints DEKs
- *               this way; consumers feeding non-extractable keys
- *               will get `InvalidAccessError` from WebCrypto).
- * @param credential - String input the consumer minted (paper code,
- *               password, PIN). Treated as opaque bytes by PBKDF2.
- */
-declare function mintWrappedDeksBlob(deks: Map<string, CryptoKey>, credential: string): Promise<WrappedDeksBlob>;
-/**
- * Reverse of {@link mintWrappedDeksBlob}. Re-derives the wrapping key
- * from the credential + stored salt, AES-GCM-decrypts the wrapped DEK
- * set, and re-imports each DEK as an extractable AES-GCM CryptoKey.
- *
- * Throws (AES-GCM auth tag failure) when the credential doesn't
- * match the blob. Callers iterating over multiple blobs (e.g. paper
- * recovery's "try every entry until one matches") should catch.
- */
-declare function unwrapDeksFromBlob(blob: WrappedDeksBlob, credential: string): Promise<Map<string, CryptoKey>>;
-
-/**
- * Recovery profile persistence + dispatch — issue #10.
- *
- * v0.1.0-pre.5 wires the **paper** profile end-to-end through
- * `@noy-db/on-recovery`. The other three profiles (Shamir,
- * multi-channel, admin-mediated) ship the API surface and throw
- * {@link RecoveryProfileNotImplementedError} during use; per-profile
- * dispatch lands in follow-up issues.
- *
- * Storage layout:
- *
- * ```
- * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.
- * _meta/recovery-shamir      — reserved
- * _meta/recovery-multi       — reserved
- * _meta/recovery-admin       — reserved
- * ```
- *
- * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON
- * with empty `_iv` — the recovery-code wrapping is what protects the
- * KEK; the entries themselves are inert without the user's code.
- *
- * @module
- */
-
-/**
- * One paper recovery code as persisted in `_meta/recovery-paper`.
- *
- * The hub's KEK is intentionally non-extractable (see `crypto.ts`),
- * so the recovery entry can't AES-KW-wrap the KEK directly. Instead
- * we wrap a serialized DEK set: the entry holds the AES-GCM
- * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery
- * deserializes the DEK set, then mints a fresh KEK from the new
- * passphrase and rewraps the DEKs under it.
- *
- * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick
- * resume — the cryptographic guarantee is identical (AES-GCM with a
- * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
- * constraint cleanly.
- *
- * Type-level composition (#44): `PaperRecoveryEntry extends
- * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
- * `wrappedDeks`) come from the shared primitive; `codeId` and
- * `enrolledAt` are paper-recovery's own metadata. Wire format
- * unchanged.
- */
-interface PaperRecoveryEntry extends WrappedDeksBlob {
-    readonly codeId: string;
-    readonly enrolledAt: string;
-}
-interface PaperRecoveryDoc {
-    readonly _noydb_recovery: 1;
-    readonly profile: 'paper';
-    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
-}
-/** Read the paper-recovery entries. Returns empty array when absent. */
-declare function loadPaperRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<PaperRecoveryEntry>>;
-/** Replace the paper-recovery entries (used after burn-on-recovery). */
-declare function savePaperRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<PaperRecoveryEntry>): Promise<void>;
-/** Drop a single paper-recovery entry (burn-on-use). */
-declare function burnPaperRecoveryEntry(store: NoydbStore, vault: string, codeId: string): Promise<void>;
-/** Whether at least one recovery profile has any enrolled entries. */
-declare function hasRecoveryEnrolled(store: NoydbStore, vault: string): Promise<boolean>;
-/**
- * Generate one paper-recovery entry from an unlocked DEK set.
- *
- * Returns the serializable entry (persisted via
- * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
- * DEK set, then mints a fresh KEK from the user's new passphrase.
- *
- * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
- * lives in the shared primitive; this function just adds paper-
- * recovery's own metadata (`codeId`, `enrolledAt`).
- *
- * @param deks      Map of collection-name → DEK (extractable).
- * @param code      The plaintext recovery code (caller-supplied;
- *                  pair this with `@noy-db/on-recovery`'s code
- *                  generator/parser if available).
- * @param codeId    Stable id used by `burnPaperRecoveryEntry`.
- */
-declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: string, codeId: string): Promise<PaperRecoveryEntry>;
-/**
- * Decrypt a recovery entry to recover the raw DEK set. Used by the
- * `recoverPassphrase` flow after the user's code has been parsed.
- *
- * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
- *
- * @throws when the code does not match the entry (AES-GCM auth tag fail).
- */
-declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
-
 /**
  * Public envelope — owner-curated plaintext metadata, readable
  * before vault unlock or bundle decryption.
@@ -3678,6 +4034,33 @@ interface StagedOp {
     id: string;
     record?: unknown;
     expectedVersion?: number;
+    /**
+     * Optional human-readable tag forwarded to the resulting ledger
+     * entry's `reason` field (#1). Set by callers via
+     * `tx.vault(v).collection(c).put(id, record, { reason })`.
+     */
+    reason?: string;
+}
+/**
+ * One executed op (main staged op or recursive side-effect like a
+ * derivation output) paired with the envelope captured before the write.
+ * `revertExecuted` walks this array in reverse on rollback.
+ * @internal
+ */
+interface ExecutedOp {
+    op: StagedOp;
+    priorEnvelope: EncryptedEnvelope | null;
+}
+/**
+ * Options accepted by `db.transaction({ amendment, reason }, fn)`.
+ * Only the amendment variant uses these — a plain `db.transaction(fn)`
+ * never sees this shape.
+ */
+interface AmendmentTxOptions {
+    /** Opt into amendment mode. Required to be `true`. */
+    readonly amendment: true;
+    /** Human-readable rationale recorded in the ledger entry. Required. */
+    readonly reason: string;
 }
 /**
  * Transaction handle passed to the user's body. Use
@@ -3687,10 +4070,27 @@ interface StagedOp {
 declare class TxContext {
     /** @internal */
     readonly _ops: StagedOp[];
+    /**
+     * @internal — write log built up in Phase 2. Each entry records the
+     * envelope captured BEFORE the write so a mid-batch failure can
+     * restore prior state via `revertExecuted`. Side-effect writes (e.g.
+     * recursive derivation outputs fired inside `Collection.put`) are
+     * appended here in execution order so they roll back alongside the
+     * main staged ops (#133).
+     */
+    readonly _executed: ExecutedOp[];
     /** @internal */
     readonly _db: Noydb;
+    /**
+     * @internal — true when this TxContext was opened in amendment
+     * mode. Toggles the lazy-`beginAmendment` + role-check path on first
+     * `tx.vault(name)` and unlocks the post-Phase-2 invariant + audit run.
+     */
+    readonly _amendment: boolean;
+    /** @internal — vaults that have already had `beginAmendment` called. */
+    readonly _amendmentVaults: Map<string, Vault>;
     /** @internal */
-    constructor(db: Noydb);
+    constructor(db: Noydb, amendment?: boolean);
     /** Scope subsequent `collection()` calls to the named vault. */
     vault(name: string): TxVault;
 }
@@ -3729,6 +4129,7 @@ declare class TxCollection<T> {
      */
     put(id: string, record: T, options?: {
         expectedVersion?: number;
+        reason?: string;
     }): void;
     /**
      * Stage a delete. Does not write until the transaction body returns.
@@ -3740,14 +4141,16 @@ declare class TxCollection<T> {
     }): void;
 }
 /**
- * Commit plan: pre-flight check + execution + revert plan. Returned
- * from `runTransaction`.
+ * Commit plan: pre-flight check + execution + revert plan.
  *
- * @internal — exposed only for the `Collection.putMany({atomic:true})`
- * wire-up so the bulk path can share the executor without creating
- * an outer TxContext.
+ * @internal — driven by `withTransactions()` (via `tx/active.ts`) for
+ * user-facing `db.transaction(...)` calls and by the `amendment` path
+ * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop
+ * but shares the `_activeTxContext` mechanism (and the `revertExecuted`
+ * helper) so nested side-effect derivation writes get registered for
+ * revert alongside the bulk-put source ops (#133).
  */
-declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 
 /**
  * Policy gate DSL types — issue #9.
@@ -3774,7 +4177,7 @@ declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T>
  * | `shamir` | k-of-n threshold share (`@noy-db/on-shamir`) | yes |
  * | `webauthn-roaming` | hardware key (YubiKey, SoloKey, Titan) | yes (key portable) |
  * | `webauthn-platform` | platform passkey (Touch ID, Face ID, Hello) | no (device-bound) |
- * | `password` | tier-2 daily password (`@noy-db/on-password`) | no |
+ * | `password` | tier-2 password (`@noy-db/on-password`) | no |
  * | `pin` | tier-3 quick-resume PIN (`@noy-db/on-pin`) | no |
  *
  * Off-device kinds (TOTP, email-OTP, recovery, shamir, roaming WebAuthn)
@@ -3830,7 +4233,26 @@ interface GatePolicy {
  * and use the same engine; the engine treats unknown names with no
  * configured policy as "no gate" (no-op).
  */
-type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
+type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
+/**
+ * Authorize a deliberate paper-recovery-code regeneration —
+ * `db.rotateRecovery` (#121). Symmetric to `rotate-passphrase` for
+ * the case where the user remembers their passphrase but wants a
+ * fresh sheet (lost the printout, suspect compromise of the off-site
+ * copy). PERSONAL allows tier-1; STRICT requires an off-device
+ * factor so a stolen unlocked laptop cannot silently mint a new
+ * sheet for an attacker.
+ */
+ | 'rotate-recovery'
+/**
+ * Authorize a meta-only mutation on an existing authenticator slot —
+ * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
+ * method are immutable through this gate; only the `meta` blob
+ * (nicknames, method-specific labels) can change. Anti-slot-swap
+ * guard is preserved structurally regardless of this gate's
+ * settings.
+ */
+ | 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
 /** Authorize a write to one's own user envelope (#22). */
  | 'edit-own-profile'
 /** Authorize reading other principals' user envelopes (#22). */
@@ -3844,7 +4266,16 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  * factor-proof default in `STRICT_POLICY` so the issuer must
  * affirmatively prove identity at the moment of recovery.
  */
- | 'peer-recover-user';
+ | 'peer-recover-user'
+/**
+ * Authorize a post-grant identity mutation — `db.updateUser` (#54).
+ * Covers `role`, `displayName`, `permissions` changes on an existing
+ * keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
+ * required. The role-elevation guard inside the implementation
+ * mirrors `db.grant`'s hierarchy (admin cannot promote to owner)
+ * regardless of this gate's settings.
+ */
+ | 'update-user';
 /** Either a built-in gate name or an `app:*` custom gate. */
 type GateName = BuiltInGateName | `app:${string}`;
 /**
@@ -3865,6 +4296,25 @@ interface FactorProof {
     /** Method-specific payload. The engine treats it as opaque — verification is delegated. */
     readonly payload?: unknown;
 }
+/**
+ * Bundle of factor proofs + session-context flags passed to a gated
+ * Noydb method. Used as the optional last parameter of every method
+ * that runs through `checkGate`: `db.grant`, `db.revoke`, `db.updateUser`,
+ * `db.enrollAuthenticator`, `db.removeAuthenticator`, `db.updateAuthenticator`,
+ * `db.enrollWebAuthn`, `db.rotatePassphrase`, `db.recoverPassphrase`,
+ * `db.recoverUser`, `db.enrollUnlock`, `db.describeUserAuth`,
+ * `db.describeAllUsersAuth`.
+ *
+ * Pre-#89 this type was inlined at every call site as
+ * `{ factors?: ReadonlyArray<FactorProof>; sharedDevice?: boolean }`
+ * and parameter names alternated between `factors` and `presented`.
+ * Now exported so consumers can name their helpers and so the param
+ * name converges to `factors` everywhere.
+ */
+interface FactorProofBundle {
+    readonly factors?: ReadonlyArray<FactorProof>;
+    readonly sharedDevice?: boolean;
+}
 /** Active session tier — what the engine compares against `gate.minTier`. */
 type ActiveTier = 1 | 2 | 3;
 
@@ -3886,6 +4336,14 @@ declare class Noydb {
      * `_meta/policy` load; replaced by `db.updatePolicy()`.
      */
     private readonly policyCache;
+    /**
+     * One-shot bypass for the managed-mode strong-recovery check (#195).
+     * Set true by {@link openVaultAndEnrollRecovery} for the duration of
+     * the bootstrap window so the keyring can be created before the
+     * strong recovery is enrolled. Always cleared (try/finally).
+     * @internal
+     */
+    private _skipNextManagedRecoveryCheck;
     /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
     private readonly quickUnlock;
     /**
@@ -3901,6 +4359,17 @@ declare class Noydb {
     private readonly txStrategy;
     private readonly sessionStrategy;
     private readonly syncStrategy;
+    /**
+     * Currently-running multi-record transaction, set by
+     * `runTransaction` at the start of Phase 2 (commit) and cleared in
+     * the same function's `finally` block. Side-effect writes triggered
+     * during a staged op's `Collection.put` (today: eager derivation
+     * outputs) register their pre-write envelope on `_executed` here so
+     * a mid-batch failure rolls them back alongside the main staged ops
+     * (#133). `null` outside of Phase 2.
+     * @internal
+     */
+    private _activeTxContext;
     /**
      * In-process translation cache. Key is `"${field}\x00${collection}\x00${from}\x00${to}\x00${text}"`.
      * Cleared on `close()` alongside the KEK and DEKs.
@@ -3940,21 +4409,81 @@ declare class Noydb {
     }): Promise<Vault>;
     /** Synchronous vault access (must call openVault first, or auto-opens). */
     vault(name: string): Vault;
-    /** Grant access to a user for a vault. */
-    grant(vault: string, options: GrantOptions): Promise<void>;
-    /** Revoke a user's access to a vault. */
-    revoke(vault: string, options: RevokeOptions): Promise<void>;
     /**
-     * Rotate the DEKs for the given collections in a vault.
+     * Grant access to a user for a vault.
      *
-     * Generates fresh DEKs, re-encrypts every record in each collection,
-     * and re-wraps the new DEKs into every remaining user's keyring. The
-     * old DEKs become unreachable — useful as a defense-in-depth measure
-     * after a suspected key leak, or as the scheduled half of a
-     * key-rotation policy.
+     * Gated by `enroll-user`. `STRICT_POLICY` requires a TOTP / email-OTP
+     * factor proof so the operator affirmatively re-asserts identity at
+     * the moment of grant; `PERSONAL_POLICY` accepts a tier-1 unlock alone.
      *
-     * Unlike `revoke({ rotateKeys: true })`, this call does NOT remove
-     * any users — every current member keeps access, but with fresh
+     * The legacy `requireReAuthFor: ['grant']` session-policy check still
+     * fires on top — both are independent opt-ins.
+     */
+    grant(vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Revoke a user's access to a vault.
+     *
+     * Gated by `revoke-user`. `STRICT_POLICY` requires a TOTP / email-OTP
+     * factor proof; `PERSONAL_POLICY` accepts a tier-1 unlock alone.
+     *
+     * The legacy `requireReAuthFor: ['revoke']` session-policy check still
+     * fires on top — both are independent opt-ins.
+     */
+    revoke(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Mutate post-grant identity fields on an existing keyring — `role`,
+     * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
+     * no DEK rewrap, no KEK required, no authenticator slots touched.
+     * Tier-2 enrollments and recovery codes survive.
+     *
+     * Different from `db.revoke + db.grant`:
+     *
+     *   - Same `userId`, same DEK wrappings, same `granted_by`, same
+     *     `_users/<keyringId>` envelope. Only the specified header
+     *     fields move. Last-write-wins via the standard keyring put.
+     *   - No cascade on role demotion (admins demoted to operator keep
+     *     the keyrings they previously granted; the cascade rules are
+     *     a `db.revoke` concern, not `db.updateUser`).
+     *   - Tier-2 slots NOT dropped — the wrapping is unaffected.
+     *
+     * Role-elevation guard: BOTH the old and new role must satisfy
+     * `db.grant`'s hierarchy. Owner can do anything; admin manages
+     * admin/operator/viewer/client laterally; admin cannot promote to
+     * owner OR demote from owner. The guard runs regardless of the
+     * `update-user` policy gate's settings — gates can only be more
+     * permissive than the structural floor, never less.
+     *
+     * Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
+     * factor proof so the operator affirmatively re-asserts identity at
+     * the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
+     * alone.
+     *
+     * ```ts
+     * await db.updateUser('acme', {
+     *   userId: 'bob',
+     *   role: 'operator',                 // promote
+     *   permissions: { invoices: 'rw' },
+     * }, { factors: [{ kind: 'totp' }] })
+     * ```
+     *
+     * @throws `NoAccessError` when no keyring exists for the target.
+     * @throws `PermissionDeniedError` when the role hierarchy rejects.
+     * @throws `ValidationError` when no field is provided.
+     *
+     * @see #54
+     */
+    updateUser(vault: string, options: UpdateUserOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Rotate the DEKs for the given collections in a vault.
+     *
+     * Generates fresh DEKs, re-encrypts every record in each collection,
+     * and re-wraps the new DEKs into every remaining user's keyring. The
+     * old DEKs become unreachable — useful as a defense-in-depth measure
+     * after a suspected key leak, or as the scheduled half of a
+     * key-rotation policy.
+     *
+     * Unlike `revoke({ rotateKeys: true })`, this call does NOT remove
+     * any users — every current member keeps access, but with fresh
      * keys. This is the "just rotate" path; the "revoke and rotate"
      * path still lives in `revoke()`.
      *
@@ -4076,8 +4605,17 @@ declare class Noydb {
      * ```
      */
     queryAcross<T>(vaultIds: string[], fn: (vault: Vault) => Promise<T>, options?: QueryAcrossOptions): Promise<QueryAcrossResult<T>[]>;
-    /** Change the current user's passphrase for a vault. */
-    changeSecret(vault: string, newPassphrase: string): Promise<void>;
+    /**
+     * Change the current user's passphrase for a vault.
+     *
+     * Validates the new passphrase against the strength rules. Pass
+     * `{ allowWeakPassphrase: true }` to skip — typically only useful for
+     * fixtures and migrations. Pass a `PassphrasePolicy` to override the
+     * default rules (e.g. consumer-tunable `pattern` / `customValidator`).
+     */
+    changeSecret(vault: string, newPassphrase: string, options?: PassphrasePolicy & {
+        allowWeakPassphrase?: boolean;
+    }): Promise<void>;
     /** Push local changes to remote for a vault. */
     push(vault: string, options?: PushOptions): Promise<PushResult>;
     /** Pull remote changes to local for a vault. */
@@ -4109,6 +4647,16 @@ declare class Noydb {
      * which batches push/pull across sync peers.
      */
     transaction<T>(fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+    /**
+     * Open an amendment-mode transaction. Requires `admin` or `owner`
+     * role on every vault touched by the body; throws
+     * `AmendmentForbiddenError` on first non-privileged `tx.vault(name)`
+     * call. Guard `check` callbacks are SKIPPED inside an amendment —
+     * the staged change-set is fed to each guard's `amendment.invariant`
+     * after the body returns, and the multi-record summary is appended
+     * to the vault's ledger as `op: 'amendment'`.
+     */
+    transaction<T>(options: AmendmentTxOptions, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
     /**
      * Create a sync transaction for the given vault.
      * The vault must already be open via `openVault()`.
@@ -4124,8 +4672,52 @@ declare class Noydb {
      * @internal
      */
     get _store(): NoydbStore;
+    /**
+     * Currently-running multi-record transaction, or `null` outside
+     * Phase 2. `Collection.dispatchDerivations` consults this so a
+     * recursive derived-output write inside `Collection.put` can register
+     * its envelope onto `ctx._executed` and roll back with the main
+     * staged ops on mid-batch failure (#133).
+     *
+     * @internal
+     */
+    get _activeTxContextOrNull(): TxContext | null;
+    /**
+     * Called by `runTransaction` at Phase 2 start, and by
+     * `Collection.putManyAtomic` (via `derivationSource.setActiveTxContext`)
+     * for its own Phase 2 loop. Nested or concurrent (non-nested)
+     * transactions on the same Noydb instance are NOT supported —
+     * overwriting an active context means another transaction is still
+     * running and its `_executed` list would be cross-contaminated by
+     * the nested writes. We tolerate the overwrite (best-effort, no
+     * throw) to keep the rare interleaving from breaking consumers who
+     * currently get lucky with timing, but applications should ensure
+     * their multi-record commits are serialised on a single Noydb.
+     *
+     * @internal
+     */
+    _setActiveTxContext(ctx: TxContext): void;
+    /**
+     * Factory for a transient `TxContext` bound to this Noydb. Used by
+     * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
+     * to publish an active context for the duration of its bulk-atomic
+     * Phase 2 loop, so recursive derivation-output writes register on
+     * `ctx._executed` and roll back together with the source ops (#133).
+     *
+     * @internal
+     */
+    _createTxContext(): TxContext;
+    /**
+     * Called by `runTransaction` in its `finally`. Only clears when the
+     * passed ctx matches the active one — a defensive no-op if some
+     * other code path already cleared it.
+     *
+     * @internal
+     */
+    _clearActiveTxContext(ctx: TxContext): void;
     /** Get sync status for a vault. */
     syncStatus(vault: string): SyncStatus;
+    private requireShamirProvider;
     private getSyncEngine;
     on<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
     off<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
@@ -4181,6 +4773,27 @@ declare class Noydb {
      * change is fundamentally a privilege-management action).
      */
     updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
+    /**
+     * Read the current vault-level user-directory toggle (#122). Returns
+     * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
+     * document has been persisted yet.
+     *
+     * No role gate — anyone who can open the vault can read the toggle.
+     */
+    getDirectoryEnabled(vault: string): Promise<boolean>;
+    /**
+     * Toggle the vault's user-directory listing on or off (#122).
+     * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
+     * {@link import('./errors.js').DirectoryDisabledError} for callers
+     * whose role is neither `owner` nor `admin`.
+     *
+     * Honest caveat: this is a UX flag, not a privacy guarantee. The
+     * keyring file at `_keyring/<userId>` and the envelope ciphertext at
+     * `_users/<keyringId>` remain observable to anyone with direct store
+     * read access — only the hub-level enumeration is gated. See
+     * `docs/subsystems/user-envelope.md` → "Directory visibility".
+     */
+    setDirectoryEnabled(vault: string, enabled: boolean): Promise<void>;
     /**
      * Evaluate a policy gate against the active session tier and the
      * presented factor proofs. Throws {@link PolicyDeniedError} on
@@ -4191,22 +4804,33 @@ declare class Noydb {
      *                 or app-defined (`app:*`).
      * @param presented Caller-supplied factor proofs.
      */
-    checkGate(vault: string, gate: GateName, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    checkGate(vault: string, gate: GateName, factors?: FactorProofBundle): Promise<void>;
     /** Read or persist the vault policy at `_meta/policy` on first open. */
     private bootstrapPolicy;
     /**
-     * Throw {@link RecoveryNotEnrolledError} when the developer
-     * explicitly opts into strict mandatory-recovery enforcement
-     * (`createNoydb({ requireRecovery: true })`) and no recovery
-     * entries are persisted.
+     * Throw {@link RecoveryNotEnrolledError} or
+     * {@link ManagedRecoveryNotEnrolledError} when recovery enrollment
+     * is missing.
+     *
+     * Two enforcement modes:
      *
-     * The default behavior is lenient — `recover-passphrase` is enabled
-     * in `PERSONAL_POLICY` but the hub does not block vault open on
-     * missing enrollment. v1.0 will flip the default to strict; for now,
-     * apps that want the spec-mandated check turn it on per-vault.
+     * 1. **Managed-mode mandatory strong-recovery (#195).** When
+     *    `passphraseMode === 'managed'`, the vault MUST have at least
+     *    one **strong** recovery profile (Shamir today). Paper alone is
+     *    rejected because under managed mode the user has no memorized
+     *    passphrase, so losing the paper sheet = losing every record.
+     *    This check is unconditional — independent of `requireRecovery`
+     *    and the `recover-passphrase` gate.
+     *
+     * 2. **Opt-in strict mandatory-recovery.** When
+     *    `requireRecovery: true` is set on createNoydb (and the gate is
+     *    not explicitly disabled), require ANY recovery profile (paper
+     *    or shamir). This is the v0.x default-off behavior; v1.0 may
+     *    flip it default-on.
+     *
+     * The managed-mode check fires from {@link bootstrapPolicy} unless
+     * the `skipManagedCheck` flag is set (used by
+     * {@link openVaultAndEnrollRecovery} to allow atomic create-and-enroll).
      */
     private assertRecoveryEnrolled;
     /**
@@ -4227,21 +4851,44 @@ declare class Noydb {
      * Gated by `enroll-authenticator`; `presented` carries any factor
      * proofs the active policy demands.
      */
-    enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Remove a tier-2 authenticator slot. Idempotent — removing a
      * non-existent slot is a successful no-op. Gated by
      * `remove-authenticator`.
      */
-    removeAuthenticator(vault: string, slotId: string, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
     /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
     listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
+    /**
+     * Mutate the `meta` blob on an existing authenticator slot — slot
+     * rename, label change, attachment of UI hints. The slot's `id`,
+     * `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
+     * are immutable through this method. Anti-slot-swap is structural,
+     * not gate-driven.
+     *
+     * `meta` patch semantics (#57-aligned):
+     *   - Top-level merge — absent keys preserved
+     *   - `null` value — delete that meta key
+     *   - Other values — replace verbatim
+     *
+     * Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
+     * Touch ID" disambiguation in admin UIs. The slot id (auto-derived
+     * from credentialId prefix) is not human-friendly; `meta.nickname`
+     * is.
+     *
+     * Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
+     * alone (matches enroll/remove). STRICT_POLICY: tier-1 +
+     * TOTP/email-OTP factor proof — a malicious rename on a shared
+     * workstation could mislead the user about which device a slot
+     * corresponds to, so STRICT requires fresh factor binding.
+     *
+     * @throws `NoAccessError` when no slot with the given id exists.
+     * @throws `ValidationError` when no patch field is provided.
+     *
+     * @see #55
+     */
+    updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Native WebAuthn enrollment using the **real** internal keyring (#16).
      *
@@ -4289,10 +4936,7 @@ declare class Noydb {
      *
      * @see #16
      */
-    enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<{
+    enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
         credentialId: string;
     }>;
     /**
@@ -4353,15 +4997,9 @@ declare class Noydb {
      * disabled). Sanitization is allowlist-based — never renders cred
      * ids, password hashes, secrets, or any field outside the allowlist.
      */
-    describeUserAuth(vault: string, userId: string, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<string>;
+    describeUserAuth(vault: string, userId: string, factors?: FactorProofBundle): Promise<string>;
     /** Bulk variant for owner dashboards. Gated by `view-user-auth`. */
-    describeAllUsersAuth(vault: string, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<Array<{
+    describeAllUsersAuth(vault: string, factors?: FactorProofBundle): Promise<Array<{
         userId: string;
         description: string;
     }>>;
@@ -4379,10 +5017,7 @@ declare class Noydb {
      * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
      * @throws `InvalidKeyError` when `oldPassphrase` is wrong.
      */
-    rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
     /**
      * Reset the passphrase using a recovery proof (user forgot the old).
      * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
@@ -4390,10 +5025,124 @@ declare class Noydb {
      *
      * Burns the used recovery entry on success.
      */
-    recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<RecoverPassphraseResult>;
+    recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
+    /**
+     * Deliberate paper-recovery-code regeneration (#121). User knows their
+     * passphrase but wants a fresh sheet — they lost the printout or
+     * suspect compromise of the off-site copy.
+     *
+     * Symmetric to {@link rotatePassphrase} for the recovery profile:
+     * gated, audit-trackable, ergonomic. Replaces (not appends) the
+     * paper sheet under `_meta/recovery-paper` in a single envelope `put`.
+     *
+     * Gated by the `rotate-recovery` policy gate:
+     *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
+     *     suffices, matching the pre-#121 low-level flow's bar.
+     *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
+     *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
+     *     off-site-trust event; require an off-device factor so a
+     *     stolen unlocked laptop cannot silently mint a sheet for the
+     *     attacker.
+     *
+     * Defaults `count` to the existing sheet size so consumers aren't
+     * surprised by a different code count. Explicit `count` overrides.
+     *
+     * @throws {@link RecoveryProfileNotImplementedError} when `profile`
+     *         is anything other than `'paper'` (v1 dispatch limit).
+     * @throws {@link PolicyDeniedError} when the gate denies (missing
+     *         factor, tier mismatch, ...).
+     * @throws on missing paper sheet — "nothing to rotate" surfaces as
+     *         an error rather than silently minting an entire new sheet.
+     *
+     * @example Default count + show-once UI
+     * ```ts
+     * const { newCodes } = await db.rotateRecovery('acme', { profile: 'paper' })
+     * showCodesToUser(newCodes)
+     * ```
+     *
+     * @example STRICT-policy site with TOTP factor proof
+     * ```ts
+     * await db.rotateRecovery(
+     *   'acme',
+     *   { profile: 'paper', count: 10 },
+     *   { factors: [{ kind: 'totp', proof: '123456' }] },
+     * )
+     * ```
+     */
+    rotateRecovery(vault: string, options: RotateRecoveryOptions, factors?: FactorProofBundle): Promise<RotateRecoveryResult>;
+    private rotateRecoveryPaper;
+    private rotateRecoveryShamir;
+    /**
+     * **Atomic create-and-enroll for managed-mode vaults (#195).**
+     *
+     * Bootstraps a managed-mode vault and enrolls strong recovery in
+     * a single ceremony. Under `passphraseMode: 'managed'`, every
+     * `openVault` call requires a strong recovery profile (Shamir
+     * today) to be enrolled — otherwise it throws
+     * {@link ManagedRecoveryNotEnrolledError}. This method bypasses
+     * the check temporarily so the keyring can be created, enrolls
+     * the supplied recovery profile(s), then returns the vault.
+     *
+     * For Shamir enrollments, the show-once share strings come back
+     * in `recoveryEnrollments[i].shares`. The hub never retains them
+     * — the caller MUST display them to the user (once) before any
+     * subsequent operation.
+     *
+     * Paper alone is NOT a strong profile under managed mode; passing
+     * `{ profile: 'paper', ... }` without an accompanying shamir entry
+     * is rejected at validation time.
+     *
+     * ```ts
+     * const db = await createNoydb({
+     *   store, user: 'alice',
+     *   passphraseMode: 'managed',
+     *   sealingKey: macosKeychainSealingProvider({ ... }),
+     * })
+     *
+     * const { vault, recoveryEnrollments } = await db.openVaultAndEnrollRecovery('acme', {
+     *   recovery: [{ profile: 'shamir', k: 2, n: 3 }],
+     * })
+     * for (const r of recoveryEnrollments) {
+     *   if (r.shares) showSharesToUser(r.shares)  // ONCE
+     * }
+     * ```
+     *
+     * @throws ValidationError if recovery is empty, or contains no
+     *   strong profile under managed mode.
+     */
+    openVaultAndEnrollRecovery(vault: string, opts: {
+        readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>;
+        readonly locale?: string;
+    }): Promise<{
+        readonly vault: Vault;
+        readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
+    }>;
+    /**
+     * **Recovery flow under managed-passphrase mode (#195).**
+     *
+     * Replaces the sealed passphrase of a managed-mode vault with a
+     * fresh 256-bit random, sealed under the configured
+     * `SealingKeyProvider`. The user never sees the new passphrase.
+     *
+     * Internally:
+     *   1. Verify the recovery proof (Shamir today) and unwrap the
+     *      DEK set.
+     *   2. Mint a fresh 256-bit random as the new effective passphrase.
+     *   3. Rewrap the DEK set under a fresh KEK derived from the new
+     *      passphrase (via the existing `recoverPassphrase` path).
+     *   4. Seal the random bytes under the provider and overwrite
+     *      `_meta/sealed-passphrase`.
+     *   5. Drop the keyring cache so the next operation re-derives.
+     *
+     * The vault's strong-recovery enrollment is preserved across
+     * recovery (Shamir entries are not burned on use — see #196).
+     *
+     * @throws ValidationError if the Noydb instance is not in managed mode.
+     */
+    recoverManagedPassphrase(vault: string, options: {
+        readonly recoveryProof: RecoveryProof;
+        readonly passphrasePolicy?: PassphrasePolicy;
+    }): Promise<void>;
     /**
      * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
      * a fresh temp passphrase in a single store write. Closes #34's
@@ -4437,10 +5186,7 @@ declare class Noydb {
      *
      * @see #33 #34 — the issues this method closes.
      */
-    recoverUser(vault: string, options: RecoverUserOptions, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
      * profile.
@@ -4472,13 +5218,11 @@ declare class Noydb {
      * await db.enrollRecovery('acme', { profile: 'paper', entries })
      * ```
      */
-    enrollRecovery(vault: string, enrollment: {
-        profile: 'paper';
-        entries: ReadonlyArray<PaperRecoveryEntry>;
-    }): Promise<void>;
-    /** Read the persisted paper-recovery entries. Used by `describeAuthConfig` (#13). */
+    enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
+    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
     listRecoveryEntries(vault: string): Promise<{
         paper: ReadonlyArray<PaperRecoveryEntry>;
+        shamir: ReadonlyArray<ShamirRecoveryEntry>;
     }>;
     /**
      * Register a tier-3 quick-unlock state for the vault. The state is
@@ -4489,10 +5233,7 @@ declare class Noydb {
      * Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
      * because tier-3 is a single-slot rolling secret).
      */
-    enrollUnlock(vault: string, state: QuickUnlockState, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    enrollUnlock(vault: string, state: QuickUnlockState, factors?: FactorProofBundle): Promise<void>;
     /**
      * Resume a session via the registered tier-3 state. The verifier is
      * `@noy-db/on-pin/resumePin` (or compatible). On success, mark the
@@ -4508,8 +5249,17 @@ declare class Noydb {
     /**
      * Public accessor for the unlocked keyring of a vault — issue #28.
      *
-     * Returns the cached `UnlockedKeyring` (already in memory after
-     * `createNoydb` + first vault touch); loads it on demand if absent.
+     * Returns a **defensive shallow copy** so consumers can read the DEK
+     * map and authenticator list without the risk of mutating the hub's
+     * internal cache (#88). Internal hub code paths use a live reference
+     * via `getKeyringInternal`; ceremonies and external consumers always
+     * get a snapshot.
+     *
+     * The CryptoKey values inside `deks` are not cloned — Web Crypto
+     * keys are opaque handles, and a shared handle is intentional
+     * (encrypt / decrypt go through the same key the cache holds).
+     * Only the container Map / authenticator array is fresh.
+     *
      * Used by `@noy-db/on-*` ceremonies that need the live DEK set
      * (paper recovery via {@link mintPaperRecoveryEntry}, tier-3 PIN
      * enrolment via on-pin's `enrollPin`, custom on-* ceremonies that
@@ -4524,11 +5274,19 @@ declare class Noydb {
      * ```ts
      * const keyring = await db.getKeyring('acme')
      * // keyring.deks: Map<collection, CryptoKey>
-     * // keyring.kek:  CryptoKey   (non-extractable; null for tier-3 sessions)
+     * // keyring.kek:  CryptoKey | null   (null for tier-3 / wrap-DEKs sessions)
      * // keyring.role / .permissions / .authenticators
      * ```
      */
     getKeyring(vault: string): Promise<UnlockedKeyring>;
+    /**
+     * Live-reference variant used by the hub's own code paths. Internal
+     * mutations on `deks` (e.g. {@link ensureCollectionDEK} adding a
+     * collection key) need to land on the cached keyring so subsequent
+     * accesses see them. Not exposed publicly — callers outside hub
+     * should use {@link getKeyring}, which returns a defensive copy.
+     */
+    private getKeyringInternal;
 }
 /** Create a new NOYDB instance. */
 declare function createNoydb(options: NoydbOptions): Promise<Noydb>;
@@ -4607,18 +5365,771 @@ interface IssueDelegationOptions {
  */
 declare function issueDelegation(store: NoydbStore, vault: string, grantor: UnlockedKeyring, targetKek: CryptoKey | null, delegationsDek: CryptoKey, opts: IssueDelegationOptions): Promise<DelegationToken>;
 /**
- * Enumerate every live (non-expired) delegation addressed to `toUser`
- * and merge the unwrapped tier DEKs into their keyring. Returns the
- * list of merged delegations so the caller can register per-access
- * audit context.
+ * Enumerate every live (non-expired) delegation addressed to `toUser`
+ * and merge the unwrapped tier DEKs into their keyring. Returns the
+ * list of merged delegations so the caller can register per-access
+ * audit context.
+ */
+declare function loadActiveDelegations(store: NoydbStore, vault: string, user: UnlockedKeyring, delegationsDek: CryptoKey, now?: Date): Promise<DelegationToken[]>;
+/**
+ * Revoke a delegation by id — the caller resolves the envelope and
+ * issues a `delete`. Provided as a stable helper so the naming is
+ * symmetric to `issueDelegation`.
+ */
+declare function revokeDelegation(store: NoydbStore, vault: string, id: string): Promise<void>;
+
+/**
+ * Minimum read surface exposed to guard `check` functions. Intentionally
+ * narrow — guards can read other collections but never write.
+ *
+ * `query()` returns the same chainable builder used elsewhere. `Query<T>`
+ * has no write terminals (no `.update()` / `.delete()`) so exposing it
+ * here preserves the read-only contract while letting guards aggregate
+ * with `.where().aggregate()` / `.groupBy()` / `.join()` instead of
+ * decrypting every sibling row via `.list()`.
+ */
+interface ReadOnlyVaultFacade$1 {
+    collection<T = unknown>(name: string): {
+        get(id: string): Promise<T | null>;
+        list(): Promise<T[]>;
+        query(): Query<T>;
+    };
+}
+/**
+ * Runtime context passed to `check` and `invariant` callbacks.
+ * `existing` is the currently-persisted record (null for inserts).
+ */
+interface GuardContext<T> {
+    existing: T | null;
+    vault: ReadOnlyVaultFacade$1;
+    userId: string;
+    role: Role;
+}
+/**
+ * One {before, after} pair handed to an `invariant` function. `before`
+ * is null for inserts; `after` reflects the proposed post-commit record.
+ */
+interface GuardChange<T> {
+    before: T | null;
+    after: T;
+}
+/** @internal — output of {@link withGuard}. */
+interface GuardStrategyHandle<T extends Record<string, unknown>> {
+    readonly __noydb_strategy: 'guard';
+    readonly spec: GuardStrategy<T>;
+}
+/**
+ * Existential erasure of `GuardStrategyHandle<T>` — used as the
+ * element type of `ReadonlyArray<>` fields where the per-handle T
+ * differs (e.g. `guardStrategies: [invoiceGuard, disbursementGuard]`).
+ *
+ * Background: `GuardStrategyHandle<T>` is INVARIANT in T because T
+ * appears in callback positions on the spec (`check(incoming: T, ctx)`,
+ * `invariant(changes: ReadonlyArray<GuardChange<T>>, ctx)`). So
+ * `Handle<Invoice>` is not assignable to `Handle<Record<string, unknown>>`.
+ * A bounded existential ("there exists some T satisfying the constraint
+ * such that this is a Handle<T>") is the right shape; TypeScript has
+ * no first-class existentials, so we fake it with a structurally narrow
+ * interface that ERASES T from both the discriminant and the spec.
+ *
+ * Consumers continue to construct typed handles via `withGuard<T>(...)`
+ * which returns `GuardStrategyHandle<T>`. Both `Handle<Invoice>` and
+ * `Handle<Disbursement>` structurally assign to `GuardStrategyHandleAny`,
+ * so an array of them is `GuardStrategyHandleAny[]`.
+ *
+ * Internal code that needs T re-narrows via the runtime discriminant
+ * (`__noydb_strategy === 'guard'`) plus per-handle type information
+ * carried by the registry.
+ *
+ * NOT exported from the public barrel — keeping this internal
+ * discourages consumers from constructing it directly. Used only as
+ * the array-element type on `Vault` / `NoydbOptions.guardStrategies`.
+ *
+ * @internal
+ */
+interface GuardStrategyHandleAny {
+    readonly __noydb_strategy: 'guard';
+    readonly spec: GuardStrategy<any>;
+}
+/** Public registration shape. See `withGuard()`. */
+interface GuardStrategy<T extends Record<string, unknown>> {
+    collection: string;
+    /**
+     * Fires on `Collection.put` (insert + update). The `incoming` argument
+     * is the record being written. Throw to cancel the put.
+     *
+     * Does NOT fire on `Collection.delete` — use {@link onDelete} for
+     * delete-time validation. Skipped during an amendment transaction
+     * (`db.transaction({ amendment: true })`) — admin/owner override.
+     */
+    check?: (incoming: T, ctx: GuardContext<T>) => Promise<void> | void;
+    /**
+     * Fires on user-initiated `Collection.delete` before the adapter
+     * delete and before the ledger append. The `existing` argument is
+     * the currently-persisted record. Throw to cancel the delete — no
+     * partial state, no tombstone ledger entry.
+     *
+     * Skipped during an amendment transaction (admin/owner override) —
+     * amendments are the unlock primitive. To make a delete TRULY
+     * unconditional (e.g. legal-document immutability rules), pair
+     * `onDelete` with an `amendment.invariant` that re-throws on any
+     * `before !== null && after === null` change:
+     *
+     * ```ts
+     * withGuard<Receipt>({
+     *   collection: 'receipts',
+     *   onDelete: () => { throw new RecordLockedError(...) },
+     *   amendment: {
+     *     roles: ['admin', 'owner'],
+     *     invariant: (changes) => {
+     *       for (const c of changes) {
+     *         if (c.before !== null && c.after === null) {
+     *           throw new RecordLockedError(...) // wrapped as InvariantError
+     *         }
+     *       }
+     *     },
+     *   },
+     * })
+     * ```
+     *
+     * Also skipped on system-internal deletes (derivation tombstones from
+     * #144, MV refresh from Dim 14 v2) — those use `_internalDelete`
+     * which bypasses every user-facing delete hook. Housekeeping ops are
+     * NOT user-initiated and should not trip user invariants.
+     *
+     * Delete of an absent record is a no-op and does not consult any
+     * guard, matching the idempotent-delete contract.
+     */
+    onDelete?: (existing: T, ctx: GuardContext<T>) => Promise<void> | void;
+    frozenFields?: {
+        when: (existing: T) => boolean;
+        fields: ReadonlyArray<keyof T>;
+    };
+    amendment?: {
+        roles: ReadonlyArray<'admin' | 'owner'>;
+        invariant: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+    };
+}
+
+/**
+ * Runtime context handed to `derive(source, ctx)`. Mirrors `GuardContext`'s
+ * narrow shape: read-only vault access, no write capability, no
+ * transaction handle. Determinism is the consumer's responsibility — the
+ * strategy hash includes `derive.toString()`, so the source string fixes
+ * the function's inputs; whatever sibling reads `derive` performs must
+ * yield the same outputs for the same source.
+ */
+interface DerivationContext {
+    vault: ReadOnlyVaultFacade$1;
+}
+/**
+ * Metadata that travels inside the `_data` payload of a derived record.
+ * Lives in encrypted payload, not in the unencrypted envelope — the
+ * storage backend cannot infer the derivation graph from listing.
+ */
+interface DerivedFromMeta {
+    /** Source collection name. */
+    readonly source: string;
+    /** Source record id. */
+    readonly sourceId: string;
+    /** `_v` of the source at derivation time. */
+    readonly sourceVersion: number;
+    /** ISO timestamp when this output was derived. */
+    readonly derivedAt: string;
+    /**
+     * SHA-256 of (source + outputs map keys + derive function source).
+     * Changes when the strategy changes → forces `vault.deriveAll` to
+     * recompute on next visit.
+     */
+    readonly strategyHash: string;
+}
+/** Record-shape output — one source row produces (optionally) one output row at the source's id. */
+interface RecordOutputSpec {
+    shape: 'record';
+    collection: string;
+    /**
+     * When `true`, the `derive` function may return `null` (or
+     * `undefined`) for this output key. The executor interprets that as
+     * "no output for this invocation": a previously-emitted output at
+     * the same id is deleted (mirroring the empty-group / empty-aggregate
+     * semantics flagged in #142); a never-emitted output is a silent
+     * no-op. When `false` (default), returning `null` throws
+     * `DerivationOutputShapeError` — same as v1.
+     */
+    optional?: boolean;
+}
+/**
+ * Array-shape output (#200) — one source row produces a variable-length
+ * list of output rows, each with its own id (from the `key` extractor).
+ *
+ * On every source-row change, the dispatcher diffs the previously
+ * emitted key set against the new one: removed keys are deleted via
+ * `_internalDelete`, new and unchanged keys are upserted via
+ * `Collection.put`. Strict-mode rollback is preserved via the existing
+ * `_executed` tracking.
+ *
+ * Storage of the per-source-row key set lives at
+ * `_meta/derivations-fanout/<source>/<sourceId>/<outputKey>` as a
+ * plain JSON sidecar — keeps dispatch cost O(1) per source row.
+ *
+ * **Slice 1 limitation**: only `lifecycle: 'eager'` is supported.
+ * Registering an array-shape output with `lifecycle: 'lazy'` throws
+ * at `withDerivation` construction time.
+ */
+interface ArrayOutputSpec {
+    shape: 'array';
+    collection: string;
+    /**
+     * Stable identity extractor for each derived row. Called on every
+     * row returned by `derive`. The string MUST be unique within a
+     * single invocation — duplicate keys throw
+     * `DerivationOutputShapeError`.
+     *
+     * Type is intentionally `(out: Record<string, unknown>) => string`
+     * (not generic) because OutputSpec is type-erased at the registry
+     * level. Strategy-level inference still produces typed `out`
+     * through the strategy's `outputs` map.
+     */
+    key: (output: Record<string, unknown>) => string;
+    /**
+     * Cap on derived rows per source-row invocation. Defaults to 64.
+     * Raise for carry-forward cases (e.g. monthly expansion of
+     * multi-year contracts). Exceeding the cap throws
+     * `DerivationCapExceededError` BEFORE any writes — partial fanout
+     * is never persisted.
+     */
+    maxFanout?: number;
+}
+/** Discriminated union — record + array. */
+type OutputSpec = RecordOutputSpec | ArrayOutputSpec;
+/**
+ * Registration shape passed to `withDerivation()`.
+ *
+ * @typeParam TSource - the source record type
+ * @typeParam TOutputs - map of output-key → output record type
+ */
+interface DerivationStrategy<TSource extends Record<string, unknown>, TOutputs extends Record<string, Record<string, unknown>>> {
+    /** Source collection name. */
+    source: string;
+    /** v1: only deterministic derivations supported. */
+    deterministic: true;
+    /**
+     * Output declarations keyed by name. The `derive` function's return
+     * value must have the same keys.
+     */
+    outputs: {
+        [K in keyof TOutputs]: OutputSpec;
+    };
+    /**
+     * Pure function from source to outputs. Runs on plaintext, after DEK
+     * unwrap. Returns a map of named outputs. Each output is encrypted +
+     * stored via the existing `Collection.put` pipeline.
+     *
+     * `ctx.vault` is the same `ReadOnlyVaultFacade` guards see — fetch
+     * sibling records via `ctx.vault.collection<T>(name).get(id)` /
+     * `.list()` / `.query()`. The vault accessor is read-only; there is
+     * no path to a writer from `ctx`.
+     */
+    derive: (source: TSource, ctx: DerivationContext) => Promise<TOutputs> | TOutputs;
+    /**
+     * `'eager'` runs `derive` synchronously inside the source-write
+     * transaction. `'lazy'` marks outputs stale on source-change and
+     * derives on first read.
+     */
+    lifecycle: 'eager' | 'lazy' | {
+        mode: 'eager' | 'lazy';
+        maxDepth?: number;
+    };
+    /**
+     * `true` = any output failure rolls back the source write (only with
+     * `withTransactions`). `false` = isolate per-output failure, log,
+     * continue. Default `false`.
+     */
+    strict?: boolean;
+}
+/** Returned by `withDerivation()` and consumed by `createNoydb`. */
+interface DerivationStrategyHandle {
+    readonly __noydb_strategy: 'derivation';
+    readonly spec: DerivationStrategy<any, any>;
+}
+
+interface RegisteredStrategy {
+    spec: DerivationStrategy<any, any>;
+    strategyHash: string;
+}
+/**
+ * Vault-internal registry of derivation strategies. Owned by `Vault`;
+ * not exported.
+ *
+ * @internal
+ */
+declare class DerivationRegistry {
+    private readonly _bySource;
+    private readonly _byOutput;
+    register(spec: DerivationStrategy<any, any>): Promise<void>;
+    strategiesForSource(source: string): ReadonlyArray<RegisteredStrategy>;
+    strategiesProducingOutput(collection: string): ReadonlyArray<RegisteredStrategy>;
+    /**
+     * Cycle detection over the source → output → … graph. Call after all
+     * `register()` calls complete (i.e. at vault open). Throws
+     * `DerivationCycleError` on the first cycle found.
+     */
+    validate(): void;
+}
+
+/**
+ * Minimal vault-shaped accessor passed to the MV `query()` callback.
+ * Defined as a structural interface so the strategy types don't have
+ * to import the full `Vault` class (avoids a circular import). The
+ * Vault implements this shape natively.
+ */
+interface MVQueryContext {
+    collection<T extends Record<string, unknown>>(name: string): Collection<T>;
+}
+/**
+ * Metadata that travels inside the `_data` payload of a materialized
+ * row. Lives in encrypted payload, not in the unencrypted envelope —
+ * the storage backend cannot infer the MV graph from listing.
+ *
+ * Extends the `_derivedFrom` precedent from v1: same encryption shape,
+ * same "metadata-inside-data" location.
+ */
+interface MaterializedFromMeta {
+    /** Stable identity for the MV that emitted this row. */
+    readonly mvName: string;
+    /**
+     * SHA-256 of (mvName + canonical query plan + dependency-set).
+     * Changes when the query structure changes → forces refresh on
+     * next visit (parallels v1's `strategyHash`).
+     */
+    readonly queryHash: string;
+    /**
+     * Map from source collection name → `_v` of the source row(s) that
+     * contributed to this MV row at materialization time. For aggregates
+     * over many rows, this is `max(_v)` per source collection — coarse
+     * but sufficient for stale detection.
+     */
+    readonly sourceVersions: Record<string, number>;
+    /** ISO timestamp when this row was materialized. */
+    readonly materializedAt: string;
+}
+/** Output routing for an MV. Optional — when omitted, writes to a collection named after `name`. */
+interface MaterializedViewOutput {
+    /** Output collection name. Defaults to `name`. */
+    collection?: string;
+    /**
+     * For same-collection-as-source MVs — see § Same-collection partition
+     * discriminator in the v2 spec. The cycle detector resolves the
+     * same-collection edge IFF the query has a where-clause that
+     * provably excludes `partition.value` (supports `==` against a
+     * different value, `!=` against the value, and `in` lists that
+     * don't contain it). Naïve same-collection MVs without a disjoint
+     * clause throw `MaterializedViewCycleError` at vault open.
+     */
+    partition?: {
+        field: string;
+        value: unknown;
+    };
+}
+/**
+ * One arm of a UNION materialized view. Reads rows from `collection`,
+ * then maps each into the MV's row shape via `map`.
+ *
+ * The per-source `map` is the schema-unification boundary — sibling
+ * collections can have different schemas, and `map` is where they
+ * meet the MV's row type. The hub does NOT compare schemas across
+ * arms; consumer responsibility is that every arm's `map` returns
+ * the same shape (the strategy's `TRow` type parameter enforces this
+ * at compile time).
+ */
+interface UnionSource<TRow extends Record<string, unknown>> {
+    /** Source collection name. Must exist in the vault. */
+    readonly collection: string;
+    /**
+     * Pure function from a source row to the unified MV row shape.
+     * Called once per source row at materialization time. Each arm's
+     * mapped output is concatenated into a single stream before
+     * `groupBy` + `aggregate` run.
+     */
+    readonly map: (sourceRow: Record<string, unknown>) => TRow;
+}
+/**
+ * Registration shape passed to `withMaterializedView()`.
+ *
+ * @typeParam TRow - the materialized row type (the query's result row)
+ */
+interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
+    /**
+     * Stable identity for this view. Used as the output collection name
+     * unless `output.collection` overrides. Must be unique within the vault.
+     */
+    name: string;
+    /**
+     * Declared query (single-source mode). Called at registration time
+     * with a vault-shaped accessor so the closure can compose collections
+     * without pre-existing in-scope references; called again at each
+     * refresh.
+     *
+     * Built via the same `Query<T>` chainable builder used elsewhere —
+     * `.where()`, `.join()`, `.groupBy()`, `.aggregate()`. The
+     * dependency analyzer walks the returned plan to determine source
+     * collections.
+     *
+     * Mutually exclusive with {@link unionSources}: a strategy must
+     * declare exactly one of `query` (single-source) or `unionSources`
+     * (multi-source UNION). Registration throws
+     * `MaterializedViewConfigError` if both are set or neither is set.
+     */
+    query?: (db: MVQueryContext) => Query<TRow>;
+    /**
+     * UNION-form sources (#165): an explicit list of sibling collections
+     * that contribute rows to a single MV. Each arm's `map` projects a
+     * source row into the MV's unified row shape; the mapped streams are
+     * concatenated, then {@link groupBy} + {@link aggregate} run on the
+     * combined output.
+     *
+     * Mutually exclusive with {@link query}. Registration throws
+     * `MaterializedViewConfigError` if both are set, if `unionSources`
+     * has fewer than 2 arms, or if two arms name the same `collection`.
+     *
+     * UNION mode replaces the dependency-analyzer path: the source
+     * collections come directly from `unionSources[].collection`, and
+     * {@link sources} is ignored.
+     */
+    unionSources?: ReadonlyArray<UnionSource<TRow>>;
+    /**
+     * Group-key field(s) for UNION mode (#165). Applied to the
+     * concatenated mapped-row stream from {@link unionSources} before
+     * {@link aggregate} runs. Accepts a single field name or a tuple of
+     * field names for multi-key grouping (same shape as
+     * `Query.groupBy(...fields)`).
+     *
+     * UNION-mode only. Ignored if {@link query} is set — single-source
+     * grouping is expressed inside the `Query<T>` returned from `query()`
+     * via `.groupBy(...).aggregate(...)`.
+     */
+    groupBy?: string | ReadonlyArray<string>;
+    /**
+     * Aggregation spec for UNION mode (#165). Applied per-group after
+     * {@link groupBy} buckets the concatenated mapped-row stream from
+     * {@link unionSources}. Same shape as the `AggregateSpec` passed to
+     * `Query.aggregate()`.
+     *
+     * UNION-mode only. Ignored if {@link query} is set.
+     */
+    aggregate?: AggregateSpec;
+    /**
+     * Pure function from a materialized row → stable id used in the
+     * output collection. Required — explicit always beats default-with-pitfalls
+     * (see niwat-review of #149 round 1 for the slash-collision rationale).
+     */
+    rowKey: (row: TRow) => string;
+    /**
+     * Explicit source collections (#152). Required when `query()` returns
+     * an `Aggregation` or `GroupedAggregation` rather than a `Query<T>`
+     * — the dependency analyzer can't introspect through `groupBy().aggregate()`
+     * back to the source. Optional for plain `Query<T>` results — the
+     * analyzer extracts dependencies automatically from the query plan.
+     *
+     * When set, takes precedence over auto-analysis.
+     */
+    sources?: ReadonlyArray<string>;
+    /**
+     * Declared deterministic predicates (#153). Each entry pairs a
+     * consumer-stable `hash` with a function. The `query()` callback's
+     * Query<T> can invoke them via `.wherePredicate(name, ctx?)`. The
+     * predicate's `hash` + a canonical-JSON hash of `ctx` both fold
+     * into `queryHash` — bumping either forces refresh on next visit.
+     *
+     * Consumer responsibility: bump `hash` when the function's semantics
+     * change. Failing to bump after a non-equivalent change leaves
+     * stale rows around until the next explicit refresh.
+     */
+    predicates?: {
+        [name: string]: {
+            hash: string;
+            fn: (row: TRow, ctx?: unknown) => boolean;
+        };
+    };
+    /**
+     * Refresh policy.
+     *
+     * - `'eager'` — re-materialize synchronously inside the source-write
+     *   transaction (composes with `withTransactions` for strict-mode
+     *   rollback).
+     * - `'lazy'` — mark stale on source-change; materialize on first
+     *   read of the MV.
+     * - `'manual'` — only materializes when `vault.refreshView(name)` is
+     *   called. Useful for very expensive MVs or time-dependent queries
+     *   whose `ctx` changes externally.
+     */
+    refresh: 'eager' | 'lazy' | 'manual';
+    /** Output routing. Optional; defaults to writing the collection named after `name`. */
+    output?: MaterializedViewOutput;
+    /**
+     * What to do when a re-materialization produces zero rows for a key
+     * that previously had rows.
+     *
+     * - `'delete'` (default) — tombstone the prior MV row via
+     *   `Collection._internalDelete` (system housekeeping bypasses user
+     *   `onDelete` guards on the output collection — see PR #148's
+     *   composition fix).
+     * - `'keep'` — leave the prior MV row in place. Useful when zero
+     *   is a meaningful state.
+     */
+    onEmpty?: 'delete' | 'keep';
+    /**
+     * `true` re-throws on any row-write failure → composes with
+     * `withTransactions` to roll back the source-write atomically via
+     * `revertExecuted` (#133). Default `false` (failed rows are
+     * isolated; other rows commit).
+     */
+    strict?: boolean;
+    /**
+     * Row-count ceiling for the materialized output. Throws
+     * `MaterializedViewTooLargeError` before any writes when exceeded
+     * — keeps the rollback clean. Default `100_000`; override per-MV
+     * when the domain warrants it.
+     */
+    maxRows?: number;
+}
+/** Returned by `withMaterializedView()` and consumed by `createNoydb`. */
+interface MaterializedViewStrategyHandle {
+    readonly __noydb_strategy: 'materialized-view';
+    readonly spec: MaterializedViewStrategy<any>;
+}
+
+/**
+ * One registered MV strategy alongside its derived metadata. Stored
+ * type-erased on `TRow` so the registry can hold heterogeneous MVs.
+ */
+interface RegisteredMV {
+    readonly spec: MaterializedViewStrategy<any>;
+    /** Output collection name (`spec.output?.collection ?? spec.name`). */
+    readonly outputCollection: string;
+    /** Set of source collections; populated at registration via the analyzer. */
+    readonly dependencies: ReadonlySet<string>;
+    /** Canonical `queryHash` — `_materializedFrom.queryHash` for every emitted row. */
+    readonly queryHash: string;
+    /**
+     * Top-level FieldClauses on the partition field, captured at
+     * registration time. Used by the cycle detector to resolve
+     * same-collection-as-source edges via the partition-discriminator
+     * check (#152). Empty when `spec.output?.partition` is undefined.
+     */
+    readonly partitionClauses: readonly FieldClause[];
+}
+/**
+ * Vault-internal registry of MV strategies. Owned by `Vault`; not
+ * exported. Parallel to v1's `DerivationRegistry`; the two graphs share
+ * a single cycle-detection pass at vault open (see `validate`).
+ *
+ * @internal
+ */
+declare class MaterializedViewRegistry {
+    /** Keyed by `spec.name`. */
+    private readonly _byName;
+    /** Keyed by dependency source-collection → MVs that depend on it. */
+    private readonly _bySource;
+    /**
+     * Register an MV. Invokes `spec.query()` once at registration time to
+     * read the plan + join context; the resulting `Query<T>` is discarded
+     * after dependency extraction. `vault.collection(...)` must therefore
+     * be functional by the time this runs — typically wired from
+     * `Vault._initMaterializedViews` after collection bootstrap.
+     *
+     * Throws `MaterializedViewSourceUnknownError` if the analyzer
+     * surfaces a dependency the vault doesn't know about (when a
+     * `knownCollections` checker is supplied).
+     */
+    register(spec: MaterializedViewStrategy<any>, db: MVQueryContext, options?: {
+        knownCollections?: (name: string) => boolean;
+    }): Promise<void>;
+    /** All MVs that depend on `source`, in registration order. */
+    mvsForSource(source: string): ReadonlyArray<RegisteredMV>;
+    /** Single MV by name, or `undefined`. */
+    byName(name: string): RegisteredMV | undefined;
+    /** Iterate over every registered MV. */
+    all(): ReadonlyArray<RegisteredMV>;
+    /**
+     * Cycle detection over the combined derivation + MV graph. Edges:
+     *   - Derivation: derivation.source → output.collection (each output)
+     *   - MV: every dep in MV.dependencies → MV.outputCollection
+     *
+     * Throws `MaterializedViewCycleError` if the cycle's terminal node
+     * is an MV output collection; otherwise (a pure-derivation cycle)
+     * the caller's `DerivationRegistry.validate()` will surface
+     * `DerivationCycleError` separately at vault open.
+     *
+     * Call AFTER all `register()` calls complete.
+     */
+    validate(derivationRegistry?: DerivationRegistry | null): void;
+}
+
+/**
+ * Read-shadow overlay primitive (#154, MV v2 spec § Composition with
+ * operator-editable lifecycle). Binds an MV's read-only base output
+ * to a separate user-writable overlay collection; reads merge via a
+ * single shadow predicate, writes route to the overlay.
+ *
+ * v2 ships the read-shadow variant only — arbitrary `mergePolicy`
+ * callbacks are deferred to v3.
+ */
+interface OverlayedViewStrategy {
+    /**
+     * Virtual collection name. `vault.collection(name)` returns a
+     * proxy that merges `base` and `overlay` per the shadow rule.
+     * Writes to the proxy route to the `overlay` collection. The name
+     * must be unique within the vault — collisions with MV outputs or
+     * concrete source collections throw `OverlayNameCollisionError` at
+     * vault open.
+     */
+    name: string;
+    /**
+     * The collection providing the default rows. Typically an MV's
+     * output collection. Must be a CONCRETE collection (a real source
+     * or an MV output) — not itself another overlay's virtual name.
+     * Multi-overlay stacking is a v3 non-goal; the constraint is
+     * enforced at vault open via `OverlayBaseIsVirtualError`.
+     */
+    base: string;
+    /**
+     * User-writable collection that carries overrides. Must be a real,
+     * vault-known collection that is NOT an MV-output collection. The
+     * overlay's `withGuard` / `withDerivation` registrations apply to
+     * direct writes; the virtual layer's `put(record)` also flows
+     * through the overlay's normal write pipeline.
+     */
+    overlay: string;
+    /**
+     * Single-field shadow predicate. When `overlay[shadowField] ===
+     * shadowValue` for a given id, virtual-collection reads of that id
+     * return the overlay row; otherwise reads return the base row.
+     *
+     * Niwat's canonical example: `dataStatus === 'override'` flips a
+     * row into operator-controlled mode.
+     *
+     * No callback merge, no priority lattice, no field-level merge —
+     * v2 stays explicitly narrow.
+     */
+    shadowField: string;
+    shadowValue: unknown;
+}
+/** Returned by `withOverlayedView()` and consumed by `createNoydb`. */
+interface OverlayedViewStrategyHandle {
+    readonly __noydb_strategy: 'overlayed-view';
+    readonly spec: OverlayedViewStrategy;
+}
+
+/**
+ * Vault-internal registry of overlay strategies. Resolves the base
+ * MV's `rowKey` lazily so virtual-collection writes can derive ids
+ * from the row.
+ *
+ * @internal
+ */
+declare class OverlayedViewRegistry {
+    private readonly _byName;
+    /**
+     * Register an overlay. Validates name uniqueness, base concreteness,
+     * and overlay availability AGAINST the MV registry — overlays
+     * declared without the MV registry context skip cross-registry
+     * checks but still validate self-consistency.
+     */
+    register(spec: OverlayedViewStrategy, options: {
+        isOverlayName?: (name: string) => boolean;
+        isMVOutput?: (name: string) => boolean;
+        isKnownCollection?: (name: string) => boolean;
+    }): void;
+    byName(name: string): OverlayedViewStrategy | undefined;
+    /** All overlay virtual names. */
+    names(): ReadonlySet<string>;
+    isOverlay(name: string): boolean;
+    /**
+     * Resolve the `rowKey` function for an overlay's base MV. Returns
+     * `undefined` if the base isn't an MV (raw source collection) or
+     * if the MV registry isn't supplied. Used by the virtual-collection
+     * proxy to derive ids from `put(record)` calls.
+     */
+    resolveBaseRowKey(name: string, mvRegistry: MaterializedViewRegistry | null): ((row: Record<string, unknown>) => string) | undefined;
+}
+
+/**
+ * Vault-internal singleton that holds the guard graph and dispatches
+ * per-collection guard execution. Owned by `Vault`; not exported.
+ *
+ * @internal
  */
-declare function loadActiveDelegations(store: NoydbStore, vault: string, user: UnlockedKeyring, delegationsDek: CryptoKey, now?: Date): Promise<DelegationToken[]>;
+type AnyGuard = GuardStrategy<Record<string, unknown>>;
+type AnyChange = GuardChange<Record<string, unknown>>;
+declare class GuardRegistry {
+    private readonly _byCollection;
+    private _amendmentChanges;
+    private _amendmentMeta;
+    /** Register a guard. Multiple guards per collection are allowed. */
+    register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void;
+    /** All guards registered against `collection` in registration order. */
+    guardsFor(collection: string): ReadonlyArray<AnyGuard>;
+    /**
+     * Run every guard's `check` for this collection. First throw wins —
+     * remaining guards are not invoked. Guards without a `check` skip.
+     */
+    runChecks<T>(collection: string, incoming: T, ctx: GuardContext<T>): Promise<void>;
+    /**
+     * Run every guard's `onDelete` for this collection. First throw wins —
+     * remaining guards are not invoked. Guards without an `onDelete` skip.
+     * Mirrors {@link runChecks} but for the delete path.
+     */
+    runOnDelete<T>(collection: string, existing: T, ctx: GuardContext<T>): Promise<void>;
+    /** True if any guard for `collection` declares an `amendment` block. */
+    hasAmendment(collection: string): boolean;
+    /** Open a new amendment change-collection window. */
+    beginAmendment(): void;
+    /** True iff we're currently inside an amendment transaction. */
+    isAmendmentActive(): boolean;
+    /**
+     * Record a {before, after} pair for the active amendment. `vBefore`
+     * and `vAfter` are stored in a parallel meta structure so the public
+     * {@link GuardChange} shape handed to invariant callbacks stays
+     * `{ before, after }` only — the audit ledger reads version metadata
+     * via {@link consumeMeta}.
+     */
+    collectChange<T>(collection: string, id: string, before: T | null, after: T, vBefore?: number, vAfter?: number): void;
+    /**
+     * Drain the change-set and close the amendment window. The caller
+     * (transaction commit) feeds these to each affected guard's invariant.
+     */
+    consumeChanges(): ReadonlyMap<string, ReadonlyArray<AnyChange>>;
+    /**
+     * Drain the parallel id/version metadata captured during the
+     * amendment. Returned as a flat list with `collection` denormalised
+     * so the audit ledger can emit one `{ collection, id, vBefore,
+     * vAfter }` tuple per record. Must be called AFTER
+     * {@link consumeChanges} (or independently) — calling it closes the
+     * meta window in the same way.
+     */
+    consumeMeta(): ReadonlyArray<{
+        collection: string;
+        id: string;
+        vBefore: number;
+        vAfter: number;
+    }>;
+}
+
 /**
- * Revoke a delegation by id — the caller resolves the envelope and
- * issues a `delete`. Provided as a stable helper so the naming is
- * symmetric to `issueDelegation`.
+ * Minimal read-only wrapper over a `Vault`. Used as `ctx.vault` inside
+ * guard callbacks so they can fetch related records without acquiring
+ * any write capability.
  */
-declare function revokeDelegation(store: NoydbStore, vault: string, id: string): Promise<void>;
+declare class ReadOnlyVaultFacade implements ReadOnlyVaultFacade$1 {
+    private readonly _vault;
+    constructor(vault: Vault);
+    collection<T = unknown>(name: string): {
+        get(id: string): Promise<T | null>;
+        list(): Promise<T[]>;
+        query(): Query<T>;
+    };
+}
 
 /**
  * `vault.exportBlobs()` — bulk blob extraction primitive.
@@ -4994,6 +6505,50 @@ declare function magicLinkGrantRecordId(token: string, index: number): string;
  */
 declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: Date): boolean;
 
+/**
+ * Type surface for the user-list visibility subsystem (#122).
+ *
+ * Two complementary flags:
+ *  - {@link DirectoryConfig} — vault-level "is the directory listing
+ *    enabled at all?" toggle. Owner-only mutation.
+ *  - {@link UserVisibility} — per-user "hide me from teammate listings"
+ *    opt-out. Self-mutation via `vault.user.setMyVisibility`.
+ *
+ * Both flags live in the existing `_meta` collection as plaintext-bypass
+ * sidecars (`_iv: ''`). Neither is a security boundary — the keyring
+ * file is still observable at `_keyring/*` and the envelope ciphertext
+ * is still at `_users/*` to anyone with direct store read access. The
+ * flags exist to keep admin-UI listings tidy, not to hide principals
+ * from a determined attacker.
+ *
+ * @see docs/subsystems/user-envelope.md → Directory visibility
+ *
+ * @module
+ */
+/**
+ * Vault-level directory toggle. Persisted at `_meta/directory`.
+ *
+ * - `enabled: true` (default when no document exists) — every authenticated
+ *   caller can enumerate users via `listUsersWithEnvelopes`.
+ * - `enabled: false` — only `owner` and `admin` callers can enumerate;
+ *   anyone else gets {@link import('../errors.js').DirectoryDisabledError}.
+ */
+interface DirectoryConfig {
+    readonly enabled: boolean;
+}
+/**
+ * Per-user visibility flag. Persisted at `_meta/visibility/<keyringId>`.
+ *
+ * - `hidden: false` (default when no document exists) — the user shows up
+ *   in `listUsersWithEnvelopes` like any other principal.
+ * - `hidden: true` — the user is filtered out of the default listing.
+ *   `owner`/`admin` callers can still see them by passing
+ *   `{ includeHidden: true }`.
+ */
+interface UserVisibility {
+    readonly hidden: boolean;
+}
+
 /**
  * Public `vault.user.*` API surface.
  *
@@ -5020,6 +6575,24 @@ declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: D
 type DeepPartial<T> = T extends object ? {
     [P in keyof T]?: DeepPartial<T[P]>;
 } : T;
+/**
+ * Recursive partial with `null` allowed at every level — used by
+ * `updateMe` (#57) to express deletion intent in addition to merge.
+ *
+ * Semantics inside `updateMe`:
+ *   - `undefined` (or absent key) — skip; source value preserved
+ *   - `null` — delete the key from the resulting envelope
+ *   - any other value — overwrite (deep-merge for plain objects,
+ *     replace for primitives / arrays)
+ *
+ * Matches lodash `_.merge` behavior on `null` and Firestore's
+ * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
+ * #57; consumers wanting the original "merge-only" surface can keep
+ * importing `DeepPartial` and avoid passing `null`.
+ */
+type DeepPartialOrNull<T> = T extends object ? {
+    [P in keyof T]?: DeepPartialOrNull<T[P]> | null;
+} : T;
 /** Cancel a previously-registered subscription. */
 type Unsubscribe = () => void;
 /**
@@ -5086,11 +6659,22 @@ declare class UserApi {
      * the envelope on first call. Optimistic-concurrency safe — a stale
      * `_v` (parallel writer on another device) throws `ConflictError`.
      *
+     * Patch semantics (#57):
+     *   - `undefined` (or omitted key) — skip; existing value preserved
+     *   - `null` — delete the field from the merged result
+     *   - any other value — overwrite (deep-merge for plain objects,
+     *     replace for primitives / arrays)
+     *
+     * To clear a field, pass `null` rather than `undefined`. Callers
+     * with shape `T = string | null` where `null` is a meaningful value
+     * should use `setMe` for that specific field instead — `null` here
+     * always means delete.
+     *
      * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
      * Pass `presented` to satisfy tightened policies that require a
      * factor proof (e.g. STRICT_POLICY's TOTP requirement).
      */
-    updateMe<T extends object = Record<string, unknown>>(patch: DeepPartial<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
+    updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
     /**
      * Replace the writer's own envelope with `payload`. Use sparingly —
      * `updateMe` is the canonical mutation. No `expectedVersion` check;
@@ -5099,6 +6683,30 @@ declare class UserApi {
      * Gated by `edit-own-profile`. See `updateMe` for `presented` usage.
      */
     setMe<T = unknown>(payload: T, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
+    /**
+     * Read the current user's visibility flag from
+     * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
+     * document has been persisted (the default-visible case).
+     */
+    getMyVisibility(): Promise<UserVisibility>;
+    /**
+     * Update the current user's visibility in the team directory.
+     *
+     * - `hidden: true` — opt out of the default `listUsersWithEnvelopes`
+     *   listing. `owner`/`admin` callers can still see the user by passing
+     *   `{ includeHidden: true }`.
+     * - `hidden: false` — opt back in.
+     *
+     * Own-only by construction: the keyringId argument doesn't exist on
+     * this method, so no caller can hide or unhide another principal.
+     *
+     * Honest caveat: this is a UX flag, not a privacy guarantee. The
+     * envelope ciphertext at `_users/<keyringId>` and the keyring file at
+     * `_keyring/<userId>` are both still observable to anyone with direct
+     * store read access. See `docs/subsystems/user-envelope.md` →
+     * "Directory visibility".
+     */
+    setMyVisibility(visibility: UserVisibility): Promise<void>;
     /**
      * Read another principal's envelope by their keyringId. Returns null
      * if the principal exists but has no envelope yet, or if the
@@ -5158,6 +6766,159 @@ declare class UserApi {
     private fireChange;
 }
 
+/**
+ * Persisted-schema envelope shape.
+ *
+ * Stored encrypted under `_schemas/<collection>` with the same DEK as the
+ * collection's records. Auditors who can unlock the collection's data can
+ * also read its schema; nothing more.
+ *
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+ *
+ * @module
+ */
+/** Family of Standard Schema v1 validator the persisted snapshot was derived from. */
+type PersistedSchemaKind = 'Zod' | 'Valibot' | 'ArkType' | 'Effect' | 'Unknown';
+/**
+ * Plaintext payload encrypted into the `_data` field of the
+ * `_schemas/<collection>` envelope. The wrapper `EncryptedEnvelope` adds
+ * `_noydb`, `_v`, `_ts`, `_iv`, `_data` per the standard noy-db record
+ * format.
+ */
+interface PersistedSchemaEnvelope {
+    readonly _noydb_schema: 1;
+    /** Detected validator family. */
+    readonly kind: PersistedSchemaKind;
+    /**
+     * JSON Schema (Draft 2020-12) derived from the validator. Null when
+     * derivation isn't yet supported for `kind`; in that case `reason` is
+     * populated.
+     */
+    readonly jsonSchema: object | null;
+    /** SHA-256 (hex) of the canonicalised JSON Schema, or null when unavailable. */
+    readonly hash: string | null;
+    /** Human-readable reason when `jsonSchema` is null. */
+    readonly reason?: string;
+    /** ISO-8601 timestamp of the most recent derivation write. */
+    readonly derivedAt: string;
+}
+
+/**
+ * Types for {@link VaultSchemaSnapshot} — the structured object returned
+ * by `vault.dumpSchema()`. Consumed by the upcoming `noydb describe`
+ * CLI to emit human-readable YAML/JSON audit output.
+ *
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+ *
+ * @module
+ */
+
+/** Where the field-level info in the snapshot came from. */
+type FieldSource = 'persisted' | 'live-validator' | 'sampled' | 'unknown';
+interface FieldDescriptor {
+    /** Inferred type tag: 'string' | 'number' | 'boolean' | 'enum' | 'object' | 'array' | 'null' | 'opaque'. */
+    readonly type: string;
+    /** Where this field info was sourced from. */
+    readonly source: FieldSource;
+    /** Optional constraints — minLength, maxLength, enum values, gt, etc. */
+    readonly constraints?: Record<string, unknown>;
+    /** True when the schema marks this field optional. */
+    readonly optional?: boolean;
+    /** Foreign-key target as `<collection>.<field>` when declared. */
+    readonly references?: string;
+}
+interface CollectionStats {
+    readonly records: number;
+    readonly bytes: number;
+    readonly bytesAvg: number;
+    readonly bytesMin: number;
+    readonly bytesMax: number;
+    /** ISO-8601 from min(_ts) across envelopes. Empty string when no records. */
+    readonly oldest: string;
+    /** ISO-8601 from max(_ts) across envelopes. Empty string when no records. */
+    readonly newest: string;
+}
+interface CollectionDescriptor {
+    readonly fields: Record<string, FieldDescriptor>;
+    readonly indexes: ReadonlyArray<{
+        readonly fields: ReadonlyArray<string>;
+        readonly unique?: boolean;
+    }>;
+    readonly refs: Record<string, {
+        readonly target: string;
+        readonly mode: 'strict' | 'warn' | 'cascade';
+    }>;
+    readonly validator?: {
+        readonly kind: PersistedSchemaKind;
+        readonly source: 'persisted' | 'live-validator';
+    };
+    readonly stats?: CollectionStats;
+}
+interface MaterializedViewDescriptor {
+    readonly sources: ReadonlyArray<string>;
+    readonly groupBy?: ReadonlyArray<string>;
+    readonly aggregate?: Record<string, string>;
+    readonly refresh: string;
+    readonly stats?: CollectionStats;
+}
+interface OverlayViewDescriptor {
+    readonly base: string;
+    readonly overlay: string;
+}
+interface DerivationDescriptor {
+    readonly source: string;
+    readonly outputs: ReadonlyArray<string>;
+}
+interface InternalCollectionStats {
+    readonly records: number;
+    readonly bytes: number;
+}
+interface VaultSchemaSnapshot {
+    readonly _noydb_snapshot: 1;
+    readonly vault: string;
+    readonly emittedAt: string;
+    readonly subsystems: Record<string, boolean>;
+    readonly aclRoles?: ReadonlyArray<string>;
+    readonly collections: Record<string, CollectionDescriptor>;
+    readonly materializedViews: Record<string, MaterializedViewDescriptor>;
+    readonly overlayViews: Record<string, OverlayViewDescriptor>;
+    readonly derivations: Record<string, DerivationDescriptor>;
+    /** Only present when `dumpSchema({ withStats: true })` was called. */
+    readonly internal?: Record<string, InternalCollectionStats>;
+}
+interface DumpSchemaOptions {
+    /** When true, walk every collection's envelopes to compute counters. Default `false`. */
+    readonly withStats?: boolean;
+    /** Sample N records per collection lacking a persisted/live schema. Default 50. `0` disables sampling. */
+    readonly sampleSize?: number;
+}
+
+/**
+ * Orchestrate the structural walk of a Vault, producing a
+ * {@link VaultSchemaSnapshot}. Called from `Vault.dumpSchema()`.
+ *
+ * @module
+ */
+
+/**
+ * The minimal slice of Vault internal state the walker needs.
+ * Exposed via `vault._introspectState()` to keep the public Vault
+ * surface narrow.
+ *
+ * @internal
+ */
+interface VaultIntrospectState {
+    readonly name: string;
+    readonly adapter: NoydbStore;
+    readonly collectionCache: Map<string, Collection<unknown>>;
+    readonly refRegistry: RefRegistry;
+    readonly getDEK: (collectionName: string) => Promise<CryptoKey>;
+    readonly subsystems: Record<string, boolean>;
+    readonly mvRegistry: unknown;
+    readonly overlayRegistry: unknown;
+    readonly derivationRegistry: unknown;
+}
+
 /** A vault (tenant namespace) containing collections. */
 declare class Vault {
     private readonly adapter;
@@ -5200,6 +6961,40 @@ declare class Vault {
     private readonly historyStrategy;
     private readonly i18nStrategy;
     private readonly syncStrategy;
+    /**
+     * Per-vault guard registry. `null` until `_initGuards()` runs; stays
+     * `null` for vaults that never register any guard strategy. The
+     * runtime class is dynamic-imported on demand so consumers that
+     * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
+     * their bundle (#130).
+     */
+    private guardRegistry;
+    /**
+     * Per-vault derivation registry. Same lazy-load contract as
+     * `guardRegistry` — `null` until `_initDerivations()` runs with at
+     * least one strategy handle. See #130 for the bundle motivation.
+     */
+    private derivationRegistry;
+    /**
+     * Per-vault materialized-view registry (#143/#150). Same lazy-load
+     * contract as `derivationRegistry` — `null` until
+     * `_initMaterializedViews()` runs with at least one MV handle.
+     */
+    private materializedViewRegistry;
+    /**
+     * Per-vault overlay registry (#154). Same lazy-load contract as
+     * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
+     * runs with at least one handle.
+     */
+    private overlayedViewRegistry;
+    /**
+     * Cached read-only facade handed to guard callbacks via `ctx.vault`,
+     * and to derivation callbacks via `derive(source, ctx)`. Allocated
+     * eagerly inside `_initGuards()` and/or `_initDerivations()` so read
+     * accessors stay synchronous (callers in `tx/transaction.ts` rely on
+     * that). Stays `null` for vaults with neither subsystem configured.
+     */
+    private readOnlyFacade;
     private getDEK;
     /**
      * Per-principal user envelope API.
@@ -5247,6 +7042,16 @@ declare class Vault {
      * docstring.
      */
     private ledgerStore;
+    /**
+     * Background writes for persisted-schema envelopes (#schema-dump v0
+     * slice 1). One promise per `collection({ persistJsonSchema: true })`
+     * registration that actually fired a derive call. Fire-and-forget
+     * from the collection factory; tests await
+     * {@link _drainPendingSchemaWrites} before asserting on storage.
+     * Production code does not need to drain — the writes are
+     * idempotent fingerprints, not correctness invariants.
+     */
+    private _pendingSchemaWrites;
     /**
      * Per-vault foreign-key reference registry. Collections
      * register their `refs` option here on construction; the
@@ -5358,6 +7163,7 @@ declare class Vault {
         historyStrategy?: HistoryStrategy | undefined;
         i18nStrategy?: I18nStrategy | undefined;
         syncStrategy?: SyncStrategy | undefined;
+        guardStrategies?: ReadonlyArray<GuardStrategyHandleAny> | undefined;
     });
     /**
      * Construct (or reconstruct) the lazy DEK resolver. Captures the
@@ -5430,7 +7236,26 @@ declare class Vault {
         tiers?: readonly number[];
         /**  — how lower-tier reads see above-tier records. */
         tierMode?: TierMode;
+        /**
+         * Opt-in persisted JSON Schema. When `true` AND a Zod `schema` is
+         * provided, hub derives a JSON Schema via `zod-to-json-schema`
+         * (optional peer-dep) and writes an encrypted snapshot to
+         * `_schemas/<collectionName>`. Re-runs on every open; hash-skip
+         * avoids write churn when the schema is unchanged.
+         *
+         * Default: `false`. Non-Zod Standard Schema validators receive a
+         * stub envelope flagging the kind without a JSON Schema body.
+         *
+         * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+         */
+        persistJsonSchema?: boolean;
     }): Collection<T>;
+    /**
+     * Await all background persisted-schema writes triggered by
+     * `collection({ persistJsonSchema: true })` calls on this vault.
+     * Used in tests; production code does not need to call this.
+     */
+    _drainPendingSchemaWrites(): Promise<void>;
     /**
      * Validate i18nText fields on a `put()`. Called by Collection just
      * before the adapter write, after schema validation. Throws
@@ -5720,6 +7545,124 @@ declare class Vault {
      * throws on null; this one stays silent so the off-path no-ops.
      */
     private getLedgerOrNull;
+    /**
+     * @internal — called by `Noydb.openVault` after construction.
+     * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
+     * the registry with the supplied strategy handles. No-op when the
+     * handles array is empty — keeps the guard subsystem out of the
+     * floor bundle for consumers that don't use guards (#130).
+     *
+     * The read-only facade is eagerly instantiated here so the sync
+     * accessor `_getReadOnlyFacade()` (called from the tx amendment
+     * runner) stays synchronous.
+     */
+    _initGuards(handles: ReadonlyArray<GuardStrategyHandleAny>): Promise<void>;
+    /**
+     * @internal — Collection.put calls into this. Returns `null` for
+     * vaults that never registered any guard strategy. Callers MUST
+     * gate on null (the existing `if (this.guardSource)` branches in
+     * `Collection` already do this transitively).
+     */
+    _getGuardRegistry(): GuardRegistry | null;
+    /**
+     * @internal — called by `Noydb.openVault` after construction.
+     * Dynamic-imports `DerivationRegistry` and registers the supplied
+     * derivation strategies (async because `strategyHash` computation
+     * goes through `crypto.subtle.digest`). No-op when the handles
+     * array is empty — keeps the derivation subsystem out of the floor
+     * bundle for consumers that don't use derivations (#130). Throws
+     * `DerivationCycleError` if a cycle is detected after registration.
+     */
+    _initDerivations(handles: ReadonlyArray<DerivationStrategyHandle>): Promise<void>;
+    /**
+     * @internal — consumed by `Collection.put` at write-time. Returns
+     * `null` for vaults that never registered any derivation strategy.
+     */
+    _getDerivationRegistry(): DerivationRegistry | null;
+    /**
+     * @internal — called by `Noydb.openVault` after collections are
+     * wired. Dynamic-imports `MaterializedViewRegistry`, registers each
+     * MV spec (which invokes its `query()` once for dependency
+     * analysis), then runs the unified cycle detection across the MV +
+     * derivation graphs. No-op when the handles array is empty — keeps
+     * the MV subsystem out of the floor bundle (mirrors v1 #130).
+     * Throws `MaterializedViewCycleError` if a cycle is detected.
+     */
+    _initMaterializedViews(handles: ReadonlyArray<MaterializedViewStrategyHandle>): Promise<void>;
+    /**
+     * @internal — consumed by `Collection.put` at write-time. Returns
+     * `null` for vaults that never registered any MV strategy.
+     */
+    _getMaterializedViewRegistry(): MaterializedViewRegistry | null;
+    /**
+     * @internal — called by `Noydb.openVault` after MVs are wired.
+     * Dynamic-imports `OverlayedViewRegistry`, registers each spec,
+     * validates against the MV registry for name/base/overlay collisions.
+     * Throws on validation failure.
+     */
+    _initOverlayedViews(handles: ReadonlyArray<OverlayedViewStrategyHandle>): Promise<void>;
+    /**
+     * @internal — consumed by `Vault.collection()`. Returns `null` for
+     * vaults with no overlays registered.
+     */
+    _getOverlayedViewRegistry(): OverlayedViewRegistry | null;
+    /**
+     * Manual re-materialize for a single registered MV (#151). Useful
+     * for `refresh: 'manual'` MVs (whose consumer drives refreshes
+     * externally), for stale-bit recovery on vault re-open, and as the
+     * explicit bulk-recompute escape hatch after a strategy change.
+     *
+     * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
+     * foundation + this sub-issue — tombstoning lands in #152.
+     *
+     * Throws if `name` is not a registered MV.
+     */
+    refreshView(name: string): Promise<{
+        written: number;
+        deleted: number;
+        failed: number;
+    }>;
+    /**
+     * Re-derive every record in the named source collection. Useful
+     * after a strategy change to bring previously-derived records
+     * up-to-date.
+     *
+     * Sequential in v1; parallelisation deferred to v2.
+     */
+    deriveAll(sourceCollection: string): Promise<{
+        derived: number;
+        failed: number;
+    }>;
+    /**
+     * @internal — exposed for `runTransaction({ amendment: true })` so
+     * the amendment invariant runner can pass the SAME read-only vault
+     * facade that the per-record `Collection.put` guard hook uses
+     * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
+     * `_initGuards()` so this accessor stays synchronous; returns
+     * `null` for vaults that never registered any guard (amendments
+     * require at least one guard, so the caller should never see null).
+     */
+    _getReadOnlyFacade(): ReadOnlyVaultFacade | null;
+    /**
+     * Internal lazy-allocator for the read-only facade. Used by the
+     * per-collection `guardSource.readOnlyVault` callback when guards
+     * ARE configured but `_initGuards()` raced with the first guard
+     * invocation (theoretically impossible — `Noydb.openVault` awaits
+     * `_initGuards` before returning — but we keep the defensive lazy
+     * path so the closure's contract stays "always returns a facade").
+     */
+    private _ensureReadOnlyFacade;
+    /**
+     * @internal — exposed for `runTransaction({ amendment: true })`
+     * to append the structured `op: 'amendment'` audit entry without
+     * dragging this private accessor onto the public surface or
+     * forcing the tx executor to depend on the history-strategy
+     * shape directly. Returns `null` when no history strategy is
+     * configured, in which case the amendment commits silently
+     * (the records still write through; only the multi-record
+     * audit summary is skipped).
+     */
+    _getLedgerOrNull(): LedgerStore | null;
     /**
      * Return a read-only view of this vault as it existed at
      * `timestamp`. Time-machine queries are reconstructed from the
@@ -5923,6 +7866,34 @@ declare class Vault {
     private _decryptPeriodRecord;
     /** List all collection names in this vault. */
     collections(): Promise<string[]>;
+    /**
+     * Emit a structured introspection snapshot of this vault — vault name,
+     * subsystem opt-in matrix, collections + their fields, materialized
+     * views, overlay views, derivations. With `withStats: true`, walks
+     * every collection's envelopes to compute record counts, byte totals,
+     * and oldest/newest timestamps.
+     *
+     * Consumed by the `noydb describe` CLI to produce human-readable
+     * audit YAML/JSON from a `.noydb` bundle.
+     *
+     * Field provenance:
+     *   - `persisted`: read from `_schemas/<col>` envelope (Route B opt-in)
+     *   - `live-validator`: derived in-process from a Zod schema attached
+     *     to the live `Collection`
+     *   - `sampled`: inferred from decrypted records (deferred to a follow-up)
+     *   - `unknown`: no schema info available
+     *
+     * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+     */
+    dumpSchema(opts?: DumpSchemaOptions): Promise<VaultSchemaSnapshot>;
+    /**
+     * Internal accessor for {@link dumpVaultSchema}. Exposes the structural
+     * state the walker needs (collection cache, registries, ref registry,
+     * adapter) without widening the public Vault surface.
+     *
+     * @internal
+     */
+    _introspectState(): VaultIntrospectState;
     /**
      * Return the stable opaque bundle handle for this vault,
      * generating and persisting a fresh ULID on first call.
@@ -6590,6 +8561,34 @@ declare class Collection<T> {
      * adapter on first use.
      */
     private readonly periodGuard;
+    /**
+     * Optional back-reference to the owning vault's guard registry + a
+     * read-only vault facade. When present, `Collection.put` and
+     * `Collection.delete` consult the registry for guards declared
+     * against this collection and run their `check` + `frozenFields`
+     * before the adapter write. Absent in unit tests that construct
+     * a Collection directly; production code always sets it via
+     * `Vault.collection()`.
+     *
+     * Typed structurally rather than as `Vault` to avoid a circular
+     * import (mirrors the `refEnforcer` / `joinResolver` pattern).
+     */
+    private readonly guardSource;
+    /**
+     * Vault-internal hook for derivation dispatch. When set,
+     * `Collection.put` consults the registry after the source-write
+     * commits and writes derived outputs through `getCollection(name).put`.
+     * Same structural-interface pattern as `guardSource` to avoid a
+     * circular Vault import.
+     */
+    private readonly derivationSource;
+    /**
+     * Vault-internal hook for materialized-view dispatch (#143/#150).
+     * Parallel to `derivationSource` — when set, `Collection.put` fires
+     * `MaterializedViewRegistry.onSourceWrite` after the source-write
+     * commits + after `dispatchDerivations` has run.
+     */
+    private readonly materializedViewSource;
     /**
      * Optional back-reference to the owning compartment's ref
      * enforcer. When present, `Collection.put` calls
@@ -6843,6 +8842,63 @@ declare class Collection<T> {
             ts: string | null;
             record: Record<string, unknown> | null;
         } | null, incoming: Record<string, unknown> | null) => Promise<void>;
+        /**
+         * Optional back-reference to the owning vault's guard registry +
+         * read-only facade. When present, put/delete consult registered
+         * guards for this collection. Same structural-interface pattern
+         * as `refEnforcer` to avoid a circular Vault import.
+         */
+        guardSource?: {
+            registry(): GuardRegistry;
+            readOnlyVault(): ReadOnlyVaultFacade$1;
+        } | undefined;
+        /**
+         * Optional back-reference to the owning vault's derivation
+         * registry + collection accessor. When present, successful
+         * `put()` dispatches registered derivation strategies for the
+         * source collection. Same structural-interface pattern as
+         * `guardSource` to avoid a circular Vault import.
+         */
+        derivationSource?: {
+            registry(): DerivationRegistry;
+            getCollection(name: string): Collection<Record<string, unknown>>;
+            /**
+             * Read-only vault facade handed to `derive(source, ctx)` so a
+             * derivation can fetch sibling records (#147). Same shape and
+             * instance the guards subsystem uses for `check(incoming, ctx)`.
+             */
+            getReadOnlyFacade(): ReadOnlyVaultFacade$1;
+            /**
+             * Read access to the owning Noydb's currently-active multi-record
+             * transaction context, or `null` when no transaction is running.
+             * `dispatchDerivations` consults this so a recursive derived-output
+             * write can register its pre-write envelope onto `ctx._executed`
+             * and roll back alongside the source op on mid-batch failure (#133).
+             */
+            getActiveTxContext(): TxContext | null;
+            /**
+             * Construct a transient TxContext bound to the owning Noydb. Used
+             * by `Collection.putManyAtomic` to publish an active context for
+             * its Phase 2 loop (#133).
+             */
+            createTxContext(): TxContext;
+            /** Publish a TxContext for the duration of a bulk-atomic loop. */
+            setActiveTxContext(ctx: TxContext): void;
+            /** Drop a previously-published TxContext. */
+            clearActiveTxContext(ctx: TxContext): void;
+        } | undefined;
+        /**
+         * Vault-internal hook for materialized-view dispatch (#143/#150).
+         * Parallel to `derivationSource`. When set, `Collection.put` fires
+         * registered MV `onSourceWrite` after the standard derivation
+         * dispatch.
+         */
+        materializedViewSource?: {
+            registry(): MaterializedViewRegistry;
+            getCollection(name: string): Collection<any>;
+            getActiveTxContext(): TxContext | null;
+            getQueryContext(): MVQueryContext;
+        } | undefined;
     });
     /**
      * Return the Standard Schema validator attached to this collection,
@@ -6893,10 +8949,109 @@ declare class Collection<T> {
         staleMs?: number;
         pollIntervalMs?: number;
     }): PresenceHandle<P>;
-    /** Create or update a record. */
-    put(id: string, record: T): Promise<void>;
+    /**
+     * Create or update a record.
+     *
+     * @param id      Record identifier.
+     * @param record  The record body (validated by the collection's schema
+     *                if one was attached at `vault.collection(...)` time).
+     * @param options Optional metadata for audit + import workflows.
+     *                `reason` is stamped onto the resulting ledger entry
+     *                (see #1) so audit consumers can filter via
+     *                `entries.filter(e => e.reason?.startsWith('import:'))`.
+     */
+    put(id: string, record: T, options?: {
+        readonly reason?: string;
+    }): Promise<void>;
+    /**
+     * Fire registered MV strategies whose dependency set includes this
+     * collection. Eager-mode MVs re-materialize inline via
+     * `MaterializedViewExecutor.refresh`; lazy / manual modes are
+     * no-ops in the foundation (subtask #150) — wired in #151.
+     *
+     * Skips entirely when the record being written is itself an
+     * MV-emitted row (carries `_materializedFrom`) — defensive guard
+     * against missed cycle detection.
+     *
+     * @internal
+     */
+    private dispatchMaterializedViews;
+    /**
+     * Fire registered derivation strategies for this source collection.
+     * Eager mode runs `derive` inline and writes each output via the
+     * sibling `Collection.put`; lazy mode marks dependent outputs stale
+     * (D11 stub today). Errors in non-strict mode are logged and
+     * skipped; strict mode propagates the first failing output's error.
+     *
+     * Skips entirely when the record being written is itself a derived
+     * output (carries `_derivedFrom`) — defensive guard against missed
+     * cycle detection.
+     */
+    private dispatchDerivations;
     /** Delete a record by ID. */
     delete(id: string): Promise<void>;
+    /**
+     * @internal — system-internal delete that bypasses user-facing
+     * delete hooks (`onDelete`, accounting-period guard, FK ref
+     * enforcer). Used by derivation tombstones (#144) and MV refresh
+     * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
+     * registered against the output collection. The ledger entry and
+     * history snapshot still fire so backup integrity and time-travel
+     * reconstruction stay consistent.
+     *
+     * Returns silently for delete-of-absent (idempotent contract — both
+     * paths honour this: the `txCtx === null` path also reads the prior
+     * envelope and short-circuits before the ledger/event side-effects).
+     *
+     * When a `txCtx` is supplied, the prior envelope is captured and
+     * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
+     * the #133 rollback hardening for puts. Callers outside a
+     * multi-record transaction pass `null` and skip the tracking.
+     *
+     * Amendment composition: if `_internalDelete` runs while a vault's
+     * `GuardRegistry` has an amendment window open, the `{before, after:
+     * null}` change pair is pushed onto the amendment change-set the
+     * same way a user-initiated delete would. The `onDelete` user-hook
+     * is still skipped (housekeeping must not trip user invariants in
+     * normal mode), but the amendment's invariant DOES see the change
+     * — so a `RCT-CANCEL-001`-style invariant pairing can reject a
+     * derivation-driven tombstone fired during an admin amendment.
+     *
+     * Constraint to surface to consumers: output collections of
+     * derivations with `optional: true` outputs should not be the
+     * targets of `strict` or `cascade` inbound foreign-key refs —
+     * `_internalDelete` bypasses the ref enforcer by design (the
+     * `onDelete` bypass primitive). Treat the housekeeping path as
+     * "system can tombstone its own emissions regardless of FK shape."
+     *
+     * Permission handling is unchanged: the caller must still hold
+     * write permission on the collection (derivations run under the
+     * user's keyring).
+     */
+    _internalDelete(id: string, txCtx?: TxContext | null): Promise<void>;
+    private _doDelete;
+    /**
+     * Cascade deletes of array-shape derived rows when a source row is
+     * deleted (#200). Reads each registered strategy's fanout sidecar
+     * for this source id, deletes every listed derived row, then
+     * deletes the sidecar itself.
+     *
+     * Record-shape derivations are skipped — see _doDelete's comment
+     * for why the asymmetry is correct.
+     *
+     * @internal
+     */
+    private dispatchArrayDerivationsOnDelete;
+    /**
+     * Mirror of {@link dispatchMaterializedViews} for the delete path
+     * (#181). No record content is available (it's gone), so the
+     * `_materializedFrom` skip used by the put-side dispatch doesn't
+     * apply here — instead, the recursion guard is the `internal` gate
+     * at the `_doDelete` call site above.
+     *
+     * @internal
+     */
+    private dispatchMaterializedViewsOnDelete;
     /**
      * List all records in the collection.
      *
@@ -6971,6 +9126,15 @@ declare class Collection<T> {
      * the filtered records directly (the API). Prefer the chainable
      * form for new code.
      *
+     * **Lazy-MV gap (#157):** `query()` is synchronous and does NOT
+     * trigger lazy materialized-view resolve-on-read. If this
+     * collection is a lazy MV's output and the MV is currently stale,
+     * `query().toArray()` returns the pre-stale snapshot. To force a
+     * fresh read on a lazy MV, either call `list()` (which DOES
+     * trigger resolve) or `vault.refreshView(mvName)` before querying.
+     * The proper fix — extending `QuerySource` with an async prepare
+     * hook — is a separate PR.
+     *
      * @example
      * ```ts
      * // New chainable API:
@@ -7123,6 +9287,11 @@ declare class Collection<T> {
      *   .aggregate({ total: sum('amount'), n: count() })
      * ```
      *
+     * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+     * NOT trigger lazy materialized-view resolve-on-read. For lazy
+     * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
+     * before scanning. Same shape as the `query()` limitation.
+     *
      * Returns a `ScanBuilder<T>` instead of the raw async iterator
      * that previous versions used. The builder implements
      * `AsyncIterable<T>`, so every existing `for await … of` call
@@ -7141,6 +9310,22 @@ declare class Collection<T> {
     /** Decrypt a page of envelopes returned by `adapter.listPage`. */
     private decryptPage;
     /** Load all records from adapter into memory cache. */
+    /**
+     * @internal — refresh the in-memory cache entry for a single id by
+     * re-reading from the adapter. Used by the transaction executor's
+     * Phase-3 revert path: that path writes the prior envelope directly
+     * via the raw store (to avoid re-firing Collection-level side
+     * effects), which would otherwise leave this Collection's eager
+     * cache holding the rolled-back value. After revert, the executor
+     * calls this hook so subsequent `get` / `query` reads see the
+     * actual on-disk state.
+     *
+     * Lazy mode: drops the LRU entry; the next `get` repopulates from
+     * the adapter. Eager mode: re-reads the envelope and either sets
+     * the cache entry (record still present) or deletes it (record was
+     * gone before the tx and the revert deleted it again).
+     */
+    _invalidateCacheEntry(id: string): Promise<void>;
     private ensureHydrated;
     /** Hydrate from a pre-loaded snapshot (used by Vault). */
     hydrateFromSnapshot(records: Record<string, EncryptedEnvelope>): Promise<void>;
@@ -7565,7 +9750,7 @@ interface ShadowStrategy {
  * @internal
  */
 interface TxStrategy {
-    runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+    runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 }
 
 /**
@@ -7695,6 +9880,160 @@ interface SessionStrategy {
     revokeAllSessions(): void;
 }
 
+/**
+ * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.
+ *
+ * A vault mode where the passphrase is machine-generated and never
+ * exposed to the user, sealed under a developer-provided
+ * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
+ * Manager, libsecret, AWS KMS, …). The user has no secret to give
+ * up to coercion — they can't reveal what they don't know.
+ *
+ * ## Components in this file
+ *
+ *   - {@link SealingKeyProvider} — the interface concrete providers
+ *     implement. Provider implementations live OUTSIDE hub (per-
+ *     platform packages).
+ *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
+ *     a deterministic per-instance "key" so two providers with
+ *     different ids cannot unseal each other's outputs.
+ *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
+ *     plaintext envelope storage at `_meta/sealed-passphrase`.
+ *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
+ *     GCM-bypassed patterns. The sealing layer (provider's job)
+ *     is the security boundary; hub doesn't have a key to encrypt
+ *     with at this layer — that's the whole point of the design.
+ *   - {@link resolveManagedSecret} — orchestrates the "generate +
+ *     seal + persist on first open; unseal on reopen" flow.
+ *     Returns the plaintext passphrase string that the rest of the
+ *     `createNoydb` keyring path consumes.
+ *
+ * Slice 1 of #14. Deferred to follow-ups:
+ *   - Block `rotate-passphrase` policy gate under managed mode.
+ *   - Mandatory strong-recovery enforcement (depends on #10).
+ *   - Recovery flow under managed mode (generates fresh sealed phrase).
+ *
+ * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
+ *
+ * @module
+ */
+
+/**
+ * The contract concrete providers (per-platform key stores) implement
+ * to seal and unseal a hub-generated random passphrase. The plaintext
+ * passphrase NEVER leaves hub-controlled memory in unsealed form —
+ * the provider receives the bytes, returns opaque sealed bytes, and
+ * later reverses the operation. Hub treats the sealed bytes as
+ * fully opaque.
+ *
+ * Implementations live OUTSIDE `@noy-db/hub` (separate packages
+ * per the issue's "Concrete providers (live outside hub)" note):
+ *
+ * | Platform | Package (TBD) | Backing |
+ * |---|---|---|
+ * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
+ * | Windows | `@noy-db/seal-wincred` | Credential Manager |
+ * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
+ * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
+ */
+interface SealingKeyProvider {
+    /**
+     * Non-sensitive identifier disclosed in the persisted envelope.
+     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
+     * a vault opened with the wrong provider class can detect the
+     * mismatch and surface a clear error. NOT secret — fine to log.
+     *
+     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
+     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
+     * parses this; it's purely audit metadata.
+     */
+    readonly id: string;
+    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
+     * any other failure — hub treats a thrown error as "this provider
+     * cannot unlock this vault" and surfaces it to the caller.
+     */
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * In-memory test provider. NOT secure — uses a deterministic
+ * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
+ * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
+ * sufficient to make different `id` values produce mutually-unsealable
+ * outputs (the contract tests for that), but offers ZERO real
+ * confidentiality — never use outside tests.
+ *
+ * Replace with a real platform provider in production.
+ */
+declare class MemorySealingKeyProvider implements SealingKeyProvider {
+    readonly id: string;
+    private readonly fingerprint;
+    private readonly keyBytes;
+    constructor(opts: {
+        id: string;
+    });
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/** Reserved id for the managed-passphrase envelope under `_meta`. */
+declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
+/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
+interface SealedPassphrase {
+    readonly _noydb_sealed: 1;
+    readonly providerId: string;
+    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
+    readonly sealed: Uint8Array;
+}
+/**
+ * Wire-format envelope persisted at `_meta/sealed-passphrase` for
+ * managed-mode vaults. The provider produces raw sealed bytes via
+ * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
+ * metadata hub needs to pick the right provider on the unseal path.
+ *
+ * Stability boundary: once shipped, the wire format only grows by
+ * adding optional fields. See the at-* sealing dimension foundation
+ * doc, §11.9.1.
+ *
+ * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
+ *
+ * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`
+ * — accepted on read for backwards compatibility; never produced on
+ * write going forward.
+ */
+interface SealedEnvelope {
+    /** Envelope schema version. v1 is the shape shipped in pre.16. */
+    readonly v: 1;
+    /** Magic marker for forensics + legacy-shape detection. */
+    readonly _noydb_sealed: 1;
+    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
+    readonly pid: string;
+    /** Sealed bytes from the provider, base64-encoded on the wire. */
+    readonly payload: string;
+}
+/**
+ * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
+ * in-memory {@link SealedPassphrase} representation. Accepts both:
+ *
+ *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
+ *      the shape produced from pre.16 onward.
+ *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
+ *      the shape produced in pre.14/pre.15. Read-only; never written
+ *      going forward.
+ *
+ * Returns `undefined` for any input that doesn't match either shape,
+ * so callers can fall back to "no managed-mode envelope present."
+ *
+ * @internal — exported only for the migration safety-net test suite.
+ */
+declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
+declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
+    readonly providerId: string;
+    readonly sealed: Uint8Array;
+}): Promise<void>;
+declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
+
 /**
  * Core types — the {@link NoydbStore} interface, envelope format, roles, and
  * all configuration shapes consumed by {@link createNoydb}.
@@ -7753,7 +10092,7 @@ type Permission = 'rw' | 'ro';
  * `'*'` is the wildcard collection matching all collections in the vault.
  */
 type Permissions = Record<string, Permission>;
-/** The encrypted wrapper stored by adapters. Adapters only ever see this. */
+/** The encrypted wrapper stored by stores. Stores only ever see this. */
 interface EncryptedEnvelope {
     readonly _noydb: typeof NOYDB_FORMAT_VERSION;
     readonly _v: number;
@@ -7856,8 +10195,8 @@ interface ListPageResult {
 }
 interface NoydbStore {
     /**
-     * Optional human-readable adapter name (e.g. 'memory', 'file', 'dynamo').
-     * Used in diagnostic messages and the listPage fallback warning. Adapters
+     * Optional human-readable store name (e.g. 'memory', 'file', 'dynamo').
+     * Used in diagnostic messages and the listPage fallback warning. Stores
      * are encouraged to set this so logs are clearer about which backend is
      * involved when something goes wrong.
      */
@@ -7878,22 +10217,22 @@ interface NoydbStore {
     ping?(): Promise<boolean>;
     /**
      * Optional: list record IDs in a collection that have `_ts` after `since`.
-     * Used by partial sync (`pull({ modifiedSince })`). Adapters that omit this
+     * Used by partial sync (`pull({ modifiedSince })`). Stores that omit this
      * fall back to a full `loadAll` + client-side timestamp filter.
      */
     listSince?(vault: string, collection: string, since: string): Promise<string[]>;
     /**
-     * Optional pagination extension. Adapters that implement `listPage` get
-     * the streaming `Collection.scan()` fast path; adapters that don't are
+     * Optional pagination extension. Stores that implement `listPage` get
+     * the streaming `Collection.scan()` fast path; stores that don't are
      * silently fallen back to a full `loadAll()` + slice (with a one-time
      * console.warn).
      *
-     * `cursor` is opaque to the core — each adapter encodes its own paging
+     * `cursor` is opaque to the core — each store encodes its own paging
      * state (DynamoDB: base64 LastEvaluatedKey JSON; S3: ContinuationToken;
      * memory/file/browser: numeric offset of a sorted id list). Pass
      * `undefined` to start from the beginning.
      *
-     * `limit` is a soft upper bound on `items.length`. Adapters MAY return
+     * `limit` is a soft upper bound on `items.length`. Stores MAY return
      * fewer items even when more exist (e.g. if the underlying store has
      * its own page size cap), and MUST signal "no more pages" by returning
      * `nextCursor: null`.
@@ -8106,7 +10445,7 @@ type RecoveryEnrollment = {
  * metadata only.
  */
 interface KeyringAuthenticatorBase {
-    /** Caller-chosen identifier — e.g. `'webauthn-yubikey-blue'`, `'oidc-google'`, `'password-daily'`. */
+    /** Caller-chosen identifier — e.g. `'webauthn-yubikey-blue'`, `'oidc-google'`, `'password'`. */
     readonly id: string;
     /** Method family — selects which `@noy-db/on-*` package handles unlock. */
     readonly method: 'webauthn' | 'oidc' | 'password';
@@ -8191,6 +10530,21 @@ interface KeyringFile {
     readonly salt: string;
     readonly created_at: string;
     readonly granted_by: string;
+    /**
+     * Passphrase canary — base64 AES-KW-wrapped form of a known constant
+     * 256-bit value, wrapped under the keyring's KEK (#113).
+     *
+     * Optional: pre-#113 keyrings load with no canary and fall back to
+     * the multi-DEK corruption heuristic from #82. Keyrings written after
+     * #113 carry one and let `loadKeyring` distinguish wrong-passphrase
+     * from corruption even when ALL DEKs (including a single-DEK keyring's
+     * sole DEK) are corrupted.
+     *
+     * AES-KW is deterministic — every write site mints fresh on each
+     * persist; same KEK + same constant input always produces the same
+     * ciphertext, so this round-trips without state.
+     */
+    readonly canary?: string;
     /**
      * Tier-2 authenticator slots (multi-slot keyring extension).
      * Optional / append-only: keyring files written before the
@@ -8434,7 +10788,7 @@ interface PullOptions {
     collections?: string[];
     /**
      * Only pull records with `_ts` strictly after this ISO timestamp.
-     * Adapters that implement `listSince` use it directly; others fall back
+     * Stores that implement `listSince` use it directly; others fall back
      * to a full scan with client-side filtering.
      */
     modifiedSince?: string;
@@ -8586,6 +10940,44 @@ interface GrantOptions {
      */
     readonly initialProfile?: unknown;
 }
+/**
+ * Caller payload for `db.updateUser` (#54). Mutate one or more
+ * identity fields on an existing keyring without rotating any keys.
+ *
+ * `role`, `displayName`, and `permissions` live in the plaintext header
+ * of `_keyring/<userId>` (the sync engine reads them without keys).
+ * Mutating them is a JSON header swap — no DEK rewrap, no KEK
+ * required, no authenticator slots touched. Tier-2 slots and recovery
+ * enrollments survive unchanged. Last-write-wins through the existing
+ * keyring put (same concurrency story as `db.grant` / `db.revoke`).
+ *
+ * Top-level fields are partial-merge: absent fields are not modified.
+ * `null` on `displayName` clears the field (stored as the empty string;
+ * UI consumers typically render the empty case by falling back to the
+ * user id). `undefined` / absent leaves the field untouched. Mirrors
+ * the `null`-as-clear convention `UserApi.updateMe` uses (#57).
+ *
+ * `permissions`, however, is a **full replacement** at the map level —
+ * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
+ * silently dropping any other entries. To partially update, read the
+ * current keyring and merge: `permissions: { ...current, invoices: 'rw' }`.
+ * To clear all permissions, pass `permissions: {}` explicitly.
+ *
+ * Role-elevation guard: the same hierarchy as `db.grant`. Admins can
+ * change `admin` / `operator` / `viewer` / `client` to and from each
+ * other; admins cannot promote to or demote from `owner`. Owners can
+ * do anything. Non-admin callers (operator/viewer/client) cannot call
+ * `db.updateUser` at all — for self-displayName changes, use
+ * `vault.user.updateMe` (the user-envelope API).
+ *
+ * @see #54
+ */
+interface UpdateUserOptions {
+    readonly userId: string;
+    readonly role?: Role;
+    readonly displayName?: string | null;
+    readonly permissions?: Permissions;
+}
 interface RevokeOptions {
     readonly userId: string;
     readonly rotateKeys?: boolean;
@@ -8626,8 +11018,8 @@ interface AccessibleVault {
  */
 interface ListAccessibleVaultsOptions {
     /**
-     * Minimum role the caller must hold to include a compartment in the
-     * result. Compartments where the caller's role is strictly *below*
+     * Minimum role the caller must hold to include a vault in the
+     * result. Vaults where the caller's role is strictly *below*
      * this threshold are silently excluded. Defaults to `'client'`,
      * which means "every vault I can unwrap is returned." Set to
      * `'admin'` for "vaults where I can grant/revoke," or
@@ -9154,6 +11546,37 @@ interface NoydbOptions {
      * @internal
      */
     readonly syncStrategy?: SyncStrategy;
+    /**
+     * Optional guard strategies — collection-level write guards. Each
+     * handle is the output of `withGuard()` from `@noy-db/hub/guards`.
+     * Multiple guards per collection are allowed; they are dispatched
+     * in registration order on `collection.put()`.
+     */
+    readonly guardStrategies?: ReadonlyArray<GuardStrategyHandleAny>;
+    /**
+     * Optional derivation strategies — source-to-output projections that
+     * fire on `collection.put()`. Each handle is the output of
+     * `withDerivation()` from `@noy-db/hub/derivations`. The vault
+     * validates the derivation graph for cycles on `openVault`; a cyclic
+     * graph throws `DerivationCycleError`.
+     */
+    readonly derivationStrategies?: ReadonlyArray<DerivationStrategyHandle>;
+    /**
+     * Optional materialized-view strategies (#143, foundation in #150).
+     * Each handle returned by `withMaterializedView()` from
+     * `@noy-db/hub/materialized-views`. The vault runs unified cycle
+     * detection across the MV + derivation graphs at `openVault`; a
+     * cyclic graph throws `MaterializedViewCycleError`.
+     */
+    readonly materializedViewStrategies?: ReadonlyArray<MaterializedViewStrategyHandle>;
+    /**
+     * Optional overlay strategies (#154). Each handle returned by
+     * `withOverlayedView()` from `@noy-db/hub/overlay-views`. The vault
+     * validates name uniqueness + base concreteness + overlay
+     * availability at `openVault`; a clash throws one of the
+     * `Overlay*Error` family.
+     */
+    readonly overlayedViewStrategies?: ReadonlyArray<OverlayedViewStrategyHandle>;
     /** Optional remote store(s) for sync. Accepts a single store, a SyncTarget, or an array. */
     readonly sync?: NoydbStore | SyncTarget | SyncTarget[];
     /** User identifier. */
@@ -9199,6 +11622,32 @@ interface NoydbOptions {
      * subsequent sessions.
      */
     readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>;
+    /**
+     * Passphrase mode (#14). Default `'standard'`.
+     *
+     *   - `'standard'` — the legacy flow. `secret` supplies the
+     *     plaintext passphrase, the user knows it, and the policy gate
+     *     `rotate-passphrase` is enabled.
+     *   - `'managed'` — rubber-hose-resistant mode. Hub generates a
+     *     256-bit random passphrase at first open and seals it under
+     *     the provided `sealingKey`. The user never sees or types the
+     *     passphrase, defeating the $5-wrench attack. Mutually
+     *     exclusive with `secret` and `getKeyring`.
+     *
+     * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
+     */
+    readonly passphraseMode?: 'standard' | 'managed';
+    /**
+     * Provider that seals/unseals the auto-generated managed-mode
+     * passphrase. Required when `passphraseMode === 'managed'`; ignored
+     * otherwise. Implementations live in per-platform packages
+     * (`@noy-db/seal-macos-keychain`, `@noy-db/seal-wincred`,
+     * `@noy-db/seal-libsecret`, `@noy-db/seal-aws-kms`, …).
+     */
+    readonly sealingKey?: SealingKeyProvider;
+    /** Required to use `profile: 'shamir'` recovery. Pass
+     *  `shamirRecoveryProvider()` from `@noy-db/on-shamir`. */
+    readonly shamirRecovery?: ShamirRecoveryProvider;
     /** Auth method. Default: 'passphrase'. */
     readonly auth?: 'passphrase' | 'biometric';
     /** Enable encryption. Default: true. */
@@ -9402,4 +11851,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permissions as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringFile as bA, type ListAccessibleVaultsOptions as bB, type ListPageResult as bC, type LiveUserEnvelope as bD, type LocaleReadOptions as bE, Lru as bF, type LruOptions as bG, type LruStats as bH, MAGIC_LINK_CONTENT_INFO_PREFIX as bI, MAGIC_LINK_GRANTS_COLLECTION as bJ, MAGIC_LINK_KEK_INFO_PREFIX as bK, type MagicLinkGrantPayload as bL, type MagicLinkGrantRecord as bM, NOYDB_BACKUP_VERSION as bN, NOYDB_FORMAT_VERSION as bO, NOYDB_KEYRING_VERSION as bP, NOYDB_SYNC_VERSION as bQ, Noydb as bR, type NoydbBundleStore as bS, type NoydbEventMap as bT, type NoydbOptions as bU, PUBLIC_ENVELOPE_FIELDS as bV, type PaperRecoveryDoc as bW, type PaperRecoveryEntry as bX, type PassphrasePolicy as bY, type PassphraseValidationResult as bZ, type Permission as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DelegationToken as be, type DeleteManyResult as bf, type DirtyEntry as bg, ELEVATION_AUDIT_COLLECTION as bh, ElevatedHandle as bi, type EnrollAuthenticatorOptions as bj, type ExportCapability as bk, type ExportChunk as bl, type ExportFormat as bm, type ExportStreamOptions as bn, type FactorKind as bo, type FactorRequirement as bp, type GhostRecord as bq, type GrantOptions as br, type HistoryConfig as bs, type HistoryEntry as bt, INDEXED_STORE_POLICY as bu, type ImportCapability as bv, type InferOutput as bw, type IssueDelegationOptions as bx, type IssueMagicLinkGrantOptions as by, type KeyringAuthenticator as bz, DictionaryHandle as c, WeakPassphraseError as c$, type PlaintextTranslatorContext as c0, type PlaintextTranslatorFn as c1, PresenceHandle as c2, type PresencePeer as c3, type PublicEnvelopeField as c4, type PublicEnvelopeSchema as c5, type PublicEnvelopeText as c6, type PullMode as c7, type PullOptions as c8, type PullPolicy as c9, type StoreAuthKind as cA, type StoreCapabilities as cB, SyncEngine as cC, type SyncMetadata as cD, type SyncPolicy as cE, SyncScheduler as cF, type SyncSchedulerStatus as cG, type SyncStatus as cH, type SyncTarget as cI, type SyncTargetRole as cJ, SyncTransaction as cK, type SyncTransactionResult as cL, type TierMode as cM, type TranslatorAuditEntry as cN, type TxOp as cO, USER_ENVELOPE_COLLECTION as cP, USER_ENVELOPE_MAX_BYTES as cQ, type Unsubscribe as cR, UserApi as cS, type UserEnvelopeCheckGate as cT, UserEnvelopeOversizedError as cU, type UserEnvelopePresented as cV, type UserInfo as cW, type VaultBackup as cX, type VaultPolicyOnDisk as cY, type VaultSnapshot as cZ, type WarningRules as c_, type PullResult as ca, type PushMode as cb, type PushOptions as cc, type PushPolicy as cd, type PushResult as ce, type PutManyItemOptions as cf, type PutManyOptions as cg, type PutManyResult as ch, type QueryAcrossOptions as ci, type QueryAcrossResult as cj, type QuickUnlockState as ck, QuickUnlockStore as cl, type ReAuthOperation as cm, type RecoverPassphraseInput as cn, type RecoverPassphraseResult as co, type RecoverUserOptions as cp, type RecoveryProof as cq, type ResolvedPublicEnvelopeSchema as cr, type RevokeOptions as cs, type RotatePassphraseInput as ct, type SessionPolicy as cu, type SetPublicEnvelopeInput as cv, type StandardSchemaV1 as cw, type StandardSchemaV1Issue as cx, type StandardSchemaV1SyncResult as cy, type StoreAuth as cz, type DictionaryOptions as d, type WeakPassphraseReason as d0, type WrappedDeksBlob as d1, assertStrongPassphrase as d2, buildRecipientKeyringFile as d3, burnPaperRecoveryEntry as d4, createNoydb as d5, createStore as d6, deriveMagicLinkContentKey as d7, enrollAuthenticator as d8, estimateEntropy as d9, savePaperRecoveryEntries as dA, unwrapDeksFromBlob as dB, unwrapDeksFromPaperEntry as dC, unwrapMagicLinkGrant as dD, validatePassphrase as dE, validatePublicEnvelopeInput as dF, validateSchemaInput as dG, validateSchemaOutput as dH, writeMagicLinkGrant as dI, evaluateExportCapability as da, evaluateImportCapability as db, findAuthenticator as dc, hasExportCapability as dd, hasImportCapability as de, hasRecoveryEnrolled as df, isMagicLinkGrantExpired as dg, isPublicEnvelope as dh, issueDelegation as di, recoverPassphrase as dj, rotatePassphrase as dk, listMagicLinkGrants as dl, listUsers as dm, listUsersWithEnvelopes as dn, loadActiveDelegations as dp, loadPaperRecoveryEntries as dq, magicLinkGrantRecordId as dr, mintPaperRecoveryEntry as ds, mintWrappedDeksBlob as dt, readMagicLinkGrantRecord as du, recoverUser as dv, removeAuthenticator as dw, resolveSchema as dx, revokeDelegation as dy, revokeMagicLinkGrant as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, VaultInstant as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DerivationStrategyHandle as aA, type DerivedFromMeta as aB, type OutputSpec as aC, type RecordOutputSpec as aD, type MaterializedViewStrategy as aE, type MaterializedViewStrategyHandle as aF, type OverlayedViewStrategy as aG, Collection as aH, OverlayedViewRegistry as aI, type OverlayedViewStrategyHandle as aJ, type SyncStrategy as aK, type Role as aL, type UnlockedKeyring as aM, type HistoryStrategy as aN, type NoydbStore as aO, type HistoryOptions as aP, type EncryptedEnvelope as aQ, type PruneOptions as aR, type AppendInput as aS, type ChangeType as aT, CollectionInstant as aU, type DiffEntry as aV, type JsonPatch as aW, type JsonPatchOp as aX, type LedgerEntry as aY, LedgerStore as aZ, type VaultEngine as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type GuardStrategy as ah, type GuardChange as ai, type GuardContext as aj, GuardRegistry as ak, type GuardStrategyHandle as al, ReadOnlyVaultFacade as am, type ShadowStrategy as an, CollectionFrame as ao, VaultFrame as ap, type TxStrategy as aq, type AmendmentTxOptions as ar, TxCollection as as, TxContext as at, TxVault as au, runTransaction as av, type DerivationStrategy as aw, type DerivationContext as ax, type ArrayOutputSpec as ay, DerivationRegistry as az, type DictKeyDescriptor as b, type FactorRequirement as b$, type VerifyResult as b0, applyPatch as b1, canonicalJson as b2, computePatch as b3, diff as b4, formatDiff as b5, hashEntry as b6, paddedIndex as b7, parseIndex as b8, sha256Hex as b9, type CollectionDescriptor as bA, type CollectionStats as bB, type Conflict as bC, type ConflictPolicy as bD, type ConflictStrategy as bE, type CrossTierAccessEvent as bF, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bG, DELEGATIONS_COLLECTION as bH, type DeepPartial as bI, type DeepPartialOrNull as bJ, type DelegationToken as bK, type DeleteManyResult as bL, type DerivationDescriptor as bM, type DirtyEntry as bN, type DumpSchemaOptions as bO, ELEVATION_AUDIT_COLLECTION as bP, ElevatedHandle as bQ, type EnrollAuthenticatorOptions as bR, type EnrollAuthenticatorWrappingDEKsOptions as bS, type EnrollAuthenticatorWrappingKEKOptions as bT, type EnrollRecoveryResult as bU, type ExportCapability as bV, type ExportChunk as bW, type ExportFormat as bX, type ExportStreamOptions as bY, type FactorKind as bZ, type FactorProofBundle as b_, type MVQueryContext as ba, type RegisteredMV as bb, MaterializedViewRegistry as bc, type MaterializedFromMeta as bd, type MaterializedViewOutput as be, type UnionSource as bf, type UserEnvelope as bg, type PublicEnvelope as bh, type GateName as bi, type GatePolicy as bj, type VaultPolicy as bk, type ActiveTier as bl, type FactorProof as bm, type PersistedSchemaEnvelope as bn, type DirectoryConfig as bo, type UserVisibility as bp, Vault as bq, type AccessibleVault as br, BUNDLE_STORE_POLICY as bs, type BuiltInGateName as bt, type BundleRecipient as bu, type CacheOptions as bv, type CacheStats as bw, type ChangeEvent as bx, type CollectionChangeEvent as by, type CollectionConflictResolver as bz, DictionaryHandle as c, type PutManyItemOptions as c$, type FieldDescriptor as c0, type FieldSource as c1, type GhostRecord as c2, type GrantOptions as c3, type HistoryConfig as c4, type HistoryEntry as c5, INDEXED_STORE_POLICY as c6, type ImportCapability as c7, type InferOutput as c8, type InternalCollectionStats as c9, type NoydbBundleStore as cA, type NoydbEventMap as cB, type NoydbOptions as cC, type OverlayViewDescriptor as cD, PUBLIC_ENVELOPE_FIELDS as cE, type PaperRecoveryDoc as cF, type PaperRecoveryEntry as cG, type PassphrasePolicy as cH, type PassphraseValidationResult as cI, type Permission as cJ, type Permissions as cK, type PersistedSchemaKind as cL, type PlaintextTranslatorContext as cM, type PlaintextTranslatorFn as cN, PresenceHandle as cO, type PresencePeer as cP, type PublicEnvelopeField as cQ, type PublicEnvelopeSchema as cR, type PublicEnvelopeText as cS, type PullMode as cT, type PullOptions as cU, type PullPolicy as cV, type PullResult as cW, type PushMode as cX, type PushOptions as cY, type PushPolicy as cZ, type PushResult as c_, type IssueDelegationOptions as ca, type IssueMagicLinkGrantOptions as cb, type KeyringAuthenticator as cc, type KeyringAuthenticatorWrappingDEKs as cd, type KeyringAuthenticatorWrappingKEK as ce, type KeyringFile as cf, type ListAccessibleVaultsOptions as cg, type ListPageResult as ch, type ListUsersOptions as ci, type LiveUserEnvelope as cj, type LocaleReadOptions as ck, Lru as cl, type LruOptions as cm, type LruStats as cn, MAGIC_LINK_CONTENT_INFO_PREFIX as co, MAGIC_LINK_GRANTS_COLLECTION as cp, MAGIC_LINK_KEK_INFO_PREFIX as cq, type MagicLinkGrantPayload as cr, type MagicLinkGrantRecord as cs, type MaterializedViewDescriptor as ct, MemorySealingKeyProvider as cu, NOYDB_BACKUP_VERSION as cv, NOYDB_FORMAT_VERSION as cw, NOYDB_KEYRING_VERSION as cx, NOYDB_SYNC_VERSION as cy, Noydb as cz, type DictionaryOptions as d, type WeakPassphraseReason as d$, type PutManyOptions as d0, type PutManyResult as d1, type QueryAcrossOptions as d2, type QueryAcrossResult as d3, type QuickUnlockState as d4, QuickUnlockStore as d5, type ReAuthOperation as d6, type RecoverPassphraseInput as d7, type RecoverPassphraseResult as d8, type RecoverUserOptions as d9, type SyncPolicy as dA, SyncScheduler as dB, type SyncSchedulerStatus as dC, type SyncStatus as dD, type SyncTarget as dE, type SyncTargetRole as dF, SyncTransaction as dG, type SyncTransactionResult as dH, type TierMode as dI, type TranslatorAuditEntry as dJ, type TxOp as dK, USER_ENVELOPE_COLLECTION as dL, USER_ENVELOPE_MAX_BYTES as dM, type Unsubscribe as dN, type UpdateAuthenticatorOptions as dO, type UpdateUserOptions as dP, UserApi as dQ, type UserEnvelopeCheckGate as dR, UserEnvelopeOversizedError as dS, type UserEnvelopePresented as dT, type UserInfo as dU, type VaultBackup as dV, type VaultPolicyOnDisk as dW, type VaultSchemaSnapshot as dX, type VaultSnapshot as dY, type WarningRules as dZ, WeakPassphraseError as d_, type RecoveryProof as da, type ResolvedPublicEnvelopeSchema as db, type RevokeOptions as dc, type RotatePassphraseInput as dd, type RotateRecoveryOptions as de, type RotateRecoveryResult as df, SEALED_PASSPHRASE_RECORD_ID as dg, type SealedEnvelope as dh, type SealedPassphrase as di, type SealingKeyProvider as dj, type SessionPolicy as dk, type SetPublicEnvelopeInput as dl, type ShamirRecoveryDoc as dm, type ShamirRecoveryEntry as dn, type ShamirRecoveryProvider as dp, type SlotRewrapCeremony as dq, type SlotRewrapContext as dr, type StandardSchemaV1 as ds, type StandardSchemaV1Issue as dt, type StandardSchemaV1SyncResult as du, type StoreAuth as dv, type StoreAuthKind as dw, type StoreCapabilities as dx, SyncEngine as dy, type SyncMetadata as dz, type I18nTextDescriptor as e, type WrappedDeksBlob as e0, assertStrongPassphrase as e1, buildRecipientKeyringFile as e2, burnPaperRecoveryEntry as e3, createNoydb as e4, createStore as e5, deriveMagicLinkContentKey as e6, enrollAuthenticator as e7, estimateEntropy as e8, evaluateExportCapability as e9, revokeDelegation as eA, revokeMagicLinkGrant as eB, savePaperRecoveryEntries as eC, saveSealedPassphrase as eD, saveShamirRecoveryEntries as eE, unwrapDeksFromBlob as eF, unwrapDeksFromPaperEntry as eG, unwrapDeksFromShamirEntry as eH, unwrapMagicLinkGrant as eI, validatePassphrase as eJ, validatePublicEnvelopeInput as eK, validateSchemaInput as eL, validateSchemaOutput as eM, writeMagicLinkGrant as eN, changeSecret as eO, createOwnerKeyring as eP, ensureCollectionDEK as eQ, grant as eR, loadKeyring as eS, persistKeyring as eT, revoke as eU, updateAuthenticator as eV, updateKeyringIdentity as eW, evaluateImportCapability as ea, findAuthenticator as eb, hasExportCapability as ec, hasImportCapability as ed, hasRecoveryEnrolled as ee, isMagicLinkGrantExpired as ef, isPublicEnvelope as eg, issueDelegation as eh, recoverPassphrase as ei, rotatePassphrase as ej, listMagicLinkGrants as ek, listUsers as el, listUsersWithEnvelopes as em, loadActiveDelegations as en, loadPaperRecoveryEntries as eo, loadSealedPassphrase as ep, loadShamirRecoveryEntries as eq, magicLinkGrantRecordId as er, mintPaperRecoveryEntry as es, mintShamirRecoveryEntry as et, mintWrappedDeksBlob as eu, parseSealedEnvelope as ev, readMagicLinkGrantRecord as ew, recoverUser as ex, removeAuthenticator as ey, resolveSchema as ez, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };