@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/{types-Bo7NSXJr.d.ts → types-BoFFiskX.d.ts}

@@ -1,8 +1,9 @@
-import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-BwEoBQZ9.js';
-import { A as AggregateStrategy } from './strategy-D-SrOLCl.js';
+import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-Rpd-V3jP.js';
+import { b as AggregateSpec, A as AggregateStrategy } from './strategy-DSTrsZ8t.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { N as NoydbError, U as RefDescriptor, p as JoinableSource, Z as RefViolation, Q as Query, $ as ScanBuilder } from './index-DJTf9yxn.js';
-import { I as IndexDef, C as CollectionIndexes } from './predicate-SBHmi6D0.js';
+import { N as NoydbError, Q as Query, ao as RefRegistry, al as RefDescriptor, a2 as JoinableSource, aq as RefViolation, ar as ScanBuilder } from './index-BCKdioeh.js';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Dnu81tsS.js';
+import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
  * Standard Schema v1 integration.
@@ -785,12 +786,24 @@ interface LedgerEntry {
     readonly prevHash: string;
     /**
      * Which kind of mutation this entry records. only supports
-     * data operations (`put`, `delete`). Access-control operations
-     * (`grant`, `revoke`, `rotate`) will be added in a follow-up once
-     * the keyring write path is instrumented — that's tracked in the
-     * epic issue.
-     */
-    readonly op: 'put' | 'delete';
+     * data operations (`put`, `delete`, `amendment`). Access-control
+     * operations (`grant`, `revoke`, `rotate`) will be added in a
+     * follow-up once the keyring write path is instrumented — that's
+     * tracked in the epic issue.
+     *
+     * `'amendment'` is the multi-record audit entry written by the
+     * guards subsystem when an admin/owner uses `withTransactions(...)`
+     * to repair a constraint-violating state. See `amendment` field
+     * below for the structured payload.
+     *
+     * `'lifecycle'` records a non-data audit event (e.g. partition
+     * handover, #226) — `collection`/`id` are empty and the event detail
+     * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
+     * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
+     * skips it in the data cross-check (it still participates in the
+     * tamper-evident chain).
+     */
+    readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle';
     /** The collection the mutation targeted. */
     readonly collection: string;
     /** The record id the mutation targeted. */
@@ -814,6 +827,17 @@ interface LedgerEntry {
      * the file docstring.
      */
     readonly payloadHash: string;
+    /**
+     * Optional human-readable tag describing why this mutation happened
+     * (#1). Threaded through `collection.put(_, _, { reason })`. Common
+     * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
+     * `as-*` ImportPlan.apply(), but consumers can use any string for
+     * domain-specific audit filtering. Auto-strip via `canonicalJson` —
+     * absent on the wire, never serialized as `null`.
+     *
+     * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.
+     */
+    readonly reason?: string;
     /**
      * Optional hex-encoded sha256 of the encrypted JSON Patch delta
      * blob stored alongside this entry in `_ledger_deltas/`. Present
@@ -837,6 +861,24 @@ interface LedgerEntry {
      * entirely — never `{ deltaHash: undefined }`.
      */
     readonly deltaHash?: string;
+    /**
+     * Present only when `op === 'amendment'`. Records the human reason,
+     * the role of the actor, the (collection, id, vBefore, vAfter) tuple
+     * for every record touched, and which guard invariants passed.
+     *
+     * See docs/superpowers/specs/2026-05-18-guards-design.md.
+     */
+    readonly amendment?: {
+        readonly reason: string;
+        readonly role: 'admin' | 'owner';
+        readonly changes: ReadonlyArray<{
+            readonly collection: string;
+            readonly id: string;
+            readonly vBefore: number;
+            readonly vAfter: number;
+        }>;
+        readonly invariantsPassed: ReadonlyArray<string>;
+    };
 }
 /**
  * Canonical (sort-stable) JSON encoder.
@@ -1056,6 +1098,20 @@ interface AppendInput {
      * as the entry's `deltaHash` field.
      */
     delta?: JsonPatch;
+    /**
+     * Present only for `op === 'amendment'` — structured audit
+     * payload for multi-record repair operations performed via
+     * `withTransactions(...)`. Carried through verbatim to the
+     * resulting ledger entry.
+     */
+    amendment?: LedgerEntry['amendment'];
+    /**
+     * Optional human-readable tag describing why this mutation happened
+     * (#1). Threaded from `collection.put(_, _, { reason })`.
+     * Carried verbatim onto the resulting ledger entry's `reason` field;
+     * omitted from canonical JSON when undefined.
+     */
+    reason?: string;
 }
 /**
  * Result of `LedgerStore.verify()`. On success, `head` is the hash of
@@ -1949,8 +2005,9 @@ interface UnlockedKeyring {
      */
     readonly exportCapability?: ExportCapability;
     /**
-     * `@noy-db/as-*` import capability (issue ). Absent when the
-     * keyring was written before  landed — default-closed semantics
+     * `@noy-db/as-*` import capability. Absent when the
+     * keyring was written before the import-capability extension
+     * landed — default-closed semantics
      * apply via `hasImportCapability` (no plaintext format granted, no
      * bundle import granted, regardless of role).
      */
@@ -1970,6 +2027,65 @@ interface UnlockedKeyring {
      */
     readonly policy?: VaultPolicyOnDisk;
 }
+/** Load and unlock a user's keyring for a vault. */
+declare function loadKeyring(adapter: NoydbStore, vault: string, userId: string, passphrase: string): Promise<UnlockedKeyring>;
+/**
+ * Create the initial owner keyring for a new vault.
+ *
+ * Pass `{ validate: true }` (or a `PassphrasePolicy`) to gate creation
+ * on the phrase-format strength rules — `Noydb` threads this from
+ * `NoydbOptions.validatePassphrase`. Direct callers (CLI, scripts,
+ * test fixtures) opt in explicitly.
+ */
+declare function createOwnerKeyring(adapter: NoydbStore, vault: string, userId: string, passphrase: string, passphraseOpts?: PassphrasePolicy & {
+    validate?: boolean;
+    allowWeakPassphrase?: boolean;
+}): Promise<UnlockedKeyring>;
+/** Grant access to a new user. Caller must have grant privilege. */
+declare function grant(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions): Promise<void>;
+/** Revoke a user's access. Optionally rotate keys for affected collections. */
+declare function revoke(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions): Promise<void>;
+/**
+ * Mutate `role`, `displayName`, and/or `permissions` on an existing
+ * keyring. Pure plaintext-header rewrite — no DEK rewrap, no KEK
+ * required, no authenticator slots touched. Tier-2 enrollments and
+ * recovery codes survive the operation.
+ *
+ * Role-elevation guard: BOTH the old role AND the new role must
+ * satisfy `canUpdateRole(callerRole, _)`. This blocks the two
+ * privilege-escalation shapes:
+ *   - admin elevates someone (or themselves) to owner
+ *   - admin demotes an owner to a role they then control
+ *
+ * Owner is always allowed. Admin manages admin / operator / viewer /
+ * client laterally.
+ *
+ * Identity preserved: same userId, same DEK wrappings. Last-write-wins
+ * through the standard keyring put (same concurrency story as `grant`
+ * and `revoke`).
+ *
+ * @throws `NoAccessError` when no keyring exists for the target.
+ * @throws `PermissionDeniedError` when the role hierarchy rejects.
+ * @throws `ValidationError` when the diff is empty (nothing to update).
+ *
+ * @see #54
+ */
+declare function updateKeyringIdentity(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: UpdateUserOptions): Promise<void>;
+/**
+ * Change the user's passphrase. Re-wraps every DEK under the new KEK.
+ *
+ * Validates the new passphrase against the strength rules unless
+ * `allowWeakPassphrase: true` is passed. Mirrors `rotatePassphrase`'s
+ * default-on validation contract.
+ *
+ * `db.rotatePassphrase()` adds a `checkGate('rotate-passphrase')` step
+ * on top of this primitive and additionally requires the OLD passphrase
+ * for re-derivation; `changeSecret` reuses the cached unlocked KEK so
+ * the OLD passphrase is not retyped.
+ */
+declare function changeSecret(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring, newPassphrase: string, passphraseOpts?: PassphrasePolicy & {
+    allowWeakPassphrase?: boolean;
+}): Promise<UnlockedKeyring>;
 /**
  * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its
  * own keyring file inside the bundle, sealed with its own passphrase.
@@ -2027,6 +2143,17 @@ interface BundleRecipient {
 declare function buildRecipientKeyringFile(callerKeyring: UnlockedKeyring, recipient: BundleRecipient): Promise<KeyringFile>;
 /** List all users with access to a vault. */
 declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo[]>;
+/**
+ * Optional filter knobs for {@link listUsersWithEnvelopes}.
+ *
+ * - `includeHidden` — when true, principals with `_meta/visibility/<id>`
+ *   set to `{ hidden: true }` are returned alongside everyone else.
+ *   Requires `owner` or `admin` callerRole; lower roles get
+ *   {@link import('../errors.js').PermissionDeniedError}.
+ */
+interface ListUsersOptions {
+    readonly includeHidden?: boolean;
+}
 /**
  * Joined enumeration: every keyring + its `_users/<keyringId>`
  * envelope side by side. Convenience for admin UIs that want to
@@ -2036,6 +2163,27 @@ declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo
  * `userEnvelopeDek` is the vault's `_users` collection DEK
  * (`vault.getDEK('_users')`); used to decrypt every envelope.
  *
+ * `callerRole` (#122) drives the directory-visibility checks:
+ *
+ *  - When the vault's `_meta/directory` document has `enabled: false`,
+ *    only `owner` and `admin` callers may enumerate; anyone else gets
+ *    {@link import('../errors.js').DirectoryDisabledError}.
+ *  - Principals with `_meta/visibility/<id>` set to `{ hidden: true }`
+ *    are filtered out by default. `owner`/`admin` callers can pass
+ *    `{ includeHidden: true }` to see them; lower roles passing that
+ *    option get `PermissionDeniedError`.
+ *
+ * Honest caveat (#122): these filters are a UX hint, not a security
+ * boundary. The keyring file is still listed at `_keyring/*` and the
+ * envelope ciphertext at `_users/*`. A caller with direct store access
+ * — or a caller that calls this function with `callerRole: 'owner'`
+ * unconditionally — sees every principal. The protection is only as
+ * strong as the role the calling layer passes in. The hub-level wrapper
+ * on `Vault` sources `callerRole` from the unlocked keyring's `role`
+ * field, which is signed-by-construction (it lives in the user's own
+ * keyring file). See `docs/subsystems/user-envelope.md` →
+ * "Directory visibility".
+ *
  * Principals without a persisted envelope (legacy keyrings predating
  * the user-envelope feature) come back with `envelope: null`. The
  * caller chooses how to render — usually "fall back to keyring's
@@ -2044,10 +2192,14 @@ declare function listUsers(adapter: NoydbStore, vault: string): Promise<UserInfo
  * Order matches `listUsers()` (store-defined; sort if you need a
  * stable display order).
  */
-declare function listUsersWithEnvelopes<T = unknown>(adapter: NoydbStore, vault: string, userEnvelopeDek: CryptoKey): Promise<Array<{
+declare function listUsersWithEnvelopes<T = unknown>(adapter: NoydbStore, vault: string, userEnvelopeDek: CryptoKey, callerRole: Role, options?: ListUsersOptions): Promise<Array<{
     user: UserInfo;
     envelope: UserEnvelope<T> | null;
 }>>;
+/** Ensure a DEK exists for a collection. Generates one if new. */
+declare function ensureCollectionDEK(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring): Promise<(collectionName: string) => Promise<CryptoKey>>;
+/** Persist a keyring file to the adapter. */
+declare function persistKeyring(adapter: NoydbStore, vault: string, keyring: UnlockedKeyring): Promise<void>;
 /**
  * Check whether a keyring is authorised for a given `@noy-db/as-*`
  * export tier.
@@ -2946,6 +3098,283 @@ declare class SyncEngine {
     private persistMeta;
 }
 
+/**
+ * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
+ * pattern of "serialize a DEK set, encrypt it under a credential-derived
+ * AES-GCM key." Used by:
+ *
+ *   - **tier-0** — paper recovery entries (`_meta/recovery-paper`),
+ *     credential = the printed code.
+ *   - **tier-2** — password authenticator slots (`KeyringFile.authenticators`,
+ *     `wrapKind: 'deks'`), credential = the user's password.
+ *
+ * **Not** used by `@noy-db/on-pin` — tier-3 wraps the DEK set under
+ * the same conceptual pattern but at **100,000 PBKDF2 iterations**
+ * (vs the 600,000 here), because the protection window for a PIN
+ * slot is short (idle-timeout-bounded, typically 15 min) and 600k
+ * iterations would make every PIN-resume noticeably slow. The wire
+ * formats are deliberately incompatible. See `@noy-db/on-pin`'s
+ * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
+ * module docstring.
+ *
+ * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
+ * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
+ * `@noy-db/on-password`). Both functions did identical work — PBKDF2
+ * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
+ * their implementations had drifted apart enough that fixing a bug
+ * in one wouldn't fix the other.
+ *
+ * This module owns the canonical implementation. Consumers compose:
+ *
+ *   - `mintPaperRecoveryEntry` is now a thin wrapper that calls
+ *     `mintWrappedDeksBlob` and adds `{ codeId, enrolledAt }`.
+ *   - `enrollPasswordAuthenticator` calls `mintWrappedDeksBlob` and
+ *     wraps the result in the slot envelope.
+ *
+ * @module
+ */
+/**
+ * The wrap-DEKs primitive — a serialized + AES-GCM-encrypted DEK set
+ * keyed under a credential-derived key.
+ *
+ * All three fields are base64-encoded so the blob is JSON-safe and
+ * round-trips through `_meta/*` envelopes (which carry plaintext
+ * JSON in `_data`).
+ *
+ * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
+ * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
+ * carries the same three fields with `salt` stored in `meta` for
+ * slot-format back-compat (#44 defers moving it to top-level).
+ */
+interface WrappedDeksBlob {
+    /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
+    readonly salt: string;
+    /** Base64 AES-GCM IV used for the `wrappedDeks` ciphertext. */
+    readonly iv: string;
+    /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */
+    readonly wrappedDeks: string;
+}
+/**
+ * Mint a fresh `WrappedDeksBlob` from a DEK set + a string credential.
+ *
+ * Generates a random salt + IV, derives a 256-bit AES-GCM key via
+ * PBKDF2-SHA256(credential, salt, 600K), serializes the DEK set as
+ * `{ deks: { coll: rawBase64 } }`, and AES-GCM-encrypts.
+ *
+ * The `credential` is the user-typed string (recovery code, password,
+ * PIN). Caller normalization rules apply (e.g. paper
+ * recovery uppercase-strips the code before reaching this function).
+ *
+ * @param deks - DEK set to wrap. Each DEK must be exportable via
+ *               `subtle.exportKey('raw', dek)` (the hub mints DEKs
+ *               this way; consumers feeding non-extractable keys
+ *               will get `InvalidAccessError` from WebCrypto).
+ * @param credential - String input the consumer minted (paper code,
+ *               password, PIN). Treated as opaque bytes by PBKDF2.
+ */
+declare function mintWrappedDeksBlob(deks: Map<string, CryptoKey>, credential: string): Promise<WrappedDeksBlob>;
+/**
+ * Reverse of {@link mintWrappedDeksBlob}. Re-derives the wrapping key
+ * from the credential + stored salt, AES-GCM-decrypts the wrapped DEK
+ * set, and re-imports each DEK as an extractable AES-GCM CryptoKey.
+ *
+ * Throws (AES-GCM auth tag failure) when the credential doesn't
+ * match the blob. Callers iterating over multiple blobs (e.g. paper
+ * recovery's "try every entry until one matches") should catch.
+ */
+declare function unwrapDeksFromBlob(blob: WrappedDeksBlob, credential: string): Promise<Map<string, CryptoKey>>;
+
+/**
+ * String-level Shamir provider injected into hub for `profile: 'shamir'`
+ * recovery. Keeps hub free of any `@noy-db/on-shamir` import — hub never
+ * sees `RawShare` or the share codecs. Implemented by
+ * `shamirRecoveryProvider()` from `@noy-db/on-shamir`.
+ */
+interface ShamirRecoveryProvider {
+    /** Split `secret` into `n` base32 share strings; any `k` recombine it. */
+    splitToShares(secret: Uint8Array, k: number, n: number): string[];
+    /**
+     * Recombine `k`+ share strings into the secret. MUST throw on malformed,
+     * truncated, insufficient, or mismatched shares.
+     */
+    combineShares(shares: readonly string[]): Uint8Array;
+}
+
+/**
+ * Recovery profile persistence + dispatch — issue #10.
+ *
+ * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * `@noy-db/on-recovery`. The other three profiles (Shamir,
+ * multi-channel, admin-mediated) ship the API surface and throw
+ * {@link RecoveryProfileNotImplementedError} during use; per-profile
+ * dispatch lands in follow-up issues.
+ *
+ * Storage layout:
+ *
+ * ```
+ * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.
+ * _meta/recovery-shamir      — reserved
+ * _meta/recovery-multi       — reserved
+ * _meta/recovery-admin       — reserved
+ * ```
+ *
+ * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON
+ * with empty `_iv` — the recovery-code wrapping is what protects the
+ * KEK; the entries themselves are inert without the user's code.
+ *
+ * @module
+ */
+
+/**
+ * One paper recovery code as persisted in `_meta/recovery-paper`.
+ *
+ * The hub's KEK is intentionally non-extractable (see `crypto.ts`),
+ * so the recovery entry can't AES-KW-wrap the KEK directly. Instead
+ * we wrap a serialized DEK set: the entry holds the AES-GCM
+ * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery
+ * deserializes the DEK set, then mints a fresh KEK from the new
+ * passphrase and rewraps the DEKs under it.
+ *
+ * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick
+ * resume — the cryptographic guarantee is identical (AES-GCM with a
+ * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
+ * constraint cleanly.
+ *
+ * Type-level composition (#44): `PaperRecoveryEntry extends
+ * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
+ * `wrappedDeks`) come from the shared primitive; `codeId` and
+ * `enrolledAt` are paper-recovery's own metadata. Wire format
+ * unchanged.
+ */
+interface PaperRecoveryEntry extends WrappedDeksBlob {
+    readonly codeId: string;
+    readonly enrolledAt: string;
+}
+interface PaperRecoveryDoc {
+    readonly _noydb_recovery: 1;
+    readonly profile: 'paper';
+    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
+}
+/** Read the paper-recovery entries. Returns empty array when absent. */
+declare function loadPaperRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<PaperRecoveryEntry>>;
+/** Replace the paper-recovery entries (used after burn-on-recovery). */
+declare function savePaperRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<PaperRecoveryEntry>): Promise<void>;
+/** Drop a single paper-recovery entry (burn-on-use). */
+declare function burnPaperRecoveryEntry(store: NoydbStore, vault: string, codeId: string): Promise<void>;
+/** Whether at least one recovery profile has any enrolled entries. */
+declare function hasRecoveryEnrolled(store: NoydbStore, vault: string): Promise<boolean>;
+/**
+ * One Shamir-recovery entry as persisted in `_meta/recovery-shamir`.
+ *
+ * Like {@link PaperRecoveryEntry}, the entry composes
+ * {@link WrappedDeksBlob} (DEKs wrapped under a fresh ephemeral
+ * recovery secret) with profile-specific metadata. Unlike paper, the
+ * "credential" was never visible to the user — it was 32 random
+ * bytes split into N Shamir shares at enrollment. The shares ARE
+ * the credential; the user holds them, the hub never sees them
+ * again after `enrollRecovery` returns.
+ *
+ * Per the spec §5: the recovery secret is base64-encoded and
+ * passed as the `credential` arg to
+ * {@link mintWrappedDeksBlob} / {@link unwrapDeksFromBlob}. The
+ * PBKDF2 round over high-entropy input is harmless overhead — it
+ * keeps the shared primitive unchanged while letting Shamir reuse
+ * the same wrapping pipeline as paper.
+ */
+interface ShamirRecoveryEntry extends WrappedDeksBlob {
+    /** Stable id for this entry. Allows multiple Shamir splits to coexist. */
+    readonly entryId: string;
+    /** Threshold — minimum shares to reconstruct. */
+    readonly k: number;
+    /** Total shares minted at enrollment. */
+    readonly n: number;
+    /** x-coordinates of the n minted shares. Informational. Omitted as of 0.2
+     *  (string-level provider doesn't expose share x-coords); kept optional so
+     *  pre-0.2 entries still read. */
+    readonly xCoords?: ReadonlyArray<number>;
+    /** ISO timestamp. */
+    readonly enrolledAt: string;
+    /** Optional caller-supplied label (e.g., "2-of-3 board escrow"). */
+    readonly label?: string;
+}
+interface ShamirRecoveryDoc {
+    readonly _noydb_recovery: 1;
+    readonly profile: 'shamir';
+    readonly entries: ReadonlyArray<ShamirRecoveryEntry>;
+}
+/** Read the Shamir-recovery entries. Returns empty array when absent. */
+declare function loadShamirRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<ShamirRecoveryEntry>>;
+/** Replace the Shamir-recovery entries (used by enrollment and rotation). */
+declare function saveShamirRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<ShamirRecoveryEntry>): Promise<void>;
+/**
+ * Mint a fresh Shamir recovery entry from a DEK set.
+ *
+ * 1. Generates a 32-byte recovery secret.
+ * 2. Wraps the DEK set under that secret via
+ *    {@link mintWrappedDeksBlob} (the recovery secret is base64-
+ *    encoded as the credential string — PBKDF2 over high-entropy
+ *    input is harmless overhead).
+ * 3. Splits the recovery secret via Shamir into `n` shares with
+ *    threshold `k`.
+ * 4. Zeros the in-memory recovery secret after wrapping + splitting.
+ *
+ * Returns:
+ *   - `entry` — the {@link ShamirRecoveryEntry} to persist.
+ *   - `shareStrings` — the `n` Base32-encoded share strings to
+ *     return to the caller. The HUB MUST NOT PERSIST THESE; once
+ *     returned they are the user's responsibility.
+ *
+ * @param deks - DEK set to wrap.
+ * @param entryId - Stable id for this entry (caller-supplied or
+ *                  hub-generated).
+ * @param k - Threshold (>= 2).
+ * @param n - Total shares (k <= n <= 255).
+ * @param label - Optional caller label.
+ */
+declare function mintShamirRecoveryEntry(provider: ShamirRecoveryProvider, deks: Map<string, CryptoKey>, entryId: string, k: number, n: number, label?: string): Promise<{
+    entry: ShamirRecoveryEntry;
+    shareStrings: string[];
+}>;
+/**
+ * Decrypt a Shamir recovery entry to recover the raw DEK set.
+ *
+ * Combines K or more `shares`, reconstructs the recovery secret,
+ * unwraps the DEKs via {@link unwrapDeksFromBlob}.
+ *
+ * Throws (AES-GCM auth-tag mismatch) when the shares don't combine
+ * to the secret originally used to mint the entry — typically
+ * because they came from a different enrollment or were tampered
+ * with. Callers iterating multiple entries should catch.
+ */
+declare function unwrapDeksFromShamirEntry(provider: ShamirRecoveryProvider, entry: ShamirRecoveryEntry, shareStrings: readonly string[]): Promise<Map<string, CryptoKey>>;
+/**
+ * Generate one paper-recovery entry from an unlocked DEK set.
+ *
+ * Returns the serializable entry (persisted via
+ * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
+ * DEK set, then mints a fresh KEK from the user's new passphrase.
+ *
+ * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
+ * lives in the shared primitive; this function just adds paper-
+ * recovery's own metadata (`codeId`, `enrolledAt`).
+ *
+ * @param deks      Map of collection-name → DEK (extractable).
+ * @param code      The plaintext recovery code (caller-supplied;
+ *                  pair this with `@noy-db/on-recovery`'s code
+ *                  generator/parser if available).
+ * @param codeId    Stable id used by `burnPaperRecoveryEntry`.
+ */
+declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: string, codeId: string): Promise<PaperRecoveryEntry>;
+/**
+ * Decrypt a recovery entry to recover the raw DEK set. Used by the
+ * `recoverPassphrase` flow after the user's code has been parsed.
+ *
+ * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
+ *
+ * @throws when the code does not match the entry (AES-GCM auth tag fail).
+ */
+declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
+
 /**
  * Tier-2 authenticator slot management — issue #11.
  *
@@ -3010,6 +3439,26 @@ declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring:
 interface UpdateAuthenticatorOptions {
     readonly meta?: Record<string, unknown>;
 }
+/**
+ * Mutate a tier-2 authenticator slot's `meta` blob (slot rename,
+ * label changes). The slot's `id`, `method`, and wrap material
+ * (`wrapped_kek` for wrap-KEK; `wrapped_deks` + `iv` for wrap-DEKs)
+ * are immutable through this entry point — the anti-slot-swap guard
+ * is structural, not gate-driven, so even if the policy gate is
+ * weakened a future caller cannot use this path to swap one slot's
+ * crypto for another's.
+ *
+ * `meta` patch semantics:
+ *   - Top-level merge — absent keys preserved, present keys overwrite
+ *   - `null` value — delete that meta key
+ *   - Non-object values (string, number, boolean, array) — replace verbatim
+ *
+ * @throws `NoAccessError` when no slot with the given id exists.
+ * @throws `ValidationError` when no patch field is provided.
+ *
+ * @see #55
+ */
+declare function updateAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string, options: UpdateAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
  * Drop a slot by id. No-op if the slot doesn't exist (idempotent —
  * removing a non-existent slot is a recoverable retry, not an error).
@@ -3044,8 +3493,8 @@ declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): Ke
 /**
  * Context handed to a {@link SlotRewrapCeremony} when `rotatePassphrase`
  * preserves a tier-2 slot. The ceremony's job is to re-derive its
- * method-specific wrapping material (PRF assertion, PBKDF2 of a
- * daily-password, etc.) and wrap the freshly rewrapped DEK set under
+ * method-specific wrapping material (PRF assertion, PBKDF2 of the
+ * password, etc.) and wrap the freshly rewrapped DEK set under
  * the new wrapping key.
  *
  * Two surfaces are exposed:
@@ -3123,7 +3572,15 @@ interface RotatePassphraseInput {
  *         slot's id or method (anti-slot-swap guard).
  */
 declare function rotatePassphrase(store: NoydbStore, vault: string, userId: string, input: RotatePassphraseInput): Promise<UnlockedKeyring>;
-/** Caller payload for {@link recoverPassphrase}. */
+/**
+ * Caller payload for {@link recoverPassphrase}.
+ *
+ * As of #196 slice 1, `paper` and `shamir` are wired end-to-end.
+ * The remaining two profiles (`multi-channel`, `admin-mediated`)
+ * stay outside the union and throw
+ * {@link RecoveryProfileNotImplementedError} at the runtime guard
+ * when bypassed via `as unknown as RecoveryProof`.
+ */
 type RecoveryProof = {
     readonly profile: 'paper';
     readonly payload: {
@@ -3132,19 +3589,12 @@ type RecoveryProof = {
 } | {
     readonly profile: 'shamir';
     readonly payload: {
+        /** Optional disambiguator when multiple Shamir entries are enrolled.
+         *  When omitted, hub tries each entry until one combines. */
+        readonly entryId?: string;
+        /** K or more opaque share strings, as returned by `ShamirRecoveryProvider.splitToShares`. */
         readonly shares: ReadonlyArray<string>;
     };
-} | {
-    readonly profile: 'multi-channel';
-    readonly payload: {
-        readonly proofs: ReadonlyArray<unknown>;
-    };
-} | {
-    readonly profile: 'admin-mediated';
-    readonly payload: {
-        readonly token: string;
-        readonly factor?: unknown;
-    };
 };
 interface RecoverPassphraseInput {
     readonly newPassphrase: string;
@@ -3205,20 +3655,97 @@ interface RecoverPassphraseResult {
     readonly newCodes: readonly string[];
 }
 /**
- * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
- * supports the `'paper'` profile via `@noy-db/on-recovery` entries
- * persisted in `_meta/recovery-paper`. The other three profiles throw
- * {@link RecoveryProfileNotImplementedError}.
- *
- * On success, the used recovery entry is burned (deleted from the
- * stored set).
+ * Input for {@link Noydb.rotateRecovery} (#121) — deliberate
+ * recovery-credential regeneration when the user knows their
+ * passphrase but wants a fresh sheet (paper) or fresh shares
+ * (shamir). Symmetric to {@link RotatePassphraseInput}.
  */
-declare function recoverPassphrase(store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
-
+type RotateRecoveryOptions = {
+    readonly profile: 'paper';
+    /** How many fresh codes to mint. Default: existing sheet size. */
+    readonly count?: number;
+    /** Optional code generator — see {@link RecoverPassphraseInput.codeGenerator}. */
+    readonly codeGenerator?: () => string;
+} | {
+    readonly profile: 'shamir';
+    /** New threshold. */
+    readonly k: number;
+    /** New total share count. */
+    readonly n: number;
+    /** Disambiguator when multiple Shamir entries exist; required if there are 2+. */
+    readonly entryId?: string;
+    /** Optional updated label. */
+    readonly label?: string;
+};
 /**
- * Atomic peer-recovery primitive — issues #33 + #34.
+ * Result of {@link Noydb.rotateRecovery}. Shape varies by profile:
  *
- * `recoverUser` is a SEPARATE operation from `revoke + grant`. It
+ * - `paper` → `{ newCodes: string[] }` (and `entryId === 'paper-batch'`)
+ * - `shamir` → `{ newShares: string[], entryId }`
+ *
+ * `newCodes` is populated for paper rotations; `newShares` for
+ * Shamir rotations. Both are show-once — the hub does not
+ * retain them.
+ */
+interface RotateRecoveryResult {
+    readonly newCodes?: readonly string[];
+    readonly newShares?: readonly string[];
+    readonly entryId?: string;
+}
+/**
+ * Result of {@link Noydb.enrollRecovery}. Shape varies by profile:
+ *
+ * - `paper` → `{ entryId: 'paper-batch' }` (caller minted the
+ *   entries; this is a sentinel since paper enrollments are batch-shaped).
+ * - `shamir` → `{ entryId, shares: string[] }` — shares are
+ *   show-once; the hub does not retain them.
+ */
+interface EnrollRecoveryResult {
+    readonly entryId: string;
+    readonly shares?: readonly string[];
+}
+/**
+ * Input shape for {@link Noydb.enrollRecovery} and
+ * {@link Noydb.openVaultAndEnrollRecovery} (#195). Discriminated
+ * union over recovery profiles.
+ *
+ * - `paper`: caller pre-mints entries (typically via
+ *   `mintPaperRecoveryEntry` or `@noy-db/on-recovery`'s
+ *   `generateRecoveryCodeSet`) and passes them in. The hub stores
+ *   them and surfaces an opaque batch id.
+ * - `shamir`: hub mints the recovery secret + the shares at
+ *   enrollment time. The shares are returned in
+ *   {@link EnrollRecoveryResult.shares} (show-once); the hub never
+ *   retains them.
+ *
+ * Multi-channel and admin-mediated will be added when the respective
+ * dispatch slices ship.
+ */
+type RecoveryEnrollmentInput = {
+    readonly profile: 'paper';
+    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
+} | {
+    readonly profile: 'shamir';
+    readonly k: number;
+    readonly n: number;
+    readonly label?: string;
+    readonly entryId?: string;
+};
+/**
+ * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
+ * supports the `'paper'` profile via `@noy-db/on-recovery` entries
+ * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * {@link RecoveryProfileNotImplementedError}.
+ *
+ * On success, the used recovery entry is burned (deleted from the
+ * stored set).
+ */
+declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined, store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
+
+/**
+ * Atomic peer-recovery primitive — issues #33 + #34.
+ *
+ * `recoverUser` is a SEPARATE operation from `revoke + grant`. It
  * exists because peer-recovery has different semantics than account
  * removal-then-reissue:
  *
@@ -3295,183 +3822,6 @@ interface RecoverUserOptions {
  */
 declare function recoverUser(store: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RecoverUserOptions): Promise<void>;
 
-/**
- * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
- * pattern of "serialize a DEK set, encrypt it under a credential-derived
- * AES-GCM key." Used by:
- *
- *   - **tier-0** — paper recovery entries (`_meta/recovery-paper`),
- *     credential = the printed code.
- *   - **tier-2** — password authenticator slots (`KeyringFile.authenticators`,
- *     `wrapKind: 'deks'`), credential = the daily password.
- *
- * **Not** used by `@noy-db/on-pin` — tier-3 wraps the DEK set under
- * the same conceptual pattern but at **100,000 PBKDF2 iterations**
- * (vs the 600,000 here), because the protection window for a PIN
- * slot is short (idle-timeout-bounded, typically 15 min) and 600k
- * iterations would make every PIN-resume noticeably slow. The wire
- * formats are deliberately incompatible. See `@noy-db/on-pin`'s
- * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
- * module docstring.
- *
- * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
- * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
- * `@noy-db/on-password`). Both functions did identical work — PBKDF2
- * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
- * their implementations had drifted apart enough that fixing a bug
- * in one wouldn't fix the other.
- *
- * This module owns the canonical implementation. Consumers compose:
- *
- *   - `mintPaperRecoveryEntry` is now a thin wrapper that calls
- *     `mintWrappedDeksBlob` and adds `{ codeId, enrolledAt }`.
- *   - `enrollPasswordAuthenticator` calls `mintWrappedDeksBlob` and
- *     wraps the result in the slot envelope.
- *
- * @module
- */
-/**
- * The wrap-DEKs primitive — a serialized + AES-GCM-encrypted DEK set
- * keyed under a credential-derived key.
- *
- * All three fields are base64-encoded so the blob is JSON-safe and
- * round-trips through `_meta/*` envelopes (which carry plaintext
- * JSON in `_data`).
- *
- * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
- * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
- * carries the same three fields with `salt` stored in `meta` for
- * slot-format back-compat (#44 defers moving it to top-level).
- */
-interface WrappedDeksBlob {
-    /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
-    readonly salt: string;
-    /** Base64 AES-GCM IV used for the `wrappedDeks` ciphertext. */
-    readonly iv: string;
-    /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */
-    readonly wrappedDeks: string;
-}
-/**
- * Mint a fresh `WrappedDeksBlob` from a DEK set + a string credential.
- *
- * Generates a random salt + IV, derives a 256-bit AES-GCM key via
- * PBKDF2-SHA256(credential, salt, 600K), serializes the DEK set as
- * `{ deks: { coll: rawBase64 } }`, and AES-GCM-encrypts.
- *
- * The `credential` is the user-typed string (recovery code, daily
- * password, PIN). Caller normalization rules apply (e.g. paper
- * recovery uppercase-strips the code before reaching this function).
- *
- * @param deks - DEK set to wrap. Each DEK must be exportable via
- *               `subtle.exportKey('raw', dek)` (the hub mints DEKs
- *               this way; consumers feeding non-extractable keys
- *               will get `InvalidAccessError` from WebCrypto).
- * @param credential - String input the consumer minted (paper code,
- *               password, PIN). Treated as opaque bytes by PBKDF2.
- */
-declare function mintWrappedDeksBlob(deks: Map<string, CryptoKey>, credential: string): Promise<WrappedDeksBlob>;
-/**
- * Reverse of {@link mintWrappedDeksBlob}. Re-derives the wrapping key
- * from the credential + stored salt, AES-GCM-decrypts the wrapped DEK
- * set, and re-imports each DEK as an extractable AES-GCM CryptoKey.
- *
- * Throws (AES-GCM auth tag failure) when the credential doesn't
- * match the blob. Callers iterating over multiple blobs (e.g. paper
- * recovery's "try every entry until one matches") should catch.
- */
-declare function unwrapDeksFromBlob(blob: WrappedDeksBlob, credential: string): Promise<Map<string, CryptoKey>>;
-
-/**
- * Recovery profile persistence + dispatch — issue #10.
- *
- * v0.1.0-pre.5 wires the **paper** profile end-to-end through
- * `@noy-db/on-recovery`. The other three profiles (Shamir,
- * multi-channel, admin-mediated) ship the API surface and throw
- * {@link RecoveryProfileNotImplementedError} during use; per-profile
- * dispatch lands in follow-up issues.
- *
- * Storage layout:
- *
- * ```
- * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.
- * _meta/recovery-shamir      — reserved
- * _meta/recovery-multi       — reserved
- * _meta/recovery-admin       — reserved
- * ```
- *
- * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON
- * with empty `_iv` — the recovery-code wrapping is what protects the
- * KEK; the entries themselves are inert without the user's code.
- *
- * @module
- */
-
-/**
- * One paper recovery code as persisted in `_meta/recovery-paper`.
- *
- * The hub's KEK is intentionally non-extractable (see `crypto.ts`),
- * so the recovery entry can't AES-KW-wrap the KEK directly. Instead
- * we wrap a serialized DEK set: the entry holds the AES-GCM
- * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery
- * deserializes the DEK set, then mints a fresh KEK from the new
- * passphrase and rewraps the DEKs under it.
- *
- * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick
- * resume — the cryptographic guarantee is identical (AES-GCM with a
- * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
- * constraint cleanly.
- *
- * Type-level composition (#44): `PaperRecoveryEntry extends
- * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
- * `wrappedDeks`) come from the shared primitive; `codeId` and
- * `enrolledAt` are paper-recovery's own metadata. Wire format
- * unchanged.
- */
-interface PaperRecoveryEntry extends WrappedDeksBlob {
-    readonly codeId: string;
-    readonly enrolledAt: string;
-}
-interface PaperRecoveryDoc {
-    readonly _noydb_recovery: 1;
-    readonly profile: 'paper';
-    readonly entries: ReadonlyArray<PaperRecoveryEntry>;
-}
-/** Read the paper-recovery entries. Returns empty array when absent. */
-declare function loadPaperRecoveryEntries(store: NoydbStore, vault: string): Promise<ReadonlyArray<PaperRecoveryEntry>>;
-/** Replace the paper-recovery entries (used after burn-on-recovery). */
-declare function savePaperRecoveryEntries(store: NoydbStore, vault: string, entries: ReadonlyArray<PaperRecoveryEntry>): Promise<void>;
-/** Drop a single paper-recovery entry (burn-on-use). */
-declare function burnPaperRecoveryEntry(store: NoydbStore, vault: string, codeId: string): Promise<void>;
-/** Whether at least one recovery profile has any enrolled entries. */
-declare function hasRecoveryEnrolled(store: NoydbStore, vault: string): Promise<boolean>;
-/**
- * Generate one paper-recovery entry from an unlocked DEK set.
- *
- * Returns the serializable entry (persisted via
- * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
- * DEK set, then mints a fresh KEK from the user's new passphrase.
- *
- * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
- * lives in the shared primitive; this function just adds paper-
- * recovery's own metadata (`codeId`, `enrolledAt`).
- *
- * @param deks      Map of collection-name → DEK (extractable).
- * @param code      The plaintext recovery code (caller-supplied;
- *                  pair this with `@noy-db/on-recovery`'s code
- *                  generator/parser if available).
- * @param codeId    Stable id used by `burnPaperRecoveryEntry`.
- */
-declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: string, codeId: string): Promise<PaperRecoveryEntry>;
-/**
- * Decrypt a recovery entry to recover the raw DEK set. Used by the
- * `recoverPassphrase` flow after the user's code has been parsed.
- *
- * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
- *
- * @throws when the code does not match the entry (AES-GCM auth tag fail).
- */
-declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
-
 /**
  * Public envelope — owner-curated plaintext metadata, readable
  * before vault unlock or bundle decryption.
@@ -3692,6 +4042,33 @@ interface StagedOp {
     id: string;
     record?: unknown;
     expectedVersion?: number;
+    /**
+     * Optional human-readable tag forwarded to the resulting ledger
+     * entry's `reason` field (#1). Set by callers via
+     * `tx.vault(v).collection(c).put(id, record, { reason })`.
+     */
+    reason?: string;
+}
+/**
+ * One executed op (main staged op or recursive side-effect like a
+ * derivation output) paired with the envelope captured before the write.
+ * `revertExecuted` walks this array in reverse on rollback.
+ * @internal
+ */
+interface ExecutedOp {
+    op: StagedOp;
+    priorEnvelope: EncryptedEnvelope | null;
+}
+/**
+ * Options accepted by `db.transaction({ amendment, reason }, fn)`.
+ * Only the amendment variant uses these — a plain `db.transaction(fn)`
+ * never sees this shape.
+ */
+interface AmendmentTxOptions {
+    /** Opt into amendment mode. Required to be `true`. */
+    readonly amendment: true;
+    /** Human-readable rationale recorded in the ledger entry. Required. */
+    readonly reason: string;
 }
 /**
  * Transaction handle passed to the user's body. Use
@@ -3701,10 +4078,27 @@ interface StagedOp {
 declare class TxContext {
     /** @internal */
     readonly _ops: StagedOp[];
+    /**
+     * @internal — write log built up in Phase 2. Each entry records the
+     * envelope captured BEFORE the write so a mid-batch failure can
+     * restore prior state via `revertExecuted`. Side-effect writes (e.g.
+     * recursive derivation outputs fired inside `Collection.put`) are
+     * appended here in execution order so they roll back alongside the
+     * main staged ops (#133).
+     */
+    readonly _executed: ExecutedOp[];
     /** @internal */
     readonly _db: Noydb;
+    /**
+     * @internal — true when this TxContext was opened in amendment
+     * mode. Toggles the lazy-`beginAmendment` + role-check path on first
+     * `tx.vault(name)` and unlocks the post-Phase-2 invariant + audit run.
+     */
+    readonly _amendment: boolean;
+    /** @internal — vaults that have already had `beginAmendment` called. */
+    readonly _amendmentVaults: Map<string, Vault>;
     /** @internal */
-    constructor(db: Noydb);
+    constructor(db: Noydb, amendment?: boolean);
     /** Scope subsequent `collection()` calls to the named vault. */
     vault(name: string): TxVault;
 }
@@ -3743,6 +4137,7 @@ declare class TxCollection<T> {
      */
     put(id: string, record: T, options?: {
         expectedVersion?: number;
+        reason?: string;
     }): void;
     /**
      * Stage a delete. Does not write until the transaction body returns.
@@ -3754,14 +4149,16 @@ declare class TxCollection<T> {
     }): void;
 }
 /**
- * Commit plan: pre-flight check + execution + revert plan. Returned
- * from `runTransaction`.
+ * Commit plan: pre-flight check + execution + revert plan.
  *
- * @internal — exposed only for the `Collection.putMany({atomic:true})`
- * wire-up so the bulk path can share the executor without creating
- * an outer TxContext.
+ * @internal — driven by `withTransactions()` (via `tx/active.ts`) for
+ * user-facing `db.transaction(...)` calls and by the `amendment` path
+ * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop
+ * but shares the `_activeTxContext` mechanism (and the `revertExecuted`
+ * helper) so nested side-effect derivation writes get registered for
+ * revert alongside the bulk-put source ops (#133).
  */
-declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 
 /**
  * Policy gate DSL types — issue #9.
@@ -3788,7 +4185,7 @@ declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T>
  * | `shamir` | k-of-n threshold share (`@noy-db/on-shamir`) | yes |
  * | `webauthn-roaming` | hardware key (YubiKey, SoloKey, Titan) | yes (key portable) |
  * | `webauthn-platform` | platform passkey (Touch ID, Face ID, Hello) | no (device-bound) |
- * | `password` | tier-2 daily password (`@noy-db/on-password`) | no |
+ * | `password` | tier-2 password (`@noy-db/on-password`) | no |
  * | `pin` | tier-3 quick-resume PIN (`@noy-db/on-pin`) | no |
  *
  * Off-device kinds (TOTP, email-OTP, recovery, shamir, roaming WebAuthn)
@@ -3845,6 +4242,16 @@ interface GatePolicy {
  * configured policy as "no gate" (no-op).
  */
 type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
+/**
+ * Authorize a deliberate paper-recovery-code regeneration —
+ * `db.rotateRecovery` (#121). Symmetric to `rotate-passphrase` for
+ * the case where the user remembers their passphrase but wants a
+ * fresh sheet (lost the printout, suspect compromise of the off-site
+ * copy). PERSONAL allows tier-1; STRICT requires an off-device
+ * factor so a stolen unlocked laptop cannot silently mint a new
+ * sheet for an attacker.
+ */
+ | 'rotate-recovery'
 /**
  * Authorize a meta-only mutation on an existing authenticator slot —
  * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
@@ -3897,6 +4304,25 @@ interface FactorProof {
     /** Method-specific payload. The engine treats it as opaque — verification is delegated. */
     readonly payload?: unknown;
 }
+/**
+ * Bundle of factor proofs + session-context flags passed to a gated
+ * Noydb method. Used as the optional last parameter of every method
+ * that runs through `checkGate`: `db.grant`, `db.revoke`, `db.updateUser`,
+ * `db.enrollAuthenticator`, `db.removeAuthenticator`, `db.updateAuthenticator`,
+ * `db.enrollWebAuthn`, `db.rotatePassphrase`, `db.recoverPassphrase`,
+ * `db.recoverUser`, `db.enrollUnlock`, `db.describeUserAuth`,
+ * `db.describeAllUsersAuth`.
+ *
+ * Pre-#89 this type was inlined at every call site as
+ * `{ factors?: ReadonlyArray<FactorProof>; sharedDevice?: boolean }`
+ * and parameter names alternated between `factors` and `presented`.
+ * Now exported so consumers can name their helpers and so the param
+ * name converges to `factors` everywhere.
+ */
+interface FactorProofBundle {
+    readonly factors?: ReadonlyArray<FactorProof>;
+    readonly sharedDevice?: boolean;
+}
 /** Active session tier — what the engine compares against `gate.minTier`. */
 type ActiveTier = 1 | 2 | 3;
 
@@ -3918,6 +4344,14 @@ declare class Noydb {
      * `_meta/policy` load; replaced by `db.updatePolicy()`.
      */
     private readonly policyCache;
+    /**
+     * One-shot bypass for the managed-mode strong-recovery check (#195).
+     * Set true by {@link openVaultAndEnrollRecovery} for the duration of
+     * the bootstrap window so the keyring can be created before the
+     * strong recovery is enrolled. Always cleared (try/finally).
+     * @internal
+     */
+    private _skipNextManagedRecoveryCheck;
     /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
     private readonly quickUnlock;
     /**
@@ -3933,6 +4367,17 @@ declare class Noydb {
     private readonly txStrategy;
     private readonly sessionStrategy;
     private readonly syncStrategy;
+    /**
+     * Currently-running multi-record transaction, set by
+     * `runTransaction` at the start of Phase 2 (commit) and cleared in
+     * the same function's `finally` block. Side-effect writes triggered
+     * during a staged op's `Collection.put` (today: eager derivation
+     * outputs) register their pre-write envelope on `_executed` here so
+     * a mid-batch failure rolls them back alongside the main staged ops
+     * (#133). `null` outside of Phase 2.
+     * @internal
+     */
+    private _activeTxContext;
     /**
      * In-process translation cache. Key is `"${field}\x00${collection}\x00${from}\x00${to}\x00${text}"`.
      * Cleared on `close()` alongside the KEK and DEKs.
@@ -3972,10 +4417,27 @@ declare class Noydb {
     }): Promise<Vault>;
     /** Synchronous vault access (must call openVault first, or auto-opens). */
     vault(name: string): Vault;
-    /** Grant access to a user for a vault. */
-    grant(vault: string, options: GrantOptions): Promise<void>;
-    /** Revoke a user's access to a vault. */
-    revoke(vault: string, options: RevokeOptions): Promise<void>;
+    /**
+     * Grant access to a user for a vault.
+     *
+     * Gated by `enroll-user`. `STRICT_POLICY` requires a TOTP / email-OTP
+     * factor proof so the operator affirmatively re-asserts identity at
+     * the moment of grant; `PERSONAL_POLICY` accepts a tier-1 unlock alone.
+     *
+     * The legacy `requireReAuthFor: ['grant']` session-policy check still
+     * fires on top — both are independent opt-ins.
+     */
+    grant(vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
+    /**
+     * Revoke a user's access to a vault.
+     *
+     * Gated by `revoke-user`. `STRICT_POLICY` requires a TOTP / email-OTP
+     * factor proof; `PERSONAL_POLICY` accepts a tier-1 unlock alone.
+     *
+     * The legacy `requireReAuthFor: ['revoke']` session-policy check still
+     * fires on top — both are independent opt-ins.
+     */
+    revoke(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Mutate post-grant identity fields on an existing keyring — `role`,
      * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
@@ -4018,10 +4480,7 @@ declare class Noydb {
      *
      * @see #54
      */
-    updateUser(vault: string, options: UpdateUserOptions, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    updateUser(vault: string, options: UpdateUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Rotate the DEKs for the given collections in a vault.
      *
@@ -4154,8 +4613,17 @@ declare class Noydb {
      * ```
      */
     queryAcross<T>(vaultIds: string[], fn: (vault: Vault) => Promise<T>, options?: QueryAcrossOptions): Promise<QueryAcrossResult<T>[]>;
-    /** Change the current user's passphrase for a vault. */
-    changeSecret(vault: string, newPassphrase: string): Promise<void>;
+    /**
+     * Change the current user's passphrase for a vault.
+     *
+     * Validates the new passphrase against the strength rules. Pass
+     * `{ allowWeakPassphrase: true }` to skip — typically only useful for
+     * fixtures and migrations. Pass a `PassphrasePolicy` to override the
+     * default rules (e.g. consumer-tunable `pattern` / `customValidator`).
+     */
+    changeSecret(vault: string, newPassphrase: string, options?: PassphrasePolicy & {
+        allowWeakPassphrase?: boolean;
+    }): Promise<void>;
     /** Push local changes to remote for a vault. */
     push(vault: string, options?: PushOptions): Promise<PushResult>;
     /** Pull remote changes to local for a vault. */
@@ -4187,6 +4655,16 @@ declare class Noydb {
      * which batches push/pull across sync peers.
      */
     transaction<T>(fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+    /**
+     * Open an amendment-mode transaction. Requires `admin` or `owner`
+     * role on every vault touched by the body; throws
+     * `AmendmentForbiddenError` on first non-privileged `tx.vault(name)`
+     * call. Guard `check` callbacks are SKIPPED inside an amendment —
+     * the staged change-set is fed to each guard's `amendment.invariant`
+     * after the body returns, and the multi-record summary is appended
+     * to the vault's ledger as `op: 'amendment'`.
+     */
+    transaction<T>(options: AmendmentTxOptions, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
     /**
      * Create a sync transaction for the given vault.
      * The vault must already be open via `openVault()`.
@@ -4202,13 +4680,57 @@ declare class Noydb {
      * @internal
      */
     get _store(): NoydbStore;
-    /** Get sync status for a vault. */
-    syncStatus(vault: string): SyncStatus;
-    private getSyncEngine;
-    on<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
-    off<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
     /**
-     * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
+     * Currently-running multi-record transaction, or `null` outside
+     * Phase 2. `Collection.dispatchDerivations` consults this so a
+     * recursive derived-output write inside `Collection.put` can register
+     * its envelope onto `ctx._executed` and roll back with the main
+     * staged ops on mid-batch failure (#133).
+     *
+     * @internal
+     */
+    get _activeTxContextOrNull(): TxContext | null;
+    /**
+     * Called by `runTransaction` at Phase 2 start, and by
+     * `Collection.putManyAtomic` (via `derivationSource.setActiveTxContext`)
+     * for its own Phase 2 loop. Nested or concurrent (non-nested)
+     * transactions on the same Noydb instance are NOT supported —
+     * overwriting an active context means another transaction is still
+     * running and its `_executed` list would be cross-contaminated by
+     * the nested writes. We tolerate the overwrite (best-effort, no
+     * throw) to keep the rare interleaving from breaking consumers who
+     * currently get lucky with timing, but applications should ensure
+     * their multi-record commits are serialised on a single Noydb.
+     *
+     * @internal
+     */
+    _setActiveTxContext(ctx: TxContext): void;
+    /**
+     * Factory for a transient `TxContext` bound to this Noydb. Used by
+     * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
+     * to publish an active context for the duration of its bulk-atomic
+     * Phase 2 loop, so recursive derivation-output writes register on
+     * `ctx._executed` and roll back together with the source ops (#133).
+     *
+     * @internal
+     */
+    _createTxContext(): TxContext;
+    /**
+     * Called by `runTransaction` in its `finally`. Only clears when the
+     * passed ctx matches the active one — a defensive no-op if some
+     * other code path already cleared it.
+     *
+     * @internal
+     */
+    _clearActiveTxContext(ctx: TxContext): void;
+    /** Get sync status for a vault. */
+    syncStatus(vault: string): SyncStatus;
+    private requireShamirProvider;
+    private getSyncEngine;
+    on<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
+    off<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
+    /**
+     * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
      * instance, sync engine, policy enforcer, and active-tier entry —
      * WITHOUT destroying the `Noydb` instance.
      *
@@ -4259,6 +4781,27 @@ declare class Noydb {
      * change is fundamentally a privilege-management action).
      */
     updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
+    /**
+     * Read the current vault-level user-directory toggle (#122). Returns
+     * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
+     * document has been persisted yet.
+     *
+     * No role gate — anyone who can open the vault can read the toggle.
+     */
+    getDirectoryEnabled(vault: string): Promise<boolean>;
+    /**
+     * Toggle the vault's user-directory listing on or off (#122).
+     * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
+     * {@link import('./errors.js').DirectoryDisabledError} for callers
+     * whose role is neither `owner` nor `admin`.
+     *
+     * Honest caveat: this is a UX flag, not a privacy guarantee. The
+     * keyring file at `_keyring/<userId>` and the envelope ciphertext at
+     * `_users/<keyringId>` remain observable to anyone with direct store
+     * read access — only the hub-level enumeration is gated. See
+     * `docs/subsystems/user-envelope.md` → "Directory visibility".
+     */
+    setDirectoryEnabled(vault: string, enabled: boolean): Promise<void>;
     /**
      * Evaluate a policy gate against the active session tier and the
      * presented factor proofs. Throws {@link PolicyDeniedError} on
@@ -4269,22 +4812,33 @@ declare class Noydb {
      *                 or app-defined (`app:*`).
      * @param presented Caller-supplied factor proofs.
      */
-    checkGate(vault: string, gate: GateName, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    checkGate(vault: string, gate: GateName, factors?: FactorProofBundle): Promise<void>;
     /** Read or persist the vault policy at `_meta/policy` on first open. */
     private bootstrapPolicy;
     /**
-     * Throw {@link RecoveryNotEnrolledError} when the developer
-     * explicitly opts into strict mandatory-recovery enforcement
-     * (`createNoydb({ requireRecovery: true })`) and no recovery
-     * entries are persisted.
+     * Throw {@link RecoveryNotEnrolledError} or
+     * {@link ManagedRecoveryNotEnrolledError} when recovery enrollment
+     * is missing.
+     *
+     * Two enforcement modes:
+     *
+     * 1. **Managed-mode mandatory strong-recovery (#195).** When
+     *    `passphraseMode === 'managed'`, the vault MUST have at least
+     *    one **strong** recovery profile (Shamir today). Paper alone is
+     *    rejected because under managed mode the user has no memorized
+     *    passphrase, so losing the paper sheet = losing every record.
+     *    This check is unconditional — independent of `requireRecovery`
+     *    and the `recover-passphrase` gate.
      *
-     * The default behavior is lenient — `recover-passphrase` is enabled
-     * in `PERSONAL_POLICY` but the hub does not block vault open on
-     * missing enrollment. v1.0 will flip the default to strict; for now,
-     * apps that want the spec-mandated check turn it on per-vault.
+     * 2. **Opt-in strict mandatory-recovery.** When
+     *    `requireRecovery: true` is set on createNoydb (and the gate is
+     *    not explicitly disabled), require ANY recovery profile (paper
+     *    or shamir). This is the v0.x default-off behavior; v1.0 may
+     *    flip it default-on.
+     *
+     * The managed-mode check fires from {@link bootstrapPolicy} unless
+     * the `skipManagedCheck` flag is set (used by
+     * {@link openVaultAndEnrollRecovery} to allow atomic create-and-enroll).
      */
     private assertRecoveryEnrolled;
     /**
@@ -4305,19 +4859,13 @@ declare class Noydb {
      * Gated by `enroll-authenticator`; `presented` carries any factor
      * proofs the active policy demands.
      */
-    enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Remove a tier-2 authenticator slot. Idempotent — removing a
      * non-existent slot is a successful no-op. Gated by
      * `remove-authenticator`.
      */
-    removeAuthenticator(vault: string, slotId: string, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
     /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
     listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
     /**
@@ -4348,10 +4896,7 @@ declare class Noydb {
      *
      * @see #55
      */
-    updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Native WebAuthn enrollment using the **real** internal keyring (#16).
      *
@@ -4399,10 +4944,7 @@ declare class Noydb {
      *
      * @see #16
      */
-    enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<{
+    enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
         credentialId: string;
     }>;
     /**
@@ -4463,15 +5005,9 @@ declare class Noydb {
      * disabled). Sanitization is allowlist-based — never renders cred
      * ids, password hashes, secrets, or any field outside the allowlist.
      */
-    describeUserAuth(vault: string, userId: string, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<string>;
+    describeUserAuth(vault: string, userId: string, factors?: FactorProofBundle): Promise<string>;
     /** Bulk variant for owner dashboards. Gated by `view-user-auth`. */
-    describeAllUsersAuth(vault: string, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<Array<{
+    describeAllUsersAuth(vault: string, factors?: FactorProofBundle): Promise<Array<{
         userId: string;
         description: string;
     }>>;
@@ -4489,10 +5025,7 @@ declare class Noydb {
      * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
      * @throws `InvalidKeyError` when `oldPassphrase` is wrong.
      */
-    rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
     /**
      * Reset the passphrase using a recovery proof (user forgot the old).
      * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
@@ -4500,10 +5033,124 @@ declare class Noydb {
      *
      * Burns the used recovery entry on success.
      */
-    recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<RecoverPassphraseResult>;
+    recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
+    /**
+     * Deliberate paper-recovery-code regeneration (#121). User knows their
+     * passphrase but wants a fresh sheet — they lost the printout or
+     * suspect compromise of the off-site copy.
+     *
+     * Symmetric to {@link rotatePassphrase} for the recovery profile:
+     * gated, audit-trackable, ergonomic. Replaces (not appends) the
+     * paper sheet under `_meta/recovery-paper` in a single envelope `put`.
+     *
+     * Gated by the `rotate-recovery` policy gate:
+     *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
+     *     suffices, matching the pre-#121 low-level flow's bar.
+     *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
+     *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
+     *     off-site-trust event; require an off-device factor so a
+     *     stolen unlocked laptop cannot silently mint a sheet for the
+     *     attacker.
+     *
+     * Defaults `count` to the existing sheet size so consumers aren't
+     * surprised by a different code count. Explicit `count` overrides.
+     *
+     * @throws {@link RecoveryProfileNotImplementedError} when `profile`
+     *         is anything other than `'paper'` (v1 dispatch limit).
+     * @throws {@link PolicyDeniedError} when the gate denies (missing
+     *         factor, tier mismatch, ...).
+     * @throws on missing paper sheet — "nothing to rotate" surfaces as
+     *         an error rather than silently minting an entire new sheet.
+     *
+     * @example Default count + show-once UI
+     * ```ts
+     * const { newCodes } = await db.rotateRecovery('acme', { profile: 'paper' })
+     * showCodesToUser(newCodes)
+     * ```
+     *
+     * @example STRICT-policy site with TOTP factor proof
+     * ```ts
+     * await db.rotateRecovery(
+     *   'acme',
+     *   { profile: 'paper', count: 10 },
+     *   { factors: [{ kind: 'totp', proof: '123456' }] },
+     * )
+     * ```
+     */
+    rotateRecovery(vault: string, options: RotateRecoveryOptions, factors?: FactorProofBundle): Promise<RotateRecoveryResult>;
+    private rotateRecoveryPaper;
+    private rotateRecoveryShamir;
+    /**
+     * **Atomic create-and-enroll for managed-mode vaults (#195).**
+     *
+     * Bootstraps a managed-mode vault and enrolls strong recovery in
+     * a single ceremony. Under `passphraseMode: 'managed'`, every
+     * `openVault` call requires a strong recovery profile (Shamir
+     * today) to be enrolled — otherwise it throws
+     * {@link ManagedRecoveryNotEnrolledError}. This method bypasses
+     * the check temporarily so the keyring can be created, enrolls
+     * the supplied recovery profile(s), then returns the vault.
+     *
+     * For Shamir enrollments, the show-once share strings come back
+     * in `recoveryEnrollments[i].shares`. The hub never retains them
+     * — the caller MUST display them to the user (once) before any
+     * subsequent operation.
+     *
+     * Paper alone is NOT a strong profile under managed mode; passing
+     * `{ profile: 'paper', ... }` without an accompanying shamir entry
+     * is rejected at validation time.
+     *
+     * ```ts
+     * const db = await createNoydb({
+     *   store, user: 'alice',
+     *   passphraseMode: 'managed',
+     *   sealingKey: macosKeychainSealingProvider({ ... }),
+     * })
+     *
+     * const { vault, recoveryEnrollments } = await db.openVaultAndEnrollRecovery('acme', {
+     *   recovery: [{ profile: 'shamir', k: 2, n: 3 }],
+     * })
+     * for (const r of recoveryEnrollments) {
+     *   if (r.shares) showSharesToUser(r.shares)  // ONCE
+     * }
+     * ```
+     *
+     * @throws ValidationError if recovery is empty, or contains no
+     *   strong profile under managed mode.
+     */
+    openVaultAndEnrollRecovery(vault: string, opts: {
+        readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>;
+        readonly locale?: string;
+    }): Promise<{
+        readonly vault: Vault;
+        readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
+    }>;
+    /**
+     * **Recovery flow under managed-passphrase mode (#195).**
+     *
+     * Replaces the sealed passphrase of a managed-mode vault with a
+     * fresh 256-bit random, sealed under the configured
+     * `SealingKeyProvider`. The user never sees the new passphrase.
+     *
+     * Internally:
+     *   1. Verify the recovery proof (Shamir today) and unwrap the
+     *      DEK set.
+     *   2. Mint a fresh 256-bit random as the new effective passphrase.
+     *   3. Rewrap the DEK set under a fresh KEK derived from the new
+     *      passphrase (via the existing `recoverPassphrase` path).
+     *   4. Seal the random bytes under the provider and overwrite
+     *      `_meta/sealed-passphrase`.
+     *   5. Drop the keyring cache so the next operation re-derives.
+     *
+     * The vault's strong-recovery enrollment is preserved across
+     * recovery (Shamir entries are not burned on use — see #196).
+     *
+     * @throws ValidationError if the Noydb instance is not in managed mode.
+     */
+    recoverManagedPassphrase(vault: string, options: {
+        readonly recoveryProof: RecoveryProof;
+        readonly passphrasePolicy?: PassphrasePolicy;
+    }): Promise<void>;
     /**
      * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
      * a fresh temp passphrase in a single store write. Closes #34's
@@ -4547,10 +5194,7 @@ declare class Noydb {
      *
      * @see #33 #34 — the issues this method closes.
      */
-    recoverUser(vault: string, options: RecoverUserOptions, factors?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
      * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
      * profile.
@@ -4582,13 +5226,11 @@ declare class Noydb {
      * await db.enrollRecovery('acme', { profile: 'paper', entries })
      * ```
      */
-    enrollRecovery(vault: string, enrollment: {
-        profile: 'paper';
-        entries: ReadonlyArray<PaperRecoveryEntry>;
-    }): Promise<void>;
-    /** Read the persisted paper-recovery entries. Used by `describeAuthConfig` (#13). */
+    enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
+    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
     listRecoveryEntries(vault: string): Promise<{
         paper: ReadonlyArray<PaperRecoveryEntry>;
+        shamir: ReadonlyArray<ShamirRecoveryEntry>;
     }>;
     /**
      * Register a tier-3 quick-unlock state for the vault. The state is
@@ -4599,10 +5241,7 @@ declare class Noydb {
      * Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
      * because tier-3 is a single-slot rolling secret).
      */
-    enrollUnlock(vault: string, state: QuickUnlockState, presented?: {
-        factors?: ReadonlyArray<FactorProof>;
-        sharedDevice?: boolean;
-    }): Promise<void>;
+    enrollUnlock(vault: string, state: QuickUnlockState, factors?: FactorProofBundle): Promise<void>;
     /**
      * Resume a session via the registered tier-3 state. The verifier is
      * `@noy-db/on-pin/resumePin` (or compatible). On success, mark the
@@ -4618,8 +5257,17 @@ declare class Noydb {
     /**
      * Public accessor for the unlocked keyring of a vault — issue #28.
      *
-     * Returns the cached `UnlockedKeyring` (already in memory after
-     * `createNoydb` + first vault touch); loads it on demand if absent.
+     * Returns a **defensive shallow copy** so consumers can read the DEK
+     * map and authenticator list without the risk of mutating the hub's
+     * internal cache (#88). Internal hub code paths use a live reference
+     * via `getKeyringInternal`; ceremonies and external consumers always
+     * get a snapshot.
+     *
+     * The CryptoKey values inside `deks` are not cloned — Web Crypto
+     * keys are opaque handles, and a shared handle is intentional
+     * (encrypt / decrypt go through the same key the cache holds).
+     * Only the container Map / authenticator array is fresh.
+     *
      * Used by `@noy-db/on-*` ceremonies that need the live DEK set
      * (paper recovery via {@link mintPaperRecoveryEntry}, tier-3 PIN
      * enrolment via on-pin's `enrollPin`, custom on-* ceremonies that
@@ -4634,11 +5282,19 @@ declare class Noydb {
      * ```ts
      * const keyring = await db.getKeyring('acme')
      * // keyring.deks: Map<collection, CryptoKey>
-     * // keyring.kek:  CryptoKey   (non-extractable; null for tier-3 sessions)
+     * // keyring.kek:  CryptoKey | null   (null for tier-3 / wrap-DEKs sessions)
      * // keyring.role / .permissions / .authenticators
      * ```
      */
     getKeyring(vault: string): Promise<UnlockedKeyring>;
+    /**
+     * Live-reference variant used by the hub's own code paths. Internal
+     * mutations on `deks` (e.g. {@link ensureCollectionDEK} adding a
+     * collection key) need to land on the cached keyring so subsequent
+     * accesses see them. Not exposed publicly — callers outside hub
+     * should use {@link getKeyring}, which returns a defensive copy.
+     */
+    private getKeyringInternal;
 }
 /** Create a new NOYDB instance. */
 declare function createNoydb(options: NoydbOptions): Promise<Noydb>;
@@ -4722,13 +5378,766 @@ declare function issueDelegation(store: NoydbStore, vault: string, grantor: Unlo
  * list of merged delegations so the caller can register per-access
  * audit context.
  */
-declare function loadActiveDelegations(store: NoydbStore, vault: string, user: UnlockedKeyring, delegationsDek: CryptoKey, now?: Date): Promise<DelegationToken[]>;
+declare function loadActiveDelegations(store: NoydbStore, vault: string, user: UnlockedKeyring, delegationsDek: CryptoKey, now?: Date): Promise<DelegationToken[]>;
+/**
+ * Revoke a delegation by id — the caller resolves the envelope and
+ * issues a `delete`. Provided as a stable helper so the naming is
+ * symmetric to `issueDelegation`.
+ */
+declare function revokeDelegation(store: NoydbStore, vault: string, id: string): Promise<void>;
+
+/**
+ * Minimum read surface exposed to guard `check` functions. Intentionally
+ * narrow — guards can read other collections but never write.
+ *
+ * `query()` returns the same chainable builder used elsewhere. `Query<T>`
+ * has no write terminals (no `.update()` / `.delete()`) so exposing it
+ * here preserves the read-only contract while letting guards aggregate
+ * with `.where().aggregate()` / `.groupBy()` / `.join()` instead of
+ * decrypting every sibling row via `.list()`.
+ */
+interface ReadOnlyVaultFacade$1 {
+    collection<T = unknown>(name: string): {
+        get(id: string): Promise<T | null>;
+        list(): Promise<T[]>;
+        query(): Query<T>;
+    };
+}
+/**
+ * Runtime context passed to `check` and `invariant` callbacks.
+ * `existing` is the currently-persisted record (null for inserts).
+ */
+interface GuardContext<T> {
+    existing: T | null;
+    vault: ReadOnlyVaultFacade$1;
+    userId: string;
+    role: Role;
+}
+/**
+ * One {before, after} pair handed to an `invariant` function. `before`
+ * is null for inserts; `after` reflects the proposed post-commit record.
+ */
+interface GuardChange<T> {
+    before: T | null;
+    after: T;
+}
+/** @internal — output of {@link withGuard}. */
+interface GuardStrategyHandle<T extends Record<string, unknown>> {
+    readonly __noydb_strategy: 'guard';
+    readonly spec: GuardStrategy<T>;
+}
+/**
+ * Existential erasure of `GuardStrategyHandle<T>` — used as the
+ * element type of `ReadonlyArray<>` fields where the per-handle T
+ * differs (e.g. `guardStrategies: [invoiceGuard, disbursementGuard]`).
+ *
+ * Background: `GuardStrategyHandle<T>` is INVARIANT in T because T
+ * appears in callback positions on the spec (`check(incoming: T, ctx)`,
+ * `invariant(changes: ReadonlyArray<GuardChange<T>>, ctx)`). So
+ * `Handle<Invoice>` is not assignable to `Handle<Record<string, unknown>>`.
+ * A bounded existential ("there exists some T satisfying the constraint
+ * such that this is a Handle<T>") is the right shape; TypeScript has
+ * no first-class existentials, so we fake it with a structurally narrow
+ * interface that ERASES T from both the discriminant and the spec.
+ *
+ * Consumers continue to construct typed handles via `withGuard<T>(...)`
+ * which returns `GuardStrategyHandle<T>`. Both `Handle<Invoice>` and
+ * `Handle<Disbursement>` structurally assign to `GuardStrategyHandleAny`,
+ * so an array of them is `GuardStrategyHandleAny[]`.
+ *
+ * Internal code that needs T re-narrows via the runtime discriminant
+ * (`__noydb_strategy === 'guard'`) plus per-handle type information
+ * carried by the registry.
+ *
+ * NOT exported from the public barrel — keeping this internal
+ * discourages consumers from constructing it directly. Used only as
+ * the array-element type on `Vault` / `NoydbOptions.guardStrategies`.
+ *
+ * @internal
+ */
+interface GuardStrategyHandleAny {
+    readonly __noydb_strategy: 'guard';
+    readonly spec: GuardStrategy<any>;
+}
+/** Public registration shape. See `withGuard()`. */
+interface GuardStrategy<T extends Record<string, unknown>> {
+    collection: string;
+    /**
+     * Fires on `Collection.put` (insert + update). The `incoming` argument
+     * is the record being written. Throw to cancel the put.
+     *
+     * Does NOT fire on `Collection.delete` — use {@link onDelete} for
+     * delete-time validation. Skipped during an amendment transaction
+     * (`db.transaction({ amendment: true })`) — admin/owner override.
+     */
+    check?: (incoming: T, ctx: GuardContext<T>) => Promise<void> | void;
+    /**
+     * Fires on user-initiated `Collection.delete` before the adapter
+     * delete and before the ledger append. The `existing` argument is
+     * the currently-persisted record. Throw to cancel the delete — no
+     * partial state, no tombstone ledger entry.
+     *
+     * Skipped during an amendment transaction (admin/owner override) —
+     * amendments are the unlock primitive. To make a delete TRULY
+     * unconditional (e.g. legal-document immutability rules), pair
+     * `onDelete` with an `amendment.invariant` that re-throws on any
+     * `before !== null && after === null` change:
+     *
+     * ```ts
+     * withGuard<Receipt>({
+     *   collection: 'receipts',
+     *   onDelete: () => { throw new RecordLockedError(...) },
+     *   amendment: {
+     *     roles: ['admin', 'owner'],
+     *     invariant: (changes) => {
+     *       for (const c of changes) {
+     *         if (c.before !== null && c.after === null) {
+     *           throw new RecordLockedError(...) // wrapped as InvariantError
+     *         }
+     *       }
+     *     },
+     *   },
+     * })
+     * ```
+     *
+     * Also skipped on system-internal deletes (derivation tombstones from
+     * #144, MV refresh from Dim 14 v2) — those use `_internalDelete`
+     * which bypasses every user-facing delete hook. Housekeeping ops are
+     * NOT user-initiated and should not trip user invariants.
+     *
+     * Delete of an absent record is a no-op and does not consult any
+     * guard, matching the idempotent-delete contract.
+     */
+    onDelete?: (existing: T, ctx: GuardContext<T>) => Promise<void> | void;
+    frozenFields?: {
+        when: (existing: T) => boolean;
+        fields: ReadonlyArray<keyof T>;
+    };
+    amendment?: {
+        roles: ReadonlyArray<'admin' | 'owner'>;
+        invariant: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+    };
+}
+
+/**
+ * Runtime context handed to `derive(source, ctx)`. Mirrors `GuardContext`'s
+ * narrow shape: read-only vault access, no write capability, no
+ * transaction handle. Determinism is the consumer's responsibility — the
+ * strategy hash includes `derive.toString()`, so the source string fixes
+ * the function's inputs; whatever sibling reads `derive` performs must
+ * yield the same outputs for the same source.
+ */
+interface DerivationContext {
+    vault: ReadOnlyVaultFacade$1;
+}
+/**
+ * Metadata that travels inside the `_data` payload of a derived record.
+ * Lives in encrypted payload, not in the unencrypted envelope — the
+ * storage backend cannot infer the derivation graph from listing.
+ */
+interface DerivedFromMeta {
+    /** Source collection name. */
+    readonly source: string;
+    /** Source record id. */
+    readonly sourceId: string;
+    /** `_v` of the source at derivation time. */
+    readonly sourceVersion: number;
+    /** ISO timestamp when this output was derived. */
+    readonly derivedAt: string;
+    /**
+     * SHA-256 of (source + outputs map keys + derive function source).
+     * Changes when the strategy changes → forces `vault.deriveAll` to
+     * recompute on next visit.
+     */
+    readonly strategyHash: string;
+}
+/** Record-shape output — one source row produces (optionally) one output row at the source's id. */
+interface RecordOutputSpec {
+    shape: 'record';
+    collection: string;
+    /**
+     * When `true`, the `derive` function may return `null` (or
+     * `undefined`) for this output key. The executor interprets that as
+     * "no output for this invocation": a previously-emitted output at
+     * the same id is deleted (mirroring the empty-group / empty-aggregate
+     * semantics flagged in #142); a never-emitted output is a silent
+     * no-op. When `false` (default), returning `null` throws
+     * `DerivationOutputShapeError` — same as v1.
+     */
+    optional?: boolean;
+}
+/**
+ * Array-shape output (#200) — one source row produces a variable-length
+ * list of output rows, each with its own id (from the `key` extractor).
+ *
+ * On every source-row change, the dispatcher diffs the previously
+ * emitted key set against the new one: removed keys are deleted via
+ * `_internalDelete`, new and unchanged keys are upserted via
+ * `Collection.put`. Strict-mode rollback is preserved via the existing
+ * `_executed` tracking.
+ *
+ * Storage of the per-source-row key set lives at
+ * `_meta/derivations-fanout/<source>/<sourceId>/<outputKey>` as a
+ * plain JSON sidecar — keeps dispatch cost O(1) per source row.
+ *
+ * **Slice 1 limitation**: only `lifecycle: 'eager'` is supported.
+ * Registering an array-shape output with `lifecycle: 'lazy'` throws
+ * at `withDerivation` construction time.
+ */
+interface ArrayOutputSpec {
+    shape: 'array';
+    collection: string;
+    /**
+     * Stable identity extractor for each derived row. Called on every
+     * row returned by `derive`. The string MUST be unique within a
+     * single invocation — duplicate keys throw
+     * `DerivationOutputShapeError`.
+     *
+     * Type is intentionally `(out: Record<string, unknown>) => string`
+     * (not generic) because OutputSpec is type-erased at the registry
+     * level. Strategy-level inference still produces typed `out`
+     * through the strategy's `outputs` map.
+     */
+    key: (output: Record<string, unknown>) => string;
+    /**
+     * Cap on derived rows per source-row invocation. Defaults to 64.
+     * Raise for carry-forward cases (e.g. monthly expansion of
+     * multi-year contracts). Exceeding the cap throws
+     * `DerivationCapExceededError` BEFORE any writes — partial fanout
+     * is never persisted.
+     */
+    maxFanout?: number;
+}
+/** Discriminated union — record + array. */
+type OutputSpec = RecordOutputSpec | ArrayOutputSpec;
+/**
+ * Registration shape passed to `withDerivation()`.
+ *
+ * @typeParam TSource - the source record type
+ * @typeParam TOutputs - map of output-key → output record type
+ */
+interface DerivationStrategy<TSource extends Record<string, unknown>, TOutputs extends Record<string, Record<string, unknown>>> {
+    /** Source collection name. */
+    source: string;
+    /** v1: only deterministic derivations supported. */
+    deterministic: true;
+    /**
+     * Output declarations keyed by name. The `derive` function's return
+     * value must have the same keys.
+     */
+    outputs: {
+        [K in keyof TOutputs]: OutputSpec;
+    };
+    /**
+     * Pure function from source to outputs. Runs on plaintext, after DEK
+     * unwrap. Returns a map of named outputs. Each output is encrypted +
+     * stored via the existing `Collection.put` pipeline.
+     *
+     * `ctx.vault` is the same `ReadOnlyVaultFacade` guards see — fetch
+     * sibling records via `ctx.vault.collection<T>(name).get(id)` /
+     * `.list()` / `.query()`. The vault accessor is read-only; there is
+     * no path to a writer from `ctx`.
+     */
+    derive: (source: TSource, ctx: DerivationContext) => Promise<TOutputs> | TOutputs;
+    /**
+     * `'eager'` runs `derive` synchronously inside the source-write
+     * transaction. `'lazy'` marks outputs stale on source-change and
+     * derives on first read.
+     */
+    lifecycle: 'eager' | 'lazy' | {
+        mode: 'eager' | 'lazy';
+        maxDepth?: number;
+    };
+    /**
+     * `true` = any output failure rolls back the source write (only with
+     * `withTransactions`). `false` = isolate per-output failure, log,
+     * continue. Default `false`.
+     */
+    strict?: boolean;
+}
+/** Returned by `withDerivation()` and consumed by `createNoydb`. */
+interface DerivationStrategyHandle {
+    readonly __noydb_strategy: 'derivation';
+    readonly spec: DerivationStrategy<any, any>;
+}
+
+interface RegisteredStrategy {
+    spec: DerivationStrategy<any, any>;
+    strategyHash: string;
+}
+/**
+ * Vault-internal registry of derivation strategies. Owned by `Vault`;
+ * not exported.
+ *
+ * @internal
+ */
+declare class DerivationRegistry {
+    private readonly _bySource;
+    private readonly _byOutput;
+    register(spec: DerivationStrategy<any, any>): Promise<void>;
+    strategiesForSource(source: string): ReadonlyArray<RegisteredStrategy>;
+    strategiesProducingOutput(collection: string): ReadonlyArray<RegisteredStrategy>;
+    /**
+     * Cycle detection over the source → output → … graph. Call after all
+     * `register()` calls complete (i.e. at vault open). Throws
+     * `DerivationCycleError` on the first cycle found.
+     */
+    validate(): void;
+}
+
+/**
+ * Minimal vault-shaped accessor passed to the MV `query()` callback.
+ * Defined as a structural interface so the strategy types don't have
+ * to import the full `Vault` class (avoids a circular import). The
+ * Vault implements this shape natively.
+ */
+interface MVQueryContext {
+    collection<T extends Record<string, unknown>>(name: string): Collection<T>;
+}
+/**
+ * Metadata that travels inside the `_data` payload of a materialized
+ * row. Lives in encrypted payload, not in the unencrypted envelope —
+ * the storage backend cannot infer the MV graph from listing.
+ *
+ * Extends the `_derivedFrom` precedent from v1: same encryption shape,
+ * same "metadata-inside-data" location.
+ */
+interface MaterializedFromMeta {
+    /** Stable identity for the MV that emitted this row. */
+    readonly mvName: string;
+    /**
+     * SHA-256 of (mvName + canonical query plan + dependency-set).
+     * Changes when the query structure changes → forces refresh on
+     * next visit (parallels v1's `strategyHash`).
+     */
+    readonly queryHash: string;
+    /**
+     * Map from source collection name → `_v` of the source row(s) that
+     * contributed to this MV row at materialization time. For aggregates
+     * over many rows, this is `max(_v)` per source collection — coarse
+     * but sufficient for stale detection.
+     */
+    readonly sourceVersions: Record<string, number>;
+    /** ISO timestamp when this row was materialized. */
+    readonly materializedAt: string;
+}
+/** Output routing for an MV. Optional — when omitted, writes to a collection named after `name`. */
+interface MaterializedViewOutput {
+    /** Output collection name. Defaults to `name`. */
+    collection?: string;
+    /**
+     * For same-collection-as-source MVs — see § Same-collection partition
+     * discriminator in the v2 spec. The cycle detector resolves the
+     * same-collection edge IFF the query has a where-clause that
+     * provably excludes `partition.value` (supports `==` against a
+     * different value, `!=` against the value, and `in` lists that
+     * don't contain it). Naïve same-collection MVs without a disjoint
+     * clause throw `MaterializedViewCycleError` at vault open.
+     */
+    partition?: {
+        field: string;
+        value: unknown;
+    };
+}
+/**
+ * One arm of a UNION materialized view. Reads rows from `collection`,
+ * then maps each into the MV's row shape via `map`.
+ *
+ * The per-source `map` is the schema-unification boundary — sibling
+ * collections can have different schemas, and `map` is where they
+ * meet the MV's row type. The hub does NOT compare schemas across
+ * arms; consumer responsibility is that every arm's `map` returns
+ * the same shape (the strategy's `TRow` type parameter enforces this
+ * at compile time).
+ */
+interface UnionSource<TRow extends Record<string, unknown>> {
+    /** Source collection name. Must exist in the vault. */
+    readonly collection: string;
+    /**
+     * Pure function from a source row to the unified MV row shape.
+     * Called once per source row at materialization time. Each arm's
+     * mapped output is concatenated into a single stream before
+     * `groupBy` + `aggregate` run.
+     */
+    readonly map: (sourceRow: Record<string, unknown>) => TRow;
+}
+/**
+ * Registration shape passed to `withMaterializedView()`.
+ *
+ * @typeParam TRow - the materialized row type (the query's result row)
+ */
+interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
+    /**
+     * Stable identity for this view. Used as the output collection name
+     * unless `output.collection` overrides. Must be unique within the vault.
+     */
+    name: string;
+    /**
+     * Declared query (single-source mode). Called at registration time
+     * with a vault-shaped accessor so the closure can compose collections
+     * without pre-existing in-scope references; called again at each
+     * refresh.
+     *
+     * Built via the same `Query<T>` chainable builder used elsewhere —
+     * `.where()`, `.join()`, `.groupBy()`, `.aggregate()`. The
+     * dependency analyzer walks the returned plan to determine source
+     * collections.
+     *
+     * Mutually exclusive with {@link unionSources}: a strategy must
+     * declare exactly one of `query` (single-source) or `unionSources`
+     * (multi-source UNION). Registration throws
+     * `MaterializedViewConfigError` if both are set or neither is set.
+     */
+    query?: (db: MVQueryContext) => Query<TRow>;
+    /**
+     * UNION-form sources (#165): an explicit list of sibling collections
+     * that contribute rows to a single MV. Each arm's `map` projects a
+     * source row into the MV's unified row shape; the mapped streams are
+     * concatenated, then {@link groupBy} + {@link aggregate} run on the
+     * combined output.
+     *
+     * Mutually exclusive with {@link query}. Registration throws
+     * `MaterializedViewConfigError` if both are set, if `unionSources`
+     * has fewer than 2 arms, or if two arms name the same `collection`.
+     *
+     * UNION mode replaces the dependency-analyzer path: the source
+     * collections come directly from `unionSources[].collection`, and
+     * {@link sources} is ignored.
+     */
+    unionSources?: ReadonlyArray<UnionSource<TRow>>;
+    /**
+     * Group-key field(s) for UNION mode (#165). Applied to the
+     * concatenated mapped-row stream from {@link unionSources} before
+     * {@link aggregate} runs. Accepts a single field name or a tuple of
+     * field names for multi-key grouping (same shape as
+     * `Query.groupBy(...fields)`).
+     *
+     * UNION-mode only. Ignored if {@link query} is set — single-source
+     * grouping is expressed inside the `Query<T>` returned from `query()`
+     * via `.groupBy(...).aggregate(...)`.
+     */
+    groupBy?: string | ReadonlyArray<string>;
+    /**
+     * Aggregation spec for UNION mode (#165). Applied per-group after
+     * {@link groupBy} buckets the concatenated mapped-row stream from
+     * {@link unionSources}. Same shape as the `AggregateSpec` passed to
+     * `Query.aggregate()`.
+     *
+     * UNION-mode only. Ignored if {@link query} is set.
+     */
+    aggregate?: AggregateSpec;
+    /**
+     * Pure function from a materialized row → stable id used in the
+     * output collection. Required — explicit always beats default-with-pitfalls
+     * (see niwat-review of #149 round 1 for the slash-collision rationale).
+     */
+    rowKey: (row: TRow) => string;
+    /**
+     * Explicit source collections (#152). Required when `query()` returns
+     * an `Aggregation` or `GroupedAggregation` rather than a `Query<T>`
+     * — the dependency analyzer can't introspect through `groupBy().aggregate()`
+     * back to the source. Optional for plain `Query<T>` results — the
+     * analyzer extracts dependencies automatically from the query plan.
+     *
+     * When set, takes precedence over auto-analysis.
+     */
+    sources?: ReadonlyArray<string>;
+    /**
+     * Declared deterministic predicates (#153). Each entry pairs a
+     * consumer-stable `hash` with a function. The `query()` callback's
+     * Query<T> can invoke them via `.wherePredicate(name, ctx?)`. The
+     * predicate's `hash` + a canonical-JSON hash of `ctx` both fold
+     * into `queryHash` — bumping either forces refresh on next visit.
+     *
+     * Consumer responsibility: bump `hash` when the function's semantics
+     * change. Failing to bump after a non-equivalent change leaves
+     * stale rows around until the next explicit refresh.
+     */
+    predicates?: {
+        [name: string]: {
+            hash: string;
+            fn: (row: TRow, ctx?: unknown) => boolean;
+        };
+    };
+    /**
+     * Refresh policy.
+     *
+     * - `'eager'` — re-materialize synchronously inside the source-write
+     *   transaction (composes with `withTransactions` for strict-mode
+     *   rollback).
+     * - `'lazy'` — mark stale on source-change; materialize on first
+     *   read of the MV.
+     * - `'manual'` — only materializes when `vault.refreshView(name)` is
+     *   called. Useful for very expensive MVs or time-dependent queries
+     *   whose `ctx` changes externally.
+     */
+    refresh: 'eager' | 'lazy' | 'manual';
+    /** Output routing. Optional; defaults to writing the collection named after `name`. */
+    output?: MaterializedViewOutput;
+    /**
+     * What to do when a re-materialization produces zero rows for a key
+     * that previously had rows.
+     *
+     * - `'delete'` (default) — tombstone the prior MV row via
+     *   `Collection._internalDelete` (system housekeeping bypasses user
+     *   `onDelete` guards on the output collection — see PR #148's
+     *   composition fix).
+     * - `'keep'` — leave the prior MV row in place. Useful when zero
+     *   is a meaningful state.
+     */
+    onEmpty?: 'delete' | 'keep';
+    /**
+     * `true` re-throws on any row-write failure → composes with
+     * `withTransactions` to roll back the source-write atomically via
+     * `revertExecuted` (#133). Default `false` (failed rows are
+     * isolated; other rows commit).
+     */
+    strict?: boolean;
+    /**
+     * Row-count ceiling for the materialized output. Throws
+     * `MaterializedViewTooLargeError` before any writes when exceeded
+     * — keeps the rollback clean. Default `100_000`; override per-MV
+     * when the domain warrants it.
+     */
+    maxRows?: number;
+}
+/** Returned by `withMaterializedView()` and consumed by `createNoydb`. */
+interface MaterializedViewStrategyHandle {
+    readonly __noydb_strategy: 'materialized-view';
+    readonly spec: MaterializedViewStrategy<any>;
+}
+
+/**
+ * One registered MV strategy alongside its derived metadata. Stored
+ * type-erased on `TRow` so the registry can hold heterogeneous MVs.
+ */
+interface RegisteredMV {
+    readonly spec: MaterializedViewStrategy<any>;
+    /** Output collection name (`spec.output?.collection ?? spec.name`). */
+    readonly outputCollection: string;
+    /** Set of source collections; populated at registration via the analyzer. */
+    readonly dependencies: ReadonlySet<string>;
+    /** Canonical `queryHash` — `_materializedFrom.queryHash` for every emitted row. */
+    readonly queryHash: string;
+    /**
+     * Top-level FieldClauses on the partition field, captured at
+     * registration time. Used by the cycle detector to resolve
+     * same-collection-as-source edges via the partition-discriminator
+     * check (#152). Empty when `spec.output?.partition` is undefined.
+     */
+    readonly partitionClauses: readonly FieldClause[];
+}
+/**
+ * Vault-internal registry of MV strategies. Owned by `Vault`; not
+ * exported. Parallel to v1's `DerivationRegistry`; the two graphs share
+ * a single cycle-detection pass at vault open (see `validate`).
+ *
+ * @internal
+ */
+declare class MaterializedViewRegistry {
+    /** Keyed by `spec.name`. */
+    private readonly _byName;
+    /** Keyed by dependency source-collection → MVs that depend on it. */
+    private readonly _bySource;
+    /**
+     * Register an MV. Invokes `spec.query()` once at registration time to
+     * read the plan + join context; the resulting `Query<T>` is discarded
+     * after dependency extraction. `vault.collection(...)` must therefore
+     * be functional by the time this runs — typically wired from
+     * `Vault._initMaterializedViews` after collection bootstrap.
+     *
+     * Throws `MaterializedViewSourceUnknownError` if the analyzer
+     * surfaces a dependency the vault doesn't know about (when a
+     * `knownCollections` checker is supplied).
+     */
+    register(spec: MaterializedViewStrategy<any>, db: MVQueryContext, options?: {
+        knownCollections?: (name: string) => boolean;
+    }): Promise<void>;
+    /** All MVs that depend on `source`, in registration order. */
+    mvsForSource(source: string): ReadonlyArray<RegisteredMV>;
+    /** Single MV by name, or `undefined`. */
+    byName(name: string): RegisteredMV | undefined;
+    /** Iterate over every registered MV. */
+    all(): ReadonlyArray<RegisteredMV>;
+    /**
+     * Cycle detection over the combined derivation + MV graph. Edges:
+     *   - Derivation: derivation.source → output.collection (each output)
+     *   - MV: every dep in MV.dependencies → MV.outputCollection
+     *
+     * Throws `MaterializedViewCycleError` if the cycle's terminal node
+     * is an MV output collection; otherwise (a pure-derivation cycle)
+     * the caller's `DerivationRegistry.validate()` will surface
+     * `DerivationCycleError` separately at vault open.
+     *
+     * Call AFTER all `register()` calls complete.
+     */
+    validate(derivationRegistry?: DerivationRegistry | null): void;
+}
+
+/**
+ * Read-shadow overlay primitive (#154, MV v2 spec § Composition with
+ * operator-editable lifecycle). Binds an MV's read-only base output
+ * to a separate user-writable overlay collection; reads merge via a
+ * single shadow predicate, writes route to the overlay.
+ *
+ * v2 ships the read-shadow variant only — arbitrary `mergePolicy`
+ * callbacks are deferred to v3.
+ */
+interface OverlayedViewStrategy {
+    /**
+     * Virtual collection name. `vault.collection(name)` returns a
+     * proxy that merges `base` and `overlay` per the shadow rule.
+     * Writes to the proxy route to the `overlay` collection. The name
+     * must be unique within the vault — collisions with MV outputs or
+     * concrete source collections throw `OverlayNameCollisionError` at
+     * vault open.
+     */
+    name: string;
+    /**
+     * The collection providing the default rows. Typically an MV's
+     * output collection. Must be a CONCRETE collection (a real source
+     * or an MV output) — not itself another overlay's virtual name.
+     * Multi-overlay stacking is a v3 non-goal; the constraint is
+     * enforced at vault open via `OverlayBaseIsVirtualError`.
+     */
+    base: string;
+    /**
+     * User-writable collection that carries overrides. Must be a real,
+     * vault-known collection that is NOT an MV-output collection. The
+     * overlay's `withGuard` / `withDerivation` registrations apply to
+     * direct writes; the virtual layer's `put(record)` also flows
+     * through the overlay's normal write pipeline.
+     */
+    overlay: string;
+    /**
+     * Single-field shadow predicate. When `overlay[shadowField] ===
+     * shadowValue` for a given id, virtual-collection reads of that id
+     * return the overlay row; otherwise reads return the base row.
+     *
+     * Niwat's canonical example: `dataStatus === 'override'` flips a
+     * row into operator-controlled mode.
+     *
+     * No callback merge, no priority lattice, no field-level merge —
+     * v2 stays explicitly narrow.
+     */
+    shadowField: string;
+    shadowValue: unknown;
+}
+/** Returned by `withOverlayedView()` and consumed by `createNoydb`. */
+interface OverlayedViewStrategyHandle {
+    readonly __noydb_strategy: 'overlayed-view';
+    readonly spec: OverlayedViewStrategy;
+}
+
+/**
+ * Vault-internal registry of overlay strategies. Resolves the base
+ * MV's `rowKey` lazily so virtual-collection writes can derive ids
+ * from the row.
+ *
+ * @internal
+ */
+declare class OverlayedViewRegistry {
+    private readonly _byName;
+    /**
+     * Register an overlay. Validates name uniqueness, base concreteness,
+     * and overlay availability AGAINST the MV registry — overlays
+     * declared without the MV registry context skip cross-registry
+     * checks but still validate self-consistency.
+     */
+    register(spec: OverlayedViewStrategy, options: {
+        isOverlayName?: (name: string) => boolean;
+        isMVOutput?: (name: string) => boolean;
+        isKnownCollection?: (name: string) => boolean;
+    }): void;
+    byName(name: string): OverlayedViewStrategy | undefined;
+    /** All overlay virtual names. */
+    names(): ReadonlySet<string>;
+    isOverlay(name: string): boolean;
+    /**
+     * Resolve the `rowKey` function for an overlay's base MV. Returns
+     * `undefined` if the base isn't an MV (raw source collection) or
+     * if the MV registry isn't supplied. Used by the virtual-collection
+     * proxy to derive ids from `put(record)` calls.
+     */
+    resolveBaseRowKey(name: string, mvRegistry: MaterializedViewRegistry | null): ((row: Record<string, unknown>) => string) | undefined;
+}
+
+/**
+ * Vault-internal singleton that holds the guard graph and dispatches
+ * per-collection guard execution. Owned by `Vault`; not exported.
+ *
+ * @internal
+ */
+type AnyGuard = GuardStrategy<Record<string, unknown>>;
+type AnyChange = GuardChange<Record<string, unknown>>;
+declare class GuardRegistry {
+    private readonly _byCollection;
+    private _amendmentChanges;
+    private _amendmentMeta;
+    /** Register a guard. Multiple guards per collection are allowed. */
+    register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void;
+    /** All guards registered against `collection` in registration order. */
+    guardsFor(collection: string): ReadonlyArray<AnyGuard>;
+    /**
+     * Run every guard's `check` for this collection. First throw wins —
+     * remaining guards are not invoked. Guards without a `check` skip.
+     */
+    runChecks<T>(collection: string, incoming: T, ctx: GuardContext<T>): Promise<void>;
+    /**
+     * Run every guard's `onDelete` for this collection. First throw wins —
+     * remaining guards are not invoked. Guards without an `onDelete` skip.
+     * Mirrors {@link runChecks} but for the delete path.
+     */
+    runOnDelete<T>(collection: string, existing: T, ctx: GuardContext<T>): Promise<void>;
+    /** True if any guard for `collection` declares an `amendment` block. */
+    hasAmendment(collection: string): boolean;
+    /** Open a new amendment change-collection window. */
+    beginAmendment(): void;
+    /** True iff we're currently inside an amendment transaction. */
+    isAmendmentActive(): boolean;
+    /**
+     * Record a {before, after} pair for the active amendment. `vBefore`
+     * and `vAfter` are stored in a parallel meta structure so the public
+     * {@link GuardChange} shape handed to invariant callbacks stays
+     * `{ before, after }` only — the audit ledger reads version metadata
+     * via {@link consumeMeta}.
+     */
+    collectChange<T>(collection: string, id: string, before: T | null, after: T, vBefore?: number, vAfter?: number): void;
+    /**
+     * Drain the change-set and close the amendment window. The caller
+     * (transaction commit) feeds these to each affected guard's invariant.
+     */
+    consumeChanges(): ReadonlyMap<string, ReadonlyArray<AnyChange>>;
+    /**
+     * Drain the parallel id/version metadata captured during the
+     * amendment. Returned as a flat list with `collection` denormalised
+     * so the audit ledger can emit one `{ collection, id, vBefore,
+     * vAfter }` tuple per record. Must be called AFTER
+     * {@link consumeChanges} (or independently) — calling it closes the
+     * meta window in the same way.
+     */
+    consumeMeta(): ReadonlyArray<{
+        collection: string;
+        id: string;
+        vBefore: number;
+        vAfter: number;
+    }>;
+}
+
 /**
- * Revoke a delegation by id — the caller resolves the envelope and
- * issues a `delete`. Provided as a stable helper so the naming is
- * symmetric to `issueDelegation`.
+ * Minimal read-only wrapper over a `Vault`. Used as `ctx.vault` inside
+ * guard callbacks so they can fetch related records without acquiring
+ * any write capability.
  */
-declare function revokeDelegation(store: NoydbStore, vault: string, id: string): Promise<void>;
+declare class ReadOnlyVaultFacade implements ReadOnlyVaultFacade$1 {
+    private readonly _vault;
+    constructor(vault: Vault);
+    collection<T = unknown>(name: string): {
+        get(id: string): Promise<T | null>;
+        list(): Promise<T[]>;
+        query(): Query<T>;
+    };
+}
 
 /**
  * `vault.exportBlobs()` — bulk blob extraction primitive.
@@ -5104,6 +6513,50 @@ declare function magicLinkGrantRecordId(token: string, index: number): string;
  */
 declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: Date): boolean;
 
+/**
+ * Type surface for the user-list visibility subsystem (#122).
+ *
+ * Two complementary flags:
+ *  - {@link DirectoryConfig} — vault-level "is the directory listing
+ *    enabled at all?" toggle. Owner-only mutation.
+ *  - {@link UserVisibility} — per-user "hide me from teammate listings"
+ *    opt-out. Self-mutation via `vault.user.setMyVisibility`.
+ *
+ * Both flags live in the existing `_meta` collection as plaintext-bypass
+ * sidecars (`_iv: ''`). Neither is a security boundary — the keyring
+ * file is still observable at `_keyring/*` and the envelope ciphertext
+ * is still at `_users/*` to anyone with direct store read access. The
+ * flags exist to keep admin-UI listings tidy, not to hide principals
+ * from a determined attacker.
+ *
+ * @see docs/subsystems/user-envelope.md → Directory visibility
+ *
+ * @module
+ */
+/**
+ * Vault-level directory toggle. Persisted at `_meta/directory`.
+ *
+ * - `enabled: true` (default when no document exists) — every authenticated
+ *   caller can enumerate users via `listUsersWithEnvelopes`.
+ * - `enabled: false` — only `owner` and `admin` callers can enumerate;
+ *   anyone else gets {@link import('../errors.js').DirectoryDisabledError}.
+ */
+interface DirectoryConfig {
+    readonly enabled: boolean;
+}
+/**
+ * Per-user visibility flag. Persisted at `_meta/visibility/<keyringId>`.
+ *
+ * - `hidden: false` (default when no document exists) — the user shows up
+ *   in `listUsersWithEnvelopes` like any other principal.
+ * - `hidden: true` — the user is filtered out of the default listing.
+ *   `owner`/`admin` callers can still see them by passing
+ *   `{ includeHidden: true }`.
+ */
+interface UserVisibility {
+    readonly hidden: boolean;
+}
+
 /**
  * Public `vault.user.*` API surface.
  *
@@ -5238,6 +6691,30 @@ declare class UserApi {
      * Gated by `edit-own-profile`. See `updateMe` for `presented` usage.
      */
     setMe<T = unknown>(payload: T, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
+    /**
+     * Read the current user's visibility flag from
+     * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
+     * document has been persisted (the default-visible case).
+     */
+    getMyVisibility(): Promise<UserVisibility>;
+    /**
+     * Update the current user's visibility in the team directory.
+     *
+     * - `hidden: true` — opt out of the default `listUsersWithEnvelopes`
+     *   listing. `owner`/`admin` callers can still see the user by passing
+     *   `{ includeHidden: true }`.
+     * - `hidden: false` — opt back in.
+     *
+     * Own-only by construction: the keyringId argument doesn't exist on
+     * this method, so no caller can hide or unhide another principal.
+     *
+     * Honest caveat: this is a UX flag, not a privacy guarantee. The
+     * envelope ciphertext at `_users/<keyringId>` and the keyring file at
+     * `_keyring/<userId>` are both still observable to anyone with direct
+     * store read access. See `docs/subsystems/user-envelope.md` →
+     * "Directory visibility".
+     */
+    setMyVisibility(visibility: UserVisibility): Promise<void>;
     /**
      * Read another principal's envelope by their keyringId. Returns null
      * if the principal exists but has no envelope yet, or if the
@@ -5297,6 +6774,159 @@ declare class UserApi {
     private fireChange;
 }
 
+/**
+ * Persisted-schema envelope shape.
+ *
+ * Stored encrypted under `_schemas/<collection>` with the same DEK as the
+ * collection's records. Auditors who can unlock the collection's data can
+ * also read its schema; nothing more.
+ *
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+ *
+ * @module
+ */
+/** Family of Standard Schema v1 validator the persisted snapshot was derived from. */
+type PersistedSchemaKind = 'Zod' | 'Valibot' | 'ArkType' | 'Effect' | 'Unknown';
+/**
+ * Plaintext payload encrypted into the `_data` field of the
+ * `_schemas/<collection>` envelope. The wrapper `EncryptedEnvelope` adds
+ * `_noydb`, `_v`, `_ts`, `_iv`, `_data` per the standard noy-db record
+ * format.
+ */
+interface PersistedSchemaEnvelope {
+    readonly _noydb_schema: 1;
+    /** Detected validator family. */
+    readonly kind: PersistedSchemaKind;
+    /**
+     * JSON Schema (Draft 2020-12) derived from the validator. Null when
+     * derivation isn't yet supported for `kind`; in that case `reason` is
+     * populated.
+     */
+    readonly jsonSchema: object | null;
+    /** SHA-256 (hex) of the canonicalised JSON Schema, or null when unavailable. */
+    readonly hash: string | null;
+    /** Human-readable reason when `jsonSchema` is null. */
+    readonly reason?: string;
+    /** ISO-8601 timestamp of the most recent derivation write. */
+    readonly derivedAt: string;
+}
+
+/**
+ * Types for {@link VaultSchemaSnapshot} — the structured object returned
+ * by `vault.dumpSchema()`. Consumed by the upcoming `noydb describe`
+ * CLI to emit human-readable YAML/JSON audit output.
+ *
+ * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+ *
+ * @module
+ */
+
+/** Where the field-level info in the snapshot came from. */
+type FieldSource = 'persisted' | 'live-validator' | 'sampled' | 'unknown';
+interface FieldDescriptor {
+    /** Inferred type tag: 'string' | 'number' | 'boolean' | 'enum' | 'object' | 'array' | 'null' | 'opaque'. */
+    readonly type: string;
+    /** Where this field info was sourced from. */
+    readonly source: FieldSource;
+    /** Optional constraints — minLength, maxLength, enum values, gt, etc. */
+    readonly constraints?: Record<string, unknown>;
+    /** True when the schema marks this field optional. */
+    readonly optional?: boolean;
+    /** Foreign-key target as `<collection>.<field>` when declared. */
+    readonly references?: string;
+}
+interface CollectionStats {
+    readonly records: number;
+    readonly bytes: number;
+    readonly bytesAvg: number;
+    readonly bytesMin: number;
+    readonly bytesMax: number;
+    /** ISO-8601 from min(_ts) across envelopes. Empty string when no records. */
+    readonly oldest: string;
+    /** ISO-8601 from max(_ts) across envelopes. Empty string when no records. */
+    readonly newest: string;
+}
+interface CollectionDescriptor {
+    readonly fields: Record<string, FieldDescriptor>;
+    readonly indexes: ReadonlyArray<{
+        readonly fields: ReadonlyArray<string>;
+        readonly unique?: boolean;
+    }>;
+    readonly refs: Record<string, {
+        readonly target: string;
+        readonly mode: 'strict' | 'warn' | 'cascade';
+    }>;
+    readonly validator?: {
+        readonly kind: PersistedSchemaKind;
+        readonly source: 'persisted' | 'live-validator';
+    };
+    readonly stats?: CollectionStats;
+}
+interface MaterializedViewDescriptor {
+    readonly sources: ReadonlyArray<string>;
+    readonly groupBy?: ReadonlyArray<string>;
+    readonly aggregate?: Record<string, string>;
+    readonly refresh: string;
+    readonly stats?: CollectionStats;
+}
+interface OverlayViewDescriptor {
+    readonly base: string;
+    readonly overlay: string;
+}
+interface DerivationDescriptor {
+    readonly source: string;
+    readonly outputs: ReadonlyArray<string>;
+}
+interface InternalCollectionStats {
+    readonly records: number;
+    readonly bytes: number;
+}
+interface VaultSchemaSnapshot {
+    readonly _noydb_snapshot: 1;
+    readonly vault: string;
+    readonly emittedAt: string;
+    readonly subsystems: Record<string, boolean>;
+    readonly aclRoles?: ReadonlyArray<string>;
+    readonly collections: Record<string, CollectionDescriptor>;
+    readonly materializedViews: Record<string, MaterializedViewDescriptor>;
+    readonly overlayViews: Record<string, OverlayViewDescriptor>;
+    readonly derivations: Record<string, DerivationDescriptor>;
+    /** Only present when `dumpSchema({ withStats: true })` was called. */
+    readonly internal?: Record<string, InternalCollectionStats>;
+}
+interface DumpSchemaOptions {
+    /** When true, walk every collection's envelopes to compute counters. Default `false`. */
+    readonly withStats?: boolean;
+    /** Sample N records per collection lacking a persisted/live schema. Default 50. `0` disables sampling. */
+    readonly sampleSize?: number;
+}
+
+/**
+ * Orchestrate the structural walk of a Vault, producing a
+ * {@link VaultSchemaSnapshot}. Called from `Vault.dumpSchema()`.
+ *
+ * @module
+ */
+
+/**
+ * The minimal slice of Vault internal state the walker needs.
+ * Exposed via `vault._introspectState()` to keep the public Vault
+ * surface narrow.
+ *
+ * @internal
+ */
+interface VaultIntrospectState {
+    readonly name: string;
+    readonly adapter: NoydbStore;
+    readonly collectionCache: Map<string, Collection<unknown>>;
+    readonly refRegistry: RefRegistry;
+    readonly getDEK: (collectionName: string) => Promise<CryptoKey>;
+    readonly subsystems: Record<string, boolean>;
+    readonly mvRegistry: unknown;
+    readonly overlayRegistry: unknown;
+    readonly derivationRegistry: unknown;
+}
+
 /** A vault (tenant namespace) containing collections. */
 declare class Vault {
     private readonly adapter;
@@ -5339,6 +6969,40 @@ declare class Vault {
     private readonly historyStrategy;
     private readonly i18nStrategy;
     private readonly syncStrategy;
+    /**
+     * Per-vault guard registry. `null` until `_initGuards()` runs; stays
+     * `null` for vaults that never register any guard strategy. The
+     * runtime class is dynamic-imported on demand so consumers that
+     * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
+     * their bundle (#130).
+     */
+    private guardRegistry;
+    /**
+     * Per-vault derivation registry. Same lazy-load contract as
+     * `guardRegistry` — `null` until `_initDerivations()` runs with at
+     * least one strategy handle. See #130 for the bundle motivation.
+     */
+    private derivationRegistry;
+    /**
+     * Per-vault materialized-view registry (#143/#150). Same lazy-load
+     * contract as `derivationRegistry` — `null` until
+     * `_initMaterializedViews()` runs with at least one MV handle.
+     */
+    private materializedViewRegistry;
+    /**
+     * Per-vault overlay registry (#154). Same lazy-load contract as
+     * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
+     * runs with at least one handle.
+     */
+    private overlayedViewRegistry;
+    /**
+     * Cached read-only facade handed to guard callbacks via `ctx.vault`,
+     * and to derivation callbacks via `derive(source, ctx)`. Allocated
+     * eagerly inside `_initGuards()` and/or `_initDerivations()` so read
+     * accessors stay synchronous (callers in `tx/transaction.ts` rely on
+     * that). Stays `null` for vaults with neither subsystem configured.
+     */
+    private readOnlyFacade;
     private getDEK;
     /**
      * Per-principal user envelope API.
@@ -5373,6 +7037,12 @@ declare class Vault {
      * `vault.compact()`. Indexed by collection name.
      */
     private readonly blobFieldsRegistry;
+    /**
+     * Per-collection attestation field-schema (issue side). Populated on
+     * `collection({ attestation })` and read by `issueAttestation()`.
+     * Indexed by collection name.
+     */
+    private readonly attestationRegistry;
     /**
      * Per-vault ledger store. Lazy-initialized on first
      * `collection()` call (which passes it through to the Collection)
@@ -5386,6 +7056,16 @@ declare class Vault {
      * docstring.
      */
     private ledgerStore;
+    /**
+     * Background writes for persisted-schema envelopes (#schema-dump v0
+     * slice 1). One promise per `collection({ persistJsonSchema: true })`
+     * registration that actually fired a derive call. Fire-and-forget
+     * from the collection factory; tests await
+     * {@link _drainPendingSchemaWrites} before asserting on storage.
+     * Production code does not need to drain — the writes are
+     * idempotent fingerprints, not correctness invariants.
+     */
+    private _pendingSchemaWrites;
     /**
      * Per-vault foreign-key reference registry. Collections
      * register their `refs` option here on construction; the
@@ -5497,6 +7177,7 @@ declare class Vault {
         historyStrategy?: HistoryStrategy | undefined;
         i18nStrategy?: I18nStrategy | undefined;
         syncStrategy?: SyncStrategy | undefined;
+        guardStrategies?: ReadonlyArray<GuardStrategyHandleAny> | undefined;
     });
     /**
      * Construct (or reconstruct) the lazy DEK resolver. Captures the
@@ -5569,7 +7250,28 @@ declare class Vault {
         tiers?: readonly number[];
         /**  — how lower-tier reads see above-tier records. */
         tierMode?: TierMode;
+        /**
+         * Opt-in persisted JSON Schema. When `true` AND a Zod `schema` is
+         * provided, hub derives a JSON Schema via `zod-to-json-schema`
+         * (optional peer-dep) and writes an encrypted snapshot to
+         * `_schemas/<collectionName>`. Re-runs on every open; hash-skip
+         * avoids write churn when the schema is unchanged.
+         *
+         * Default: `false`. Non-Zod Standard Schema validators receive a
+         * stub envelope flagging the kind without a JSON Schema body.
+         *
+         * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+         */
+        persistJsonSchema?: boolean;
+        /** — declare the per-field schema for document attestation (issue side). */
+        attestation?: AttestationFieldSchema;
     }): Collection<T>;
+    /**
+     * Await all background persisted-schema writes triggered by
+     * `collection({ persistJsonSchema: true })` calls on this vault.
+     * Used in tests; production code does not need to call this.
+     */
+    _drainPendingSchemaWrites(): Promise<void>;
     /**
      * Validate i18nText fields on a `put()`. Called by Collection just
      * before the adapter write, after schema validation. Throws
@@ -5745,6 +7447,22 @@ declare class Vault {
      */
     compact(options?: CompactRunOptions): Promise<CompactionResult>;
     exportBlobs(options?: ExportBlobsOptions): ExportBlobsHandle;
+    issueAttestation(collectionName: string, id: string): Promise<{
+        docId: string;
+        qr: string;
+        keyId: string;
+        publicKeyB64: string;
+    }>;
+    getDocumentSigningPublicKey(): Promise<{
+        keyId: string;
+        publicKeyB64: string;
+    }>;
+    private makeIssueContext;
+    revokeAttestation(docId: string): Promise<void>;
+    unrevokeAttestation(docId: string): Promise<void>;
+    getRevokedDocIds(): Promise<string[]>;
+    publishRevocationList(): Promise<RevocationList>;
+    private makeRevokeContext;
     private writeExportAudit;
     /**
      * Read-only accessor for the invoking keyring's export capability,
@@ -5859,6 +7577,124 @@ declare class Vault {
      * throws on null; this one stays silent so the off-path no-ops.
      */
     private getLedgerOrNull;
+    /**
+     * @internal — called by `Noydb.openVault` after construction.
+     * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
+     * the registry with the supplied strategy handles. No-op when the
+     * handles array is empty — keeps the guard subsystem out of the
+     * floor bundle for consumers that don't use guards (#130).
+     *
+     * The read-only facade is eagerly instantiated here so the sync
+     * accessor `_getReadOnlyFacade()` (called from the tx amendment
+     * runner) stays synchronous.
+     */
+    _initGuards(handles: ReadonlyArray<GuardStrategyHandleAny>): Promise<void>;
+    /**
+     * @internal — Collection.put calls into this. Returns `null` for
+     * vaults that never registered any guard strategy. Callers MUST
+     * gate on null (the existing `if (this.guardSource)` branches in
+     * `Collection` already do this transitively).
+     */
+    _getGuardRegistry(): GuardRegistry | null;
+    /**
+     * @internal — called by `Noydb.openVault` after construction.
+     * Dynamic-imports `DerivationRegistry` and registers the supplied
+     * derivation strategies (async because `strategyHash` computation
+     * goes through `crypto.subtle.digest`). No-op when the handles
+     * array is empty — keeps the derivation subsystem out of the floor
+     * bundle for consumers that don't use derivations (#130). Throws
+     * `DerivationCycleError` if a cycle is detected after registration.
+     */
+    _initDerivations(handles: ReadonlyArray<DerivationStrategyHandle>): Promise<void>;
+    /**
+     * @internal — consumed by `Collection.put` at write-time. Returns
+     * `null` for vaults that never registered any derivation strategy.
+     */
+    _getDerivationRegistry(): DerivationRegistry | null;
+    /**
+     * @internal — called by `Noydb.openVault` after collections are
+     * wired. Dynamic-imports `MaterializedViewRegistry`, registers each
+     * MV spec (which invokes its `query()` once for dependency
+     * analysis), then runs the unified cycle detection across the MV +
+     * derivation graphs. No-op when the handles array is empty — keeps
+     * the MV subsystem out of the floor bundle (mirrors v1 #130).
+     * Throws `MaterializedViewCycleError` if a cycle is detected.
+     */
+    _initMaterializedViews(handles: ReadonlyArray<MaterializedViewStrategyHandle>): Promise<void>;
+    /**
+     * @internal — consumed by `Collection.put` at write-time. Returns
+     * `null` for vaults that never registered any MV strategy.
+     */
+    _getMaterializedViewRegistry(): MaterializedViewRegistry | null;
+    /**
+     * @internal — called by `Noydb.openVault` after MVs are wired.
+     * Dynamic-imports `OverlayedViewRegistry`, registers each spec,
+     * validates against the MV registry for name/base/overlay collisions.
+     * Throws on validation failure.
+     */
+    _initOverlayedViews(handles: ReadonlyArray<OverlayedViewStrategyHandle>): Promise<void>;
+    /**
+     * @internal — consumed by `Vault.collection()`. Returns `null` for
+     * vaults with no overlays registered.
+     */
+    _getOverlayedViewRegistry(): OverlayedViewRegistry | null;
+    /**
+     * Manual re-materialize for a single registered MV (#151). Useful
+     * for `refresh: 'manual'` MVs (whose consumer drives refreshes
+     * externally), for stale-bit recovery on vault re-open, and as the
+     * explicit bulk-recompute escape hatch after a strategy change.
+     *
+     * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
+     * foundation + this sub-issue — tombstoning lands in #152.
+     *
+     * Throws if `name` is not a registered MV.
+     */
+    refreshView(name: string): Promise<{
+        written: number;
+        deleted: number;
+        failed: number;
+    }>;
+    /**
+     * Re-derive every record in the named source collection. Useful
+     * after a strategy change to bring previously-derived records
+     * up-to-date.
+     *
+     * Sequential in v1; parallelisation deferred to v2.
+     */
+    deriveAll(sourceCollection: string): Promise<{
+        derived: number;
+        failed: number;
+    }>;
+    /**
+     * @internal — exposed for `runTransaction({ amendment: true })` so
+     * the amendment invariant runner can pass the SAME read-only vault
+     * facade that the per-record `Collection.put` guard hook uses
+     * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
+     * `_initGuards()` so this accessor stays synchronous; returns
+     * `null` for vaults that never registered any guard (amendments
+     * require at least one guard, so the caller should never see null).
+     */
+    _getReadOnlyFacade(): ReadOnlyVaultFacade | null;
+    /**
+     * Internal lazy-allocator for the read-only facade. Used by the
+     * per-collection `guardSource.readOnlyVault` callback when guards
+     * ARE configured but `_initGuards()` raced with the first guard
+     * invocation (theoretically impossible — `Noydb.openVault` awaits
+     * `_initGuards` before returning — but we keep the defensive lazy
+     * path so the closure's contract stays "always returns a facade").
+     */
+    private _ensureReadOnlyFacade;
+    /**
+     * @internal — exposed for `runTransaction({ amendment: true })`
+     * to append the structured `op: 'amendment'` audit entry without
+     * dragging this private accessor onto the public surface or
+     * forcing the tx executor to depend on the history-strategy
+     * shape directly. Returns `null` when no history strategy is
+     * configured, in which case the amendment commits silently
+     * (the records still write through; only the multi-record
+     * audit summary is skipped).
+     */
+    _getLedgerOrNull(): LedgerStore | null;
     /**
      * Return a read-only view of this vault as it existed at
      * `timestamp`. Time-machine queries are reconstructed from the
@@ -6062,6 +7898,34 @@ declare class Vault {
     private _decryptPeriodRecord;
     /** List all collection names in this vault. */
     collections(): Promise<string[]>;
+    /**
+     * Emit a structured introspection snapshot of this vault — vault name,
+     * subsystem opt-in matrix, collections + their fields, materialized
+     * views, overlay views, derivations. With `withStats: true`, walks
+     * every collection's envelopes to compute record counts, byte totals,
+     * and oldest/newest timestamps.
+     *
+     * Consumed by the `noydb describe` CLI to produce human-readable
+     * audit YAML/JSON from a `.noydb` bundle.
+     *
+     * Field provenance:
+     *   - `persisted`: read from `_schemas/<col>` envelope (Route B opt-in)
+     *   - `live-validator`: derived in-process from a Zod schema attached
+     *     to the live `Collection`
+     *   - `sampled`: inferred from decrypted records (deferred to a follow-up)
+     *   - `unknown`: no schema info available
+     *
+     * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
+     */
+    dumpSchema(opts?: DumpSchemaOptions): Promise<VaultSchemaSnapshot>;
+    /**
+     * Internal accessor for {@link dumpVaultSchema}. Exposes the structural
+     * state the walker needs (collection cache, registries, ref registry,
+     * adapter) without widening the public Vault surface.
+     *
+     * @internal
+     */
+    _introspectState(): VaultIntrospectState;
     /**
      * Return the stable opaque bundle handle for this vault,
      * generating and persisting a fresh ULID on first call.
@@ -6729,6 +8593,34 @@ declare class Collection<T> {
      * adapter on first use.
      */
     private readonly periodGuard;
+    /**
+     * Optional back-reference to the owning vault's guard registry + a
+     * read-only vault facade. When present, `Collection.put` and
+     * `Collection.delete` consult the registry for guards declared
+     * against this collection and run their `check` + `frozenFields`
+     * before the adapter write. Absent in unit tests that construct
+     * a Collection directly; production code always sets it via
+     * `Vault.collection()`.
+     *
+     * Typed structurally rather than as `Vault` to avoid a circular
+     * import (mirrors the `refEnforcer` / `joinResolver` pattern).
+     */
+    private readonly guardSource;
+    /**
+     * Vault-internal hook for derivation dispatch. When set,
+     * `Collection.put` consults the registry after the source-write
+     * commits and writes derived outputs through `getCollection(name).put`.
+     * Same structural-interface pattern as `guardSource` to avoid a
+     * circular Vault import.
+     */
+    private readonly derivationSource;
+    /**
+     * Vault-internal hook for materialized-view dispatch (#143/#150).
+     * Parallel to `derivationSource` — when set, `Collection.put` fires
+     * `MaterializedViewRegistry.onSourceWrite` after the source-write
+     * commits + after `dispatchDerivations` has run.
+     */
+    private readonly materializedViewSource;
     /**
      * Optional back-reference to the owning compartment's ref
      * enforcer. When present, `Collection.put` calls
@@ -6982,6 +8874,63 @@ declare class Collection<T> {
             ts: string | null;
             record: Record<string, unknown> | null;
         } | null, incoming: Record<string, unknown> | null) => Promise<void>;
+        /**
+         * Optional back-reference to the owning vault's guard registry +
+         * read-only facade. When present, put/delete consult registered
+         * guards for this collection. Same structural-interface pattern
+         * as `refEnforcer` to avoid a circular Vault import.
+         */
+        guardSource?: {
+            registry(): GuardRegistry;
+            readOnlyVault(): ReadOnlyVaultFacade$1;
+        } | undefined;
+        /**
+         * Optional back-reference to the owning vault's derivation
+         * registry + collection accessor. When present, successful
+         * `put()` dispatches registered derivation strategies for the
+         * source collection. Same structural-interface pattern as
+         * `guardSource` to avoid a circular Vault import.
+         */
+        derivationSource?: {
+            registry(): DerivationRegistry;
+            getCollection(name: string): Collection<Record<string, unknown>>;
+            /**
+             * Read-only vault facade handed to `derive(source, ctx)` so a
+             * derivation can fetch sibling records (#147). Same shape and
+             * instance the guards subsystem uses for `check(incoming, ctx)`.
+             */
+            getReadOnlyFacade(): ReadOnlyVaultFacade$1;
+            /**
+             * Read access to the owning Noydb's currently-active multi-record
+             * transaction context, or `null` when no transaction is running.
+             * `dispatchDerivations` consults this so a recursive derived-output
+             * write can register its pre-write envelope onto `ctx._executed`
+             * and roll back alongside the source op on mid-batch failure (#133).
+             */
+            getActiveTxContext(): TxContext | null;
+            /**
+             * Construct a transient TxContext bound to the owning Noydb. Used
+             * by `Collection.putManyAtomic` to publish an active context for
+             * its Phase 2 loop (#133).
+             */
+            createTxContext(): TxContext;
+            /** Publish a TxContext for the duration of a bulk-atomic loop. */
+            setActiveTxContext(ctx: TxContext): void;
+            /** Drop a previously-published TxContext. */
+            clearActiveTxContext(ctx: TxContext): void;
+        } | undefined;
+        /**
+         * Vault-internal hook for materialized-view dispatch (#143/#150).
+         * Parallel to `derivationSource`. When set, `Collection.put` fires
+         * registered MV `onSourceWrite` after the standard derivation
+         * dispatch.
+         */
+        materializedViewSource?: {
+            registry(): MaterializedViewRegistry;
+            getCollection(name: string): Collection<any>;
+            getActiveTxContext(): TxContext | null;
+            getQueryContext(): MVQueryContext;
+        } | undefined;
     });
     /**
      * Return the Standard Schema validator attached to this collection,
@@ -7032,10 +8981,109 @@ declare class Collection<T> {
         staleMs?: number;
         pollIntervalMs?: number;
     }): PresenceHandle<P>;
-    /** Create or update a record. */
-    put(id: string, record: T): Promise<void>;
+    /**
+     * Create or update a record.
+     *
+     * @param id      Record identifier.
+     * @param record  The record body (validated by the collection's schema
+     *                if one was attached at `vault.collection(...)` time).
+     * @param options Optional metadata for audit + import workflows.
+     *                `reason` is stamped onto the resulting ledger entry
+     *                (see #1) so audit consumers can filter via
+     *                `entries.filter(e => e.reason?.startsWith('import:'))`.
+     */
+    put(id: string, record: T, options?: {
+        readonly reason?: string;
+    }): Promise<void>;
+    /**
+     * Fire registered MV strategies whose dependency set includes this
+     * collection. Eager-mode MVs re-materialize inline via
+     * `MaterializedViewExecutor.refresh`; lazy / manual modes are
+     * no-ops in the foundation (subtask #150) — wired in #151.
+     *
+     * Skips entirely when the record being written is itself an
+     * MV-emitted row (carries `_materializedFrom`) — defensive guard
+     * against missed cycle detection.
+     *
+     * @internal
+     */
+    private dispatchMaterializedViews;
+    /**
+     * Fire registered derivation strategies for this source collection.
+     * Eager mode runs `derive` inline and writes each output via the
+     * sibling `Collection.put`; lazy mode marks dependent outputs stale
+     * (D11 stub today). Errors in non-strict mode are logged and
+     * skipped; strict mode propagates the first failing output's error.
+     *
+     * Skips entirely when the record being written is itself a derived
+     * output (carries `_derivedFrom`) — defensive guard against missed
+     * cycle detection.
+     */
+    private dispatchDerivations;
     /** Delete a record by ID. */
     delete(id: string): Promise<void>;
+    /**
+     * @internal — system-internal delete that bypasses user-facing
+     * delete hooks (`onDelete`, accounting-period guard, FK ref
+     * enforcer). Used by derivation tombstones (#144) and MV refresh
+     * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
+     * registered against the output collection. The ledger entry and
+     * history snapshot still fire so backup integrity and time-travel
+     * reconstruction stay consistent.
+     *
+     * Returns silently for delete-of-absent (idempotent contract — both
+     * paths honour this: the `txCtx === null` path also reads the prior
+     * envelope and short-circuits before the ledger/event side-effects).
+     *
+     * When a `txCtx` is supplied, the prior envelope is captured and
+     * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
+     * the #133 rollback hardening for puts. Callers outside a
+     * multi-record transaction pass `null` and skip the tracking.
+     *
+     * Amendment composition: if `_internalDelete` runs while a vault's
+     * `GuardRegistry` has an amendment window open, the `{before, after:
+     * null}` change pair is pushed onto the amendment change-set the
+     * same way a user-initiated delete would. The `onDelete` user-hook
+     * is still skipped (housekeeping must not trip user invariants in
+     * normal mode), but the amendment's invariant DOES see the change
+     * — so a `RCT-CANCEL-001`-style invariant pairing can reject a
+     * derivation-driven tombstone fired during an admin amendment.
+     *
+     * Constraint to surface to consumers: output collections of
+     * derivations with `optional: true` outputs should not be the
+     * targets of `strict` or `cascade` inbound foreign-key refs —
+     * `_internalDelete` bypasses the ref enforcer by design (the
+     * `onDelete` bypass primitive). Treat the housekeeping path as
+     * "system can tombstone its own emissions regardless of FK shape."
+     *
+     * Permission handling is unchanged: the caller must still hold
+     * write permission on the collection (derivations run under the
+     * user's keyring).
+     */
+    _internalDelete(id: string, txCtx?: TxContext | null): Promise<void>;
+    private _doDelete;
+    /**
+     * Cascade deletes of array-shape derived rows when a source row is
+     * deleted (#200). Reads each registered strategy's fanout sidecar
+     * for this source id, deletes every listed derived row, then
+     * deletes the sidecar itself.
+     *
+     * Record-shape derivations are skipped — see _doDelete's comment
+     * for why the asymmetry is correct.
+     *
+     * @internal
+     */
+    private dispatchArrayDerivationsOnDelete;
+    /**
+     * Mirror of {@link dispatchMaterializedViews} for the delete path
+     * (#181). No record content is available (it's gone), so the
+     * `_materializedFrom` skip used by the put-side dispatch doesn't
+     * apply here — instead, the recursion guard is the `internal` gate
+     * at the `_doDelete` call site above.
+     *
+     * @internal
+     */
+    private dispatchMaterializedViewsOnDelete;
     /**
      * List all records in the collection.
      *
@@ -7110,6 +9158,15 @@ declare class Collection<T> {
      * the filtered records directly (the API). Prefer the chainable
      * form for new code.
      *
+     * **Lazy-MV gap (#157):** `query()` is synchronous and does NOT
+     * trigger lazy materialized-view resolve-on-read. If this
+     * collection is a lazy MV's output and the MV is currently stale,
+     * `query().toArray()` returns the pre-stale snapshot. To force a
+     * fresh read on a lazy MV, either call `list()` (which DOES
+     * trigger resolve) or `vault.refreshView(mvName)` before querying.
+     * The proper fix — extending `QuerySource` with an async prepare
+     * hook — is a separate PR.
+     *
      * @example
      * ```ts
      * // New chainable API:
@@ -7262,6 +9319,11 @@ declare class Collection<T> {
      *   .aggregate({ total: sum('amount'), n: count() })
      * ```
      *
+     * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+     * NOT trigger lazy materialized-view resolve-on-read. For lazy
+     * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
+     * before scanning. Same shape as the `query()` limitation.
+     *
      * Returns a `ScanBuilder<T>` instead of the raw async iterator
      * that previous versions used. The builder implements
      * `AsyncIterable<T>`, so every existing `for await … of` call
@@ -7280,6 +9342,22 @@ declare class Collection<T> {
     /** Decrypt a page of envelopes returned by `adapter.listPage`. */
     private decryptPage;
     /** Load all records from adapter into memory cache. */
+    /**
+     * @internal — refresh the in-memory cache entry for a single id by
+     * re-reading from the adapter. Used by the transaction executor's
+     * Phase-3 revert path: that path writes the prior envelope directly
+     * via the raw store (to avoid re-firing Collection-level side
+     * effects), which would otherwise leave this Collection's eager
+     * cache holding the rolled-back value. After revert, the executor
+     * calls this hook so subsequent `get` / `query` reads see the
+     * actual on-disk state.
+     *
+     * Lazy mode: drops the LRU entry; the next `get` repopulates from
+     * the adapter. Eager mode: re-reads the envelope and either sets
+     * the cache entry (record still present) or deletes it (record was
+     * gone before the tx and the revert deleted it again).
+     */
+    _invalidateCacheEntry(id: string): Promise<void>;
     private ensureHydrated;
     /** Hydrate from a pre-loaded snapshot (used by Vault). */
     hydrateFromSnapshot(records: Record<string, EncryptedEnvelope>): Promise<void>;
@@ -7704,7 +9782,7 @@ interface ShadowStrategy {
  * @internal
  */
 interface TxStrategy {
-    runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+    runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 }
 
 /**
@@ -7834,6 +9912,244 @@ interface SessionStrategy {
     revokeAllSessions(): void;
 }
 
+/**
+ * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.
+ *
+ * A vault mode where the passphrase is machine-generated and never
+ * exposed to the user, sealed under a developer-provided
+ * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
+ * Manager, libsecret, AWS KMS, …). The user has no secret to give
+ * up to coercion — they can't reveal what they don't know.
+ *
+ * ## Components in this file
+ *
+ *   - {@link SealingKeyProvider} — the interface concrete providers
+ *     implement. Provider implementations live OUTSIDE hub (per-
+ *     platform packages).
+ *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
+ *     a deterministic per-instance "key" so two providers with
+ *     different ids cannot unseal each other's outputs.
+ *   - {@link RecipientHint} — public material a sender uses to seal
+ *     plaintext for a specific recipient; published by
+ *     {@link RecipientSealer.publishRecipientHint} and transported
+ *     out-of-band to the sender before bundle writes.
+ *   - {@link RecipientSealer} — interface for asymmetric/granted
+ *     providers that support recipient-target sealing (RSA-OAEP,
+ *     cloud-KMS asymmetric, etc.); distinct from self-only
+ *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
+ *   - {@link MemoryRecipientSealer} — in-process reference
+ *     implementation of both `RecipientSealer` and
+ *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
+ *     safe for tests and same-process sender/recipient scenarios.
+ *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
+ *     plaintext envelope storage at `_meta/sealed-passphrase`.
+ *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
+ *     GCM-bypassed patterns. The sealing layer (provider's job)
+ *     is the security boundary; hub doesn't have a key to encrypt
+ *     with at this layer — that's the whole point of the design.
+ *   - {@link resolveManagedSecret} — orchestrates the "generate +
+ *     seal + persist on first open; unseal on reopen" flow.
+ *     Returns the plaintext passphrase string that the rest of the
+ *     `createNoydb` keyring path consumes.
+ *
+ * Slice 1 of #14. Deferred to follow-ups:
+ *   - Block `rotate-passphrase` policy gate under managed mode.
+ *   - Mandatory strong-recovery enforcement (depends on #10).
+ *   - Recovery flow under managed mode (generates fresh sealed phrase).
+ *
+ * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
+ *
+ * @module
+ */
+
+/**
+ * The contract concrete providers (per-platform key stores) implement
+ * to seal and unseal a hub-generated random passphrase. The plaintext
+ * passphrase NEVER leaves hub-controlled memory in unsealed form —
+ * the provider receives the bytes, returns opaque sealed bytes, and
+ * later reverses the operation. Hub treats the sealed bytes as
+ * fully opaque.
+ *
+ * Implementations live OUTSIDE `@noy-db/hub` (separate packages
+ * per the issue's "Concrete providers (live outside hub)" note):
+ *
+ * | Platform | Package (TBD) | Backing |
+ * |---|---|---|
+ * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
+ * | Windows | `@noy-db/seal-wincred` | Credential Manager |
+ * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
+ * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
+ */
+interface SealingKeyProvider {
+    /**
+     * Non-sensitive identifier disclosed in the persisted envelope.
+     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
+     * a vault opened with the wrong provider class can detect the
+     * mismatch and surface a clear error. NOT secret — fine to log.
+     *
+     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
+     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
+     * parses this; it's purely audit metadata.
+     */
+    readonly id: string;
+    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
+     * any other failure — hub treats a thrown error as "this provider
+     * cannot unlock this vault" and surfaces it to the caller.
+     */
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * In-memory test provider. NOT secure — uses a deterministic
+ * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
+ * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
+ * sufficient to make different `id` values produce mutually-unsealable
+ * outputs (the contract tests for that), but offers ZERO real
+ * confidentiality — never use outside tests.
+ *
+ * Replace with a real platform provider in production.
+ */
+declare class MemorySealingKeyProvider implements SealingKeyProvider {
+    readonly id: string;
+    private readonly fingerprint;
+    private readonly keyBytes;
+    constructor(opts: {
+        id: string;
+    });
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * Public material a sender uses to seal-for-this-recipient. Published by
+ * a recipient's RecipientSealer; transported to the sender out-of-band
+ * (email, S3, in-app message). The sender obtains the hint, supplies it
+ * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
+ * hub seals each user's credential against it. Per foundation §11.4.
+ */
+type RecipientHint = {
+    readonly v: 1;
+    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
+    readonly pid: string;
+    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
+    readonly alg: 'rsa-oaep-sha256';
+    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
+    readonly material: Readonly<Record<string, unknown>>;
+};
+/**
+ * Handover-capable provider. Implemented additionally by asymmetric/granted
+ * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
+ * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
+ * implement this — the §11.2 capability matrix lives in the type system.
+ *
+ * Per foundation §11.4. A function that requires recipient-target sealing
+ * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
+ * passing a self-only provider at the spec site.
+ */
+interface RecipientSealer {
+    readonly id: string;
+    /** Produce hint material a sender uses to seal-for-this-recipient. */
+    publishRecipientHint(): Promise<RecipientHint>;
+    /**
+     * Seal plaintext for the recipient described by `hint`. Returns opaque
+     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
+     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
+     * without inspecting them.
+     */
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+}
+/**
+ * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
+ * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
+ * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
+ * result into a self-describing TLV:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
+ * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
+ * for tests where one provider plays both ends. Real cloud providers
+ * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
+ * contract is round-trip identity.
+ *
+ * SAFE for production within its scope — the cryptography is real
+ * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
+ * and is regenerated on every construction. Not suitable as a managed
+ * keychain; use it for tests and for shipping bundles where the
+ * recipient instance lives in the same process as the sender (rare).
+ */
+declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
+    readonly id: string;
+    private readonly keypair;
+    constructor(opts: {
+        id: string;
+    });
+    publishRecipientHint(): Promise<RecipientHint>;
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    unseal(bytes: Uint8Array): Promise<Uint8Array>;
+}
+/** Reserved id for the managed-passphrase envelope under `_meta`. */
+declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
+/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
+interface SealedPassphrase {
+    readonly _noydb_sealed: 1;
+    readonly providerId: string;
+    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
+    readonly sealed: Uint8Array;
+}
+/**
+ * Wire-format envelope persisted at `_meta/sealed-passphrase` for
+ * managed-mode vaults. The provider produces raw sealed bytes via
+ * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
+ * metadata hub needs to pick the right provider on the unseal path.
+ *
+ * Stability boundary: once shipped, the wire format only grows by
+ * adding optional fields. See the at-* sealing dimension foundation
+ * doc, §11.9.1.
+ *
+ * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
+ *
+ * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`
+ * — accepted on read for backwards compatibility; never produced on
+ * write going forward.
+ */
+interface SealedEnvelope {
+    /** Envelope schema version. v1 is the shape shipped in pre.16. */
+    readonly v: 1;
+    /** Magic marker for forensics + legacy-shape detection. */
+    readonly _noydb_sealed: 1;
+    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
+    readonly pid: string;
+    /** Sealed bytes from the provider, base64-encoded on the wire. */
+    readonly payload: string;
+}
+/**
+ * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
+ * in-memory {@link SealedPassphrase} representation. Accepts both:
+ *
+ *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
+ *      the shape produced from pre.16 onward.
+ *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
+ *      the shape produced in pre.14/pre.15. Read-only; never written
+ *      going forward.
+ *
+ * Returns `undefined` for any input that doesn't match either shape,
+ * so callers can fall back to "no managed-mode envelope present."
+ *
+ * @internal — exported only for the migration safety-net test suite.
+ */
+declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
+declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
+    readonly providerId: string;
+    readonly sealed: Uint8Array;
+}): Promise<void>;
+declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
+
 /**
  * Core types — the {@link NoydbStore} interface, envelope format, roles, and
  * all configuration shapes consumed by {@link createNoydb}.
@@ -7892,7 +10208,7 @@ type Permission = 'rw' | 'ro';
  * `'*'` is the wildcard collection matching all collections in the vault.
  */
 type Permissions = Record<string, Permission>;
-/** The encrypted wrapper stored by adapters. Adapters only ever see this. */
+/** The encrypted wrapper stored by stores. Stores only ever see this. */
 interface EncryptedEnvelope {
     readonly _noydb: typeof NOYDB_FORMAT_VERSION;
     readonly _v: number;
@@ -7995,8 +10311,8 @@ interface ListPageResult {
 }
 interface NoydbStore {
     /**
-     * Optional human-readable adapter name (e.g. 'memory', 'file', 'dynamo').
-     * Used in diagnostic messages and the listPage fallback warning. Adapters
+     * Optional human-readable store name (e.g. 'memory', 'file', 'dynamo').
+     * Used in diagnostic messages and the listPage fallback warning. Stores
      * are encouraged to set this so logs are clearer about which backend is
      * involved when something goes wrong.
      */
@@ -8017,22 +10333,22 @@ interface NoydbStore {
     ping?(): Promise<boolean>;
     /**
      * Optional: list record IDs in a collection that have `_ts` after `since`.
-     * Used by partial sync (`pull({ modifiedSince })`). Adapters that omit this
+     * Used by partial sync (`pull({ modifiedSince })`). Stores that omit this
      * fall back to a full `loadAll` + client-side timestamp filter.
      */
     listSince?(vault: string, collection: string, since: string): Promise<string[]>;
     /**
-     * Optional pagination extension. Adapters that implement `listPage` get
-     * the streaming `Collection.scan()` fast path; adapters that don't are
+     * Optional pagination extension. Stores that implement `listPage` get
+     * the streaming `Collection.scan()` fast path; stores that don't are
      * silently fallen back to a full `loadAll()` + slice (with a one-time
      * console.warn).
      *
-     * `cursor` is opaque to the core — each adapter encodes its own paging
+     * `cursor` is opaque to the core — each store encodes its own paging
      * state (DynamoDB: base64 LastEvaluatedKey JSON; S3: ContinuationToken;
      * memory/file/browser: numeric offset of a sorted id list). Pass
      * `undefined` to start from the beginning.
      *
-     * `limit` is a soft upper bound on `items.length`. Adapters MAY return
+     * `limit` is a soft upper bound on `items.length`. Stores MAY return
      * fewer items even when more exist (e.g. if the underlying store has
      * its own page size cap), and MUST signal "no more pages" by returning
      * `nextCursor: null`.
@@ -8245,7 +10561,7 @@ type RecoveryEnrollment = {
  * metadata only.
  */
 interface KeyringAuthenticatorBase {
-    /** Caller-chosen identifier — e.g. `'webauthn-yubikey-blue'`, `'oidc-google'`, `'password-daily'`. */
+    /** Caller-chosen identifier — e.g. `'webauthn-yubikey-blue'`, `'oidc-google'`, `'password'`. */
     readonly id: string;
     /** Method family — selects which `@noy-db/on-*` package handles unlock. */
     readonly method: 'webauthn' | 'oidc' | 'password';
@@ -8330,6 +10646,21 @@ interface KeyringFile {
     readonly salt: string;
     readonly created_at: string;
     readonly granted_by: string;
+    /**
+     * Passphrase canary — base64 AES-KW-wrapped form of a known constant
+     * 256-bit value, wrapped under the keyring's KEK (#113).
+     *
+     * Optional: pre-#113 keyrings load with no canary and fall back to
+     * the multi-DEK corruption heuristic from #82. Keyrings written after
+     * #113 carry one and let `loadKeyring` distinguish wrong-passphrase
+     * from corruption even when ALL DEKs (including a single-DEK keyring's
+     * sole DEK) are corrupted.
+     *
+     * AES-KW is deterministic — every write site mints fresh on each
+     * persist; same KEK + same constant input always produces the same
+     * ciphertext, so this round-trips without state.
+     */
+    readonly canary?: string;
     /**
      * Tier-2 authenticator slots (multi-slot keyring extension).
      * Optional / append-only: keyring files written before the
@@ -8573,7 +10904,7 @@ interface PullOptions {
     collections?: string[];
     /**
      * Only pull records with `_ts` strictly after this ISO timestamp.
-     * Adapters that implement `listSince` use it directly; others fall back
+     * Stores that implement `listSince` use it directly; others fall back
      * to a full scan with client-side filtering.
      */
     modifiedSince?: string;
@@ -8737,6 +11068,11 @@ interface GrantOptions {
  * keyring put (same concurrency story as `db.grant` / `db.revoke`).
  *
  * Top-level fields are partial-merge: absent fields are not modified.
+ * `null` on `displayName` clears the field (stored as the empty string;
+ * UI consumers typically render the empty case by falling back to the
+ * user id). `undefined` / absent leaves the field untouched. Mirrors
+ * the `null`-as-clear convention `UserApi.updateMe` uses (#57).
+ *
  * `permissions`, however, is a **full replacement** at the map level —
  * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
  * silently dropping any other entries. To partially update, read the
@@ -8755,7 +11091,7 @@ interface GrantOptions {
 interface UpdateUserOptions {
     readonly userId: string;
     readonly role?: Role;
-    readonly displayName?: string;
+    readonly displayName?: string | null;
     readonly permissions?: Permissions;
 }
 interface RevokeOptions {
@@ -8798,8 +11134,8 @@ interface AccessibleVault {
  */
 interface ListAccessibleVaultsOptions {
     /**
-     * Minimum role the caller must hold to include a compartment in the
-     * result. Compartments where the caller's role is strictly *below*
+     * Minimum role the caller must hold to include a vault in the
+     * result. Vaults where the caller's role is strictly *below*
      * this threshold are silently excluded. Defaults to `'client'`,
      * which means "every vault I can unwrap is returned." Set to
      * `'admin'` for "vaults where I can grant/revoke," or
@@ -9326,6 +11662,37 @@ interface NoydbOptions {
      * @internal
      */
     readonly syncStrategy?: SyncStrategy;
+    /**
+     * Optional guard strategies — collection-level write guards. Each
+     * handle is the output of `withGuard()` from `@noy-db/hub/guards`.
+     * Multiple guards per collection are allowed; they are dispatched
+     * in registration order on `collection.put()`.
+     */
+    readonly guardStrategies?: ReadonlyArray<GuardStrategyHandleAny>;
+    /**
+     * Optional derivation strategies — source-to-output projections that
+     * fire on `collection.put()`. Each handle is the output of
+     * `withDerivation()` from `@noy-db/hub/derivations`. The vault
+     * validates the derivation graph for cycles on `openVault`; a cyclic
+     * graph throws `DerivationCycleError`.
+     */
+    readonly derivationStrategies?: ReadonlyArray<DerivationStrategyHandle>;
+    /**
+     * Optional materialized-view strategies (#143, foundation in #150).
+     * Each handle returned by `withMaterializedView()` from
+     * `@noy-db/hub/materialized-views`. The vault runs unified cycle
+     * detection across the MV + derivation graphs at `openVault`; a
+     * cyclic graph throws `MaterializedViewCycleError`.
+     */
+    readonly materializedViewStrategies?: ReadonlyArray<MaterializedViewStrategyHandle>;
+    /**
+     * Optional overlay strategies (#154). Each handle returned by
+     * `withOverlayedView()` from `@noy-db/hub/overlay-views`. The vault
+     * validates name uniqueness + base concreteness + overlay
+     * availability at `openVault`; a clash throws one of the
+     * `Overlay*Error` family.
+     */
+    readonly overlayedViewStrategies?: ReadonlyArray<OverlayedViewStrategyHandle>;
     /** Optional remote store(s) for sync. Accepts a single store, a SyncTarget, or an array. */
     readonly sync?: NoydbStore | SyncTarget | SyncTarget[];
     /** User identifier. */
@@ -9371,6 +11738,32 @@ interface NoydbOptions {
      * subsequent sessions.
      */
     readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>;
+    /**
+     * Passphrase mode (#14). Default `'standard'`.
+     *
+     *   - `'standard'` — the legacy flow. `secret` supplies the
+     *     plaintext passphrase, the user knows it, and the policy gate
+     *     `rotate-passphrase` is enabled.
+     *   - `'managed'` — rubber-hose-resistant mode. Hub generates a
+     *     256-bit random passphrase at first open and seals it under
+     *     the provided `sealingKey`. The user never sees or types the
+     *     passphrase, defeating the $5-wrench attack. Mutually
+     *     exclusive with `secret` and `getKeyring`.
+     *
+     * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
+     */
+    readonly passphraseMode?: 'standard' | 'managed';
+    /**
+     * Provider that seals/unseals the auto-generated managed-mode
+     * passphrase. Required when `passphraseMode === 'managed'`; ignored
+     * otherwise. Implementations live in per-platform packages
+     * (`@noy-db/seal-macos-keychain`, `@noy-db/seal-wincred`,
+     * `@noy-db/seal-libsecret`, `@noy-db/seal-aws-kms`, …).
+     */
+    readonly sealingKey?: SealingKeyProvider;
+    /** Required to use `profile: 'shamir'` recovery. Pass
+     *  `shamirRecoveryProvider()` from `@noy-db/on-shamir`. */
+    readonly shamirRecovery?: ShamirRecoveryProvider;
     /** Auth method. Default: 'passphrase'. */
     readonly auth?: 'passphrase' | 'biometric';
     /** Enable encryption. Default: true. */
@@ -9574,4 +11967,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permission as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringAuthenticator as bA, type KeyringFile as bB, type ListAccessibleVaultsOptions as bC, type ListPageResult as bD, type LiveUserEnvelope as bE, type LocaleReadOptions as bF, Lru as bG, type LruOptions as bH, type LruStats as bI, MAGIC_LINK_CONTENT_INFO_PREFIX as bJ, MAGIC_LINK_GRANTS_COLLECTION as bK, MAGIC_LINK_KEK_INFO_PREFIX as bL, type MagicLinkGrantPayload as bM, type MagicLinkGrantRecord as bN, NOYDB_BACKUP_VERSION as bO, NOYDB_FORMAT_VERSION as bP, NOYDB_KEYRING_VERSION as bQ, NOYDB_SYNC_VERSION as bR, Noydb as bS, type NoydbBundleStore as bT, type NoydbEventMap as bU, type NoydbOptions as bV, PUBLIC_ENVELOPE_FIELDS as bW, type PaperRecoveryDoc as bX, type PaperRecoveryEntry as bY, type PassphrasePolicy as bZ, type PassphraseValidationResult as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DeepPartialOrNull as be, type DelegationToken as bf, type DeleteManyResult as bg, type DirtyEntry as bh, ELEVATION_AUDIT_COLLECTION as bi, ElevatedHandle as bj, type EnrollAuthenticatorOptions as bk, type ExportCapability as bl, type ExportChunk as bm, type ExportFormat as bn, type ExportStreamOptions as bo, type FactorKind as bp, type FactorRequirement as bq, type GhostRecord as br, type GrantOptions as bs, type HistoryConfig as bt, type HistoryEntry as bu, INDEXED_STORE_POLICY as bv, type ImportCapability as bw, type InferOutput as bx, type IssueDelegationOptions as by, type IssueMagicLinkGrantOptions as bz, DictionaryHandle as c, type UserInfo as c$, type Permissions as c0, type PlaintextTranslatorContext as c1, type PlaintextTranslatorFn as c2, PresenceHandle as c3, type PresencePeer as c4, type PublicEnvelopeField as c5, type PublicEnvelopeSchema as c6, type PublicEnvelopeText as c7, type PullMode as c8, type PullOptions as c9, type StandardSchemaV1Issue as cA, type StandardSchemaV1SyncResult as cB, type StoreAuth as cC, type StoreAuthKind as cD, type StoreCapabilities as cE, SyncEngine as cF, type SyncMetadata as cG, type SyncPolicy as cH, SyncScheduler as cI, type SyncSchedulerStatus as cJ, type SyncStatus as cK, type SyncTarget as cL, type SyncTargetRole as cM, SyncTransaction as cN, type SyncTransactionResult as cO, type TierMode as cP, type TranslatorAuditEntry as cQ, type TxOp as cR, USER_ENVELOPE_COLLECTION as cS, USER_ENVELOPE_MAX_BYTES as cT, type Unsubscribe as cU, type UpdateAuthenticatorOptions as cV, type UpdateUserOptions as cW, UserApi as cX, type UserEnvelopeCheckGate as cY, UserEnvelopeOversizedError as cZ, type UserEnvelopePresented as c_, type PullPolicy as ca, type PullResult as cb, type PushMode as cc, type PushOptions as cd, type PushPolicy as ce, type PushResult as cf, type PutManyItemOptions as cg, type PutManyOptions as ch, type PutManyResult as ci, type QueryAcrossOptions as cj, type QueryAcrossResult as ck, type QuickUnlockState as cl, QuickUnlockStore as cm, type ReAuthOperation as cn, type RecoverPassphraseInput as co, type RecoverPassphraseResult as cp, type RecoverUserOptions as cq, type RecoveryProof as cr, type ResolvedPublicEnvelopeSchema as cs, type RevokeOptions as ct, type RotatePassphraseInput as cu, type SessionPolicy as cv, type SetPublicEnvelopeInput as cw, type SlotRewrapCeremony as cx, type SlotRewrapContext as cy, type StandardSchemaV1 as cz, type DictionaryOptions as d, type VaultBackup as d0, type VaultPolicyOnDisk as d1, type VaultSnapshot as d2, type WarningRules as d3, WeakPassphraseError as d4, type WeakPassphraseReason as d5, type WrappedDeksBlob as d6, assertStrongPassphrase as d7, buildRecipientKeyringFile as d8, burnPaperRecoveryEntry as d9, recoverUser as dA, removeAuthenticator as dB, resolveSchema as dC, revokeDelegation as dD, revokeMagicLinkGrant as dE, savePaperRecoveryEntries as dF, unwrapDeksFromBlob as dG, unwrapDeksFromPaperEntry as dH, unwrapMagicLinkGrant as dI, validatePassphrase as dJ, validatePublicEnvelopeInput as dK, validateSchemaInput as dL, validateSchemaOutput as dM, writeMagicLinkGrant as dN, createNoydb as da, createStore as db, deriveMagicLinkContentKey as dc, enrollAuthenticator as dd, estimateEntropy as de, evaluateExportCapability as df, evaluateImportCapability as dg, findAuthenticator as dh, hasExportCapability as di, hasImportCapability as dj, hasRecoveryEnrolled as dk, isMagicLinkGrantExpired as dl, isPublicEnvelope as dm, issueDelegation as dn, recoverPassphrase as dp, rotatePassphrase as dq, listMagicLinkGrants as dr, listUsers as ds, listUsersWithEnvelopes as dt, loadActiveDelegations as du, loadPaperRecoveryEntries as dv, magicLinkGrantRecordId as dw, mintPaperRecoveryEntry as dx, mintWrappedDeksBlob as dy, readMagicLinkGrantRecord as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, VaultInstant as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DerivationStrategyHandle as aA, type DerivedFromMeta as aB, type OutputSpec as aC, type RecordOutputSpec as aD, type MaterializedViewStrategy as aE, type MaterializedViewStrategyHandle as aF, type OverlayedViewStrategy as aG, Collection as aH, OverlayedViewRegistry as aI, type OverlayedViewStrategyHandle as aJ, type SyncStrategy as aK, type Role as aL, type UnlockedKeyring as aM, type HistoryStrategy as aN, type NoydbStore as aO, type HistoryOptions as aP, type EncryptedEnvelope as aQ, type PruneOptions as aR, type AppendInput as aS, type ChangeType as aT, CollectionInstant as aU, type DiffEntry as aV, type JsonPatch as aW, type JsonPatchOp as aX, type LedgerEntry as aY, LedgerStore as aZ, type VaultEngine as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type GuardStrategy as ah, type GuardChange as ai, type GuardContext as aj, GuardRegistry as ak, type GuardStrategyHandle as al, ReadOnlyVaultFacade as am, type ShadowStrategy as an, CollectionFrame as ao, VaultFrame as ap, type TxStrategy as aq, type AmendmentTxOptions as ar, TxCollection as as, TxContext as at, TxVault as au, runTransaction as av, type DerivationStrategy as aw, type DerivationContext as ax, type ArrayOutputSpec as ay, DerivationRegistry as az, type DictKeyDescriptor as b, type ExportChunk as b$, type VerifyResult as b0, applyPatch as b1, canonicalJson as b2, computePatch as b3, diff as b4, formatDiff as b5, hashEntry as b6, paddedIndex as b7, parseIndex as b8, sha256Hex as b9, type CacheOptions as bA, type CacheStats as bB, type ChangeEvent as bC, type CollectionChangeEvent as bD, type CollectionConflictResolver as bE, type CollectionDescriptor as bF, type CollectionStats as bG, type Conflict as bH, type ConflictPolicy as bI, type ConflictStrategy as bJ, type CrossTierAccessEvent as bK, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bL, DELEGATIONS_COLLECTION as bM, type DeepPartial as bN, type DeepPartialOrNull as bO, type DelegationToken as bP, type DeleteManyResult as bQ, type DerivationDescriptor as bR, type DirtyEntry as bS, type DumpSchemaOptions as bT, ELEVATION_AUDIT_COLLECTION as bU, ElevatedHandle as bV, type EnrollAuthenticatorOptions as bW, type EnrollAuthenticatorWrappingDEKsOptions as bX, type EnrollAuthenticatorWrappingKEKOptions as bY, type EnrollRecoveryResult as bZ, type ExportCapability as b_, type PublicEnvelope as ba, type SealingKeyProvider as bb, type BundleRecipient as bc, type RecipientSealer as bd, type RecipientHint as be, Vault as bf, type RecoveryEnrollmentInput as bg, type ShamirRecoveryProvider as bh, type MVQueryContext as bi, type RegisteredMV as bj, MaterializedViewRegistry as bk, type MaterializedFromMeta as bl, type MaterializedViewOutput as bm, type UnionSource as bn, type UserEnvelope as bo, type GateName as bp, type GatePolicy as bq, type VaultPolicy as br, type ActiveTier as bs, type FactorProof as bt, type PersistedSchemaEnvelope as bu, type DirectoryConfig as bv, type UserVisibility as bw, type AccessibleVault as bx, BUNDLE_STORE_POLICY as by, type BuiltInGateName as bz, DictionaryHandle as c, type PullPolicy as c$, type ExportFormat as c0, type ExportStreamOptions as c1, type FactorKind as c2, type FactorProofBundle as c3, type FactorRequirement as c4, type FieldDescriptor as c5, type FieldSource as c6, type GhostRecord as c7, type GrantOptions as c8, type HistoryConfig as c9, MemorySealingKeyProvider as cA, NOYDB_BACKUP_VERSION as cB, NOYDB_FORMAT_VERSION as cC, NOYDB_KEYRING_VERSION as cD, NOYDB_SYNC_VERSION as cE, Noydb as cF, type NoydbBundleStore as cG, type NoydbEventMap as cH, type NoydbOptions as cI, type OverlayViewDescriptor as cJ, PUBLIC_ENVELOPE_FIELDS as cK, type PaperRecoveryDoc as cL, type PaperRecoveryEntry as cM, type PassphrasePolicy as cN, type PassphraseValidationResult as cO, type Permission as cP, type Permissions as cQ, type PersistedSchemaKind as cR, type PlaintextTranslatorContext as cS, type PlaintextTranslatorFn as cT, PresenceHandle as cU, type PresencePeer as cV, type PublicEnvelopeField as cW, type PublicEnvelopeSchema as cX, type PublicEnvelopeText as cY, type PullMode as cZ, type PullOptions as c_, type HistoryEntry as ca, INDEXED_STORE_POLICY as cb, type ImportCapability as cc, type InferOutput as cd, type InternalCollectionStats as ce, type IssueDelegationOptions as cf, type IssueMagicLinkGrantOptions as cg, type KeyringAuthenticator as ch, type KeyringAuthenticatorWrappingDEKs as ci, type KeyringAuthenticatorWrappingKEK as cj, type KeyringFile as ck, type ListAccessibleVaultsOptions as cl, type ListPageResult as cm, type ListUsersOptions as cn, type LiveUserEnvelope as co, type LocaleReadOptions as cp, Lru as cq, type LruOptions as cr, type LruStats as cs, MAGIC_LINK_CONTENT_INFO_PREFIX as ct, MAGIC_LINK_GRANTS_COLLECTION as cu, MAGIC_LINK_KEK_INFO_PREFIX as cv, type MagicLinkGrantPayload as cw, type MagicLinkGrantRecord as cx, type MaterializedViewDescriptor as cy, MemoryRecipientSealer as cz, type DictionaryOptions as d, type VaultSchemaSnapshot as d$, type PullResult as d0, type PushMode as d1, type PushOptions as d2, type PushPolicy as d3, type PushResult as d4, type PutManyItemOptions as d5, type PutManyOptions as d6, type PutManyResult as d7, type QueryAcrossOptions as d8, type QueryAcrossResult as d9, type StoreAuthKind as dA, type StoreCapabilities as dB, SyncEngine as dC, type SyncMetadata as dD, type SyncPolicy as dE, SyncScheduler as dF, type SyncSchedulerStatus as dG, type SyncStatus as dH, type SyncTarget as dI, type SyncTargetRole as dJ, SyncTransaction as dK, type SyncTransactionResult as dL, type TierMode as dM, type TranslatorAuditEntry as dN, type TxOp as dO, USER_ENVELOPE_COLLECTION as dP, USER_ENVELOPE_MAX_BYTES as dQ, type Unsubscribe as dR, type UpdateAuthenticatorOptions as dS, type UpdateUserOptions as dT, UserApi as dU, type UserEnvelopeCheckGate as dV, UserEnvelopeOversizedError as dW, type UserEnvelopePresented as dX, type UserInfo as dY, type VaultBackup as dZ, type VaultPolicyOnDisk as d_, type QuickUnlockState as da, QuickUnlockStore as db, type ReAuthOperation as dc, type RecoverPassphraseInput as dd, type RecoverPassphraseResult as de, type RecoverUserOptions as df, type RecoveryProof as dg, type ResolvedPublicEnvelopeSchema as dh, type RevokeOptions as di, type RotatePassphraseInput as dj, type RotateRecoveryOptions as dk, type RotateRecoveryResult as dl, SEALED_PASSPHRASE_RECORD_ID as dm, type SealedEnvelope as dn, type SealedPassphrase as dp, type SessionPolicy as dq, type SetPublicEnvelopeInput as dr, type ShamirRecoveryDoc as ds, type ShamirRecoveryEntry as dt, type SlotRewrapCeremony as du, type SlotRewrapContext as dv, type StandardSchemaV1 as dw, type StandardSchemaV1Issue as dx, type StandardSchemaV1SyncResult as dy, type StoreAuth as dz, type I18nTextDescriptor as e, type VaultSnapshot as e0, type WarningRules as e1, WeakPassphraseError as e2, type WeakPassphraseReason as e3, type WrappedDeksBlob as e4, assertStrongPassphrase as e5, buildRecipientKeyringFile as e6, burnPaperRecoveryEntry as e7, createNoydb as e8, createStore as e9, readMagicLinkGrantRecord as eA, recoverUser as eB, removeAuthenticator as eC, resolveSchema as eD, revokeDelegation as eE, revokeMagicLinkGrant as eF, savePaperRecoveryEntries as eG, saveSealedPassphrase as eH, saveShamirRecoveryEntries as eI, unwrapDeksFromBlob as eJ, unwrapDeksFromPaperEntry as eK, unwrapDeksFromShamirEntry as eL, unwrapMagicLinkGrant as eM, validatePassphrase as eN, validatePublicEnvelopeInput as eO, validateSchemaInput as eP, validateSchemaOutput as eQ, writeMagicLinkGrant as eR, changeSecret as eS, createOwnerKeyring as eT, ensureCollectionDEK as eU, grant as eV, loadKeyring as eW, persistKeyring as eX, revoke as eY, updateAuthenticator as eZ, updateKeyringIdentity as e_, deriveMagicLinkContentKey as ea, enrollAuthenticator as eb, estimateEntropy as ec, evaluateExportCapability as ed, evaluateImportCapability as ee, findAuthenticator as ef, hasExportCapability as eg, hasImportCapability as eh, hasRecoveryEnrolled as ei, isMagicLinkGrantExpired as ej, isPublicEnvelope as ek, issueDelegation as el, recoverPassphrase as em, rotatePassphrase as en, listMagicLinkGrants as eo, listUsers as ep, listUsersWithEnvelopes as eq, loadActiveDelegations as er, loadPaperRecoveryEntries as es, loadSealedPassphrase as et, loadShamirRecoveryEntries as eu, magicLinkGrantRecordId as ev, mintPaperRecoveryEntry as ew, mintShamirRecoveryEntry as ex, mintWrappedDeksBlob as ey, parseSealedEnvelope as ez, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };