@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.10

package/dist/{types-C4lwMKKF.d.cts → types-n2_IfwlQ.d.cts}

@@ -1,8 +1,9 @@
-import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-C-rPfWG0.cjs';
-import { b as AggregateSpec, A as AggregateStrategy } from './strategy-DSTrsZ8t.cjs';
+import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-Ci5_YG73.cjs';
+import { b as AggregateSpec, A as AggregateStrategy } from './strategy-CT2LCKAX.cjs';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.cjs';
-import { N as NoydbError, Q as Query, ak as RefRegistry, ah as RefDescriptor, _ as JoinableSource, am as RefViolation, an as ScanBuilder } from './index-CmVgTkqk.cjs';
-import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Dnu81tsS.cjs';
+import { N as NoydbError, Q as Query, aw as RefRegistry, at as RefDescriptor, a7 as JoinableSource, ay as RefViolation, az as ScanBuilder } from './index-B8bjExET.cjs';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Bt5ft-9c.cjs';
+import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
  * Standard Schema v1 integration.
@@ -794,8 +795,15 @@ interface LedgerEntry {
      * guards subsystem when an admin/owner uses `withTransactions(...)`
      * to repair a constraint-violating state. See `amendment` field
      * below for the structured payload.
+     *
+     * `'lifecycle'` records a non-data audit event (e.g. partition
+     * handover) — `collection`/`id` are empty and the event detail
+     * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
+     * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
+     * skips it in the data cross-check (it still participates in the
+     * tamper-evident chain).
      */
-    readonly op: 'put' | 'delete' | 'amendment';
+    readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration';
     /** The collection the mutation targeted. */
     readonly collection: string;
     /** The record id the mutation targeted. */
@@ -820,8 +828,8 @@ interface LedgerEntry {
      */
     readonly payloadHash: string;
     /**
-     * Optional human-readable tag describing why this mutation happened
-     * (#1). Threaded through `collection.put(_, _, { reason })`. Common
+     * Optional human-readable tag describing why this mutation happened.
+     * Threaded through `collection.put(_, _, { reason })`. Common
      * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
      * `as-*` ImportPlan.apply(), but consumers can use any string for
      * domain-specific audit filtering. Auto-strip via `canonicalJson` —
@@ -1098,8 +1106,8 @@ interface AppendInput {
      */
     amendment?: LedgerEntry['amendment'];
     /**
-     * Optional human-readable tag describing why this mutation happened
-     * (#1). Threaded from `collection.put(_, _, { reason })`.
+     * Optional human-readable tag describing why this mutation happened.
+     * Threaded from `collection.put(_, _, { reason })`.
      * Carried verbatim onto the resulting ledger entry's `reason` field;
      * omitted from canonical JSON when undefined.
      */
@@ -1636,6 +1644,51 @@ interface PeriodsStrategy {
     appendPeriodLedgerEntry(ledger: LedgerStore | null, actor: string, envelope: EncryptedEnvelope, periodName: string): Promise<void>;
 }
 
+/**
+ * Per-layer i18n resolution policy.
+ *
+ * `onMissing` governs what happens when a multilingual field is resolved
+ * to a target locale that is absent. It may be a single scalar policy or
+ * a per-layer map, so a field can be lenient at the app read boundary but
+ * strict inside a materialized view.
+ *
+ * Effective policy for layer `λ`:
+ *
+ * ```
+ * explicit(λ) = typeof onMissing === 'object' ? onMissing[λ] : undefined
+ * scalar      = typeof onMissing === 'string' ? onMissing : undefined
+ * policy(λ)   = explicit(λ) ?? layerDefault(λ) ?? scalar ?? 'throw'
+ * ```
+ *
+ * - `layerDefault('guard') = 'substitute'` — guards are lenient unless
+ *   EXPLICITLY overridden; they never inherit a scalar policy (a guard
+ *   reading a display value must not hard-fail on a missing locale).
+ * - every other layer has no default, so it inherits the scalar, else
+ *   falls back to `'throw'` (today's behavior — zero breaking change).
+ *
+ * @public
+ */
+type OnMissing = 'substitute' | 'null' | 'throw';
+/**
+ * The contexts in which a multilingual field is resolved. Each can carry
+ * its own `onMissing` policy.
+ *
+ * - `read`       — ordinary app reads (`get`/`list`/query projection).
+ * - `guard`      — a guard callback reading a value.
+ * - `join`       — a joined record expanded onto a row.
+ * - `mv`         — materialized-view input.
+ * - `derivation` — derivation input.
+ * - `export`     — bundle/public-envelope export.
+ */
+type Layer = 'read' | 'guard' | 'join' | 'mv' | 'derivation' | 'export';
+/** Field-level policy: a single scalar, or a per-layer map. */
+type OnMissingPolicy = OnMissing | Partial<Record<Layer, OnMissing>>;
+/**
+ * Resolve the effective `OnMissing` for a layer from a field's declared
+ * policy. See module docs for the resolution rule.
+ */
+declare function resolvePolicy(onMissing: OnMissingPolicy | undefined, layer: Layer): OnMissing;
+
 /**
  * i18nText schema type —
  *
@@ -1677,6 +1730,37 @@ interface PeriodsStrategy {
  * Pluralization, RTL rendering, date/number formatting, per-locale CRDT
  * merging.
  */
+
+/** Flatten an intersection into a single object literal for nicer hovers. */
+type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+/**
+ * The stored shape of a multilingual field, inferred from its `required`
+ * mode — so the compiler forces you to handle an absent optional locale
+ * (`string | undefined`) instead of silently yielding `undefined`.
+ *
+ * Mirrors `i18nText({ languages, required })`:
+ * - `'all'` (default) — every locale required: `{ th: string; en: string }`
+ * - `'any'`           — every locale optional: `{ th?: string; en?: string }`
+ *   (the "at least one present" guarantee is runtime-only — not expressible
+ *   in TypeScript — so each key is optional)
+ * - `readonly L[]`    — listed locales required, the rest optional:
+ *   `I18nMap<'th'|'en', ['th']>` → `{ th: string; en?: string }`
+ *
+ * @example
+ * ```ts
+ * type Lang = 'th' | 'en'
+ * interface Contact {
+ *   name: I18nMap<Lang, 'any'>      // { th?: string; en?: string }
+ *   legalName: I18nMap<Lang, ['th']> // { th: string; en?: string }
+ *   slug: I18nMap<Lang>             // { th: string; en: string }
+ * }
+ * ```
+ *
+ * @public
+ */
+type I18nMap<Langs extends string, Required extends 'all' | 'any' | readonly Langs[] = 'all'> = Required extends 'all' ? Record<Langs, string> : Required extends 'any' ? Partial<Record<Langs, string>> : Required extends readonly (infer R extends Langs)[] ? Prettify<Record<R, string> & Partial<Record<Exclude<Langs, R>, string>>> : never;
 /**
  * Options for `i18nText()`.
  *
@@ -1705,6 +1789,38 @@ interface I18nTextOptions {
      * before `put()` if a translator is configured. Default: `false`.
      */
     readonly autoTranslate?: boolean;
+    /**
+     * What to do when this field is resolved to a locale that is absent.
+     * A single policy, or a per-layer map (read/guard/join/mv/derivation/
+     * export). Default `'throw'` — today's behavior, zero breaking change.
+     * See {@link OnMissingPolicy}.
+     *
+     * NOTE (current wiring): the `read` layer (`get`/`list`) is enforced.
+     * Guard, derivation, mv, join and export reads currently resolve
+     * through the same read path and so observe the `read`/scalar policy;
+     * dedicated per-layer enforcement for those contexts is a tracked
+     * follow-up (mv/join additionally require resolution to be injected
+     * into the query/aggregate pipeline, which today reads raw maps).
+     */
+    readonly onMissing?: OnMissingPolicy;
+    /**
+     * Ordered preferred-substitute locales used when `onMissing` resolves
+     * to `'substitute'` and the target locale is absent. `'any'` as an
+     * element means "first non-empty value". A caller-supplied `fallback`
+     * at read time takes precedence over this declared list.
+     */
+    readonly substitute?: readonly string[];
+    /**
+     * Per-locale script enforcement (write-time). `'auto'` infers the
+     * allowed Unicode scripts per locale (asymmetric Latin tolerance); an
+     * object overrides per slot. Absent ⇒ no check. See `./script.ts`.
+     */
+    readonly script?: 'auto' | Partial<Record<string, readonly string[]>>;
+    /**
+     * What to do when a slot's value contains characters outside its
+     * allowed script set. Default `'reject'`.
+     */
+    readonly onScriptViolation?: 'reject' | 'filter' | 'warn';
 }
 /**
  * Descriptor returned by `i18nText()`. Attach to the collection's
@@ -1759,23 +1875,52 @@ declare function validateI18nTextValue(value: unknown, field: string, descriptor
  * @param field    Field name used in `LocaleNotSpecifiedError` messages.
  * @returns The resolved string, OR the original map when `locale === 'raw'`.
  */
+/** Options for the policy-aware form of {@link resolveI18nText}. */
+interface ResolveI18nOptions {
+    /** Effective policy for the resolution layer. Default `'throw'`. */
+    readonly policy?: OnMissing;
+    /** Declared substitute chain; applied only under policy `'substitute'`. */
+    readonly substitute?: readonly string[];
+}
 declare function resolveI18nText(value: Record<string, string>, locale: string, fallback?: string | readonly string[], field?: string): string | Record<string, string>;
+declare function resolveI18nText(value: Record<string, string>, locale: string, fallback: string | readonly string[] | undefined, field: string | undefined, opts: ResolveI18nOptions): string | Record<string, string> | null;
+/**
+ * Return all leaf values at `path`, expanding `[].` array wildcards.
+ *
+ * - `'name'`              → `[obj.name]`
+ * - `'address.lineOne'`   → `[obj.address.lineOne]`
+ * - `'contacts[].title'`  → `[obj.contacts[0].title, obj.contacts[1].title, …]`
+ *
+ * Returns an empty array when the path does not resolve (missing key,
+ * wrong type, etc.). Used by `enforceI18nOnPut` to validate nested fields.
+ */
+declare function getAtPath(obj: Record<string, unknown>, path: string): unknown[];
 /**
- * Apply locale resolution to a single record, in-place over a copy.
+ * Mutate `obj` in-place, setting `value` at the nested `path`.
+ * Supports dot notation (`'address.lineOne'`) but not array wildcards —
+ * auto-translate on `contacts[].title` style paths is not supported.
+ */
+declare function setAtPathInPlace(obj: Record<string, unknown>, path: string, value: unknown): void;
+/**
+ * Apply locale resolution to a single record, returning a new copy.
  *
  * For each field registered as an `i18nText` descriptor:
  * - If `locale === 'raw'`, the field value is left as the stored map.
  * - Otherwise, the field value is replaced with the resolved string.
  *
- * Records that are not plain objects (null, array, primitives) are
- * returned unchanged.
+ * Field paths support dot notation (`'address.lineOne'`) and array
+ * wildcards (`'contacts[].title'`). Top-level fields work as before.
  *
  * @param record      The decrypted record.
- * @param i18nFields  Map of field name → `I18nTextDescriptor`.
+ * @param i18nFields  Map of field path → `I18nTextDescriptor`.
  * @param locale      The requested locale (or `'raw'`).
  * @param fallback    Fallback chain (optional).
+ * @param layer       Resolution layer (default `'read'`). Each field's
+ *                    `onMissing` policy is resolved for this layer, so the
+ *                    same record resolves leniently on a get but strictly
+ *                    inside an mv/derivation.
  */
-declare function applyI18nLocale(record: Record<string, unknown>, i18nFields: Record<string, I18nTextDescriptor>, locale: string, fallback?: string | readonly string[]): Record<string, unknown>;
+declare function applyI18nLocale(record: Record<string, unknown>, i18nFields: Record<string, I18nTextDescriptor>, locale: string, fallback?: string | readonly string[], layer?: Layer): Record<string, unknown>;
 
 type EventHandler<T> = (data: T) => void;
 /** Typed event emitter for NOYDB events. */
@@ -1840,7 +1985,6 @@ interface PassphrasePolicy {
      * double-space). For non-space-delimited word semantics, use
      * {@link customValidator} instead.
      *
-     * Added in pre.8 (#31).
      */
     readonly pattern?: RegExp;
     /**
@@ -1858,7 +2002,6 @@ interface PassphrasePolicy {
      * {@link assertStrongPassphrase} dispatches on — `ok: true` accepts;
      * `ok: false` throws `WeakPassphraseError` with the supplied reason.
      *
-     * Added in pre.8 (#31).
      */
     readonly customValidator?: (phrase: string) => PassphraseValidationResult;
 }
@@ -1975,7 +2118,7 @@ interface UnlockedKeyring {
      *   - Unencrypted mode (no KEK exists)
      *   - Tier-3 PIN quick-resume (`@noy-db/on-pin`)
      *   - Wrap-DEKs tier-2 unlock (`@noy-db/on-password`'s
-     *     `verifyPasswordSlot` after #26 Path C)
+     *     `verifyPasswordSlot`)
      *   - Session-state restore (`session/session.ts`)
      *   - Dev-unlock fixture (`session/dev-unlock.ts`)
      *
@@ -1984,9 +2127,8 @@ interface UnlockedKeyring {
      * null-check and throw a clear error if absent — re-authenticate
      * at tier 1 first to recover the KEK.
      *
-     * Tightened from `CryptoKey` to `CryptoKey | null` in pre.8 (#41).
-     * The runtime contract has always allowed null; the type now
-     * matches reality.
+     * Tightened from `CryptoKey` to `CryptoKey | null`; the runtime
+     * contract has always allowed null, the type now matches reality.
      */
     readonly kek: CryptoKey | null;
     readonly salt: Uint8Array;
@@ -2007,7 +2149,7 @@ interface UnlockedKeyring {
     /**
      * Tier-2 authenticator slots — readonly snapshot loaded from the
      * keyring file. Mutations go through `enrollAuthenticator` /
-     * `removeAuthenticator` (issue #11), which write back via
+     * `removeAuthenticator`, which write back via
      * `persistKeyring`. Always defined; loads with an empty array for
      * keyrings written before the multi-slot extension landed.
      */
@@ -2060,7 +2202,6 @@ declare function revoke(adapter: NoydbStore, vault: string, callerKeyring: Unloc
  * @throws `PermissionDeniedError` when the role hierarchy rejects.
  * @throws `ValidationError` when the diff is empty (nothing to update).
  *
- * @see #54
  */
 declare function updateKeyringIdentity(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: UpdateUserOptions): Promise<void>;
 /**
@@ -2155,7 +2296,7 @@ interface ListUsersOptions {
  * `userEnvelopeDek` is the vault's `_users` collection DEK
  * (`vault.getDEK('_users')`); used to decrypt every envelope.
  *
- * `callerRole` (#122) drives the directory-visibility checks:
+ * `callerRole` drives the directory-visibility checks:
  *
  *  - When the vault's `_meta/directory` document has `enabled: false`,
  *    only `owner` and `admin` callers may enumerate; anyone else gets
@@ -2165,7 +2306,7 @@ interface ListUsersOptions {
  *    `{ includeHidden: true }` to see them; lower roles passing that
  *    option get `PermissionDeniedError`.
  *
- * Honest caveat (#122): these filters are a UX hint, not a security
+ * Honest caveat: these filters are a UX hint, not a security
  * boundary. The keyring file is still listed at `_keyring/*` and the
  * envelope ciphertext at `_users/*`. A caller with direct store access
  * — or a caller that calls this function with `callerRole: 'owner'`
@@ -2304,6 +2445,16 @@ interface DictKeyDescriptor<Keys extends string = string> {
     readonly name: string;
     /** Declared valid keys. When set, `put()` rejects keys not in this set. */
     readonly keys: readonly Keys[] | undefined;
+    /**
+     * What to do when a label is missing for the resolved locale. Mirrors
+     * `i18nText`'s `onMissing`. Default behavior (when unset) preserves the
+     * legacy contract: a missing label is omitted (scalar) or `null`
+     * (array element) — i.e. `'null'`. Set `'substitute'` to walk the
+     * declared `substitute` chain, or `'throw'` to raise.
+     */
+    readonly onMissing?: OnMissingPolicy;
+    /** Ordered preferred-substitute locales for label resolution. */
+    readonly substitute?: readonly string[];
 }
 /**
  * Create a `DictKeyDescriptor` for a dictionary-backed enum field.
@@ -2322,7 +2473,10 @@ interface DictKeyDescriptor<Keys extends string = string> {
  * })
  * ```
  */
-declare function dictKey<Keys extends string>(name: string, keys?: readonly Keys[]): DictKeyDescriptor<Keys>;
+declare function dictKey<Keys extends string>(name: string, keys?: readonly Keys[], opts?: {
+    onMissing?: OnMissingPolicy;
+    substitute?: readonly string[];
+}): DictKeyDescriptor<Keys>;
 /** Runtime predicate for detecting a DictKeyDescriptor. */
 declare function isDictKeyDescriptor(x: unknown): x is DictKeyDescriptor;
 /**
@@ -2466,6 +2620,32 @@ declare class DictionaryHandle<Keys extends string = string> {
     resolveLabel(key: string, locale: string, fallback?: string | readonly string[]): Promise<string | undefined>;
 }
 
+/**
+ * Infer the allowed Unicode scripts for a BCP-47 locale, with asymmetric
+ * Latin tolerance. A script subtag (`th-Latn`) wins over the base
+ * language. Unknown locales default to `['Latin']`.
+ */
+declare function inferScripts(locale: string): readonly string[];
+/** A non-fatal script violation recorded under `'filter'`/`'warn'` modes. */
+interface ScriptWarning {
+    readonly field: string;
+    readonly locale: string;
+    readonly expected: readonly string[];
+    readonly sample: string;
+}
+/**
+ * Enforce a field's script constraint over an i18nText value map.
+ *
+ * - No `script` option ⇒ returns the value unchanged.
+ * - `onScriptViolation: 'reject'` (default) ⇒ throws {@link ScriptViolationError}.
+ * - `'filter'` ⇒ returns a copy with disallowed characters stripped + warnings.
+ * - `'warn'` ⇒ returns the value unchanged + warnings.
+ */
+declare function enforceScript(value: Record<string, unknown>, field: string, descriptor: I18nTextDescriptor): {
+    value: Record<string, unknown>;
+    warnings: ScriptWarning[];
+};
+
 /**
  * Strategy seam for the optional i18n (multi-locale + dictionary)
  * subsystem. Core imports `I18nStrategy` type-only + `NO_I18N` stub;
@@ -2527,13 +2707,23 @@ interface I18nStrategy {
      * return a new object. Returns the input unchanged under
      * `NO_I18N`.
      */
-    applyI18nLocale(record: Record<string, unknown>, fields: Record<string, I18nTextDescriptor>, locale: string, fallback?: string | readonly string[]): Record<string, unknown>;
+    applyI18nLocale(record: Record<string, unknown>, fields: Record<string, I18nTextDescriptor>, locale: string, fallback?: string | readonly string[], layer?: Layer): Record<string, unknown>;
     /**
      * Validate that an i18nText field's value satisfies its descriptor
      * (required locales present, etc.). Throws under `NO_I18N` —
      * declaring i18nFields without opting in is a misconfiguration.
      */
     validateI18nTextValue(value: unknown, field: string, descriptor: I18nTextDescriptor): void;
+    /**
+     * Enforce per-locale script constraints over an i18nText value map
+     * (write-time). Returns the (possibly filtered) value plus any
+     * non-fatal warnings. Returns the value unchanged when the field has
+     * no `script` option, or under `NO_I18N`.
+     */
+    enforceScript(value: Record<string, unknown>, field: string, descriptor: I18nTextDescriptor): {
+        value: Record<string, unknown>;
+        warnings: ScriptWarning[];
+    };
     /**
      * Construct a typed `DictionaryHandle` for the named dictionary.
      * Throws under `NO_I18N`.
@@ -2541,6 +2731,326 @@ interface I18nStrategy {
     buildDictionaryHandle<Keys extends string = string>(opts: BuildDictionaryHandleOptions<Keys>): DictionaryHandle<Keys>;
 }
 
+/**
+ * Observable write-queue.
+ *
+ * Tracks outstanding in-flight *logical* writes (a full Collection.put /
+ * delete, including ledger + cache + derivation + MV dispatch — not just
+ * the adapter call). The hub holds one tracker per instance; it is
+ * framework-agnostic (no Vue/React dependency). UI layers subscribe via
+ * onChange(); the migration drain (Slice 2) quiesces via onFlush().
+ */
+/** Public, read-only view of the hub's write-queue. */
+interface WriteQueue {
+    /** True while one or more writes are in flight (`depth > 0`). */
+    readonly pending: boolean;
+    /** Count of outstanding write operations. */
+    readonly depth: number;
+    /**
+     * Subscribe to depth changes (fires on every begin and settle).
+     * Returns an unsubscribe function. Intended for reactive wrappers
+     * (e.g. `@noy-db/in-vue` turns this into a `ref`).
+     */
+    onChange(handler: () => void): () => void;
+    /**
+     * Resolves once `depth` reaches 0. If a write settled with an error
+     * while this flush was waiting, the returned promise REJECTS with that
+     * error instead — so a drain caller surfaces the failure rather than
+     * hanging. Resolves immediately when already idle and error-free.
+     */
+    onFlush(): Promise<void>;
+}
+declare class WriteQueueTracker implements WriteQueue {
+    #private;
+    get pending(): boolean;
+    get depth(): number;
+    /** Mark one write as started. */
+    begin(): void;
+    /** Mark one write as finished. Pass the error if it failed. */
+    settle(error?: Error): void;
+    onChange(handler: () => void): () => void;
+    onFlush(): Promise<void>;
+    /**
+     * Run `fn` as a tracked write: depth++ on entry, depth-- on settle
+     * (success or failure). The fn's resolved value is returned; a thrown
+     * error is re-thrown after the queue is decremented.
+     */
+    track<R>(fn: () => Promise<R>): Promise<R>;
+}
+
+/**
+ * Hub-level write lifecycle hooks. `onBeforeWrite` may abort (throw);
+ * `onAfterWrite` is awaited and its errors are warned, not thrown. A
+ * re-entrancy flag suppresses nested firing so a handler that writes can't
+ * loop. Held on the Noydb instance, threaded into every Collection.
+ */
+interface WriteEvent {
+    readonly op: 'create' | 'update' | 'delete';
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    readonly before: unknown;
+    readonly after: unknown;
+    readonly baseVersion: number;
+    readonly version: number;
+    readonly userId: string;
+    readonly timestamp: number;
+    readonly txId: string;
+}
+type WriteHook = (event: WriteEvent) => void | Promise<void>;
+type Unsubscribe$3 = () => void;
+declare class WriteHookRegistry {
+    #private;
+    /** True while handlers are running — used by the write path to skip nested firing. */
+    get suppressed(): boolean;
+    /** True when any hook is registered (cheap gate for the write path). */
+    get hasHandlers(): boolean;
+    onBeforeWrite(handler: WriteHook): Unsubscribe$3;
+    onAfterWrite(handler: WriteHook): Unsubscribe$3;
+    /** Run before-hooks (awaited, in order). A throw propagates and aborts the write. */
+    runBefore(event: WriteEvent): Promise<void>;
+    /** Run after-hooks (awaited, in order). Per-handler errors are warned, not thrown. */
+    runAfter(event: WriteEvent): Promise<void>;
+}
+
+/**
+ * Generic per-instance **observe** bus. Observe-class
+ * subsystems (devtools inspector, audit, sync-dirty notification) register
+ * handlers against named lifecycle points instead of the kernel naming each
+ * subsystem. Mirrors the registry pattern of {@link WriteHookRegistry} but is
+ * internal and keyed by lifecycle point.
+ *
+ * OBSERVE SEMANTICS: handlers react to a write that already happened. A
+ * handler throw is warned, not propagated — it can never abort a write. Write-
+ * *gating* subsystems (guards, periods) need a throw-propagating gate bus.
+ * Add observe points by extending {@link LifecycleEventMap}. Write-*gating*
+ * subsystems use the sibling gate API on this same class
+ * (`registerGate`/`dispatchGate`, throw-propagating); see {@link GateEventMap}.
+ *
+ * @module
+ */
+
+/** Typed map of OBSERVE lifecycle point → event payload. Extend by adding keys. */
+interface LifecycleEventMap {
+    afterPut: WriteEvent;
+    afterDelete: WriteEvent;
+}
+type LifecyclePoint = keyof LifecycleEventMap;
+type BusHandler<P extends LifecyclePoint> = (event: LifecycleEventMap[P]) => void | Promise<void>;
+type Unsubscribe$2 = () => void;
+/** Payload for a `beforePut` gate — carries the data guards and periods need to validate or reject a write. */
+interface GatePutEvent {
+    readonly op: 'create' | 'update';
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    /** The record about to be written (pre schema-validation). */
+    readonly incoming: unknown;
+    /** Decrypted prior record, or null on create / when prior is unreadable. */
+    readonly existing: unknown;
+    /** Prior envelope version, or 0 when none. */
+    readonly existingVersion: number;
+    /** Prior envelope timestamp (`_ts` ISO string), or undefined when none — periods compares against this. */
+    readonly existingTs: string | undefined;
+    readonly userId: string;
+    readonly role: Role;
+}
+/** Payload for a `beforeDelete` gate. Like {@link GatePutEvent} without `incoming`. */
+interface GateDeleteEvent {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    /** True for system-internal (housekeeping) deletes — handlers branch on this. */
+    readonly internal: boolean;
+    readonly existing: unknown;
+    readonly existingVersion: number;
+    readonly existingTs: string | undefined;
+    readonly userId: string;
+    readonly role: Role;
+}
+/** Typed map of GATE lifecycle point → event payload. Extend by adding keys. */
+interface GateEventMap {
+    beforePut: GatePutEvent;
+    beforeDelete: GateDeleteEvent;
+}
+type GatePoint = keyof GateEventMap;
+type GateHandler<P extends GatePoint> = (event: GateEventMap[P]) => void | Promise<void>;
+declare class SubsystemBus {
+    #private;
+    /** Register a handler for an observe point. Returns an unsubscribe fn. */
+    register<P extends LifecyclePoint>(point: P, handler: BusHandler<P>): Unsubscribe$2;
+    /** Cheap gate for the write path — true when any handler is registered for the point. */
+    hasHandlers(point: LifecyclePoint): boolean;
+    /**
+     * True while one or more dispatches are in flight. Backed by a depth counter
+     * so that two concurrent async dispatches (`Promise.all([put('a'), put('b')])`
+     * each captured `busAfterPut=true` at their respective put() tops while depth
+     * was 0) both proceed independently — the counter stays > 0 until BOTH finish,
+     * so any nested write attempted by a handler still sees `dispatching === true`
+     * and is suppressed by the write-path gate in `collection.ts`
+     * (`busAfterPut = hasHandlers('afterPut') && !dispatching`). Re-entrancy
+     * suppression lives exclusively on that write-path gate; concurrent independent
+     * dispatches must not drop each other's events.
+     */
+    get dispatching(): boolean;
+    /**
+     * Dispatch in registration order, awaited. Per-handler errors are warned, not
+     * thrown — an observe handler must never abort a completed write. A
+     * re-entrancy guard suppresses nested firing so a handler that itself writes
+     * cannot loop (same rationale as WriteHookRegistry.#suppressed).
+     */
+    dispatch<P extends LifecyclePoint>(point: P, event: LifecycleEventMap[P]): Promise<void>;
+    /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
+    registerGate<P extends GatePoint>(point: P, handler: GateHandler<P>): Unsubscribe$2;
+    /** Cheap gate for the write path — true when any gate handler is registered for the point. */
+    hasGateHandlers(point: GatePoint): boolean;
+    /**
+     * Run gate handlers in registration order, awaited. Unlike `dispatch`
+     * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
+     * write before it reaches the store. The first throw stops the remaining
+     * handlers (fail-fast). This is the seam guards/periods migrate onto.
+     *
+     * Note: gate handlers are validators that read, not write. A gate handler
+     * that writes back into the same collection would re-enter the write path
+     * and re-dispatch this point; loop-suppression for that case is deferred to
+     * the migration slice (contract: gate handlers must not perform writes that
+     * re-trigger their own point).
+     */
+    dispatchGate<P extends GatePoint>(point: P, event: GateEventMap[P]): Promise<void>;
+}
+
+/**
+ * Schema-update strategy framework types (M12 §3a).
+ *
+ * The hub core detects a schema change (SchemaDelta) and dispatches it
+ * through a collection's ordered strategy list. Strategies decide what
+ * happens; the core only knows this interface.
+ */
+/** A single changed top-level property in a schema delta. */
+interface FieldChange {
+    readonly field: string;
+    /** True when the field's required-ness flipped. */
+    readonly requiredChanged: boolean;
+    /** True when the field's subschema shape changed. */
+    readonly shapeChanged: boolean;
+}
+/** The classified difference between a stored and a freshly-derived schema. */
+interface SchemaDelta {
+    readonly collection: string;
+    readonly kind: 'none' | 'additive' | 'non-additive';
+    /** Top-level properties present in the new schema but not the old. */
+    readonly added: readonly string[];
+    /** Top-level properties present in the old schema but not the new. */
+    readonly removed: readonly string[];
+    /** Top-level properties present in both but altered. */
+    readonly changed: readonly FieldChange[];
+}
+/** Context handed to a strategy alongside the delta. */
+interface UpdateContext {
+    readonly collection: string;
+}
+/** Bulk transform run by the coordinatedCutover strategy. */
+type TransformFn = (doc: Record<string, unknown>) => Record<string, unknown>;
+/**
+ * A strategy's verdict on a detected schema change.
+ * - `allow`   — no objection; the dispatcher falls through to the next strategy.
+ * - `reject`  — terminal: refuse the change; `error` is thrown at the write path.
+ * - `cutover` — terminal: run a coordinated drain-barrier (handled by coordinatedCutover).
+ * New terminal actions may be added without breaking existing strategies.
+ */
+type UpdateDecision = {
+    readonly action: 'allow';
+} | {
+    readonly action: 'reject';
+    readonly error: Error;
+} | {
+    readonly action: 'cutover';
+    readonly transform: TransformFn;
+};
+/** A pluggable schema-evolution policy. */
+interface SchemaUpdateStrategy {
+    readonly name: string;
+    onSchemaDelta(delta: SchemaDelta, ctx: UpdateContext): UpdateDecision | Promise<UpdateDecision>;
+}
+
+/**
+ * Per-collection write gate. Holds the (async) update decision
+ * computed at registration; `Collection.put`/`delete` await it before
+ * writing and throw the strategy's rejection error.
+ *
+ * Detection FAILURE (the promise rejecting) is deliberately NOT a write
+ * block — schema detection is a fingerprint safety net, not a correctness
+ * invariant (matches how persisted-schema write failures are swallowed).
+ * Only an explicit `reject` decision blocks writes.
+ */
+
+declare class SchemaUpdateGate {
+    #private;
+    constructor(decision: Promise<UpdateDecision>);
+    assertWritable(): Promise<void>;
+}
+
+/**
+ * Schema-fence document. Vault-level generation counter + drain
+ * state, stored at `_meta/schema-fence` using the plaintext-envelope
+ * pattern of `_meta/policy` (no PII — a counter + a state enum).
+ */
+
+type FenceState = 'normal' | 'draining' | 'migrating' | 'complete';
+interface FenceDoc {
+    readonly currentSchemaVersion: number;
+    readonly fenceState: FenceState;
+}
+
+/**
+ * Vault-level schema-fence controller.
+ *
+ * Owns the open-time generation snapshot, the pending-cutover registry,
+ * and the cutover orchestration. 3a: single-client (the caller is the
+ * migrator). 3b: a cooperative ack-barrier — after `draining`, the
+ * migrator waits for the active client set (registry heartbeats) to ack
+ * the draining generation before transforming. No leader election.
+ */
+
+/** Runs one collection's transform; supplied by the Vault (binds to a Collection). */
+type RunTransform = (collection: string, transform: TransformFn) => Promise<void>;
+declare class SchemaFenceController {
+    #private;
+    constructor(opts: {
+        store: NoydbStore;
+        vault: string;
+        onFlush: () => Promise<void>;
+        clientId?: string;
+        now?: () => number;
+        staleMs?: number;
+        quiesceTimeoutMs?: number;
+        emit?: (e: {
+            currentSchemaVersion: number;
+            fenceState: FenceState;
+        }) => void;
+    });
+    /** Capture the generation snapshot at vault-open. */
+    init(): Promise<void>;
+    /** Record a per-collection pending cutover (from a registration `cutover` decision). */
+    registerPendingCutover(collection: string, transform: TransformFn): void;
+    /** Write-path gate. Throws when behind, fenced, or this collection is cutover-pending. */
+    assertWritable(collection: string): Promise<void>;
+    /**
+     * Admin trigger. Drain → wait for the active set to quiesce (or time out)
+     * → migrate each pending transform → bump → complete → normal. The
+     * migrator excludes itself from the barrier (it drained synchronously
+     * here). `onPoll` (tests) advances other clients between barrier checks;
+     * production falls back to a short real delay.
+     */
+    runCutover(run: RunTransform, opts?: {
+        onPoll?: () => Promise<void>;
+    }): Promise<{
+        migrated: number;
+    }>;
+    /** Recover a stuck drain: reset fenceState to normal at the current version (no bump). */
+    abort(): Promise<void>;
+}
+
 /**
  * Zero-dependency JSON diff.
  * Produces a flat list of changes between two plain objects.
@@ -3091,7 +3601,7 @@ declare class SyncEngine {
 }
 
 /**
- * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
+ * **Wrap-DEKs primitive** — a single canonical shape for the
  * pattern of "serialize a DEK set, encrypt it under a credential-derived
  * AES-GCM key." Used by:
  *
@@ -3109,7 +3619,7 @@ declare class SyncEngine {
  * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
  * module docstring.
  *
- * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
+ * Previously, the same crypto lived in two places: `mintPaperRecoveryEntry`
  * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
  * `@noy-db/on-password`). Both functions did identical work — PBKDF2
  * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
@@ -3136,7 +3646,7 @@ declare class SyncEngine {
  * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
  * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
  * carries the same three fields with `salt` stored in `meta` for
- * slot-format back-compat (#44 defers moving it to top-level).
+ * slot-format back-compat (defers moving it to top-level).
  */
 interface WrappedDeksBlob {
     /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
@@ -3193,9 +3703,9 @@ interface ShamirRecoveryProvider {
 }
 
 /**
- * Recovery profile persistence + dispatch — issue #10.
+ * Recovery profile persistence + dispatch.
  *
- * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * Wires the **paper** profile end-to-end through
  * `@noy-db/on-recovery`. The other three profiles (Shamir,
  * multi-channel, admin-mediated) ship the API surface and throw
  * {@link RecoveryProfileNotImplementedError} during use; per-profile
@@ -3232,7 +3742,7 @@ interface ShamirRecoveryProvider {
  * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
  * constraint cleanly.
  *
- * Type-level composition (#44): `PaperRecoveryEntry extends
+ * Type-level composition: `PaperRecoveryEntry extends
  * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
  * `wrappedDeks`) come from the shared primitive; `codeId` and
  * `enrolledAt` are paper-recovery's own metadata. Wire format
@@ -3346,7 +3856,7 @@ declare function unwrapDeksFromShamirEntry(provider: ShamirRecoveryProvider, ent
  * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
  * DEK set, then mints a fresh KEK from the user's new passphrase.
  *
- * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
+ * Thin wrapper over {@link mintWrappedDeksBlob} — the crypto
  * lives in the shared primitive; this function just adds paper-
  * recovery's own metadata (`codeId`, `enrolledAt`).
  *
@@ -3361,14 +3871,14 @@ declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: stri
  * Decrypt a recovery entry to recover the raw DEK set. Used by the
  * `recoverPassphrase` flow after the user's code has been parsed.
  *
- * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
+ * Thin wrapper over {@link unwrapDeksFromBlob}.
  *
  * @throws when the code does not match the entry (AES-GCM auth tag fail).
  */
 declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
 
 /**
- * Tier-2 authenticator slot management — issue #11.
+ * Tier-2 authenticator slot management.
  *
  * Each slot independently wraps the SAME KEK under a method-specific
  * derived key (LUKS pattern). Enrolling adds a slot; removing drops
@@ -3418,15 +3928,14 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
  */
 declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
- * Caller payload for {@link updateAuthenticator} (#55). Mutates only
+ * Caller payload for {@link updateAuthenticator}. Mutates only
  * `meta` — the slot's id, method, and wrap material are immutable
  * through this primitive, preserving the anti-slot-swap guard.
  *
  * `meta` is **merged** at the top level: keys absent from the patch
  * are preserved, keys present overwrite. To clear a meta key, pass
- * `null` for that key explicitly. (Same semantics as #57's
- * `UserApi.updateMe`, scoped to this top-level merge — no recursion
- * into nested meta values.)
+ * `null` for that key explicitly. (Same top-level merge semantics as
+ * `UserApi.updateMe`, non-recursive — meta is a flat label bag.)
  */
 interface UpdateAuthenticatorOptions {
     readonly meta?: Record<string, unknown>;
@@ -3448,7 +3957,6 @@ interface UpdateAuthenticatorOptions {
  * @throws `NoAccessError` when no slot with the given id exists.
  * @throws `ValidationError` when no patch field is provided.
  *
- * @see #55
  */
 declare function updateAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string, options: UpdateAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
@@ -3465,7 +3973,7 @@ declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): Ke
 
 /**
  * Tier-1 change flows — `rotatePassphrase` (user remembers old) and
- * `recoverPassphrase` (user supplies a recovery proof). Issue #10.
+ * `recoverPassphrase` (user supplies a recovery proof).
  *
  * The two flows share the post-verification half — fresh salt, fresh
  * KEK, rewrap every DEK — and differ only in how they re-derive the
@@ -3531,10 +4039,9 @@ interface RotatePassphraseInput {
      * Map of slot id → re-enrolment ceremony. Slots whose id appears
      * here are PRESERVED across rotation (the ceremony re-derives the
      * method-specific wrapping under the new keyring); slots whose id
-     * is absent are DROPPED (the pre-#29 behavior).
+     * is absent are DROPPED (the pre-slot-ceremony behavior).
      *
-     * Without this map, `rotatePassphrase` retains the pre-pre.8
-     * behavior of wiping every tier-2 slot. Consumers building a
+     * Without this map, `rotatePassphrase` wipes every tier-2 slot. Consumers building a
      * "rotate without losing my biometric" flow supply ceremonies for
      * each slot they want to keep.
      *
@@ -3542,7 +4049,7 @@ interface RotatePassphraseInput {
      * state. Callers wrap individual ceremonies in try/catch + return
      * a sentinel if they want graceful degradation per slot.
      *
-     * Added in pre.8 (#29).
+     * Added when slot-ceremony rewrapping landed.
      */
     readonly slotCeremonies?: {
         readonly [slotId: string]: SlotRewrapCeremony;
@@ -3553,10 +4060,10 @@ interface RotatePassphraseInput {
  * under a freshly-derived KEK from `newPassphrase`, and persist.
  *
  * Tier-2 authenticator slots are dropped UNLESS the caller supplies
- * a `slotCeremonies` map (#29) — each ceremony re-derives its
+ * a `slotCeremonies` map — each ceremony re-derives its
  * method-specific wrapping under the new keyring, and hub persists
  * the rewrapped slots atomically with the rotation. Slots whose id
- * isn't in the map are still dropped (pre-pre.8 behavior).
+ * isn't in the map are still dropped.
  *
  * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.
  * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.
@@ -3567,7 +4074,7 @@ declare function rotatePassphrase(store: NoydbStore, vault: string, userId: stri
 /**
  * Caller payload for {@link recoverPassphrase}.
  *
- * As of #196 slice 1, `paper` and `shamir` are wired end-to-end.
+ * `paper` and `shamir` are wired end-to-end.
  * The remaining two profiles (`multi-channel`, `admin-mediated`)
  * stay outside the union and throw
  * {@link RecoveryProfileNotImplementedError} at the runtime guard
@@ -3597,7 +4104,7 @@ interface RecoverPassphraseInput {
      * After a successful paper-recovery, replace ALL remaining recovery
      * entries with freshly-minted ones. Defaults to `true` (defensive).
      *
-     * Rationale (issue #36): the user just demonstrated they had access
+     * Rationale: the user just demonstrated they had access
      * to AT LEAST one code. The remaining codes from the same printed
      * sheet may also be compromised — photographed, leaked via a
      * screen-share slip, or in the hands of whoever stole the sheet.
@@ -3647,7 +4154,7 @@ interface RecoverPassphraseResult {
     readonly newCodes: readonly string[];
 }
 /**
- * Input for {@link Noydb.rotateRecovery} (#121) — deliberate
+ * Input for {@link Noydb.rotateRecovery} — deliberate
  * recovery-credential regeneration when the user knows their
  * passphrase but wants a fresh sheet (paper) or fresh shares
  * (shamir). Symmetric to {@link RotatePassphraseInput}.
@@ -3698,7 +4205,7 @@ interface EnrollRecoveryResult {
 }
 /**
  * Input shape for {@link Noydb.enrollRecovery} and
- * {@link Noydb.openVaultAndEnrollRecovery} (#195). Discriminated
+ * {@link Noydb.openVaultAndEnrollRecovery}. Discriminated
  * union over recovery profiles.
  *
  * - `paper`: caller pre-mints entries (typically via
@@ -3724,9 +4231,8 @@ type RecoveryEnrollmentInput = {
     readonly entryId?: string;
 };
 /**
- * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
- * supports the `'paper'` profile via `@noy-db/on-recovery` entries
- * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * Reset the user's passphrase using a recovery proof.
+ * Supports `'paper'` and `'shamir'` profiles. The other profiles throw
  * {@link RecoveryProfileNotImplementedError}.
  *
  * On success, the used recovery entry is burned (deleted from the
@@ -3735,7 +4241,7 @@ type RecoveryEnrollmentInput = {
 declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined, store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
 
 /**
- * Atomic peer-recovery primitive — issues #33 + #34.
+ * Atomic peer-recovery primitive.
  *
  * `recoverUser` is a SEPARATE operation from `revoke + grant`. It
  * exists because peer-recovery has different semantics than account
@@ -3764,7 +4270,7 @@ declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined,
  *
  * Caller must be at least as privileged as the target. The hub
  * `db.recoverUser` method gates this with the `peer-recover-user`
- * policy gate (#33's factor-proof requirement); the function below
+ * policy gate (the `peer-recover-user` factor-proof requirement); the function below
  * enforces only the role + anti-privilege-escalation invariants.
  *
  * @module
@@ -3920,7 +4426,64 @@ declare function validatePublicEnvelopeInput(input: SetPublicEnvelopeInput, sche
 declare function isPublicEnvelope(x: unknown): x is PublicEnvelope;
 
 /**
- * Per-vault tier-3 (PIN / quick-resume) state — issue #11.
+ * Multi-tab coordination: primary/secondary election (Web Locks)
+ * + presence heartbeat (BroadcastChannel). Browser-only; opt-in; no-op
+ * when the APIs are absent. The lock/channel interfaces are hub-local
+ * (structurally compatible with @noy-db/by-peer + @noy-db/by-tabs, but
+ * not imported — those packages depend on hub).
+ */
+type TabRole = 'primary' | 'secondary' | 'unknown';
+interface TabPresence {
+    readonly tabId: string;
+    readonly lastSeen: number;
+    readonly role: TabRole;
+}
+type Unsubscribe$1 = () => void;
+/** Structural subset of the Web Locks API / by-peer's MinimalLockManager. */
+interface TabLockManager {
+    request<T>(name: string, options: {
+        mode?: 'exclusive' | 'shared';
+        signal?: AbortSignal;
+    }, callback: (lock: unknown) => Promise<T>): Promise<T>;
+}
+/** Structural subset of by-peer's PeerChannel / a BroadcastChannel wrapper. */
+interface TabChannel {
+    send(payload: string): void;
+    on(event: 'message', listener: (payload: string) => void): Unsubscribe$1;
+    on(event: 'close', listener: () => void): Unsubscribe$1;
+    close(): void;
+    readonly isOpen: boolean;
+}
+interface TabCoordinationOptions {
+    readonly lockManager?: TabLockManager;
+    readonly channel?: TabChannel;
+    readonly tabId?: string;
+    readonly lockName?: string;
+    readonly heartbeatMs?: number;
+    readonly staleMs?: number;
+    readonly now?: () => number;
+    /**
+     * Close the channel on `dispose()`. Set this only for a channel the
+     * coordinator owns (e.g. the one `defaultChannel()` created); leave it
+     * false for a caller-injected channel so the coordinator never closes a
+     * channel it didn't create. Default: false.
+     */
+    readonly closeChannelOnDispose?: boolean;
+    /**
+     * Also propagate committed writes to other tabs. Default true:
+     * when tab coordination is enabled and a channel is available, a write in
+     * one tab refreshes that document in every other tab. Set false to opt out.
+     */
+    readonly propagateWrites?: boolean;
+    /**
+     * Channel for write propagation — distinct from the presence
+     * channel. Default: an inline BroadcastChannel on `noydb:tab-writes`.
+     */
+    readonly writeChannel?: TabChannel;
+}
+
+/**
+ * Per-vault tier-3 (PIN / quick-resume) state.
  *
  * The hub holds a `PinResumeState`-shaped record in memory, keyed by
  * vault. `enrollUnlock` populates it; `unlockViaPin` consumes it via
@@ -3967,6 +4530,69 @@ declare class QuickUnlockStore {
     private clearTimer;
 }
 
+/**
+ * Cadence policy for automatic snapshots. Borrows the vocabulary of the sync
+ * `SyncPolicy` (debounce / interval / minInterval / onUnload) but is a separate,
+ * snapshot-specific shape — automatic snapshots write the single rolling
+ * `<vault>__auto` key, never the immutable on-demand pool.
+ *
+ * Default mode is `'manual'`: no timers, snapshots stay on-demand.
+ */
+type SnapshotMode = 'manual' | 'debounce' | 'interval';
+interface SnapshotPolicy {
+    /** Trigger mode. Default `'manual'` — no automatic snapshots. */
+    readonly mode?: SnapshotMode;
+    /** Idle delay (ms) after a write before an auto-snapshot fires. `mode:'debounce'`. Default 30_000. */
+    readonly debounceMs?: number;
+    /** Fixed interval (ms). `mode:'interval'`. Default 300_000. */
+    readonly intervalMs?: number;
+    /** Hard floor (ms) between auto-snapshots regardless of mode. Default 0. */
+    readonly minIntervalMs?: number;
+    /** Flush a pending auto-snapshot on tab-hide / process exit. Default true for non-manual modes. */
+    readonly onUnload?: boolean;
+    /** Label applied to each auto-snapshot. Default `'auto'`. */
+    readonly label?: string;
+}
+
+interface SnapshotMeta {
+    readonly version: string;
+    readonly label?: string;
+    readonly note?: string;
+    readonly exportedAt: string;
+    readonly exportedBy: string;
+    readonly size: number;
+    /**
+     * `'verified'` — bundle was produced by `writeNoydbBundle(vault, {})`, which embeds
+     * ledgerHead metadata; `vault.load()` runs `verifyBackupIntegrity()` on restore.
+     * `'legacy-unverifiable'` — reserved for v2 import paths that read pre-existing bundles
+     * lacking a ledgerHead; not produced by the current engine.
+     */
+    readonly integrity: 'verified' | 'legacy-unverifiable';
+    /** `true` for the rolling auto-snapshot; absent on on-demand checkpoints. */
+    readonly auto?: true;
+}
+interface RetentionPolicy {
+    readonly keepLast?: number;
+    readonly maxAgeDays?: number;
+    readonly prune?: boolean;
+}
+/** @internal */
+interface SnapshotStrategy {
+    snapshot(vault: unknown, by: string, opts?: {
+        label?: string;
+        note?: string;
+    }): Promise<SnapshotMeta>;
+    listSnapshots(vaultId: string): Promise<SnapshotMeta[]>;
+    restoreSnapshot(vault: unknown, version: string): Promise<void>;
+    /** Rolling auto-snapshot to the fixed `<vault>__auto` key. */
+    autoSnapshot(vault: unknown, by: string, opts?: {
+        label?: string;
+        note?: string;
+    }): Promise<SnapshotMeta>;
+    /** Configured cadence policy. Undefined or `mode:'manual'` ⇒ no scheduler is wired. */
+    readonly policy?: SnapshotPolicy;
+}
+
 /**
  * Multi-record atomic transactions.
  *
@@ -4036,7 +4662,7 @@ interface StagedOp {
     expectedVersion?: number;
     /**
      * Optional human-readable tag forwarded to the resulting ledger
-     * entry's `reason` field (#1). Set by callers via
+     * entry's `reason` field. Set by callers via
      * `tx.vault(v).collection(c).put(id, record, { reason })`.
      */
     reason?: string;
@@ -4068,6 +4694,8 @@ interface AmendmentTxOptions {
  * facade; its `put`/`delete`/`get` calls stage ops against the tx.
  */
 declare class TxContext {
+    /** Stable id for this transaction; shared by all writes it performs. */
+    readonly txId: string;
     /** @internal */
     readonly _ops: StagedOp[];
     /**
@@ -4076,7 +4704,7 @@ declare class TxContext {
      * restore prior state via `revertExecuted`. Side-effect writes (e.g.
      * recursive derivation outputs fired inside `Collection.put`) are
      * appended here in execution order so they roll back alongside the
-     * main staged ops (#133).
+     * main staged ops.
      */
     readonly _executed: ExecutedOp[];
     /** @internal */
@@ -4148,12 +4776,40 @@ declare class TxCollection<T> {
  * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop
  * but shares the `_activeTxContext` mechanism (and the `revertExecuted`
  * helper) so nested side-effect derivation writes get registered for
- * revert alongside the bulk-put source ops (#133).
+ * revert alongside the bulk-put source ops.
  */
 declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 
 /**
- * Policy gate DSL types — issue #9.
+ * Dry-run transactions. Runs the tx body to STAGE ops, then builds
+ * the directly-affected diff (before = current committed via collection.get,
+ * after = staged record) and collects guard violations — without executing
+ * phase 2. No adapter writes, no write-hooks, no commit. MV/derivation
+ * cascade is NOT simulated (v2). Mirrors the guard loop in
+ * `Collection.putInternal` — keep the two in sync.
+ */
+
+interface AffectedDocument {
+    readonly vault: string;
+    readonly op: 'create' | 'update' | 'delete';
+    readonly collection: string;
+    readonly docId: string;
+    readonly before: unknown;
+    readonly after: unknown;
+}
+interface GuardViolation {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    readonly message: string;
+}
+interface DryRunResult {
+    readonly affected: ReadonlyArray<AffectedDocument>;
+    readonly guardViolations: ReadonlyArray<GuardViolation>;
+}
+
+/**
+ * Policy gate DSL types.
  *
  * Sensitive operations (rotate the passphrase, enroll an authenticator,
  * export plaintext, grant a user, …) are gated by a typed policy
@@ -4187,12 +4843,10 @@ declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T>
  * devices — policies can require ANY of them or insist on a count of 2
  * to force a mix.
  *
- * Added in pre.8 (#30): `webauthn-platform`, `password`, `pin` —
- * previously consumers with no off-device infrastructure (no TOTP,
- * no email-OTP, paper recovery not enrolled) had to disable the
- * factor requirement entirely on `rotate-passphrase`. Now they can
- * pin "any second factor I have wired" without losing the freshness
- * guarantee.
+ * `webauthn-platform`, `password`, `pin` — for consumers with no
+ * off-device infrastructure (no TOTP, no email-OTP, paper recovery not
+ * enrolled) who want to require "any second factor I have wired"
+ * without losing the freshness guarantee.
  */
 type FactorKind = 'totp' | 'email-otp' | 'recovery' | 'shamir' | 'webauthn-roaming' | 'webauthn-platform' | 'password' | 'pin';
 /**
@@ -4236,7 +4890,7 @@ interface GatePolicy {
 type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
 /**
  * Authorize a deliberate paper-recovery-code regeneration —
- * `db.rotateRecovery` (#121). Symmetric to `rotate-passphrase` for
+ * `db.rotateRecovery`. Symmetric to `rotate-passphrase` for
  * the case where the user remembers their passphrase but wants a
  * fresh sheet (lost the printout, suspect compromise of the off-site
  * copy). PERSONAL allows tier-1; STRICT requires an off-device
@@ -4246,19 +4900,19 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  | 'rotate-recovery'
 /**
  * Authorize a meta-only mutation on an existing authenticator slot —
- * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
+ * `db.updateAuthenticator`. The slot's wrap material, id, and
  * method are immutable through this gate; only the `meta` blob
  * (nicknames, method-specific labels) can change. Anti-slot-swap
  * guard is preserved structurally regardless of this gate's
  * settings.
  */
  | 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
-/** Authorize a write to one's own user envelope (#22). */
+/** Authorize a write to one's own user envelope. */
  | 'edit-own-profile'
-/** Authorize reading other principals' user envelopes (#22). */
+/** Authorize reading other principals' user envelopes. */
  | 'view-team-profiles'
 /**
- * Authorize an atomic peer-recovery — `db.recoverUser` (#33, #34).
+ * Authorize an atomic peer-recovery — `db.recoverUser`.
  * Distinct from `revoke-user` because peer-recovery is intentional
  * re-issuance of someone's keyring under a temp passphrase, NOT
  * removal. Allows owner→owner natively (matches the threat model:
@@ -4268,7 +4922,7 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  */
  | 'peer-recover-user'
 /**
- * Authorize a post-grant identity mutation — `db.updateUser` (#54).
+ * Authorize a post-grant identity mutation — `db.updateUser`.
  * Covers `role`, `displayName`, `permissions` changes on an existing
  * keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
  * required. The role-elevation guard inside the implementation
@@ -4281,7 +4935,7 @@ type GateName = BuiltInGateName | `app:${string}`;
 /**
  * Top-level policy object. Persisted at `_meta/policy` once at vault
  * creation. The `passphrase` block configures the strength rules
- * applied at every passphrase ingress (issue #7); `gates` configures
+ * applied at every passphrase ingress; `gates` configures
  * the action-level requirements.
  */
 interface VaultPolicy {
@@ -4305,7 +4959,7 @@ interface FactorProof {
  * `db.recoverUser`, `db.enrollUnlock`, `db.describeUserAuth`,
  * `db.describeAllUsersAuth`.
  *
- * Pre-#89 this type was inlined at every call site as
+ * Previously this type was inlined at every call site as
  * `{ factors?: ReadonlyArray<FactorProof>; sharedDevice?: boolean }`
  * and parameter names alternated between `factors` and `presented`.
  * Now exported so consumers can name their helpers and so the param
@@ -4320,14 +4974,19 @@ type ActiveTier = 1 | 2 | 3;
 
 /** The top-level NOYDB instance. */
 declare class Noydb {
+    #private;
     private readonly options;
     private readonly emitter;
+    private readonly writeQueueTracker;
+    private readonly writeHooks;
+    private readonly subsystemBus;
+    private readonly clientId;
     private readonly vaultCache;
     private readonly keyringCache;
     private readonly syncEngines;
     /**
      * Per-vault active session tier — defaults to `1` after a passphrase
-     * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+     * unlock; tier-2 / tier-3 unlocks downgrade it. Used by
      * {@link checkGate} to evaluate `gate.minTier`.
      */
     private readonly activeTier;
@@ -4337,14 +4996,14 @@ declare class Noydb {
      */
     private readonly policyCache;
     /**
-     * One-shot bypass for the managed-mode strong-recovery check (#195).
+     * One-shot bypass for the managed-mode strong-recovery check.
      * Set true by {@link openVaultAndEnrollRecovery} for the duration of
      * the bootstrap window so the keyring can be created before the
      * strong recovery is enrolled. Always cleared (try/finally).
      * @internal
      */
     private _skipNextManagedRecoveryCheck;
-    /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+    /** Per-vault tier-3 (PIN / quick-resume) state. */
     private readonly quickUnlock;
     /**
      * Resolved public-envelope schema. Lazily computed once from
@@ -4354,19 +5013,26 @@ declare class Noydb {
     private readonly publicEnvelopeSchema;
     private closed;
     private sessionTimer;
+    /** Same-device multi-tab coordinator; created on `enableTabCoordination()`. */
+    private tabCoordinator;
+    /** Cross-tab write relay; created on `enableTabCoordination()`. */
+    private writeRelay;
     /** Per-vault policy enforcers. */
     private readonly policyEnforcers;
     private readonly txStrategy;
     private readonly sessionStrategy;
     private readonly syncStrategy;
+    private readonly snapshotStrategy;
+    private snapshotScheduler;
+    private readonly dirtySnapshotVaults;
     /**
      * Currently-running multi-record transaction, set by
      * `runTransaction` at the start of Phase 2 (commit) and cleared in
      * the same function's `finally` block. Side-effect writes triggered
      * during a staged op's `Collection.put` (today: eager derivation
      * outputs) register their pre-write envelope on `_executed` here so
-     * a mid-batch failure rolls them back alongside the main staged ops
-     * (#133). `null` outside of Phase 2.
+     * a mid-batch failure rolls them back alongside the main staged ops.
+     * `null` outside of Phase 2.
      * @internal
      */
     private _activeTxContext;
@@ -4469,8 +5135,6 @@ declare class Noydb {
      * @throws `NoAccessError` when no keyring exists for the target.
      * @throws `PermissionDeniedError` when the role hierarchy rejects.
      * @throws `ValidationError` when no field is provided.
-     *
-     * @see #54
      */
     updateUser(vault: string, options: UpdateUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
@@ -4657,6 +5321,15 @@ declare class Noydb {
      * to the vault's ledger as `op: 'amendment'`.
      */
     transaction<T>(options: AmendmentTxOptions, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
+    /**
+     * Dry-run a transaction: run the body to stage ops, then return
+     * the directly-affected diff + collected guard violations WITHOUT
+     * committing (no adapter writes, no write hooks). MV/derivation cascade
+     * is not simulated. Requires `withTransactions()`.
+     */
+    transaction(options: {
+        readonly dryRun: true;
+    }, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
     /**
      * Create a sync transaction for the given vault.
      * The vault must already be open via `openVault()`.
@@ -4677,7 +5350,7 @@ declare class Noydb {
      * Phase 2. `Collection.dispatchDerivations` consults this so a
      * recursive derived-output write inside `Collection.put` can register
      * its envelope onto `ctx._executed` and roll back with the main
-     * staged ops on mid-batch failure (#133).
+     * staged ops on mid-batch failure.
      *
      * @internal
      */
@@ -4702,7 +5375,7 @@ declare class Noydb {
      * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
      * to publish an active context for the duration of its bulk-atomic
      * Phase 2 loop, so recursive derivation-output writes register on
-     * `ctx._executed` and roll back together with the source ops (#133).
+     * `ctx._executed` and roll back together with the source ops.
      *
      * @internal
      */
@@ -4721,6 +5394,54 @@ declare class Noydb {
     private getSyncEngine;
     on<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
     off<K extends keyof NoydbEventMap>(event: K, handler: (data: NoydbEventMap[K]) => void): void;
+    /**
+     * Observable write-queue for this hub instance. Reflects outstanding
+     * in-flight writes across all collections. See {@link WriteQueue}.
+     *
+     * @example
+     * window.addEventListener('beforeunload', (e) => {
+     *   if (db.writeQueue.pending) { e.preventDefault(); e.returnValue = '' }
+     * })
+     */
+    get writeQueue(): WriteQueue;
+    /**
+     * @internal Mutable tracker behind {@link writeQueue}. Threaded into
+     * each Collection (via Vault) so `put`/`delete` can `track()` writes.
+     * Not part of the public surface — consumers use `writeQueue`.
+     */
+    get _writeQueueTracker(): WriteQueueTracker;
+    /**
+     * Register a hook that runs before each write. Awaited; a throw
+     * aborts the write. Returns an unsubscribe function.
+     */
+    onBeforeWrite(handler: WriteHook): Unsubscribe$3;
+    /**
+     * Register a hook that runs after each committed write. Awaited;
+     * a handler error is warned, never rolled back. Returns an unsubscribe fn.
+     */
+    onAfterWrite(handler: WriteHook): Unsubscribe$3;
+    /** Subscribe to cross-tab write conflicts. Returns an unsubscribe. */
+    onWriteConflict(fn: (c: WriteConflict) => void): Unsubscribe$3;
+    /**
+     * Enable same-device multi-tab coordination: primary/secondary
+     * election + presence. Browser-only — a graceful no-op (role 'unknown')
+     * when Web Locks / BroadcastChannel are unavailable and nothing is
+     * injected. Idempotent; returns a disposer.
+     */
+    enableTabCoordination(opts?: TabCoordinationOptions): {
+        dispose: () => void;
+    };
+    private disableTabCoordination;
+    get tabRole(): TabRole;
+    activeTabs(): TabPresence[];
+    onTabRoleChange(fn: (r: TabRole) => void): Unsubscribe$3;
+    onActiveTabsChange(fn: (t: TabPresence[]) => void): Unsubscribe$3;
+    /** @internal The write-hook registry, threaded into each Collection. */
+    get _writeHooks(): WriteHookRegistry;
+    /** @internal The observe bus, threaded into every Collection. */
+    get _subsystemBus(): SubsystemBus;
+    /** @internal Stable per-instance id for schema-cutover coordination. */
+    get _clientId(): string;
     /**
      * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
      * instance, sync engine, policy enforcer, and active-tier entry —
@@ -4737,10 +5458,6 @@ declare class Noydb {
      * survives lock; nothing about it changes when DEKs are scrubbed).
      *
      * No-op when `vault` is not currently in cache (idempotent).
-     *
-     * Unblocks vLannaAi/niwat#33.
-     *
-     * @see #17
      */
     lockVault(vault: string): void;
     close(): void;
@@ -4774,7 +5491,7 @@ declare class Noydb {
      */
     updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
     /**
-     * Read the current vault-level user-directory toggle (#122). Returns
+     * Read the current vault-level user-directory toggle. Returns
      * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
      * document has been persisted yet.
      *
@@ -4782,7 +5499,7 @@ declare class Noydb {
      */
     getDirectoryEnabled(vault: string): Promise<boolean>;
     /**
-     * Toggle the vault's user-directory listing on or off (#122).
+     * Toggle the vault's user-directory listing on or off.
      * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
      * {@link import('./errors.js').DirectoryDisabledError} for callers
      * whose role is neither `owner` nor `admin`.
@@ -4814,7 +5531,7 @@ declare class Noydb {
      *
      * Two enforcement modes:
      *
-     * 1. **Managed-mode mandatory strong-recovery (#195).** When
+     * 1. **Managed-mode mandatory strong-recovery.** When
      *    `passphraseMode === 'managed'`, the vault MUST have at least
      *    one **strong** recovery profile (Shamir today). Paper alone is
      *    rejected because under managed mode the user has no memorized
@@ -4834,7 +5551,7 @@ declare class Noydb {
      */
     private assertRecoveryEnrolled;
     /**
-     * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+     * Internal accessor used by tier-2/tier-3 unlock paths
      * to mark the active session tier.
      * @internal
      */
@@ -4858,7 +5575,7 @@ declare class Noydb {
      * `remove-authenticator`.
      */
     removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
-    /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+    /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
     listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
     /**
      * Mutate the `meta` blob on an existing authenticator slot — slot
@@ -4867,7 +5584,7 @@ declare class Noydb {
      * are immutable through this method. Anti-slot-swap is structural,
      * not gate-driven.
      *
-     * `meta` patch semantics (#57-aligned):
+     * `meta` patch semantics (top-level merge):
      *   - Top-level merge — absent keys preserved
      *   - `null` value — delete that meta key
      *   - Other values — replace verbatim
@@ -4885,12 +5602,10 @@ declare class Noydb {
      *
      * @throws `NoAccessError` when no slot with the given id exists.
      * @throws `ValidationError` when no patch field is provided.
-     *
-     * @see #55
      */
     updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
-     * Native WebAuthn enrollment using the **real** internal keyring (#16).
+     * Native WebAuthn enrollment using the **real** internal keyring.
      *
      * Why this exists: when a consumer is using `createNoydb({ secret })`,
      * they cannot reach the live `UnlockedKeyring` to feed it to
@@ -4933,8 +5648,6 @@ declare class Noydb {
      * a server-side allowlist).
      *
      * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
-     *
-     * @see #16
      */
     enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
         credentialId: string;
@@ -4945,8 +5658,6 @@ declare class Noydb {
      * deciding when a new device prompt should appear. Identity is
      * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
      * `allowCredentials` at unlock time.
-     *
-     * @see #16
      */
     listWebAuthnSlots(vault: string): Promise<ReadonlyArray<{
         id: string;
@@ -5010,8 +5721,7 @@ declare class Noydb {
      *
      * Tier-2 authenticator slots are dropped — each slot wraps the old
      * KEK and would need its derivation key to be re-presented. Re-enrol
-     * via `db.enrollAuthenticator` after rotation. Tracked as a
-     * v0.1.0-pre.5 limitation.
+     * via `db.enrollAuthenticator` after rotation.
      *
      * @throws `WeakPassphraseError` on a weak new phrase.
      * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
@@ -5020,14 +5730,14 @@ declare class Noydb {
     rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
     /**
      * Reset the passphrase using a recovery proof (user forgot the old).
-     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
-     * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+     * Currently supports the `'paper'` profile end-to-end; the
+     * other profiles throw {@link RecoveryProfileNotImplementedError}.
      *
      * Burns the used recovery entry on success.
      */
     recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
     /**
-     * Deliberate paper-recovery-code regeneration (#121). User knows their
+     * Deliberate paper-recovery-code regeneration. User knows their
      * passphrase but wants a fresh sheet — they lost the printout or
      * suspect compromise of the off-site copy.
      *
@@ -5037,7 +5747,7 @@ declare class Noydb {
      *
      * Gated by the `rotate-recovery` policy gate:
      *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
-     *     suffices, matching the pre-#121 low-level flow's bar.
+     *     suffices, matching the lower-level flow's bar.
      *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
      *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
      *     off-site-trust event; require an off-device factor so a
@@ -5073,7 +5783,7 @@ declare class Noydb {
     private rotateRecoveryPaper;
     private rotateRecoveryShamir;
     /**
-     * **Atomic create-and-enroll for managed-mode vaults (#195).**
+     * **Atomic create-and-enroll for managed-mode vaults.**
      *
      * Bootstraps a managed-mode vault and enrolls strong recovery in
      * a single ceremony. Under `passphraseMode: 'managed'`, every
@@ -5118,7 +5828,7 @@ declare class Noydb {
         readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
     }>;
     /**
-     * **Recovery flow under managed-passphrase mode (#195).**
+     * **Recovery flow under managed-passphrase mode.**
      *
      * Replaces the sealed passphrase of a managed-mode vault with a
      * fresh 256-bit random, sealed under the configured
@@ -5135,7 +5845,7 @@ declare class Noydb {
      *   5. Drop the keyring cache so the next operation re-derives.
      *
      * The vault's strong-recovery enrollment is preserved across
-     * recovery (Shamir entries are not burned on use — see #196).
+     * recovery (Shamir entries are not burned on use).
      *
      * @throws ValidationError if the Noydb instance is not in managed mode.
      */
@@ -5145,7 +5855,7 @@ declare class Noydb {
     }): Promise<void>;
     /**
      * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
-     * a fresh temp passphrase in a single store write. Closes #34's
+     * a fresh temp passphrase in a single store write. Closes the
      * partial-failure window (the previous compose-from-primitives
      * pattern was `db.revoke + db.grant`, two writes — if the issuer
      * cancelled between them the target was locked out entirely).
@@ -5155,7 +5865,7 @@ declare class Noydb {
      *   - Same `userId`, role, permissions, capabilities preserved.
      *   - DEKs unchanged → every other principal in the vault keeps
      *     access. No key rotation.
-     *   - Allows owner→owner natively (#33). The existing
+     *   - Allows owner→owner natively. The existing
      *     `db.revoke` retains its block — peer-recovery is a separate,
      *     intentionally-named operation.
      *   - Tier-2 slots dropped (they wrap the old KEK).
@@ -5184,11 +5894,10 @@ declare class Noydb {
      * @throws `PrivilegeEscalationError` when the caller lacks a DEK
      *         the target previously had access to.
      *
-     * @see #33 #34 — the issues this method closes.
      */
     recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
-     * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+     * Persist a recovery enrollment. Accepts the `'paper'`
      * profile.
      *
      * The hub wraps the user's DEK set (not the KEK) under a code-derived
@@ -5208,7 +5917,7 @@ declare class Noydb {
      * showCodesToUser(codes)
      * ```
      *
-     * As of pre.8, `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
+     * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
      * delegates to `mintPaperRecoveryEntry` internally — its output is
      * fed directly to this API. Pick whichever fits your code-gen layer:
      *
@@ -5219,7 +5928,7 @@ declare class Noydb {
      * ```
      */
     enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
-    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
+    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
     listRecoveryEntries(vault: string): Promise<{
         paper: ReadonlyArray<PaperRecoveryEntry>;
         shamir: ReadonlyArray<ShamirRecoveryEntry>;
@@ -5247,11 +5956,11 @@ declare class Noydb {
     /** Drop the tier-3 state for a vault — explicit logout. */
     clearQuickUnlock(vault: string): void;
     /**
-     * Public accessor for the unlocked keyring of a vault — issue #28.
+     * Public accessor for the unlocked keyring of a vault.
      *
      * Returns a **defensive shallow copy** so consumers can read the DEK
      * map and authenticator list without the risk of mutating the hub's
-     * internal cache (#88). Internal hub code paths use a live reference
+     * internal cache. Internal hub code paths use a live reference
      * via `getKeyringInternal`; ceremonies and external consumers always
      * get a snapshot.
      *
@@ -5287,6 +5996,34 @@ declare class Noydb {
      * should use {@link getKeyring}, which returns a defensive copy.
      */
     private getKeyringInternal;
+    /**
+     * Take an on-demand checkpoint of the given vault.
+     * Requires `snapshotStrategy: withSnapshots({ store })` in `createNoydb`.
+     * @throws ValidationError when the vault is not open
+     */
+    snapshot(vault: string, opts?: {
+        label?: string;
+        note?: string;
+    }): Promise<SnapshotMeta>;
+    /**
+     * Wire the automatic-snapshot cadence when a non-manual `snapshotPolicy` is
+     * configured. Subscribes to `onAfterWrite` to mark the written vault dirty and
+     * nudge the scheduler; the scheduler fires `autoSnapshot()` per dirty vault.
+     * No-op for `mode:'manual'` or no policy.
+     */
+    private initSnapshotCadence;
+    /**
+     * List all snapshots for the given vault, newest first.
+     * Reads only the sidecar index — does not download snapshot bytes.
+     */
+    listSnapshots(vault: string): Promise<SnapshotMeta[]>;
+    /**
+     * Restore the vault to a previously snapshotted state.
+     * Runs `verifyBackupIntegrity()` automatically on restore.
+     * @throws SnapshotNotFoundError when `version` doesn't exist in the store
+     * @throws ValidationError when the vault is not open
+     */
+    restoreSnapshot(vault: string, version: string): Promise<void>;
 }
 /** Create a new NOYDB instance. */
 declare function createNoydb(options: NoydbOptions): Promise<Noydb>;
@@ -5492,8 +6229,8 @@ interface GuardStrategy<T extends Record<string, unknown>> {
      * })
      * ```
      *
-     * Also skipped on system-internal deletes (derivation tombstones from
-     * #144, MV refresh from Dim 14 v2) — those use `_internalDelete`
+     * Also skipped on system-internal deletes (derivation tombstones,
+     * MV refresh from Dim 14 v2) — those use `_internalDelete`
      * which bypasses every user-facing delete hook. Housekeeping ops are
      * NOT user-initiated and should not trip user invariants.
      *
@@ -5552,14 +6289,14 @@ interface RecordOutputSpec {
      * `undefined`) for this output key. The executor interprets that as
      * "no output for this invocation": a previously-emitted output at
      * the same id is deleted (mirroring the empty-group / empty-aggregate
-     * semantics flagged in #142); a never-emitted output is a silent
+     * semantics for empty groups); a never-emitted output is a silent
      * no-op. When `false` (default), returning `null` throws
      * `DerivationOutputShapeError` — same as v1.
      */
     optional?: boolean;
 }
 /**
- * Array-shape output (#200) — one source row produces a variable-length
+ * Array-shape output — one source row produces a variable-length
  * list of output rows, each with its own id (from the `key` extractor).
  *
  * On every source-row change, the dispatcher diffs the previously
@@ -5629,6 +6366,17 @@ interface DerivationStrategy<TSource extends Record<string, unknown>, TOutputs e
      * sibling records via `ctx.vault.collection<T>(name).get(id)` /
      * `.list()` / `.query()`. The vault accessor is read-only; there is
      * no path to a writer from `ctx`.
+     *
+     * **Per-output omission (runtime-supported):** returning `null` or
+     * `undefined` for an individual output key is handled at runtime via
+     * the `optional: true` flag on the output's `RecordOutputSpec` —
+     * the executor deletes any previously-emitted output at that id, or
+     * silently no-ops if none exists. For `shape: 'array'` outputs, null
+     * / undefined is treated as an empty array (clears all prior rows for
+     * that source). The *top-level* return must always be a `TOutputs`
+     * object; returning `null` for the whole result is not supported.
+     * (#297 — MV `unionSources` map drop-row is the analogous feature for
+     * materialized views.)
      */
     derive: (source: TSource, ctx: DerivationContext) => Promise<TOutputs> | TOutputs;
     /**
@@ -5669,6 +6417,17 @@ declare class DerivationRegistry {
     register(spec: DerivationStrategy<any, any>): Promise<void>;
     strategiesForSource(source: string): ReadonlyArray<RegisteredStrategy>;
     strategiesProducingOutput(collection: string): ReadonlyArray<RegisteredStrategy>;
+    /**
+     * All registered strategies as a flat, deduplicated array.
+     * Each strategy is indexed once per source (not once per output key),
+     * so iterating `_bySource.values()` naturally yields each strategy
+     * exactly once per source — deduplication is handled by flattening
+     * the per-source arrays and collecting into a Set by identity.
+     *
+     * Used by `dumpSchema()` / `describeDerivations()` in the introspection
+     * walker to populate the derivations map.
+     */
+    all(): ReadonlyArray<RegisteredStrategy>;
     /**
      * Cycle detection over the source → output → … graph. Call after all
      * `register()` calls complete (i.e. at vault open). Throws
@@ -5750,8 +6509,14 @@ interface UnionSource<TRow extends Record<string, unknown>> {
      * Called once per source row at materialization time. Each arm's
      * mapped output is concatenated into a single stream before
      * `groupBy` + `aggregate` run.
+     *
+     * Returning `null` or `undefined` **omits** the source row from the
+     * materialized output entirely — the row is not pushed into the
+     * unified stream and never reaches `groupBy` / `aggregate`. This
+     * removes the need for sentinel rows (e.g. `{ amount: 0 }`) whose
+     * sole purpose is to be aggregated away (#297).
      */
-    readonly map: (sourceRow: Record<string, unknown>) => TRow;
+    readonly map: (sourceRow: Record<string, unknown>) => TRow | null | undefined;
 }
 /**
  * Registration shape passed to `withMaterializedView()`.
@@ -5782,7 +6547,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     query?: (db: MVQueryContext) => Query<TRow>;
     /**
-     * UNION-form sources (#165): an explicit list of sibling collections
+     * UNION-form sources: an explicit list of sibling collections
      * that contribute rows to a single MV. Each arm's `map` projects a
      * source row into the MV's unified row shape; the mapped streams are
      * concatenated, then {@link groupBy} + {@link aggregate} run on the
@@ -5798,7 +6563,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     unionSources?: ReadonlyArray<UnionSource<TRow>>;
     /**
-     * Group-key field(s) for UNION mode (#165). Applied to the
+     * Group-key field(s) for UNION mode. Applied to the
      * concatenated mapped-row stream from {@link unionSources} before
      * {@link aggregate} runs. Accepts a single field name or a tuple of
      * field names for multi-key grouping (same shape as
@@ -5810,7 +6575,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     groupBy?: string | ReadonlyArray<string>;
     /**
-     * Aggregation spec for UNION mode (#165). Applied per-group after
+     * Aggregation spec for UNION mode. Applied per-group after
      * {@link groupBy} buckets the concatenated mapped-row stream from
      * {@link unionSources}. Same shape as the `AggregateSpec` passed to
      * `Query.aggregate()`.
@@ -5821,11 +6586,11 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
     /**
      * Pure function from a materialized row → stable id used in the
      * output collection. Required — explicit always beats default-with-pitfalls
-     * (see niwat-review of #149 round 1 for the slash-collision rationale).
+     * (explicit always beats default-with-pitfalls; see the slash-collision rationale).
      */
     rowKey: (row: TRow) => string;
     /**
-     * Explicit source collections (#152). Required when `query()` returns
+     * Explicit source collections. Required when `query()` returns
      * an `Aggregation` or `GroupedAggregation` rather than a `Query<T>`
      * — the dependency analyzer can't introspect through `groupBy().aggregate()`
      * back to the source. Optional for plain `Query<T>` results — the
@@ -5835,7 +6600,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     sources?: ReadonlyArray<string>;
     /**
-     * Declared deterministic predicates (#153). Each entry pairs a
+     * Declared deterministic predicates. Each entry pairs a
      * consumer-stable `hash` with a function. The `query()` callback's
      * Query<T> can invoke them via `.wherePredicate(name, ctx?)`. The
      * predicate's `hash` + a canonical-JSON hash of `ctx` both fold
@@ -5872,8 +6637,8 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      *
      * - `'delete'` (default) — tombstone the prior MV row via
      *   `Collection._internalDelete` (system housekeeping bypasses user
-     *   `onDelete` guards on the output collection — see PR #148's
-     *   composition fix).
+     *   `onDelete` guards on the output collection — the housekeeping
+     *   bypass composition fix).
      * - `'keep'` — leave the prior MV row in place. Useful when zero
      *   is a meaningful state.
      */
@@ -5881,7 +6646,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
     /**
      * `true` re-throws on any row-write failure → composes with
      * `withTransactions` to roll back the source-write atomically via
-     * `revertExecuted` (#133). Default `false` (failed rows are
+     * `revertExecuted`. Default `false` (failed rows are
      * isolated; other rows commit).
      */
     strict?: boolean;
@@ -5915,7 +6680,7 @@ interface RegisteredMV {
      * Top-level FieldClauses on the partition field, captured at
      * registration time. Used by the cycle detector to resolve
      * same-collection-as-source edges via the partition-discriminator
-     * check (#152). Empty when `spec.output?.partition` is undefined.
+     * check. Empty when `spec.output?.partition` is undefined.
      */
     readonly partitionClauses: readonly FieldClause[];
 }
@@ -5967,7 +6732,7 @@ declare class MaterializedViewRegistry {
 }
 
 /**
- * Read-shadow overlay primitive (#154, MV v2 spec § Composition with
+ * Read-shadow overlay primitive (MV v2 spec § Composition with
  * operator-editable lifecycle). Binds an MV's read-only base output
  * to a separate user-writable overlay collection; reads merge via a
  * single shadow predicate, writes route to the overlay.
@@ -6045,6 +6810,14 @@ declare class OverlayedViewRegistry {
     /** All overlay virtual names. */
     names(): ReadonlySet<string>;
     isOverlay(name: string): boolean;
+    /**
+     * All registered overlay strategies as a flat array.
+     * Each strategy carries `name`, `base`, and `overlay` fields that
+     * `describeOverlays()` in the introspection walker reads directly.
+     *
+     * Used by `dumpSchema()` to populate the `overlayViews` map.
+     */
+    all(): ReadonlyArray<OverlayedViewStrategy>;
     /**
      * Resolve the `rowKey` function for an overlay's base MV. Returns
      * `undefined` if the base isn't an MV (raw source collection) or
@@ -6070,6 +6843,11 @@ declare class GuardRegistry {
     register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void;
     /** All guards registered against `collection` in registration order. */
     guardsFor(collection: string): ReadonlyArray<AnyGuard>;
+    /** Per-collection guard counts, for introspection. */
+    summary(): {
+        collection: string;
+        count: number;
+    }[];
     /**
      * Run every guard's `check` for this collection. First throw wins —
      * remaining guards are not invoked. Guards without a `check` skip.
@@ -6506,7 +7284,7 @@ declare function magicLinkGrantRecordId(token: string, index: number): string;
 declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: Date): boolean;
 
 /**
- * Type surface for the user-list visibility subsystem (#122).
+ * Type surface for the user-list visibility subsystem.
  *
  * Two complementary flags:
  *  - {@link DirectoryConfig} — vault-level "is the directory listing
@@ -6557,7 +7335,7 @@ interface UserVisibility {
  *    own keyringId. **Own-only write rule** is structural — no method
  *    exists to write someone else's envelope.
  *  - Read-anyone: `get` / `list` — read other principals' envelopes
- *    (subject to `view-team-profiles` policy gate, wired in #22).
+ *    (subject to `view-team-profiles` policy gate).
  *  - Reactive: `subscribe` / `live` — in-process event emission on local
  *    writes. Cross-instance updates land via the team/sync engine and
  *    surface to subscribers when the sync diff replays through this API.
@@ -6577,7 +7355,7 @@ type DeepPartial<T> = T extends object ? {
 } : T;
 /**
  * Recursive partial with `null` allowed at every level — used by
- * `updateMe` (#57) to express deletion intent in addition to merge.
+ * `updateMe` to express deletion intent in addition to merge.
  *
  * Semantics inside `updateMe`:
  *   - `undefined` (or absent key) — skip; source value preserved
@@ -6586,8 +7364,8 @@ type DeepPartial<T> = T extends object ? {
  *     replace for primitives / arrays)
  *
  * Matches lodash `_.merge` behavior on `null` and Firestore's
- * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
- * #57; consumers wanting the original "merge-only" surface can keep
+ * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>`.
+ * Consumers wanting the original "merge-only" surface can keep
  * importing `DeepPartial` and avoid passing `null`.
  */
 type DeepPartialOrNull<T> = T extends object ? {
@@ -6659,7 +7437,7 @@ declare class UserApi {
      * the envelope on first call. Optimistic-concurrency safe — a stale
      * `_v` (parallel writer on another device) throws `ConflictError`.
      *
-     * Patch semantics (#57):
+     * Patch semantics:
      *   - `undefined` (or omitted key) — skip; existing value preserved
      *   - `null` — delete the field from the merged result
      *   - any other value — overwrite (deep-merge for plain objects,
@@ -6813,6 +7591,29 @@ interface PersistedSchemaEnvelope {
  * @module
  */
 
+/** Flat snapshot of a vault's registered schema. */
+interface SchemaIntrospection {
+    readonly collections: ReadonlyArray<{
+        name: string;
+        docCount: number;
+    }>;
+    readonly guards: ReadonlyArray<{
+        collection: string;
+        count: number;
+    }>;
+    readonly materializedViews: ReadonlyArray<{
+        name: string;
+        sourceCollections: string[];
+    }>;
+    readonly schemaUpdate: ReadonlyArray<{
+        collection: string;
+        strategies: string[];
+    }>;
+    readonly grants: ReadonlyArray<{
+        collection: string;
+        permission: Permission;
+    }>;
+}
 /** Where the field-level info in the snapshot came from. */
 type FieldSource = 'persisted' | 'live-validator' | 'sampled' | 'unknown';
 interface FieldDescriptor {
@@ -6921,6 +7722,7 @@ interface VaultIntrospectState {
 
 /** A vault (tenant namespace) containing collections. */
 declare class Vault {
+    #private;
     private readonly adapter;
     /** The vault's name as passed to `openVault()`. Stable for the instance lifetime. */
     readonly name: string;
@@ -6966,23 +7768,23 @@ declare class Vault {
      * `null` for vaults that never register any guard strategy. The
      * runtime class is dynamic-imported on demand so consumers that
      * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
-     * their bundle (#130).
+     * their bundle.
      */
     private guardRegistry;
     /**
      * Per-vault derivation registry. Same lazy-load contract as
      * `guardRegistry` — `null` until `_initDerivations()` runs with at
-     * least one strategy handle. See #130 for the bundle motivation.
+     * least one strategy handle.
      */
     private derivationRegistry;
     /**
-     * Per-vault materialized-view registry (#143/#150). Same lazy-load
+     * Per-vault materialized-view registry. Same lazy-load
      * contract as `derivationRegistry` — `null` until
      * `_initMaterializedViews()` runs with at least one MV handle.
      */
     private materializedViewRegistry;
     /**
-     * Per-vault overlay registry (#154). Same lazy-load contract as
+     * Per-vault overlay registry. Same lazy-load contract as
      * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
      * runs with at least one handle.
      */
@@ -7003,7 +7805,7 @@ declare class Vault {
      *   target this vault session's keyringId. There is no method to write
      *   another principal's envelope (own-only write rule, structural).
      * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
-     *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+     *   envelopes, subject to the `view-team-profiles` policy gate.
      * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
      *
      * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
@@ -7023,12 +7825,20 @@ declare class Vault {
      */
     private readonly reloadKeyring;
     private readonly collectionCache;
+    /** Vault-level schema cutover fence/controller. */
+    readonly schemaFence: SchemaFenceController;
     /**
      * per-collection `blobFields` retention/TTL config.
      * Populated on `collection({ blobFields })` and read by
      * `vault.compact()`. Indexed by collection name.
      */
     private readonly blobFieldsRegistry;
+    /**
+     * Per-collection attestation field-schema (issue side). Populated on
+     * `collection({ attestation })` and read by `issueAttestation()`.
+     * Indexed by collection name.
+     */
+    private readonly attestationRegistry;
     /**
      * Per-vault ledger store. Lazy-initialized on first
      * `collection()` call (which passes it through to the Collection)
@@ -7089,8 +7899,7 @@ declare class Vault {
      * Cache of closed/opened accounting periods.
      * Populated on first `closePeriod` / `openPeriod` / `listPeriods` /
      * per-collection write call. Kept in memory as an ordered list (by
-     * `closedAt`) so the `periodGuard` hook runs synchronously against
-     * each collection's put/delete path.
+     * `closedAt`) so period checks run fast when the gate bus fires.
      *
      * Sentinel `null` means "not yet loaded" — the first consumer
      * triggers a one-time `loadPeriods()` pass. Every subsequent
@@ -7249,6 +8058,15 @@ declare class Vault {
          * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
          */
         persistJsonSchema?: boolean;
+        /**
+         * Ordered schema-update strategies. On a detected schema
+         * change, evaluated in order; the first non-`allow` decision wins.
+         * A `reject` is enforced at the write path (`put`/`delete` throw).
+         * Requires `persistJsonSchema: true` (detection needs the baseline).
+         */
+        schemaUpdate?: readonly SchemaUpdateStrategy[];
+        /** — declare the per-field schema for document attestation (issue side). */
+        attestation?: AttestationFieldSchema;
     }): Collection<T>;
     /**
      * Await all background persisted-schema writes triggered by
@@ -7256,6 +8074,45 @@ declare class Vault {
      * Used in tests; production code does not need to call this.
      */
     _drainPendingSchemaWrites(): Promise<void>;
+    /**
+     * Run a coordinated schema cutover. Drains pending writes, waits
+     * for the active client set to quiesce (the ack-barrier), applies every
+     * pending collection transform in bulk, bumps the vault schema generation,
+     * and clears the fence. Returns the count of collections migrated.
+     * `opts.onPoll` (tests) advances other clients between barrier checks.
+     */
+    runSchemaCutover(opts?: {
+        onPoll?: () => Promise<void>;
+    }): Promise<{
+        migrated: number;
+    }>;
+    /**
+     * Refresh a loaded collection's view of one document from a peer
+     * tab's broadcast. No-op when the collection isn't loaded in this tab
+     * (it will read fresh on next open). Mirrors `#runCutoverTransform`'s guard.
+     */
+    _applyRemoteWrite(collectionName: string, docId: string, action: 'put' | 'delete'): Promise<void>;
+    /**
+     * For a detected conflict: capture this tab's clobbered record,
+     * read the common ancestor from history, converge the cache to the store's
+     * authoritative value (the re-read), and return all three for the
+     * WriteConflict payload. Returns null when the collection isn't loaded.
+     */
+    _captureAndConverge(collectionName: string, docId: string, action: 'put' | 'delete', baseV: number): Promise<{
+        local: unknown;
+        remote: unknown;
+        base: unknown;
+    } | null>;
+    /** Recover a stuck cutover fence — reset to normal without bumping. */
+    abortSchemaCutover(): Promise<void>;
+    /** Current schema-cutover fence state for this vault. Thin live read. */
+    schemaFenceState(): Promise<FenceDoc>;
+    /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
+    _ensureFenceCoordination(): void;
+    /** @internal Stop the heartbeat/watcher (vault lock/close). */
+    _stopFenceCoordination(): void;
+    /** @internal Drive one heartbeat + watch cycle deterministically (tests). */
+    _fenceTick(): Promise<void>;
     /**
      * Validate i18nText fields on a `put()`. Called by Collection just
      * before the adapter write, after schema validation. Throws
@@ -7431,6 +8288,22 @@ declare class Vault {
      */
     compact(options?: CompactRunOptions): Promise<CompactionResult>;
     exportBlobs(options?: ExportBlobsOptions): ExportBlobsHandle;
+    issueAttestation(collectionName: string, id: string): Promise<{
+        docId: string;
+        qr: string;
+        keyId: string;
+        publicKeyB64: string;
+    }>;
+    getDocumentSigningPublicKey(): Promise<{
+        keyId: string;
+        publicKeyB64: string;
+    }>;
+    private makeIssueContext;
+    revokeAttestation(docId: string): Promise<void>;
+    unrevokeAttestation(docId: string): Promise<void>;
+    getRevokedDocIds(): Promise<string[]>;
+    publishRevocationList(): Promise<RevocationList>;
+    private makeRevokeContext;
     private writeExportAudit;
     /**
      * Read-only accessor for the invoking keyring's export capability,
@@ -7550,7 +8423,7 @@ declare class Vault {
      * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
      * the registry with the supplied strategy handles. No-op when the
      * handles array is empty — keeps the guard subsystem out of the
-     * floor bundle for consumers that don't use guards (#130).
+     * floor bundle for consumers that don't use guards.
      *
      * The read-only facade is eagerly instantiated here so the sync
      * accessor `_getReadOnlyFacade()` (called from the tx amendment
@@ -7558,10 +8431,9 @@ declare class Vault {
      */
     _initGuards(handles: ReadonlyArray<GuardStrategyHandleAny>): Promise<void>;
     /**
-     * @internal — Collection.put calls into this. Returns `null` for
-     * vaults that never registered any guard strategy. Callers MUST
-     * gate on null (the existing `if (this.guardSource)` branches in
-     * `Collection` already do this transitively).
+     * @internal — The gate handler in Noydb.#registerGuardGate calls into
+     * this. Returns `null` for vaults that never registered any guard
+     * strategy. Callers MUST gate on null.
      */
     _getGuardRegistry(): GuardRegistry | null;
     /**
@@ -7570,7 +8442,7 @@ declare class Vault {
      * derivation strategies (async because `strategyHash` computation
      * goes through `crypto.subtle.digest`). No-op when the handles
      * array is empty — keeps the derivation subsystem out of the floor
-     * bundle for consumers that don't use derivations (#130). Throws
+     * bundle for consumers that don't use derivations. Throws
      * `DerivationCycleError` if a cycle is detected after registration.
      */
     _initDerivations(handles: ReadonlyArray<DerivationStrategyHandle>): Promise<void>;
@@ -7585,7 +8457,7 @@ declare class Vault {
      * MV spec (which invokes its `query()` once for dependency
      * analysis), then runs the unified cycle detection across the MV +
      * derivation graphs. No-op when the handles array is empty — keeps
-     * the MV subsystem out of the floor bundle (mirrors v1 #130).
+     * the MV subsystem out of the floor bundle (mirrors the derivation lazy-import pattern).
      * Throws `MaterializedViewCycleError` if a cycle is detected.
      */
     _initMaterializedViews(handles: ReadonlyArray<MaterializedViewStrategyHandle>): Promise<void>;
@@ -7607,13 +8479,13 @@ declare class Vault {
      */
     _getOverlayedViewRegistry(): OverlayedViewRegistry | null;
     /**
-     * Manual re-materialize for a single registered MV (#151). Useful
+     * Manual re-materialize for a single registered MV. Useful
      * for `refresh: 'manual'` MVs (whose consumer drives refreshes
      * externally), for stale-bit recovery on vault re-open, and as the
      * explicit bulk-recompute escape hatch after a strategy change.
      *
-     * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
-     * foundation + this sub-issue — tombstoning lands in #152.
+     * Returns `{ written, deleted, failed }`. `deleted` is always 0
+     * when tombstoning is not enabled.
      *
      * Throws if `name` is not a registered MV.
      */
@@ -7636,20 +8508,17 @@ declare class Vault {
     /**
      * @internal — exposed for `runTransaction({ amendment: true })` so
      * the amendment invariant runner can pass the SAME read-only vault
-     * facade that the per-record `Collection.put` guard hook uses
-     * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
-     * `_initGuards()` so this accessor stays synchronous; returns
-     * `null` for vaults that never registered any guard (amendments
-     * require at least one guard, so the caller should never see null).
+     * facade that the gate handler in Noydb.#registerGuardGate uses.
+     * Eagerly instantiated by `_initGuards()` so this accessor stays
+     * synchronous; returns `null` for vaults that never registered any
+     * guard (amendments require at least one guard, so the caller should
+     * never see null).
      */
     _getReadOnlyFacade(): ReadOnlyVaultFacade | null;
     /**
-     * Internal lazy-allocator for the read-only facade. Used by the
-     * per-collection `guardSource.readOnlyVault` callback when guards
-     * ARE configured but `_initGuards()` raced with the first guard
-     * invocation (theoretically impossible — `Noydb.openVault` awaits
-     * `_initGuards` before returning — but we keep the defensive lazy
-     * path so the closure's contract stays "always returns a facade").
+     * Internal lazy-allocator for the read-only facade. Used as a
+     * defensive fallback; in practice `_initGuards()` eagerly
+     * instantiates this, so the lazy path is a no-op.
      */
     private _ensureReadOnlyFacade;
     /**
@@ -7856,7 +8725,7 @@ declare class Vault {
     listPeriods(): Promise<readonly PeriodRecord[]>;
     /** Look up a single period by name. Returns `null` if not found. */
     getPeriod(name: string): Promise<PeriodRecord | null>;
-    /** @internal — periodGuard callback installed on every Collection. */
+    /** @internal — called by the gate bus before put/delete. */
     _assertTsWritable(existing: {
         ts: string | null;
         record: Record<string, unknown> | null;
@@ -7886,6 +8755,14 @@ declare class Vault {
      * @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
      */
     dumpSchema(opts?: DumpSchemaOptions): Promise<VaultSchemaSnapshot>;
+    /**
+     * Lightweight read of the vault's registered schema: collections
+     * (+ doc counts), guards, materialized views, schema-update strategies,
+     * and the unlocked user's grants. Cheap — one `adapter.list` per
+     * collection, no decryption. For a full snapshot + stats use dumpSchema().
+     * Post-unlock by construction (a Vault only exists with an unlocked keyring).
+     */
+    introspect(): Promise<SchemaIntrospection>;
     /**
      * Internal accessor for {@link dumpVaultSchema}. Exposes the structural
      * state the walker needs (collection cache, registries, ref registry,
@@ -8362,12 +9239,19 @@ interface CacheStats extends LruStats {
 }
 /** A typed collection of records within a vault. */
 declare class Collection<T> {
+    #private;
     private readonly adapter;
     private readonly vault;
     private readonly name;
     private readonly keyring;
     private readonly encrypted;
     private readonly emitter;
+    private readonly writeQueue;
+    private readonly schemaUpdateGate;
+    private readonly schemaFence;
+    private readonly writeHooks;
+    private readonly subsystemBus;
+    private readonly activeTxId;
     private readonly getDEK;
     private readonly onDirty;
     private readonly historyConfig;
@@ -8414,6 +9298,12 @@ declare class Collection<T> {
      * caller site.
      */
     private readonly indexState;
+    /**
+     * In-memory unique-constraint enforcement for eager mode.
+     * `null` when no `unique:true` indexes are declared on this collection,
+     * or when the collection is in lazy mode (which throws at registration).
+     */
+    private readonly uniqueConstraints;
     /**
      * True once `_idx/*` side-cars have been bulk-loaded into
      * `persistedIndexes`. Flipped by `ensurePersistedIndexesLoaded()` on
@@ -8548,42 +9438,14 @@ declare class Collection<T> {
     private readonly syncAdapter;
     /** — consent-audit hook, no-op when no scope is active. */
     private readonly onAccess;
-    /**
-     * accounting-period write guard. Called BEFORE any
-     * adapter write with:
-     *   - `existing` — the prior envelope's `_ts` and decrypted record
-     *     (or `null` if no prior envelope exists)
-     *   - `incoming` — the record being written (or `null` for delete)
-     *
-     * Throws `PeriodClosedError` if either side falls inside a closed
-     * period. Installed by Vault; no-op when no period has been closed.
-     * Async so the Vault can lazy-load the period list from the
-     * adapter on first use.
-     */
-    private readonly periodGuard;
-    /**
-     * Optional back-reference to the owning vault's guard registry + a
-     * read-only vault facade. When present, `Collection.put` and
-     * `Collection.delete` consult the registry for guards declared
-     * against this collection and run their `check` + `frozenFields`
-     * before the adapter write. Absent in unit tests that construct
-     * a Collection directly; production code always sets it via
-     * `Vault.collection()`.
-     *
-     * Typed structurally rather than as `Vault` to avoid a circular
-     * import (mirrors the `refEnforcer` / `joinResolver` pattern).
-     */
-    private readonly guardSource;
     /**
      * Vault-internal hook for derivation dispatch. When set,
      * `Collection.put` consults the registry after the source-write
      * commits and writes derived outputs through `getCollection(name).put`.
-     * Same structural-interface pattern as `guardSource` to avoid a
-     * circular Vault import.
      */
     private readonly derivationSource;
     /**
-     * Vault-internal hook for materialized-view dispatch (#143/#150).
+     * Vault-internal hook for materialized-view dispatch.
      * Parallel to `derivationSource` — when set, `Collection.put` fires
      * `MaterializedViewRegistry.onSourceWrite` after the source-write
      * commits + after `dispatchDerivations` has run.
@@ -8635,6 +9497,23 @@ declare class Collection<T> {
         keyring: UnlockedKeyring;
         encrypted: boolean;
         emitter: NoydbEventEmitter;
+        /**
+         * Vault-level in-flight write tracker. When present,
+         * `put`/`delete` run inside `writeQueue.track()` so `hub.writeQueue`
+         * reflects outstanding writes. Optional so direct Collection
+         * construction in tests still works untracked.
+         */
+        writeQueue?: WriteQueueTracker | undefined;
+        /** Per-collection schema-update gate; `put`/`delete` await it. */
+        schemaUpdateGate?: SchemaUpdateGate | undefined;
+        /** Vault-level fence controller; `put`/`delete` consult it. */
+        schemaFence?: SchemaFenceController | undefined;
+        /** Hub-level write-hook registry; fired around put/delete. */
+        writeHooks?: WriteHookRegistry | undefined;
+        /** The observe bus, threaded from Noydb. */
+        subsystemBus?: SubsystemBus | undefined;
+        /** Active transaction id supplier (null outside a transaction). */
+        activeTxId?: (() => string | null) | undefined;
         getDEK: (collectionName: string) => Promise<CryptoKey>;
         historyConfig?: HistoryConfig | undefined;
         onDirty?: OnDirtyCallback | undefined;
@@ -8838,33 +9717,19 @@ declare class Collection<T> {
          * to the ledger.
          */
         onCrossTierAccess?: ((event: CrossTierAccessEvent) => void) | undefined;
-        periodGuard?: (existing: {
-            ts: string | null;
-            record: Record<string, unknown> | null;
-        } | null, incoming: Record<string, unknown> | null) => Promise<void>;
         /**
-         * Optional back-reference to the owning vault's guard registry +
-         * read-only facade. When present, put/delete consult registered
-         * guards for this collection. Same structural-interface pattern
-         * as `refEnforcer` to avoid a circular Vault import.
-         */
-        guardSource?: {
-            registry(): GuardRegistry;
-            readOnlyVault(): ReadOnlyVaultFacade$1;
-        } | undefined;
         /**
          * Optional back-reference to the owning vault's derivation
          * registry + collection accessor. When present, successful
          * `put()` dispatches registered derivation strategies for the
-         * source collection. Same structural-interface pattern as
-         * `guardSource` to avoid a circular Vault import.
+         * source collection.
          */
         derivationSource?: {
             registry(): DerivationRegistry;
             getCollection(name: string): Collection<Record<string, unknown>>;
             /**
              * Read-only vault facade handed to `derive(source, ctx)` so a
-             * derivation can fetch sibling records (#147). Same shape and
+             * derivation can fetch sibling records. Same shape and
              * instance the guards subsystem uses for `check(incoming, ctx)`.
              */
             getReadOnlyFacade(): ReadOnlyVaultFacade$1;
@@ -8873,13 +9738,13 @@ declare class Collection<T> {
              * transaction context, or `null` when no transaction is running.
              * `dispatchDerivations` consults this so a recursive derived-output
              * write can register its pre-write envelope onto `ctx._executed`
-             * and roll back alongside the source op on mid-batch failure (#133).
+             * and roll back alongside the source op on mid-batch failure.
              */
             getActiveTxContext(): TxContext | null;
             /**
              * Construct a transient TxContext bound to the owning Noydb. Used
              * by `Collection.putManyAtomic` to publish an active context for
-             * its Phase 2 loop (#133).
+             * its Phase 2 loop.
              */
             createTxContext(): TxContext;
             /** Publish a TxContext for the duration of a bulk-atomic loop. */
@@ -8888,7 +9753,7 @@ declare class Collection<T> {
             clearActiveTxContext(ctx: TxContext): void;
         } | undefined;
         /**
-         * Vault-internal hook for materialized-view dispatch (#143/#150).
+         * Vault-internal hook for materialized-view dispatch.
          * Parallel to `derivationSource`. When set, `Collection.put` fires
          * registered MV `onSourceWrite` after the standard derivation
          * dispatch.
@@ -8950,24 +9815,27 @@ declare class Collection<T> {
         pollIntervalMs?: number;
     }): PresenceHandle<P>;
     /**
-     * Create or update a record.
+     * Create or update a record. Runs inside the hub's write-queue tracker
+     * so `hub.writeQueue.pending` reflects this write.
      *
      * @param id      Record identifier.
      * @param record  The record body (validated by the collection's schema
      *                if one was attached at `vault.collection(...)` time).
      * @param options Optional metadata for audit + import workflows.
      *                `reason` is stamped onto the resulting ledger entry
-     *                (see #1) so audit consumers can filter via
+     *                so audit consumers can filter via
      *                `entries.filter(e => e.reason?.startsWith('import:'))`.
      */
     put(id: string, record: T, options?: {
         readonly reason?: string;
     }): Promise<void>;
+    /** @internal Untracked put body — call {@link put}, not this. */
+    private putInternal;
     /**
      * Fire registered MV strategies whose dependency set includes this
      * collection. Eager-mode MVs re-materialize inline via
      * `MaterializedViewExecutor.refresh`; lazy / manual modes are
-     * no-ops in the foundation (subtask #150) — wired in #151.
+     * no-ops in the foundation; wired in the lazy-mode implementation.
      *
      * Skips entirely when the record being written is itself an
      * MV-emitted row (carries `_materializedFrom`) — defensive guard
@@ -8988,12 +9856,23 @@ declare class Collection<T> {
      * cycle detection.
      */
     private dispatchDerivations;
-    /** Delete a record by ID. */
+    /**
+     * Delete a record by ID. Runs inside the hub's write-queue tracker
+     * so `hub.writeQueue.pending` reflects this write.
+     */
     delete(id: string): Promise<void>;
+    /**
+     * @internal — bulk-rewrite every record through a cutover transform.
+     * Raw adapter path (bypasses the write gate + guards — the transform is
+     * trusted and runs only during the `migrating` phase). Bumps each
+     * record's `_v` and appends a ledger `op:'migration'` entry.
+     */
+    _applyCutoverTransform(transform: (doc: Record<string, unknown>) => Record<string, unknown>): Promise<number>;
+    /** @internal Untracked delete body — call {@link delete}, not this. */
+    private deleteInternal;
     /**
      * @internal — system-internal delete that bypasses user-facing
-     * delete hooks (`onDelete`, accounting-period guard, FK ref
-     * enforcer). Used by derivation tombstones (#144) and MV refresh
+     * delete hooks (`onDelete`, FK ref enforcer). Used by derivation tombstones and MV refresh
      * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
      * registered against the output collection. The ledger entry and
      * history snapshot still fire so backup integrity and time-travel
@@ -9005,7 +9884,7 @@ declare class Collection<T> {
      *
      * When a `txCtx` is supplied, the prior envelope is captured and
      * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
-     * the #133 rollback hardening for puts. Callers outside a
+     * the rollback hardening for puts. Callers outside a
      * multi-record transaction pass `null` and skip the tracking.
      *
      * Amendment composition: if `_internalDelete` runs while a vault's
@@ -9032,7 +9911,7 @@ declare class Collection<T> {
     private _doDelete;
     /**
      * Cascade deletes of array-shape derived rows when a source row is
-     * deleted (#200). Reads each registered strategy's fanout sidecar
+     * deleted. Reads each registered strategy's fanout sidecar
      * for this source id, deletes every listed derived row, then
      * deletes the sidecar itself.
      *
@@ -9043,8 +9922,8 @@ declare class Collection<T> {
      */
     private dispatchArrayDerivationsOnDelete;
     /**
-     * Mirror of {@link dispatchMaterializedViews} for the delete path
-     * (#181). No record content is available (it's gone), so the
+     * Mirror of {@link dispatchMaterializedViews} for the delete path.
+     * No record content is available (it's gone), so the
      * `_materializedFrom` skip used by the put-side dispatch doesn't
      * apply here — instead, the recursion guard is the `internal` gate
      * at the `_doDelete` call site above.
@@ -9126,7 +10005,7 @@ declare class Collection<T> {
      * the filtered records directly (the API). Prefer the chainable
      * form for new code.
      *
-     * **Lazy-MV gap (#157):** `query()` is synchronous and does NOT
+     * **Lazy-MV gap:** `query()` is synchronous and does NOT
      * trigger lazy materialized-view resolve-on-read. If this
      * collection is a lazy MV's output and the MV is currently stale,
      * `query().toArray()` returns the pre-stale snapshot. To force a
@@ -9287,7 +10166,7 @@ declare class Collection<T> {
      *   .aggregate({ total: sum('amount'), n: count() })
      * ```
      *
-     * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+     * **Lazy-MV gap:** `scan()` is synchronous-build and does
      * NOT trigger lazy materialized-view resolve-on-read. For lazy
      * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
      * before scanning. Same shape as the `query()` limitation.
@@ -9326,6 +10205,15 @@ declare class Collection<T> {
      * gone before the tx and the revert deleted it again).
      */
     _invalidateCacheEntry(id: string): Promise<void>;
+    /**
+     * Apply a peer tab's committed write to THIS tab's in-memory view:
+     * re-read the (already-persisted) envelope from the shared store + refresh
+     * cache/indexes, then emit a `change` event so reactive consumers re-render.
+     * Never writes to the store and never fires write hooks, so it cannot loop.
+     */
+    _applyRemoteChange(id: string, action: 'put' | 'delete'): Promise<void>;
+    /** @internal — the current in-memory record without a store read (for conflict capture). */
+    _peekCached(id: string): T | null;
     private ensureHydrated;
     /** Hydrate from a pre-loaded snapshot (used by Vault). */
     hydrateFromSnapshot(records: Record<string, EncryptedEnvelope>): Promise<void>;
@@ -9340,6 +10228,11 @@ declare class Collection<T> {
      * 1K–50K records this completes in single-digit milliseconds.
      */
     private rebuildEagerIndexesFromCache;
+    /**
+     * Rebuild unique-constraint maps from the current in-memory cache.
+     * Called after any bulk hydration alongside `rebuildEagerIndexesFromCache`.
+     */
+    private rebuildUniqueConstraintsFromCache;
     /**
      * Rebuild every declared index from scratch.
      *
@@ -9751,6 +10644,7 @@ interface ShadowStrategy {
  */
 interface TxStrategy {
     runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
+    runDryRun(db: Noydb, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
 }
 
 /**
@@ -9881,7 +10775,7 @@ interface SessionStrategy {
 }
 
 /**
- * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.
+ * Managed-passphrase mode — rubber-hose-resistant vaults.
  *
  * A vault mode where the passphrase is machine-generated and never
  * exposed to the user, sealed under a developer-provided
@@ -9897,6 +10791,18 @@ interface SessionStrategy {
  *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
  *     a deterministic per-instance "key" so two providers with
  *     different ids cannot unseal each other's outputs.
+ *   - {@link RecipientHint} — public material a sender uses to seal
+ *     plaintext for a specific recipient; published by
+ *     {@link RecipientSealer.publishRecipientHint} and transported
+ *     out-of-band to the sender before bundle writes.
+ *   - {@link RecipientSealer} — interface for asymmetric/granted
+ *     providers that support recipient-target sealing (RSA-OAEP,
+ *     cloud-KMS asymmetric, etc.); distinct from self-only
+ *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
+ *   - {@link MemoryRecipientSealer} — in-process reference
+ *     implementation of both `RecipientSealer` and
+ *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
+ *     safe for tests and same-process sender/recipient scenarios.
  *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
  *     plaintext envelope storage at `_meta/sealed-passphrase`.
  *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
@@ -9908,9 +10814,9 @@ interface SessionStrategy {
  *     Returns the plaintext passphrase string that the rest of the
  *     `createNoydb` keyring path consumes.
  *
- * Slice 1 of #14. Deferred to follow-ups:
+ * Deferred to follow-ups:
  *   - Block `rotate-passphrase` policy gate under managed mode.
- *   - Mandatory strong-recovery enforcement (depends on #10).
+ *   - Mandatory strong-recovery enforcement.
  *   - Recovery flow under managed mode (generates fresh sealed phrase).
  *
  * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
@@ -9977,6 +10883,78 @@ declare class MemorySealingKeyProvider implements SealingKeyProvider {
     seal(passphrase: Uint8Array): Promise<Uint8Array>;
     unseal(sealed: Uint8Array): Promise<Uint8Array>;
 }
+/**
+ * Public material a sender uses to seal-for-this-recipient. Published by
+ * a recipient's RecipientSealer; transported to the sender out-of-band
+ * (email, S3, in-app message). The sender obtains the hint, supplies it
+ * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
+ * hub seals each user's credential against it. Per foundation §11.4.
+ */
+type RecipientHint = {
+    readonly v: 1;
+    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
+    readonly pid: string;
+    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
+    readonly alg: 'rsa-oaep-sha256';
+    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
+    readonly material: Readonly<Record<string, unknown>>;
+};
+/**
+ * Handover-capable provider. Implemented additionally by asymmetric/granted
+ * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
+ * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
+ * implement this — the §11.2 capability matrix lives in the type system.
+ *
+ * Per foundation §11.4. A function that requires recipient-target sealing
+ * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
+ * passing a self-only provider at the spec site.
+ */
+interface RecipientSealer {
+    readonly id: string;
+    /** Produce hint material a sender uses to seal-for-this-recipient. */
+    publishRecipientHint(): Promise<RecipientHint>;
+    /**
+     * Seal plaintext for the recipient described by `hint`. Returns opaque
+     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
+     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
+     * without inspecting them.
+     */
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+}
+/**
+ * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
+ * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
+ * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
+ * result into a self-describing TLV:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
+ * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
+ * for tests where one provider plays both ends. Real cloud providers
+ * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
+ * contract is round-trip identity.
+ *
+ * SAFE for production within its scope — the cryptography is real
+ * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
+ * and is regenerated on every construction. Not suitable as a managed
+ * keychain; use it for tests and for shipping bundles where the
+ * recipient instance lives in the same process as the sender (rare).
+ */
+declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
+    readonly id: string;
+    private readonly keypair;
+    constructor(opts: {
+        id: string;
+    });
+    publishRecipientHint(): Promise<RecipientHint>;
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    unseal(bytes: Uint8Array): Promise<Uint8Array>;
+}
 /** Reserved id for the managed-passphrase envelope under `_meta`. */
 declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
 /** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
@@ -9998,12 +10976,12 @@ interface SealedPassphrase {
  *
  * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
  *
- * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`
+ * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
  * — accepted on read for backwards compatibility; never produced on
  * write going forward.
  */
 interface SealedEnvelope {
-    /** Envelope schema version. v1 is the shape shipped in pre.16. */
+    /** Envelope schema version. v1 is the current shape. */
     readonly v: 1;
     /** Magic marker for forensics + legacy-shape detection. */
     readonly _noydb_sealed: 1;
@@ -10017,9 +10995,9 @@ interface SealedEnvelope {
  * in-memory {@link SealedPassphrase} representation. Accepts both:
  *
  *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
- *      the shape produced from pre.16 onward.
+ *      the current shape.
  *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
- *      the shape produced in pre.14/pre.15. Read-only; never written
+ *      read-only; never written
  *      going forward.
  *
  * Returns `undefined` for any input that doesn't match either shape,
@@ -10404,9 +11382,9 @@ interface ImportCapability {
  */
 type VaultPolicyOnDisk = Record<string, unknown>;
 /**
- * Recovery profile enrolled at vault creation (issue #10).
+ * Recovery profile enrolled at vault creation.
  *
- * - `paper` — `on-recovery` codes (the only end-to-end profile in v0.1.0-pre.5).
+ * - `paper` — `on-recovery` codes (the standard end-to-end profile).
  * - `shamir` / `multi-channel` / `admin-mediated` — API surface ships;
  *   per-profile dispatch lands in follow-up issues. Calling
  *   `db.recoverPassphrase` against these throws
@@ -10469,7 +11447,7 @@ interface KeyringAuthenticatorBase {
  * extractable KEK from its own credential — WebAuthn (PRF-derived
  * wrapping key) and split-key OIDC.
  *
- * `wrapKind` is optional/absent on slots written before pre.8 — those
+ * `wrapKind` is optional/absent on older slots — those
  * legacy slots are treated as wrap-KEK by default at unlock time.
  */
 interface KeyringAuthenticatorWrappingKEK extends KeyringAuthenticatorBase {
@@ -10532,11 +11510,11 @@ interface KeyringFile {
     readonly granted_by: string;
     /**
      * Passphrase canary — base64 AES-KW-wrapped form of a known constant
-     * 256-bit value, wrapped under the keyring's KEK (#113).
+     * 256-bit value, wrapped under the keyring's KEK.
      *
-     * Optional: pre-#113 keyrings load with no canary and fall back to
-     * the multi-DEK corruption heuristic from #82. Keyrings written after
-     * #113 carry one and let `loadKeyring` distinguish wrong-passphrase
+     * Optional: older keyrings load with no canary and fall back to
+     * the multi-DEK corruption heuristic. Newer keyrings
+     * carry one and let `loadKeyring` distinguish wrong-passphrase
      * from corruption even when ALL DEKs (including a single-DEK keyring's
      * sole DEK) are corrupted.
      *
@@ -10758,6 +11736,23 @@ interface Conflict {
      */
     readonly resolve?: (winner: EncryptedEnvelope | null) => void;
 }
+/**
+ * A same-device cross-tab write conflict: another tab overwrote a
+ * document this tab had written, having diverged from an older base. Records
+ * are decrypted (cross-tab handlers reconcile in plaintext). `base` is the
+ * common ancestor from history, or null when history is unavailable.
+ */
+interface WriteConflict {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    readonly local: unknown;
+    readonly remote: unknown;
+    readonly base: unknown;
+    readonly localVersion: number;
+    readonly remoteVersion: number;
+    readonly baseVersion: number;
+}
 type ConflictStrategy = 'local-wins' | 'remote-wins' | 'version' | ((conflict: Conflict) => 'local' | 'remote');
 /**
  * Collection-level conflict policy.
@@ -10844,9 +11839,20 @@ interface ChangeEvent {
 interface NoydbEventMap {
     'change': ChangeEvent;
     'error': Error;
+    /**
+     * Same-instance signal that this vault's schema-fence state changed.
+     * For UI integration. Cross-client coordination goes
+     * through the store, not this event.
+     */
+    'schema:fence-changed': {
+        vault: string;
+        currentSchemaVersion: number;
+        fenceState: 'normal' | 'draining' | 'migrating' | 'complete';
+    };
     'sync:push': PushResult;
     'sync:pull': PullResult;
     'sync:conflict': Conflict;
+    'write:conflict': WriteConflict;
     'sync:online': void;
     'sync:offline': void;
     'sync:backup-error': {
@@ -10941,7 +11947,7 @@ interface GrantOptions {
     readonly initialProfile?: unknown;
 }
 /**
- * Caller payload for `db.updateUser` (#54). Mutate one or more
+ * Caller payload for `db.updateUser`. Mutate one or more
  * identity fields on an existing keyring without rotating any keys.
  *
  * `role`, `displayName`, and `permissions` live in the plaintext header
@@ -10955,7 +11961,7 @@ interface GrantOptions {
  * `null` on `displayName` clears the field (stored as the empty string;
  * UI consumers typically render the empty case by falling back to the
  * user id). `undefined` / absent leaves the field untouched. Mirrors
- * the `null`-as-clear convention `UserApi.updateMe` uses (#57).
+ * the `null`-as-clear convention `UserApi.updateMe` uses.
  *
  * `permissions`, however, is a **full replacement** at the map level —
  * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
@@ -10969,8 +11975,6 @@ interface GrantOptions {
  * do anything. Non-admin callers (operator/viewer/client) cannot call
  * `db.updateUser` at all — for self-displayName changes, use
  * `vault.user.updateMe` (the user-envelope API).
- *
- * @see #54
  */
 interface UpdateUserOptions {
     readonly userId: string;
@@ -11546,6 +12550,13 @@ interface NoydbOptions {
      * @internal
      */
     readonly syncStrategy?: SyncStrategy;
+    /**
+     * Tree-shake seam — optional snapshot-lifecycle subsystem. Pass
+     * `withSnapshots({ store })` from `@noy-db/hub/snapshots` to enable
+     * `db.snapshot()`, `db.listSnapshots()`, and `db.restoreSnapshot()`.
+     * When omitted, all three methods throw with a pointer at the subpath.
+     */
+    readonly snapshotStrategy?: SnapshotStrategy;
     /**
      * Optional guard strategies — collection-level write guards. Each
      * handle is the output of `withGuard()` from `@noy-db/hub/guards`.
@@ -11562,7 +12573,7 @@ interface NoydbOptions {
      */
     readonly derivationStrategies?: ReadonlyArray<DerivationStrategyHandle>;
     /**
-     * Optional materialized-view strategies (#143, foundation in #150).
+     * Optional materialized-view strategies.
      * Each handle returned by `withMaterializedView()` from
      * `@noy-db/hub/materialized-views`. The vault runs unified cycle
      * detection across the MV + derivation graphs at `openVault`; a
@@ -11570,7 +12581,7 @@ interface NoydbOptions {
      */
     readonly materializedViewStrategies?: ReadonlyArray<MaterializedViewStrategyHandle>;
     /**
-     * Optional overlay strategies (#154). Each handle returned by
+     * Optional overlay strategies. Each handle returned by
      * `withOverlayedView()` from `@noy-db/hub/overlay-views`. The vault
      * validates name uniqueness + base concreteness + overlay
      * availability at `openVault`; a clash throws one of the
@@ -11623,7 +12634,7 @@ interface NoydbOptions {
      */
     readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>;
     /**
-     * Passphrase mode (#14). Default `'standard'`.
+     * Passphrase mode. Default `'standard'`.
      *
      *   - `'standard'` — the legacy flow. `secret` supplies the
      *     plaintext passphrase, the user knows it, and the policy gate
@@ -11684,14 +12695,14 @@ interface NoydbOptions {
     readonly sessionPolicy?: SessionPolicy;
     /**
      * Validate passphrase strength against the phrase format
-     * (`@noy-db/hub` issue #7) on first-time keyring creation. When
+     * on first-time keyring creation. When
      * `true`, weak phrases throw {@link WeakPassphraseError} from
      * `createNoydb()` / `db.rotatePassphrase()`. Default: `false` for
-     * back-compat in v0.1.x; planned to flip to `true` at v1.0.
+     * back-compat; planned to flip to `true` in a future major release.
      */
     readonly validatePassphrase?: boolean;
     /**
-     * Vault-level policy gate document (issue #9). When present, the hub
+     * Vault-level policy gate document. When present, the hub
      * persists the merged policy at `_meta/policy` on first-time vault
      * creation and gates sensitive operations (`db.rotatePassphrase`,
      * `db.export*`, …) against it. Omitted ⇒ the engine uses
@@ -11707,14 +12718,14 @@ interface NoydbOptions {
      */
     readonly policy?: VaultPolicy;
     /**
-     * Mandatory recovery profile enrollment (issue #10). Vaults with
+     * Mandatory recovery profile enrollment. Vaults with
      * `recover-passphrase` enabled MUST register at least one profile
      * before being production-ready, otherwise `createNoydb()` throws
      * {@link RecoveryNotEnrolledError}. Set
      * `policy.gates['recover-passphrase'].enabled = false` to
      * deliberately opt out of recovery (passphrase loss = data loss).
      *
-     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end. Other
+     * The `'paper'` profile is supported end-to-end. Other
      * profiles ship the API shape and throw
      * {@link RecoveryProfileNotImplementedError} during use.
      */
@@ -11722,9 +12733,9 @@ interface NoydbOptions {
     /**
      * When `true`, `createNoydb` rejects vaults with no recovery
      * entries persisted (per the spec's mandatory-enrollment
-     * requirement). Default `false` for v0.1.x back-compat; planned to
-     * flip to `true` at v1.0. Apps in regulated environments should
-     * turn this on now.
+     * requirement). Default `false` for back-compat; planned to
+     * flip to `true` in a future major release. Apps in regulated
+     * environments should turn this on now.
      */
     readonly requireRecovery?: boolean;
     /**
@@ -11851,4 +12862,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, VaultInstant as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DerivationStrategyHandle as aA, type DerivedFromMeta as aB, type OutputSpec as aC, type RecordOutputSpec as aD, type MaterializedViewStrategy as aE, type MaterializedViewStrategyHandle as aF, type OverlayedViewStrategy as aG, Collection as aH, OverlayedViewRegistry as aI, type OverlayedViewStrategyHandle as aJ, type SyncStrategy as aK, type Role as aL, type UnlockedKeyring as aM, type HistoryStrategy as aN, type NoydbStore as aO, type HistoryOptions as aP, type EncryptedEnvelope as aQ, type PruneOptions as aR, type AppendInput as aS, type ChangeType as aT, CollectionInstant as aU, type DiffEntry as aV, type JsonPatch as aW, type JsonPatchOp as aX, type LedgerEntry as aY, LedgerStore as aZ, type VaultEngine as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type GuardStrategy as ah, type GuardChange as ai, type GuardContext as aj, GuardRegistry as ak, type GuardStrategyHandle as al, ReadOnlyVaultFacade as am, type ShadowStrategy as an, CollectionFrame as ao, VaultFrame as ap, type TxStrategy as aq, type AmendmentTxOptions as ar, TxCollection as as, TxContext as at, TxVault as au, runTransaction as av, type DerivationStrategy as aw, type DerivationContext as ax, type ArrayOutputSpec as ay, DerivationRegistry as az, type DictKeyDescriptor as b, type FactorRequirement as b$, type VerifyResult as b0, applyPatch as b1, canonicalJson as b2, computePatch as b3, diff as b4, formatDiff as b5, hashEntry as b6, paddedIndex as b7, parseIndex as b8, sha256Hex as b9, type CollectionDescriptor as bA, type CollectionStats as bB, type Conflict as bC, type ConflictPolicy as bD, type ConflictStrategy as bE, type CrossTierAccessEvent as bF, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bG, DELEGATIONS_COLLECTION as bH, type DeepPartial as bI, type DeepPartialOrNull as bJ, type DelegationToken as bK, type DeleteManyResult as bL, type DerivationDescriptor as bM, type DirtyEntry as bN, type DumpSchemaOptions as bO, ELEVATION_AUDIT_COLLECTION as bP, ElevatedHandle as bQ, type EnrollAuthenticatorOptions as bR, type EnrollAuthenticatorWrappingDEKsOptions as bS, type EnrollAuthenticatorWrappingKEKOptions as bT, type EnrollRecoveryResult as bU, type ExportCapability as bV, type ExportChunk as bW, type ExportFormat as bX, type ExportStreamOptions as bY, type FactorKind as bZ, type FactorProofBundle as b_, type MVQueryContext as ba, type RegisteredMV as bb, MaterializedViewRegistry as bc, type MaterializedFromMeta as bd, type MaterializedViewOutput as be, type UnionSource as bf, type UserEnvelope as bg, type PublicEnvelope as bh, type GateName as bi, type GatePolicy as bj, type VaultPolicy as bk, type ActiveTier as bl, type FactorProof as bm, type PersistedSchemaEnvelope as bn, type DirectoryConfig as bo, type UserVisibility as bp, Vault as bq, type AccessibleVault as br, BUNDLE_STORE_POLICY as bs, type BuiltInGateName as bt, type BundleRecipient as bu, type CacheOptions as bv, type CacheStats as bw, type ChangeEvent as bx, type CollectionChangeEvent as by, type CollectionConflictResolver as bz, DictionaryHandle as c, type PutManyItemOptions as c$, type FieldDescriptor as c0, type FieldSource as c1, type GhostRecord as c2, type GrantOptions as c3, type HistoryConfig as c4, type HistoryEntry as c5, INDEXED_STORE_POLICY as c6, type ImportCapability as c7, type InferOutput as c8, type InternalCollectionStats as c9, type NoydbBundleStore as cA, type NoydbEventMap as cB, type NoydbOptions as cC, type OverlayViewDescriptor as cD, PUBLIC_ENVELOPE_FIELDS as cE, type PaperRecoveryDoc as cF, type PaperRecoveryEntry as cG, type PassphrasePolicy as cH, type PassphraseValidationResult as cI, type Permission as cJ, type Permissions as cK, type PersistedSchemaKind as cL, type PlaintextTranslatorContext as cM, type PlaintextTranslatorFn as cN, PresenceHandle as cO, type PresencePeer as cP, type PublicEnvelopeField as cQ, type PublicEnvelopeSchema as cR, type PublicEnvelopeText as cS, type PullMode as cT, type PullOptions as cU, type PullPolicy as cV, type PullResult as cW, type PushMode as cX, type PushOptions as cY, type PushPolicy as cZ, type PushResult as c_, type IssueDelegationOptions as ca, type IssueMagicLinkGrantOptions as cb, type KeyringAuthenticator as cc, type KeyringAuthenticatorWrappingDEKs as cd, type KeyringAuthenticatorWrappingKEK as ce, type KeyringFile as cf, type ListAccessibleVaultsOptions as cg, type ListPageResult as ch, type ListUsersOptions as ci, type LiveUserEnvelope as cj, type LocaleReadOptions as ck, Lru as cl, type LruOptions as cm, type LruStats as cn, MAGIC_LINK_CONTENT_INFO_PREFIX as co, MAGIC_LINK_GRANTS_COLLECTION as cp, MAGIC_LINK_KEK_INFO_PREFIX as cq, type MagicLinkGrantPayload as cr, type MagicLinkGrantRecord as cs, type MaterializedViewDescriptor as ct, MemorySealingKeyProvider as cu, NOYDB_BACKUP_VERSION as cv, NOYDB_FORMAT_VERSION as cw, NOYDB_KEYRING_VERSION as cx, NOYDB_SYNC_VERSION as cy, Noydb as cz, type DictionaryOptions as d, type WeakPassphraseReason as d$, type PutManyOptions as d0, type PutManyResult as d1, type QueryAcrossOptions as d2, type QueryAcrossResult as d3, type QuickUnlockState as d4, QuickUnlockStore as d5, type ReAuthOperation as d6, type RecoverPassphraseInput as d7, type RecoverPassphraseResult as d8, type RecoverUserOptions as d9, type SyncPolicy as dA, SyncScheduler as dB, type SyncSchedulerStatus as dC, type SyncStatus as dD, type SyncTarget as dE, type SyncTargetRole as dF, SyncTransaction as dG, type SyncTransactionResult as dH, type TierMode as dI, type TranslatorAuditEntry as dJ, type TxOp as dK, USER_ENVELOPE_COLLECTION as dL, USER_ENVELOPE_MAX_BYTES as dM, type Unsubscribe as dN, type UpdateAuthenticatorOptions as dO, type UpdateUserOptions as dP, UserApi as dQ, type UserEnvelopeCheckGate as dR, UserEnvelopeOversizedError as dS, type UserEnvelopePresented as dT, type UserInfo as dU, type VaultBackup as dV, type VaultPolicyOnDisk as dW, type VaultSchemaSnapshot as dX, type VaultSnapshot as dY, type WarningRules as dZ, WeakPassphraseError as d_, type RecoveryProof as da, type ResolvedPublicEnvelopeSchema as db, type RevokeOptions as dc, type RotatePassphraseInput as dd, type RotateRecoveryOptions as de, type RotateRecoveryResult as df, SEALED_PASSPHRASE_RECORD_ID as dg, type SealedEnvelope as dh, type SealedPassphrase as di, type SealingKeyProvider as dj, type SessionPolicy as dk, type SetPublicEnvelopeInput as dl, type ShamirRecoveryDoc as dm, type ShamirRecoveryEntry as dn, type ShamirRecoveryProvider as dp, type SlotRewrapCeremony as dq, type SlotRewrapContext as dr, type StandardSchemaV1 as ds, type StandardSchemaV1Issue as dt, type StandardSchemaV1SyncResult as du, type StoreAuth as dv, type StoreAuthKind as dw, type StoreCapabilities as dx, SyncEngine as dy, type SyncMetadata as dz, type I18nTextDescriptor as e, type WrappedDeksBlob as e0, assertStrongPassphrase as e1, buildRecipientKeyringFile as e2, burnPaperRecoveryEntry as e3, createNoydb as e4, createStore as e5, deriveMagicLinkContentKey as e6, enrollAuthenticator as e7, estimateEntropy as e8, evaluateExportCapability as e9, revokeDelegation as eA, revokeMagicLinkGrant as eB, savePaperRecoveryEntries as eC, saveSealedPassphrase as eD, saveShamirRecoveryEntries as eE, unwrapDeksFromBlob as eF, unwrapDeksFromPaperEntry as eG, unwrapDeksFromShamirEntry as eH, unwrapMagicLinkGrant as eI, validatePassphrase as eJ, validatePublicEnvelopeInput as eK, validateSchemaInput as eL, validateSchemaOutput as eM, writeMagicLinkGrant as eN, changeSecret as eO, createOwnerKeyring as eP, ensureCollectionDEK as eQ, grant as eR, loadKeyring as eS, persistKeyring as eT, revoke as eU, updateAuthenticator as eV, updateKeyringIdentity as eW, evaluateImportCapability as ea, findAuthenticator as eb, hasExportCapability as ec, hasImportCapability as ed, hasRecoveryEnrolled as ee, isMagicLinkGrantExpired as ef, isPublicEnvelope as eg, issueDelegation as eh, recoverPassphrase as ei, rotatePassphrase as ej, listMagicLinkGrants as ek, listUsers as el, listUsersWithEnvelopes as em, loadActiveDelegations as en, loadPaperRecoveryEntries as eo, loadSealedPassphrase as ep, loadShamirRecoveryEntries as eq, magicLinkGrantRecordId as er, mintPaperRecoveryEntry as es, mintShamirRecoveryEntry as et, mintWrappedDeksBlob as eu, parseSealedEnvelope as ev, readMagicLinkGrantRecord as ew, recoverUser as ex, removeAuthenticator as ey, resolveSchema as ez, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ExportBlobsAuditEntry as $, BLOB_COLLECTION as A, type BlobStrategy as B, BLOB_EVICTION_AUDIT_COLLECTION as C, DICT_COLLECTION_PREFIX as D, BLOB_INDEX_COLLECTION as E, BLOB_SLOTS_PREFIX as F, BLOB_VERSIONS_PREFIX as G, type BlobEvictionEntry as H, type I18nStrategy as I, type BlobFieldPolicy as J, type BlobFieldsConfig as K, type Layer as L, type BlobObject as M, type BlobPutOptions as N, type OnMissing as O, PolicyEnforcer as P, type BlobResponseOptions as Q, type ResolveI18nOptions as R, type ScriptWarning as S, BlobSet as T, type BlobStrategyOpenArgs as U, type CompactRunOptions as V, type CompactionContext as W, type CompactionResult as X, DEFAULT_CHUNK_SIZE as Y, EXPORT_AUDIT_COLLECTION as Z, ExportBlobsAbortedError as _, type DictEntry as a, type SyncStrategy as a$, type ExportBlobsHandle as a0, type ExportBlobsOptions as a1, type ExportedBlob as a2, type SlotInfo as a3, type SlotRecord as a4, type VersionRecord as a5, createExportBlobsHandle as a6, runCompaction as a7, type ConsentStrategy as a8, CONSENT_AUDIT_COLLECTION as a9, VaultFrame as aA, type NoydbBundleStore as aB, type RetentionPolicy as aC, type SnapshotPolicy as aD, type SnapshotStrategy as aE, type SnapshotMeta as aF, type SnapshotMode as aG, type TxStrategy as aH, type AmendmentTxOptions as aI, TxCollection as aJ, TxContext as aK, TxVault as aL, runTransaction as aM, type DerivationStrategy as aN, type DerivationContext as aO, type ArrayOutputSpec as aP, DerivationRegistry as aQ, type DerivationStrategyHandle as aR, type DerivedFromMeta as aS, type OutputSpec as aT, type RecordOutputSpec as aU, type MaterializedViewStrategy as aV, type MaterializedViewStrategyHandle as aW, type OverlayedViewStrategy as aX, Collection as aY, OverlayedViewRegistry as aZ, type OverlayedViewStrategyHandle as a_, type ConsentAuditEntry as aa, type ConsentAuditFilter as ab, type ConsentContext as ac, type ConsentOp as ad, loadConsentEntries as ae, writeConsentEntry as af, type PeriodsStrategy as ag, type CarryForwardContext as ah, type ClosePeriodOptions as ai, type OpenPeriodOptions as aj, PERIODS_COLLECTION as ak, type PeriodRecord as al, type ReadOnlyCollection as am, appendPeriodLedgerEntry as an, assertTsWritable as ao, chainAnchor as ap, loadPeriods as aq, validatePeriodName as ar, type GuardStrategy as as, type GuardChange as at, type GuardContext as au, GuardRegistry as av, type GuardStrategyHandle as aw, ReadOnlyVaultFacade as ax, type ShadowStrategy as ay, CollectionFrame as az, type DictKeyDescriptor as b, type CollectionStats as b$, type Role as b0, type UnlockedKeyring as b1, type HistoryStrategy as b2, type NoydbStore as b3, type HistoryOptions as b4, type EncryptedEnvelope as b5, type PruneOptions as b6, type AppendInput as b7, type ChangeType as b8, CollectionInstant as b9, type RegisteredMV as bA, MaterializedViewRegistry as bB, type MaterializedFromMeta as bC, type MaterializedViewOutput as bD, type UnionSource as bE, type UserEnvelope as bF, type GateName as bG, type GatePolicy as bH, type VaultPolicy as bI, type ActiveTier as bJ, type FactorProof as bK, type SchemaUpdateStrategy as bL, type TransformFn as bM, type PersistedSchemaEnvelope as bN, type UpdateDecision as bO, type DirectoryConfig as bP, type UserVisibility as bQ, type AccessibleVault as bR, type AffectedDocument as bS, BUNDLE_STORE_POLICY as bT, type BuiltInGateName as bU, type CacheOptions as bV, type CacheStats as bW, type ChangeEvent as bX, type CollectionChangeEvent as bY, type CollectionConflictResolver as bZ, type CollectionDescriptor as b_, type DiffEntry as ba, type JsonPatch as bb, type JsonPatchOp as bc, type LedgerEntry as bd, LedgerStore as be, type VaultEngine as bf, VaultInstant as bg, type VerifyResult as bh, applyPatch as bi, canonicalJson as bj, computePatch as bk, diff as bl, formatDiff as bm, hashEntry as bn, paddedIndex as bo, parseIndex as bp, sha256Hex as bq, type PublicEnvelope as br, type SealingKeyProvider as bs, type BundleRecipient as bt, type RecipientSealer as bu, type RecipientHint as bv, Vault as bw, type RecoveryEnrollmentInput as bx, type ShamirRecoveryProvider as by, type MVQueryContext as bz, DictionaryHandle as c, NOYDB_BACKUP_VERSION as c$, type Conflict as c0, type ConflictPolicy as c1, type ConflictStrategy as c2, type CrossTierAccessEvent as c3, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as c4, DELEGATIONS_COLLECTION as c5, type DeepPartial as c6, type DeepPartialOrNull as c7, type DelegationToken as c8, type DeleteManyResult as c9, type HistoryEntry as cA, INDEXED_STORE_POLICY as cB, type ImportCapability as cC, type InferOutput as cD, type InternalCollectionStats as cE, type IssueDelegationOptions as cF, type IssueMagicLinkGrantOptions as cG, type KeyringAuthenticator as cH, type KeyringAuthenticatorWrappingDEKs as cI, type KeyringAuthenticatorWrappingKEK as cJ, type KeyringFile as cK, type ListAccessibleVaultsOptions as cL, type ListPageResult as cM, type ListUsersOptions as cN, type LiveUserEnvelope as cO, type LocaleReadOptions as cP, Lru as cQ, type LruOptions as cR, type LruStats as cS, MAGIC_LINK_CONTENT_INFO_PREFIX as cT, MAGIC_LINK_GRANTS_COLLECTION as cU, MAGIC_LINK_KEK_INFO_PREFIX as cV, type MagicLinkGrantPayload as cW, type MagicLinkGrantRecord as cX, type MaterializedViewDescriptor as cY, MemoryRecipientSealer as cZ, MemorySealingKeyProvider as c_, type DerivationDescriptor as ca, type DirtyEntry as cb, type DryRunResult as cc, type DumpSchemaOptions as cd, ELEVATION_AUDIT_COLLECTION as ce, ElevatedHandle as cf, type EnrollAuthenticatorOptions as cg, type EnrollAuthenticatorWrappingDEKsOptions as ch, type EnrollAuthenticatorWrappingKEKOptions as ci, type EnrollRecoveryResult as cj, type ExportCapability as ck, type ExportChunk as cl, type ExportFormat as cm, type ExportStreamOptions as cn, type FactorKind as co, type FactorProofBundle as cp, type FactorRequirement as cq, type FenceDoc as cr, type FenceState as cs, type FieldChange as ct, type FieldDescriptor as cu, type FieldSource as cv, type GhostRecord as cw, type GrantOptions as cx, type GuardViolation as cy, type HistoryConfig as cz, type DictionaryOptions as d, type StoreAuthKind as d$, NOYDB_FORMAT_VERSION as d0, NOYDB_KEYRING_VERSION as d1, NOYDB_SYNC_VERSION as d2, Noydb as d3, type NoydbEventMap as d4, type NoydbOptions as d5, type OverlayViewDescriptor as d6, PUBLIC_ENVELOPE_FIELDS as d7, type PaperRecoveryDoc as d8, type PaperRecoveryEntry as d9, type QuickUnlockState as dA, QuickUnlockStore as dB, type ReAuthOperation as dC, type RecoverPassphraseInput as dD, type RecoverPassphraseResult as dE, type RecoverUserOptions as dF, type RecoveryProof as dG, type ResolvedPublicEnvelopeSchema as dH, type RevokeOptions as dI, type RotatePassphraseInput as dJ, type RotateRecoveryOptions as dK, type RotateRecoveryResult as dL, SEALED_PASSPHRASE_RECORD_ID as dM, type SchemaDelta as dN, type SchemaIntrospection as dO, type SealedEnvelope as dP, type SealedPassphrase as dQ, type SessionPolicy as dR, type SetPublicEnvelopeInput as dS, type ShamirRecoveryDoc as dT, type ShamirRecoveryEntry as dU, type SlotRewrapCeremony as dV, type SlotRewrapContext as dW, type StandardSchemaV1 as dX, type StandardSchemaV1Issue as dY, type StandardSchemaV1SyncResult as dZ, type StoreAuth as d_, type PassphrasePolicy as da, type PassphraseValidationResult as db, type Permission as dc, type Permissions as dd, type PersistedSchemaKind as de, type PlaintextTranslatorContext as df, type PlaintextTranslatorFn as dg, PresenceHandle as dh, type PresencePeer as di, type PublicEnvelopeField as dj, type PublicEnvelopeSchema as dk, type PublicEnvelopeText as dl, type PullMode as dm, type PullOptions as dn, type PullPolicy as dp, type PullResult as dq, type PushMode as dr, type PushOptions as ds, type PushPolicy as dt, type PushResult as du, type PutManyItemOptions as dv, type PutManyOptions as dw, type PutManyResult as dx, type QueryAcrossOptions as dy, type QueryAcrossResult as dz, type I18nMap as e, listUsersWithEnvelopes as e$, type StoreCapabilities as e0, SyncEngine as e1, type SyncMetadata as e2, type SyncPolicy as e3, SyncScheduler as e4, type SyncSchedulerStatus as e5, type SyncStatus as e6, type SyncTarget as e7, type SyncTargetRole as e8, SyncTransaction as e9, type WeakPassphraseReason as eA, type WrappedDeksBlob as eB, type WriteConflict as eC, type WriteEvent as eD, type WriteHook as eE, type WriteQueue as eF, assertStrongPassphrase as eG, buildRecipientKeyringFile as eH, burnPaperRecoveryEntry as eI, createNoydb as eJ, createStore as eK, deriveMagicLinkContentKey as eL, enrollAuthenticator as eM, estimateEntropy as eN, evaluateExportCapability as eO, evaluateImportCapability as eP, findAuthenticator as eQ, hasExportCapability as eR, hasImportCapability as eS, hasRecoveryEnrolled as eT, isMagicLinkGrantExpired as eU, isPublicEnvelope as eV, issueDelegation as eW, recoverPassphrase as eX, rotatePassphrase as eY, listMagicLinkGrants as eZ, listUsers as e_, type SyncTransactionResult as ea, type TabChannel as eb, type TabCoordinationOptions as ec, type TabLockManager as ed, type TabPresence as ee, type TabRole as ef, type TierMode as eg, type TranslatorAuditEntry as eh, type TxOp as ei, USER_ENVELOPE_COLLECTION as ej, USER_ENVELOPE_MAX_BYTES as ek, type Unsubscribe as el, type UpdateAuthenticatorOptions as em, type UpdateContext as en, type UpdateUserOptions as eo, UserApi as ep, type UserEnvelopeCheckGate as eq, UserEnvelopeOversizedError as er, type UserEnvelopePresented as es, type UserInfo as et, type VaultBackup as eu, type VaultPolicyOnDisk as ev, type VaultSchemaSnapshot as ew, type VaultSnapshot as ex, type WarningRules as ey, WeakPassphraseError as ez, type I18nTextDescriptor as f, loadActiveDelegations as f0, loadPaperRecoveryEntries as f1, loadSealedPassphrase as f2, loadShamirRecoveryEntries as f3, magicLinkGrantRecordId as f4, mintPaperRecoveryEntry as f5, mintShamirRecoveryEntry as f6, mintWrappedDeksBlob as f7, parseSealedEnvelope as f8, readMagicLinkGrantRecord as f9, recoverUser as fa, removeAuthenticator as fb, resolveSchema as fc, revokeDelegation as fd, revokeMagicLinkGrant as fe, savePaperRecoveryEntries as ff, saveSealedPassphrase as fg, saveShamirRecoveryEntries as fh, unwrapDeksFromBlob as fi, unwrapDeksFromPaperEntry as fj, unwrapDeksFromShamirEntry as fk, unwrapMagicLinkGrant as fl, validatePassphrase as fm, validatePublicEnvelopeInput as fn, validateSchemaInput as fo, validateSchemaOutput as fp, writeMagicLinkGrant as fq, changeSecret as fr, createOwnerKeyring as fs, ensureCollectionDEK as ft, grant as fu, loadKeyring as fv, persistKeyring as fw, revoke as fx, updateAuthenticator as fy, updateKeyringIdentity as fz, type I18nTextOptions as g, type OnMissingPolicy as h, applyI18nLocale as i, dictCollectionName as j, dictKey as k, enforceScript as l, getAtPath as m, i18nText as n, inferScripts as o, isDictCollectionName as p, isDictKeyDescriptor as q, isI18nTextDescriptor as r, resolveI18nText as s, resolvePolicy as t, setAtPathInPlace as u, validateI18nTextValue as v, type SessionStrategy as w, createEnforcer as x, validateSessionPolicy as y, BLOB_CHUNKS_COLLECTION as z };