@noy-db/hub 0.2.0-pre.15 → 0.2.0-pre.17

package/dist/{chunk-7EFFHEN5.js → chunk-D77ZQSQQ.js}

@@ -7,37 +7,68 @@ import {
 import {
   TxContext,
   revertExecuted
-} from "./chunk-YHPM5D7Y.js";
+} from "./chunk-ZNGPEV5J.js";
 import {
   OverlayedCollection
-} from "./chunk-OHVFWCJP.js";
+} from "./chunk-XMHUK5PN.js";
+import {
+  NO_AGGREGATE,
+  Query,
+  ScanBuilder,
+  canonicalizeIncomingMoney,
+  canonicalizeStoredMoney,
+  decodeMoneyFields,
+  quantizeMoneyFields,
+  validateMoneyFieldPaths
+} from "./chunk-HGVSHKZW.js";
+import {
+  EXPORT_AUDIT_COLLECTION,
+  createExportBlobsHandle,
+  runCompaction
+} from "./chunk-KCEHMDZF.js";
 import {
   LazyQuery,
   decodeIdxId,
   encodeIdxId
-} from "./chunk-CZI2A4MQ.js";
+} from "./chunk-NYSYPFXJ.js";
+import {
+  canonicalGroupKey
+} from "./chunk-7H2GEJ3O.js";
+import {
+  readPath
+} from "./chunk-J7RWBXFY.js";
 import {
   SCHEMAS_COLLECTION,
   loadPersistedSchema,
   resolveManagedSecret,
   savePersistedSchema,
   saveSealedPassphrase
-} from "./chunk-WGHU7BLI.js";
+} from "./chunk-AEIKD3PP.js";
 import {
   loadPublicEnvelope,
   readPublicEnvelope,
   savePublicEnvelope,
   validatePublicEnvelopeInput
-} from "./chunk-DKO2QFSA.js";
+} from "./chunk-YYVZYTWW.js";
+import {
+  buildTombstone,
+  isTombstone,
+  resolveStableCek,
+  revokeSealedRecord,
+  rewrapBodyToDek,
+  rotateRecordCek,
+  sealRecordToHost
+} from "./chunk-U5QCMH3W.js";
 import {
   PERIODS_COLLECTION
-} from "./chunk-KI6HAJWL.js";
+} from "./chunk-BH3X5L6A.js";
 import {
   getAtPath,
   isDictCollectionName,
+  isStaticDictDescriptor,
   resolvePolicy,
   setAtPathInPlace
-} from "./chunk-7HT2MEZ5.js";
+} from "./chunk-ROPJVUG3.js";
 import {
   ManagedRecoveryNotEnrolledError,
   PolicyDeniedError,
@@ -59,11 +90,11 @@ import {
   saveShamirRecoveryEntries,
   updateAuthenticator,
   writeMagicLinkGrant
-} from "./chunk-COFPAMX6.js";
+} from "./chunk-QHM6XEAH.js";
 import {
   assertTierAccess,
   dekKey
-} from "./chunk-4TBBMHVC.js";
+} from "./chunk-5LIROIDM.js";
 import {
   USER_ENVELOPE_COLLECTION,
   assertKeyringOpenAllowed,
@@ -88,7 +119,7 @@ import {
   rotateKeys,
   saveUserEnvelope,
   updateKeyringIdentity
-} from "./chunk-A5ZOOZFB.js";
+} from "./chunk-BSZOCSDZ.js";
 import {
   INDEXED_STORE_POLICY
 } from "./chunk-2QR2PQTT.js";
@@ -98,41 +129,31 @@ import {
 import {
   LEDGER_COLLECTION,
   LEDGER_DELTAS_COLLECTION
-} from "./chunk-56DJ7JVK.js";
+} from "./chunk-DWEBTE2W.js";
 import {
   sha256Hex as sha256Hex2
-} from "./chunk-Z6FNBOTC.js";
-import {
-  NO_AGGREGATE,
-  Query,
-  ScanBuilder,
-  canonicalizeIncomingMoney,
-  canonicalizeStoredMoney,
-  decodeMoneyFields,
-  quantizeMoneyFields,
-  validateMoneyFieldPaths
-} from "./chunk-EYVQHAGH.js";
-import {
-  canonicalGroupKey
-} from "./chunk-3EWXMOK3.js";
-import {
-  readPath
-} from "./chunk-CJORTUJ2.js";
+} from "./chunk-PDVP3C2I.js";
 import {
-  EXPORT_AUDIT_COLLECTION,
-  createExportBlobsHandle,
-  runCompaction
-} from "./chunk-6AJBSQU4.js";
+  NO_FORGET,
+  addSubjectRef,
+  coerceSubjectId,
+  lookupSubject,
+  readDottedPath,
+  rebuildSubjectIndex,
+  removeSubjectRef
+} from "./chunk-I5IUYN7B.js";
 import {
   NOYDB_BACKUP_VERSION,
   NOYDB_FORMAT_VERSION
-} from "./chunk-GC4V7RU7.js";
+} from "./chunk-SISBMAPO.js";
 import {
   decrypt,
   encrypt,
   encryptDeterministic,
-  sha256Hex
-} from "./chunk-YULZKK4F.js";
+  sha256Hex,
+  unwrapCek,
+  wrapCek
+} from "./chunk-UNTGHX5A.js";
 import {
   AlreadyElevatedError,
   AttestationError,
@@ -141,6 +162,7 @@ import {
   ConflictError,
   ElevationExpiredError,
   ExportCapabilityError,
+  ForgetStrategyNotConfiguredError,
   ImportCapabilityError,
   IndexWriteFailureError,
   InvalidKeyError,
@@ -159,15 +181,17 @@ import {
   SchemaValidationError,
   SequenceContentionError,
   SequenceOfflineError,
+  StaticDictReadonlyError,
   StoreCapabilityError,
   TierDemoteDeniedError,
   TierNotGrantedError,
   TranslatorNotConfiguredError,
   UniqueConstraintError,
+  UnknownDictCodeError,
   UnsupportedIndexOptionError,
   ValidationError,
   VaultTemplateNotFoundError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/policy/storage.ts
 var META_COLLECTION = "_meta";
@@ -450,6 +474,9 @@ var NO_HISTORY = {
   async clearHistory() {
     return 0;
   },
+  async tombstoneHistory() {
+    return 0;
+  },
   async envelopePayloadHash() {
     return "";
   },
@@ -810,7 +837,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
     }
     const sourceWithId = { ...source, id };
     if (DerivationExecutor === null) {
-      ({ DerivationExecutor } = await import("./executor-6ZDSDZ6V.js"));
+      ({ DerivationExecutor } = await import("./executor-CFFWPWBJ.js"));
     }
     const ctx = { vault: accessor.getReadOnlyFacade() };
     const result = await DerivationExecutor.run(spec, sourceWithId, 0, strategyHash, ctx);
@@ -1035,6 +1062,25 @@ var Collection = class {
    * is inactive for this collection; a frozen `Set` otherwise.
    */
   deterministicFields;
+  /**
+   * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+   * reuse a per-record content-encryption key and stamp `_cek` on the
+   * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+   * non-adopting collection takes the byte-identical legacy path. The READ
+   * path does not consult this flag: `_cek` presence on the envelope is the
+   * format discriminant, so a mixed vault (and a recipient that never set the
+   * flag) still decrypts CEK records.
+   */
+  perRecordCek;
+  /**
+   * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+   * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+   * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+   * collection instance is discarded — `vault.load()` clears the
+   * collectionCache, so a keyring refresh drops every CEK alongside the
+   * DEK cache. `null` unless `perRecordCek` is set.
+   */
+  cekCache;
   /**
    * declared tiers for this collection. `null` when
    * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -1181,19 +1227,24 @@ var Collection = class {
     } else {
       this.deterministicFields = null;
     }
+    this.perRecordCek = opts.perRecordKeys === true;
+    this.cekCache = this.perRecordCek ? new Lru({ maxRecords: 4096 }) : null;
     if (opts.crdt && opts.onRegisterConflictResolver) {
       const crdtMode = opts.crdt;
-      const crdtResolver = async (_id, local, remote) => {
+      const crdtResolver = async (id, local, remote) => {
         if (crdtMode === "yjs") {
           return local._v >= remote._v ? local : remote;
         }
-        const localJson = await this.decryptJsonString(local);
-        const remoteJson = await this.decryptJsonString(remote);
+        const localJson = await this.decryptJsonString(local, id);
+        const remoteJson = await this.decryptJsonString(remote, id);
+        if (localJson === null) return local;
+        if (remoteJson === null) return remote;
         const localState = JSON.parse(localJson);
         const remoteState = JSON.parse(remoteJson);
         const merged = this.crdtStrategy.mergeCrdtStates(localState, remoteState);
         const mergedVersion = Math.max(local._v, remote._v) + 1;
-        return this.encryptJsonString(JSON.stringify(merged), mergedVersion);
+        const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+        return this.encryptJsonString(JSON.stringify(merged), mergedVersion, cek);
       };
       opts.onRegisterConflictResolver(this.name, crdtResolver);
     }
@@ -1233,12 +1284,15 @@ var Collection = class {
         });
       } else {
         const mergeFn = policy;
-        resolver = async (_id, local, remote) => {
-          const localRecord = await this.decryptRecord(local, { skipValidation: true });
-          const remoteRecord = await this.decryptRecord(remote, { skipValidation: true });
+        resolver = async (id, local, remote) => {
+          const localRecord = await this.decryptRecord(local, { skipValidation: true, id });
+          const remoteRecord = await this.decryptRecord(remote, { skipValidation: true, id });
+          if (localRecord === null) return local;
+          if (remoteRecord === null) return remote;
           const merged = mergeFn(localRecord, remoteRecord);
           const mergedVersion = Math.max(local._v, remote._v) + 1;
-          return this.encryptRecord(merged, mergedVersion);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          return this.encryptRecord(merged, mergedVersion, cek);
         };
       }
       opts.onRegisterConflictResolver(collectionName, resolver);
@@ -1319,7 +1373,7 @@ var Collection = class {
       }
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-JH67FU57.js");
+      const { resolveStaleMVOnRead } = await import("./stale-TOA36SRK.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     let record;
@@ -1330,7 +1384,9 @@ var Collection = class {
       } else {
         const envelope = await this.adapter.get(this.vault, this.name, id);
         if (!envelope) return null;
-        record = await this.decryptRecord(envelope);
+        if (isTombstone(envelope, this.encrypted)) return null;
+        record = await this.decryptRecord(envelope, { id });
+        if (record === null) return null;
         this.lru.set(id, { record, version: envelope._v }, estimateRecordBytes(record));
       }
     } else {
@@ -1357,6 +1413,7 @@ var Collection = class {
     const envelope = await this.adapter.get(this.vault, this.name, id);
     if (!envelope) return null;
     const json = await this.decryptJsonString(envelope);
+    if (json === null) return null;
     return JSON.parse(json);
   }
   /**
@@ -1445,7 +1502,7 @@ var Collection = class {
       if (cached2) return { record: cached2.record, version: cached2.version };
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env) return { record: null, version: 0 };
-      return { record: await this.decryptRecord(env, { skipValidation: true }), version: env._v };
+      return { record: await this.decryptRecord(env, { skipValidation: true }) ?? null, version: env._v };
     }
     await this.ensureHydrated();
     const cached = this.cache.get(id);
@@ -1558,9 +1615,11 @@ var Collection = class {
         let existingState;
         if (existingEnvelope) {
           const prevJson = await this.decryptJsonString(existingEnvelope);
-          const prevParsed = JSON.parse(prevJson);
-          if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-            existingState = prevParsed;
+          if (prevJson !== null) {
+            const prevParsed = JSON.parse(prevJson);
+            if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+              existingState = prevParsed;
+            }
           }
         }
         crdtState = this.crdtStrategy.buildLwwMapState(record, existingState, now);
@@ -1568,9 +1627,11 @@ var Collection = class {
         let existingState;
         if (existingEnvelope) {
           const prevJson = await this.decryptJsonString(existingEnvelope);
-          const prevParsed = JSON.parse(prevJson);
-          if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-            existingState = prevParsed;
+          if (prevJson !== null) {
+            const prevParsed = JSON.parse(prevJson);
+            if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+              existingState = prevParsed;
+            }
           }
         }
         const arr = Array.isArray(record) ? record : [record];
@@ -1579,12 +1640,14 @@ var Collection = class {
         crdtState = { _crdt: "yjs", update: record };
       }
       const version2 = existingVersion + 1;
-      const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2);
+      const cek2 = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2, cek2);
       await this.adapter.put(this.vault, this.name, id, envelope2);
       const resolvedRecord = this.crdtStrategy.resolveCrdtSnapshot(crdtState);
-      const existingResolved = existingEnvelope ? { record: await this.decryptRecord(existingEnvelope, { skipValidation: true }), version: existingVersion } : void 0;
+      const existingResolvedRecord = existingEnvelope ? await this.decryptRecord(existingEnvelope, { skipValidation: true }) : null;
+      const existingResolved = existingResolvedRecord !== null ? { record: existingResolvedRecord, version: existingVersion } : void 0;
       if (existingResolved && this.historyConfig.enabled !== false) {
-        const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version);
+        const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version, cek2);
         await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, histEnvelope);
         this.emitter.emit("history:save", { vault: this.vault, collection: this.name, id, version: existingResolved.version });
         if (this.historyConfig.maxVersions) {
@@ -1630,7 +1693,9 @@ var Collection = class {
         const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
         if (previousEnvelope) {
           const previousRecord = await this.decryptRecord(previousEnvelope);
-          existing = { record: previousRecord, version: previousEnvelope._v };
+          if (previousRecord !== null) {
+            existing = { record: previousRecord, version: previousEnvelope._v };
+          }
         }
       }
     } else {
@@ -1639,8 +1704,9 @@ var Collection = class {
     }
     const version = existing ? existing.version + 1 : 1;
     this.uniqueConstraints?.check(id, record);
+    const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
     if (existing && this.historyConfig.enabled !== false) {
-      const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+      const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
       await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
       this.emitter.emit("history:save", {
         vault: this.vault,
@@ -1654,7 +1720,7 @@ var Collection = class {
         });
       }
     }
-    const envelope = await this.encryptRecord(record, version);
+    const envelope = await this.encryptRecord(record, version, cek);
     await this.adapter.put(this.vault, this.name, id, envelope);
     if (this.ledger) {
       const appendInput = {
@@ -1717,7 +1783,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-HSSRXDOB.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-3W63Y44O.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -1726,7 +1792,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-JH67FU57.js");
+          staleHelpers = await import("./stale-TOA36SRK.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -1755,11 +1821,20 @@ var Collection = class {
       const mode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
       if (mode === "eager") {
         if (DerivationExecutor === null) {
-          ({ DerivationExecutor } = await import("./executor-6ZDSDZ6V.js"));
+          ({ DerivationExecutor } = await import("./executor-CFFWPWBJ.js"));
+        }
+        let sourceWithId;
+        let sourceVersion = version;
+        if (spec.source === this.name) {
+          sourceWithId = { ...incoming, id };
+        } else {
+          const primary = await this.derivationSource.getCollection(spec.source).get(id);
+          if (primary === null || primary === void 0) continue;
+          sourceWithId = { ...primary, id };
+          sourceVersion = 0;
         }
-        const sourceWithId = { ...incoming, id };
         const ctx = { vault: this.derivationSource.getReadOnlyFacade() };
-        const result = await DerivationExecutor.run(spec, sourceWithId, version, strategyHash, ctx);
+        const result = await DerivationExecutor.run(spec, sourceWithId, sourceVersion, strategyHash, ctx);
         for (const key of Object.keys(spec.outputs)) {
           const out = result.outputs[key];
           if (!out) continue;
@@ -1774,7 +1849,7 @@ var Collection = class {
           const outputCollection = this.derivationSource.getCollection(outSpec.collection);
           const txCtx = this.derivationSource.getActiveTxContext();
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-N6OJX6QR.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-FIJJ46YG.js");
             const prior = await loadFanoutSidecar(
               this.adapter,
               this.vault,
@@ -1881,11 +1956,14 @@ var Collection = class {
     let count = 0;
     for (const id of ids) {
       const env = await this.adapter.get(this.vault, this.name, id);
-      if (!env) continue;
-      const record = await this.decryptRecord(env, { skipValidation: true });
+      if (!env || isTombstone(env, this.encrypted)) continue;
+      const decoded = await this.decryptRecord(env, { skipValidation: true, id });
+      if (decoded === null) continue;
+      const record = decoded;
       const next = transform(record);
       const nextVersion = (env._v ?? 0) + 1;
-      const newEnv = await this.encryptRecord(next, nextVersion);
+      const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      const newEnv = await this.encryptRecord(next, nextVersion, cek);
       await this.adapter.put(this.vault, this.name, id, newEnv);
       await this._invalidateCacheEntry(id);
       if (this.ledger) {
@@ -1997,14 +2075,17 @@ var Collection = class {
         const previousEnvelope2 = await this.adapter.get(this.vault, this.name, id);
         if (previousEnvelope2) {
           const previousRecord = await this.decryptRecord(previousEnvelope2);
-          existing = { record: previousRecord, version: previousEnvelope2._v };
+          if (previousRecord !== null) {
+            existing = { record: previousRecord, version: previousEnvelope2._v };
+          }
         }
       }
     } else {
       existing = this.cache.get(id);
     }
     if (existing && this.historyConfig.enabled !== false) {
-      const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+      const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
       await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
     }
     const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
@@ -2045,6 +2126,50 @@ var Collection = class {
       await this.dispatchArrayDerivationsOnDelete(id);
     }
   }
+  /**
+   * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+   *
+   * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+   * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+   * the body — and (via {@link tombstoneHistory}) every history version under
+   * the same CEK — is permanently undecryptable; the collection DEK and every
+   * other record are untouched. `_det` is stripped too, so `findByDet` no
+   * longer matches the shredded record (avoiding a post-shred TamperedError).
+   *
+   * Unlike `delete()`/`_internalDelete`, this:
+   *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+   *     erasure, not a domain delete — re-running those would be wrong),
+   *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+   *     single `op:'forget'` summary for the whole subject),
+   *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+   *     so the version counter + "record existed" survive for audit.
+   *
+   * Idempotent: returns `null` when the record is absent or already a tombstone.
+   * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+   * lazy LRU, and the per-record CEK cache for this id.
+   */
+  /**
+   * @internal — decrypt an envelope to a plain record for subject-index
+   * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+   * Skips schema validation — the rebuild only reads the subject field.
+   */
+  async _decodeEnvelope(envelope, id) {
+    try {
+      const rec = await this.decryptRecord(envelope, { skipValidation: true, id });
+      return rec === null ? null : rec;
+    } catch {
+      return null;
+    }
+  }
+  async _writeTombstone(id, actor) {
+    const live = await this.adapter.get(this.vault, this.name, id);
+    if (!live || isTombstone(live, this.encrypted)) return null;
+    await this.adapter.put(this.vault, this.name, id, buildTombstone(live._v, actor));
+    this.cache.delete(id);
+    this.lru?.remove(id);
+    this.cekCache?.remove(id);
+    return { previousVersion: live._v };
+  }
   /**
    * Cascade deletes of array-shape derived rows when a source row is
    * deleted. Reads each registered strategy's fanout sidecar
@@ -2067,7 +2192,7 @@ var Collection = class {
       for (const [outputKey, outSpec] of Object.entries(spec.outputs)) {
         if (outSpec.shape !== "array") continue;
         if (helpers === null) {
-          helpers = await import("./fanout-sidecar-N6OJX6QR.js");
+          helpers = await import("./fanout-sidecar-FIJJ46YG.js");
         }
         const sidecar = await helpers.loadFanoutSidecar(
           this.adapter,
@@ -2107,7 +2232,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-HSSRXDOB.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-3W63Y44O.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -2116,7 +2241,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-JH67FU57.js");
+          staleHelpers = await import("./stale-TOA36SRK.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -2139,7 +2264,7 @@ var Collection = class {
       );
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-JH67FU57.js");
+      const { resolveStaleMVOnRead } = await import("./stale-TOA36SRK.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     await this.ensureHydrated();
@@ -2457,6 +2582,7 @@ var Collection = class {
     const entries = [];
     for (const env of envelopes) {
       const record = await this.decryptRecord(env, { skipValidation: true });
+      if (record === null) continue;
       entries.push({
         version: env._v,
         timestamp: env._ts,
@@ -2593,6 +2719,7 @@ var Collection = class {
       const envelope = await this.adapter.get(this.vault, this.name, id);
       if (envelope) {
         const record = await this.decryptRecord(envelope);
+        if (record === null) continue;
         items.push(record);
         if (!this.lazy && !this.cache.has(id)) {
           this.cache.set(id, { record, version: envelope._v });
@@ -2669,6 +2796,7 @@ var Collection = class {
     const out = [];
     for (const { id, envelope } of items) {
       const record = await this.decryptRecord(envelope);
+      if (record === null) continue;
       out.push({ id, record, version: envelope._v });
     }
     return out;
@@ -2690,6 +2818,18 @@ var Collection = class {
    * the cache entry (record still present) or deletes it (record was
    * gone before the tx and the revert deleted it again).
    */
+  /**
+   * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+   * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+   * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+   * the post-rotation body). Eviction must be synchronous with the live-envelope
+   * rewrite so no concurrent read observes the old CEK. Paired with
+   * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+   * No-op when the collection is not `perRecordKeys`.
+   */
+  _invalidateCekCacheEntry(id) {
+    this.cekCache?.remove(id);
+  }
   async _invalidateCacheEntry(id) {
     if (this.lazy && this.lru) {
       this.lru.remove(id);
@@ -2707,6 +2847,14 @@ var Collection = class {
       return;
     }
     const record = await this.decryptRecord(envelope);
+    if (record === null) {
+      this.cache.delete(id);
+      if (previous) {
+        this.indexes?.remove(id, previous.record);
+        this.uniqueConstraints?.remove(id, previous.record);
+      }
+      return;
+    }
     this.cache.set(id, { record, version: envelope._v });
     this.indexes?.upsert(id, record, previous ? previous.record : null);
     this.uniqueConstraints?.upsert(id, record, previous?.record);
@@ -2731,8 +2879,9 @@ var Collection = class {
     const ids = await this.adapter.list(this.vault, this.name);
     for (const id of ids) {
       const envelope = await this.adapter.get(this.vault, this.name, id);
-      if (envelope) {
-        const record = await this.decryptRecord(envelope);
+      if (envelope && !isTombstone(envelope, this.encrypted)) {
+        const record = await this.decryptRecord(envelope, { id });
+        if (record === null) continue;
         this.cache.set(id, { record, version: envelope._v });
       }
     }
@@ -2743,7 +2892,9 @@ var Collection = class {
   /** Hydrate from a pre-loaded snapshot (used by Vault). */
   async hydrateFromSnapshot(records) {
     for (const [id, envelope] of Object.entries(records)) {
-      const record = await this.decryptRecord(envelope);
+      if (isTombstone(envelope, this.encrypted)) continue;
+      const record = await this.decryptRecord(envelope, { id });
+      if (record === null) continue;
       this.cache.set(id, { record, version: envelope._v });
     }
     this.hydrated = true;
@@ -2831,6 +2982,7 @@ var Collection = class {
       const envelope = await this.adapter.get(this.vault, this.name, recordId);
       if (!envelope) continue;
       const record = await this.decryptRecord(envelope, { skipValidation: true });
+      if (record === null) continue;
       await this.maintainPersistedIndexesOnPut(recordId, record, null, envelope._v);
     }
     this.persistedIndexesLoaded = true;
@@ -2881,8 +3033,13 @@ var Collection = class {
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env) continue;
       try {
-        const body = JSON.parse(await this.decryptJsonString(env));
-        sidecar.set(decoded.recordId, body.value);
+        const sidecarJson = await this.decryptJsonString(env);
+        if (sidecarJson === null) {
+          sidecar.set(decoded.recordId, void 0);
+        } else {
+          const body = JSON.parse(sidecarJson);
+          sidecar.set(decoded.recordId, body.value);
+        }
       } catch {
         sidecar.set(decoded.recordId, void 0);
       }
@@ -2896,6 +3053,7 @@ var Collection = class {
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env) continue;
       const record = await this.decryptRecord(env, { skipValidation: true });
+      if (record === null) continue;
       const live = readPersistedValue(record, field);
       const stored = sidecar.get(id);
       const hasSidecar = sidecarIds.has(id);
@@ -2978,7 +3136,8 @@ var Collection = class {
       recordId: id,
       getDEK: this.getDEK,
       encrypted: this.encrypted,
-      userId: this.keyring.userId
+      userId: this.keyring.userId,
+      erasableBlobs: this.perRecordCek
     });
   }
   /** Get all records as encrypted envelopes (for dump). */
@@ -2986,7 +3145,8 @@ var Collection = class {
     await this.ensureHydrated();
     const result = {};
     for (const [id, entry] of this.cache) {
-      result[id] = await this.encryptRecord(entry.record, entry.version);
+      const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      result[id] = await this.encryptRecord(entry.record, entry.version, cek);
     }
     return result;
   }
@@ -3014,8 +3174,11 @@ var Collection = class {
     if (hasMoney && this.moneyFields) {
       result = decodeMoneyFields(result, this.moneyFields, typeof locale === "string" ? locale : void 0);
     }
-    if (!locale) return result;
-    if (hasI18n && this.i18nFields) {
+    const hasStaticDisplay = hasDict && this.dictKeyFields !== void 0 && Object.values(this.dictKeyFields).some(
+      (d) => isStaticDictDescriptor(d) && d.displayLocale !== void 0
+    );
+    if (!locale && !hasStaticDisplay) return result;
+    if (locale && hasI18n && this.i18nFields) {
       result = this.i18nStrategy.applyI18nLocale(result, this.i18nFields, locale, localeOpts?.fallback);
     }
     if (hasDict && this.dictKeyFields && this.dictLabelResolver && locale !== "raw") {
@@ -3024,13 +3187,23 @@ var Collection = class {
       for (const [field, desc] of Object.entries(this.dictKeyFields)) {
         const policy = desc.onMissing ? resolvePolicy(desc.onMissing, "read") : "null";
         const fallback = policy === "substitute" ? localeOpts?.fallback ?? desc.substitute : localeOpts?.fallback;
+        const effLocale = locale ?? (isStaticDictDescriptor(desc) ? desc.displayLocale : void 0);
         const resolveKey = async (key) => {
-          const label = await resolver(desc.name, key, locale, fallback);
+          if (!effLocale) {
+            if (policy === "throw") {
+              throw new LocaleNotSpecifiedError(
+                field,
+                `dictKey "${field}": no locale active to resolve key "${key}".`
+              );
+            }
+            return null;
+          }
+          const label = await resolver(desc.name, key, effLocale, fallback);
           if (label === void 0) {
             if (policy === "throw") {
               throw new LocaleNotSpecifiedError(
                 field,
-                `dictKey "${field}": no label for key "${key}" in locale "${locale}".`
+                `dictKey "${field}": no label for key "${key}" in locale "${effLocale}".`
               );
             }
             return null;
@@ -3187,6 +3360,7 @@ var Collection = class {
       if (!envelope) continue;
       try {
         const json = await this.decryptJsonString(envelope);
+        if (json === null) continue;
         const body = JSON.parse(json);
         if (typeof body.recordId !== "string") continue;
         const rows = byField.get(decoded.field) ?? [];
@@ -3296,7 +3470,31 @@ var Collection = class {
     };
     return new LazyQuery(source);
   }
-  async encryptJsonString(json, version) {
+  /**
+   * Resolve the stable CEK for a record on the WRITE path — see
+   * {@link resolveStableCek}. Thin delegate that supplies the collection's
+   * CEK cache, live-envelope reader, and DEK resolver.
+   */
+  resolveRecordCek(id) {
+    return resolveStableCek(
+      {
+        cache: this.cekCache,
+        getLive: (rid) => this.adapter.get(this.vault, this.name, rid),
+        getDEK: () => this.getDEK(this.name)
+      },
+      id
+    );
+  }
+  /**
+   * Encrypt a JSON body into an envelope.
+   *
+   * When `cek` is supplied (per-record CEK collections), the body is
+   * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+   * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+   * path encrypts the body directly under the collection DEK — byte-identical
+   * to pre-CEK behaviour, so non-adopting collections pay nothing.
+   */
+  async encryptJsonString(json, version, cek) {
     const by = this.keyring.userId;
     if (!this.encrypted) {
       return {
@@ -3309,6 +3507,19 @@ var Collection = class {
       };
     }
     const dek = await this.getDEK(this.name);
+    if (cek !== void 0) {
+      const { iv: iv2, data: data2 } = await encrypt(json, cek);
+      const wrapped = await wrapCek(cek, dek);
+      return {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: version,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv2,
+        _data: data2,
+        _by: by,
+        _cek: wrapped
+      };
+    }
     const { iv, data } = await encrypt(json, dek);
     return {
       _noydb: NOYDB_FORMAT_VERSION,
@@ -3319,8 +3530,8 @@ var Collection = class {
       _by: by
     };
   }
-  async encryptRecord(record, version) {
-    const base = await this.encryptJsonString(JSON.stringify(record), version);
+  async encryptRecord(record, version, cek) {
+    const base = await this.encryptJsonString(JSON.stringify(record), version, cek);
     if (!this.deterministicFields || !this.encrypted) return base;
     const dek = await this.getDEK(this.name);
     const rec = record;
@@ -3398,7 +3609,8 @@ var Collection = class {
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env || !env._det) continue;
       if (env._det[field] === target) {
-        matches.push(await this.decryptRecord(env));
+        const rec = await this.decryptRecord(env);
+        if (rec !== null) matches.push(rec);
       }
     }
     return matches;
@@ -3499,7 +3711,14 @@ var Collection = class {
       return null;
     }
     const dek = await this.getDEK(key);
-    const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+    let plaintext;
+    if (envelope._cek !== void 0) {
+      const cek = await unwrapCek(envelope._cek, dek);
+      this.cekCache?.set(id, cek, 1);
+      plaintext = await decrypt(envelope._iv, envelope._data, cek);
+    } else {
+      plaintext = await decrypt(envelope._iv, envelope._data, dek);
+    }
     const record = JSON.parse(plaintext);
     this.emitCrossTierEvent({
       actor: this.keyring.userId,
@@ -3555,18 +3774,19 @@ var Collection = class {
     const toKey = dekKey(this.name, toTier);
     const fromDek = await this.getDEK(fromKey);
     const toDek = await this.getDEK(toKey);
-    const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-    const { iv, data } = await encrypt(plaintext, toDek);
     const now = (/* @__PURE__ */ new Date()).toISOString();
+    const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+    if (body.cek) this.cekCache?.set(id, body.cek, 1);
     const next = {
       _noydb: NOYDB_FORMAT_VERSION,
       _v: envelope._v + 1,
       _ts: now,
-      _iv: iv,
-      _data: data,
+      _iv: body._iv,
+      _data: body._data,
       _by: this.keyring.userId,
       _tier: toTier,
-      _elevatedBy: this.keyring.userId
+      _elevatedBy: this.keyring.userId,
+      ...body._cek !== void 0 ? { _cek: body._cek } : {}
     };
     await this.adapter.put(this.vault, this.name, id, next);
     this.emitCrossTierEvent({
@@ -3602,17 +3822,18 @@ var Collection = class {
     if (toTier > 0) this.assertDeclaredTier(toTier);
     const fromDek = await this.getDEK(dekKey(this.name, fromTier));
     const toDek = await this.getDEK(dekKey(this.name, toTier));
-    const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-    const { iv, data } = await encrypt(plaintext, toDek);
     const now = (/* @__PURE__ */ new Date()).toISOString();
+    const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+    if (body.cek) this.cekCache?.set(id, body.cek, 1);
     const next = {
       _noydb: NOYDB_FORMAT_VERSION,
       _v: envelope._v + 1,
       _ts: now,
-      _iv: iv,
-      _data: data,
+      _iv: body._iv,
+      _data: body._data,
       _by: this.keyring.userId,
-      ...toTier > 0 && { _tier: toTier }
+      ...toTier > 0 && { _tier: toTier },
+      ...body._cek !== void 0 ? { _cek: body._cek } : {}
     };
     await this.adapter.put(this.vault, this.name, id, next);
     this.emitCrossTierEvent({
@@ -3634,10 +3855,30 @@ var Collection = class {
     } catch {
     }
   }
-  /** Low-level: decrypt an envelope and return the raw JSON string. */
-  async decryptJsonString(envelope) {
+  /**
+   * Low-level: decrypt an envelope and return the raw JSON string.
+   *
+   * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+   * so a mixed vault — and a recipient that never opted into
+   * `perRecordKeys` — decrypts both legacy and CEK records:
+   *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+   *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+   *  - `_cek` absent → legacy path, body decrypts directly under the
+   *    collection DEK.
+   *
+   * The optional `id` lets reads populate the CEK cache; it is omitted by
+   * callers (history, conflict merge) that have only the envelope.
+   */
+  async decryptJsonString(envelope, id) {
+    if (isTombstone(envelope, this.encrypted)) return null;
     if (!this.encrypted) return envelope._data;
     const dek = await this.getDEK(this.name);
+    if (envelope._cek !== void 0) {
+      const cached = id !== void 0 ? this.cekCache?.get(id) : void 0;
+      const cek = cached ?? await unwrapCek(envelope._cek, dek);
+      if (cached === void 0 && id !== void 0) this.cekCache?.set(id, cek, 1);
+      return decrypt(envelope._iv, envelope._data, cek);
+    }
     return decrypt(envelope._iv, envelope._data, dek);
   }
   /**
@@ -3656,7 +3897,8 @@ var Collection = class {
    * false positive. Every non-history read leaves this flag `false`.
    */
   async decryptRecord(envelope, opts = {}) {
-    const json = await this.decryptJsonString(envelope);
+    const json = await this.decryptJsonString(envelope, opts.id);
+    if (json === null) return null;
     let parsed = JSON.parse(json);
     if (this.crdtMode && parsed !== null && typeof parsed === "object" && "_crdt" in parsed) {
       parsed = this.crdtStrategy.resolveCrdtSnapshot(parsed);
@@ -3784,6 +4026,21 @@ function withArchive(opts) {
 // src/sequence/index.ts
 var SEQUENCE_COLLECTION = "_sequences";
 var MAX_NEXT_ATTEMPTS = 16;
+function resolveSequenceKey(series, opts) {
+  const partition = opts?.partition;
+  if (!partition || partition.length === 0) return series;
+  const parts = partition.map((p) => {
+    if (typeof p === "number" && !Number.isFinite(p)) {
+      throw new ValidationError(`sequence partition component must be a finite number, got ${p}`);
+    }
+    const s = String(p);
+    if (s === "") {
+      throw new ValidationError("sequence partition component must not be empty");
+    }
+    return encodeURIComponent(s);
+  });
+  return `${series}\0${parts.join("/")}`;
+}
 async function sleepBackoff(attempt) {
   const ceil = Math.min(2 ** attempt, 32);
   const ms = Math.floor(Math.random() * ceil);
@@ -3814,7 +4071,8 @@ var SequenceStore = class {
   handle(name) {
     return {
       next: () => this.next(name),
-      peek: () => this.peek(name)
+      peek: () => this.peek(name),
+      seedTo: (n) => this.seedTo(name, n)
     };
   }
   assertOnline() {
@@ -3867,6 +4125,30 @@ var SequenceStore = class {
     void lastConflict;
     throw new SequenceContentionError(name, MAX_NEXT_ATTEMPTS);
   }
+  async seedTo(name, n) {
+    this.assertOnline();
+    if (n <= 0) return;
+    let lastConflict;
+    for (let attempt = 0; attempt < MAX_NEXT_ATTEMPTS; attempt++) {
+      const { env, value } = await this.read(name);
+      if (value >= n) return;
+      const expectedVersion = env?._v ?? 0;
+      const envelope = await this.encryptState({ value: n }, expectedVersion + 1);
+      try {
+        await this.adapter.put(this.vault, SEQUENCE_COLLECTION, name, envelope, expectedVersion);
+        return;
+      } catch (err) {
+        if (err instanceof ConflictError) {
+          lastConflict = err;
+          if (attempt < MAX_NEXT_ATTEMPTS - 1) await sleepBackoff(attempt);
+          continue;
+        }
+        throw err;
+      }
+    }
+    void lastConflict;
+    throw new SequenceContentionError(name, MAX_NEXT_ATTEMPTS);
+  }
 };
 
 // src/numbering/index.ts
@@ -5100,6 +5382,19 @@ function summariseAggregateOp(value) {
 }
 
 // src/vault.ts
+function resolveLabelFromMap(labels, locale, fallback) {
+  if (labels[locale] !== void 0) return labels[locale];
+  const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
+  for (const fb of chain) {
+    if (fb === "any") {
+      const any = Object.values(labels)[0];
+      if (any !== void 0) return any;
+    } else if (labels[fb] !== void 0) {
+      return labels[fb];
+    }
+  }
+  return void 0;
+}
 var Vault = class {
   adapter;
   /** The vault's name as passed to `openVault()`. Stable for the instance lifetime. */
@@ -5143,6 +5438,7 @@ var Vault = class {
   periodsStrategy;
   shadowStrategy;
   historyStrategy;
+  forgetStrategy;
   i18nStrategy;
   syncStrategy;
   /**
@@ -5309,6 +5605,27 @@ var Vault = class {
    * Populated by `collection()` when the `dictKeyFields` option is passed.
    */
   dictKeyFieldRegistry = /* @__PURE__ */ new Map();
+  /**
+   * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+   * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+   * vault must still *know* a name is static so `vault.dictionary(name)` can
+   * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+   * config time whenever a `StaticDictDescriptor` is seen.
+   */
+  staticDictNames = /* @__PURE__ */ new Set();
+  /**
+   * Static-dict descriptors keyed by dictionary name (#291). Backs the
+   * read-path label resolver (resolve from the in-memory table) and the
+   * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+   * name is registered by multiple collections (identical-across-vaults by
+   * construction, so the tables match).
+   */
+  staticByName = /* @__PURE__ */ new Map();
+  /**
+   * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+   * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+   */
+  staticDescriptorByField = /* @__PURE__ */ new Map();
   /**
    * Registry of i18nText fields declared across all collections. Keyed
    * by collection name → field name → I18nTextDescriptor. Used by
@@ -5355,6 +5672,7 @@ var Vault = class {
     this.periodsStrategy = opts.periodsStrategy ?? NO_PERIODS;
     this.shadowStrategy = opts.shadowStrategy ?? NO_SHADOW;
     this.historyStrategy = opts.historyStrategy ?? NO_HISTORY;
+    this.forgetStrategy = opts.forgetStrategy ?? NO_FORGET;
     this.i18nStrategy = opts.i18nStrategy ?? NO_I18N;
     this.syncStrategy = opts.syncStrategy ?? NO_SYNC;
     void opts.guardStrategies;
@@ -5459,10 +5777,22 @@ var Vault = class {
       }
       if (options?.dictKeyFields) {
         const dictFieldMap = {};
+        const staticFieldMap = {};
         for (const [field, desc] of Object.entries(options.dictKeyFields)) {
-          dictFieldMap[field] = desc.name;
+          if (isStaticDictDescriptor(desc)) {
+            staticFieldMap[field] = desc;
+            this.staticDictNames.add(desc.name);
+            this.staticByName.set(desc.name, desc);
+          } else {
+            dictFieldMap[field] = desc.name;
+          }
+        }
+        if (Object.keys(dictFieldMap).length > 0) {
+          this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
+        }
+        if (Object.keys(staticFieldMap).length > 0) {
+          this.staticDescriptorByField.set(collectionName, staticFieldMap);
         }
-        this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
       }
       if ((options?.schemaUpdate?.length ?? 0) > 0) {
         this.#schemaUpdateNames.set(collectionName, (options.schemaUpdate ?? []).map((s) => s.name));
@@ -5564,6 +5894,17 @@ var Vault = class {
       if (options?.acknowledgeDeterministicRisk !== void 0) {
         collOpts.acknowledgeDeterministicRisk = options.acknowledgeDeterministicRisk;
       }
+      if (options?.perRecordKeys !== void 0) {
+        collOpts.perRecordKeys = options.perRecordKeys;
+      }
+      if (this.forgetStrategy.subjects[collectionName] !== void 0) {
+        if (options?.perRecordKeys === false) {
+          console.warn(
+            `[noy-db] Collection "${collectionName}" is declared in withForgetCascade but opened with perRecordKeys: false. Forcing perRecordKeys: true \u2014 GDPR crypto-shred requires per-record CEKs.`
+          );
+        }
+        collOpts.perRecordKeys = true;
+      }
       if (options?.tiers !== void 0) collOpts.tiers = options.tiers;
       if (options?.tierMode !== void 0) collOpts.tierMode = options.tierMode;
       collOpts.onCrossTierAccess = (event) => this.emitCrossTier(event);
@@ -5573,6 +5914,11 @@ var Vault = class {
       if (options?.computed !== void 0) collOpts.computed = options.computed;
       if (options?.dictKeyFields !== void 0) {
         collOpts.dictLabelResolver = async (dictName, key, locale, fallback) => {
+          const stat = this.staticByName.get(dictName);
+          if (stat) {
+            const labels = stat.table[key];
+            return labels ? resolveLabelFromMap(labels, locale, fallback) : void 0;
+          }
           const handle = this.dictionary(dictName);
           return handle.resolveLabel(key, locale, fallback);
         };
@@ -5581,6 +5927,7 @@ var Vault = class {
       if (options?.i18nFields !== void 0 || options?.dictKeyFields !== void 0) {
         collOpts.i18nPutValidator = (record) => {
           this.enforceI18nOnPut(collectionName, record);
+          this.enforceStaticDictOnPut(collectionName, record);
         };
       }
       if (options?.i18nFields !== void 0 && this.translateText) {
@@ -5720,6 +6067,34 @@ var Vault = class {
       }
     }
   }
+  /**
+   * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+   * field, every stored code must be a declared key of the descriptor's
+   * table, else `UnknownDictCodeError`. Opt out per descriptor with
+   * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+   * field paths via `getAtPath` (same path support as i18n validation).
+   */
+  enforceStaticDictOnPut(collectionName, record) {
+    const staticFields = this.staticDescriptorByField.get(collectionName);
+    if (!staticFields || Object.keys(staticFields).length === 0) return;
+    if (!record || typeof record !== "object") return;
+    const obj = record;
+    for (const [field, desc] of Object.entries(staticFields)) {
+      if (desc.validateCodes === false) continue;
+      const known = new Set(desc.keys);
+      const values = getAtPath(obj, field);
+      for (const value of values) {
+        if (value === void 0 || value === null) continue;
+        const codes = Array.isArray(value) ? value : [value];
+        for (const code of codes) {
+          if (typeof code !== "string") continue;
+          if (!known.has(code)) {
+            throw new UnknownDictCodeError(desc.name, field, code);
+          }
+        }
+      }
+    }
+  }
   /**
    * Apply locale resolution to a record for the given collection.
    *
@@ -5728,14 +6103,18 @@ var Vault = class {
    */
   async applyLocale(collectionName, record, localeOpts) {
     const locale = localeOpts.locale ?? this.locale;
-    if (!locale) return record;
+    const staticFields = this.staticDescriptorByField.get(collectionName);
+    const hasStaticDisplay = staticFields !== void 0 && Object.values(staticFields).some((d) => d.displayLocale !== void 0);
+    if (!locale && !hasStaticDisplay) return record;
     let result = record;
-    const i18nFields = this.i18nFieldRegistry.get(collectionName);
-    if (i18nFields && Object.keys(i18nFields).length > 0) {
-      result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+    if (locale) {
+      const i18nFields = this.i18nFieldRegistry.get(collectionName);
+      if (i18nFields && Object.keys(i18nFields).length > 0) {
+        result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+      }
     }
     const dictFields = this.dictKeyFieldRegistry.get(collectionName);
-    if (dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
+    if (locale && dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
       const withLabels = { ...result };
       for (const [field, dictName] of Object.entries(dictFields)) {
         const key = result[field];
@@ -5748,6 +6127,22 @@ var Vault = class {
       }
       result = withLabels;
     }
+    if (staticFields && Object.keys(staticFields).length > 0 && locale !== "raw") {
+      const withLabels = { ...result };
+      for (const [field, desc] of Object.entries(staticFields)) {
+        const effLocale = locale ?? desc.displayLocale;
+        if (!effLocale) continue;
+        const key = result[field];
+        if (typeof key !== "string") continue;
+        const labels = desc.table[key];
+        if (!labels) continue;
+        const label = resolveLabelFromMap(labels, effLocale, localeOpts.fallback ?? desc.substitute);
+        if (label !== void 0) {
+          withLabels[`${field}Label`] = label;
+        }
+      }
+      result = withLabels;
+    }
     return result;
   }
   /**
@@ -5769,6 +6164,9 @@ var Vault = class {
    * ```
    */
   dictionary(name, options = {}) {
+    if (this.staticDictNames.has(name)) {
+      throw new StaticDictReadonlyError(name);
+    }
     let handle = this.dictionaryCache.get(name);
     if (!handle) {
       handle = this.i18nStrategy.buildDictionaryHandle({
@@ -5838,6 +6236,26 @@ var Vault = class {
    * Returns `null` when `field` is not a dictKey in `leftCollection`.
    */
   resolveDictSource(leftCollection, field) {
+    const staticFields = this.staticDescriptorByField.get(leftCollection);
+    if (staticFields && field in staticFields) {
+      const desc = staticFields[field];
+      const rows = Object.entries(desc.table).map(
+        ([key, labels]) => ({ key, labels, ...labels })
+      );
+      const source = {
+        snapshot() {
+          return rows;
+        },
+        lookupById(id) {
+          return rows.find((e) => e["key"] === id);
+        }
+      };
+      if (desc.displayLocale !== void 0) {
+        ;
+        source.displayLocale = desc.displayLocale;
+      }
+      return source;
+    }
     const dictFields = this.dictKeyFieldRegistry.get(leftCollection);
     if (!dictFields || !(field in dictFields)) return null;
     const dictName = dictFields[field];
@@ -6005,17 +6423,23 @@ var Vault = class {
    * const cur = await vault.sequence('invoice-2026').peek()  // current value, no allocation
    * ```
    */
-  sequence(name) {
-    if (this.numberingConfigs.has(name)) {
+  sequence(series, opts) {
+    if (series.includes("\0")) {
+      throw new ValidationError(`sequence("${series}"): series name must not contain a null byte (\\x00).`);
+    }
+    if (this.numberingConfigs.has(series)) {
       const eng = this.deferred();
       return {
-        next: async (opts) => {
-          if (!opts?.for) {
-            throw new ValidationError(`sequence("${name}") is a deferred-numbering series; call next({ for: recordId }).`);
+        next: async (nextOpts) => {
+          if (!nextOpts?.for) {
+            throw new ValidationError(`sequence("${series}") is a deferred-numbering series; call next({ for: recordId }).`);
           }
-          return (await eng.enqueue(name, opts.for)).assigned;
+          return (await eng.enqueue(series, nextOpts.for)).assigned;
         },
-        peek: () => eng.peek(name)
+        peek: () => eng.peek(series),
+        seedTo: () => {
+          throw new ValidationError(`sequence("${series}") is a deferred-numbering series; seedTo is CAS-only.`);
+        }
       };
     }
     if (!this.sequenceStore) {
@@ -6027,7 +6451,7 @@ var Vault = class {
         actor: this.keyring.userId
       });
     }
-    return this.sequenceStore.handle(name);
+    return this.sequenceStore.handle(resolveSequenceKey(series, opts));
   }
   /** @internal — lazily build the deferred-numbering engine with a cache-coherent stamp. */
   deferred() {
@@ -6142,12 +6566,12 @@ var Vault = class {
     if (!fieldSchema) {
       throw new AttestationError(`issueAttestation: collection '${collectionName}' has no attestation field-schema. Declare it via vault.collection('${collectionName}', { attestation: { fields: [...] } }).`);
     }
-    const { issueAttestationCore } = await import("./issue-ADVS4OVP.js");
+    const { issueAttestationCore } = await import("./issue-TTMGHQ2J.js");
     const out = await issueAttestationCore(this.makeIssueContext(), { collection: collectionName, id, fieldSchema });
     return { docId: out.docId, qr: out.qr, keyId: out.keyId, publicKeyB64: out.publicKeyB64 };
   }
   async getDocumentSigningPublicKey() {
-    const { loadSigner, loadOrCreateSigner } = await import("./signer-P5D7Y72U.js");
+    const { loadSigner, loadOrCreateSigner } = await import("./signer-YSXZT574.js");
     const existing = await loadSigner(this.adapter, this.name, this.getDEK);
     if (existing) return { keyId: existing.keyId, publicKeyB64: existing.publicKeyB64 };
     if (this.keyring.role !== "owner") {
@@ -6173,19 +6597,19 @@ var Vault = class {
     };
   }
   async revokeAttestation(docId) {
-    const { revokeDocCore } = await import("./revoke-ZDFKMR5E.js");
+    const { revokeDocCore } = await import("./revoke-B54H2S2W.js");
     await revokeDocCore(this.makeRevokeContext(), docId);
   }
   async unrevokeAttestation(docId) {
-    const { unrevokeDocCore } = await import("./revoke-ZDFKMR5E.js");
+    const { unrevokeDocCore } = await import("./revoke-B54H2S2W.js");
     await unrevokeDocCore(this.makeRevokeContext(), docId);
   }
   async getRevokedDocIds() {
-    const { getRevokedDocIdsCore } = await import("./revoke-ZDFKMR5E.js");
+    const { getRevokedDocIdsCore } = await import("./revoke-B54H2S2W.js");
     return getRevokedDocIdsCore(this.makeRevokeContext());
   }
   async publishRevocationList() {
-    const { publishRevocationListCore } = await import("./revoke-ZDFKMR5E.js");
+    const { publishRevocationListCore } = await import("./revoke-B54H2S2W.js");
     return publishRevocationListCore(this.makeRevokeContext());
   }
   makeRevokeContext() {
@@ -6319,9 +6743,24 @@ var Vault = class {
           });
         }
         if (rule.mode === "cascade") {
+          const txCtx = this.noydb._activeTxContextOrNull;
           for (const match of matches) {
             const matchId = match["id"] ?? null;
             if (matchId === null) continue;
+            if (txCtx !== null) {
+              const prior = await this.adapter.get(this.name, rule.collection, matchId);
+              if (prior !== null) {
+                txCtx._executed.push({
+                  op: {
+                    type: "delete",
+                    vaultName: this.name,
+                    collectionName: rule.collection,
+                    id: matchId
+                  },
+                  priorEnvelope: prior
+                });
+              }
+            }
             await fromCollection.delete(matchId);
           }
         }
@@ -6460,6 +6899,218 @@ var Vault = class {
     }
     return this.ledgerStore;
   }
+  // ─── GDPR right-to-erasure (#304) ────────────────────────────────
+  /** @internal — add a subject→record ref to the encrypted subject index. */
+  async _addSubjectRef(subjectId, ref2) {
+    await addSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref2);
+  }
+  /** @internal — drop a subject→record ref from the encrypted subject index. */
+  async _removeSubjectRef(subjectId, ref2) {
+    await removeSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref2);
+  }
+  /**
+   * Rebuild the encrypted subject index from canonical records. The recovery
+   * path for the documented read-modify-write race (RISK #3). Returns the
+   * number of distinct subjects re-indexed.
+   */
+  async rebuildSubjectIndex() {
+    if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+      throw new ForgetStrategyNotConfiguredError();
+    }
+    return rebuildSubjectIndex(
+      this.adapter,
+      this.name,
+      this.getDEK,
+      this.encrypted,
+      this.forgetStrategy.subjects,
+      async (collectionName, id, env) => {
+        const coll = this.collection(collectionName);
+        return coll._decodeEnvelope(env, id);
+      }
+    );
+  }
+  /**
+   * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+   * index and, per matching record:
+   *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+   *   - tombstones every `_history` version of the record,
+   * so the body and all prior versions become permanently undecryptable while
+   * the collection DEK and every OTHER record stay intact. Then appends ONE
+   * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+   * the chain still `verify()`s, PROVING the subject existed and was erased
+   * without retaining any plaintext.
+   *
+   * Reports — but does not silently swallow — two completeness gaps:
+   *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+   *     per-record CEK (legacy body still under the shared collection DEK). It
+   *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+   *     backup before migration) stays decryptable. Migrate, then re-forget.
+   *   - `blobResidueCollections`: a shredded record still has blob attachments,
+   *     which are keyed off a separate `_blob` DEK and are out of scope here.
+   *
+   * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+   */
+  async forget(subjectId) {
+    if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+      throw new ForgetStrategyNotConfiguredError();
+    }
+    const refs = await lookupSubject(this.adapter, this.name, this.getDEK, this.encrypted, subjectId);
+    let recordsShredded = 0;
+    let historyVersionsShredded = 0;
+    const collections = /* @__PURE__ */ new Set();
+    const unmigratedRecords = [];
+    const blobResidueCollections = /* @__PURE__ */ new Set();
+    let blobsShredded = 0;
+    let blobsRetainedShared = 0;
+    const blobsEnabled = this.blobStrategy !== void 0;
+    const actor = this.keyring.userId;
+    for (const ref2 of refs) {
+      const coll = this.collection(ref2.collection);
+      const perRecordKeys = this.forgetStrategy.subjects[ref2.collection] !== void 0;
+      const live = await this.adapter.get(this.name, ref2.collection, ref2.id);
+      if (perRecordKeys && live && live._data && live._cek === void 0) {
+        unmigratedRecords.push(`${ref2.collection}:${ref2.id}`);
+      }
+      const shred = await coll._writeTombstone(ref2.id, actor);
+      if (shred !== null) {
+        recordsShredded++;
+        collections.add(ref2.collection);
+      }
+      historyVersionsShredded += await this.historyStrategy.tombstoneHistory(
+        this.adapter,
+        this.name,
+        ref2.collection,
+        ref2.id,
+        actor
+      );
+      if (blobsEnabled) {
+        const r = await this.collection(ref2.collection).blob(ref2.id).shredAllForRecord();
+        blobsShredded += r.shredded.length;
+        blobsRetainedShared += r.retainedShared.length;
+        if (r.residue.length > 0) blobResidueCollections.add(ref2.collection);
+      } else {
+        try {
+          const slotIds = await this.adapter.list(this.name, `_blob_slots_${ref2.collection}`);
+          if (slotIds.includes(ref2.id)) blobResidueCollections.add(ref2.collection);
+        } catch {
+        }
+      }
+      await this._removeSubjectRef(subjectId, ref2);
+    }
+    const subjectHash = await sha256Hex2(subjectId);
+    const ledger = this.getLedgerOrNull();
+    if (!ledger) {
+      throw new Error(
+        'vault.forget() requires the history strategy for the erasure-proof ledger entry. Pass `historyStrategy: withHistory()` from "@noy-db/hub/history" to createNoydb().'
+      );
+    }
+    const ledgerEntry = await ledger.append({
+      op: "forget",
+      collection: "",
+      id: "",
+      version: 0,
+      actor,
+      payloadHash: subjectHash,
+      reason: JSON.stringify({
+        recordsShredded,
+        historyVersionsShredded,
+        collections: [...collections],
+        unmigratedCount: unmigratedRecords.length,
+        blobsShredded,
+        blobsRetainedShared,
+        blobResidueCollections: [...blobResidueCollections]
+      })
+    });
+    return {
+      subject: subjectId,
+      recordsShredded,
+      historyVersionsShredded,
+      collections: [...collections],
+      unmigratedRecords,
+      blobsShredded,
+      blobsRetainedShared,
+      blobResidueCollections: [...blobResidueCollections],
+      ledgerEntry
+    };
+  }
+  // ─── Record-scoped CEK sealing (#306 slices 2-3) ──────────────────────
+  /**
+   * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+   * host — and only that host — can decrypt exactly that record, with no
+   * access to the vault DEK and no ability to read any other record.
+   *
+   * The grantor (this caller, who holds the collection DEK) reads the record's
+   * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+   * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+   * seals that binding for the recipient host via the host's published hint,
+   * and persists a thin {@link SealedCekDeliveryEnvelope} at
+   * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+   * envelope) is the security boundary: the host re-verifies `{collection, id}`
+   * and `expiresAt` from inside the sealed payload.
+   *
+   * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+   * seal (its body is under the shared collection DEK, which is never exposed
+   * by sealing) → {@link RecordCekNotFoundError}.
+   *
+   * @param collection Collection holding the record.
+   * @param id         Record id.
+   * @param hostSealer The recipient host's {@link RecipientSealer}.
+   * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+   *   the binding the host verifies.
+   * @returns `{ pid, envelopeKey }` — the host provider id and the
+   *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+   */
+  async sealRecordToHost(collection, id, hostSealer, opts) {
+    return sealRecordToHost(this.sealingContext(), collection, id, hostSealer, opts);
+  }
+  /**
+   * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+   * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+   * that already fetched the envelope keeps whatever it cached. For a hard
+   * revocation that makes the live record undecryptable to every prior grant,
+   * use {@link rotateRecordCek}.
+   */
+  async revokeSealedRecord(collection, id, pid) {
+    return revokeSealedRecord(this.sealingContext(), collection, id, pid);
+  }
+  /**
+   * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+   * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+   * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+   * record. After this, any host holding a previously-sealed CEK can still
+   * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+   * the rotated live record (its body is under the new CEK → the old CEK fails
+   * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+   * old grants lose the live record.
+   *
+   * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+   * history snapshot, no materialized-view refresh): rotation is a key-rotation
+   * operation, not a business write, and must not version-bump history (which
+   * would re-encrypt the prior version under the NEW CEK and defeat the point).
+   *
+   * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+   */
+  async rotateRecordCek(collection, id) {
+    return rotateRecordCek(this.sealingContext(), collection, id);
+  }
+  /**
+   * Build the {@link SealingContext} the record-keys grantor functions need:
+   * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+   * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+   */
+  sealingContext() {
+    return {
+      adapter: this.adapter,
+      vault: this.name,
+      getDEK: (collection) => this.getDEK(collection),
+      actor: this.keyring.userId,
+      invalidateRecordCaches: async (collection, id) => {
+        const coll = this.collection(collection);
+        coll._invalidateCekCacheEntry(id);
+        await coll._invalidateCacheEntry(id);
+      }
+    };
+  }
   /**
    * @internal — called by `Noydb.openVault` after construction.
    * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -6502,7 +7153,7 @@ var Vault = class {
   async _initDerivations(handles) {
     if (handles.length === 0) return;
     const [{ DerivationRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
-      import("./registry-XGLNADIE.js"),
+      import("./registry-TGZISEWC.js"),
       import("./read-only-facade-ITU6L7BL.js")
     ]);
     const registry = new DerivationRegistry();
@@ -6533,7 +7184,7 @@ var Vault = class {
    */
   async _initMaterializedViews(handles) {
     if (handles.length === 0) return;
-    const { MaterializedViewRegistry } = await import("./registry-DK5YWAAA.js");
+    const { MaterializedViewRegistry } = await import("./registry-SECUWSGY.js");
     const registry = new MaterializedViewRegistry();
     this.materializedViewRegistry = registry;
     const db = this;
@@ -6557,7 +7208,7 @@ var Vault = class {
    */
   async _initOverlayedViews(handles) {
     if (handles.length === 0) return;
-    const { OverlayedViewRegistry } = await import("./registry-IUZQVVBB.js");
+    const { OverlayedViewRegistry } = await import("./registry-3YFLZ7WD.js");
     const registry = new OverlayedViewRegistry();
     const mvRegistry = this.materializedViewRegistry;
     const overlayNames = /* @__PURE__ */ new Set();
@@ -6604,13 +7255,13 @@ var Vault = class {
     if (!reg) {
       throw new Error(`refreshView: no MV registered with name "${name}"`);
     }
-    const { MaterializedViewExecutor } = await import("./executor-HSSRXDOB.js");
+    const { MaterializedViewExecutor } = await import("./executor-3W63Y44O.js");
     const result = await MaterializedViewExecutor.refresh(reg, {
       getCollection: (n) => this.collection(n),
       getActiveTxContext: () => this.noydb._activeTxContextOrNull,
       getQueryContext: () => this
     });
-    const { clearMVStale } = await import("./stale-JH67FU57.js");
+    const { clearMVStale } = await import("./stale-TOA36SRK.js");
     clearMVStale(registry, name);
     return result;
   }
@@ -6626,7 +7277,7 @@ var Vault = class {
     if (registry === null) return { derived: 0, failed: 0 };
     const strategies = registry.strategiesForSource(sourceCollection);
     if (strategies.length === 0) return { derived: 0, failed: 0 };
-    const { DerivationExecutor } = await import("./executor-6ZDSDZ6V.js");
+    const { DerivationExecutor } = await import("./executor-CFFWPWBJ.js");
     const sourceColl = this.collection(sourceCollection);
     const records = await sourceColl.list();
     const ctx = { vault: this.readOnlyFacade ?? new (await import("./read-only-facade-ITU6L7BL.js")).ReadOnlyVaultFacade(this) };
@@ -6651,7 +7302,7 @@ var Vault = class {
           if (!outSpec) continue;
           const outputColl = this.collection(outSpec.collection);
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-N6OJX6QR.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-FIJJ46YG.js");
             const prior = await loadFanoutSidecar(this.adapter, this.name, spec.source, id, key);
             const prevKeys = new Set(prior?.keys ?? []);
             const newKeysList = out.entries.map((e) => e.key);
@@ -6872,7 +7523,7 @@ var Vault = class {
    * collection.
    */
   async delegate(opts) {
-    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-NIQ43IPU.js");
+    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-MGH5SODX.js");
     if (!this.keyring.kek) {
       throw new ValidationError(
         "issueDelegation: keyring.kek is null \u2014 issuing a delegation requires a tier-1 unlock. Re-authenticate at tier 1 (passphrase) first."
@@ -6894,7 +7545,7 @@ var Vault = class {
    * if the id does not exist.
    */
   async revokeDelegation(id) {
-    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-NIQ43IPU.js");
+    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-MGH5SODX.js");
     await revokeDelegation(this.adapter, this.name, id);
     void DELEGATIONS_COLLECTION;
   }
@@ -7363,7 +8014,7 @@ var Vault = class {
    * @see docs/subsystems/public-envelope.md
    */
   async getPublicEnvelope(opts = {}) {
-    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-SYHEYQ3X.js");
+    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-RXZNP3V6.js");
     return readPublicEnvelope2(this.adapter, this.name, opts);
   }
   /**
@@ -8561,7 +9212,7 @@ var NOT_ENABLED5 = new Error(
   'Multi-record transactions require the tx strategy. Import `{ withTransactions }` from "@noy-db/hub/tx" and pass it to `createNoydb({ txStrategy: withTransactions() })`.'
 );
 var NO_TX = {
-  async runTransaction() {
+  async runTransaction(_db, _fn, _options, _txInvariants) {
     throw NOT_ENABLED5;
   },
   async runDryRun() {
@@ -8907,6 +9558,7 @@ var Noydb = class {
   policyEnforcers = /* @__PURE__ */ new Map();
   vaultTemplates = /* @__PURE__ */ new Map();
   txStrategy;
+  forgetStrategy;
   sessionStrategy;
   syncStrategy;
   snapshotStrategy;
@@ -8934,6 +9586,7 @@ var Noydb = class {
   constructor(options) {
     this.options = options;
     this.txStrategy = options.txStrategy ?? NO_TX;
+    this.forgetStrategy = options.forgetStrategy ?? NO_FORGET;
     this.sessionStrategy = options.sessionStrategy ?? NO_SESSION;
     this.syncStrategy = options.syncStrategy ?? NO_SYNC;
     this.snapshotStrategy = options.snapshotStrategy ?? NO_SNAPSHOTS;
@@ -8944,8 +9597,61 @@ var Noydb = class {
     }
     this.#registerGuardGate();
     this.#registerPeriodGate();
+    this.#registerForgetHooks();
     this.resetSessionTimer();
   }
+  /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+  get _forgetStrategy() {
+    return this.forgetStrategy;
+  }
+  // #304 — GDPR subject-index maintenance. When `withForgetCascade` declares
+  // any subject fields, keep the encrypted `_subject_index` in lock-step with
+  // writes so `vault.forget(subjectId)` can find every record for a subject.
+  //
+  // Two consumers are required because they cover disjoint events:
+  //   - onAfterWrite fires on create/update (NOT delete) — add the new ref;
+  //     on an update that changed the subject value, drop the stale ref.
+  //   - the subsystemBus `afterDelete` observer fires on delete (onAfterWrite
+  //     does NOT) — drop the ref so a deleted record never lingers in the
+  //     index (RISK #2). Without it, forget() would try to shred a ghost.
+  #registerForgetHooks() {
+    const subjects = this.forgetStrategy.subjects;
+    if (Object.keys(subjects).length === 0) return;
+    const subjectFieldFor = (collection) => subjects[collection];
+    this.writeHooks.onAfterWrite(async (event) => {
+      const field = subjectFieldFor(event.collection);
+      if (field === void 0) return;
+      const vault = this.vaultCache.get(event.vault);
+      if (!vault) return;
+      if (event.after !== null && typeof event.after === "object") {
+        const subjectValue = readDottedPath(event.after, field);
+        if (subjectValue !== void 0 && subjectValue !== null) {
+          await vault._addSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+        }
+      }
+      if (event.op === "update" && event.before !== null && typeof event.before === "object") {
+        const beforeValue = readDottedPath(event.before, field);
+        const afterValue = event.after !== null && typeof event.after === "object" ? readDottedPath(event.after, field) : void 0;
+        const beforeId = beforeValue === void 0 || beforeValue === null ? void 0 : coerceSubjectId(beforeValue);
+        const afterId = afterValue === void 0 || afterValue === null ? void 0 : coerceSubjectId(afterValue);
+        if (beforeId !== void 0 && beforeId !== afterId) {
+          await vault._removeSubjectRef(beforeId, { collection: event.collection, id: event.docId });
+        }
+      }
+    });
+    this.subsystemBus.register("afterDelete", async (event) => {
+      const field = subjectFieldFor(event.collection);
+      if (field === void 0) return;
+      const vault = this.vaultCache.get(event.vault);
+      if (!vault) return;
+      if (event.before !== null && typeof event.before === "object") {
+        const subjectValue = readDottedPath(event.before, field);
+        if (subjectValue !== void 0 && subjectValue !== null) {
+          await vault._removeSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+        }
+      }
+    });
+  }
   // Track A — guards migration. Registers record-lock / field-freeze / onDelete
   // / amendment-collect as gate-bus handlers (only when guards are opted in, so
   // the write path is zero-cost otherwise). Resolves the live vault's
@@ -8973,7 +9679,7 @@ var Noydb = class {
       if (!facade) return;
       const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
       await registry.runChecks(e.collection, incoming, ctx);
-      const { GuardExecutor } = await import("./executor-IDZDAFNH.js");
+      const { GuardExecutor } = await import("./executor-VDQQOR4F.js");
       for (const g of guards) {
         await GuardExecutor.checkFrozenFields(g, e.docId, existing, incoming, e.computedFieldNames);
       }
@@ -9166,6 +9872,7 @@ var Noydb = class {
       ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
       ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
       ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+      forgetStrategy: this.forgetStrategy,
       locale: opts?.locale,
       // Thread the translator hook so Collection.put() can invoke it
       plaintextTranslator: this.options.plaintextTranslator ? (text, from, to, field, collection) => this.invokeTranslator(text, from, to, field, collection) : void 0,
@@ -9220,7 +9927,8 @@ var Noydb = class {
         ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
         ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
         ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
-        ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {}
+        ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+        forgetStrategy: this.forgetStrategy
       });
       this.vaultCache.set(name, comp2);
       return comp2;
@@ -9572,8 +10280,8 @@ var Noydb = class {
     if (name === STATE_VAULT_NAME) throw new ReservedVaultNameError(name);
     const template = this.vaultTemplates.get(opts.sharding.vaultTemplate);
     if (!template) throw new VaultTemplateNotFoundError(opts.sharding.vaultTemplate);
-    const { VaultGroup } = await import("./vault-group-KOM7QRJG.js");
-    const { StateManagementVault } = await import("./state-vault-TMXZRTY5.js");
+    const { VaultGroup } = await import("./vault-group-DHAHFX2A.js");
+    const { StateManagementVault } = await import("./state-vault-W2OEABNO.js");
     const stateVault = opts.registry ? void 0 : await StateManagementVault.open(this);
     const registry = opts.registry ?? stateVault.registry;
     const group = new VaultGroup(this, name, registry, opts.sharding, template);
@@ -9600,7 +10308,7 @@ var Noydb = class {
    */
   async openStateManagementVault() {
     if (this.closed) throw new ValidationError("Instance is closed");
-    const { StateManagementVault } = await import("./state-vault-TMXZRTY5.js");
+    const { StateManagementVault } = await import("./state-vault-W2OEABNO.js");
     return StateManagementVault.open(this);
   }
   /**
@@ -11102,6 +11810,7 @@ function normalizeSyncTargets(sync) {
 
 export {
   withArchive,
+  resolveSequenceKey,
   SequenceStore,
   validateSchemaInput,
   validateSchemaOutput,
@@ -11140,4 +11849,4 @@ export {
   Noydb,
   createNoydb
 };
-//# sourceMappingURL=chunk-7EFFHEN5.js.map
+//# sourceMappingURL=chunk-D77ZQSQQ.js.map