@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.17

package/dist/bundle/index.cjs

@@ -31,7 +31,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/errors.ts
-var NoydbError, DecryptionError, TamperedError, InvalidKeyError, KeyringCorruptError, NoAccessError, ReadOnlyError, PermissionDeniedError, ExportCapabilityError, KeyringExpiredError, ImportCapabilityError, StoreCapabilityError, PrivilegeEscalationError, ReservedVaultNameError, FieldFrozenError, InvariantError, AmendmentForbiddenError, TierNotGrantedError, ElevationExpiredError, AlreadyElevatedError, TierDemoteDeniedError, DelegationTargetMissingError, ConflictError, LedgerContentionError, SequenceContentionError, SequenceOfflineError, NumberingUncertaintyError, BundleVersionConflictError, ValidationError, SchemaValidationError, SchemaUpdateError, SchemaFenceError, MigrationRequiredError, QuiesceTimeoutError, GroupCardinalityError, IndexRequiredError, UniqueConstraintError, UnsupportedIndexOptionError, IndexWriteFailureError, BundleIntegrityError, BundleSealMismatchError, ReservedCollectionNameError, LocaleNotSpecifiedError, TranslatorNotConfiguredError, BackupLedgerError, BackupCorruptedError, PartitionExtractionError, TransferSealError, AdoptionStateError, AttestationError, JoinTooLargeError, CrossJoinTooLargeError, CrossJoinSourceUnknownError, DanglingReferenceError, DerivationCycleError, DerivationOutputShapeError, DerivationCapExceededError, MaterializedViewCycleError, MaterializedViewSourceUnknownError, MaterializedViewTooLargeError, OverlayBaseIsVirtualError, OverlayCollectionUnavailableError, OverlayNameCollisionError, OverlayIdMismatchError, UnknownShardError, ShardProvisioningError, CrossShardJoinError, VaultTemplateNotFoundError;
+var NoydbError, DecryptionError, TamperedError, InvalidKeyError, KeyringCorruptError, NoAccessError, ReadOnlyError, PermissionDeniedError, ExportCapabilityError, KeyringExpiredError, ImportCapabilityError, StoreCapabilityError, PrivilegeEscalationError, ReservedVaultNameError, FieldFrozenError, InvariantError, AmendmentForbiddenError, TierNotGrantedError, ElevationExpiredError, AlreadyElevatedError, TierDemoteDeniedError, DelegationTargetMissingError, ConflictError, LedgerContentionError, SequenceContentionError, SequenceOfflineError, NumberingUncertaintyError, BundleVersionConflictError, ValidationError, SchemaValidationError, SchemaUpdateError, SchemaFenceError, MigrationRequiredError, QuiesceTimeoutError, GroupCardinalityError, IndexRequiredError, UniqueConstraintError, UnsupportedIndexOptionError, IndexWriteFailureError, BundleIntegrityError, BundleSealMismatchError, ReservedCollectionNameError, LocaleNotSpecifiedError, StaticDictReadonlyError, UnknownDictCodeError, TranslatorNotConfiguredError, BackupLedgerError, BackupCorruptedError, PartitionExtractionError, TransferSealError, AdoptionStateError, AttestationError, JoinTooLargeError, CrossJoinTooLargeError, CrossJoinSourceUnknownError, DanglingReferenceError, DerivationCycleError, DerivationOutputShapeError, DerivationCapExceededError, MaterializedViewCycleError, MaterializedViewSourceUnknownError, MaterializedViewTooLargeError, OverlayBaseIsVirtualError, OverlayCollectionUnavailableError, OverlayNameCollisionError, OverlayIdMismatchError, UnknownShardError, ShardProvisioningError, CrossShardJoinError, VaultTemplateNotFoundError, ForgetStrategyNotConfiguredError, RecordCekNotFoundError;
 var init_errors = __esm({
   "src/errors.ts"() {
     "use strict";
@@ -485,6 +485,36 @@ Resolutions:
         this.field = field;
       }
     };
+    StaticDictReadonlyError = class extends NoydbError {
+      /** The static dictionary name that was the target of the mutation. */
+      dictionaryName;
+      constructor(dictionaryName) {
+        super(
+          "STATIC_DICT_READONLY",
+          `Dictionary "${dictionaryName}" is a staticDict \u2014 its labels are code constants with no mutation surface. put/putAll/rename/delete are not supported; change the label in the staticDict() table and redeploy.`
+        );
+        this.name = "StaticDictReadonlyError";
+        this.dictionaryName = dictionaryName;
+      }
+    };
+    UnknownDictCodeError = class extends NoydbError {
+      /** The static dictionary name. */
+      dictionaryName;
+      /** The field that carried the unknown code. */
+      field;
+      /** The offending code value. */
+      code;
+      constructor(dictionaryName, field, code) {
+        super(
+          "UNKNOWN_DICT_CODE",
+          `Field "${field}": code "${code}" is not a known key of staticDict "${dictionaryName}". Use a declared code, or pass { validateCodes: false } on the descriptor to allow open codes.`
+        );
+        this.name = "UnknownDictCodeError";
+        this.dictionaryName = dictionaryName;
+        this.field = field;
+        this.code = code;
+      }
+    };
     TranslatorNotConfiguredError = class extends NoydbError {
       /** The field that requested auto-translation. */
       field;
@@ -763,6 +793,25 @@ Resolutions:
         this.templateName = templateName;
       }
     };
+    ForgetStrategyNotConfiguredError = class extends NoydbError {
+      constructor(message = 'vault.forget() requires a forget strategy. Pass `forgetStrategy: withForgetCascade({ subjects: { <collection>: <subjectField> } })` from "@noy-db/hub/forget" to createNoydb().') {
+        super("FORGET_NOT_CONFIGURED", message);
+        this.name = "ForgetStrategyNotConfiguredError";
+      }
+    };
+    RecordCekNotFoundError = class extends NoydbError {
+      collection;
+      id;
+      constructor(collection, id) {
+        super(
+          "RECORD_CEK_NOT_FOUND",
+          `No per-record CEK for ${collection}/${id}. The record is missing, or its collection was not opened with { perRecordKeys: true } \u2014 only per-record-key records carry a sealable CEK.`
+        );
+        this.name = "RecordCekNotFoundError";
+        this.collection = collection;
+        this.id = id;
+      }
+    };
   }
 });
 
@@ -1016,6 +1065,39 @@ async function unwrapKey(wrappedBase64, kek) {
     throw new InvalidKeyError();
   }
 }
+async function asKwKey(dek) {
+  const rawDek = await subtle.exportKey("raw", dek);
+  const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
+  const salt = new TextEncoder().encode("noydb-cek-wrap");
+  const info = new TextEncoder().encode("v1");
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info },
+    hkdfKey,
+    KEY_BITS
+  );
+  return subtle.importKey("raw", bits, "AES-KW", false, ["wrapKey", "unwrapKey"]);
+}
+async function wrapCek(cek, dek) {
+  const kw = await asKwKey(dek);
+  const wrapped = await subtle.wrapKey("raw", cek, kw, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function unwrapCek(wrappedBase64, dek) {
+  const kw = await asKwKey(dek);
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kw,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
 async function encrypt(plaintext, dek) {
   const iv = generateIV();
   const encoded = new TextEncoder().encode(plaintext);
@@ -1112,6 +1194,163 @@ var init_crypto = __esm({
   }
 });
 
+// src/record-keys/tombstone.ts
+function isTombstone(envelope, encrypted) {
+  if (!encrypted) return false;
+  return !envelope._data && envelope._cek === void 0;
+}
+function buildTombstone(version, actor) {
+  return {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: version,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: "",
+    ...actor ? { _by: actor } : {}
+  };
+}
+var init_tombstone = __esm({
+  "src/record-keys/tombstone.ts"() {
+    "use strict";
+    init_types();
+  }
+});
+
+// src/record-keys/lifecycle.ts
+async function resolveStableCek(deps, id) {
+  const cached = deps.cache?.get(id);
+  if (cached) return cached;
+  const live = await deps.getLive(id);
+  if (live?._cek !== void 0) {
+    const cek = await unwrapCek(live._cek, await deps.getDEK());
+    deps.cache?.set(id, cek, 1);
+    return cek;
+  }
+  const fresh = await generateDEK();
+  deps.cache?.set(id, fresh, 1);
+  return fresh;
+}
+async function rewrapBodyToDek(envelope, fromDek, toDek) {
+  if (envelope._cek !== void 0) {
+    const cek = await unwrapCek(envelope._cek, fromDek);
+    const plaintext2 = await decrypt(envelope._iv, envelope._data, cek);
+    const { iv: iv2, data: data2 } = await encrypt(plaintext2, cek);
+    return { _iv: iv2, _data: data2, _cek: await wrapCek(cek, toDek), cek };
+  }
+  const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
+  const { iv, data } = await encrypt(plaintext, toDek);
+  return { _iv: iv, _data: data, cek: null };
+}
+var init_lifecycle = __esm({
+  "src/record-keys/lifecycle.ts"() {
+    "use strict";
+    init_crypto();
+  }
+});
+
+// src/record-keys/sealing.ts
+async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
+  if (collection.includes("/")) throw new ValidationError(`sealRecordToHost: collection "${collection}" must not contain "/"`);
+  if (id.includes("/")) throw new ValidationError(`sealRecordToHost: id "${id}" must not contain "/"`);
+  const live = await ctx.adapter.get(ctx.vault, collection, id);
+  if (!live || live._cek === void 0) {
+    throw new RecordCekNotFoundError(collection, id);
+  }
+  const dek = await ctx.getDEK(collection);
+  const cek = await unwrapCek(live._cek, dek);
+  const rawCek = await subtle2.exportKey("raw", cek);
+  const cekB64 = bufferToBase64(rawCek);
+  const hint = await hostSealer.publishRecipientHint();
+  if (hint.pid.includes("/")) throw new ValidationError(`sealRecordToHost: recipient pid "${hint.pid}" must not contain "/"`);
+  const binding = {
+    collection,
+    id,
+    cek: cekB64,
+    expiresAt: opts.expiresAt
+  };
+  const sealed = await hostSealer.sealForRecipient(
+    new TextEncoder().encode(JSON.stringify(binding)),
+    hint
+  );
+  const delivery = {
+    v: 1,
+    _noydb_sealed_cek: 1,
+    pid: hint.pid,
+    payload: bufferToBase64(sealed),
+    expiresAt: opts.expiresAt
+  };
+  const envelopeKey = `${collection}/${id}/${hint.pid}`;
+  const prior = await ctx.adapter.get(ctx.vault, SEALED_CEK_NS, envelopeKey);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // AES-GCM bypassed — the sealing layer is the security boundary, exactly
+    // like the managed-passphrase `_meta/sealed-passphrase` envelope.
+    _iv: "",
+    _data: JSON.stringify(delivery),
+    ...ctx.actor ? { _by: ctx.actor } : {}
+  };
+  await ctx.adapter.put(ctx.vault, SEALED_CEK_NS, envelopeKey, env);
+  return { pid: hint.pid, envelopeKey };
+}
+async function revokeSealedRecord(ctx, collection, id, pid) {
+  await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, `${collection}/${id}/${pid}`);
+}
+async function rotateRecordCek(ctx, collection, id) {
+  const live = await ctx.adapter.get(ctx.vault, collection, id);
+  if (!live || live._cek === void 0) {
+    throw new RecordCekNotFoundError(collection, id);
+  }
+  const dek = await ctx.getDEK(collection);
+  const oldCek = await unwrapCek(live._cek, dek);
+  const json = await decrypt(live._iv, live._data, oldCek);
+  const newCek = await generateDEK();
+  const { iv, data } = await encrypt(json, newCek);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: live._v + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data,
+    _cek: await wrapCek(newCek, dek),
+    ...ctx.actor ? { _by: ctx.actor } : {},
+    ...live._tier !== void 0 ? { _tier: live._tier } : {},
+    ...live._det !== void 0 ? { _det: live._det } : {}
+  };
+  await ctx.adapter.put(ctx.vault, collection, id, env);
+  await ctx.invalidateRecordCaches(collection, id);
+  const prefix = `${collection}/${id}/`;
+  const keys = await ctx.adapter.list(ctx.vault, SEALED_CEK_NS);
+  for (const key of keys) {
+    if (key.startsWith(prefix)) {
+      await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, key);
+    }
+  }
+}
+var subtle2, SEALED_CEK_NS;
+var init_sealing = __esm({
+  "src/record-keys/sealing.ts"() {
+    "use strict";
+    init_crypto();
+    init_types();
+    init_errors();
+    subtle2 = globalThis.crypto.subtle;
+    SEALED_CEK_NS = "_sealed_cek";
+  }
+});
+
+// src/record-keys/index.ts
+var init_record_keys = __esm({
+  "src/record-keys/index.ts"() {
+    "use strict";
+    init_crypto();
+    init_tombstone();
+    init_lifecycle();
+    init_sealing();
+  }
+});
+
 // src/persisted-schemas/storage.ts
 async function loadPersistedSchema(store, vault, collection, dek) {
   const envelope = await store.get(vault, SCHEMAS_COLLECTION, collection);
@@ -2815,11 +3054,11 @@ async function mintWrappedDeksBlob(deks, credential) {
   const wrappingKey = await deriveWrappingKey(credential, salt);
   const exported = {};
   for (const [coll, dek] of deks) {
-    const raw = await subtle2.exportKey("raw", dek);
+    const raw = await subtle3.exportKey("raw", dek);
     exported[coll] = bytesToBase643(new Uint8Array(raw));
   }
   const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
-  const ciphertext = await subtle2.encrypt(
+  const ciphertext = await subtle3.encrypt(
     { name: "AES-GCM", iv },
     wrappingKey,
     plaintext
@@ -2832,7 +3071,7 @@ async function mintWrappedDeksBlob(deks, credential) {
 }
 async function unwrapDeksFromBlob(blob, credential) {
   const wrappingKey = await deriveWrappingKey(credential, base64ToBytes3(blob.salt));
-  const plaintext = await subtle2.decrypt(
+  const plaintext = await subtle3.decrypt(
     { name: "AES-GCM", iv: base64ToBytes3(blob.iv) },
     wrappingKey,
     base64ToBytes3(blob.wrappedDeks)
@@ -2841,7 +3080,7 @@ async function unwrapDeksFromBlob(blob, credential) {
   const deks = /* @__PURE__ */ new Map();
   for (const [coll, b64] of Object.entries(parsed.deks)) {
     const raw = base64ToBytes3(b64);
-    const key = await subtle2.importKey(
+    const key = await subtle3.importKey(
       "raw",
       raw,
       { name: "AES-GCM", length: 256 },
@@ -2853,14 +3092,14 @@ async function unwrapDeksFromBlob(blob, credential) {
   return deks;
 }
 async function deriveWrappingKey(credential, salt) {
-  const ikm = await subtle2.importKey(
+  const ikm = await subtle3.importKey(
     "raw",
     new TextEncoder().encode(credential),
     "PBKDF2",
     false,
     ["deriveKey"]
   );
-  return subtle2.deriveKey(
+  return subtle3.deriveKey(
     {
       name: "PBKDF2",
       salt,
@@ -2884,14 +3123,14 @@ function base64ToBytes3(b64) {
   for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
   return out;
 }
-var PBKDF2_ITERATIONS2, SALT_BYTES2, IV_BYTES2, subtle2;
+var PBKDF2_ITERATIONS2, SALT_BYTES2, IV_BYTES2, subtle3;
 var init_wrapped_deks = __esm({
   "src/team/wrapped-deks.ts"() {
     "use strict";
     PBKDF2_ITERATIONS2 = 6e5;
     SALT_BYTES2 = 32;
     IV_BYTES2 = 12;
-    subtle2 = globalThis.crypto.subtle;
+    subtle3 = globalThis.crypto.subtle;
   }
 });
 
@@ -3696,6 +3935,21 @@ var init_core = __esm({
   }
 });
 
+// src/i18n/dictionary.ts
+function isDictCollectionName(name) {
+  return name.startsWith(DICT_COLLECTION_PREFIX);
+}
+function isStaticDictDescriptor(x) {
+  return typeof x === "object" && x !== null && x._noydbStaticDict === true;
+}
+var DICT_COLLECTION_PREFIX;
+var init_dictionary = __esm({
+  "src/i18n/dictionary.ts"() {
+    "use strict";
+    DICT_COLLECTION_PREFIX = "_dict_";
+  }
+});
+
 // src/money/fixed-point.ts
 function expandExponent(s) {
   const m = /^([+-]?)(\d+)(?:\.(\d+))?[eE]([+-]?\d+)$/.exec(s);
@@ -4315,6 +4569,9 @@ var init_strategy3 = __esm({
       async clearHistory() {
         return 0;
       },
+      async tombstoneHistory() {
+        return 0;
+      },
       async envelopePayloadHash() {
         return "";
       },
@@ -5279,6 +5536,7 @@ function buildDictLabelResolver(joinCtx, field) {
   const dictSource = joinCtx.resolveDictSource(field);
   if (!dictSource) return void 0;
   const snapshot = dictSource.snapshot();
+  const displayLocale = dictSource.displayLocale;
   const dictMap = /* @__PURE__ */ new Map();
   for (const entry of snapshot) {
     const k = entry["key"];
@@ -5288,9 +5546,11 @@ function buildDictLabelResolver(joinCtx, field) {
     }
   }
   return async (key, locale, fallback) => {
+    const effLocale = locale || displayLocale;
+    if (!effLocale) return void 0;
     const labels = dictMap.get(key);
     if (!labels) return void 0;
-    if (labels[locale] !== void 0) return labels[locale];
+    if (labels[effLocale] !== void 0) return labels[effLocale];
     const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
     for (const fb of chain) {
       if (fb === "any") {
@@ -8064,12 +8324,14 @@ var init_collection = __esm({
     init_types();
     init_strategy();
     init_core();
+    init_dictionary();
     init_normalize();
     init_paths();
     init_computed();
     init_strategy2();
     init_policy();
     init_crypto();
+    init_record_keys();
     init_errors();
     init_tiers();
     init_keyring();
@@ -8267,6 +8529,25 @@ var init_collection = __esm({
        * is inactive for this collection; a frozen `Set` otherwise.
        */
       deterministicFields;
+      /**
+       * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+       * reuse a per-record content-encryption key and stamp `_cek` on the
+       * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+       * non-adopting collection takes the byte-identical legacy path. The READ
+       * path does not consult this flag: `_cek` presence on the envelope is the
+       * format discriminant, so a mixed vault (and a recipient that never set the
+       * flag) still decrypts CEK records.
+       */
+      perRecordCek;
+      /**
+       * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+       * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+       * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+       * collection instance is discarded — `vault.load()` clears the
+       * collectionCache, so a keyring refresh drops every CEK alongside the
+       * DEK cache. `null` unless `perRecordCek` is set.
+       */
+      cekCache;
       /**
        * declared tiers for this collection. `null` when
        * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -8413,19 +8694,24 @@ var init_collection = __esm({
         } else {
           this.deterministicFields = null;
         }
+        this.perRecordCek = opts.perRecordKeys === true;
+        this.cekCache = this.perRecordCek ? new Lru({ maxRecords: 4096 }) : null;
         if (opts.crdt && opts.onRegisterConflictResolver) {
           const crdtMode = opts.crdt;
-          const crdtResolver = async (_id, local, remote) => {
+          const crdtResolver = async (id, local, remote) => {
             if (crdtMode === "yjs") {
               return local._v >= remote._v ? local : remote;
             }
-            const localJson = await this.decryptJsonString(local);
-            const remoteJson = await this.decryptJsonString(remote);
+            const localJson = await this.decryptJsonString(local, id);
+            const remoteJson = await this.decryptJsonString(remote, id);
+            if (localJson === null) return local;
+            if (remoteJson === null) return remote;
             const localState = JSON.parse(localJson);
             const remoteState = JSON.parse(remoteJson);
             const merged = this.crdtStrategy.mergeCrdtStates(localState, remoteState);
             const mergedVersion = Math.max(local._v, remote._v) + 1;
-            return this.encryptJsonString(JSON.stringify(merged), mergedVersion);
+            const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+            return this.encryptJsonString(JSON.stringify(merged), mergedVersion, cek);
           };
           opts.onRegisterConflictResolver(this.name, crdtResolver);
         }
@@ -8465,12 +8751,15 @@ var init_collection = __esm({
             });
           } else {
             const mergeFn = policy;
-            resolver = async (_id, local, remote) => {
-              const localRecord = await this.decryptRecord(local, { skipValidation: true });
-              const remoteRecord = await this.decryptRecord(remote, { skipValidation: true });
+            resolver = async (id, local, remote) => {
+              const localRecord = await this.decryptRecord(local, { skipValidation: true, id });
+              const remoteRecord = await this.decryptRecord(remote, { skipValidation: true, id });
+              if (localRecord === null) return local;
+              if (remoteRecord === null) return remote;
               const merged = mergeFn(localRecord, remoteRecord);
               const mergedVersion = Math.max(local._v, remote._v) + 1;
-              return this.encryptRecord(merged, mergedVersion);
+              const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+              return this.encryptRecord(merged, mergedVersion, cek);
             };
           }
           opts.onRegisterConflictResolver(collectionName, resolver);
@@ -8562,7 +8851,9 @@ var init_collection = __esm({
           } else {
             const envelope = await this.adapter.get(this.vault, this.name, id);
             if (!envelope) return null;
-            record = await this.decryptRecord(envelope);
+            if (isTombstone(envelope, this.encrypted)) return null;
+            record = await this.decryptRecord(envelope, { id });
+            if (record === null) return null;
             this.lru.set(id, { record, version: envelope._v }, estimateRecordBytes(record));
           }
         } else {
@@ -8589,6 +8880,7 @@ var init_collection = __esm({
         const envelope = await this.adapter.get(this.vault, this.name, id);
         if (!envelope) return null;
         const json = await this.decryptJsonString(envelope);
+        if (json === null) return null;
         return JSON.parse(json);
       }
       /**
@@ -8677,7 +8969,7 @@ var init_collection = __esm({
           if (cached2) return { record: cached2.record, version: cached2.version };
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env) return { record: null, version: 0 };
-          return { record: await this.decryptRecord(env, { skipValidation: true }), version: env._v };
+          return { record: await this.decryptRecord(env, { skipValidation: true }) ?? null, version: env._v };
         }
         await this.ensureHydrated();
         const cached = this.cache.get(id);
@@ -8790,9 +9082,11 @@ var init_collection = __esm({
             let existingState;
             if (existingEnvelope) {
               const prevJson = await this.decryptJsonString(existingEnvelope);
-              const prevParsed = JSON.parse(prevJson);
-              if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-                existingState = prevParsed;
+              if (prevJson !== null) {
+                const prevParsed = JSON.parse(prevJson);
+                if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+                  existingState = prevParsed;
+                }
               }
             }
             crdtState = this.crdtStrategy.buildLwwMapState(record, existingState, now);
@@ -8800,9 +9094,11 @@ var init_collection = __esm({
             let existingState;
             if (existingEnvelope) {
               const prevJson = await this.decryptJsonString(existingEnvelope);
-              const prevParsed = JSON.parse(prevJson);
-              if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-                existingState = prevParsed;
+              if (prevJson !== null) {
+                const prevParsed = JSON.parse(prevJson);
+                if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+                  existingState = prevParsed;
+                }
               }
             }
             const arr = Array.isArray(record) ? record : [record];
@@ -8811,12 +9107,14 @@ var init_collection = __esm({
             crdtState = { _crdt: "yjs", update: record };
           }
           const version2 = existingVersion + 1;
-          const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2);
+          const cek2 = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2, cek2);
           await this.adapter.put(this.vault, this.name, id, envelope2);
           const resolvedRecord = this.crdtStrategy.resolveCrdtSnapshot(crdtState);
-          const existingResolved = existingEnvelope ? { record: await this.decryptRecord(existingEnvelope, { skipValidation: true }), version: existingVersion } : void 0;
+          const existingResolvedRecord = existingEnvelope ? await this.decryptRecord(existingEnvelope, { skipValidation: true }) : null;
+          const existingResolved = existingResolvedRecord !== null ? { record: existingResolvedRecord, version: existingVersion } : void 0;
           if (existingResolved && this.historyConfig.enabled !== false) {
-            const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version);
+            const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version, cek2);
             await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, histEnvelope);
             this.emitter.emit("history:save", { vault: this.vault, collection: this.name, id, version: existingResolved.version });
             if (this.historyConfig.maxVersions) {
@@ -8862,7 +9160,9 @@ var init_collection = __esm({
             const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
             if (previousEnvelope) {
               const previousRecord = await this.decryptRecord(previousEnvelope);
-              existing = { record: previousRecord, version: previousEnvelope._v };
+              if (previousRecord !== null) {
+                existing = { record: previousRecord, version: previousEnvelope._v };
+              }
             }
           }
         } else {
@@ -8871,8 +9171,9 @@ var init_collection = __esm({
         }
         const version = existing ? existing.version + 1 : 1;
         this.uniqueConstraints?.check(id, record);
+        const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
         if (existing && this.historyConfig.enabled !== false) {
-          const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+          const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
           await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
           this.emitter.emit("history:save", {
             vault: this.vault,
@@ -8886,7 +9187,7 @@ var init_collection = __esm({
             });
           }
         }
-        const envelope = await this.encryptRecord(record, version);
+        const envelope = await this.encryptRecord(record, version, cek);
         await this.adapter.put(this.vault, this.name, id, envelope);
         if (this.ledger) {
           const appendInput = {
@@ -9122,11 +9423,14 @@ var init_collection = __esm({
         let count = 0;
         for (const id of ids) {
           const env = await this.adapter.get(this.vault, this.name, id);
-          if (!env) continue;
-          const record = await this.decryptRecord(env, { skipValidation: true });
+          if (!env || isTombstone(env, this.encrypted)) continue;
+          const decoded = await this.decryptRecord(env, { skipValidation: true, id });
+          if (decoded === null) continue;
+          const record = decoded;
           const next = transform(record);
           const nextVersion = (env._v ?? 0) + 1;
-          const newEnv = await this.encryptRecord(next, nextVersion);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          const newEnv = await this.encryptRecord(next, nextVersion, cek);
           await this.adapter.put(this.vault, this.name, id, newEnv);
           await this._invalidateCacheEntry(id);
           if (this.ledger) {
@@ -9238,14 +9542,17 @@ var init_collection = __esm({
             const previousEnvelope2 = await this.adapter.get(this.vault, this.name, id);
             if (previousEnvelope2) {
               const previousRecord = await this.decryptRecord(previousEnvelope2);
-              existing = { record: previousRecord, version: previousEnvelope2._v };
+              if (previousRecord !== null) {
+                existing = { record: previousRecord, version: previousEnvelope2._v };
+              }
             }
           }
         } else {
           existing = this.cache.get(id);
         }
         if (existing && this.historyConfig.enabled !== false) {
-          const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
           await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
         }
         const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
@@ -9286,6 +9593,50 @@ var init_collection = __esm({
           await this.dispatchArrayDerivationsOnDelete(id);
         }
       }
+      /**
+       * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+       *
+       * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+       * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+       * the body — and (via {@link tombstoneHistory}) every history version under
+       * the same CEK — is permanently undecryptable; the collection DEK and every
+       * other record are untouched. `_det` is stripped too, so `findByDet` no
+       * longer matches the shredded record (avoiding a post-shred TamperedError).
+       *
+       * Unlike `delete()`/`_internalDelete`, this:
+       *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+       *     erasure, not a domain delete — re-running those would be wrong),
+       *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+       *     single `op:'forget'` summary for the whole subject),
+       *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+       *     so the version counter + "record existed" survive for audit.
+       *
+       * Idempotent: returns `null` when the record is absent or already a tombstone.
+       * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+       * lazy LRU, and the per-record CEK cache for this id.
+       */
+      /**
+       * @internal — decrypt an envelope to a plain record for subject-index
+       * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+       * Skips schema validation — the rebuild only reads the subject field.
+       */
+      async _decodeEnvelope(envelope, id) {
+        try {
+          const rec = await this.decryptRecord(envelope, { skipValidation: true, id });
+          return rec === null ? null : rec;
+        } catch {
+          return null;
+        }
+      }
+      async _writeTombstone(id, actor) {
+        const live = await this.adapter.get(this.vault, this.name, id);
+        if (!live || isTombstone(live, this.encrypted)) return null;
+        await this.adapter.put(this.vault, this.name, id, buildTombstone(live._v, actor));
+        this.cache.delete(id);
+        this.lru?.remove(id);
+        this.cekCache?.remove(id);
+        return { previousVersion: live._v };
+      }
       /**
        * Cascade deletes of array-shape derived rows when a source row is
        * deleted. Reads each registered strategy's fanout sidecar
@@ -9698,6 +10049,7 @@ var init_collection = __esm({
         const entries = [];
         for (const env of envelopes) {
           const record = await this.decryptRecord(env, { skipValidation: true });
+          if (record === null) continue;
           entries.push({
             version: env._v,
             timestamp: env._ts,
@@ -9834,6 +10186,7 @@ var init_collection = __esm({
           const envelope = await this.adapter.get(this.vault, this.name, id);
           if (envelope) {
             const record = await this.decryptRecord(envelope);
+            if (record === null) continue;
             items.push(record);
             if (!this.lazy && !this.cache.has(id)) {
               this.cache.set(id, { record, version: envelope._v });
@@ -9910,6 +10263,7 @@ var init_collection = __esm({
         const out = [];
         for (const { id, envelope } of items) {
           const record = await this.decryptRecord(envelope);
+          if (record === null) continue;
           out.push({ id, record, version: envelope._v });
         }
         return out;
@@ -9931,6 +10285,18 @@ var init_collection = __esm({
        * the cache entry (record still present) or deletes it (record was
        * gone before the tx and the revert deleted it again).
        */
+      /**
+       * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+       * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+       * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+       * the post-rotation body). Eviction must be synchronous with the live-envelope
+       * rewrite so no concurrent read observes the old CEK. Paired with
+       * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+       * No-op when the collection is not `perRecordKeys`.
+       */
+      _invalidateCekCacheEntry(id) {
+        this.cekCache?.remove(id);
+      }
       async _invalidateCacheEntry(id) {
         if (this.lazy && this.lru) {
           this.lru.remove(id);
@@ -9948,6 +10314,14 @@ var init_collection = __esm({
           return;
         }
         const record = await this.decryptRecord(envelope);
+        if (record === null) {
+          this.cache.delete(id);
+          if (previous) {
+            this.indexes?.remove(id, previous.record);
+            this.uniqueConstraints?.remove(id, previous.record);
+          }
+          return;
+        }
         this.cache.set(id, { record, version: envelope._v });
         this.indexes?.upsert(id, record, previous ? previous.record : null);
         this.uniqueConstraints?.upsert(id, record, previous?.record);
@@ -9972,8 +10346,9 @@ var init_collection = __esm({
         const ids = await this.adapter.list(this.vault, this.name);
         for (const id of ids) {
           const envelope = await this.adapter.get(this.vault, this.name, id);
-          if (envelope) {
-            const record = await this.decryptRecord(envelope);
+          if (envelope && !isTombstone(envelope, this.encrypted)) {
+            const record = await this.decryptRecord(envelope, { id });
+            if (record === null) continue;
             this.cache.set(id, { record, version: envelope._v });
           }
         }
@@ -9984,7 +10359,9 @@ var init_collection = __esm({
       /** Hydrate from a pre-loaded snapshot (used by Vault). */
       async hydrateFromSnapshot(records) {
         for (const [id, envelope] of Object.entries(records)) {
-          const record = await this.decryptRecord(envelope);
+          if (isTombstone(envelope, this.encrypted)) continue;
+          const record = await this.decryptRecord(envelope, { id });
+          if (record === null) continue;
           this.cache.set(id, { record, version: envelope._v });
         }
         this.hydrated = true;
@@ -10072,6 +10449,7 @@ var init_collection = __esm({
           const envelope = await this.adapter.get(this.vault, this.name, recordId2);
           if (!envelope) continue;
           const record = await this.decryptRecord(envelope, { skipValidation: true });
+          if (record === null) continue;
           await this.maintainPersistedIndexesOnPut(recordId2, record, null, envelope._v);
         }
         this.persistedIndexesLoaded = true;
@@ -10122,8 +10500,13 @@ var init_collection = __esm({
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env) continue;
           try {
-            const body = JSON.parse(await this.decryptJsonString(env));
-            sidecar.set(decoded.recordId, body.value);
+            const sidecarJson = await this.decryptJsonString(env);
+            if (sidecarJson === null) {
+              sidecar.set(decoded.recordId, void 0);
+            } else {
+              const body = JSON.parse(sidecarJson);
+              sidecar.set(decoded.recordId, body.value);
+            }
           } catch {
             sidecar.set(decoded.recordId, void 0);
           }
@@ -10137,6 +10520,7 @@ var init_collection = __esm({
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env) continue;
           const record = await this.decryptRecord(env, { skipValidation: true });
+          if (record === null) continue;
           const live = readPersistedValue(record, field);
           const stored = sidecar.get(id);
           const hasSidecar = sidecarIds.has(id);
@@ -10219,7 +10603,8 @@ var init_collection = __esm({
           recordId: id,
           getDEK: this.getDEK,
           encrypted: this.encrypted,
-          userId: this.keyring.userId
+          userId: this.keyring.userId,
+          erasableBlobs: this.perRecordCek
         });
       }
       /** Get all records as encrypted envelopes (for dump). */
@@ -10227,7 +10612,8 @@ var init_collection = __esm({
         await this.ensureHydrated();
         const result = {};
         for (const [id, entry] of this.cache) {
-          result[id] = await this.encryptRecord(entry.record, entry.version);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          result[id] = await this.encryptRecord(entry.record, entry.version, cek);
         }
         return result;
       }
@@ -10255,8 +10641,11 @@ var init_collection = __esm({
         if (hasMoney && this.moneyFields) {
           result = decodeMoneyFields(result, this.moneyFields, typeof locale === "string" ? locale : void 0);
         }
-        if (!locale) return result;
-        if (hasI18n && this.i18nFields) {
+        const hasStaticDisplay = hasDict && this.dictKeyFields !== void 0 && Object.values(this.dictKeyFields).some(
+          (d) => isStaticDictDescriptor(d) && d.displayLocale !== void 0
+        );
+        if (!locale && !hasStaticDisplay) return result;
+        if (locale && hasI18n && this.i18nFields) {
           result = this.i18nStrategy.applyI18nLocale(result, this.i18nFields, locale, localeOpts?.fallback);
         }
         if (hasDict && this.dictKeyFields && this.dictLabelResolver && locale !== "raw") {
@@ -10265,13 +10654,23 @@ var init_collection = __esm({
           for (const [field, desc] of Object.entries(this.dictKeyFields)) {
             const policy = desc.onMissing ? resolvePolicy(desc.onMissing, "read") : "null";
             const fallback = policy === "substitute" ? localeOpts?.fallback ?? desc.substitute : localeOpts?.fallback;
+            const effLocale = locale ?? (isStaticDictDescriptor(desc) ? desc.displayLocale : void 0);
             const resolveKey = async (key) => {
-              const label = await resolver(desc.name, key, locale, fallback);
+              if (!effLocale) {
+                if (policy === "throw") {
+                  throw new LocaleNotSpecifiedError(
+                    field,
+                    `dictKey "${field}": no locale active to resolve key "${key}".`
+                  );
+                }
+                return null;
+              }
+              const label = await resolver(desc.name, key, effLocale, fallback);
               if (label === void 0) {
                 if (policy === "throw") {
                   throw new LocaleNotSpecifiedError(
                     field,
-                    `dictKey "${field}": no label for key "${key}" in locale "${locale}".`
+                    `dictKey "${field}": no label for key "${key}" in locale "${effLocale}".`
                   );
                 }
                 return null;
@@ -10428,6 +10827,7 @@ var init_collection = __esm({
           if (!envelope) continue;
           try {
             const json = await this.decryptJsonString(envelope);
+            if (json === null) continue;
             const body = JSON.parse(json);
             if (typeof body.recordId !== "string") continue;
             const rows = byField.get(decoded.field) ?? [];
@@ -10537,7 +10937,31 @@ var init_collection = __esm({
         };
         return new LazyQuery(source);
       }
-      async encryptJsonString(json, version) {
+      /**
+       * Resolve the stable CEK for a record on the WRITE path — see
+       * {@link resolveStableCek}. Thin delegate that supplies the collection's
+       * CEK cache, live-envelope reader, and DEK resolver.
+       */
+      resolveRecordCek(id) {
+        return resolveStableCek(
+          {
+            cache: this.cekCache,
+            getLive: (rid) => this.adapter.get(this.vault, this.name, rid),
+            getDEK: () => this.getDEK(this.name)
+          },
+          id
+        );
+      }
+      /**
+       * Encrypt a JSON body into an envelope.
+       *
+       * When `cek` is supplied (per-record CEK collections), the body is
+       * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+       * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+       * path encrypts the body directly under the collection DEK — byte-identical
+       * to pre-CEK behaviour, so non-adopting collections pay nothing.
+       */
+      async encryptJsonString(json, version, cek) {
         const by = this.keyring.userId;
         if (!this.encrypted) {
           return {
@@ -10550,6 +10974,19 @@ var init_collection = __esm({
           };
         }
         const dek = await this.getDEK(this.name);
+        if (cek !== void 0) {
+          const { iv: iv2, data: data2 } = await encrypt(json, cek);
+          const wrapped = await wrapCek(cek, dek);
+          return {
+            _noydb: NOYDB_FORMAT_VERSION,
+            _v: version,
+            _ts: (/* @__PURE__ */ new Date()).toISOString(),
+            _iv: iv2,
+            _data: data2,
+            _by: by,
+            _cek: wrapped
+          };
+        }
         const { iv, data } = await encrypt(json, dek);
         return {
           _noydb: NOYDB_FORMAT_VERSION,
@@ -10560,8 +10997,8 @@ var init_collection = __esm({
           _by: by
         };
       }
-      async encryptRecord(record, version) {
-        const base = await this.encryptJsonString(JSON.stringify(record), version);
+      async encryptRecord(record, version, cek) {
+        const base = await this.encryptJsonString(JSON.stringify(record), version, cek);
         if (!this.deterministicFields || !this.encrypted) return base;
         const dek = await this.getDEK(this.name);
         const rec = record;
@@ -10639,7 +11076,8 @@ var init_collection = __esm({
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env || !env._det) continue;
           if (env._det[field] === target) {
-            matches.push(await this.decryptRecord(env));
+            const rec = await this.decryptRecord(env);
+            if (rec !== null) matches.push(rec);
           }
         }
         return matches;
@@ -10740,7 +11178,14 @@ var init_collection = __esm({
           return null;
         }
         const dek = await this.getDEK(key);
-        const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+        let plaintext;
+        if (envelope._cek !== void 0) {
+          const cek = await unwrapCek(envelope._cek, dek);
+          this.cekCache?.set(id, cek, 1);
+          plaintext = await decrypt(envelope._iv, envelope._data, cek);
+        } else {
+          plaintext = await decrypt(envelope._iv, envelope._data, dek);
+        }
         const record = JSON.parse(plaintext);
         this.emitCrossTierEvent({
           actor: this.keyring.userId,
@@ -10796,18 +11241,19 @@ var init_collection = __esm({
         const toKey = dekKey(this.name, toTier);
         const fromDek = await this.getDEK(fromKey);
         const toDek = await this.getDEK(toKey);
-        const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-        const { iv, data } = await encrypt(plaintext, toDek);
         const now = (/* @__PURE__ */ new Date()).toISOString();
+        const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+        if (body.cek) this.cekCache?.set(id, body.cek, 1);
         const next = {
           _noydb: NOYDB_FORMAT_VERSION,
           _v: envelope._v + 1,
           _ts: now,
-          _iv: iv,
-          _data: data,
+          _iv: body._iv,
+          _data: body._data,
           _by: this.keyring.userId,
           _tier: toTier,
-          _elevatedBy: this.keyring.userId
+          _elevatedBy: this.keyring.userId,
+          ...body._cek !== void 0 ? { _cek: body._cek } : {}
         };
         await this.adapter.put(this.vault, this.name, id, next);
         this.emitCrossTierEvent({
@@ -10843,17 +11289,18 @@ var init_collection = __esm({
         if (toTier > 0) this.assertDeclaredTier(toTier);
         const fromDek = await this.getDEK(dekKey(this.name, fromTier));
         const toDek = await this.getDEK(dekKey(this.name, toTier));
-        const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-        const { iv, data } = await encrypt(plaintext, toDek);
         const now = (/* @__PURE__ */ new Date()).toISOString();
+        const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+        if (body.cek) this.cekCache?.set(id, body.cek, 1);
         const next = {
           _noydb: NOYDB_FORMAT_VERSION,
           _v: envelope._v + 1,
           _ts: now,
-          _iv: iv,
-          _data: data,
+          _iv: body._iv,
+          _data: body._data,
           _by: this.keyring.userId,
-          ...toTier > 0 && { _tier: toTier }
+          ...toTier > 0 && { _tier: toTier },
+          ...body._cek !== void 0 ? { _cek: body._cek } : {}
         };
         await this.adapter.put(this.vault, this.name, id, next);
         this.emitCrossTierEvent({
@@ -10875,10 +11322,30 @@ var init_collection = __esm({
         } catch {
         }
       }
-      /** Low-level: decrypt an envelope and return the raw JSON string. */
-      async decryptJsonString(envelope) {
+      /**
+       * Low-level: decrypt an envelope and return the raw JSON string.
+       *
+       * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+       * so a mixed vault — and a recipient that never opted into
+       * `perRecordKeys` — decrypts both legacy and CEK records:
+       *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+       *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+       *  - `_cek` absent → legacy path, body decrypts directly under the
+       *    collection DEK.
+       *
+       * The optional `id` lets reads populate the CEK cache; it is omitted by
+       * callers (history, conflict merge) that have only the envelope.
+       */
+      async decryptJsonString(envelope, id) {
+        if (isTombstone(envelope, this.encrypted)) return null;
         if (!this.encrypted) return envelope._data;
         const dek = await this.getDEK(this.name);
+        if (envelope._cek !== void 0) {
+          const cached = id !== void 0 ? this.cekCache?.get(id) : void 0;
+          const cek = cached ?? await unwrapCek(envelope._cek, dek);
+          if (cached === void 0 && id !== void 0) this.cekCache?.set(id, cek, 1);
+          return decrypt(envelope._iv, envelope._data, cek);
+        }
         return decrypt(envelope._iv, envelope._data, dek);
       }
       /**
@@ -10897,7 +11364,8 @@ var init_collection = __esm({
        * false positive. Every non-history read leaves this flag `false`.
        */
       async decryptRecord(envelope, opts = {}) {
-        const json = await this.decryptJsonString(envelope);
+        const json = await this.decryptJsonString(envelope, opts.id);
+        if (json === null) return null;
         let parsed = JSON.parse(json);
         if (this.crdtMode && parsed !== null && typeof parsed === "object" && "_crdt" in parsed) {
           parsed = this.crdtStrategy.resolveCrdtSnapshot(parsed);
@@ -11502,9 +11970,125 @@ var init_numbering = __esm({
   }
 });
 
+// src/forget/strategy.ts
+var NO_FORGET;
+var init_strategy7 = __esm({
+  "src/forget/strategy.ts"() {
+    "use strict";
+    NO_FORGET = { subjects: {} };
+  }
+});
+
+// src/forget/subject-index.ts
+async function sha256HexString(input) {
+  const bytes = new TextEncoder().encode(input);
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+  return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function subjectKey(subjectId) {
+  return sha256HexString(subjectId);
+}
+async function readRefs(adapter, vault, getDEK, encrypted, key) {
+  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key);
+  if (!env || !env._data) return [];
+  if (!encrypted) return JSON.parse(env._data);
+  const dek = await getDEK(SUBJECT_INDEX_COLLECTION);
+  const json = await decrypt(env._iv, env._data, dek);
+  return JSON.parse(json);
+}
+async function writeRefs(adapter, vault, getDEK, encrypted, key, refs) {
+  const json = JSON.stringify(refs);
+  let env;
+  if (!encrypted) {
+    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: (/* @__PURE__ */ new Date()).toISOString(), _iv: "", _data: json };
+  } else {
+    const dek = await getDEK(SUBJECT_INDEX_COLLECTION);
+    const { iv, data } = await encrypt(json, dek);
+    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: (/* @__PURE__ */ new Date()).toISOString(), _iv: iv, _data: data };
+  }
+  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env);
+}
+async function addSubjectRef(adapter, vault, getDEK, encrypted, subjectId, ref) {
+  const key = await subjectKey(subjectId);
+  const refs = await readRefs(adapter, vault, getDEK, encrypted, key);
+  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return;
+  refs.push(ref);
+  await writeRefs(adapter, vault, getDEK, encrypted, key, refs);
+}
+async function removeSubjectRef(adapter, vault, getDEK, encrypted, subjectId, ref) {
+  const key = await subjectKey(subjectId);
+  const refs = await readRefs(adapter, vault, getDEK, encrypted, key);
+  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id));
+  if (next.length === refs.length) return;
+  if (next.length === 0) {
+    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key);
+    return;
+  }
+  await writeRefs(adapter, vault, getDEK, encrypted, key, next);
+}
+async function lookupSubject(adapter, vault, getDEK, encrypted, subjectId) {
+  const key = await subjectKey(subjectId);
+  return readRefs(adapter, vault, getDEK, encrypted, key);
+}
+async function rebuildSubjectIndex(adapter, vault, getDEK, encrypted, subjects, decodeRecord) {
+  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION);
+  for (const k of existing) {
+    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k);
+  }
+  const bySubject = /* @__PURE__ */ new Map();
+  for (const [collection, field] of Object.entries(subjects)) {
+    const ids = await adapter.list(vault, collection);
+    for (const id of ids) {
+      if (id.startsWith("_")) continue;
+      const env = await adapter.get(vault, collection, id);
+      if (!env || !env._data) continue;
+      const record = await decodeRecord(collection, id, env);
+      if (record === null) continue;
+      const subjectValue = readDottedPath(record, field);
+      if (subjectValue === void 0 || subjectValue === null) continue;
+      const subjectId = coerceSubjectId(subjectValue);
+      const list = bySubject.get(subjectId) ?? [];
+      list.push({ collection, id });
+      bySubject.set(subjectId, list);
+    }
+  }
+  let entries = 0;
+  for (const [subjectId, refs] of bySubject) {
+    const key = await subjectKey(subjectId);
+    await writeRefs(adapter, vault, getDEK, encrypted, key, refs);
+    entries++;
+  }
+  return entries;
+}
+function coerceSubjectId(value) {
+  if (typeof value === "string") return value;
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function readDottedPath(record, field) {
+  if (!field.includes(".")) return record[field];
+  let cursor = record;
+  for (const segment of field.split(".")) {
+    if (cursor === null || cursor === void 0) return void 0;
+    cursor = cursor[segment];
+  }
+  return cursor;
+}
+var SUBJECT_INDEX_COLLECTION;
+var init_subject_index = __esm({
+  "src/forget/subject-index.ts"() {
+    "use strict";
+    init_crypto();
+    init_types();
+    SUBJECT_INDEX_COLLECTION = "_subject_index";
+  }
+});
+
 // src/shadow/strategy.ts
 var NOT_ENABLED3, NO_SHADOW;
-var init_strategy7 = __esm({
+var init_strategy8 = __esm({
   "src/shadow/strategy.ts"() {
     "use strict";
     NOT_ENABLED3 = new Error(
@@ -11520,7 +12104,7 @@ var init_strategy7 = __esm({
 
 // src/consent/strategy.ts
 var NO_CONSENT;
-var init_strategy8 = __esm({
+var init_strategy9 = __esm({
   "src/consent/strategy.ts"() {
     "use strict";
     NO_CONSENT = {
@@ -11535,7 +12119,7 @@ var init_strategy8 = __esm({
 
 // src/periods/strategy.ts
 var NOT_ENABLED4, NO_PERIODS;
-var init_strategy9 = __esm({
+var init_strategy10 = __esm({
   "src/periods/strategy.ts"() {
     "use strict";
     NOT_ENABLED4 = new Error(
@@ -11647,18 +12231,6 @@ var init_refs = __esm({
   }
 });
 
-// src/i18n/dictionary.ts
-function isDictCollectionName(name) {
-  return name.startsWith(DICT_COLLECTION_PREFIX);
-}
-var DICT_COLLECTION_PREFIX;
-var init_dictionary = __esm({
-  "src/i18n/dictionary.ts"() {
-    "use strict";
-    DICT_COLLECTION_PREFIX = "_dict_";
-  }
-});
-
 // src/periods/periods.ts
 var PERIODS_COLLECTION;
 var init_periods = __esm({
@@ -13627,6 +14199,19 @@ var init_delegation = __esm({
 });
 
 // src/vault.ts
+function resolveLabelFromMap(labels, locale, fallback) {
+  if (labels[locale] !== void 0) return labels[locale];
+  const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
+  for (const fb of chain) {
+    if (fb === "any") {
+      const any = Object.values(labels)[0];
+      if (any !== void 0) return any;
+    } else if (labels[fb] !== void 0) {
+      return labels[fb];
+    }
+  }
+  return void 0;
+}
 var Vault, ELEVATION_AUDIT_COLLECTION, ElevatedHandle;
 var init_vault = __esm({
   "src/vault.ts"() {
@@ -13645,8 +14230,11 @@ var init_vault = __esm({
     init_entry();
     init_strategy3();
     init_strategy7();
+    init_subject_index();
+    init_errors();
     init_strategy8();
     init_strategy9();
+    init_strategy10();
     init_refs();
     init_dictionary();
     init_core();
@@ -13655,6 +14243,7 @@ var init_vault = __esm({
     init_errors();
     init_periods2();
     init_crypto();
+    init_record_keys();
     init_export_blobs();
     init_blob_compaction();
     init_magic_link_grant();
@@ -13710,6 +14299,7 @@ var init_vault = __esm({
       periodsStrategy;
       shadowStrategy;
       historyStrategy;
+      forgetStrategy;
       i18nStrategy;
       syncStrategy;
       /**
@@ -13876,6 +14466,27 @@ var init_vault = __esm({
        * Populated by `collection()` when the `dictKeyFields` option is passed.
        */
       dictKeyFieldRegistry = /* @__PURE__ */ new Map();
+      /**
+       * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+       * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+       * vault must still *know* a name is static so `vault.dictionary(name)` can
+       * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+       * config time whenever a `StaticDictDescriptor` is seen.
+       */
+      staticDictNames = /* @__PURE__ */ new Set();
+      /**
+       * Static-dict descriptors keyed by dictionary name (#291). Backs the
+       * read-path label resolver (resolve from the in-memory table) and the
+       * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+       * name is registered by multiple collections (identical-across-vaults by
+       * construction, so the tables match).
+       */
+      staticByName = /* @__PURE__ */ new Map();
+      /**
+       * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+       * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+       */
+      staticDescriptorByField = /* @__PURE__ */ new Map();
       /**
        * Registry of i18nText fields declared across all collections. Keyed
        * by collection name → field name → I18nTextDescriptor. Used by
@@ -13922,6 +14533,7 @@ var init_vault = __esm({
         this.periodsStrategy = opts.periodsStrategy ?? NO_PERIODS;
         this.shadowStrategy = opts.shadowStrategy ?? NO_SHADOW;
         this.historyStrategy = opts.historyStrategy ?? NO_HISTORY;
+        this.forgetStrategy = opts.forgetStrategy ?? NO_FORGET;
         this.i18nStrategy = opts.i18nStrategy ?? NO_I18N;
         this.syncStrategy = opts.syncStrategy ?? NO_SYNC;
         void opts.guardStrategies;
@@ -14026,10 +14638,22 @@ var init_vault = __esm({
           }
           if (options?.dictKeyFields) {
             const dictFieldMap = {};
+            const staticFieldMap = {};
             for (const [field, desc] of Object.entries(options.dictKeyFields)) {
-              dictFieldMap[field] = desc.name;
+              if (isStaticDictDescriptor(desc)) {
+                staticFieldMap[field] = desc;
+                this.staticDictNames.add(desc.name);
+                this.staticByName.set(desc.name, desc);
+              } else {
+                dictFieldMap[field] = desc.name;
+              }
+            }
+            if (Object.keys(dictFieldMap).length > 0) {
+              this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
+            }
+            if (Object.keys(staticFieldMap).length > 0) {
+              this.staticDescriptorByField.set(collectionName, staticFieldMap);
             }
-            this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
           }
           if ((options?.schemaUpdate?.length ?? 0) > 0) {
             this.#schemaUpdateNames.set(collectionName, (options.schemaUpdate ?? []).map((s) => s.name));
@@ -14131,6 +14755,17 @@ var init_vault = __esm({
           if (options?.acknowledgeDeterministicRisk !== void 0) {
             collOpts.acknowledgeDeterministicRisk = options.acknowledgeDeterministicRisk;
           }
+          if (options?.perRecordKeys !== void 0) {
+            collOpts.perRecordKeys = options.perRecordKeys;
+          }
+          if (this.forgetStrategy.subjects[collectionName] !== void 0) {
+            if (options?.perRecordKeys === false) {
+              console.warn(
+                `[noy-db] Collection "${collectionName}" is declared in withForgetCascade but opened with perRecordKeys: false. Forcing perRecordKeys: true \u2014 GDPR crypto-shred requires per-record CEKs.`
+              );
+            }
+            collOpts.perRecordKeys = true;
+          }
           if (options?.tiers !== void 0) collOpts.tiers = options.tiers;
           if (options?.tierMode !== void 0) collOpts.tierMode = options.tierMode;
           collOpts.onCrossTierAccess = (event) => this.emitCrossTier(event);
@@ -14140,6 +14775,11 @@ var init_vault = __esm({
           if (options?.computed !== void 0) collOpts.computed = options.computed;
           if (options?.dictKeyFields !== void 0) {
             collOpts.dictLabelResolver = async (dictName, key, locale, fallback) => {
+              const stat = this.staticByName.get(dictName);
+              if (stat) {
+                const labels = stat.table[key];
+                return labels ? resolveLabelFromMap(labels, locale, fallback) : void 0;
+              }
               const handle = this.dictionary(dictName);
               return handle.resolveLabel(key, locale, fallback);
             };
@@ -14148,6 +14788,7 @@ var init_vault = __esm({
           if (options?.i18nFields !== void 0 || options?.dictKeyFields !== void 0) {
             collOpts.i18nPutValidator = (record) => {
               this.enforceI18nOnPut(collectionName, record);
+              this.enforceStaticDictOnPut(collectionName, record);
             };
           }
           if (options?.i18nFields !== void 0 && this.translateText) {
@@ -14287,6 +14928,34 @@ var init_vault = __esm({
           }
         }
       }
+      /**
+       * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+       * field, every stored code must be a declared key of the descriptor's
+       * table, else `UnknownDictCodeError`. Opt out per descriptor with
+       * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+       * field paths via `getAtPath` (same path support as i18n validation).
+       */
+      enforceStaticDictOnPut(collectionName, record) {
+        const staticFields = this.staticDescriptorByField.get(collectionName);
+        if (!staticFields || Object.keys(staticFields).length === 0) return;
+        if (!record || typeof record !== "object") return;
+        const obj = record;
+        for (const [field, desc] of Object.entries(staticFields)) {
+          if (desc.validateCodes === false) continue;
+          const known = new Set(desc.keys);
+          const values = getAtPath(obj, field);
+          for (const value of values) {
+            if (value === void 0 || value === null) continue;
+            const codes = Array.isArray(value) ? value : [value];
+            for (const code of codes) {
+              if (typeof code !== "string") continue;
+              if (!known.has(code)) {
+                throw new UnknownDictCodeError(desc.name, field, code);
+              }
+            }
+          }
+        }
+      }
       /**
        * Apply locale resolution to a record for the given collection.
        *
@@ -14295,14 +14964,18 @@ var init_vault = __esm({
        */
       async applyLocale(collectionName, record, localeOpts) {
         const locale = localeOpts.locale ?? this.locale;
-        if (!locale) return record;
+        const staticFields = this.staticDescriptorByField.get(collectionName);
+        const hasStaticDisplay = staticFields !== void 0 && Object.values(staticFields).some((d) => d.displayLocale !== void 0);
+        if (!locale && !hasStaticDisplay) return record;
         let result = record;
-        const i18nFields = this.i18nFieldRegistry.get(collectionName);
-        if (i18nFields && Object.keys(i18nFields).length > 0) {
-          result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+        if (locale) {
+          const i18nFields = this.i18nFieldRegistry.get(collectionName);
+          if (i18nFields && Object.keys(i18nFields).length > 0) {
+            result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+          }
         }
         const dictFields = this.dictKeyFieldRegistry.get(collectionName);
-        if (dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
+        if (locale && dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
           const withLabels = { ...result };
           for (const [field, dictName] of Object.entries(dictFields)) {
             const key = result[field];
@@ -14315,6 +14988,22 @@ var init_vault = __esm({
           }
           result = withLabels;
         }
+        if (staticFields && Object.keys(staticFields).length > 0 && locale !== "raw") {
+          const withLabels = { ...result };
+          for (const [field, desc] of Object.entries(staticFields)) {
+            const effLocale = locale ?? desc.displayLocale;
+            if (!effLocale) continue;
+            const key = result[field];
+            if (typeof key !== "string") continue;
+            const labels = desc.table[key];
+            if (!labels) continue;
+            const label = resolveLabelFromMap(labels, effLocale, localeOpts.fallback ?? desc.substitute);
+            if (label !== void 0) {
+              withLabels[`${field}Label`] = label;
+            }
+          }
+          result = withLabels;
+        }
         return result;
       }
       /**
@@ -14336,6 +15025,9 @@ var init_vault = __esm({
        * ```
        */
       dictionary(name, options = {}) {
+        if (this.staticDictNames.has(name)) {
+          throw new StaticDictReadonlyError(name);
+        }
         let handle = this.dictionaryCache.get(name);
         if (!handle) {
           handle = this.i18nStrategy.buildDictionaryHandle({
@@ -14405,6 +15097,26 @@ var init_vault = __esm({
        * Returns `null` when `field` is not a dictKey in `leftCollection`.
        */
       resolveDictSource(leftCollection, field) {
+        const staticFields = this.staticDescriptorByField.get(leftCollection);
+        if (staticFields && field in staticFields) {
+          const desc = staticFields[field];
+          const rows = Object.entries(desc.table).map(
+            ([key, labels]) => ({ key, labels, ...labels })
+          );
+          const source = {
+            snapshot() {
+              return rows;
+            },
+            lookupById(id) {
+              return rows.find((e) => e["key"] === id);
+            }
+          };
+          if (desc.displayLocale !== void 0) {
+            ;
+            source.displayLocale = desc.displayLocale;
+          }
+          return source;
+        }
         const dictFields = this.dictKeyFieldRegistry.get(leftCollection);
         if (!dictFields || !(field in dictFields)) return null;
         const dictName = dictFields[field];
@@ -15048,6 +15760,218 @@ var init_vault = __esm({
         }
         return this.ledgerStore;
       }
+      // ─── GDPR right-to-erasure (#304) ────────────────────────────────
+      /** @internal — add a subject→record ref to the encrypted subject index. */
+      async _addSubjectRef(subjectId, ref) {
+        await addSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref);
+      }
+      /** @internal — drop a subject→record ref from the encrypted subject index. */
+      async _removeSubjectRef(subjectId, ref) {
+        await removeSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref);
+      }
+      /**
+       * Rebuild the encrypted subject index from canonical records. The recovery
+       * path for the documented read-modify-write race (RISK #3). Returns the
+       * number of distinct subjects re-indexed.
+       */
+      async rebuildSubjectIndex() {
+        if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+          throw new ForgetStrategyNotConfiguredError();
+        }
+        return rebuildSubjectIndex(
+          this.adapter,
+          this.name,
+          this.getDEK,
+          this.encrypted,
+          this.forgetStrategy.subjects,
+          async (collectionName, id, env) => {
+            const coll = this.collection(collectionName);
+            return coll._decodeEnvelope(env, id);
+          }
+        );
+      }
+      /**
+       * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+       * index and, per matching record:
+       *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+       *   - tombstones every `_history` version of the record,
+       * so the body and all prior versions become permanently undecryptable while
+       * the collection DEK and every OTHER record stay intact. Then appends ONE
+       * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+       * the chain still `verify()`s, PROVING the subject existed and was erased
+       * without retaining any plaintext.
+       *
+       * Reports — but does not silently swallow — two completeness gaps:
+       *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+       *     per-record CEK (legacy body still under the shared collection DEK). It
+       *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+       *     backup before migration) stays decryptable. Migrate, then re-forget.
+       *   - `blobResidueCollections`: a shredded record still has blob attachments,
+       *     which are keyed off a separate `_blob` DEK and are out of scope here.
+       *
+       * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+       */
+      async forget(subjectId) {
+        if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+          throw new ForgetStrategyNotConfiguredError();
+        }
+        const refs = await lookupSubject(this.adapter, this.name, this.getDEK, this.encrypted, subjectId);
+        let recordsShredded = 0;
+        let historyVersionsShredded = 0;
+        const collections = /* @__PURE__ */ new Set();
+        const unmigratedRecords = [];
+        const blobResidueCollections = /* @__PURE__ */ new Set();
+        let blobsShredded = 0;
+        let blobsRetainedShared = 0;
+        const blobsEnabled = this.blobStrategy !== void 0;
+        const actor = this.keyring.userId;
+        for (const ref of refs) {
+          const coll = this.collection(ref.collection);
+          const perRecordKeys = this.forgetStrategy.subjects[ref.collection] !== void 0;
+          const live = await this.adapter.get(this.name, ref.collection, ref.id);
+          if (perRecordKeys && live && live._data && live._cek === void 0) {
+            unmigratedRecords.push(`${ref.collection}:${ref.id}`);
+          }
+          const shred = await coll._writeTombstone(ref.id, actor);
+          if (shred !== null) {
+            recordsShredded++;
+            collections.add(ref.collection);
+          }
+          historyVersionsShredded += await this.historyStrategy.tombstoneHistory(
+            this.adapter,
+            this.name,
+            ref.collection,
+            ref.id,
+            actor
+          );
+          if (blobsEnabled) {
+            const r = await this.collection(ref.collection).blob(ref.id).shredAllForRecord();
+            blobsShredded += r.shredded.length;
+            blobsRetainedShared += r.retainedShared.length;
+            if (r.residue.length > 0) blobResidueCollections.add(ref.collection);
+          } else {
+            try {
+              const slotIds = await this.adapter.list(this.name, `_blob_slots_${ref.collection}`);
+              if (slotIds.includes(ref.id)) blobResidueCollections.add(ref.collection);
+            } catch {
+            }
+          }
+          await this._removeSubjectRef(subjectId, ref);
+        }
+        const subjectHash = await sha256Hex3(subjectId);
+        const ledger = this.getLedgerOrNull();
+        if (!ledger) {
+          throw new Error(
+            'vault.forget() requires the history strategy for the erasure-proof ledger entry. Pass `historyStrategy: withHistory()` from "@noy-db/hub/history" to createNoydb().'
+          );
+        }
+        const ledgerEntry = await ledger.append({
+          op: "forget",
+          collection: "",
+          id: "",
+          version: 0,
+          actor,
+          payloadHash: subjectHash,
+          reason: JSON.stringify({
+            recordsShredded,
+            historyVersionsShredded,
+            collections: [...collections],
+            unmigratedCount: unmigratedRecords.length,
+            blobsShredded,
+            blobsRetainedShared,
+            blobResidueCollections: [...blobResidueCollections]
+          })
+        });
+        return {
+          subject: subjectId,
+          recordsShredded,
+          historyVersionsShredded,
+          collections: [...collections],
+          unmigratedRecords,
+          blobsShredded,
+          blobsRetainedShared,
+          blobResidueCollections: [...blobResidueCollections],
+          ledgerEntry
+        };
+      }
+      // ─── Record-scoped CEK sealing (#306 slices 2-3) ──────────────────────
+      /**
+       * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+       * host — and only that host — can decrypt exactly that record, with no
+       * access to the vault DEK and no ability to read any other record.
+       *
+       * The grantor (this caller, who holds the collection DEK) reads the record's
+       * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+       * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+       * seals that binding for the recipient host via the host's published hint,
+       * and persists a thin {@link SealedCekDeliveryEnvelope} at
+       * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+       * envelope) is the security boundary: the host re-verifies `{collection, id}`
+       * and `expiresAt` from inside the sealed payload.
+       *
+       * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+       * seal (its body is under the shared collection DEK, which is never exposed
+       * by sealing) → {@link RecordCekNotFoundError}.
+       *
+       * @param collection Collection holding the record.
+       * @param id         Record id.
+       * @param hostSealer The recipient host's {@link RecipientSealer}.
+       * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+       *   the binding the host verifies.
+       * @returns `{ pid, envelopeKey }` — the host provider id and the
+       *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+       */
+      async sealRecordToHost(collection, id, hostSealer, opts) {
+        return sealRecordToHost(this.sealingContext(), collection, id, hostSealer, opts);
+      }
+      /**
+       * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+       * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+       * that already fetched the envelope keeps whatever it cached. For a hard
+       * revocation that makes the live record undecryptable to every prior grant,
+       * use {@link rotateRecordCek}.
+       */
+      async revokeSealedRecord(collection, id, pid) {
+        return revokeSealedRecord(this.sealingContext(), collection, id, pid);
+      }
+      /**
+       * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+       * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+       * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+       * record. After this, any host holding a previously-sealed CEK can still
+       * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+       * the rotated live record (its body is under the new CEK → the old CEK fails
+       * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+       * old grants lose the live record.
+       *
+       * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+       * history snapshot, no materialized-view refresh): rotation is a key-rotation
+       * operation, not a business write, and must not version-bump history (which
+       * would re-encrypt the prior version under the NEW CEK and defeat the point).
+       *
+       * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+       */
+      async rotateRecordCek(collection, id) {
+        return rotateRecordCek(this.sealingContext(), collection, id);
+      }
+      /**
+       * Build the {@link SealingContext} the record-keys grantor functions need:
+       * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+       * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+       */
+      sealingContext() {
+        return {
+          adapter: this.adapter,
+          vault: this.name,
+          getDEK: (collection) => this.getDEK(collection),
+          actor: this.keyring.userId,
+          invalidateRecordCaches: async (collection, id) => {
+            const coll = this.collection(collection);
+            coll._invalidateCekCacheEntry(id);
+            await coll._invalidateCacheEntry(id);
+          }
+        };
+      }
       /**
        * @internal — called by `Noydb.openVault` after construction.
        * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -17150,7 +18074,7 @@ var init_unlock_state = __esm({
 
 // src/snapshots/strategy.ts
 var NOT_ENABLED5, NO_SNAPSHOTS;
-var init_strategy10 = __esm({
+var init_strategy11 = __esm({
   "src/snapshots/strategy.ts"() {
     "use strict";
     NOT_ENABLED5 = new Error(
@@ -17291,7 +18215,7 @@ var init_scheduler = __esm({
 
 // src/tx/strategy.ts
 var NOT_ENABLED6, NO_TX;
-var init_strategy11 = __esm({
+var init_strategy12 = __esm({
   "src/tx/strategy.ts"() {
     "use strict";
     NOT_ENABLED6 = new Error(
@@ -17327,7 +18251,7 @@ function notEnabled4(op) {
   );
 }
 var NO_SESSION;
-var init_strategy12 = __esm({
+var init_strategy13 = __esm({
   "src/session/strategy.ts"() {
     "use strict";
     NO_SESSION = {
@@ -18553,12 +19477,14 @@ var init_noydb = __esm({
     init_authenticators();
     init_unlock_state();
     init_sync_strategy();
-    init_strategy10();
+    init_strategy11();
     init_scheduler();
     init_transaction();
-    init_strategy11();
-    init_sync_policy();
     init_strategy12();
+    init_strategy7();
+    init_subject_index();
+    init_sync_policy();
+    init_strategy13();
     init_policy3();
     ROLE_RANK = {
       client: 1,
@@ -18614,6 +19540,7 @@ var init_noydb = __esm({
       policyEnforcers = /* @__PURE__ */ new Map();
       vaultTemplates = /* @__PURE__ */ new Map();
       txStrategy;
+      forgetStrategy;
       sessionStrategy;
       syncStrategy;
       snapshotStrategy;
@@ -18641,6 +19568,7 @@ var init_noydb = __esm({
       constructor(options) {
         this.options = options;
         this.txStrategy = options.txStrategy ?? NO_TX;
+        this.forgetStrategy = options.forgetStrategy ?? NO_FORGET;
         this.sessionStrategy = options.sessionStrategy ?? NO_SESSION;
         this.syncStrategy = options.syncStrategy ?? NO_SYNC;
         this.snapshotStrategy = options.snapshotStrategy ?? NO_SNAPSHOTS;
@@ -18651,8 +19579,61 @@ var init_noydb = __esm({
         }
         this.#registerGuardGate();
         this.#registerPeriodGate();
+        this.#registerForgetHooks();
         this.resetSessionTimer();
       }
+      /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+      get _forgetStrategy() {
+        return this.forgetStrategy;
+      }
+      // #304 — GDPR subject-index maintenance. When `withForgetCascade` declares
+      // any subject fields, keep the encrypted `_subject_index` in lock-step with
+      // writes so `vault.forget(subjectId)` can find every record for a subject.
+      //
+      // Two consumers are required because they cover disjoint events:
+      //   - onAfterWrite fires on create/update (NOT delete) — add the new ref;
+      //     on an update that changed the subject value, drop the stale ref.
+      //   - the subsystemBus `afterDelete` observer fires on delete (onAfterWrite
+      //     does NOT) — drop the ref so a deleted record never lingers in the
+      //     index (RISK #2). Without it, forget() would try to shred a ghost.
+      #registerForgetHooks() {
+        const subjects = this.forgetStrategy.subjects;
+        if (Object.keys(subjects).length === 0) return;
+        const subjectFieldFor = (collection) => subjects[collection];
+        this.writeHooks.onAfterWrite(async (event) => {
+          const field = subjectFieldFor(event.collection);
+          if (field === void 0) return;
+          const vault = this.vaultCache.get(event.vault);
+          if (!vault) return;
+          if (event.after !== null && typeof event.after === "object") {
+            const subjectValue = readDottedPath(event.after, field);
+            if (subjectValue !== void 0 && subjectValue !== null) {
+              await vault._addSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+            }
+          }
+          if (event.op === "update" && event.before !== null && typeof event.before === "object") {
+            const beforeValue = readDottedPath(event.before, field);
+            const afterValue = event.after !== null && typeof event.after === "object" ? readDottedPath(event.after, field) : void 0;
+            const beforeId = beforeValue === void 0 || beforeValue === null ? void 0 : coerceSubjectId(beforeValue);
+            const afterId = afterValue === void 0 || afterValue === null ? void 0 : coerceSubjectId(afterValue);
+            if (beforeId !== void 0 && beforeId !== afterId) {
+              await vault._removeSubjectRef(beforeId, { collection: event.collection, id: event.docId });
+            }
+          }
+        });
+        this.subsystemBus.register("afterDelete", async (event) => {
+          const field = subjectFieldFor(event.collection);
+          if (field === void 0) return;
+          const vault = this.vaultCache.get(event.vault);
+          if (!vault) return;
+          if (event.before !== null && typeof event.before === "object") {
+            const subjectValue = readDottedPath(event.before, field);
+            if (subjectValue !== void 0 && subjectValue !== null) {
+              await vault._removeSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+            }
+          }
+        });
+      }
       // Track A — guards migration. Registers record-lock / field-freeze / onDelete
       // / amendment-collect as gate-bus handlers (only when guards are opted in, so
       // the write path is zero-cost otherwise). Resolves the live vault's
@@ -18873,6 +19854,7 @@ var init_noydb = __esm({
           ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
           ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
           ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+          forgetStrategy: this.forgetStrategy,
           locale: opts?.locale,
           // Thread the translator hook so Collection.put() can invoke it
           plaintextTranslator: this.options.plaintextTranslator ? (text, from, to, field, collection) => this.invokeTranslator(text, from, to, field, collection) : void 0,
@@ -18927,7 +19909,8 @@ var init_noydb = __esm({
             ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
             ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
             ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
-            ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {}
+            ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+            forgetStrategy: this.forgetStrategy
           });
           this.vaultCache.set(name, comp2);
           return comp2;
@@ -21712,6 +22695,7 @@ async function describeExtraction(vault, opts) {
 // src/bundle/extract-partition.ts
 init_types();
 init_crypto();
+init_record_keys();
 init_errors();
 init_ulid();
 init_storage2();
@@ -21731,6 +22715,14 @@ async function reKeyClosure(vault, closure) {
     for (const id of ids) {
       const env = await adapter.get(vaultName, collectionName, id);
       if (!env) continue;
+      if (env._cek !== void 0) {
+        const cek = await unwrapCek(env._cek, srcDek);
+        const plaintext2 = await decrypt(env._iv, env._data, cek);
+        const { iv: iv2, data: data2 } = await encrypt(plaintext2, cek);
+        const wrapped = await wrapCek(cek, destDek);
+        out[id] = { ...env, _iv: iv2, _data: data2, _cek: wrapped };
+        continue;
+      }
       const plaintext = await decrypt(env._iv, env._data, srcDek);
       const { iv, data } = await encrypt(plaintext, destDek);
       out[id] = { ...env, _iv: iv, _data: data };