@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.18

package/dist/{chunk-667MB6AH.js → chunk-F2IJ2HGD.js}

@@ -7,37 +7,68 @@ import {
 import {
   TxContext,
   revertExecuted
-} from "./chunk-QVIEAYTP.js";
+} from "./chunk-TFAN3NFD.js";
 import {
   OverlayedCollection
-} from "./chunk-VLMPU56Q.js";
+} from "./chunk-TTS3RWL5.js";
+import {
+  NO_AGGREGATE,
+  Query,
+  ScanBuilder,
+  canonicalizeIncomingMoney,
+  canonicalizeStoredMoney,
+  decodeMoneyFields,
+  quantizeMoneyFields,
+  validateMoneyFieldPaths
+} from "./chunk-647TFNYL.js";
+import {
+  EXPORT_AUDIT_COLLECTION,
+  createExportBlobsHandle,
+  runCompaction
+} from "./chunk-BUBJYIZ7.js";
 import {
   LazyQuery,
   decodeIdxId,
   encodeIdxId
-} from "./chunk-CZI2A4MQ.js";
+} from "./chunk-RQFG2YSV.js";
+import {
+  canonicalGroupKey
+} from "./chunk-32XVU2LT.js";
+import {
+  readPath
+} from "./chunk-RZWQNMMP.js";
 import {
   SCHEMAS_COLLECTION,
   loadPersistedSchema,
   resolveManagedSecret,
   savePersistedSchema,
   saveSealedPassphrase
-} from "./chunk-GNI5STXQ.js";
+} from "./chunk-P57D4KBG.js";
 import {
   loadPublicEnvelope,
   readPublicEnvelope,
   savePublicEnvelope,
   validatePublicEnvelopeInput
-} from "./chunk-OB2ZJQ2D.js";
+} from "./chunk-PGVEL5IZ.js";
+import {
+  buildTombstone,
+  isTombstone,
+  resolveStableCek,
+  revokeSealedRecord,
+  rewrapBodyToDek,
+  rotateRecordCek,
+  sealRecordToHost
+} from "./chunk-45643PAU.js";
 import {
   PERIODS_COLLECTION
-} from "./chunk-QSUK7YWK.js";
+} from "./chunk-4UI5T3K7.js";
 import {
   getAtPath,
   isDictCollectionName,
+  isStaticDictDescriptor,
   resolvePolicy,
   setAtPathInPlace
-} from "./chunk-7BQ4QWYX.js";
+} from "./chunk-KOURQXIU.js";
 import {
   ManagedRecoveryNotEnrolledError,
   PolicyDeniedError,
@@ -59,11 +90,11 @@ import {
   saveShamirRecoveryEntries,
   updateAuthenticator,
   writeMagicLinkGrant
-} from "./chunk-DLZ2ONOD.js";
+} from "./chunk-IQ4GMEYZ.js";
 import {
   assertTierAccess,
   dekKey
-} from "./chunk-4TBBMHVC.js";
+} from "./chunk-6YEC7LLO.js";
 import {
   USER_ENVELOPE_COLLECTION,
   assertKeyringOpenAllowed,
@@ -88,7 +119,7 @@ import {
   rotateKeys,
   saveUserEnvelope,
   updateKeyringIdentity
-} from "./chunk-6H2ZUNR7.js";
+} from "./chunk-FQRAYDS4.js";
 import {
   INDEXED_STORE_POLICY
 } from "./chunk-2QR2PQTT.js";
@@ -98,49 +129,41 @@ import {
 import {
   LEDGER_COLLECTION,
   LEDGER_DELTAS_COLLECTION
-} from "./chunk-BR3AMFGS.js";
+} from "./chunk-MGB67HKX.js";
 import {
   sha256Hex as sha256Hex2
-} from "./chunk-Z6FNBOTC.js";
-import {
-  NO_AGGREGATE,
-  Query,
-  ScanBuilder,
-  canonicalizeIncomingMoney,
-  canonicalizeStoredMoney,
-  decodeMoneyFields,
-  quantizeMoneyFields,
-  validateMoneyFieldPaths
-} from "./chunk-DUREQF5W.js";
-import {
-  canonicalGroupKey
-} from "./chunk-L2BNJ6HM.js";
+} from "./chunk-PDVP3C2I.js";
 import {
-  readPath
-} from "./chunk-CJORTUJ2.js";
-import {
-  EXPORT_AUDIT_COLLECTION,
-  createExportBlobsHandle,
-  runCompaction
-} from "./chunk-XL35NSEN.js";
+  NO_FORGET,
+  addSubjectRef,
+  coerceSubjectId,
+  lookupSubject,
+  readDottedPath,
+  rebuildSubjectIndex,
+  removeSubjectRef
+} from "./chunk-C2OYWD5S.js";
 import {
   NOYDB_BACKUP_VERSION,
   NOYDB_FORMAT_VERSION
-} from "./chunk-F3BPIPLS.js";
+} from "./chunk-LGPSCKWZ.js";
 import {
   decrypt,
   encrypt,
   encryptDeterministic,
-  sha256Hex
-} from "./chunk-YULZKK4F.js";
+  sha256Hex,
+  unwrapCek,
+  wrapCek
+} from "./chunk-QJKZ5WUP.js";
 import {
   AlreadyElevatedError,
   AttestationError,
   BackupCorruptedError,
   BackupLedgerError,
   ConflictError,
+  DerivationCapExceededError,
   ElevationExpiredError,
   ExportCapabilityError,
+  ForgetStrategyNotConfiguredError,
   ImportCapabilityError,
   IndexWriteFailureError,
   InvalidKeyError,
@@ -159,15 +182,17 @@ import {
   SchemaValidationError,
   SequenceContentionError,
   SequenceOfflineError,
+  StaticDictReadonlyError,
   StoreCapabilityError,
   TierDemoteDeniedError,
   TierNotGrantedError,
   TranslatorNotConfiguredError,
   UniqueConstraintError,
+  UnknownDictCodeError,
   UnsupportedIndexOptionError,
   ValidationError,
   VaultTemplateNotFoundError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-HMFC6M2G.js";
 
 // src/policy/storage.ts
 var META_COLLECTION = "_meta";
@@ -450,6 +475,9 @@ var NO_HISTORY = {
   async clearHistory() {
     return 0;
   },
+  async tombstoneHistory() {
+    return 0;
+  },
   async envelopePayloadHash() {
     return "";
   },
@@ -810,7 +838,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
     }
     const sourceWithId = { ...source, id };
     if (DerivationExecutor === null) {
-      ({ DerivationExecutor } = await import("./executor-6ZDSDZ6V.js"));
+      ({ DerivationExecutor } = await import("./executor-WLFDUTOM.js"));
     }
     const ctx = { vault: accessor.getReadOnlyFacade() };
     const result = await DerivationExecutor.run(spec, sourceWithId, 0, strategyHash, ctx);
@@ -848,6 +876,15 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
 }
 
 // src/collection.ts
+function selfWriteFieldEqual(a, b) {
+  if (a === b) return true;
+  if (a === null || b === null || typeof a !== "object" || typeof b !== "object") return false;
+  try {
+    return JSON.stringify(a) === JSON.stringify(b);
+  } catch {
+    return false;
+  }
+}
 var fallbackWarned = /* @__PURE__ */ new Set();
 function warnOnceFallback(adapterName) {
   if (fallbackWarned.has(adapterName)) return;
@@ -1035,6 +1072,25 @@ var Collection = class {
    * is inactive for this collection; a frozen `Set` otherwise.
    */
   deterministicFields;
+  /**
+   * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+   * reuse a per-record content-encryption key and stamp `_cek` on the
+   * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+   * non-adopting collection takes the byte-identical legacy path. The READ
+   * path does not consult this flag: `_cek` presence on the envelope is the
+   * format discriminant, so a mixed vault (and a recipient that never set the
+   * flag) still decrypts CEK records.
+   */
+  perRecordCek;
+  /**
+   * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+   * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+   * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+   * collection instance is discarded — `vault.load()` clears the
+   * collectionCache, so a keyring refresh drops every CEK alongside the
+   * DEK cache. `null` unless `perRecordCek` is set.
+   */
+  cekCache;
   /**
    * declared tiers for this collection. `null` when
    * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -1181,19 +1237,24 @@ var Collection = class {
     } else {
       this.deterministicFields = null;
     }
+    this.perRecordCek = opts.perRecordKeys === true;
+    this.cekCache = this.perRecordCek ? new Lru({ maxRecords: 4096 }) : null;
     if (opts.crdt && opts.onRegisterConflictResolver) {
       const crdtMode = opts.crdt;
-      const crdtResolver = async (_id, local, remote) => {
+      const crdtResolver = async (id, local, remote) => {
         if (crdtMode === "yjs") {
           return local._v >= remote._v ? local : remote;
         }
-        const localJson = await this.decryptJsonString(local);
-        const remoteJson = await this.decryptJsonString(remote);
+        const localJson = await this.decryptJsonString(local, id);
+        const remoteJson = await this.decryptJsonString(remote, id);
+        if (localJson === null) return local;
+        if (remoteJson === null) return remote;
         const localState = JSON.parse(localJson);
         const remoteState = JSON.parse(remoteJson);
         const merged = this.crdtStrategy.mergeCrdtStates(localState, remoteState);
         const mergedVersion = Math.max(local._v, remote._v) + 1;
-        return this.encryptJsonString(JSON.stringify(merged), mergedVersion);
+        const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+        return this.encryptJsonString(JSON.stringify(merged), mergedVersion, cek);
       };
       opts.onRegisterConflictResolver(this.name, crdtResolver);
     }
@@ -1233,12 +1294,15 @@ var Collection = class {
         });
       } else {
         const mergeFn = policy;
-        resolver = async (_id, local, remote) => {
-          const localRecord = await this.decryptRecord(local, { skipValidation: true });
-          const remoteRecord = await this.decryptRecord(remote, { skipValidation: true });
+        resolver = async (id, local, remote) => {
+          const localRecord = await this.decryptRecord(local, { skipValidation: true, id });
+          const remoteRecord = await this.decryptRecord(remote, { skipValidation: true, id });
+          if (localRecord === null) return local;
+          if (remoteRecord === null) return remote;
           const merged = mergeFn(localRecord, remoteRecord);
           const mergedVersion = Math.max(local._v, remote._v) + 1;
-          return this.encryptRecord(merged, mergedVersion);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          return this.encryptRecord(merged, mergedVersion, cek);
         };
       }
       opts.onRegisterConflictResolver(collectionName, resolver);
@@ -1319,7 +1383,7 @@ var Collection = class {
       }
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-W5PQTRYH.js");
+      const { resolveStaleMVOnRead } = await import("./stale-PGTEGJDI.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     let record;
@@ -1330,7 +1394,9 @@ var Collection = class {
       } else {
         const envelope = await this.adapter.get(this.vault, this.name, id);
         if (!envelope) return null;
-        record = await this.decryptRecord(envelope);
+        if (isTombstone(envelope, this.encrypted)) return null;
+        record = await this.decryptRecord(envelope, { id });
+        if (record === null) return null;
         this.lru.set(id, { record, version: envelope._v }, estimateRecordBytes(record));
       }
     } else {
@@ -1357,6 +1423,7 @@ var Collection = class {
     const envelope = await this.adapter.get(this.vault, this.name, id);
     if (!envelope) return null;
     const json = await this.decryptJsonString(envelope);
+    if (json === null) return null;
     return JSON.parse(json);
   }
   /**
@@ -1445,7 +1512,7 @@ var Collection = class {
       if (cached2) return { record: cached2.record, version: cached2.version };
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env) return { record: null, version: 0 };
-      return { record: await this.decryptRecord(env, { skipValidation: true }), version: env._v };
+      return { record: await this.decryptRecord(env, { skipValidation: true }) ?? null, version: env._v };
     }
     await this.ensureHydrated();
     const cached = this.cache.get(id);
@@ -1558,9 +1625,11 @@ var Collection = class {
         let existingState;
         if (existingEnvelope) {
           const prevJson = await this.decryptJsonString(existingEnvelope);
-          const prevParsed = JSON.parse(prevJson);
-          if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-            existingState = prevParsed;
+          if (prevJson !== null) {
+            const prevParsed = JSON.parse(prevJson);
+            if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+              existingState = prevParsed;
+            }
           }
         }
         crdtState = this.crdtStrategy.buildLwwMapState(record, existingState, now);
@@ -1568,9 +1637,11 @@ var Collection = class {
         let existingState;
         if (existingEnvelope) {
           const prevJson = await this.decryptJsonString(existingEnvelope);
-          const prevParsed = JSON.parse(prevJson);
-          if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-            existingState = prevParsed;
+          if (prevJson !== null) {
+            const prevParsed = JSON.parse(prevJson);
+            if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+              existingState = prevParsed;
+            }
           }
         }
         const arr = Array.isArray(record) ? record : [record];
@@ -1579,12 +1650,14 @@ var Collection = class {
         crdtState = { _crdt: "yjs", update: record };
       }
       const version2 = existingVersion + 1;
-      const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2);
+      const cek2 = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2, cek2);
       await this.adapter.put(this.vault, this.name, id, envelope2);
       const resolvedRecord = this.crdtStrategy.resolveCrdtSnapshot(crdtState);
-      const existingResolved = existingEnvelope ? { record: await this.decryptRecord(existingEnvelope, { skipValidation: true }), version: existingVersion } : void 0;
+      const existingResolvedRecord = existingEnvelope ? await this.decryptRecord(existingEnvelope, { skipValidation: true }) : null;
+      const existingResolved = existingResolvedRecord !== null ? { record: existingResolvedRecord, version: existingVersion } : void 0;
       if (existingResolved && this.historyConfig.enabled !== false) {
-        const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version);
+        const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version, cek2);
         await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, histEnvelope);
         this.emitter.emit("history:save", { vault: this.vault, collection: this.name, id, version: existingResolved.version });
         if (this.historyConfig.maxVersions) {
@@ -1630,7 +1703,9 @@ var Collection = class {
         const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
         if (previousEnvelope) {
           const previousRecord = await this.decryptRecord(previousEnvelope);
-          existing = { record: previousRecord, version: previousEnvelope._v };
+          if (previousRecord !== null) {
+            existing = { record: previousRecord, version: previousEnvelope._v };
+          }
         }
       }
     } else {
@@ -1639,8 +1714,9 @@ var Collection = class {
     }
     const version = existing ? existing.version + 1 : 1;
     this.uniqueConstraints?.check(id, record);
+    const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
     if (existing && this.historyConfig.enabled !== false) {
-      const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+      const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
       await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
       this.emitter.emit("history:save", {
         vault: this.vault,
@@ -1654,7 +1730,7 @@ var Collection = class {
         });
       }
     }
-    const envelope = await this.encryptRecord(record, version);
+    const envelope = await this.encryptRecord(record, version, cek);
     await this.adapter.put(this.vault, this.name, id, envelope);
     if (this.ledger) {
       const appendInput = {
@@ -1717,7 +1793,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-AZLS3KBK.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-IZ2NVXCY.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -1726,7 +1802,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-W5PQTRYH.js");
+          staleHelpers = await import("./stale-PGTEGJDI.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -1743,6 +1819,111 @@ var Collection = class {
    * output (carries `_derivedFrom`) — defensive guard against missed
    * cycle detection.
    */
+  /**
+   * @internal #376 — the RAW stored record (canonical-money form, i18n maps
+   * intact), WITHOUT the locale resolution `get()` applies. Used as the
+   * patch base for self-write reverse-denorm so writing back never clobbers
+   * an i18n map or re-quantizes money incorrectly. Returns null for
+   * missing / tombstoned records.
+   */
+  async _getStoredRecord(id) {
+    let raw;
+    if (this.lazy && this.lru) {
+      const cached = this.lru.get(id);
+      if (cached) raw = cached.record;
+      else {
+        const env = await this.adapter.get(this.vault, this.name, id);
+        if (!env || isTombstone(env, this.encrypted)) return null;
+        raw = await this.decryptRecord(env, { id });
+        if (raw === null) return null;
+        this.lru.set(id, { record: raw, version: env._v }, estimateRecordBytes(raw));
+      }
+    } else {
+      await this.ensureHydrated();
+      raw = this.cache.get(id)?.record ?? null;
+    }
+    if (raw === null) return null;
+    return canonicalizeStoredMoney(raw, this.moneyFields);
+  }
+  /**
+   * @internal #376 — ids of records whose top-level `field` equals `value`.
+   * Uses the FK index when the field is indexed (O(matches)); otherwise a
+   * linear scan (O(N) — fine for small child sets; index the FK to scale).
+   */
+  async _findMatchingIds(field, value) {
+    const hit = this.getIndexes()?.lookupEqual(field, value);
+    if (hit) return [...hit];
+    const target = String(value);
+    const matches = (rec) => {
+      const fv = rec[field];
+      return (typeof fv === "string" || typeof fv === "number") && String(fv) === target;
+    };
+    if (!this.lazy) {
+      await this.ensureHydrated();
+      const out2 = [];
+      for (const [rid, e] of this.cache) {
+        if (matches(e.record)) out2.push(rid);
+      }
+      return out2;
+    }
+    const ids = await this.adapter.list(this.vault, this.name);
+    const out = [];
+    for (const rid of ids) {
+      const raw = await this._getStoredRecord(rid);
+      if (raw !== null && matches(raw)) out.push(rid);
+    }
+    return out;
+  }
+  /**
+   * @internal #376 slice 2 — recompute a rollup aggregate onto the parent.
+   * Gathers every child of `parentId`, runs `compute`, and patches only the
+   * rollup `field` onto the parent's raw stored record (value-equality
+   * guarded). No-op when the parent record does not exist.
+   */
+  async recomputeRollup(spec, parentId) {
+    if (this.derivationSource === void 0 || spec.rollup === void 0) return;
+    const { from, key, field, compute } = spec.rollup;
+    const into = spec.source;
+    const intoColl = this.derivationSource.getCollection(into);
+    const base = await intoColl._getStoredRecord(parentId);
+    if (base === null) return;
+    const fromColl = this.derivationSource.getCollection(from);
+    const childIds = await fromColl._findMatchingIds(key, parentId);
+    const children = [];
+    for (const cid of childIds) {
+      const c = await fromColl.get(cid);
+      if (c !== null && c !== void 0) children.push(c);
+    }
+    const newValue = compute(children);
+    if (selfWriteFieldEqual(base[field], newValue)) return;
+    const patched = { ...base, [field]: newValue };
+    const txCtx = this.derivationSource.getActiveTxContext();
+    if (txCtx !== null) {
+      const prior = await this.adapter.get(this.vault, into, parentId);
+      txCtx._executed.push({
+        op: { type: "put", vaultName: this.vault, collectionName: into, id: parentId },
+        priorEnvelope: prior
+      });
+    }
+    await intoColl.put(parentId, patched);
+  }
+  /**
+   * @internal #376 slice 2 — fire any rollups for which THIS collection is the
+   * child `from`, recomputing the affected parent after a child delete. Called
+   * from the delete path with the just-removed record's key value. Other
+   * derivation kinds do not react to deletes (unchanged).
+   */
+  async dispatchRollupsOnDelete(deleted) {
+    if (this.derivationSource === void 0) return;
+    const registry = this.derivationSource.registry();
+    const rec = deleted;
+    for (const { spec } of registry.strategiesForSource(this.name)) {
+      if (!spec.rollup || spec.rollup.from !== this.name) continue;
+      const kv = rec[spec.rollup.key];
+      if (typeof kv !== "string" && typeof kv !== "number") continue;
+      await this.recomputeRollup(spec, String(kv));
+    }
+  }
   async dispatchDerivations(id, record, version) {
     if (this.derivationSource === void 0) return;
     const incoming = canonicalizeStoredMoney(record, this.moneyFields);
@@ -1753,29 +1934,60 @@ var Collection = class {
     let DerivationExecutor = null;
     for (const { spec, strategyHash } of strategies) {
       const mode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
-      if (mode === "eager") {
-        if (DerivationExecutor === null) {
-          ({ DerivationExecutor } = await import("./executor-6ZDSDZ6V.js"));
-        }
-        let sourceWithId;
-        let sourceVersion = version;
-        if (spec.source === this.name) {
-          sourceWithId = { ...incoming, id };
+      if (spec.rollup) {
+        if (mode !== "eager") continue;
+        let parentId;
+        if (this.name === spec.rollup.from) {
+          const kv = incoming[spec.rollup.key];
+          parentId = typeof kv === "string" || typeof kv === "number" ? String(kv) : null;
         } else {
-          const primary = await this.derivationSource.getCollection(spec.source).get(id);
-          if (primary === null || primary === void 0) continue;
-          sourceWithId = { ...primary, id };
-          sourceVersion = 0;
+          parentId = id;
+        }
+        if (parentId !== null) await this.recomputeRollup(spec, parentId);
+        continue;
+      }
+      const isSource = spec.source === this.name;
+      const isSibling = !isSource && (spec.sources?.includes(this.name) ?? false);
+      const trigger = !isSource && !isSibling ? spec.triggerBy?.find((t) => t.collection === this.name) : void 0;
+      const runs = [];
+      if (isSource) {
+        runs.push({ input: { ...incoming, id }, base: incoming, runId: id, version });
+      } else if (isSibling) {
+        const p = await this.derivationSource.getCollection(spec.source).get(id);
+        if (p !== null && p !== void 0) {
+          const raw = await this.derivationSource.getCollection(spec.source)._getStoredRecord(id);
+          runs.push({ input: { ...p, id }, base: raw ?? p, runId: id, version: 0 });
+        }
+      } else if (trigger) {
+        const srcColl = this.derivationSource.getCollection(spec.source);
+        const ids = await srcColl._findMatchingIds(trigger.on, id);
+        if (trigger.maxFanout !== void 0 && ids.length > trigger.maxFanout) {
+          throw new DerivationCapExceededError(`triggerBy ${this.name}\u2192${spec.source}`, ids.length, trigger.maxFanout);
+        }
+        for (const sid of ids) {
+          const raw = await srcColl._getStoredRecord(sid);
+          if (raw === null) continue;
+          runs.push({ input: { ...raw, id: sid }, base: raw, runId: sid, version: 0 });
         }
+      }
+      if (runs.length === 0) continue;
+      if (mode !== "eager") {
+        for (const run of runs) await markStale(registry, spec, run.runId);
+        continue;
+      }
+      if (DerivationExecutor === null) {
+        ({ DerivationExecutor } = await import("./executor-WLFDUTOM.js"));
+      }
+      for (const run of runs) {
         const ctx = { vault: this.derivationSource.getReadOnlyFacade() };
-        const result = await DerivationExecutor.run(spec, sourceWithId, sourceVersion, strategyHash, ctx);
+        const result = await DerivationExecutor.run(spec, run.input, run.version, strategyHash, ctx);
         for (const key of Object.keys(spec.outputs)) {
           const out = result.outputs[key];
           if (!out) continue;
           if (out.kind === "failed") {
             const err = out.error;
             if (spec.strict) throw err;
-            console.warn(`[derivation] output "${key}" for source "${spec.source}" id="${id}" failed:`, err);
+            console.warn(`[derivation] output "${key}" for source "${spec.source}" id="${run.runId}" failed:`, err);
             continue;
           }
           const outSpec = spec.outputs[key];
@@ -1783,12 +1995,12 @@ var Collection = class {
           const outputCollection = this.derivationSource.getCollection(outSpec.collection);
           const txCtx = this.derivationSource.getActiveTxContext();
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-67CMI3UT.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-JGHXAJO5.js");
             const prior = await loadFanoutSidecar(
               this.adapter,
               this.vault,
               spec.source,
-              id,
+              run.runId,
               key
             );
             const prevKeys = new Set(prior?.keys ?? []);
@@ -1815,7 +2027,7 @@ var Collection = class {
             }
             await saveFanoutSidecar(this.adapter, this.vault, {
               source: spec.source,
-              sourceId: id,
+              sourceId: run.runId,
               outputKey: key,
               outputCollection: outSpec.collection,
               keys: newKeysList
@@ -1823,25 +2035,44 @@ var Collection = class {
             continue;
           }
           if (out.skipped === true) {
-            await outputCollection._internalDelete(id, txCtx);
+            await outputCollection._internalDelete(run.runId, txCtx);
+            continue;
+          }
+          if (outSpec.shape === "record" && outSpec.denorm !== void 0 && outSpec.collection === spec.source) {
+            const value = out.value;
+            const patched = { ...run.base };
+            let changed = false;
+            for (const f of outSpec.denorm) {
+              if (!selfWriteFieldEqual(run.base[f], value[f])) {
+                patched[f] = value[f];
+                changed = true;
+              }
+            }
+            if (!changed) continue;
+            if (txCtx !== null) {
+              const prior = await this.adapter.get(this.vault, outSpec.collection, run.runId);
+              txCtx._executed.push({
+                op: { type: "put", vaultName: this.vault, collectionName: outSpec.collection, id: run.runId },
+                priorEnvelope: prior
+              });
+            }
+            await outputCollection.put(run.runId, patched);
             continue;
           }
           if (txCtx !== null) {
-            const prior = await this.adapter.get(this.vault, outSpec.collection, id);
+            const prior = await this.adapter.get(this.vault, outSpec.collection, run.runId);
             txCtx._executed.push({
               op: {
                 type: "put",
                 vaultName: this.vault,
                 collectionName: outSpec.collection,
-                id
+                id: run.runId
               },
               priorEnvelope: prior
             });
           }
-          await outputCollection.put(id, out.value);
+          await outputCollection.put(run.runId, out.value);
         }
-      } else {
-        await markStale(registry, spec, id);
       }
     }
   }
@@ -1890,11 +2121,14 @@ var Collection = class {
     let count = 0;
     for (const id of ids) {
       const env = await this.adapter.get(this.vault, this.name, id);
-      if (!env) continue;
-      const record = await this.decryptRecord(env, { skipValidation: true });
+      if (!env || isTombstone(env, this.encrypted)) continue;
+      const decoded = await this.decryptRecord(env, { skipValidation: true, id });
+      if (decoded === null) continue;
+      const record = decoded;
       const next = transform(record);
       const nextVersion = (env._v ?? 0) + 1;
-      const newEnv = await this.encryptRecord(next, nextVersion);
+      const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      const newEnv = await this.encryptRecord(next, nextVersion, cek);
       await this.adapter.put(this.vault, this.name, id, newEnv);
       await this._invalidateCacheEntry(id);
       if (this.ledger) {
@@ -2006,14 +2240,17 @@ var Collection = class {
         const previousEnvelope2 = await this.adapter.get(this.vault, this.name, id);
         if (previousEnvelope2) {
           const previousRecord = await this.decryptRecord(previousEnvelope2);
-          existing = { record: previousRecord, version: previousEnvelope2._v };
+          if (previousRecord !== null) {
+            existing = { record: previousRecord, version: previousEnvelope2._v };
+          }
         }
       }
     } else {
       existing = this.cache.get(id);
     }
     if (existing && this.historyConfig.enabled !== false) {
-      const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+      const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
       await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
     }
     const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
@@ -2052,8 +2289,53 @@ var Collection = class {
     if (!internal) {
       await this.dispatchMaterializedViewsOnDelete(id);
       await this.dispatchArrayDerivationsOnDelete(id);
+      if (existing) await this.dispatchRollupsOnDelete(existing.record);
+    }
+  }
+  /**
+   * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+   *
+   * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+   * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+   * the body — and (via {@link tombstoneHistory}) every history version under
+   * the same CEK — is permanently undecryptable; the collection DEK and every
+   * other record are untouched. `_det` is stripped too, so `findByDet` no
+   * longer matches the shredded record (avoiding a post-shred TamperedError).
+   *
+   * Unlike `delete()`/`_internalDelete`, this:
+   *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+   *     erasure, not a domain delete — re-running those would be wrong),
+   *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+   *     single `op:'forget'` summary for the whole subject),
+   *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+   *     so the version counter + "record existed" survive for audit.
+   *
+   * Idempotent: returns `null` when the record is absent or already a tombstone.
+   * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+   * lazy LRU, and the per-record CEK cache for this id.
+   */
+  /**
+   * @internal — decrypt an envelope to a plain record for subject-index
+   * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+   * Skips schema validation — the rebuild only reads the subject field.
+   */
+  async _decodeEnvelope(envelope, id) {
+    try {
+      const rec = await this.decryptRecord(envelope, { skipValidation: true, id });
+      return rec === null ? null : rec;
+    } catch {
+      return null;
     }
   }
+  async _writeTombstone(id, actor) {
+    const live = await this.adapter.get(this.vault, this.name, id);
+    if (!live || isTombstone(live, this.encrypted)) return null;
+    await this.adapter.put(this.vault, this.name, id, buildTombstone(live._v, actor));
+    this.cache.delete(id);
+    this.lru?.remove(id);
+    this.cekCache?.remove(id);
+    return { previousVersion: live._v };
+  }
   /**
    * Cascade deletes of array-shape derived rows when a source row is
    * deleted. Reads each registered strategy's fanout sidecar
@@ -2076,7 +2358,7 @@ var Collection = class {
       for (const [outputKey, outSpec] of Object.entries(spec.outputs)) {
         if (outSpec.shape !== "array") continue;
         if (helpers === null) {
-          helpers = await import("./fanout-sidecar-67CMI3UT.js");
+          helpers = await import("./fanout-sidecar-JGHXAJO5.js");
         }
         const sidecar = await helpers.loadFanoutSidecar(
           this.adapter,
@@ -2116,7 +2398,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-AZLS3KBK.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-IZ2NVXCY.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -2125,7 +2407,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-W5PQTRYH.js");
+          staleHelpers = await import("./stale-PGTEGJDI.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -2148,7 +2430,7 @@ var Collection = class {
       );
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-W5PQTRYH.js");
+      const { resolveStaleMVOnRead } = await import("./stale-PGTEGJDI.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     await this.ensureHydrated();
@@ -2466,6 +2748,7 @@ var Collection = class {
     const entries = [];
     for (const env of envelopes) {
       const record = await this.decryptRecord(env, { skipValidation: true });
+      if (record === null) continue;
       entries.push({
         version: env._v,
         timestamp: env._ts,
@@ -2602,6 +2885,7 @@ var Collection = class {
       const envelope = await this.adapter.get(this.vault, this.name, id);
       if (envelope) {
         const record = await this.decryptRecord(envelope);
+        if (record === null) continue;
         items.push(record);
         if (!this.lazy && !this.cache.has(id)) {
           this.cache.set(id, { record, version: envelope._v });
@@ -2678,6 +2962,7 @@ var Collection = class {
     const out = [];
     for (const { id, envelope } of items) {
       const record = await this.decryptRecord(envelope);
+      if (record === null) continue;
       out.push({ id, record, version: envelope._v });
     }
     return out;
@@ -2699,6 +2984,18 @@ var Collection = class {
    * the cache entry (record still present) or deletes it (record was
    * gone before the tx and the revert deleted it again).
    */
+  /**
+   * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+   * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+   * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+   * the post-rotation body). Eviction must be synchronous with the live-envelope
+   * rewrite so no concurrent read observes the old CEK. Paired with
+   * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+   * No-op when the collection is not `perRecordKeys`.
+   */
+  _invalidateCekCacheEntry(id) {
+    this.cekCache?.remove(id);
+  }
   async _invalidateCacheEntry(id) {
     if (this.lazy && this.lru) {
       this.lru.remove(id);
@@ -2716,6 +3013,14 @@ var Collection = class {
       return;
     }
     const record = await this.decryptRecord(envelope);
+    if (record === null) {
+      this.cache.delete(id);
+      if (previous) {
+        this.indexes?.remove(id, previous.record);
+        this.uniqueConstraints?.remove(id, previous.record);
+      }
+      return;
+    }
     this.cache.set(id, { record, version: envelope._v });
     this.indexes?.upsert(id, record, previous ? previous.record : null);
     this.uniqueConstraints?.upsert(id, record, previous?.record);
@@ -2740,8 +3045,9 @@ var Collection = class {
     const ids = await this.adapter.list(this.vault, this.name);
     for (const id of ids) {
       const envelope = await this.adapter.get(this.vault, this.name, id);
-      if (envelope) {
-        const record = await this.decryptRecord(envelope);
+      if (envelope && !isTombstone(envelope, this.encrypted)) {
+        const record = await this.decryptRecord(envelope, { id });
+        if (record === null) continue;
         this.cache.set(id, { record, version: envelope._v });
       }
     }
@@ -2752,7 +3058,9 @@ var Collection = class {
   /** Hydrate from a pre-loaded snapshot (used by Vault). */
   async hydrateFromSnapshot(records) {
     for (const [id, envelope] of Object.entries(records)) {
-      const record = await this.decryptRecord(envelope);
+      if (isTombstone(envelope, this.encrypted)) continue;
+      const record = await this.decryptRecord(envelope, { id });
+      if (record === null) continue;
       this.cache.set(id, { record, version: envelope._v });
     }
     this.hydrated = true;
@@ -2840,6 +3148,7 @@ var Collection = class {
       const envelope = await this.adapter.get(this.vault, this.name, recordId);
       if (!envelope) continue;
       const record = await this.decryptRecord(envelope, { skipValidation: true });
+      if (record === null) continue;
       await this.maintainPersistedIndexesOnPut(recordId, record, null, envelope._v);
     }
     this.persistedIndexesLoaded = true;
@@ -2890,8 +3199,13 @@ var Collection = class {
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env) continue;
       try {
-        const body = JSON.parse(await this.decryptJsonString(env));
-        sidecar.set(decoded.recordId, body.value);
+        const sidecarJson = await this.decryptJsonString(env);
+        if (sidecarJson === null) {
+          sidecar.set(decoded.recordId, void 0);
+        } else {
+          const body = JSON.parse(sidecarJson);
+          sidecar.set(decoded.recordId, body.value);
+        }
       } catch {
         sidecar.set(decoded.recordId, void 0);
       }
@@ -2905,6 +3219,7 @@ var Collection = class {
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env) continue;
       const record = await this.decryptRecord(env, { skipValidation: true });
+      if (record === null) continue;
       const live = readPersistedValue(record, field);
       const stored = sidecar.get(id);
       const hasSidecar = sidecarIds.has(id);
@@ -2987,7 +3302,8 @@ var Collection = class {
       recordId: id,
       getDEK: this.getDEK,
       encrypted: this.encrypted,
-      userId: this.keyring.userId
+      userId: this.keyring.userId,
+      erasableBlobs: this.perRecordCek
     });
   }
   /** Get all records as encrypted envelopes (for dump). */
@@ -2995,7 +3311,8 @@ var Collection = class {
     await this.ensureHydrated();
     const result = {};
     for (const [id, entry] of this.cache) {
-      result[id] = await this.encryptRecord(entry.record, entry.version);
+      const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+      result[id] = await this.encryptRecord(entry.record, entry.version, cek);
     }
     return result;
   }
@@ -3023,23 +3340,37 @@ var Collection = class {
     if (hasMoney && this.moneyFields) {
       result = decodeMoneyFields(result, this.moneyFields, typeof locale === "string" ? locale : void 0);
     }
-    if (!locale) return result;
-    if (hasI18n && this.i18nFields) {
-      result = this.i18nStrategy.applyI18nLocale(result, this.i18nFields, locale, localeOpts?.fallback);
+    const hasStaticDisplay = hasDict && this.dictKeyFields !== void 0 && Object.values(this.dictKeyFields).some(
+      (d) => isStaticDictDescriptor(d) && d.displayLocale !== void 0
+    );
+    if (!locale && !hasStaticDisplay) return result;
+    const layer = localeOpts?._layer ?? "read";
+    if (locale && hasI18n && this.i18nFields) {
+      result = this.i18nStrategy.applyI18nLocale(result, this.i18nFields, locale, localeOpts?.fallback, layer);
     }
     if (hasDict && this.dictKeyFields && this.dictLabelResolver && locale !== "raw") {
       const withLabels = { ...result };
       const resolver = this.dictLabelResolver;
       for (const [field, desc] of Object.entries(this.dictKeyFields)) {
-        const policy = desc.onMissing ? resolvePolicy(desc.onMissing, "read") : "null";
+        const policy = desc.onMissing ? resolvePolicy(desc.onMissing, layer) : "null";
         const fallback = policy === "substitute" ? localeOpts?.fallback ?? desc.substitute : localeOpts?.fallback;
+        const effLocale = locale ?? (isStaticDictDescriptor(desc) ? desc.displayLocale : void 0);
         const resolveKey = async (key) => {
-          const label = await resolver(desc.name, key, locale, fallback);
+          if (!effLocale) {
+            if (policy === "throw") {
+              throw new LocaleNotSpecifiedError(
+                field,
+                `dictKey "${field}": no locale active to resolve key "${key}".`
+              );
+            }
+            return null;
+          }
+          const label = await resolver(desc.name, key, effLocale, fallback);
           if (label === void 0) {
             if (policy === "throw") {
               throw new LocaleNotSpecifiedError(
                 field,
-                `dictKey "${field}": no label for key "${key}" in locale "${locale}".`
+                `dictKey "${field}": no label for key "${key}" in locale "${effLocale}".`
               );
             }
             return null;
@@ -3196,6 +3527,7 @@ var Collection = class {
       if (!envelope) continue;
       try {
         const json = await this.decryptJsonString(envelope);
+        if (json === null) continue;
         const body = JSON.parse(json);
         if (typeof body.recordId !== "string") continue;
         const rows = byField.get(decoded.field) ?? [];
@@ -3305,7 +3637,31 @@ var Collection = class {
     };
     return new LazyQuery(source);
   }
-  async encryptJsonString(json, version) {
+  /**
+   * Resolve the stable CEK for a record on the WRITE path — see
+   * {@link resolveStableCek}. Thin delegate that supplies the collection's
+   * CEK cache, live-envelope reader, and DEK resolver.
+   */
+  resolveRecordCek(id) {
+    return resolveStableCek(
+      {
+        cache: this.cekCache,
+        getLive: (rid) => this.adapter.get(this.vault, this.name, rid),
+        getDEK: () => this.getDEK(this.name)
+      },
+      id
+    );
+  }
+  /**
+   * Encrypt a JSON body into an envelope.
+   *
+   * When `cek` is supplied (per-record CEK collections), the body is
+   * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+   * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+   * path encrypts the body directly under the collection DEK — byte-identical
+   * to pre-CEK behaviour, so non-adopting collections pay nothing.
+   */
+  async encryptJsonString(json, version, cek) {
     const by = this.keyring.userId;
     if (!this.encrypted) {
       return {
@@ -3318,6 +3674,19 @@ var Collection = class {
       };
     }
     const dek = await this.getDEK(this.name);
+    if (cek !== void 0) {
+      const { iv: iv2, data: data2 } = await encrypt(json, cek);
+      const wrapped = await wrapCek(cek, dek);
+      return {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: version,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv2,
+        _data: data2,
+        _by: by,
+        _cek: wrapped
+      };
+    }
     const { iv, data } = await encrypt(json, dek);
     return {
       _noydb: NOYDB_FORMAT_VERSION,
@@ -3328,8 +3697,8 @@ var Collection = class {
       _by: by
     };
   }
-  async encryptRecord(record, version) {
-    const base = await this.encryptJsonString(JSON.stringify(record), version);
+  async encryptRecord(record, version, cek) {
+    const base = await this.encryptJsonString(JSON.stringify(record), version, cek);
     if (!this.deterministicFields || !this.encrypted) return base;
     const dek = await this.getDEK(this.name);
     const rec = record;
@@ -3407,7 +3776,8 @@ var Collection = class {
       const env = await this.adapter.get(this.vault, this.name, id);
       if (!env || !env._det) continue;
       if (env._det[field] === target) {
-        matches.push(await this.decryptRecord(env));
+        const rec = await this.decryptRecord(env);
+        if (rec !== null) matches.push(rec);
       }
     }
     return matches;
@@ -3508,7 +3878,14 @@ var Collection = class {
       return null;
     }
     const dek = await this.getDEK(key);
-    const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+    let plaintext;
+    if (envelope._cek !== void 0) {
+      const cek = await unwrapCek(envelope._cek, dek);
+      this.cekCache?.set(id, cek, 1);
+      plaintext = await decrypt(envelope._iv, envelope._data, cek);
+    } else {
+      plaintext = await decrypt(envelope._iv, envelope._data, dek);
+    }
     const record = JSON.parse(plaintext);
     this.emitCrossTierEvent({
       actor: this.keyring.userId,
@@ -3564,18 +3941,19 @@ var Collection = class {
     const toKey = dekKey(this.name, toTier);
     const fromDek = await this.getDEK(fromKey);
     const toDek = await this.getDEK(toKey);
-    const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-    const { iv, data } = await encrypt(plaintext, toDek);
     const now = (/* @__PURE__ */ new Date()).toISOString();
+    const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+    if (body.cek) this.cekCache?.set(id, body.cek, 1);
     const next = {
       _noydb: NOYDB_FORMAT_VERSION,
       _v: envelope._v + 1,
       _ts: now,
-      _iv: iv,
-      _data: data,
+      _iv: body._iv,
+      _data: body._data,
       _by: this.keyring.userId,
       _tier: toTier,
-      _elevatedBy: this.keyring.userId
+      _elevatedBy: this.keyring.userId,
+      ...body._cek !== void 0 ? { _cek: body._cek } : {}
     };
     await this.adapter.put(this.vault, this.name, id, next);
     this.emitCrossTierEvent({
@@ -3611,17 +3989,18 @@ var Collection = class {
     if (toTier > 0) this.assertDeclaredTier(toTier);
     const fromDek = await this.getDEK(dekKey(this.name, fromTier));
     const toDek = await this.getDEK(dekKey(this.name, toTier));
-    const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-    const { iv, data } = await encrypt(plaintext, toDek);
     const now = (/* @__PURE__ */ new Date()).toISOString();
+    const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+    if (body.cek) this.cekCache?.set(id, body.cek, 1);
     const next = {
       _noydb: NOYDB_FORMAT_VERSION,
       _v: envelope._v + 1,
       _ts: now,
-      _iv: iv,
-      _data: data,
+      _iv: body._iv,
+      _data: body._data,
       _by: this.keyring.userId,
-      ...toTier > 0 && { _tier: toTier }
+      ...toTier > 0 && { _tier: toTier },
+      ...body._cek !== void 0 ? { _cek: body._cek } : {}
     };
     await this.adapter.put(this.vault, this.name, id, next);
     this.emitCrossTierEvent({
@@ -3643,10 +4022,30 @@ var Collection = class {
     } catch {
     }
   }
-  /** Low-level: decrypt an envelope and return the raw JSON string. */
-  async decryptJsonString(envelope) {
+  /**
+   * Low-level: decrypt an envelope and return the raw JSON string.
+   *
+   * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+   * so a mixed vault — and a recipient that never opted into
+   * `perRecordKeys` — decrypts both legacy and CEK records:
+   *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+   *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+   *  - `_cek` absent → legacy path, body decrypts directly under the
+   *    collection DEK.
+   *
+   * The optional `id` lets reads populate the CEK cache; it is omitted by
+   * callers (history, conflict merge) that have only the envelope.
+   */
+  async decryptJsonString(envelope, id) {
+    if (isTombstone(envelope, this.encrypted)) return null;
     if (!this.encrypted) return envelope._data;
     const dek = await this.getDEK(this.name);
+    if (envelope._cek !== void 0) {
+      const cached = id !== void 0 ? this.cekCache?.get(id) : void 0;
+      const cek = cached ?? await unwrapCek(envelope._cek, dek);
+      if (cached === void 0 && id !== void 0) this.cekCache?.set(id, cek, 1);
+      return decrypt(envelope._iv, envelope._data, cek);
+    }
     return decrypt(envelope._iv, envelope._data, dek);
   }
   /**
@@ -3665,7 +4064,8 @@ var Collection = class {
    * false positive. Every non-history read leaves this flag `false`.
    */
   async decryptRecord(envelope, opts = {}) {
-    const json = await this.decryptJsonString(envelope);
+    const json = await this.decryptJsonString(envelope, opts.id);
+    if (json === null) return null;
     let parsed = JSON.parse(json);
     if (this.crdtMode && parsed !== null && typeof parsed === "object" && "_crdt" in parsed) {
       parsed = this.crdtStrategy.resolveCrdtSnapshot(parsed);
@@ -3793,6 +4193,38 @@ function withArchive(opts) {
 // src/sequence/index.ts
 var SEQUENCE_COLLECTION = "_sequences";
 var MAX_NEXT_ATTEMPTS = 16;
+var SEQ_FORMAT_TOKEN = /\{([^{}]*)\}/g;
+var SEQ_PAD_TOKEN = /^seq:0(\d+)$/;
+var SEQ_PARTITION_TOKEN = /^partition\.(\d+)$/;
+function compileSequenceFormat(format, series, partition) {
+  const parts = partition ?? [];
+  for (const m of format.matchAll(SEQ_FORMAT_TOKEN)) {
+    const token = m[1] ?? "";
+    if (token === "seq") continue;
+    if (SEQ_PAD_TOKEN.test(token)) continue;
+    const partMatch = SEQ_PARTITION_TOKEN.exec(token);
+    if (partMatch) {
+      const idx = Number(partMatch[1]);
+      if (idx >= parts.length) {
+        throw new ValidationError(
+          `sequence("${series}"): format token "{${token}}" references partition index ${idx}, but only ${parts.length} partition component(s) were supplied.`
+        );
+      }
+      continue;
+    }
+    throw new ValidationError(
+      `sequence("${series}"): format contains unknown token "{${token}}". Accepted tokens: {seq}, {seq:0N}, {partition.i}.`
+    );
+  }
+  return (serial) => format.replace(SEQ_FORMAT_TOKEN, (full, token) => {
+    if (token === "seq") return String(serial);
+    const padMatch = SEQ_PAD_TOKEN.exec(token);
+    if (padMatch) return String(serial).padStart(Number(padMatch[1]), "0");
+    const partMatch = SEQ_PARTITION_TOKEN.exec(token);
+    if (partMatch) return String(parts[Number(partMatch[1])]);
+    return full;
+  });
+}
 function resolveSequenceKey(series, opts) {
   const partition = opts?.partition;
   if (!partition || partition.length === 0) return series;
@@ -4112,6 +4544,9 @@ var NO_PERIODS = {
 };
 
 // src/refs.ts
+function isRefArray(desc) {
+  return desc.isArray === true;
+}
 var RefIntegrityError = class extends NoydbError {
   collection;
   id;
@@ -4148,6 +4583,17 @@ function ref(target, mode = "strict") {
   }
   return { target, mode };
 }
+function refArray(target, mode = "strict") {
+  if (target.includes("/")) {
+    throw new RefScopeError(target);
+  }
+  if (!target || target.startsWith("_")) {
+    throw new Error(
+      `refArray(): target collection name must be non-empty and cannot start with '_' (reserved for internal collections). Got "${target}".`
+    );
+  }
+  return { target, mode, isArray: true };
+}
 var RefRegistry = class {
   outbound = /* @__PURE__ */ new Map();
   inbound = /* @__PURE__ */ new Map();
@@ -4172,7 +4618,7 @@ var RefRegistry = class {
       for (const k of existingKeys) {
         const a = existing[k];
         const b = refs[k];
-        if (!a || !b || a.target !== b.target || a.mode !== b.mode) {
+        if (!a || !b || a.target !== b.target || a.mode !== b.mode || a.isArray !== b.isArray) {
           throw new Error(
             `RefRegistry: conflicting ref declarations for collection "${collection}" field "${k}"`
           );
@@ -4183,7 +4629,7 @@ var RefRegistry = class {
     this.outbound.set(collection, { ...refs });
     for (const [field, desc] of Object.entries(refs)) {
       const list = this.inbound.get(desc.target) ?? [];
-      list.push({ collection, field, mode: desc.mode });
+      list.push({ collection, field, mode: desc.mode, ...desc.isArray ? { isArray: true } : {} });
       this.inbound.set(desc.target, list);
     }
   }
@@ -4211,6 +4657,141 @@ var RefRegistry = class {
   }
 };
 
+// src/links/link-set.ts
+var LINK_COLLECTION_PREFIX = "_links_";
+function linkCollectionName(name) {
+  return `${LINK_COLLECTION_PREFIX}${name}`;
+}
+function isLinkCollectionName(name) {
+  return name.startsWith(LINK_COLLECTION_PREFIX);
+}
+function linkRowKey(aId, bId) {
+  return `${encodeURIComponent(aId)}|${encodeURIComponent(bId)}`;
+}
+var LinkSet = class {
+  constructor(adapter, vault, name, spec, encrypted, getDEK, actor, emitter, endpointExists) {
+    this.adapter = adapter;
+    this.vault = vault;
+    this.name = name;
+    this.spec = spec;
+    this.encrypted = encrypted;
+    this.getDEK = getDEK;
+    this.actor = actor;
+    this.emitter = emitter;
+    this.endpointExists = endpointExists;
+    this.collName = linkCollectionName(name);
+  }
+  adapter;
+  vault;
+  name;
+  spec;
+  encrypted;
+  getDEK;
+  actor;
+  emitter;
+  endpointExists;
+  collName;
+  dekPromise = null;
+  dek() {
+    if (!this.dekPromise) this.dekPromise = this.getDEK(this.collName);
+    return this.dekPromise;
+  }
+  async encryptEntry(entry, version) {
+    const json = JSON.stringify(entry);
+    const base = { _noydb: NOYDB_FORMAT_VERSION, _v: version, _ts: (/* @__PURE__ */ new Date()).toISOString(), _by: this.actor };
+    if (!this.encrypted) return { ...base, _iv: "", _data: json };
+    const { iv, data } = await encrypt(json, await this.dek());
+    return { ...base, _iv: iv, _data: data };
+  }
+  async decryptEntry(env) {
+    const json = this.encrypted ? await decrypt(env._iv, env._data, await this.dek()) : env._data;
+    return JSON.parse(json);
+  }
+  async connect(aId, bId, meta) {
+    if (!await this.endpointExists(this.spec.a, aId)) {
+      throw new LinkEndpointError(this.name, this.spec.a, aId);
+    }
+    if (!await this.endpointExists(this.spec.b, bId)) {
+      throw new LinkEndpointError(this.name, this.spec.b, bId);
+    }
+    const key = linkRowKey(aId, bId);
+    const entry = meta !== void 0 ? { a: aId, b: bId, meta } : { a: aId, b: bId };
+    const existing = await this.adapter.get(this.vault, this.collName, key);
+    const env = await this.encryptEntry(entry, (existing?._v ?? 0) + 1);
+    await this.adapter.put(this.vault, this.collName, key, env, existing?._v);
+    this.emitter.emit("change", { vault: this.vault, collection: this.collName, id: key, action: "put" });
+  }
+  async disconnect(aId, bId) {
+    const key = linkRowKey(aId, bId);
+    const existing = await this.adapter.get(this.vault, this.collName, key);
+    if (!existing) return;
+    await this.adapter.delete(this.vault, this.collName, key);
+    this.emitter.emit("change", { vault: this.vault, collection: this.collName, id: key, action: "delete" });
+  }
+  async has(aId, bId) {
+    return await this.adapter.get(this.vault, this.collName, linkRowKey(aId, bId)) !== null;
+  }
+  async of(id) {
+    const rows = await this.list();
+    return rows.filter((r) => r.a === id || r.b === id);
+  }
+  async list() {
+    const keys = await this.adapter.list(this.vault, this.collName);
+    const out = [];
+    for (const key of keys) {
+      const env = await this.adapter.get(this.vault, this.collName, key);
+      if (!env) continue;
+      const e = await this.decryptEntry(env);
+      out.push(e.meta !== void 0 ? { a: e.a, b: e.b, meta: e.meta } : { a: e.a, b: e.b });
+    }
+    return out;
+  }
+  // ── Vault-internal cascade helpers ──────────────────────────────────
+  /** @internal — rows where the deleted endpoint id matches the relevant slot. */
+  async _rowsTouchingEndpoint(collection, id) {
+    const rows = await this.list();
+    return rows.filter(
+      (r) => this.spec.a === collection && r.a === id || this.spec.b === collection && r.b === id
+    );
+  }
+  /** @internal — the storage collection name (for tx pre-image capture). */
+  get _collectionName() {
+    return this.collName;
+  }
+};
+var LinkEndpointError = class extends NoydbError {
+  link;
+  endpoint;
+  missingId;
+  constructor(link, endpoint, missingId) {
+    super(
+      "LINK_ENDPOINT",
+      `link("${link}").connect: endpoint "${endpoint}" has no record "${missingId}".`
+    );
+    this.name = "LinkEndpointError";
+    this.link = link;
+    this.endpoint = endpoint;
+    this.missingId = missingId;
+  }
+};
+var LinkIntegrityError = class extends NoydbError {
+  link;
+  endpoint;
+  id;
+  count;
+  constructor(link, endpoint, id, count) {
+    super(
+      "LINK_INTEGRITY",
+      `Cannot delete "${endpoint}"/"${id}": ${count} link(s) in "${link}" still reference it (onDelete: 'strict').`
+    );
+    this.name = "LinkIntegrityError";
+    this.link = link;
+    this.endpoint = endpoint;
+    this.id = id;
+    this.count = count;
+  }
+};
+
 // src/meta/user-envelope/api.ts
 var UserApi = class {
   constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2) {
@@ -5149,6 +5730,19 @@ function summariseAggregateOp(value) {
 }
 
 // src/vault.ts
+function resolveLabelFromMap(labels, locale, fallback) {
+  if (labels[locale] !== void 0) return labels[locale];
+  const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
+  for (const fb of chain) {
+    if (fb === "any") {
+      const any = Object.values(labels)[0];
+      if (any !== void 0) return any;
+    } else if (labels[fb] !== void 0) {
+      return labels[fb];
+    }
+  }
+  return void 0;
+}
 var Vault = class {
   adapter;
   /** The vault's name as passed to `openVault()`. Stable for the instance lifetime. */
@@ -5192,6 +5786,7 @@ var Vault = class {
   periodsStrategy;
   shadowStrategy;
   historyStrategy;
+  forgetStrategy;
   i18nStrategy;
   syncStrategy;
   /**
@@ -5221,13 +5816,17 @@ var Vault = class {
    */
   overlayedViewRegistry = null;
   /**
-   * Cached read-only facade handed to guard callbacks via `ctx.vault`,
-   * and to derivation callbacks via `derive(source, ctx)`. Allocated
-   * eagerly inside `_initGuards()` and/or `_initDerivations()` so read
+   * Cached read-only facades handed to guard callbacks via `ctx.vault`
+   * and to derivation callbacks via `derive(source, ctx)`. Split by
+   * resolution layer (#285): the guard facade reads at `layer:'guard'`,
+   * the derivation facade at `layer:'derivation'`, so i18nText / dictKey
+   * fields resolve under that layer's `onMissing` policy. Allocated
+   * eagerly inside `_initGuards()` / `_initDerivations()` so read
    * accessors stay synchronous (callers in `tx/transaction.ts` rely on
-   * that). Stays `null` for vaults with neither subsystem configured.
+   * that). Each stays `null` for vaults without that subsystem.
    */
-  readOnlyFacade = null;
+  guardFacade = null;
+  derivationFacade = null;
   getDEK;
   /**
    * Per-principal user envelope API.
@@ -5358,6 +5957,27 @@ var Vault = class {
    * Populated by `collection()` when the `dictKeyFields` option is passed.
    */
   dictKeyFieldRegistry = /* @__PURE__ */ new Map();
+  /**
+   * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+   * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+   * vault must still *know* a name is static so `vault.dictionary(name)` can
+   * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+   * config time whenever a `StaticDictDescriptor` is seen.
+   */
+  staticDictNames = /* @__PURE__ */ new Set();
+  /**
+   * Static-dict descriptors keyed by dictionary name (#291). Backs the
+   * read-path label resolver (resolve from the in-memory table) and the
+   * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+   * name is registered by multiple collections (identical-across-vaults by
+   * construction, so the tables match).
+   */
+  staticByName = /* @__PURE__ */ new Map();
+  /**
+   * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+   * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+   */
+  staticDescriptorByField = /* @__PURE__ */ new Map();
   /**
    * Registry of i18nText fields declared across all collections. Keyed
    * by collection name → field name → I18nTextDescriptor. Used by
@@ -5368,6 +5988,10 @@ var Vault = class {
   i18nFieldRegistry = /* @__PURE__ */ new Map();
   /** Cache of DictionaryHandle instances, one per dictionary name. */
   dictionaryCache = /* @__PURE__ */ new Map();
+  /** Registered link specs (#377-B), keyed by link name; set by `vault.link()`. */
+  linkRegistry = /* @__PURE__ */ new Map();
+  /** Cache of LinkSet handles, one per link name. */
+  linkSetCache = /* @__PURE__ */ new Map();
   /** — subscribers for cross-tier access events. */
   crossTierSubs = /* @__PURE__ */ new Set();
   /** — currently-active elevation, or null. One per vault. */
@@ -5404,6 +6028,7 @@ var Vault = class {
     this.periodsStrategy = opts.periodsStrategy ?? NO_PERIODS;
     this.shadowStrategy = opts.shadowStrategy ?? NO_SHADOW;
     this.historyStrategy = opts.historyStrategy ?? NO_HISTORY;
+    this.forgetStrategy = opts.forgetStrategy ?? NO_FORGET;
     this.i18nStrategy = opts.i18nStrategy ?? NO_I18N;
     this.syncStrategy = opts.syncStrategy ?? NO_SYNC;
     void opts.guardStrategies;
@@ -5483,6 +6108,9 @@ var Vault = class {
     if (collectionName === SEQUENCE_COLLECTION) {
       throw new ReservedCollectionNameError(collectionName);
     }
+    if (isLinkCollectionName(collectionName)) {
+      throw new ReservedCollectionNameError(collectionName);
+    }
     let coll = this.collectionCache.get(collectionName);
     if (coll && options?.moneyFields) {
       coll._applyMoneyFields(options.moneyFields);
@@ -5508,10 +6136,22 @@ var Vault = class {
       }
       if (options?.dictKeyFields) {
         const dictFieldMap = {};
+        const staticFieldMap = {};
         for (const [field, desc] of Object.entries(options.dictKeyFields)) {
-          dictFieldMap[field] = desc.name;
+          if (isStaticDictDescriptor(desc)) {
+            staticFieldMap[field] = desc;
+            this.staticDictNames.add(desc.name);
+            this.staticByName.set(desc.name, desc);
+          } else {
+            dictFieldMap[field] = desc.name;
+          }
+        }
+        if (Object.keys(dictFieldMap).length > 0) {
+          this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
+        }
+        if (Object.keys(staticFieldMap).length > 0) {
+          this.staticDescriptorByField.set(collectionName, staticFieldMap);
         }
-        this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
       }
       if ((options?.schemaUpdate?.length ?? 0) > 0) {
         this.#schemaUpdateNames.set(collectionName, (options.schemaUpdate ?? []).map((s) => s.name));
@@ -5542,6 +6182,7 @@ var Vault = class {
         }));
         schemaUpdateGate = new SchemaUpdateGate(work);
       }
+      const effectiveHistoryConfig = options?.historyConfig ?? this.historyConfig;
       const collOpts = {
         adapter: this.adapter,
         vault: this.name,
@@ -5557,7 +6198,7 @@ var Vault = class {
         schemaFence: this.schemaFence,
         getDEK: this.getDEK,
         onDirty: this.onDirty,
-        historyConfig: this.historyConfig,
+        historyConfig: effectiveHistoryConfig,
         // thread the vault-wide blob strategy into every
         // collection. `undefined` is intentionally preserved so the
         // Collection constructor uses its NO_BLOBS default.
@@ -5568,7 +6209,11 @@ var Vault = class {
         historyStrategy: this.historyStrategy,
         i18nStrategy: this.i18nStrategy,
         syncStrategy: this.syncStrategy,
-        ledger: this.getLedgerOrNull() ?? void 0,
+        // Per-collection ledger opt-out (#361): when this collection sets
+        // `historyConfig.ledger: false`, withhold the ledger reference so all
+        // four `if (this.ledger)` append sites in Collection no-op. The chain
+        // stays valid — it simply never receives this collection's entries.
+        ledger: effectiveHistoryConfig.ledger === false ? void 0 : this.getLedgerOrNull() ?? void 0,
         refEnforcer: this,
         joinResolver: this,
         defaultLocale: this.locale,
@@ -5613,6 +6258,17 @@ var Vault = class {
       if (options?.acknowledgeDeterministicRisk !== void 0) {
         collOpts.acknowledgeDeterministicRisk = options.acknowledgeDeterministicRisk;
       }
+      if (options?.perRecordKeys !== void 0) {
+        collOpts.perRecordKeys = options.perRecordKeys;
+      }
+      if (this.forgetStrategy.subjects[collectionName] !== void 0) {
+        if (options?.perRecordKeys === false) {
+          console.warn(
+            `[noy-db] Collection "${collectionName}" is declared in withForgetCascade but opened with perRecordKeys: false. Forcing perRecordKeys: true \u2014 GDPR crypto-shred requires per-record CEKs.`
+          );
+        }
+        collOpts.perRecordKeys = true;
+      }
       if (options?.tiers !== void 0) collOpts.tiers = options.tiers;
       if (options?.tierMode !== void 0) collOpts.tierMode = options.tierMode;
       collOpts.onCrossTierAccess = (event) => this.emitCrossTier(event);
@@ -5622,6 +6278,11 @@ var Vault = class {
       if (options?.computed !== void 0) collOpts.computed = options.computed;
       if (options?.dictKeyFields !== void 0) {
         collOpts.dictLabelResolver = async (dictName, key, locale, fallback) => {
+          const stat = this.staticByName.get(dictName);
+          if (stat) {
+            const labels = stat.table[key];
+            return labels ? resolveLabelFromMap(labels, locale, fallback) : void 0;
+          }
           const handle = this.dictionary(dictName);
           return handle.resolveLabel(key, locale, fallback);
         };
@@ -5630,6 +6291,7 @@ var Vault = class {
       if (options?.i18nFields !== void 0 || options?.dictKeyFields !== void 0) {
         collOpts.i18nPutValidator = (record) => {
           this.enforceI18nOnPut(collectionName, record);
+          this.enforceStaticDictOnPut(collectionName, record);
         };
       }
       if (options?.i18nFields !== void 0 && this.translateText) {
@@ -5769,6 +6431,34 @@ var Vault = class {
       }
     }
   }
+  /**
+   * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+   * field, every stored code must be a declared key of the descriptor's
+   * table, else `UnknownDictCodeError`. Opt out per descriptor with
+   * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+   * field paths via `getAtPath` (same path support as i18n validation).
+   */
+  enforceStaticDictOnPut(collectionName, record) {
+    const staticFields = this.staticDescriptorByField.get(collectionName);
+    if (!staticFields || Object.keys(staticFields).length === 0) return;
+    if (!record || typeof record !== "object") return;
+    const obj = record;
+    for (const [field, desc] of Object.entries(staticFields)) {
+      if (desc.validateCodes === false) continue;
+      const known = new Set(desc.keys);
+      const values = getAtPath(obj, field);
+      for (const value of values) {
+        if (value === void 0 || value === null) continue;
+        const codes = Array.isArray(value) ? value : [value];
+        for (const code of codes) {
+          if (typeof code !== "string") continue;
+          if (!known.has(code)) {
+            throw new UnknownDictCodeError(desc.name, field, code);
+          }
+        }
+      }
+    }
+  }
   /**
    * Apply locale resolution to a record for the given collection.
    *
@@ -5777,14 +6467,18 @@ var Vault = class {
    */
   async applyLocale(collectionName, record, localeOpts) {
     const locale = localeOpts.locale ?? this.locale;
-    if (!locale) return record;
+    const staticFields = this.staticDescriptorByField.get(collectionName);
+    const hasStaticDisplay = staticFields !== void 0 && Object.values(staticFields).some((d) => d.displayLocale !== void 0);
+    if (!locale && !hasStaticDisplay) return record;
     let result = record;
-    const i18nFields = this.i18nFieldRegistry.get(collectionName);
-    if (i18nFields && Object.keys(i18nFields).length > 0) {
-      result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+    if (locale) {
+      const i18nFields = this.i18nFieldRegistry.get(collectionName);
+      if (i18nFields && Object.keys(i18nFields).length > 0) {
+        result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+      }
     }
     const dictFields = this.dictKeyFieldRegistry.get(collectionName);
-    if (dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
+    if (locale && dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
       const withLabels = { ...result };
       for (const [field, dictName] of Object.entries(dictFields)) {
         const key = result[field];
@@ -5797,6 +6491,22 @@ var Vault = class {
       }
       result = withLabels;
     }
+    if (staticFields && Object.keys(staticFields).length > 0 && locale !== "raw") {
+      const withLabels = { ...result };
+      for (const [field, desc] of Object.entries(staticFields)) {
+        const effLocale = locale ?? desc.displayLocale;
+        if (!effLocale) continue;
+        const key = result[field];
+        if (typeof key !== "string") continue;
+        const labels = desc.table[key];
+        if (!labels) continue;
+        const label = resolveLabelFromMap(labels, effLocale, localeOpts.fallback ?? desc.substitute);
+        if (label !== void 0) {
+          withLabels[`${field}Label`] = label;
+        }
+      }
+      result = withLabels;
+    }
     return result;
   }
   /**
@@ -5818,6 +6528,9 @@ var Vault = class {
    * ```
    */
   dictionary(name, options = {}) {
+    if (this.staticDictNames.has(name)) {
+      throw new StaticDictReadonlyError(name);
+    }
     let handle = this.dictionaryCache.get(name);
     if (!handle) {
       handle = this.i18nStrategy.buildDictionaryHandle({
@@ -5861,6 +6574,68 @@ var Vault = class {
     }
     return handle;
   }
+  /**
+   * Declare a managed many-to-many link set (#377-B). Registers a
+   * `_links_<name>` junction between two endpoint collections; access its
+   * rows via `vault.links(name)`. Idempotent for an identical re-declaration;
+   * a conflicting one throws. See {@link links}.
+   *
+   * ```ts
+   * vault.link('saleLineLinks', { a: ref('saleLines'), b: ref('purchaseLines'), onDelete: 'cascade' })
+   * ```
+   *
+   * `a` / `b` accept either a collection name or a `ref(target)` descriptor
+   * (only its `target` is used — links manage their own integrity). `onDelete`
+   * governs what happens to link rows when an endpoint record is deleted
+   * (`'cascade'` default, `'strict'`, `'warn'`).
+   */
+  link(name, spec) {
+    const a = typeof spec.a === "string" ? spec.a : spec.a.target;
+    const b = typeof spec.b === "string" ? spec.b : spec.b.target;
+    for (const [slot, target] of [["a", a], ["b", b]]) {
+      if (!target || target.startsWith("_") || target.includes("/")) {
+        throw new ValidationError(
+          `vault.link("${name}"): endpoint "${slot}" must be a simple collection name, got "${target}".`
+        );
+      }
+    }
+    const resolved = { a, b, ...spec.onDelete ? { onDelete: spec.onDelete } : {} };
+    const existing = this.linkRegistry.get(name);
+    if (existing) {
+      if (existing.a !== resolved.a || existing.b !== resolved.b || (existing.onDelete ?? "cascade") !== (resolved.onDelete ?? "cascade")) {
+        throw new ValidationError(`vault.link("${name}"): conflicting re-declaration.`);
+      }
+      return;
+    }
+    this.linkRegistry.set(name, resolved);
+  }
+  /**
+   * Access a declared link set (#377-B). Throws if `name` was not first
+   * declared via {@link link}. Returns a cached {@link LinkSetHandle}:
+   * `connect(a, b, meta?)`, `disconnect(a, b)`, `has(a, b)`, `of(id)`, `list()`.
+   */
+  links(name) {
+    let handle = this.linkSetCache.get(name);
+    if (!handle) {
+      const spec = this.linkRegistry.get(name);
+      if (!spec) {
+        throw new ValidationError(`vault.links("${name}"): not declared. Call vault.link("${name}", { a, b }) first.`);
+      }
+      handle = new LinkSet(
+        this.adapter,
+        this.name,
+        name,
+        spec,
+        this.encrypted,
+        this.getDEK,
+        this.keyring.userId,
+        this.emitter,
+        async (collection, id) => await this.collection(collection).get(id) !== null
+      );
+      this.linkSetCache.set(name, handle);
+    }
+    return handle;
+  }
   /**
    * Build a `JoinableSource` for a dictKey field, for use in dict joins
    *. Returns a source whose snapshot contains `{ key, ...labels }`
@@ -5887,6 +6662,26 @@ var Vault = class {
    * Returns `null` when `field` is not a dictKey in `leftCollection`.
    */
   resolveDictSource(leftCollection, field) {
+    const staticFields = this.staticDescriptorByField.get(leftCollection);
+    if (staticFields && field in staticFields) {
+      const desc = staticFields[field];
+      const rows = Object.entries(desc.table).map(
+        ([key, labels]) => ({ key, labels, ...labels })
+      );
+      const source = {
+        snapshot() {
+          return rows;
+        },
+        lookupById(id) {
+          return rows.find((e) => e["key"] === id);
+        }
+      };
+      if (desc.displayLocale !== void 0) {
+        ;
+        source.displayLocale = desc.displayLocale;
+      }
+      return source;
+    }
     const dictFields = this.dictKeyFieldRegistry.get(leftCollection);
     if (!dictFields || !(field in dictFields)) return null;
     const dictName = dictFields[field];
@@ -6000,65 +6795,16 @@ var Vault = class {
       });
     }
   }
-  /**
-   * Bulk blob extraction primitive.
-   *
-   * Returns an async-iterable handle over every blob attached to
-   * records in the vault. Single capability check (`plaintext/blob`)
-   * at handle creation; single audit entry to `_export_audit` before
-   * the first yield. Per-blob decryption happens lazily as the
-   * consumer pulls tuples.
-   *
-   * ```ts
-   * const handle = vault.exportBlobs({
-   *   collections: ['invoiceScans'],
-   *   where: (rec) => (rec as { clientId?: string }).clientId === 'c-123',
-   * })
-   * for await (const { bytes, meta, recordRef } of handle) {
-   *   await uploadToColdStorage(bytes, recordRef)
-   * }
-   * ```
-   *
-   * @see `@noy-db/hub/store/export-blobs` for the full option surface.
-   */
-  /**
-   * Evict blob slots per the per-collection `blobFields` retention
-   * policy.
-   *
-   * Iterates every collection declared with `{ blobFields: {...} }`.
-   * For each record, checks every configured slot against its
-   * policy — `retainDays` (age-based TTL) and/or `evictWhen(record)`
-   * (predicate) — and evicts matching slots. Every eviction writes
-   * one entry to `_blob_eviction_audit` (actor + eTag + reason +
-   * timestamp, no plaintext). Consumer-scheduled; noy-db never runs
-   * this on its own.
-   *
-   * ```ts
-   * await vault.compact()                                   // run full pass
-   * await vault.compact({ dryRun: true })                   // preview counts
-   * await vault.compact({ maxEvictions: 1000 })             // cap batch
-   * ```
-   */
-  /**
-   * Atomic, gap-free numbering. `vault.sequence('invoice-2026').next()`
-   * returns 1, 2, 3, … with no gaps or duplicates under concurrency, via
-   * an optimistic-CAS counter at `_sequences/<name>`. Each name is an
-   * independent sequence.
-   *
-   * **Online-only:** `next()` throws `SequenceOfflineError` unless the
-   * store advertises `capabilities.casAtomic` — gap-free numbering cannot
-   * be serialized by an offline / non-CAS writer.
-   *
-   * ```ts
-   * const n = await vault.sequence('invoice-2026').next()   // 1, then 2, …
-   * const cur = await vault.sequence('invoice-2026').peek()  // current value, no allocation
-   * ```
-   */
   sequence(series, opts) {
     if (series.includes("\0")) {
       throw new ValidationError(`sequence("${series}"): series name must not contain a null byte (\\x00).`);
     }
     if (this.numberingConfigs.has(series)) {
+      if (opts?.format !== void 0) {
+        throw new ValidationError(
+          `sequence("${series}") is a deferred-numbering series; the format option applies to CAS sequences only.`
+        );
+      }
       const eng = this.deferred();
       return {
         next: async (nextOpts) => {
@@ -6082,7 +6828,17 @@ var Vault = class {
         actor: this.keyring.userId
       });
     }
-    return this.sequenceStore.handle(resolveSequenceKey(series, opts));
+    const handle = this.sequenceStore.handle(resolveSequenceKey(series, opts));
+    if (opts?.format === void 0) return handle;
+    const render = compileSequenceFormat(opts.format, series, opts.partition);
+    return {
+      next: async (nextOpts) => {
+        const serial = await handle.next(nextOpts);
+        return { serial, formatted: render(serial) };
+      },
+      peek: () => handle.peek(),
+      seedTo: (n) => handle.seedTo(n)
+    };
   }
   /** @internal — lazily build the deferred-numbering engine with a cache-coherent stamp. */
   deferred() {
@@ -6197,12 +6953,12 @@ var Vault = class {
     if (!fieldSchema) {
       throw new AttestationError(`issueAttestation: collection '${collectionName}' has no attestation field-schema. Declare it via vault.collection('${collectionName}', { attestation: { fields: [...] } }).`);
     }
-    const { issueAttestationCore } = await import("./issue-RZP3VI6O.js");
+    const { issueAttestationCore } = await import("./issue-R2MWQO6K.js");
     const out = await issueAttestationCore(this.makeIssueContext(), { collection: collectionName, id, fieldSchema });
     return { docId: out.docId, qr: out.qr, keyId: out.keyId, publicKeyB64: out.publicKeyB64 };
   }
   async getDocumentSigningPublicKey() {
-    const { loadSigner, loadOrCreateSigner } = await import("./signer-DCMNKXSF.js");
+    const { loadSigner, loadOrCreateSigner } = await import("./signer-HAVDLGOK.js");
     const existing = await loadSigner(this.adapter, this.name, this.getDEK);
     if (existing) return { keyId: existing.keyId, publicKeyB64: existing.publicKeyB64 };
     if (this.keyring.role !== "owner") {
@@ -6228,19 +6984,19 @@ var Vault = class {
     };
   }
   async revokeAttestation(docId) {
-    const { revokeDocCore } = await import("./revoke-HNMQZSCL.js");
+    const { revokeDocCore } = await import("./revoke-7LCWE2AH.js");
     await revokeDocCore(this.makeRevokeContext(), docId);
   }
   async unrevokeAttestation(docId) {
-    const { unrevokeDocCore } = await import("./revoke-HNMQZSCL.js");
+    const { unrevokeDocCore } = await import("./revoke-7LCWE2AH.js");
     await unrevokeDocCore(this.makeRevokeContext(), docId);
   }
   async getRevokedDocIds() {
-    const { getRevokedDocIdsCore } = await import("./revoke-HNMQZSCL.js");
+    const { getRevokedDocIdsCore } = await import("./revoke-7LCWE2AH.js");
     return getRevokedDocIdsCore(this.makeRevokeContext());
   }
   async publishRevocationList() {
-    const { publishRevocationListCore } = await import("./revoke-HNMQZSCL.js");
+    const { publishRevocationListCore } = await import("./revoke-7LCWE2AH.js");
     return publishRevocationListCore(this.makeRevokeContext());
   }
   makeRevokeContext() {
@@ -6309,6 +7065,43 @@ var Vault = class {
       if (descriptor.mode !== "strict") continue;
       const rawId = obj[field];
       if (rawId === null || rawId === void 0) continue;
+      if (isRefArray(descriptor)) {
+        if (!Array.isArray(rawId)) {
+          throw new RefIntegrityError({
+            collection: collectionName,
+            id: obj["id"] ?? "<unknown>",
+            field,
+            refTo: descriptor.target,
+            refId: null,
+            message: `Array ref field "${collectionName}.${field}" must be an array, got ${typeof rawId}.`
+          });
+        }
+        const arrTarget = this.collection(descriptor.target);
+        for (const el of rawId) {
+          if (typeof el !== "string" && typeof el !== "number") {
+            throw new RefIntegrityError({
+              collection: collectionName,
+              id: obj["id"] ?? "<unknown>",
+              field,
+              refTo: descriptor.target,
+              refId: null,
+              message: `Array ref "${collectionName}.${field}" elements must be strings or numbers, got ${typeof el}.`
+            });
+          }
+          const elId = String(el);
+          if (!await arrTarget.get(elId)) {
+            throw new RefIntegrityError({
+              collection: collectionName,
+              id: obj["id"] ?? "<unknown>",
+              field,
+              refTo: descriptor.target,
+              refId: elId,
+              message: `Strict array ref "${collectionName}.${field}" \u2192 "${descriptor.target}" cannot be satisfied: element id "${elId}" not found in "${descriptor.target}".`
+            });
+          }
+        }
+        continue;
+      }
       if (typeof rawId !== "string" && typeof rawId !== "number") {
         throw new RefIntegrityError({
           collection: collectionName,
@@ -6358,6 +7151,11 @@ var Vault = class {
         const allRecords = await fromCollection.list();
         const matches = allRecords.filter((rec) => {
           const raw = rec[rule.field];
+          if (rule.isArray) {
+            return Array.isArray(raw) && raw.some(
+              (el) => (typeof el === "string" || typeof el === "number") && String(el) === id
+            );
+          }
           if (typeof raw !== "string" && typeof raw !== "number") return false;
           return String(raw) === id;
         });
@@ -6396,10 +7194,45 @@ var Vault = class {
           }
         }
       }
+      await this.enforceLinksOnDelete(collectionName, id);
     } finally {
       this.cascadeInProgress.delete(key);
     }
   }
+  /**
+   * @internal — apply link `onDelete` policy when an endpoint record is
+   * deleted (#377-B). `'strict'` throws (blocks the delete), `'cascade'`
+   * removes the touching link rows (tx-atomic when a transaction is active),
+   * `'warn'` leaves orphans for `checkIntegrity()`.
+   */
+  async enforceLinksOnDelete(collectionName, id) {
+    for (const [name, spec] of this.linkRegistry) {
+      if (spec.a !== collectionName && spec.b !== collectionName) continue;
+      const handle = this.links(name);
+      const touching = await handle._rowsTouchingEndpoint(collectionName, id);
+      if (touching.length === 0) continue;
+      const mode = spec.onDelete ?? "cascade";
+      if (mode === "warn") continue;
+      if (mode === "strict") {
+        throw new LinkIntegrityError(name, collectionName, id, touching.length);
+      }
+      const linkColl = handle._collectionName;
+      const txCtx = this.noydb._activeTxContextOrNull;
+      for (const row of touching) {
+        const rowKey = linkRowKey(row.a, row.b);
+        if (txCtx !== null) {
+          const prior = await this.adapter.get(this.name, linkColl, rowKey);
+          if (prior !== null) {
+            txCtx._executed.push({
+              op: { type: "delete", vaultName: this.name, collectionName: linkColl, id: rowKey },
+              priorEnvelope: prior
+            });
+          }
+        }
+        await handle.disconnect(row.a, row.b);
+      }
+    }
+  }
   // ─── Join resolver) ────────────────────
   /**
    * Look up the `RefDescriptor` the left collection declared for a
@@ -6460,6 +7293,23 @@ var Vault = class {
         for (const [field, descriptor] of Object.entries(refs)) {
           const rawId = record[field];
           if (rawId === null || rawId === void 0) continue;
+          const target = this.collection(descriptor.target);
+          if (isRefArray(descriptor)) {
+            if (!Array.isArray(rawId)) {
+              violations.push({ collection: collectionName, id: recId, field, refTo: descriptor.target, refId: rawId, mode: descriptor.mode });
+              continue;
+            }
+            for (const el of rawId) {
+              if (typeof el !== "string" && typeof el !== "number") {
+                violations.push({ collection: collectionName, id: recId, field, refTo: descriptor.target, refId: el, mode: descriptor.mode });
+                continue;
+              }
+              if (!await target.get(String(el))) {
+                violations.push({ collection: collectionName, id: recId, field, refTo: descriptor.target, refId: el, mode: descriptor.mode });
+              }
+            }
+            continue;
+          }
           if (typeof rawId !== "string" && typeof rawId !== "number") {
             violations.push({
               collection: collectionName,
@@ -6472,7 +7322,6 @@ var Vault = class {
             continue;
           }
           const refId = String(rawId);
-          const target = this.collection(descriptor.target);
           const exists = await target.get(refId);
           if (!exists) {
             violations.push({
@@ -6487,6 +7336,19 @@ var Vault = class {
         }
       }
     }
+    for (const [name, spec] of this.linkRegistry) {
+      const linkColl = linkCollectionName(name);
+      const rows = await this.links(name).list();
+      for (const row of rows) {
+        const rowKey = linkRowKey(row.a, row.b);
+        if (await this.collection(spec.a).get(row.a) === null) {
+          violations.push({ collection: linkColl, id: rowKey, field: "a", refTo: spec.a, refId: row.a, mode: spec.onDelete ?? "cascade" });
+        }
+        if (await this.collection(spec.b).get(row.b) === null) {
+          violations.push({ collection: linkColl, id: rowKey, field: "b", refTo: spec.b, refId: row.b, mode: spec.onDelete ?? "cascade" });
+        }
+      }
+    }
     return { violations };
   }
   /**
@@ -6530,6 +7392,218 @@ var Vault = class {
     }
     return this.ledgerStore;
   }
+  // ─── GDPR right-to-erasure (#304) ────────────────────────────────
+  /** @internal — add a subject→record ref to the encrypted subject index. */
+  async _addSubjectRef(subjectId, ref2) {
+    await addSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref2);
+  }
+  /** @internal — drop a subject→record ref from the encrypted subject index. */
+  async _removeSubjectRef(subjectId, ref2) {
+    await removeSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref2);
+  }
+  /**
+   * Rebuild the encrypted subject index from canonical records. The recovery
+   * path for the documented read-modify-write race (RISK #3). Returns the
+   * number of distinct subjects re-indexed.
+   */
+  async rebuildSubjectIndex() {
+    if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+      throw new ForgetStrategyNotConfiguredError();
+    }
+    return rebuildSubjectIndex(
+      this.adapter,
+      this.name,
+      this.getDEK,
+      this.encrypted,
+      this.forgetStrategy.subjects,
+      async (collectionName, id, env) => {
+        const coll = this.collection(collectionName);
+        return coll._decodeEnvelope(env, id);
+      }
+    );
+  }
+  /**
+   * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+   * index and, per matching record:
+   *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+   *   - tombstones every `_history` version of the record,
+   * so the body and all prior versions become permanently undecryptable while
+   * the collection DEK and every OTHER record stay intact. Then appends ONE
+   * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+   * the chain still `verify()`s, PROVING the subject existed and was erased
+   * without retaining any plaintext.
+   *
+   * Reports — but does not silently swallow — two completeness gaps:
+   *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+   *     per-record CEK (legacy body still under the shared collection DEK). It
+   *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+   *     backup before migration) stays decryptable. Migrate, then re-forget.
+   *   - `blobResidueCollections`: a shredded record still has blob attachments,
+   *     which are keyed off a separate `_blob` DEK and are out of scope here.
+   *
+   * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+   */
+  async forget(subjectId) {
+    if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+      throw new ForgetStrategyNotConfiguredError();
+    }
+    const refs = await lookupSubject(this.adapter, this.name, this.getDEK, this.encrypted, subjectId);
+    let recordsShredded = 0;
+    let historyVersionsShredded = 0;
+    const collections = /* @__PURE__ */ new Set();
+    const unmigratedRecords = [];
+    const blobResidueCollections = /* @__PURE__ */ new Set();
+    let blobsShredded = 0;
+    let blobsRetainedShared = 0;
+    const blobsEnabled = this.blobStrategy !== void 0;
+    const actor = this.keyring.userId;
+    for (const ref2 of refs) {
+      const coll = this.collection(ref2.collection);
+      const perRecordKeys = this.forgetStrategy.subjects[ref2.collection] !== void 0;
+      const live = await this.adapter.get(this.name, ref2.collection, ref2.id);
+      if (perRecordKeys && live && live._data && live._cek === void 0) {
+        unmigratedRecords.push(`${ref2.collection}:${ref2.id}`);
+      }
+      const shred = await coll._writeTombstone(ref2.id, actor);
+      if (shred !== null) {
+        recordsShredded++;
+        collections.add(ref2.collection);
+      }
+      historyVersionsShredded += await this.historyStrategy.tombstoneHistory(
+        this.adapter,
+        this.name,
+        ref2.collection,
+        ref2.id,
+        actor
+      );
+      if (blobsEnabled) {
+        const r = await this.collection(ref2.collection).blob(ref2.id).shredAllForRecord();
+        blobsShredded += r.shredded.length;
+        blobsRetainedShared += r.retainedShared.length;
+        if (r.residue.length > 0) blobResidueCollections.add(ref2.collection);
+      } else {
+        try {
+          const slotIds = await this.adapter.list(this.name, `_blob_slots_${ref2.collection}`);
+          if (slotIds.includes(ref2.id)) blobResidueCollections.add(ref2.collection);
+        } catch {
+        }
+      }
+      await this._removeSubjectRef(subjectId, ref2);
+    }
+    const subjectHash = await sha256Hex2(subjectId);
+    const ledger = this.getLedgerOrNull();
+    if (!ledger) {
+      throw new Error(
+        'vault.forget() requires the history strategy for the erasure-proof ledger entry. Pass `historyStrategy: withHistory()` from "@noy-db/hub/history" to createNoydb().'
+      );
+    }
+    const ledgerEntry = await ledger.append({
+      op: "forget",
+      collection: "",
+      id: "",
+      version: 0,
+      actor,
+      payloadHash: subjectHash,
+      reason: JSON.stringify({
+        recordsShredded,
+        historyVersionsShredded,
+        collections: [...collections],
+        unmigratedCount: unmigratedRecords.length,
+        blobsShredded,
+        blobsRetainedShared,
+        blobResidueCollections: [...blobResidueCollections]
+      })
+    });
+    return {
+      subject: subjectId,
+      recordsShredded,
+      historyVersionsShredded,
+      collections: [...collections],
+      unmigratedRecords,
+      blobsShredded,
+      blobsRetainedShared,
+      blobResidueCollections: [...blobResidueCollections],
+      ledgerEntry
+    };
+  }
+  // ─── Record-scoped CEK sealing (#306 slices 2-3) ──────────────────────
+  /**
+   * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+   * host — and only that host — can decrypt exactly that record, with no
+   * access to the vault DEK and no ability to read any other record.
+   *
+   * The grantor (this caller, who holds the collection DEK) reads the record's
+   * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+   * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+   * seals that binding for the recipient host via the host's published hint,
+   * and persists a thin {@link SealedCekDeliveryEnvelope} at
+   * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+   * envelope) is the security boundary: the host re-verifies `{collection, id}`
+   * and `expiresAt` from inside the sealed payload.
+   *
+   * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+   * seal (its body is under the shared collection DEK, which is never exposed
+   * by sealing) → {@link RecordCekNotFoundError}.
+   *
+   * @param collection Collection holding the record.
+   * @param id         Record id.
+   * @param hostSealer The recipient host's {@link RecipientSealer}.
+   * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+   *   the binding the host verifies.
+   * @returns `{ pid, envelopeKey }` — the host provider id and the
+   *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+   */
+  async sealRecordToHost(collection, id, hostSealer, opts) {
+    return sealRecordToHost(this.sealingContext(), collection, id, hostSealer, opts);
+  }
+  /**
+   * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+   * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+   * that already fetched the envelope keeps whatever it cached. For a hard
+   * revocation that makes the live record undecryptable to every prior grant,
+   * use {@link rotateRecordCek}.
+   */
+  async revokeSealedRecord(collection, id, pid) {
+    return revokeSealedRecord(this.sealingContext(), collection, id, pid);
+  }
+  /**
+   * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+   * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+   * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+   * record. After this, any host holding a previously-sealed CEK can still
+   * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+   * the rotated live record (its body is under the new CEK → the old CEK fails
+   * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+   * old grants lose the live record.
+   *
+   * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+   * history snapshot, no materialized-view refresh): rotation is a key-rotation
+   * operation, not a business write, and must not version-bump history (which
+   * would re-encrypt the prior version under the NEW CEK and defeat the point).
+   *
+   * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+   */
+  async rotateRecordCek(collection, id) {
+    return rotateRecordCek(this.sealingContext(), collection, id);
+  }
+  /**
+   * Build the {@link SealingContext} the record-keys grantor functions need:
+   * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+   * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+   */
+  sealingContext() {
+    return {
+      adapter: this.adapter,
+      vault: this.name,
+      getDEK: (collection) => this.getDEK(collection),
+      actor: this.keyring.userId,
+      invalidateRecordCaches: async (collection, id) => {
+        const coll = this.collection(collection);
+        coll._invalidateCekCacheEntry(id);
+        await coll._invalidateCacheEntry(id);
+      }
+    };
+  }
   /**
    * @internal — called by `Noydb.openVault` after construction.
    * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -6545,12 +7619,12 @@ var Vault = class {
     if (handles.length === 0) return;
     const [{ GuardRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
       import("./registry-DKEXOJVO.js"),
-      import("./read-only-facade-ITU6L7BL.js")
+      import("./read-only-facade-EX6WZZBP.js")
     ]);
     const registry = new GuardRegistry();
     for (const h of handles) registry.register(h.spec);
     this.guardRegistry = registry;
-    this.readOnlyFacade = new ReadOnlyVaultFacade(this);
+    this.guardFacade = new ReadOnlyVaultFacade(this, "guard");
   }
   /**
    * @internal — The gate handler in Noydb.#registerGuardGate calls into
@@ -6572,8 +7646,8 @@ var Vault = class {
   async _initDerivations(handles) {
     if (handles.length === 0) return;
     const [{ DerivationRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
-      import("./registry-EB6SISTA.js"),
-      import("./read-only-facade-ITU6L7BL.js")
+      import("./registry-DMS7OKBM.js"),
+      import("./read-only-facade-EX6WZZBP.js")
     ]);
     const registry = new DerivationRegistry();
     for (const h of handles) {
@@ -6581,8 +7655,8 @@ var Vault = class {
     }
     registry.validate();
     this.derivationRegistry = registry;
-    if (this.readOnlyFacade === null) {
-      this.readOnlyFacade = new ReadOnlyVaultFacade(this);
+    if (this.derivationFacade === null) {
+      this.derivationFacade = new ReadOnlyVaultFacade(this, "derivation");
     }
   }
   /**
@@ -6603,7 +7677,7 @@ var Vault = class {
    */
   async _initMaterializedViews(handles) {
     if (handles.length === 0) return;
-    const { MaterializedViewRegistry } = await import("./registry-UTA4CLQS.js");
+    const { MaterializedViewRegistry } = await import("./registry-WVXO6NH5.js");
     const registry = new MaterializedViewRegistry();
     this.materializedViewRegistry = registry;
     const db = this;
@@ -6627,7 +7701,7 @@ var Vault = class {
    */
   async _initOverlayedViews(handles) {
     if (handles.length === 0) return;
-    const { OverlayedViewRegistry } = await import("./registry-IUZQVVBB.js");
+    const { OverlayedViewRegistry } = await import("./registry-3T2RZC5A.js");
     const registry = new OverlayedViewRegistry();
     const mvRegistry = this.materializedViewRegistry;
     const overlayNames = /* @__PURE__ */ new Set();
@@ -6674,13 +7748,13 @@ var Vault = class {
     if (!reg) {
       throw new Error(`refreshView: no MV registered with name "${name}"`);
     }
-    const { MaterializedViewExecutor } = await import("./executor-AZLS3KBK.js");
+    const { MaterializedViewExecutor } = await import("./executor-IZ2NVXCY.js");
     const result = await MaterializedViewExecutor.refresh(reg, {
       getCollection: (n) => this.collection(n),
       getActiveTxContext: () => this.noydb._activeTxContextOrNull,
       getQueryContext: () => this
     });
-    const { clearMVStale } = await import("./stale-W5PQTRYH.js");
+    const { clearMVStale } = await import("./stale-PGTEGJDI.js");
     clearMVStale(registry, name);
     return result;
   }
@@ -6696,10 +7770,10 @@ var Vault = class {
     if (registry === null) return { derived: 0, failed: 0 };
     const strategies = registry.strategiesForSource(sourceCollection);
     if (strategies.length === 0) return { derived: 0, failed: 0 };
-    const { DerivationExecutor } = await import("./executor-6ZDSDZ6V.js");
+    const { DerivationExecutor } = await import("./executor-WLFDUTOM.js");
     const sourceColl = this.collection(sourceCollection);
     const records = await sourceColl.list();
-    const ctx = { vault: this.readOnlyFacade ?? new (await import("./read-only-facade-ITU6L7BL.js")).ReadOnlyVaultFacade(this) };
+    const ctx = { vault: this.derivationFacade ?? new (await import("./read-only-facade-EX6WZZBP.js")).ReadOnlyVaultFacade(this, "derivation") };
     let derived = 0;
     let failed = 0;
     for (const record of records) {
@@ -6721,7 +7795,7 @@ var Vault = class {
           if (!outSpec) continue;
           const outputColl = this.collection(outSpec.collection);
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-67CMI3UT.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-JGHXAJO5.js");
             const prior = await loadFanoutSidecar(this.adapter, this.name, spec.source, id, key);
             const prevKeys = new Set(prior?.keys ?? []);
             const newKeysList = out.entries.map((e) => e.key);
@@ -6764,17 +7838,18 @@ var Vault = class {
    * never see null).
    */
   _getReadOnlyFacade() {
-    return this.readOnlyFacade;
+    return this.guardFacade;
   }
   /**
-   * Internal lazy-allocator for the read-only facade. Used as a
-   * defensive fallback; in practice `_initGuards()` eagerly
-   * instantiates this, so the lazy path is a no-op.
+   * Internal lazy-allocator for the derivation read-only facade
+   * (`layer:'derivation'`). Used as a defensive fallback; in practice
+   * `_initDerivations()` eagerly instantiates this, so the lazy path is
+   * a no-op.
    */
   _ensureReadOnlyFacade() {
-    if (this.readOnlyFacade !== null) return this.readOnlyFacade;
+    if (this.derivationFacade !== null) return this.derivationFacade;
     throw new Error(
-      "Vault: guard hook fired before _initGuards() completed. This typically means the vault was opened via the sync fallback path (Noydb.vault(name)) without first calling await db.openVault(name). See issue #132."
+      "Vault: derivation hook fired before _initDerivations() completed. This typically means the vault was opened via the sync fallback path (Noydb.vault(name)) without first calling await db.openVault(name). See issue #132."
     );
   }
   /**
@@ -6942,7 +8017,7 @@ var Vault = class {
    * collection.
    */
   async delegate(opts) {
-    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-NIQ43IPU.js");
+    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-FMXNUWE6.js");
     if (!this.keyring.kek) {
       throw new ValidationError(
         "issueDelegation: keyring.kek is null \u2014 issuing a delegation requires a tier-1 unlock. Re-authenticate at tier 1 (passphrase) first."
@@ -6964,7 +8039,7 @@ var Vault = class {
    * if the id does not exist.
    */
   async revokeDelegation(id) {
-    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-NIQ43IPU.js");
+    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-FMXNUWE6.js");
     await revokeDelegation(this.adapter, this.name, id);
     void DELEGATIONS_COLLECTION;
   }
@@ -7433,7 +8508,7 @@ var Vault = class {
    * @see docs/subsystems/public-envelope.md
    */
   async getPublicEnvelope(opts = {}) {
-    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-YP2UWMLG.js");
+    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-HXOFHY4N.js");
     return readPublicEnvelope2(this.adapter, this.name, opts);
   }
   /**
@@ -8977,6 +10052,7 @@ var Noydb = class {
   policyEnforcers = /* @__PURE__ */ new Map();
   vaultTemplates = /* @__PURE__ */ new Map();
   txStrategy;
+  forgetStrategy;
   sessionStrategy;
   syncStrategy;
   snapshotStrategy;
@@ -9004,6 +10080,7 @@ var Noydb = class {
   constructor(options) {
     this.options = options;
     this.txStrategy = options.txStrategy ?? NO_TX;
+    this.forgetStrategy = options.forgetStrategy ?? NO_FORGET;
     this.sessionStrategy = options.sessionStrategy ?? NO_SESSION;
     this.syncStrategy = options.syncStrategy ?? NO_SYNC;
     this.snapshotStrategy = options.snapshotStrategy ?? NO_SNAPSHOTS;
@@ -9014,8 +10091,61 @@ var Noydb = class {
     }
     this.#registerGuardGate();
     this.#registerPeriodGate();
+    this.#registerForgetHooks();
     this.resetSessionTimer();
   }
+  /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+  get _forgetStrategy() {
+    return this.forgetStrategy;
+  }
+  // #304 — GDPR subject-index maintenance. When `withForgetCascade` declares
+  // any subject fields, keep the encrypted `_subject_index` in lock-step with
+  // writes so `vault.forget(subjectId)` can find every record for a subject.
+  //
+  // Two consumers are required because they cover disjoint events:
+  //   - onAfterWrite fires on create/update (NOT delete) — add the new ref;
+  //     on an update that changed the subject value, drop the stale ref.
+  //   - the subsystemBus `afterDelete` observer fires on delete (onAfterWrite
+  //     does NOT) — drop the ref so a deleted record never lingers in the
+  //     index (RISK #2). Without it, forget() would try to shred a ghost.
+  #registerForgetHooks() {
+    const subjects = this.forgetStrategy.subjects;
+    if (Object.keys(subjects).length === 0) return;
+    const subjectFieldFor = (collection) => subjects[collection];
+    this.writeHooks.onAfterWrite(async (event) => {
+      const field = subjectFieldFor(event.collection);
+      if (field === void 0) return;
+      const vault = this.vaultCache.get(event.vault);
+      if (!vault) return;
+      if (event.after !== null && typeof event.after === "object") {
+        const subjectValue = readDottedPath(event.after, field);
+        if (subjectValue !== void 0 && subjectValue !== null) {
+          await vault._addSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+        }
+      }
+      if (event.op === "update" && event.before !== null && typeof event.before === "object") {
+        const beforeValue = readDottedPath(event.before, field);
+        const afterValue = event.after !== null && typeof event.after === "object" ? readDottedPath(event.after, field) : void 0;
+        const beforeId = beforeValue === void 0 || beforeValue === null ? void 0 : coerceSubjectId(beforeValue);
+        const afterId = afterValue === void 0 || afterValue === null ? void 0 : coerceSubjectId(afterValue);
+        if (beforeId !== void 0 && beforeId !== afterId) {
+          await vault._removeSubjectRef(beforeId, { collection: event.collection, id: event.docId });
+        }
+      }
+    });
+    this.subsystemBus.register("afterDelete", async (event) => {
+      const field = subjectFieldFor(event.collection);
+      if (field === void 0) return;
+      const vault = this.vaultCache.get(event.vault);
+      if (!vault) return;
+      if (event.before !== null && typeof event.before === "object") {
+        const subjectValue = readDottedPath(event.before, field);
+        if (subjectValue !== void 0 && subjectValue !== null) {
+          await vault._removeSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+        }
+      }
+    });
+  }
   // Track A — guards migration. Registers record-lock / field-freeze / onDelete
   // / amendment-collect as gate-bus handlers (only when guards are opted in, so
   // the write path is zero-cost otherwise). Resolves the live vault's
@@ -9043,7 +10173,7 @@ var Noydb = class {
       if (!facade) return;
       const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
       await registry.runChecks(e.collection, incoming, ctx);
-      const { GuardExecutor } = await import("./executor-IDZDAFNH.js");
+      const { GuardExecutor } = await import("./executor-THSEYEJG.js");
       for (const g of guards) {
         await GuardExecutor.checkFrozenFields(g, e.docId, existing, incoming, e.computedFieldNames);
       }
@@ -9236,6 +10366,7 @@ var Noydb = class {
       ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
       ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
       ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+      forgetStrategy: this.forgetStrategy,
       locale: opts?.locale,
       // Thread the translator hook so Collection.put() can invoke it
       plaintextTranslator: this.options.plaintextTranslator ? (text, from, to, field, collection) => this.invokeTranslator(text, from, to, field, collection) : void 0,
@@ -9290,7 +10421,8 @@ var Noydb = class {
         ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
         ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
         ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
-        ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {}
+        ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+        forgetStrategy: this.forgetStrategy
       });
       this.vaultCache.set(name, comp2);
       return comp2;
@@ -9642,11 +10774,11 @@ var Noydb = class {
     if (name === STATE_VAULT_NAME) throw new ReservedVaultNameError(name);
     const template = this.vaultTemplates.get(opts.sharding.vaultTemplate);
     if (!template) throw new VaultTemplateNotFoundError(opts.sharding.vaultTemplate);
-    const { VaultGroup } = await import("./vault-group-DX2HFQMX.js");
-    const { StateManagementVault } = await import("./state-vault-TMXZRTY5.js");
+    const { VaultGroup } = await import("./vault-group-DPZVFRI5.js");
+    const { StateManagementVault } = await import("./state-vault-QKQKN3H3.js");
     const stateVault = opts.registry ? void 0 : await StateManagementVault.open(this);
     const registry = opts.registry ?? stateVault.registry;
-    const group = new VaultGroup(this, name, registry, opts.sharding, template);
+    const group = new VaultGroup(this, name, registry, opts.sharding, template, opts.migrateOnOpen ?? false);
     if (stateVault) {
       group._attachStateVault(stateVault);
       await stateVault.recordManifest(opts.sharding.vaultTemplate, template);
@@ -9670,7 +10802,7 @@ var Noydb = class {
    */
   async openStateManagementVault() {
     if (this.closed) throw new ValidationError("Instance is closed");
-    const { StateManagementVault } = await import("./state-vault-TMXZRTY5.js");
+    const { StateManagementVault } = await import("./state-vault-QKQKN3H3.js");
     return StateManagementVault.open(this);
   }
   /**
@@ -11172,6 +12304,7 @@ function normalizeSyncTargets(sync) {
 
 export {
   withArchive,
+  compileSequenceFormat,
   resolveSequenceKey,
   SequenceStore,
   validateSchemaInput,
@@ -11179,10 +12312,15 @@ export {
   isZodSchema,
   derivePersistedSchema,
   persistSchemaIfNeeded,
+  isRefArray,
   RefIntegrityError,
   RefScopeError,
   ref,
+  refArray,
   RefRegistry,
+  isLinkCollectionName,
+  LinkEndpointError,
+  LinkIntegrityError,
   QuickUnlockStore,
   UserApi,
   META_COLLECTION,
@@ -11211,4 +12349,4 @@ export {
   Noydb,
   createNoydb
 };
-//# sourceMappingURL=chunk-667MB6AH.js.map
+//# sourceMappingURL=chunk-F2IJ2HGD.js.map