@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.18

package/dist/team/index.d.cts

@@ -1,10 +1,12 @@
-import { a$ as NoydbStore, aZ as UnlockedKeyring } from '../types-Bze6vkwm.cjs';
-export { bp as BundleRecipient, ct as EnrollAuthenticatorOptions, cu as EnrollAuthenticatorWrappingDEKsOptions, cv as EnrollAuthenticatorWrappingKEKOptions, d0 as ListUsersOptions, ds as PaperRecoveryEntry, dA as PresenceHandle, dV as RecoverPassphraseInput, dW as RecoverPassphraseResult, dX as RecoverUserOptions, dY as RecoveryProof, d$ as RotatePassphraseInput, ek as SlotRewrapCeremony, el as SlotRewrapContext, eu as SyncEngine, eC as SyncTransaction, eS as UpdateAuthenticatorOptions, fa as WrappedDeksBlob, fg as buildRecipientKeyringFile, fh as burnPaperRecoveryEntry, g5 as changeSecret, g6 as createOwnerKeyring, fk as deriveMagicLinkContentKey, fl as enrollAuthenticator, g7 as ensureCollectionDEK, fo as evaluateExportCapability, fp as evaluateImportCapability, fq as findAuthenticator, g8 as grant, fr as hasExportCapability, fs as hasImportCapability, fu as isMagicLinkGrantExpired, fz as listMagicLinkGrants, fA as listUsers, fB as listUsersWithEnvelopes, g9 as loadKeyring, fD as loadPaperRecoveryEntries, fG as magicLinkGrantRecordId, fH as mintPaperRecoveryEntry, fJ as mintWrappedDeksBlob, ga as persistKeyring, fL as readMagicLinkGrantRecord, fx as recoverPassphrase, fM as recoverUser, fN as removeAuthenticator, gb as revoke, fR as revokeMagicLinkGrant, fy as rotatePassphrase, fT as savePaperRecoveryEntries, fW as unwrapDeksFromBlob, fX as unwrapDeksFromPaperEntry, fZ as unwrapMagicLinkGrant, gc as updateAuthenticator, gd as updateKeyringIdentity, g4 as writeMagicLinkGrant } from '../types-Bze6vkwm.cjs';
+import { b2 as NoydbStore, b0 as UnlockedKeyring } from '../types-BpLPqyaO.cjs';
+export { bm as BundleRecipient, cs as EnrollAuthenticatorOptions, ct as EnrollAuthenticatorWrappingDEKsOptions, cu as EnrollAuthenticatorWrappingKEKOptions, d7 as ListUsersOptions, dA as PaperRecoveryEntry, dI as PresenceHandle, e1 as RecoverPassphraseInput, e2 as RecoverPassphraseResult, e3 as RecoverUserOptions, e4 as RecoveryProof, e8 as RotatePassphraseInput, et as SlotRewrapCeremony, eu as SlotRewrapContext, eD as SyncEngine, eL as SyncTransaction, e$ as UpdateAuthenticatorOptions, fj as WrappedDeksBlob, fq as buildRecipientKeyringFile, fr as burnPaperRecoveryEntry, gj as changeSecret, gk as createOwnerKeyring, fv as deriveMagicLinkContentKey, fw as enrollAuthenticator, gl as ensureCollectionDEK, fz as evaluateExportCapability, fA as evaluateImportCapability, fB as findAuthenticator, gm as grant, fC as hasExportCapability, fD as hasImportCapability, fG as isMagicLinkGrantExpired, fL as listMagicLinkGrants, fM as listUsers, fN as listUsersWithEnvelopes, gn as loadKeyring, fP as loadPaperRecoveryEntries, fS as magicLinkGrantRecordId, fT as mintPaperRecoveryEntry, fV as mintWrappedDeksBlob, go as persistKeyring, fY as readMagicLinkGrantRecord, fJ as recoverPassphrase, fZ as recoverUser, f_ as removeAuthenticator, gp as revoke, g2 as revokeMagicLinkGrant, fK as rotatePassphrase, g4 as savePaperRecoveryEntries, g8 as unwrapDeksFromBlob, g9 as unwrapDeksFromPaperEntry, gb as unwrapMagicLinkGrant, gq as updateAuthenticator, gr as updateKeyringIdentity, gi as writeMagicLinkGrant } from '../types-BpLPqyaO.cjs';
 import '../lazy-builder-eYZzLEL1.cjs';
 import '../predicate-BmhBSPCH.cjs';
-import '../strategy-BtW8fAjz.cjs';
+import '../strategy-nuyN8K5N.cjs';
+import '../errors-DUTlAt3Y.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-C8Bk3-VF.cjs';
+import '../index-C-SSRIxP.cjs';
+import '../index-C6lgoUhK.cjs';
 import '@noy-db/attestation';
 
 /**

package/dist/team/index.d.ts

@@ -1,10 +1,12 @@
-import { a$ as NoydbStore, aZ as UnlockedKeyring } from '../types-DrmBTscX.js';
-export { bp as BundleRecipient, ct as EnrollAuthenticatorOptions, cu as EnrollAuthenticatorWrappingDEKsOptions, cv as EnrollAuthenticatorWrappingKEKOptions, d0 as ListUsersOptions, ds as PaperRecoveryEntry, dA as PresenceHandle, dV as RecoverPassphraseInput, dW as RecoverPassphraseResult, dX as RecoverUserOptions, dY as RecoveryProof, d$ as RotatePassphraseInput, ek as SlotRewrapCeremony, el as SlotRewrapContext, eu as SyncEngine, eC as SyncTransaction, eS as UpdateAuthenticatorOptions, fa as WrappedDeksBlob, fg as buildRecipientKeyringFile, fh as burnPaperRecoveryEntry, g5 as changeSecret, g6 as createOwnerKeyring, fk as deriveMagicLinkContentKey, fl as enrollAuthenticator, g7 as ensureCollectionDEK, fo as evaluateExportCapability, fp as evaluateImportCapability, fq as findAuthenticator, g8 as grant, fr as hasExportCapability, fs as hasImportCapability, fu as isMagicLinkGrantExpired, fz as listMagicLinkGrants, fA as listUsers, fB as listUsersWithEnvelopes, g9 as loadKeyring, fD as loadPaperRecoveryEntries, fG as magicLinkGrantRecordId, fH as mintPaperRecoveryEntry, fJ as mintWrappedDeksBlob, ga as persistKeyring, fL as readMagicLinkGrantRecord, fx as recoverPassphrase, fM as recoverUser, fN as removeAuthenticator, gb as revoke, fR as revokeMagicLinkGrant, fy as rotatePassphrase, fT as savePaperRecoveryEntries, fW as unwrapDeksFromBlob, fX as unwrapDeksFromPaperEntry, fZ as unwrapMagicLinkGrant, gc as updateAuthenticator, gd as updateKeyringIdentity, g4 as writeMagicLinkGrant } from '../types-DrmBTscX.js';
+import { b2 as NoydbStore, b0 as UnlockedKeyring } from '../types-Diqc2caK.js';
+export { bm as BundleRecipient, cs as EnrollAuthenticatorOptions, ct as EnrollAuthenticatorWrappingDEKsOptions, cu as EnrollAuthenticatorWrappingKEKOptions, d7 as ListUsersOptions, dA as PaperRecoveryEntry, dI as PresenceHandle, e1 as RecoverPassphraseInput, e2 as RecoverPassphraseResult, e3 as RecoverUserOptions, e4 as RecoveryProof, e8 as RotatePassphraseInput, et as SlotRewrapCeremony, eu as SlotRewrapContext, eD as SyncEngine, eL as SyncTransaction, e$ as UpdateAuthenticatorOptions, fj as WrappedDeksBlob, fq as buildRecipientKeyringFile, fr as burnPaperRecoveryEntry, gj as changeSecret, gk as createOwnerKeyring, fv as deriveMagicLinkContentKey, fw as enrollAuthenticator, gl as ensureCollectionDEK, fz as evaluateExportCapability, fA as evaluateImportCapability, fB as findAuthenticator, gm as grant, fC as hasExportCapability, fD as hasImportCapability, fG as isMagicLinkGrantExpired, fL as listMagicLinkGrants, fM as listUsers, fN as listUsersWithEnvelopes, gn as loadKeyring, fP as loadPaperRecoveryEntries, fS as magicLinkGrantRecordId, fT as mintPaperRecoveryEntry, fV as mintWrappedDeksBlob, go as persistKeyring, fY as readMagicLinkGrantRecord, fJ as recoverPassphrase, fZ as recoverUser, f_ as removeAuthenticator, gp as revoke, g2 as revokeMagicLinkGrant, fK as rotatePassphrase, g4 as savePaperRecoveryEntries, g8 as unwrapDeksFromBlob, g9 as unwrapDeksFromPaperEntry, gb as unwrapMagicLinkGrant, gq as updateAuthenticator, gr as updateKeyringIdentity, gi as writeMagicLinkGrant } from '../types-Diqc2caK.js';
 import '../lazy-builder-ChSqcF5t.js';
 import '../predicate-BmhBSPCH.js';
-import '../strategy-BtW8fAjz.js';
+import '../strategy-Diwh5lzS.js';
+import '../errors-DUTlAt3Y.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-nP99bXLg.js';
+import '../index-C-SSRIxP.js';
+import '../index-DP1JTWHZ.js';
 import '@noy-db/attestation';
 
 /**

package/dist/team/index.js

@@ -5,7 +5,7 @@ import {
   getCredential,
   listCredentials,
   putCredential
-} from "../chunk-SCJPI4Z5.js";
+} from "../chunk-LQ3GD5LL.js";
 import {
   burnPaperRecoveryEntry,
   deriveMagicLinkContentKey,
@@ -29,13 +29,13 @@ import {
   unwrapMagicLinkGrant,
   updateAuthenticator,
   writeMagicLinkGrant
-} from "../chunk-DLZ2ONOD.js";
-import "../chunk-4TBBMHVC.js";
+} from "../chunk-IQ4GMEYZ.js";
+import "../chunk-6YEC7LLO.js";
 import {
   PresenceHandle,
   SyncEngine,
   SyncTransaction
-} from "../chunk-BI6ETQPF.js";
+} from "../chunk-DR5I7Q6N.js";
 import {
   buildRecipientKeyringFile,
   changeSecret,
@@ -52,11 +52,11 @@ import {
   persistKeyring,
   revoke,
   updateKeyringIdentity
-} from "../chunk-6H2ZUNR7.js";
+} from "../chunk-FQRAYDS4.js";
 import "../chunk-2QR2PQTT.js";
-import "../chunk-F3BPIPLS.js";
-import "../chunk-YULZKK4F.js";
-import "../chunk-535SSHBS.js";
+import "../chunk-LGPSCKWZ.js";
+import "../chunk-QJKZ5WUP.js";
+import "../chunk-HMFC6M2G.js";
 export {
   PresenceHandle,
   SYNC_CREDENTIALS_COLLECTION,

package/dist/transition-guard--t3exQHF.d.cts

@@ -0,0 +1,165 @@
+import { av as GuardStrategy, az as GuardStrategyHandle, aw as GuardChange, ax as GuardContext } from './types-BpLPqyaO.cjs';
+
+/**
+ * Register a guard for a collection. Guards run on every `put()` /
+ * `delete()` for the named collection (after permissions, before
+ * encryption) and may:
+ *
+ *   - `check` — block writes by throwing (typically `RecordLockedError`)
+ *   - `frozenFields` — freeze specific fields once a condition is true
+ *   - `amendment` — declare an authorized-override path with invariant
+ *
+ * Pass the returned handle to `createNoydb({ strategies: [...] })`.
+ *
+ * @see docs/superpowers/specs/2026-05-18-guards-design.md
+ */
+declare function withGuard<T extends Record<string, unknown>>(strategy: GuardStrategy<T>): GuardStrategyHandle<T>;
+
+/**
+ * `immutableGuard` — declarative WORM / append-only sugar over the guard
+ * subsystem.
+ *
+ * Issued fiscal documents (invoices, DDTs) must be immutable after issue.
+ * That is expressible today with a hand-rolled `withGuard` (block on
+ * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is
+ * repetitive and easy to get subtly wrong. `immutableGuard` generates
+ * exactly that guard from a declarative config, reusing the guard
+ * machinery wholesale — `check`/`onDelete` rejection, the ledgered
+ * `amendment` override, and composition with `periods`/`history`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   immutableGuard({
+ *     collection: 'invoices',
+ *     after: (r) => r.status === 'issued',   // immutable once issued
+ *   }),
+ * ] })
+ * ```
+ *
+ * A record is mutable until `after(record)` holds; from then on, updates
+ * and deletes throw `RecordLockedError` unless performed inside an
+ * `amendment` transaction by an authorized role (the override is
+ * ledgered by the guard amendment mechanism). `appendOnly: true` is
+ * shorthand for `after: () => true` — immutable from creation.
+ */
+
+interface ImmutableGuardConfig<T extends Record<string, unknown>> {
+    /** The collection to make WORM. */
+    collection: string;
+    /**
+     * A record becomes immutable once this predicate holds. Evaluated on
+     * the *existing* (already-persisted) record, so the write that first
+     * makes it true is still allowed; subsequent writes are blocked.
+     * Mutually exclusive with `appendOnly`.
+     */
+    after?: (record: T) => boolean;
+    /** Shorthand for `after: () => true` — immutable from creation. */
+    appendOnly?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly: it receives every {before, after} pair touching this
+     * collection in the amendment plus the guard context; throwing reverts
+     * the whole amendment and surfaces as `InvariantError`.
+     *
+     * Use this to keep a constraint inviolable EVEN under amendment — e.g.
+     * forbid deleting an issued document by re-throwing on any
+     * `before !== null && after === null` change, or assert a cross-record
+     * sum is preserved. When omitted the amendment is unconditionally
+     * allowed (the amendment itself is the sanctioned, ledgered override) —
+     * this is the backward-compatible default.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build an immutability guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function immutableGuard<T extends Record<string, unknown>>(config: ImmutableGuardConfig<T>): GuardStrategyHandle<T>;
+
+/**
+ * `transitionGuard` — declarative state-machine sugar over the guard
+ * subsystem.
+ *
+ * Any record with a lifecycle field (invoice `status`, order state,
+ * ticket workflow, subscription phase) needs transition validation: a
+ * write may only move the field along a declared arc. That is expressible
+ * with a hand-rolled `withGuard({ check })`, but every consumer
+ * re-implements the same graph lookup + error. `transitionGuard`
+ * generates exactly that guard from a state graph, reusing the guard
+ * machinery wholesale — `check` rejection, the ledgered `amendment`
+ * override, and composition with `periods`/`history`.
+ *
+ * It generalizes {@link immutableGuard}: WORM is the special case "every
+ * state has no outgoing arcs", i.e. `transitions` mapping each state to `[]`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   transitionGuard<Sale>({
+ *     collection: 'sales', field: 'status',
+ *     transitions: {                          // absence of an arc = forbidden
+ *       draft: ['to_verify', 'cancelled'],
+ *       to_verify: ['proforma', 'draft', 'cancelled'],
+ *       proforma: ['invoiced', 'cancelled'],
+ *       invoiced: ['paid'], paid: [], cancelled: [],
+ *     },
+ *     initial: ['draft', 'to_verify'],        // allowed status on insert
+ *   }),
+ * ] })
+ * ```
+ *
+ * Semantics:
+ * - **Insert** (`ctx.existing === null`): `incoming[field]` must be in
+ *   `initial`. When `initial` is omitted, any value is allowed on insert.
+ * - **Update**: the arc `(existing[field] → incoming[field])` must be
+ *   listed in `transitions[from]`, else `IllegalTransitionError`. A
+ *   same-value write (`from === to`) is allowed when `allowIdempotent`
+ *   (default `true`) — so writes that touch other fields without moving
+ *   state pass.
+ * - **Override**: inside an `amendment` transaction by an authorized role
+ *   the check is skipped and the change is ledgered (mirrors every guard).
+ *
+ * The status graph is caller-supplied data — no UI, no domain logic.
+ */
+
+interface TransitionGuardConfig<T extends Record<string, unknown>> {
+    /** The collection whose state field is governed. */
+    collection: string;
+    /** The state field on the record (e.g. `'status'`). */
+    field: keyof T & string;
+    /**
+     * The transition graph: each state maps to the states it may move to.
+     * A state absent from the map (or mapped to `[]`) is terminal — no
+     * outgoing arc, so any non-idempotent write from it is rejected.
+     */
+    transitions: Readonly<Record<string, readonly string[]>>;
+    /**
+     * States allowed as the initial value on insert (`existing === null`).
+     * Omit to allow any value on insert.
+     */
+    initial?: readonly string[];
+    /**
+     * Allow a same-value write (`from === to`) on update. Default `true` —
+     * lets a put that changes other fields, but not the state, through.
+     */
+    allowIdempotent?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly. When omitted the amendment is unconditionally allowed (the
+     * amendment itself is the sanctioned, ledgered override) — the
+     * backward-compatible default. Mirrors {@link immutableGuard}.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build a state-machine transition guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function transitionGuard<T extends Record<string, unknown>>(config: TransitionGuardConfig<T>): GuardStrategyHandle<T>;
+
+export { type ImmutableGuardConfig as I, type TransitionGuardConfig as T, immutableGuard as i, transitionGuard as t, withGuard as w };

package/dist/transition-guard-BlI9Oy5K.d.ts

@@ -0,0 +1,165 @@
+import { av as GuardStrategy, az as GuardStrategyHandle, aw as GuardChange, ax as GuardContext } from './types-Diqc2caK.js';
+
+/**
+ * Register a guard for a collection. Guards run on every `put()` /
+ * `delete()` for the named collection (after permissions, before
+ * encryption) and may:
+ *
+ *   - `check` — block writes by throwing (typically `RecordLockedError`)
+ *   - `frozenFields` — freeze specific fields once a condition is true
+ *   - `amendment` — declare an authorized-override path with invariant
+ *
+ * Pass the returned handle to `createNoydb({ strategies: [...] })`.
+ *
+ * @see docs/superpowers/specs/2026-05-18-guards-design.md
+ */
+declare function withGuard<T extends Record<string, unknown>>(strategy: GuardStrategy<T>): GuardStrategyHandle<T>;
+
+/**
+ * `immutableGuard` — declarative WORM / append-only sugar over the guard
+ * subsystem.
+ *
+ * Issued fiscal documents (invoices, DDTs) must be immutable after issue.
+ * That is expressible today with a hand-rolled `withGuard` (block on
+ * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is
+ * repetitive and easy to get subtly wrong. `immutableGuard` generates
+ * exactly that guard from a declarative config, reusing the guard
+ * machinery wholesale — `check`/`onDelete` rejection, the ledgered
+ * `amendment` override, and composition with `periods`/`history`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   immutableGuard({
+ *     collection: 'invoices',
+ *     after: (r) => r.status === 'issued',   // immutable once issued
+ *   }),
+ * ] })
+ * ```
+ *
+ * A record is mutable until `after(record)` holds; from then on, updates
+ * and deletes throw `RecordLockedError` unless performed inside an
+ * `amendment` transaction by an authorized role (the override is
+ * ledgered by the guard amendment mechanism). `appendOnly: true` is
+ * shorthand for `after: () => true` — immutable from creation.
+ */
+
+interface ImmutableGuardConfig<T extends Record<string, unknown>> {
+    /** The collection to make WORM. */
+    collection: string;
+    /**
+     * A record becomes immutable once this predicate holds. Evaluated on
+     * the *existing* (already-persisted) record, so the write that first
+     * makes it true is still allowed; subsequent writes are blocked.
+     * Mutually exclusive with `appendOnly`.
+     */
+    after?: (record: T) => boolean;
+    /** Shorthand for `after: () => true` — immutable from creation. */
+    appendOnly?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly: it receives every {before, after} pair touching this
+     * collection in the amendment plus the guard context; throwing reverts
+     * the whole amendment and surfaces as `InvariantError`.
+     *
+     * Use this to keep a constraint inviolable EVEN under amendment — e.g.
+     * forbid deleting an issued document by re-throwing on any
+     * `before !== null && after === null` change, or assert a cross-record
+     * sum is preserved. When omitted the amendment is unconditionally
+     * allowed (the amendment itself is the sanctioned, ledgered override) —
+     * this is the backward-compatible default.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build an immutability guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function immutableGuard<T extends Record<string, unknown>>(config: ImmutableGuardConfig<T>): GuardStrategyHandle<T>;
+
+/**
+ * `transitionGuard` — declarative state-machine sugar over the guard
+ * subsystem.
+ *
+ * Any record with a lifecycle field (invoice `status`, order state,
+ * ticket workflow, subscription phase) needs transition validation: a
+ * write may only move the field along a declared arc. That is expressible
+ * with a hand-rolled `withGuard({ check })`, but every consumer
+ * re-implements the same graph lookup + error. `transitionGuard`
+ * generates exactly that guard from a state graph, reusing the guard
+ * machinery wholesale — `check` rejection, the ledgered `amendment`
+ * override, and composition with `periods`/`history`.
+ *
+ * It generalizes {@link immutableGuard}: WORM is the special case "every
+ * state has no outgoing arcs", i.e. `transitions` mapping each state to `[]`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   transitionGuard<Sale>({
+ *     collection: 'sales', field: 'status',
+ *     transitions: {                          // absence of an arc = forbidden
+ *       draft: ['to_verify', 'cancelled'],
+ *       to_verify: ['proforma', 'draft', 'cancelled'],
+ *       proforma: ['invoiced', 'cancelled'],
+ *       invoiced: ['paid'], paid: [], cancelled: [],
+ *     },
+ *     initial: ['draft', 'to_verify'],        // allowed status on insert
+ *   }),
+ * ] })
+ * ```
+ *
+ * Semantics:
+ * - **Insert** (`ctx.existing === null`): `incoming[field]` must be in
+ *   `initial`. When `initial` is omitted, any value is allowed on insert.
+ * - **Update**: the arc `(existing[field] → incoming[field])` must be
+ *   listed in `transitions[from]`, else `IllegalTransitionError`. A
+ *   same-value write (`from === to`) is allowed when `allowIdempotent`
+ *   (default `true`) — so writes that touch other fields without moving
+ *   state pass.
+ * - **Override**: inside an `amendment` transaction by an authorized role
+ *   the check is skipped and the change is ledgered (mirrors every guard).
+ *
+ * The status graph is caller-supplied data — no UI, no domain logic.
+ */
+
+interface TransitionGuardConfig<T extends Record<string, unknown>> {
+    /** The collection whose state field is governed. */
+    collection: string;
+    /** The state field on the record (e.g. `'status'`). */
+    field: keyof T & string;
+    /**
+     * The transition graph: each state maps to the states it may move to.
+     * A state absent from the map (or mapped to `[]`) is terminal — no
+     * outgoing arc, so any non-idempotent write from it is rejected.
+     */
+    transitions: Readonly<Record<string, readonly string[]>>;
+    /**
+     * States allowed as the initial value on insert (`existing === null`).
+     * Omit to allow any value on insert.
+     */
+    initial?: readonly string[];
+    /**
+     * Allow a same-value write (`from === to`) on update. Default `true` —
+     * lets a put that changes other fields, but not the state, through.
+     */
+    allowIdempotent?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly. When omitted the amendment is unconditionally allowed (the
+     * amendment itself is the sanctioned, ledgered override) — the
+     * backward-compatible default. Mirrors {@link immutableGuard}.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build a state-machine transition guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function transitionGuard<T extends Record<string, unknown>>(config: TransitionGuardConfig<T>): GuardStrategyHandle<T>;
+
+export { type ImmutableGuardConfig as I, type TransitionGuardConfig as T, immutableGuard as i, transitionGuard as t, withGuard as w };