@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.18

package/dist/{types-DrmBTscX.d.ts → types-Diqc2caK.d.ts}

@@ -1,7 +1,9 @@
 import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-ChSqcF5t.js';
-import { a7 as NoydbError, o as LiveAggregation, f as AggregateSpec, e as AggregateResult, av as MoneyDescriptor, A as AggregateStrategy } from './strategy-BtW8fAjz.js';
+import { L as LiveAggregation, b as AggregateSpec, a as AggregateResult, v as MoneyDescriptor, A as AggregateStrategy } from './strategy-Diwh5lzS.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-nP99bXLg.js';
+import { L as LedgerEntry, F as ForgetStrategy, S as SubjectRef, b as ForgetResult } from './index-C-SSRIxP.js';
+import { N as NoydbError } from './errors-DUTlAt3Y.js';
+import { L as LiveQuery, Q as Query, c as JoinStrategy, j as RefRegistry, R as RefDescriptor, d as JoinableSource, l as RefViolation, S as ScanBuilder } from './index-DP1JTWHZ.js';
 import { I as IndexDef, O as Operator, F as FieldClause, C as CollectionIndexes } from './predicate-BmhBSPCH.js';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
@@ -415,6 +417,7 @@ declare class BlobSet {
     private readonly encrypted;
     private readonly userId;
     private readonly maxBlobBytes;
+    private readonly erasableBlobs;
     constructor(opts: {
         store: NoydbStore;
         vault: string;
@@ -424,7 +427,18 @@ declare class BlobSet {
         encrypted: boolean;
         userId?: string;
         maxBlobBytes?: number;
+        erasableBlobs?: boolean;
     });
+    /**
+     * Resolve the key the blob's CHUNKS are encrypted under.
+     *
+     * - `_cek` present (erasable blob) → unwrap the per-blob content CEK under
+     *   the `_blob` DEK. Deleting the BlobObject (at `refCount → 0`) makes this
+     *   key unrecoverable → the chunks are crypto-shredded.
+     * - `_cek` absent (legacy) → the `_blob` DEK encrypts chunks directly.
+     * - unencrypted vault → `null` (chunks stored as plaintext base64).
+     */
+    private resolveChunkKey;
     /** The internal collection that holds slot metadata for this collection's blobs. */
     private get slotsCollection();
     /** The internal collection that holds published versions for this collection's blobs. */
@@ -442,6 +456,73 @@ declare class BlobSet {
      * CAS retry loop for refCount changes on a BlobObject.
      */
     private casUpdateRefCount;
+    /**
+     * Release `n` references to a blob and reclaim it at refCount 0 (#365 slice 4).
+     *
+     * The single reclaim choke point for every reference-drop path — slot
+     * delete/overwrite, published-version delete, and `forget()` shred — so the
+     * refCount-0 policy is uniform:
+     *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+     *    copy of the wrapped content CEK → chunks permanently undecryptable) and
+     *    reclaim the chunks. The crypto-shred is EAGER on every path: GDPR erasure
+     *    must not wait on orphan retention.
+     *  - **legacy blob** (no `_cek`) → reclaimed only when `reclaimLegacy` (the
+     *    `forget()` erasure path); otherwise left for deferred GC so the existing
+     *    `BlobLifecyclePolicy.orphanRetentionDays` semantics are preserved.
+     *
+     * @returns `'shredded'` (erasable, refCount 0, chunks dead) · `'retainedShared'`
+     *   (erasable, still referenced) · `'residue'` (legacy — not a crypto-shred).
+     */
+    private releaseRef;
+    /**
+     * Crypto-shred this record's blob attachments (#365 slice 2) — called by
+     * `vault.forget()`.
+     *
+     * For each distinct eTag the record references (a record may attach the same
+     * content under several slot names → several refCount holds): decrement the
+     * blob's refCount by that many. When it reaches 0:
+     *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+     *    recoverable copy of the wrapped content CEK → chunks permanently
+     *    undecryptable) and reclaim the chunk bytes. This is the crypto-shred.
+     *  - **legacy blob** (no `_cek`) → chunks are under the shared `_blob` DEK and
+     *    stay decryptable until byte-deleted; we delete the orphaned chunks +
+     *    index but report it as residue, not a cryptographic erasure.
+     * When refCount stays > 0 the content legitimately persists for its other
+     * owner — reported as `retainedShared` (or `residue` if legacy).
+     *
+     * Finally drops the record's slot map, severing the subject's link.
+     */
+    shredAllForRecord(): Promise<{
+        shredded: string[];
+        retainedShared: string[];
+        residue: string[];
+    }>;
+    /** CAS retry loop for an arbitrary BlobObject mutation. */
+    private casUpdateBlobObject;
+    /**
+     * Migrate this record's LEGACY blobs (no `_cek`, chunks under the shared
+     * `_blob` DEK) to per-blob content CEKs so they become crypto-shreddable
+     * (#365 slice 3). Returns the eTags migrated vs. already-erasable.
+     *
+     * **Explicit maintenance pass** (mirrors the record-CEK migration posture):
+     * re-encrypts the existing compressed chunks IN PLACE under a fresh content
+     * CEK — preserving the eTag, chunkCount, chunkSize, and compression — then
+     * flips the `_cek` discriminant. Crash-safe + idempotent via `_cekPending`:
+     *   1. persist the wrapped content CEK in `_cekPending` (readers ignore it →
+     *      the blob stays readable under the `_blob` DEK; the key survives a crash);
+     *   2. re-encrypt each chunk under the content CEK (a resume reads an
+     *      already-migrated chunk under the content CEK, else under the `_blob` DEK);
+     *   3. promote `_cekPending` → `_cek` (atomic flip). Reads now use the CEK.
+     * A re-run after a crash resumes from whichever phase was reached.
+     *
+     * Dedup-safe: migrating a shared blob (refCount > 1) re-keys it for every
+     * referencer at once; a non-erasable collection still reads it (it unwraps
+     * `_cek` under the `_blob` DEK it holds).
+     */
+    migrate(): Promise<{
+        migrated: string[];
+        alreadyErasable: string[];
+    }>;
     private writeChunk;
     private readChunk;
     private versionKey;
@@ -598,6 +679,13 @@ interface BlobStrategyOpenArgs {
     readonly getDEK: (collectionName: string) => Promise<CryptoKey>;
     readonly encrypted: boolean;
     readonly userId: string;
+    /**
+     * Collection opts into per-record keys (`perRecordKeys`), so its blobs are
+     * erasable: new uploads mint a per-blob content CEK (crypto-shreddable at
+     * `refCount → 0`). Off → legacy shared-`_blob`-DEK chunks. See the per-blob
+     * CEK design spec.
+     */
+    readonly erasableBlobs?: boolean;
 }
 /**
  * The seam interface. `@internal` — do not build public APIs on this
@@ -807,224 +895,6 @@ interface ConsentStrategy {
     read(adapter: NoydbStore, vault: string, encrypted: boolean, getDEK: (collectionName: string) => Promise<CryptoKey>, filter?: ConsentAuditFilter): Promise<ConsentAuditEntry[]>;
 }
 
-/**
- * Ledger entry shape + canonical JSON + sha256 helpers.
- *
- * This file holds the PURE primitives used by the hash-chained ledger:
- * the entry type, the deterministic (sort-stable) JSON encoder, and
- * the sha256 hasher that produces `prevHash` and `ledger.head()`.
- *
- * Everything here is validator-free and side-effect free — the only
- * runtime dep is Web Crypto's `subtle.digest` for the sha256 call,
- * which we already use for every other hashing operation in the core.
- *
- * The hash chain property works like this:
- *
- *   hash(entry[i])       = sha256(canonicalJSON(entry[i]))
- *   entry[i+1].prevHash  = hash(entry[i])
- *
- * Any modification to `entry[i]` (field values, field order, whitespace)
- * produces a different `hash(entry[i])`, which means `entry[i+1]`'s
- * stored `prevHash` no longer matches the recomputed hash, which means
- * `verify()` returns `{ ok: false, divergedAt: i + 1 }`. The chain is
- * append-only and tamper-evident without external anchoring.
- */
-/**
- * A single ledger entry in its plaintext form — what gets serialized,
- * hashed, and then encrypted with the ledger DEK before being written
- * to the `_ledger/` adapter collection.
- *
- * ## Why hash the ciphertext, not the plaintext?
- *
- * `payloadHash` is the sha256 of the record's ENCRYPTED envelope bytes,
- * not its plaintext. This matters:
- *
- *   1. **Zero-knowledge preserved.** A user (or a third party) can
- *      verify the ledger against the stored envelopes without any
- *      decryption keys. The adapter layer already holds only
- *      ciphertext, so hashing the ciphertext keeps the ledger at the
- *      same privacy level as the adapter.
- *
- *   2. **Determinism.** Plaintext → ciphertext is randomized by the
- *      fresh per-write IV, so `hash(plaintext)` would need extra
- *      normalization. `hash(ciphertext)` is already deterministic and
- *      unique per write.
- *
- *   3. **Detection property.** If an attacker modifies even one byte of
- *      the stored ciphertext (trying to flip a record), the hash
- *      changes, the ledger's recorded `payloadHash` no longer matches,
- *      and a data-integrity check fails. We don't do that check in
- *      `verify()` today, but the
- *      hook is there for a future `verifyIntegrity()` follow-up.
- *
- * Fields marked `op`, `collection`, `id`, `version`, `ts`, `actor` are
- * plaintext METADATA about the operation — NOT the record itself. The
- * entry is still encrypted at rest via the ledger DEK, but adapters
- * could theoretically infer operation patterns from the sizes and
- * timestamps. This is an accepted trade-off for the tamper-evidence
- * property; full ORAM-level privacy is out of scope for noy-db.
- */
-interface LedgerEntry {
-    /**
-     * Zero-based sequential position of this entry in the chain. The
-     * canonical adapter key is this number zero-padded to 10 digits
-     * (`"0000000001"`) so lexicographic ordering matches numeric order.
-     */
-    readonly index: number;
-    /**
-     * Hex-encoded sha256 of the canonical JSON of the PREVIOUS entry.
-     * The genesis entry (index 0) has `prevHash === ''` — the first
-     * entry in a fresh vault has nothing to point back to.
-     */
-    readonly prevHash: string;
-    /**
-     * Which kind of mutation this entry records. only supports
-     * data operations (`put`, `delete`, `amendment`). Access-control
-     * operations (`grant`, `revoke`, `rotate`) will be added in a
-     * follow-up once the keyring write path is instrumented — that's
-     * tracked in the epic issue.
-     *
-     * `'amendment'` is the multi-record audit entry written by the
-     * guards subsystem when an admin/owner uses `withTransactions(...)`
-     * to repair a constraint-violating state. See `amendment` field
-     * below for the structured payload.
-     *
-     * `'lifecycle'` records a non-data audit event (e.g. partition
-     * handover) — `collection`/`id` are empty and the event detail
-     * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
-     * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
-     * skips it in the data cross-check (it still participates in the
-     * tamper-evident chain).
-     */
-    readonly op: 'put' | 'delete' | 'amendment' | 'lifecycle' | 'migration';
-    /** The collection the mutation targeted. */
-    readonly collection: string;
-    /** The record id the mutation targeted. */
-    readonly id: string;
-    /**
-     * The record version AFTER this mutation. For `put` this is the
-     * newly assigned version; for `delete` this is the version that
-     * was deleted (the last version visible to reads).
-     */
-    readonly version: number;
-    /** ISO timestamp of the mutation. */
-    readonly ts: string;
-    /** User id of the actor who performed the mutation. */
-    readonly actor: string;
-    /**
-     * Hex-encoded sha256 of the encrypted envelope's `_data` field.
-     * For `put`, this is the hash of the new ciphertext. For `delete`,
-     * it's the hash of the last visible ciphertext at deletion time,
-     * or the empty string if nothing was there to delete. Hashing the
-     * ciphertext (not the plaintext) preserves zero-knowledge — see
-     * the file docstring.
-     */
-    readonly payloadHash: string;
-    /**
-     * Optional human-readable tag describing why this mutation happened.
-     * Threaded through `collection.put(_, _, { reason })`. Common
-     * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
-     * `as-*` ImportPlan.apply(), but consumers can use any string for
-     * domain-specific audit filtering. Auto-strip via `canonicalJson` —
-     * absent on the wire, never serialized as `null`.
-     *
-     * Audit consumers filter: `entries.filter(e => e.reason?.startsWith('import:'))`.
-     */
-    readonly reason?: string;
-    /**
-     * Optional hex-encoded sha256 of the encrypted JSON Patch delta
-     * blob stored alongside this entry in `_ledger_deltas/`. Present
-     * only for `put` operations that had a previous version — the
-     * genesis put of a new record, and every `delete`, leave this
-     * field undefined.
-     *
-     * The delta payload itself lives in a sibling internal collection
-     * (`_ledger_deltas/<paddedIndex>`) and is encrypted with the
-     * ledger DEK. Callers use `ledger.loadDelta(index)` to decrypt and
-     * deserialize it when reconstructing a historical version.
-     *
-     * Why optional instead of always-present: the first put of a
-     * record has no previous version to diff against, so storing an
-     * empty patch would be noise. For deletes there's no "next" state
-     * to describe with a delta. Both cases set this field to undefined.
-     *
-     * Note: the canonical-JSON hasher treats `undefined` as invalid
-     * (it's one of the guard rails), so on the wire this field is
-     * either `{ deltaHash: '<hex>' }` or absent from the JSON
-     * entirely — never `{ deltaHash: undefined }`.
-     */
-    readonly deltaHash?: string;
-    /**
-     * Present only when `op === 'amendment'`. Records the human reason,
-     * the role of the actor, the (collection, id, vBefore, vAfter) tuple
-     * for every record touched, and which guard invariants passed.
-     *
-     * See docs/superpowers/specs/2026-05-18-guards-design.md.
-     */
-    readonly amendment?: {
-        readonly reason: string;
-        readonly role: 'admin' | 'owner';
-        readonly changes: ReadonlyArray<{
-            readonly collection: string;
-            readonly id: string;
-            readonly vBefore: number;
-            readonly vAfter: number;
-        }>;
-        readonly invariantsPassed: ReadonlyArray<string>;
-    };
-}
-/**
- * Canonical (sort-stable) JSON encoder.
- *
- * This function is the load-bearing primitive of the hash chain:
- * `sha256(canonicalJSON(entry))` must produce the same hex string
- * every time, on every machine, for the same logical entry — otherwise
- * `verify()` would return `{ ok: false }` on cross-platform reads.
- *
- * JavaScript's `JSON.stringify` is almost canonical, but NOT quite:
- * it preserves the insertion order of object keys, which means
- * `{a:1,b:2}` and `{b:2,a:1}` serialize differently. We fix this by
- * recursively walking objects and sorting their keys before
- * concatenation.
- *
- * Arrays keep their original order (reordering them would change
- * semantics). Numbers, strings, booleans, and `null` use the default
- * JSON encoding. `undefined` and functions are rejected — ledger
- * entries are plain data, and silently dropping `undefined` would
- * break the "same input → same hash" property if a caller forgot to
- * omit a field.
- *
- * Performance: one pass per nesting level; O(n log n) for key sorting
- * at each object. Entries are small (< 1 KB) so this is negligible
- * compared to the sha256 call.
- */
-declare function canonicalJson(value: unknown): string;
-/**
- * Compute a hex-encoded sha256 of a string via Web Crypto's subtle API.
- *
- * We use hex (not base64) for hashes because hex is case-insensitive,
- * fixed-length (64 chars), and easier to compare visually in debug
- * output. Base64 would save a few bytes in storage but every encrypted
- * ledger entry is already much larger than the hash itself.
- */
-declare function sha256Hex(input: string): Promise<string>;
-/**
- * Compute the canonical hash of a ledger entry. Short wrapper around
- * `canonicalJson` + `sha256Hex`; callers use this instead of composing
- * the two functions every time, so any future change to the hashing
- * pipeline (e.g., adding a domain-separation prefix) lives in one place.
- */
-declare function hashEntry(entry: LedgerEntry): Promise<string>;
-/**
- * Pad an index to the canonical 10-digit form used as the adapter key.
- * Ten digits is enough for ~10 billion ledger entries per vault
- * — far beyond any realistic use case, but cheap enough that the extra
- * digits don't hurt storage.
- */
-declare function paddedIndex(index: number): string;
-/** Parse a padded adapter key back into a number. Returns NaN on malformed input. */
-declare function parseIndex(key: string): number;
-
 /**
  * RFC 6902 JSON Patch — compute + apply.
  *
@@ -1888,12 +1758,14 @@ interface I18nTextOptions {
      * export). Default `'throw'` — today's behavior, zero breaking change.
      * See {@link OnMissingPolicy}.
      *
-     * NOTE (current wiring): the `read` layer (`get`/`list`) is enforced.
-     * Guard, derivation, mv, join and export reads currently resolve
-     * through the same read path and so observe the `read`/scalar policy;
-     * dedicated per-layer enforcement for those contexts is a tracked
-     * follow-up (mv/join additionally require resolution to be injected
-     * into the query/aggregate pipeline, which today reads raw maps).
+     * NOTE (current wiring): the `read` (`get`/`list`), `guard` and
+     * `derivation` layers are enforced — guard / derivation `ctx.vault`
+     * reads resolve under their own layer policy (`guard` defaults to the
+     * lenient `'substitute'`). The `mv`, `join` and `export` layers are NOT
+     * yet wired: mv/join read raw `{locale}` maps in the query/aggregate
+     * pipeline (no resolution call site), so injecting resolution there is a
+     * tracked follow-up (#285 D2/D3). Until then those reads observe the raw
+     * map, not this policy.
      */
     readonly onMissing?: OnMissingPolicy;
     /**
@@ -2572,6 +2444,88 @@ declare function dictKey<Keys extends string>(name: string, keys?: readonly Keys
 }): DictKeyDescriptor<Keys>;
 /** Runtime predicate for detecting a DictKeyDescriptor. */
 declare function isDictKeyDescriptor(x: unknown): x is DictKeyDescriptor;
+/**
+ * Descriptor returned by `staticDict()`. A sibling to {@link DictKeyDescriptor}
+ * for **closed, defined-in-code, identical-across-vaults** enums (honorific,
+ * civil-status, gender, religion, ContactTitle, status…).
+ *
+ * Unlike `dictKey`, the labels are supplied **at registration in code** and
+ * resolved through the *same* label machinery, but with **no `_dict_*`
+ * per-vault encrypted copy** and **no `rename()`**. The record stores only
+ * the **code**; a static dict has no mutation surface.
+ *
+ * **Hybrid resolution.** Because a static dict is pure code with no
+ * vault-locale dependency, it can — via a configured `displayLocale` — emit a
+ * `<field>Label` even under a **locale-less read** (the property a locale-less
+ * consumer needs and `dictKey` cannot provide). When a locale *is* active it
+ * behaves exactly like `dictKey` (honoring `onMissing`/`substitute`).
+ *
+ * ```ts
+ * const workers = vault.collection<Worker>('workers', {
+ *   dictKeyFields: {
+ *     civilStatus: staticDict('civilStatus', {
+ *       adultMale:   { th: 'นาย',    en: 'Mr'  },
+ *       adultFemale: { th: 'นาง',    en: 'Mrs' },
+ *     }, { displayLocale: 'th' }),
+ *   },
+ * })
+ * ```
+ */
+interface StaticDictDescriptor<Keys extends string = string> {
+    readonly _noydbStaticDict: true;
+    /** Which dictionary this field references (the registry name). */
+    readonly name: string;
+    /** The in-code label table: key → { locale → label }. */
+    readonly table: Readonly<Record<Keys, Readonly<Record<string, string>>>>;
+    /** Declared valid keys — derived from `Object.keys(table)`. */
+    readonly keys: readonly Keys[];
+    /**
+     * Locale used to emit `<field>Label` under a **locale-less** read — the
+     * hybrid hinge. When unset, a static dict behaves like `dictKey` under a
+     * locale-less read (no label); a locale-less consumer almost always wants
+     * it set.
+     */
+    readonly displayLocale?: string;
+    /** Same `onMissing` policy engine as `dictKey`. Default `'null'`. */
+    readonly onMissing?: OnMissingPolicy;
+    /** Ordered preferred-substitute locales for label resolution. */
+    readonly substitute?: readonly string[];
+    /**
+     * Validate the stored code against `keys` on every `put()`. Default `true`
+     * — codes are closed by construction, so an unknown code is a bug. Set
+     * `false` to allow open codes (skips the `UnknownDictCodeError` guard).
+     */
+    readonly validateCodes?: boolean;
+}
+/**
+ * Create a `StaticDictDescriptor` for a code-provided enum field — a sibling
+ * to {@link dictKey} for closed, code-defined, identical-across-vaults enums.
+ *
+ * The labels live in `table` (no `_dict_*` collection, no `rename()`); the
+ * record stores only the stable code. Pass `displayLocale` so `<field>Label`
+ * resolves even under a locale-less read.
+ *
+ * @param name   The dictionary name (used for the readonly-guard registry and
+ *               the query label seam — never creates a `_dict_<name>` key).
+ * @param table  `{ key: { locale: label } }` map.
+ * @param opts   `displayLocale` (locale-less label), `onMissing`, `substitute`.
+ *
+ * @example
+ * ```ts
+ * staticDict('civilStatus', {
+ *   adultMale:   { th: 'นาย',    en: 'Mr'  },
+ *   adultFemale: { th: 'นาง',    en: 'Mrs' },
+ * }, { displayLocale: 'th' })
+ * ```
+ */
+declare function staticDict<const T extends Record<string, Record<string, string>>>(name: string, table: T, opts?: {
+    displayLocale?: string;
+    onMissing?: OnMissingPolicy;
+    substitute?: readonly string[];
+    validateCodes?: boolean;
+}): StaticDictDescriptor<Extract<keyof T, string>>;
+/** Runtime predicate for detecting a StaticDictDescriptor. */
+declare function isStaticDictDescriptor(x: unknown): x is StaticDictDescriptor;
 /**
  * One entry in a `_dict_*` collection. The record `id` (adapter-side
  * key) IS the stable dictionary key (e.g. `'paid'`). The `labels`
@@ -3475,6 +3429,12 @@ interface HistoryStrategy {
      * `NO_HISTORY`.
      */
     clearHistory(adapter: NoydbStore, vault: string, collection?: string, recordId?: string): Promise<number>;
+    /**
+     * Crypto-shred (overwrite-to-tombstone) every `_history` version of a
+     * record for GDPR erasure (#304). Returns the number of versions newly
+     * tombstoned, or `0` under `NO_HISTORY` (no history = nothing to shred).
+     */
+    tombstoneHistory(adapter: NoydbStore, vault: string, collection: string, recordId: string, actor: string): Promise<number>;
     /**
      * Compute the SHA-256 hash of an envelope's encrypted payload, used
      * by `LedgerStore.append` to track tamper-evidence. Returns the
@@ -3792,6 +3752,25 @@ interface VaultGroupOptions<T> {
      */
     readonly registry?: Collection<VaultRegistryRow>;
     readonly sharding: ShardingConfig<T>;
+    /**
+     * Lazy migrate-on-open (#271 fleet migration). When `true`, opening a shard
+     * whose registry `schemaVersion` is behind the template's version runs that
+     * shard's cutover inline (via `migrateShard`) before surfacing the handle.
+     * Zero cost for shards never opened. Default `false` (use `migrateFleet`).
+     */
+    readonly migrateOnOpen?: boolean;
+}
+/** Result of `VaultGroup.migrateFleet` (#271 active batch runner). */
+interface FleetMigrationResult {
+    /** The version migrated toward (the template's current version). */
+    readonly target: number;
+    /** vaultIds successfully migrated (or already current). */
+    readonly migrated: string[];
+    /** vaultIds whose cutover failed, with the error message. */
+    readonly failed: {
+        readonly vaultId: string;
+        readonly error: string;
+    }[];
 }
 /** Options for a cross-shard fan-out read. */
 interface FanoutQueryOptions {
@@ -3836,6 +3815,48 @@ interface CrossVaultLiveAggregation<R> extends LiveAggregation<R> {
     readonly skippedVaults: readonly SkippedVault[];
     readonly ready: Promise<void>;
 }
+/**
+ * Context passed to a cross-vault `derive` callback (#271 Insight Vault).
+ * One call per shard; identifies which shard the records came from.
+ */
+interface CrossVaultDerivationContext {
+    /** The shard's vault id (e.g. `firm-clients--acme`). */
+    readonly vaultId: string;
+    /** The shard's partition key (e.g. `acme`). */
+    readonly partitionKey: string;
+    /** The shard's schema/template version, from its registry row. */
+    readonly schemaVersion: number;
+}
+/**
+ * A push-model cross-vault derivation (#271, Insight Vault — Layer 4).
+ *
+ * For each eligible shard, `refreshInsights()` reads the shard's `source`
+ * collection, runs `derive` on that shard's records, and writes the returned
+ * summary row into a separate analytics ("Insight") vault — keyed by partition
+ * key, one row per shard. The summary is re-encrypted under the Insight Vault's
+ * own DEK; the shard's ciphertext never leaves its DEK boundary (the push model
+ * that resolves the cross-vault DEK conflict). See the ZK note in the spec —
+ * the Insight Vault backend sees aggregated structure across shards, a weaker
+ * profile than per-shard vaults; opt-in.
+ */
+interface CrossVaultDerivationSpec<R = Record<string, unknown>, S = Record<string, unknown>> {
+    /** Collection read from each shard. */
+    readonly source: string;
+    /** Destination Insight Vault + collection for the per-shard summary rows. */
+    readonly target: {
+        readonly vault: string;
+        readonly collection: string;
+    };
+    /** Per-shard reducer: that shard's source records + context → one summary row. */
+    readonly derive: (records: R[], ctx: CrossVaultDerivationContext) => S;
+}
+/** The result of `refreshInsights()`. */
+interface RefreshInsightsResult {
+    /** Number of summary rows written (one per eligible shard × registered derivation). */
+    readonly written: number;
+    /** Shards excluded (schema-drift, unprovisioned, or read error). */
+    readonly skippedVaults: SkippedVault[];
+}
 /** A serializable blueprint captured from a VaultTemplate.configure run. */
 interface CapturedBlueprint {
     /** Sorted collection names declared by the template. */
@@ -3860,12 +3881,34 @@ interface SchemaManifestRow {
 interface DeploymentEvent {
     readonly id: string;
     readonly ts: number;
-    readonly type: 'shard-created' | 'manifest-recorded' | 'group-opened';
+    readonly type: 'shard-created' | 'manifest-recorded' | 'group-opened' | 'migration-started' | 'migration-completed' | 'migration-failed';
     readonly group: string;
     readonly vaultId?: string;
     readonly templateName?: string;
     readonly version?: number;
     readonly actor?: string;
+    /** Free-form detail (e.g. migration error message). */
+    readonly detail?: string;
+}
+/**
+ * One row in the StateManagement `migration-status` collection (#271 fleet
+ * schema-migration runner), keyed by `vaultId`. Tracks each shard's progress
+ * toward the template's current version so the active batch runner is
+ * resumable and the staged rollout can verify a cohort before proceeding.
+ */
+interface MigrationStatusRow {
+    readonly vaultId: string;
+    readonly group: string;
+    /** The shard's registry schemaVersion at the time of this status. */
+    readonly currentVersion: number;
+    /** The version the runner is moving this shard to (the template's version). */
+    readonly targetVersion: number;
+    readonly status: 'pending' | 'running' | 'done' | 'failed';
+    readonly startedAt?: number;
+    readonly finishedAt?: number;
+    /** Records migrated by the per-shard cutover (when status `done`). */
+    readonly migrated?: number;
+    readonly error?: string;
 }
 
 /**
@@ -3880,8 +3923,14 @@ declare class StateManagementVault {
     readonly registry: Collection<VaultRegistryRow>;
     readonly schemaManifest: Collection<SchemaManifestRow>;
     private constructor();
-    /** Idempotently open the reserved state vault and bind the three control-plane collections. */
+    /** Idempotently open the reserved state vault and bind the control-plane collections. */
     static open(db: Noydb): Promise<StateManagementVault>;
+    /** Read one shard's migration status (or null). */
+    getMigrationStatus(vaultId: string): Promise<MigrationStatusRow | null>;
+    /** All migration-status rows (hydrates first). */
+    listMigrationStatus(): Promise<MigrationStatusRow[]>;
+    /** Upsert one shard's migration status (keyed by vaultId). */
+    upsertMigrationStatus(row: MigrationStatusRow): Promise<void>;
     /** Read-only query over the append-only deployment-events log. */
     queryEvents(): Query<DeploymentEvent>;
     /**
@@ -5586,12 +5635,14 @@ declare class VaultGroup<T> {
     /** @internal */ readonly registry: Collection<VaultRegistryRow>;
     /** @internal */ readonly sharding: ShardingConfig<T>;
     /** @internal */ readonly template: VaultTemplate;
+    /** @internal — lazy migrate-on-open (#271). */ readonly migrateOnOpen: boolean;
     constructor(
     /** @internal */ db: Noydb, 
     /** @internal */ name: string, 
     /** @internal */ registry: Collection<VaultRegistryRow>, 
     /** @internal */ sharding: ShardingConfig<T>, 
-    /** @internal */ template: VaultTemplate);
+    /** @internal */ template: VaultTemplate, 
+    /** @internal — lazy migrate-on-open (#271). */ migrateOnOpen?: boolean);
     /** @internal — set when the group is managed (no explicit registry). */
     private stateVault;
     /** @internal */
@@ -5614,8 +5665,14 @@ declare class VaultGroup<T> {
      * `liveBinding().isRelevant` already applies to the reactive path.
      */
     allRows(): Promise<VaultRegistryRow[]>;
-    /** Open an existing shard and apply the template. */
+    /**
+     * Open an existing shard and apply the template. When `migrateOnOpen` is set
+     * (#271) and the shard's registry version is behind the template, its cutover
+     * runs inline first — so a behind shard never surfaces a stale handle.
+     */
     openShard(partitionKey: string): Promise<Vault>;
+    /** @internal — open + configure with no migrate-on-open hook (used by the migration path itself to avoid recursion). */
+    private _openShardRaw;
     /**
      * Idempotently provision a shard for `partitionKey`. Returns the
      * configured vault handle.
@@ -5640,6 +5697,69 @@ declare class VaultGroup<T> {
         eligible: VaultRegistryRow[];
         skipped: SkippedVault[];
     }>;
+    /** @internal — registered push-model cross-vault derivations (#271 Insight Vault). */
+    private readonly crossVaultDerivations;
+    /**
+     * Register a push-model cross-vault derivation — the Insight Vault pattern
+     * (#271, Layer 4). Drive it with {@link refreshInsights}.
+     *
+     * For each shard, `derive(records, ctx)` runs on that shard's `source`
+     * records and its return value is written into the analytics
+     * (`target.vault` / `target.collection`) vault, keyed by partition key —
+     * one summary row per shard. The derivation runs in-process under THIS
+     * group's `Noydb` (which already holds both the shard and Insight Vault
+     * keyrings); the shard's decrypted records are reduced to a summary that is
+     * re-encrypted under the Insight Vault's own DEK, so no shard ciphertext
+     * crosses a DEK boundary.
+     *
+     * **Zero-knowledge note:** the Insight Vault backend sees aggregated
+     * structure (totals, counts, timestamps) drawn from many shards — a weaker
+     * ZK profile than the per-shard vaults. Opt-in; keep summaries to aggregate
+     * scalars (no embeddings / no raw records).
+     *
+     * v1 is explicit-refresh (no write-path push); call `refreshInsights()`
+     * after a batch of writes, or on a schedule.
+     */
+    withCrossVaultDerivation<R = Record<string, unknown>, S = Record<string, unknown>>(spec: CrossVaultDerivationSpec<R, S>): void;
+    /**
+     * Run every registered {@link withCrossVaultDerivation}: read each eligible
+     * shard's source records, derive a per-shard summary, and write it into the
+     * Insight Vault keyed by partition key. Shards behind `minVersion`,
+     * unprovisioned, or whose read errors are reported in `skippedVaults` and
+     * are not written (a stale summary is never left behind for a failed shard).
+     */
+    refreshInsights(options?: {
+        minVersion?: number;
+        concurrency?: number;
+    }): Promise<RefreshInsightsResult>;
+    /** @internal — the control-plane vault for migration status; lazily opened. */
+    private ensureStateVault;
+    /**
+     * Migrate ONE shard to the template's current version (#271 fleet runner,
+     * per-shard step). Opens the shard (applying the template, which arms the
+     * M12 cutover), drains schema-write detection, runs `vault.runSchemaCutover()`
+     * (the per-vault drain-barrier-transform protocol), then advances the
+     * registry row's `schemaVersion` and records `migration-status`. A shard
+     * already at the template version is a no-op (`status: 'done'`, migrated 0).
+     * Never throws on a cutover failure — it records `status: 'failed'` and
+     * returns the row, so a fleet run continues past a bad shard.
+     */
+    migrateShard(partitionKey: string): Promise<MigrationStatusRow>;
+    /**
+     * Active batch runner (#271): migrate every shard behind the template version
+     * to it, in controlled batches. **Resumable + crash-safe** — shards already at
+     * the target are skipped (the registry version is the source of truth), so a
+     * re-run after a crash only picks up the unfinished + previously-failed shards.
+     *
+     * - `cohort` — restrict to these partition keys (the staged / canary rollout:
+     *   migrate a small cohort, verify the Insight Vault, then run the rest).
+     * - `batchSize` — max shards migrated concurrently per batch (back-pressure).
+     *   Default 4. Batches run sequentially; shards within a batch run in parallel.
+     */
+    migrateFleet(options?: {
+        cohort?: readonly string[];
+        batchSize?: number;
+    }): Promise<FleetMigrationResult>;
 }
 declare class ShardedCollection<T, R = T> {
     private readonly group;
@@ -5737,6 +5857,7 @@ declare class Noydb {
     private readonly policyEnforcers;
     private readonly vaultTemplates;
     private readonly txStrategy;
+    private readonly forgetStrategy;
     private readonly sessionStrategy;
     private readonly syncStrategy;
     private readonly snapshotStrategy;
@@ -5761,6 +5882,8 @@ declare class Noydb {
     /** Audit log for all translator invocations in this session. Cleared on `close()`. */
     private readonly _translatorAuditLog;
     constructor(options: NoydbOptions);
+    /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+    get _forgetStrategy(): ForgetStrategy;
     private resetSessionTimer;
     /**
      * Attach a policy enforcer for a vault.
@@ -6901,6 +7024,27 @@ interface RecordOutputSpec {
      * `DerivationOutputShapeError` — same as v1.
      */
     optional?: boolean;
+    /**
+     * Field-level provenance for a **self-write** output (#376) — an output
+     * whose `collection` equals the strategy's `source`, used by
+     * reverse-denormalization (`triggerBy`) to patch a denormalized field
+     * back onto the source record.
+     *
+     * `denorm` names the ONLY top-level fields the derivation owns on that
+     * record. The engine merges just those fields from the `derive` return
+     * value onto the current stored record (`{ ...current, ...pick(out, denorm) }`)
+     * — the rest of the user's record is never clobbered by a stale snapshot.
+     * The whole-record `_derivedFrom` provenance tag is NOT applied (the
+     * record stays user-owned); the derivation only claims `denorm`.
+     *
+     * Cycle break is value-level: if the patch changes nothing, no write is
+     * issued — so the self-write that re-fires the source-path derivation
+     * terminates after one idempotent pass.
+     *
+     * REQUIRED when `collection === source` (validated at construction);
+     * ignored for outputs to a different collection.
+     */
+    denorm?: readonly string[];
 }
 /**
  * Array-shape output — one source row produces a variable-length
@@ -6981,6 +7125,52 @@ interface DerivationStrategy<TSource extends Record<string, unknown>, TOutputs e
      * (validated at `withDerivation()` construction time).
      */
     sources?: ReadonlyArray<string>;
+    /**
+     * Foreign-key-keyed triggers for reverse-denormalization (#376). Unlike
+     * `sources[]` (which re-fires at the SAME id), a `triggerBy` entry fans a
+     * write to a PARENT collection OUT to every source record whose FK matches
+     * the written parent's id.
+     *
+     * `{ collection, on }`: a write to `collection` (the parent, e.g.
+     * `'buyers'`) re-fires this derivation once per source record where
+     * `source[on] === writtenParentId` (`on` is the FK field ON the source,
+     * e.g. `'buyerId'`). The matched source record — not the parent — is
+     * passed to `derive`.
+     *
+     * Typical use: keep a denormalized field on the source in sync with a
+     * parent change (a buyer rename → refresh `buyerName` on all their sales),
+     * via a self-write output (`collection === source`) declaring `denorm`.
+     *
+     * Fan-out runs through `ctx.vault.collection(source).query().where(on,'==',id)`,
+     * which uses the FK index when the source declares `withIndexing()` on
+     * `on` (O(children)) and otherwise scans (O(N) — fine for small child
+     * sets). Set `maxFanout` as a safety rail; exceeding it throws
+     * `DerivationCapExceededError` before any write. `triggerBy` collections
+     * participate in cycle detection like `source`/`sources`.
+     *
+     * Each `collection` must be non-empty and not equal `source`; `on` must
+     * be a non-empty field name (validated at construction).
+     */
+    triggerBy?: ReadonlyArray<{
+        collection: string;
+        on: string;
+        maxFanout?: number;
+    }>;
+    /**
+     * @internal — set by `withRollup()` (#376 slice 2). Marks this strategy as
+     * an aggregate-onto-parent rollup: a write OR delete of a `from` (child)
+     * record recomputes `compute(children where child[key] === parentId)` and
+     * patches it onto `source[field]` of the parent at `parentId` (= child[key]).
+     * `source` is the parent (`into`) collection; the synthetic self-write
+     * output carries `denorm: [field]`. Dispatch handles rollup specially (it
+     * does not run the executor). Eager-only in this slice.
+     */
+    rollup?: {
+        readonly from: string;
+        readonly key: string;
+        readonly field: string;
+        readonly compute: (children: any[]) => unknown;
+    };
     /** v1: only deterministic derivations supported. */
     deterministic: true;
     /**
@@ -7602,7 +7792,43 @@ interface NextOptions {
 interface SequenceOptions {
     /** Partition tuple. Each component is URI-encoded and `'/'`-joined. */
     readonly partition?: readonly (string | number)[];
+    /**
+     * Render template for the serial string (#375). When set, `vault.sequence`
+     * returns a {@link FormattedSequenceHandle} whose `next()` resolves to
+     * `{ serial, formatted }`. Tokens:
+     * - `{seq}` — the allocated integer
+     * - `{seq:0N}` — zero-padded to width N (e.g. `{seq:04}` → `0001`)
+     * - `{partition.i}` — the i-th `partition` component (original value)
+     *
+     * Any other token, or a `{partition.i}` index beyond the supplied
+     * `partition`, throws `ValidationError` at `vault.sequence()` construction.
+     * Per-partition reset is inherent: a new partition tuple starts at 1.
+     */
+    readonly format?: string;
+}
+/**
+ * A formatted sequence handle (#375). Identical to {@link SequenceHandle}
+ * except `next()` also returns the rendered `formatted` string. `peek()` /
+ * `seedTo()` operate on the underlying integer counter, unchanged.
+ */
+interface FormattedSequenceHandle {
+    /** Allocate the next value and return it with its rendered serial string. */
+    next(opts?: NextOptions): Promise<{
+        serial: number;
+        formatted: string;
+    }>;
+    /** Read the current integer value without allocating. Returns 0 if never used. */
+    peek(): Promise<number>;
+    /** Set-if-greater on the underlying integer counter. See {@link SequenceHandle.seedTo}. */
+    seedTo(n: number): Promise<void>;
 }
+/**
+ * Validate a sequence `format` against the supplied partition and return a
+ * pure `(serial) => string` renderer. Eager validation: every token is
+ * checked now, so a bad pattern throws `ValidationError` at construction —
+ * never at `next()` time.
+ */
+declare function compileSequenceFormat(format: string, series: string, partition: readonly (string | number)[] | undefined): (serial: number) => string;
 /**
  * Resolve the CAS storage key for a (series, partition) pair.
  *
@@ -7678,6 +7904,78 @@ interface Assignment {
     serial: number;
 }
 
+/**
+ * `_links_*` reserved collections — managed bidirectional many-to-many
+ * junctions (#377 design B).
+ *
+ * Where `refArray` (design A) stores an id-array on one owning record,
+ * `vault.link()` creates a first-class junction: a dedicated encrypted
+ * `_links_<name>` collection whose rows are `{ a, b, meta? }` link tuples.
+ * It is queryable from BOTH sides (`of(id)`), carries optional per-link
+ * metadata, and cascades on endpoint delete.
+ *
+ * Each link is slot-typed: `a` is an id in the `a` endpoint collection,
+ * `b` an id in the `b` endpoint collection (they may be the same
+ * collection for self-links). A link's identity is the ordered pair
+ * `(a, b)`; `of(id)` matches either slot.
+ *
+ * Rows are encrypted under a dedicated `_links_<name>` DEK — same
+ * zero-knowledge stack as every other collection (the store sees only
+ * ciphertext). Backup/restore rides the normal `loadAll` path.
+ */
+
+/** True for any reserved link-collection name. */
+declare function isLinkCollectionName(name: string): boolean;
+/** What happens to a link's rows when one of its endpoint records is deleted. */
+type LinkOnDelete = 'cascade' | 'strict' | 'warn';
+/**
+ * Declaration for a link set, passed to `vault.link(name, spec)`. `a` and
+ * `b` are the endpoint collection names (slot-typed). `onDelete` governs
+ * what happens to link rows when an endpoint record is deleted:
+ * `'cascade'` (default) removes the touching link rows, `'strict'` blocks
+ * the endpoint delete while links exist, `'warn'` leaves orphan rows
+ * (surfaced by `vault.checkIntegrity()`).
+ */
+interface LinkSpec {
+    readonly a: string;
+    readonly b: string;
+    readonly onDelete?: LinkOnDelete;
+}
+/** One link tuple as returned by `of()` / `list()`. */
+interface LinkRow {
+    readonly a: string;
+    readonly b: string;
+    readonly meta?: Record<string, unknown>;
+}
+/** Public handle returned by `vault.links(name)`. */
+interface LinkSetHandle {
+    /** Create (or overwrite the metadata of) the link `(aId, bId)`. Validates both endpoints exist. */
+    connect(aId: string, bId: string, meta?: Record<string, unknown>): Promise<void>;
+    /** Remove the link `(aId, bId)`. Idempotent — a no-op if it doesn't exist. */
+    disconnect(aId: string, bId: string): Promise<void>;
+    /** Whether the link `(aId, bId)` exists. */
+    has(aId: string, bId: string): Promise<boolean>;
+    /** All links touching `id` on EITHER endpoint. */
+    of(id: string): Promise<LinkRow[]>;
+    /** All links in the set. */
+    list(): Promise<LinkRow[]>;
+}
+/** Thrown by `connect()` when an endpoint record does not exist. */
+declare class LinkEndpointError extends NoydbError {
+    readonly link: string;
+    readonly endpoint: string;
+    readonly missingId: string;
+    constructor(link: string, endpoint: string, missingId: string);
+}
+/** Thrown when a `strict` link blocks deletion of an endpoint that still has links. */
+declare class LinkIntegrityError extends NoydbError {
+    readonly link: string;
+    readonly endpoint: string;
+    readonly id: string;
+    readonly count: number;
+    constructor(link: string, endpoint: string, id: string, count: number);
+}
+
 /**
  * Vault-internal singleton that holds the guard graph and dispatches
  * per-collection guard execution. Owned by `Vault`; not exported.
@@ -7747,12 +8045,25 @@ declare class GuardRegistry {
 
 /**
  * Minimal read-only wrapper over a `Vault`. Used as `ctx.vault` inside
- * guard callbacks so they can fetch related records without acquiring
- * any write capability.
+ * guard / derivation callbacks so they can fetch related records without
+ * acquiring any write capability.
+ *
+ * The `layer` tags every `get`/`list` read with the resolution layer it
+ * belongs to (#285). A guard-seeded facade reads at `'guard'`, a
+ * derivation-seeded one at `'derivation'`, so i18nText / dictKey fields
+ * resolve under that layer's `onMissing` policy instead of the `'read'`
+ * policy — e.g. a guard read can `substitute` a missing locale (lenient
+ * default) while the same field `throw`s on an ordinary app read.
+ *
+ * `query()` is left untagged: the query/aggregate pipeline reads raw
+ * `{locale}` maps (no resolution call site), so a layer tag there would be
+ * inert. Routing `mv`/`join` resolution through the pipeline is tracked
+ * separately (#285 D2/D3).
  */
 declare class ReadOnlyVaultFacade implements ReadOnlyVaultFacade$1 {
     private readonly _vault;
-    constructor(vault: Vault);
+    private readonly _layer;
+    constructor(vault: Vault, layer?: Layer);
     collection<T = unknown>(name: string): {
         get(id: string): Promise<T | null>;
         list(): Promise<T[]>;
@@ -7761,45 +8072,326 @@ declare class ReadOnlyVaultFacade implements ReadOnlyVaultFacade$1 {
 }
 
 /**
- * `vault.exportBlobs()` — bulk blob extraction primitive.
+ * Managed-passphrase mode — rubber-hose-resistant vaults.
  *
- * Async-iterable handle over every blob attached to records in a
- * vault, optionally filtered by collection allowlist and per-record
- * predicate. Emits tuples of `{ blobId, recordRef, bytes, meta }` so
- * the consumer can pipe into any sink (zip stream, S3 multipart, USB
- * copy, cold-storage tape) without pulling the whole export into
- * memory.
+ * A vault mode where the passphrase is machine-generated and never
+ * exposed to the user, sealed under a developer-provided
+ * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
+ * Manager, libsecret, AWS KMS, …). The user has no secret to give
+ * up to coercion — they can't reveal what they don't know.
  *
- * ## Auth + audit
+ * ## Components in this file
  *
- * - Capability check runs **once** at handle creation via
- *   `Vault.assertCanExport('plaintext', 'blob')`. An operator whose
- *   keyring lacks that bit fails before a single byte of ciphertext
- *   is decrypted.
- * - Audit entry lands in `_export_audit` at handle creation: the
- *   actor, start timestamp, target collections, predicate presence,
- *   and batch mechanism. **No content hashes** — per the spec
- *   non-correlation invariant.
+ *   - {@link SealingKeyProvider} — the interface concrete providers
+ *     implement. Provider implementations live OUTSIDE hub (per-
+ *     platform packages).
+ *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
+ *     a deterministic per-instance "key" so two providers with
+ *     different ids cannot unseal each other's outputs.
+ *   - {@link RecipientHint} — public material a sender uses to seal
+ *     plaintext for a specific recipient; published by
+ *     {@link RecipientSealer.publishRecipientHint} and transported
+ *     out-of-band to the sender before bundle writes.
+ *   - {@link RecipientSealer} — interface for asymmetric/granted
+ *     providers that support recipient-target sealing (RSA-OAEP,
+ *     cloud-KMS asymmetric, etc.); distinct from self-only
+ *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
+ *   - {@link MemoryRecipientSealer} — in-process reference
+ *     implementation of both `RecipientSealer` and
+ *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
+ *     safe for tests and same-process sender/recipient scenarios.
+ *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
+ *     plaintext envelope storage at `_meta/sealed-passphrase`.
+ *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
+ *     GCM-bypassed patterns. The sealing layer (provider's job)
+ *     is the security boundary; hub doesn't have a key to encrypt
+ *     with at this layer — that's the whole point of the design.
+ *   - {@link resolveManagedSecret} — orchestrates the "generate +
+ *     seal + persist on first open; unseal on reopen" flow.
+ *     Returns the plaintext passphrase string that the rest of the
+ *     `createNoydb` keyring path consumes.
  *
- * ## Abort + resume
+ * Deferred to follow-ups:
+ *   - Block `rotate-passphrase` policy gate under managed mode.
+ *   - Mandatory strong-recovery enforcement.
+ *   - Recovery flow under managed mode (generates fresh sealed phrase).
  *
- * - `handle.abort()` flips the internal signal; the next iteration
- *   boundary throws `AbortError`. Consumers already in `for await`
- *   can catch and exit cleanly.
- * - Restart after a partial failure with `{ afterBlobId }` — the
- *   iterator skips tuples up to (and including) that blob id before
- *   yielding again. Combined with a blob-count ceiling it supports
- *   idempotent batch re-runs.
+ * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
  *
  * @module
  */
 
-interface ExportBlobsOptions {
+/**
+ * The contract concrete providers (per-platform key stores) implement
+ * to seal and unseal a hub-generated random passphrase. The plaintext
+ * passphrase NEVER leaves hub-controlled memory in unsealed form —
+ * the provider receives the bytes, returns opaque sealed bytes, and
+ * later reverses the operation. Hub treats the sealed bytes as
+ * fully opaque.
+ *
+ * Implementations live OUTSIDE `@noy-db/hub` (separate packages
+ * per the issue's "Concrete providers (live outside hub)" note):
+ *
+ * | Platform | Package (TBD) | Backing |
+ * |---|---|---|
+ * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
+ * | Windows | `@noy-db/seal-wincred` | Credential Manager |
+ * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
+ * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
+ */
+interface SealingKeyProvider {
     /**
-     * Collection allowlist. Omit to export blobs from every collection
-     * the caller has read access to.
+     * Non-sensitive identifier disclosed in the persisted envelope.
+     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
+     * a vault opened with the wrong provider class can detect the
+     * mismatch and surface a clear error. NOT secret — fine to log.
+     *
+     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
+     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
+     * parses this; it's purely audit metadata.
      */
-    readonly collections?: readonly string[];
+    readonly id: string;
+    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
+     * any other failure — hub treats a thrown error as "this provider
+     * cannot unlock this vault" and surfaces it to the caller.
+     */
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * In-memory test provider. NOT secure — uses a deterministic
+ * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
+ * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
+ * sufficient to make different `id` values produce mutually-unsealable
+ * outputs (the contract tests for that), but offers ZERO real
+ * confidentiality — never use outside tests.
+ *
+ * Replace with a real platform provider in production.
+ */
+declare class MemorySealingKeyProvider implements SealingKeyProvider {
+    readonly id: string;
+    private readonly fingerprint;
+    private readonly keyBytes;
+    constructor(opts: {
+        id: string;
+    });
+    seal(passphrase: Uint8Array): Promise<Uint8Array>;
+    unseal(sealed: Uint8Array): Promise<Uint8Array>;
+}
+/**
+ * Public material a sender uses to seal-for-this-recipient. Published by
+ * a recipient's RecipientSealer; transported to the sender out-of-band
+ * (email, S3, in-app message). The sender obtains the hint, supplies it
+ * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
+ * hub seals each user's credential against it. Per foundation §11.4.
+ */
+type RecipientHint = {
+    readonly v: 1;
+    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
+    readonly pid: string;
+    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
+    readonly alg: 'rsa-oaep-sha256';
+    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
+    readonly material: Readonly<Record<string, unknown>>;
+};
+/**
+ * Handover-capable provider. Implemented additionally by asymmetric/granted
+ * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
+ * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
+ * implement this — the §11.2 capability matrix lives in the type system.
+ *
+ * Per foundation §11.4. A function that requires recipient-target sealing
+ * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
+ * passing a self-only provider at the spec site.
+ */
+interface RecipientSealer {
+    readonly id: string;
+    /** Produce hint material a sender uses to seal-for-this-recipient. */
+    publishRecipientHint(): Promise<RecipientHint>;
+    /**
+     * Seal plaintext for the recipient described by `hint`. Returns opaque
+     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
+     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
+     * without inspecting them.
+     */
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+}
+/**
+ * Shared RSA-OAEP-SHA256 + AES-GCM seal in the canonical recipient-target
+ * TLV wire format. Mints a fresh 32-byte CEK, AES-GCM-encrypts `plaintext`
+ * under it, RSA-OAEP-SHA256-wraps the CEK to `publicKeyPem`, and packs:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * This is the single source of truth for the wire format — both
+ * {@link MemoryRecipientSealer} and external sealers (e.g. `@noy-db/at-aws-kms`'s
+ * asymmetric-KMS recipient sealer) call it so a blob sealed by one unseals
+ * by the other. WebCrypto RSA-OAEP/SHA-256 here is wire-compatible with
+ * AWS KMS `RSAES_OAEP_SHA_256` (both RSAES-OAEP, SHA-256 hash, MGF1-SHA256,
+ * empty label).
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function sealRsaOaepTlv(plaintext: Uint8Array, publicKeyPem: string): Promise<Uint8Array>;
+/**
+ * Parse a {@link sealRsaOaepTlv} blob into its three segments without
+ * decrypting. The `wrapped` CEK is RSA-OAEP-SHA256 ciphertext over a
+ * 32-byte CEK — the unwrap step is pluggable: {@link MemoryRecipientSealer}
+ * decrypts it with a local RSA private key; `@noy-db/at-aws-kms` hands it to
+ * KMS `Decrypt`. After unwrapping, pass the CEK + `iv` + `ct` to
+ * {@link aesGcmOpen}.
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function parseRsaOaepTlv(bytes: Uint8Array): {
+    wrapped: Uint8Array;
+    iv: Uint8Array;
+    ct: Uint8Array;
+};
+/**
+ * AES-GCM-decrypt the `ct` segment of a {@link parseRsaOaepTlv} result under
+ * the unwrapped 32-byte CEK and its `iv`. Throws on a bad tag (tamper) — the
+ * same authenticated-decryption guarantee the TLV relies on.
+ *
+ * @public — re-exported from the hub barrel for external sealer packages.
+ */
+declare function aesGcmOpen(cekBytes: Uint8Array, iv: Uint8Array, ct: Uint8Array): Promise<Uint8Array>;
+/**
+ * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
+ * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
+ * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
+ * result into a self-describing TLV:
+ *
+ *   byte  0       : version (0x01)
+ *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
+ *   bytes 257..268: AES-GCM IV (12 bytes)
+ *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
+ *
+ * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
+ * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
+ * for tests where one provider plays both ends. Real cloud providers
+ * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
+ * contract is round-trip identity.
+ *
+ * SAFE for production within its scope — the cryptography is real
+ * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
+ * and is regenerated on every construction. Not suitable as a managed
+ * keychain; use it for tests and for shipping bundles where the
+ * recipient instance lives in the same process as the sender (rare).
+ */
+declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
+    readonly id: string;
+    private readonly keypair;
+    constructor(opts: {
+        id: string;
+    });
+    publishRecipientHint(): Promise<RecipientHint>;
+    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
+    seal(plaintext: Uint8Array): Promise<Uint8Array>;
+    unseal(bytes: Uint8Array): Promise<Uint8Array>;
+}
+/** Reserved id for the managed-passphrase envelope under `_meta`. */
+declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
+/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
+interface SealedPassphrase {
+    readonly _noydb_sealed: 1;
+    readonly providerId: string;
+    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
+    readonly sealed: Uint8Array;
+}
+/**
+ * Wire-format envelope persisted at `_meta/sealed-passphrase` for
+ * managed-mode vaults. The provider produces raw sealed bytes via
+ * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
+ * metadata hub needs to pick the right provider on the unseal path.
+ *
+ * Stability boundary: once shipped, the wire format only grows by
+ * adding optional fields. See the at-* sealing dimension foundation
+ * doc, §11.9.1.
+ *
+ * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
+ *
+ * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
+ * — accepted on read for backwards compatibility; never produced on
+ * write going forward.
+ */
+interface SealedEnvelope {
+    /** Envelope schema version. v1 is the current shape. */
+    readonly v: 1;
+    /** Magic marker for forensics + legacy-shape detection. */
+    readonly _noydb_sealed: 1;
+    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
+    readonly pid: string;
+    /** Sealed bytes from the provider, base64-encoded on the wire. */
+    readonly payload: string;
+}
+/**
+ * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
+ * in-memory {@link SealedPassphrase} representation. Accepts both:
+ *
+ *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
+ *      the current shape.
+ *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
+ *      read-only; never written
+ *      going forward.
+ *
+ * Returns `undefined` for any input that doesn't match either shape,
+ * so callers can fall back to "no managed-mode envelope present."
+ *
+ * @internal — exported only for the migration safety-net test suite.
+ */
+declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
+declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
+    readonly providerId: string;
+    readonly sealed: Uint8Array;
+}): Promise<void>;
+declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
+
+/**
+ * `vault.exportBlobs()` — bulk blob extraction primitive.
+ *
+ * Async-iterable handle over every blob attached to records in a
+ * vault, optionally filtered by collection allowlist and per-record
+ * predicate. Emits tuples of `{ blobId, recordRef, bytes, meta }` so
+ * the consumer can pipe into any sink (zip stream, S3 multipart, USB
+ * copy, cold-storage tape) without pulling the whole export into
+ * memory.
+ *
+ * ## Auth + audit
+ *
+ * - Capability check runs **once** at handle creation via
+ *   `Vault.assertCanExport('plaintext', 'blob')`. An operator whose
+ *   keyring lacks that bit fails before a single byte of ciphertext
+ *   is decrypted.
+ * - Audit entry lands in `_export_audit` at handle creation: the
+ *   actor, start timestamp, target collections, predicate presence,
+ *   and batch mechanism. **No content hashes** — per the spec
+ *   non-correlation invariant.
+ *
+ * ## Abort + resume
+ *
+ * - `handle.abort()` flips the internal signal; the next iteration
+ *   boundary throws `AbortError`. Consumers already in `for await`
+ *   can catch and exit cleanly.
+ * - Restart after a partial failure with `{ afterBlobId }` — the
+ *   iterator skips tuples up to (and including) that blob id before
+ *   yielding again. Combined with a blob-count ceiling it supports
+ *   idempotent batch re-runs.
+ *
+ * @module
+ */
+
+interface ExportBlobsOptions {
+    /**
+     * Collection allowlist. Omit to export blobs from every collection
+     * the caller has read access to.
+     */
+    readonly collections?: readonly string[];
     /**
      * Per-record predicate. Called on the decrypted record BEFORE any
      * blob bytes are read for that record — returning false skips the
@@ -8638,6 +9230,7 @@ declare class Vault {
     private readonly periodsStrategy;
     private readonly shadowStrategy;
     private readonly historyStrategy;
+    private readonly forgetStrategy;
     private readonly i18nStrategy;
     private readonly syncStrategy;
     /**
@@ -8667,13 +9260,17 @@ declare class Vault {
      */
     private overlayedViewRegistry;
     /**
-     * Cached read-only facade handed to guard callbacks via `ctx.vault`,
-     * and to derivation callbacks via `derive(source, ctx)`. Allocated
-     * eagerly inside `_initGuards()` and/or `_initDerivations()` so read
+     * Cached read-only facades handed to guard callbacks via `ctx.vault`
+     * and to derivation callbacks via `derive(source, ctx)`. Split by
+     * resolution layer (#285): the guard facade reads at `layer:'guard'`,
+     * the derivation facade at `layer:'derivation'`, so i18nText / dictKey
+     * fields resolve under that layer's `onMissing` policy. Allocated
+     * eagerly inside `_initGuards()` / `_initDerivations()` so read
      * accessors stay synchronous (callers in `tx/transaction.ts` rely on
-     * that). Stays `null` for vaults with neither subsystem configured.
+     * that). Each stays `null` for vaults without that subsystem.
      */
-    private readOnlyFacade;
+    private guardFacade;
+    private derivationFacade;
     private getDEK;
     /**
      * Per-principal user envelope API.
@@ -8799,6 +9396,27 @@ declare class Vault {
      * Populated by `collection()` when the `dictKeyFields` option is passed.
      */
     private readonly dictKeyFieldRegistry;
+    /**
+     * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+     * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+     * vault must still *know* a name is static so `vault.dictionary(name)` can
+     * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+     * config time whenever a `StaticDictDescriptor` is seen.
+     */
+    private readonly staticDictNames;
+    /**
+     * Static-dict descriptors keyed by dictionary name (#291). Backs the
+     * read-path label resolver (resolve from the in-memory table) and the
+     * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+     * name is registered by multiple collections (identical-across-vaults by
+     * construction, so the tables match).
+     */
+    private readonly staticByName;
+    /**
+     * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+     * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+     */
+    private readonly staticDescriptorByField;
     /**
      * Registry of i18nText fields declared across all collections. Keyed
      * by collection name → field name → I18nTextDescriptor. Used by
@@ -8809,6 +9427,10 @@ declare class Vault {
     private readonly i18nFieldRegistry;
     /** Cache of DictionaryHandle instances, one per dictionary name. */
     private readonly dictionaryCache;
+    /** Registered link specs (#377-B), keyed by link name; set by `vault.link()`. */
+    private readonly linkRegistry;
+    /** Cache of LinkSet handles, one per link name. */
+    private readonly linkSetCache;
     /** — subscribers for cross-tier access events. */
     private readonly crossTierSubs;
     /** — currently-active elevation, or null. One per vault. */
@@ -8858,6 +9480,7 @@ declare class Vault {
         syncStrategy?: SyncStrategy | undefined;
         guardStrategies?: ReadonlyArray<GuardStrategyHandleAny> | undefined;
         numberingConfigs?: ReadonlyArray<DeferredNumberingConfig> | undefined;
+        forgetStrategy?: ForgetStrategy | undefined;
     });
     /**
      * Construct (or reconstruct) the lazy DEK resolver. Captures the
@@ -8907,8 +9530,8 @@ declare class Vault {
         refs?: Record<string, RefDescriptor>;
         /** — declare i18nText fields for locale-aware reads. */
         i18nFields?: Record<string, I18nTextDescriptor>;
-        /** — declare dictKey fields for label resolution on reads. */
-        dictKeyFields?: Record<string, DictKeyDescriptor>;
+        /** — declare dictKey / staticDict fields for label resolution on reads. */
+        dictKeyFields?: Record<string, DictKeyDescriptor | StaticDictDescriptor>;
         /** — declare money() fields for currency-safe decimal storage/formatting. */
         moneyFields?: Record<string, MoneyDescriptor>;
         /** — declare computed scalar fields, evaluated on write (schema-owned). */
@@ -8925,6 +9548,14 @@ declare class Vault {
         deterministicFields?: readonly string[];
         /** — explicit ack that deterministic encryption leaks equality. */
         acknowledgeDeterministicRisk?: boolean;
+        /**
+         * — per-record content-encryption keys. When `true`, every record
+         * body is encrypted under a fresh per-record CEK wrapped under the
+         * collection DEK (`_cek`), stable across versions. Foundation for
+         * per-record erasure (#304) / record-scoped sealing (#306). Off by
+         * default; non-adopting collections take the legacy path unchanged.
+         */
+        perRecordKeys?: boolean;
         /**
          * declarative blob retention / TTL policy per slot
          * name. Values are `{ retainDays?, evictWhen? }`. Evaluated only
@@ -8959,6 +9590,17 @@ declare class Vault {
         schemaUpdate?: readonly SchemaUpdateStrategy[];
         /** — declare the per-field schema for document attestation (issue side). */
         attestation?: AttestationFieldSchema;
+        /**
+         * Per-collection history & tamper-ledger scoping. Overrides the
+         * vault-wide `history` config for THIS collection only (wholesale, not
+         * merged). `enabled: false` suppresses per-record snapshots for this
+         * collection; `ledger: false` excludes its writes from the vault-wide
+         * hash-chained tamper ledger. Lets you confine version snapshots +
+         * tamper-evidence to the few collections where they carry legal weight,
+         * without paying snapshot + ledger-entry-per-write across operational /
+         * derived collections. Defaults to the vault-wide `history` config. See #361.
+         */
+        historyConfig?: HistoryConfig;
     }): Collection<T>;
     /**
      * Await all background persisted-schema writes triggered by
@@ -9011,6 +9653,14 @@ declare class Vault {
      * `MissingTranslationError` when a required translation is absent.
      */
     enforceI18nOnPut(collectionName: string, record: unknown): void;
+    /**
+     * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+     * field, every stored code must be a declared key of the descriptor's
+     * table, else `UnknownDictCodeError`. Opt out per descriptor with
+     * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+     * field paths via `getAtPath` (same path support as i18n validation).
+     */
+    enforceStaticDictOnPut(collectionName: string, record: unknown): void;
     /**
      * Apply locale resolution to a record for the given collection.
      *
@@ -9037,6 +9687,32 @@ declare class Vault {
      * ```
      */
     dictionary<Keys extends string = string>(name: string, options?: DictionaryOptions): DictionaryHandle<Keys>;
+    /**
+     * Declare a managed many-to-many link set (#377-B). Registers a
+     * `_links_<name>` junction between two endpoint collections; access its
+     * rows via `vault.links(name)`. Idempotent for an identical re-declaration;
+     * a conflicting one throws. See {@link links}.
+     *
+     * ```ts
+     * vault.link('saleLineLinks', { a: ref('saleLines'), b: ref('purchaseLines'), onDelete: 'cascade' })
+     * ```
+     *
+     * `a` / `b` accept either a collection name or a `ref(target)` descriptor
+     * (only its `target` is used — links manage their own integrity). `onDelete`
+     * governs what happens to link rows when an endpoint record is deleted
+     * (`'cascade'` default, `'strict'`, `'warn'`).
+     */
+    link(name: string, spec: {
+        a: string | RefDescriptor;
+        b: string | RefDescriptor;
+        onDelete?: LinkSpec['onDelete'];
+    }): void;
+    /**
+     * Access a declared link set (#377-B). Throws if `name` was not first
+     * declared via {@link link}. Returns a cached {@link LinkSetHandle}:
+     * `connect(a, b, meta?)`, `disconnect(a, b)`, `has(a, b)`, `of(id)`, `list()`.
+     */
+    links(name: string): LinkSetHandle;
     /**
      * Build a `JoinableSource` for a dictKey field, for use in dict joins
      *. Returns a source whose snapshot contains `{ key, ...labels }`
@@ -9192,7 +9868,19 @@ declare class Vault {
      * const n = await vault.sequence('invoice-2026').next()   // 1, then 2, …
      * const cur = await vault.sequence('invoice-2026').peek()  // current value, no allocation
      * ```
+     *
+     * Pass a `format` (#375) to emit a serial string instead of a bare
+     * integer — `next()` then returns `{ serial, formatted }`. Per-partition
+     * reset is inherent (a new partition tuple starts at 1):
+     *
+     * ```ts
+     * const seq = vault.sequence('fatture', { partition: [2026], format: '{partition.0}/{seq:04}' })
+     * await seq.next()   // { serial: 1, formatted: '2026/0001' }
+     * ```
      */
+    sequence(series: string, opts: SequenceOptions & {
+        format: string;
+    }): FormattedSequenceHandle;
     sequence(series: string, opts?: SequenceOptions): SequenceHandle;
     /** @internal — lazily build the deferred-numbering engine with a cache-coherent stamp. */
     private deferred;
@@ -9285,6 +9973,13 @@ declare class Vault {
      * mutually-cascading collections don't recurse forever.
      */
     enforceRefsOnDelete(collectionName: string, id: string): Promise<void>;
+    /**
+     * @internal — apply link `onDelete` policy when an endpoint record is
+     * deleted (#377-B). `'strict'` throws (blocks the delete), `'cascade'`
+     * removes the touching link rows (tx-atomic when a transaction is active),
+     * `'warn'` leaves orphans for `checkIntegrity()`.
+     */
+    private enforceLinksOnDelete;
     /**
      * Look up the `RefDescriptor` the left collection declared for a
      * given field name. Returns `null` when the field has no ref
@@ -9351,6 +10046,102 @@ declare class Vault {
      * throws on null; this one stays silent so the off-path no-ops.
      */
     private getLedgerOrNull;
+    /** @internal — add a subject→record ref to the encrypted subject index. */
+    _addSubjectRef(subjectId: string, ref: SubjectRef): Promise<void>;
+    /** @internal — drop a subject→record ref from the encrypted subject index. */
+    _removeSubjectRef(subjectId: string, ref: SubjectRef): Promise<void>;
+    /**
+     * Rebuild the encrypted subject index from canonical records. The recovery
+     * path for the documented read-modify-write race (RISK #3). Returns the
+     * number of distinct subjects re-indexed.
+     */
+    rebuildSubjectIndex(): Promise<number>;
+    /**
+     * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+     * index and, per matching record:
+     *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+     *   - tombstones every `_history` version of the record,
+     * so the body and all prior versions become permanently undecryptable while
+     * the collection DEK and every OTHER record stay intact. Then appends ONE
+     * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+     * the chain still `verify()`s, PROVING the subject existed and was erased
+     * without retaining any plaintext.
+     *
+     * Reports — but does not silently swallow — two completeness gaps:
+     *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+     *     per-record CEK (legacy body still under the shared collection DEK). It
+     *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+     *     backup before migration) stays decryptable. Migrate, then re-forget.
+     *   - `blobResidueCollections`: a shredded record still has blob attachments,
+     *     which are keyed off a separate `_blob` DEK and are out of scope here.
+     *
+     * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+     */
+    forget(subjectId: string): Promise<ForgetResult>;
+    /**
+     * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+     * host — and only that host — can decrypt exactly that record, with no
+     * access to the vault DEK and no ability to read any other record.
+     *
+     * The grantor (this caller, who holds the collection DEK) reads the record's
+     * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+     * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+     * seals that binding for the recipient host via the host's published hint,
+     * and persists a thin {@link SealedCekDeliveryEnvelope} at
+     * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+     * envelope) is the security boundary: the host re-verifies `{collection, id}`
+     * and `expiresAt` from inside the sealed payload.
+     *
+     * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+     * seal (its body is under the shared collection DEK, which is never exposed
+     * by sealing) → {@link RecordCekNotFoundError}.
+     *
+     * @param collection Collection holding the record.
+     * @param id         Record id.
+     * @param hostSealer The recipient host's {@link RecipientSealer}.
+     * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+     *   the binding the host verifies.
+     * @returns `{ pid, envelopeKey }` — the host provider id and the
+     *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+     */
+    sealRecordToHost(collection: string, id: string, hostSealer: RecipientSealer, opts: {
+        expiresAt: string;
+    }): Promise<{
+        pid: string;
+        envelopeKey: string;
+    }>;
+    /**
+     * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+     * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+     * that already fetched the envelope keeps whatever it cached. For a hard
+     * revocation that makes the live record undecryptable to every prior grant,
+     * use {@link rotateRecordCek}.
+     */
+    revokeSealedRecord(collection: string, id: string, pid: string): Promise<void>;
+    /**
+     * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+     * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+     * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+     * record. After this, any host holding a previously-sealed CEK can still
+     * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+     * the rotated live record (its body is under the new CEK → the old CEK fails
+     * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+     * old grants lose the live record.
+     *
+     * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+     * history snapshot, no materialized-view refresh): rotation is a key-rotation
+     * operation, not a business write, and must not version-bump history (which
+     * would re-encrypt the prior version under the NEW CEK and defeat the point).
+     *
+     * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+     */
+    rotateRecordCek(collection: string, id: string): Promise<void>;
+    /**
+     * Build the {@link SealingContext} the record-keys grantor functions need:
+     * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+     * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+     */
+    private sealingContext;
     /**
      * @internal — called by `Noydb.openVault` after construction.
      * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -9449,9 +10240,10 @@ declare class Vault {
      */
     _getReadOnlyFacade(): ReadOnlyVaultFacade | null;
     /**
-     * Internal lazy-allocator for the read-only facade. Used as a
-     * defensive fallback; in practice `_initGuards()` eagerly
-     * instantiates this, so the lazy path is a no-op.
+     * Internal lazy-allocator for the derivation read-only facade
+     * (`layer:'derivation'`). Used as a defensive fallback; in practice
+     * `_initDerivations()` eagerly instantiates this, so the lazy path is
+     * a no-op.
      */
     private _ensureReadOnlyFacade;
     /**
@@ -10343,6 +11135,25 @@ declare class Collection<T> {
      * is inactive for this collection; a frozen `Set` otherwise.
      */
     private readonly deterministicFields;
+    /**
+     * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+     * reuse a per-record content-encryption key and stamp `_cek` on the
+     * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+     * non-adopting collection takes the byte-identical legacy path. The READ
+     * path does not consult this flag: `_cek` presence on the envelope is the
+     * format discriminant, so a mixed vault (and a recipient that never set the
+     * flag) still decrypts CEK records.
+     */
+    private readonly perRecordCek;
+    /**
+     * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+     * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+     * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+     * collection instance is discarded — `vault.load()` clears the
+     * collectionCache, so a keyring refresh drops every CEK alongside the
+     * DEK cache. `null` unless `perRecordCek` is set.
+     */
+    private readonly cekCache;
     /**
      * declared tiers for this collection. `null` when
      * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -10563,7 +11374,7 @@ declare class Collection<T> {
         /** — i18nText field descriptors for locale-aware reads. */
         i18nFields?: Record<string, I18nTextDescriptor> | undefined;
         /** — dictKey field descriptors for label resolution on reads. */
-        dictKeyFields?: Record<string, DictKeyDescriptor> | undefined;
+        dictKeyFields?: Record<string, DictKeyDescriptor | StaticDictDescriptor> | undefined;
         moneyFields?: Record<string, MoneyDescriptor> | undefined;
         computed?: ComputedFields | undefined;
         /**
@@ -10646,6 +11457,15 @@ declare class Collection<T> {
          * any deterministic field is declared. Any other value throws.
          */
         acknowledgeDeterministicRisk?: boolean | undefined;
+        /**
+         * Per-record content-encryption keys. When `true`, every record body
+         * (and every history version of it) is encrypted under a fresh
+         * per-record CEK, AES-KW-wrapped under the collection DEK and stored
+         * on the envelope's `_cek`. Off by default. Foundation for per-record
+         * erasure (#304) and record-scoped sealing (#306). `_det` slots stay
+         * keyed to the collection DEK regardless.
+         */
+        perRecordKeys?: boolean | undefined;
         /**
          * declared tiers this collection supports. An
          * undefined or empty list disables the hierarchical-tier surface
@@ -10811,7 +11631,35 @@ declare class Collection<T> {
      * output (carries `_derivedFrom`) — defensive guard against missed
      * cycle detection.
      */
-    private dispatchDerivations;
+    /**
+     * @internal #376 — the RAW stored record (canonical-money form, i18n maps
+     * intact), WITHOUT the locale resolution `get()` applies. Used as the
+     * patch base for self-write reverse-denorm so writing back never clobbers
+     * an i18n map or re-quantizes money incorrectly. Returns null for
+     * missing / tombstoned records.
+     */
+    _getStoredRecord(id: string): Promise<T | null>;
+    /**
+     * @internal #376 — ids of records whose top-level `field` equals `value`.
+     * Uses the FK index when the field is indexed (O(matches)); otherwise a
+     * linear scan (O(N) — fine for small child sets; index the FK to scale).
+     */
+    _findMatchingIds(field: string, value: unknown): Promise<string[]>;
+    /**
+     * @internal #376 slice 2 — recompute a rollup aggregate onto the parent.
+     * Gathers every child of `parentId`, runs `compute`, and patches only the
+     * rollup `field` onto the parent's raw stored record (value-equality
+     * guarded). No-op when the parent record does not exist.
+     */
+    private recomputeRollup;
+    /**
+     * @internal #376 slice 2 — fire any rollups for which THIS collection is the
+     * child `from`, recomputing the affected parent after a child delete. Called
+     * from the delete path with the just-removed record's key value. Other
+     * derivation kinds do not react to deletes (unchanged).
+     */
+    private dispatchRollupsOnDelete;
+    private dispatchDerivations;
     /**
      * Delete a record by ID. Runs inside the hub's write-queue tracker
      * so `hub.writeQueue.pending` reflects this write.
@@ -10865,6 +11713,37 @@ declare class Collection<T> {
      */
     _internalDelete(id: string, txCtx?: TxContext | null): Promise<void>;
     private _doDelete;
+    /**
+     * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+     *
+     * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+     * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+     * the body — and (via {@link tombstoneHistory}) every history version under
+     * the same CEK — is permanently undecryptable; the collection DEK and every
+     * other record are untouched. `_det` is stripped too, so `findByDet` no
+     * longer matches the shredded record (avoiding a post-shred TamperedError).
+     *
+     * Unlike `delete()`/`_internalDelete`, this:
+     *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+     *     erasure, not a domain delete — re-running those would be wrong),
+     *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+     *     single `op:'forget'` summary for the whole subject),
+     *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+     *     so the version counter + "record existed" survive for audit.
+     *
+     * Idempotent: returns `null` when the record is absent or already a tombstone.
+     * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+     * lazy LRU, and the per-record CEK cache for this id.
+     */
+    /**
+     * @internal — decrypt an envelope to a plain record for subject-index
+     * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+     * Skips schema validation — the rebuild only reads the subject field.
+     */
+    _decodeEnvelope(envelope: EncryptedEnvelope, id: string): Promise<Record<string, unknown> | null>;
+    _writeTombstone(id: string, actor: string): Promise<{
+        previousVersion: number;
+    } | null>;
     /**
      * Cascade deletes of array-shape derived rows when a source row is
      * deleted. Reads each registered strategy's fanout sidecar
@@ -11166,6 +12045,16 @@ declare class Collection<T> {
      * the cache entry (record still present) or deletes it (record was
      * gone before the tx and the revert deleted it again).
      */
+    /**
+     * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+     * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+     * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+     * the post-rotation body). Eviction must be synchronous with the live-envelope
+     * rewrite so no concurrent read observes the old CEK. Paired with
+     * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+     * No-op when the collection is not `perRecordKeys`.
+     */
+    _invalidateCekCacheEntry(id: string): void;
     _invalidateCacheEntry(id: string): Promise<void>;
     /**
      * Apply a peer tab's committed write to THIS tab's in-memory view:
@@ -11378,6 +12267,21 @@ declare class Collection<T> {
      * query with no index would need to enumerate the whole collection.
      */
     lazyQuery(): LazyQuery<T>;
+    /**
+     * Resolve the stable CEK for a record on the WRITE path — see
+     * {@link resolveStableCek}. Thin delegate that supplies the collection's
+     * CEK cache, live-envelope reader, and DEK resolver.
+     */
+    private resolveRecordCek;
+    /**
+     * Encrypt a JSON body into an envelope.
+     *
+     * When `cek` is supplied (per-record CEK collections), the body is
+     * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+     * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+     * path encrypts the body directly under the collection DEK — byte-identical
+     * to pre-CEK behaviour, so non-adopting collections pay nothing.
+     */
     private encryptJsonString;
     private encryptRecord;
     /**
@@ -11459,7 +12363,20 @@ declare class Collection<T> {
     demote(id: string, toTier: number): Promise<void>;
     private isElevatorOrOwner;
     private emitCrossTierEvent;
-    /** Low-level: decrypt an envelope and return the raw JSON string. */
+    /**
+     * Low-level: decrypt an envelope and return the raw JSON string.
+     *
+     * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+     * so a mixed vault — and a recipient that never opted into
+     * `perRecordKeys` — decrypts both legacy and CEK records:
+     *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+     *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+     *  - `_cek` absent → legacy path, body decrypts directly under the
+     *    collection DEK.
+     *
+     * The optional `id` lets reads populate the CEK cache; it is omitted by
+     * callers (history, conflict merge) that have only the envelope.
+     */
     private decryptJsonString;
     /**
      * Decrypt an envelope into a record of type `T`.
@@ -11736,244 +12653,6 @@ interface SessionStrategy {
     revokeAllSessions(): void;
 }
 
-/**
- * Managed-passphrase mode — rubber-hose-resistant vaults.
- *
- * A vault mode where the passphrase is machine-generated and never
- * exposed to the user, sealed under a developer-provided
- * {@link SealingKeyProvider} (macOS Keychain, Windows Credential
- * Manager, libsecret, AWS KMS, …). The user has no secret to give
- * up to coercion — they can't reveal what they don't know.
- *
- * ## Components in this file
- *
- *   - {@link SealingKeyProvider} — the interface concrete providers
- *     implement. Provider implementations live OUTSIDE hub (per-
- *     platform packages).
- *   - {@link MemorySealingKeyProvider} — in-memory test provider; uses
- *     a deterministic per-instance "key" so two providers with
- *     different ids cannot unseal each other's outputs.
- *   - {@link RecipientHint} — public material a sender uses to seal
- *     plaintext for a specific recipient; published by
- *     {@link RecipientSealer.publishRecipientHint} and transported
- *     out-of-band to the sender before bundle writes.
- *   - {@link RecipientSealer} — interface for asymmetric/granted
- *     providers that support recipient-target sealing (RSA-OAEP,
- *     cloud-KMS asymmetric, etc.); distinct from self-only
- *     {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).
- *   - {@link MemoryRecipientSealer} — in-process reference
- *     implementation of both `RecipientSealer` and
- *     `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;
- *     safe for tests and same-process sender/recipient scenarios.
- *   - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —
- *     plaintext envelope storage at `_meta/sealed-passphrase`.
- *     Mirrors the `_meta/handle` and `_meta/public-envelope` AES-
- *     GCM-bypassed patterns. The sealing layer (provider's job)
- *     is the security boundary; hub doesn't have a key to encrypt
- *     with at this layer — that's the whole point of the design.
- *   - {@link resolveManagedSecret} — orchestrates the "generate +
- *     seal + persist on first open; unseal on reopen" flow.
- *     Returns the plaintext passphrase string that the rest of the
- *     `createNoydb` keyring path consumes.
- *
- * Deferred to follow-ups:
- *   - Block `rotate-passphrase` policy gate under managed mode.
- *   - Mandatory strong-recovery enforcement.
- *   - Recovery flow under managed mode (generates fresh sealed phrase).
- *
- * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
- *
- * @module
- */
-
-/**
- * The contract concrete providers (per-platform key stores) implement
- * to seal and unseal a hub-generated random passphrase. The plaintext
- * passphrase NEVER leaves hub-controlled memory in unsealed form —
- * the provider receives the bytes, returns opaque sealed bytes, and
- * later reverses the operation. Hub treats the sealed bytes as
- * fully opaque.
- *
- * Implementations live OUTSIDE `@noy-db/hub` (separate packages
- * per the issue's "Concrete providers (live outside hub)" note):
- *
- * | Platform | Package (TBD) | Backing |
- * |---|---|---|
- * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |
- * | Windows | `@noy-db/seal-wincred` | Credential Manager |
- * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |
- * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |
- */
-interface SealingKeyProvider {
-    /**
-     * Non-sensitive identifier disclosed in the persisted envelope.
-     * Surfaced to consumers via `loadSealedPassphrase().providerId` so
-     * a vault opened with the wrong provider class can detect the
-     * mismatch and surface a clear error. NOT secret — fine to log.
-     *
-     * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,
-     * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never
-     * parses this; it's purely audit metadata.
-     */
-    readonly id: string;
-    /** Seal raw passphrase bytes. Output bytes are opaque to hub. */
-    seal(passphrase: Uint8Array): Promise<Uint8Array>;
-    /**
-     * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or
-     * any other failure — hub treats a thrown error as "this provider
-     * cannot unlock this vault" and surfaces it to the caller.
-     */
-    unseal(sealed: Uint8Array): Promise<Uint8Array>;
-}
-/**
- * In-memory test provider. NOT secure — uses a deterministic
- * per-instance "key" (16-byte SHA-256 of `id`) XOR'd over the
- * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is
- * sufficient to make different `id` values produce mutually-unsealable
- * outputs (the contract tests for that), but offers ZERO real
- * confidentiality — never use outside tests.
- *
- * Replace with a real platform provider in production.
- */
-declare class MemorySealingKeyProvider implements SealingKeyProvider {
-    readonly id: string;
-    private readonly fingerprint;
-    private readonly keyBytes;
-    constructor(opts: {
-        id: string;
-    });
-    seal(passphrase: Uint8Array): Promise<Uint8Array>;
-    unseal(sealed: Uint8Array): Promise<Uint8Array>;
-}
-/**
- * Public material a sender uses to seal-for-this-recipient. Published by
- * a recipient's RecipientSealer; transported to the sender out-of-band
- * (email, S3, in-app message). The sender obtains the hint, supplies it
- * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the
- * hub seals each user's credential against it. Per foundation §11.4.
- */
-type RecipientHint = {
-    readonly v: 1;
-    /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */
-    readonly pid: string;
-    /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */
-    readonly alg: 'rsa-oaep-sha256';
-    /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */
-    readonly material: Readonly<Record<string, unknown>>;
-};
-/**
- * Handover-capable provider. Implemented additionally by asymmetric/granted
- * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).
- * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT
- * implement this — the §11.2 capability matrix lives in the type system.
- *
- * Per foundation §11.4. A function that requires recipient-target sealing
- * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects
- * passing a self-only provider at the spec site.
- */
-interface RecipientSealer {
-    readonly id: string;
-    /** Produce hint material a sender uses to seal-for-this-recipient. */
-    publishRecipientHint(): Promise<RecipientHint>;
-    /**
-     * Seal plaintext for the recipient described by `hint`. Returns opaque
-     * bytes — same contract as `SealingKeyProvider.seal()`. The bundle
-     * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`
-     * without inspecting them.
-     */
-    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
-}
-/**
- * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.
- * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte
- * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the
- * result into a self-describing TLV:
- *
- *   byte  0       : version (0x01)
- *   bytes 1..256  : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)
- *   bytes 257..268: AES-GCM IV (12 bytes)
- *   bytes 269..   : AES-GCM ciphertext ‖ 16-byte tag
- *
- * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just
- * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient
- * for tests where one provider plays both ends. Real cloud providers
- * (`at-aws-kms`, etc.) will pick their own internal layouts; the only
- * contract is round-trip identity.
- *
- * SAFE for production within its scope — the cryptography is real
- * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process
- * and is regenerated on every construction. Not suitable as a managed
- * keychain; use it for tests and for shipping bundles where the
- * recipient instance lives in the same process as the sender (rare).
- */
-declare class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {
-    readonly id: string;
-    private readonly keypair;
-    constructor(opts: {
-        id: string;
-    });
-    publishRecipientHint(): Promise<RecipientHint>;
-    sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>;
-    seal(plaintext: Uint8Array): Promise<Uint8Array>;
-    unseal(bytes: Uint8Array): Promise<Uint8Array>;
-}
-/** Reserved id for the managed-passphrase envelope under `_meta`. */
-declare const SEALED_PASSPHRASE_RECORD_ID: "sealed-passphrase";
-/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */
-interface SealedPassphrase {
-    readonly _noydb_sealed: 1;
-    readonly providerId: string;
-    /** Sealed bytes. Base64-encoded on the wire; decoded on load. */
-    readonly sealed: Uint8Array;
-}
-/**
- * Wire-format envelope persisted at `_meta/sealed-passphrase` for
- * managed-mode vaults. The provider produces raw sealed bytes via
- * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch
- * metadata hub needs to pick the right provider on the unseal path.
- *
- * Stability boundary: once shipped, the wire format only grows by
- * adding optional fields. See the at-* sealing dimension foundation
- * doc, §11.9.1.
- *
- * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
- *
- * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
- * — accepted on read for backwards compatibility; never produced on
- * write going forward.
- */
-interface SealedEnvelope {
-    /** Envelope schema version. v1 is the current shape. */
-    readonly v: 1;
-    /** Magic marker for forensics + legacy-shape detection. */
-    readonly _noydb_sealed: 1;
-    /** Matches the producing provider's `.id`. Dispatch key on unseal. */
-    readonly pid: string;
-    /** Sealed bytes from the provider, base64-encoded on the wire. */
-    readonly payload: string;
-}
-/**
- * Parse a `_meta/sealed-passphrase` `_data` JSON string into the
- * in-memory {@link SealedPassphrase} representation. Accepts both:
- *
- *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
- *      the current shape.
- *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
- *      read-only; never written
- *      going forward.
- *
- * Returns `undefined` for any input that doesn't match either shape,
- * so callers can fall back to "no managed-mode envelope present."
- *
- * @internal — exported only for the migration safety-net test suite.
- */
-declare function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined;
-declare function saveSealedPassphrase(store: NoydbStore, vault: string, payload: {
-    readonly providerId: string;
-    readonly sealed: Uint8Array;
-}): Promise<void>;
-declare function loadSealedPassphrase(store: NoydbStore, vault: string): Promise<SealedPassphrase | undefined>;
-
 /**
  * Core types — the {@link NoydbStore} interface, envelope format, roles, and
  * all configuration shapes consumed by {@link createNoydb}.
@@ -12070,6 +12749,27 @@ interface EncryptedEnvelope {
      * side channel.
      */
     readonly _det?: Record<string, string>;
+    /**
+     * Per-record content-encryption key (CEK), base64 AES-KW-wrapped under
+     * the collection (or tier) DEK. Present only on records written by a
+     * collection opened with `perRecordKeys: true`. When present, the body
+     * (`_iv`/`_data`) is encrypted under the unwrapped CEK rather than the
+     * collection DEK directly.
+     *
+     * Presence is the format discriminant: `_cek` absent → legacy body
+     * keyed off the collection DEK (read unchanged); `_cek` present →
+     * unwrap under the collection DEK, then decrypt the body under the CEK.
+     *
+     * The CEK is stable across every version of a record (insert mints it;
+     * updates and history snapshots reuse it), so all `_history` envelopes
+     * for a record carry the same `_cek`. This is the foundation for
+     * per-record erasure (#304) and record-scoped sealing (#306).
+     *
+     * `_det` slots are deliberately NOT keyed off the CEK — they remain
+     * keyed to the collection DEK so blind-equality search keeps working
+     * across records.
+     */
+    readonly _cek?: string;
 }
 /**
  * Placeholder returned by `getAtTier()` in `'ghost'` mode when a
@@ -13146,6 +13846,15 @@ interface LocaleReadOptions {
      * element to fall back to any present translation.
      */
     readonly fallback?: string | readonly string[];
+    /**
+     * @internal — the resolution layer this read belongs to (`'read'` by
+     * default). Threaded by layer-tagged read facades (guard / derivation)
+     * so `applyI18nLocale` and dictKey `resolvePolicy` select that layer's
+     * `onMissing` policy instead of the `'read'` policy. Not part of the
+     * public read API — callers select policy via the field's `onMissing`
+     * map, not by setting this. See #285.
+     */
+    readonly _layer?: Layer;
 }
 /**
  * Context passed to the consumer-supplied `plaintextTranslator` function.
@@ -13288,6 +13997,25 @@ interface BlobObject {
     readonly createdAt: string;
     /** Live reference count — slots + published versions pointing to this blob. */
     readonly refCount: number;
+    /**
+     * Base64 AES-KW-wrapped per-blob **content CEK** (wrapped under the `_blob`
+     * DEK). Present on erasable-collection blobs (`perRecordKeys`): the chunks
+     * are encrypted under this content CEK rather than directly under the `_blob`
+     * DEK, so deleting this BlobObject at `refCount → 0` crypto-shreds the chunks
+     * (they become permanently undecryptable). Absent → legacy blob, chunks
+     * decrypt directly under the `_blob` DEK (read unchanged). See
+     * docs/superpowers/specs/2026-06-13-per-blob-cek-design.md.
+     */
+    readonly _cek?: string;
+    /**
+     * Transient migration marker (#365 slice 3). Present only while a legacy
+     * blob is being migrated to a content CEK: it holds the wrapped content CEK
+     * BEFORE the chunks have been re-encrypted under it. Readers **ignore**
+     * `_cekPending` (they key off `_cek`), so the blob stays readable under the
+     * `_blob` DEK during migration AND the content CEK survives a crash → a
+     * re-run resumes and promotes `_cekPending` → `_cek`. Never set on a settled blob.
+     */
+    readonly _cekPending?: string;
     /**
      * Hint indicating which store holds the chunk data.
      * Used by `routeStore` size-tiered routing: `'default'` for small blobs
@@ -13519,6 +14247,19 @@ interface NoydbOptions {
      * @internal
      */
     readonly historyStrategy?: HistoryStrategy;
+    /**
+     * GDPR right-to-erasure (#304). Pass `withForgetCascade({ subjects })`
+     * from `@noy-db/hub/forget` to declare which collections carry erasable
+     * subject data and the record field naming the data subject. Enables
+     * `vault.forget(subjectId)` crypto-shred (rewrite-to-tombstone of the live
+     * record + every history version → body permanently undecryptable, single
+     * `op:'forget'` ledger entry, chain still verifies). Each declared
+     * collection is forced to `perRecordKeys: true`. When omitted (the
+     * `NO_FORGET` default), `vault.forget()` throws
+     * `ForgetStrategyNotConfiguredError` and no subject-index write hooks run.
+     * Requires `historyStrategy` (the ledger) for the erasure-proof entry.
+     */
+    readonly forgetStrategy?: ForgetStrategy;
     /**
      * tree-shake seam — optional i18n strategy. Pass `withI18n()`
      * from `@noy-db/hub/i18n` to enable `i18nText`/`dictKey` field
@@ -13806,6 +14547,16 @@ interface HistoryConfig {
     readonly enabled?: boolean;
     /** Maximum history entries per record. Oldest pruned on overflow. Default: unlimited. */
     readonly maxVersions?: number;
+    /**
+     * Participate in the vault-wide hash-chained tamper ledger. Default:
+     * `true` (every write of this collection appends a ledger entry when
+     * `withHistory()` is active). Set `false` to exclude this collection's
+     * writes from the chain — its puts/deletes leave no ledger entry,
+     * confining tamper-evidence to the collections where it carries weight.
+     * Independent of `enabled`, which gates per-record snapshots. Has no
+     * effect when `withHistory()` is not active (there is no ledger). See #361.
+     */
+    readonly ledger?: boolean;
 }
 /** Options for querying history. */
 interface HistoryOptions {
@@ -13874,4 +14625,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ExportBlobsAuditEntry as $, BLOB_COLLECTION as A, type BlobStrategy as B, BLOB_EVICTION_AUDIT_COLLECTION as C, DICT_COLLECTION_PREFIX as D, BLOB_INDEX_COLLECTION as E, BLOB_SLOTS_PREFIX as F, BLOB_VERSIONS_PREFIX as G, type BlobEvictionEntry as H, type I18nStrategy as I, type BlobFieldPolicy as J, type BlobFieldsConfig as K, type Layer as L, type BlobObject as M, type BlobPutOptions as N, type OnMissing as O, PolicyEnforcer as P, type BlobResponseOptions as Q, type ResolveI18nOptions as R, type ScriptWarning as S, BlobSet as T, type BlobStrategyOpenArgs as U, type CompactRunOptions as V, type CompactionContext as W, type CompactionResult as X, DEFAULT_CHUNK_SIZE as Y, EXPORT_AUDIT_COLLECTION as Z, ExportBlobsAbortedError as _, type DictEntry as a, type NoydbStore as a$, type ExportBlobsHandle as a0, type ExportBlobsOptions as a1, type ExportedBlob as a2, type SlotInfo as a3, type SlotRecord as a4, type VersionRecord as a5, createExportBlobsHandle as a6, runCompaction as a7, type ConsentStrategy as a8, CONSENT_AUDIT_COLLECTION as a9, VaultFrame as aA, type NoydbBundleStore as aB, type RetentionPolicy as aC, type SnapshotPolicy as aD, type SnapshotStrategy as aE, type SnapshotMeta as aF, type SnapshotMode as aG, type DerivationStrategy as aH, type DerivationContext as aI, type ArrayOutputSpec as aJ, DerivationRegistry as aK, type DerivationStrategyHandle as aL, type DerivedFromMeta as aM, type OutputSpec as aN, type RecordOutputSpec as aO, type MaterializedViewStrategy as aP, type MaterializedViewStrategyHandle as aQ, type OverlayedViewStrategy as aR, Collection as aS, type OverlayFieldMergeMode as aT, type OverlayFieldMergeRule as aU, OverlayedViewRegistry as aV, type OverlayedViewStrategyHandle as aW, type SyncStrategy as aX, type Role as aY, type UnlockedKeyring as aZ, type HistoryStrategy as a_, type ConsentAuditEntry as aa, type ConsentAuditFilter as ab, type ConsentContext as ac, type ConsentOp as ad, loadConsentEntries as ae, writeConsentEntry as af, type PeriodsStrategy as ag, type CarryForwardContext as ah, type ClosePeriodOptions as ai, type OpenPeriodOptions as aj, PERIODS_COLLECTION as ak, type PeriodRecord as al, type ReadOnlyCollection as am, appendPeriodLedgerEntry as an, assertTsWritable as ao, chainAnchor as ap, loadPeriods as aq, validatePeriodName as ar, type GuardStrategy as as, type GuardChange as at, type GuardContext as au, GuardRegistry as av, type GuardStrategyHandle as aw, ReadOnlyVaultFacade as ax, type ShadowStrategy as ay, CollectionFrame as az, type DictKeyDescriptor as b, type CollectionChangeEvent as b$, type HistoryOptions as b0, type EncryptedEnvelope as b1, type PruneOptions as b2, type AppendInput as b3, type ChangeType as b4, CollectionInstant as b5, type DiffEntry as b6, type JsonPatch as b7, type JsonPatchOp as b8, type LedgerEntry as b9, type MaterializedViewOutput as bA, type UnionArmJoin as bB, type UnionSource as bC, type UserEnvelope as bD, type GateName as bE, type GatePolicy as bF, type VaultPolicy as bG, type ActiveTier as bH, type FactorProof as bI, type SchemaUpdateStrategy as bJ, type TransformFn as bK, type PersistedSchemaEnvelope as bL, type UpdateDecision as bM, type DirectoryConfig as bN, type UserVisibility as bO, type AccessibleVault as bP, type AffectedDocument as bQ, type ArchivePolicy as bR, type ArchiveResult as bS, type ArchiveRunOptions as bT, type ArchiveStrategy as bU, BUNDLE_STORE_POLICY as bV, type BuiltInGateName as bW, type CacheOptions as bX, type CacheStats as bY, type CapturedBlueprint as bZ, type ChangeEvent as b_, LedgerStore as ba, type VaultEngine as bb, VaultInstant as bc, type VerifyResult as bd, applyPatch as be, canonicalJson as bf, computePatch as bg, diff as bh, formatDiff as bi, hashEntry as bj, paddedIndex as bk, parseIndex as bl, sha256Hex as bm, type PublicEnvelope as bn, type SealingKeyProvider as bo, type BundleRecipient as bp, type RecipientSealer as bq, type RecipientHint as br, Vault as bs, type RecoveryEnrollmentInput as bt, type ShamirRecoveryProvider as bu, TxContext as bv, type MVQueryContext as bw, type RegisteredMV as bx, MaterializedViewRegistry as by, type MaterializedFromMeta as bz, DictionaryHandle as c, type ListPageResult as c$, type CollectionConflictResolver as c0, type CollectionDescriptor as c1, type CollectionStats as c2, ComputedFieldError as c3, type ComputedFields as c4, type ComputedFn as c5, type Conflict as c6, type ConflictPolicy as c7, type ConflictStrategy as c8, type CrossTierAccessEvent as c9, type ExportStreamOptions as cA, type FactorKind as cB, type FactorProofBundle as cC, type FactorRequirement as cD, type FanoutQueryOptions as cE, type FanoutResult as cF, type FenceDoc as cG, type FenceState as cH, type FieldChange as cI, type FieldDescriptor as cJ, type FieldSource as cK, type GhostRecord as cL, type GrantOptions as cM, type GuardViolation as cN, type HistoryConfig as cO, type HistoryEntry as cP, INDEXED_STORE_POLICY as cQ, type ImportCapability as cR, type InferOutput as cS, type InternalCollectionStats as cT, type IssueDelegationOptions as cU, type IssueMagicLinkGrantOptions as cV, type KeyringAuthenticator as cW, type KeyringAuthenticatorWrappingDEKs as cX, type KeyringAuthenticatorWrappingKEK as cY, type KeyringFile as cZ, type ListAccessibleVaultsOptions as c_, CrossVaultAggregation as ca, CrossVaultGroupedAggregation as cb, type GroupedRow as cc, type CrossVaultLiveAggregation as cd, type CrossVaultLiveQuery as ce, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as cf, DELEGATIONS_COLLECTION as cg, type DeepPartial as ch, type DeepPartialOrNull as ci, type DeferredNumberingConfig as cj, type DelegationToken as ck, type DeleteManyResult as cl, type DeploymentEvent as cm, type DerivationDescriptor as cn, type DirtyEntry as co, type DryRunResult as cp, type DumpSchemaOptions as cq, ELEVATION_AUDIT_COLLECTION as cr, ElevatedHandle as cs, type EnrollAuthenticatorOptions as ct, type EnrollAuthenticatorWrappingDEKsOptions as cu, type EnrollAuthenticatorWrappingKEKOptions as cv, type EnrollRecoveryResult as cw, type ExportCapability as cx, type ExportChunk as cy, type ExportFormat as cz, type DictionaryOptions as d, type RotatePassphraseInput as d$, type ListUsersOptions as d0, type LiveQueryOptions as d1, type LiveUserEnvelope as d2, type LocaleReadOptions as d3, Lru as d4, type LruOptions as d5, type LruStats as d6, MAGIC_LINK_CONTENT_INFO_PREFIX as d7, MAGIC_LINK_GRANTS_COLLECTION as d8, MAGIC_LINK_KEK_INFO_PREFIX as d9, PresenceHandle as dA, type PresencePeer as dB, type PublicEnvelopeField as dC, type PublicEnvelopeSchema as dD, type PublicEnvelopeText as dE, type PullMode as dF, type PullOptions as dG, type PullPolicy as dH, type PullResult as dI, type PushMode as dJ, type PushOptions as dK, type PushPolicy as dL, type PushResult as dM, type PutManyItemOptions as dN, type PutManyOptions as dO, type PutManyResult as dP, type QueryAcrossOptions as dQ, type QueryAcrossResult as dR, type QuickUnlockState as dS, QuickUnlockStore as dT, type ReAuthOperation as dU, type RecoverPassphraseInput as dV, type RecoverPassphraseResult as dW, type RecoverUserOptions as dX, type RecoveryProof as dY, type ResolvedPublicEnvelopeSchema as dZ, type RevokeOptions as d_, type MagicLinkGrantPayload as da, type MagicLinkGrantRecord as db, type MaterializedViewDescriptor as dc, MemoryRecipientSealer as dd, MemorySealingKeyProvider as de, NOYDB_BACKUP_VERSION as df, NOYDB_FORMAT_VERSION as dg, NOYDB_KEYRING_VERSION as dh, NOYDB_SYNC_VERSION as di, type NextOptions as dj, Noydb as dk, type NoydbEventMap as dl, type NoydbOptions as dm, type Assignment as dn, type OverlayViewDescriptor as dp, PUBLIC_ENVELOPE_FIELDS as dq, type PaperRecoveryDoc as dr, type PaperRecoveryEntry as ds, type PassphrasePolicy as dt, type PassphraseValidationResult as du, type Permission as dv, type Permissions as dw, type PersistedSchemaKind as dx, type PlaintextTranslatorContext as dy, type PlaintextTranslatorFn as dz, type I18nMap as e, VaultGroup as e$, type RotateRecoveryOptions as e0, type RotateRecoveryResult as e1, SEALED_PASSPHRASE_RECORD_ID as e2, type SchemaDelta as e3, type SchemaIntrospection as e4, type SchemaManifestRow as e5, type SealedEnvelope as e6, type SealedPassphrase as e7, type SequenceHandle as e8, type SequenceOptions as e9, type SyncTarget as eA, type SyncTargetRole as eB, SyncTransaction as eC, type SyncTransactionResult as eD, type TabChannel as eE, type TabCoordinationOptions as eF, type TabLockManager as eG, type TabPresence as eH, type TabRole as eI, type TierMode as eJ, type TransactionInvariant as eK, type TranslatorAuditEntry as eL, TxCollection as eM, type TxOp as eN, TxVault as eO, USER_ENVELOPE_COLLECTION as eP, USER_ENVELOPE_MAX_BYTES as eQ, type Unsubscribe as eR, type UpdateAuthenticatorOptions as eS, type UpdateContext as eT, type UpdateUserOptions as eU, UserApi as eV, type UserEnvelopeCheckGate as eW, UserEnvelopeOversizedError as eX, type UserEnvelopePresented as eY, type UserInfo as eZ, type VaultBackup as e_, SequenceStore as ea, type SessionPolicy as eb, type SetPublicEnvelopeInput as ec, type ShamirRecoveryDoc as ed, type ShamirRecoveryEntry as ee, ShardedCollection as ef, ShardedGroupedQuery as eg, ShardedQuery as eh, type ShardingConfig as ei, type SkippedVault as ej, type SlotRewrapCeremony as ek, type SlotRewrapContext as el, type StandardSchemaV1 as em, type StandardSchemaV1Issue as en, type StandardSchemaV1SyncResult as eo, StateManagementVault as ep, type StoreAuth as eq, type StoreAuthKind as er, type StoreCapabilities as es, type StoreTime as et, SyncEngine as eu, type SyncMetadata as ev, type SyncPolicy as ew, SyncScheduler as ex, type SyncSchedulerStatus as ey, type SyncStatus as ez, type I18nTextDescriptor as f, validatePublicEnvelopeInput as f$, type VaultGroupOptions as f0, type VaultPolicyOnDisk as f1, type VaultRegistryRow as f2, type VaultSchemaSnapshot as f3, type VaultSnapshot as f4, type VaultTemplate as f5, type WarningRules as f6, WeakPassphraseError as f7, type WeakPassphraseReason as f8, type WithArchiveOptions as f9, listUsers as fA, listUsersWithEnvelopes as fB, loadActiveDelegations as fC, loadPaperRecoveryEntries as fD, loadSealedPassphrase as fE, loadShamirRecoveryEntries as fF, magicLinkGrantRecordId as fG, mintPaperRecoveryEntry as fH, mintShamirRecoveryEntry as fI, mintWrappedDeksBlob as fJ, parseSealedEnvelope as fK, readMagicLinkGrantRecord as fL, recoverUser as fM, removeAuthenticator as fN, resolveSchema as fO, resolveSequenceKey as fP, revokeDelegation as fQ, revokeMagicLinkGrant as fR, runTransaction as fS, savePaperRecoveryEntries as fT, saveSealedPassphrase as fU, saveShamirRecoveryEntries as fV, unwrapDeksFromBlob as fW, unwrapDeksFromPaperEntry as fX, unwrapDeksFromShamirEntry as fY, unwrapMagicLinkGrant as fZ, validatePassphrase as f_, type WrappedDeksBlob as fa, type WriteConflict as fb, type WriteEvent as fc, type WriteHook as fd, type WriteQueue as fe, assertStrongPassphrase as ff, buildRecipientKeyringFile as fg, burnPaperRecoveryEntry as fh, createNoydb as fi, createStore as fj, deriveMagicLinkContentKey as fk, enrollAuthenticator as fl, estimateEntropy as fm, evalComputedFields as fn, evaluateExportCapability as fo, evaluateImportCapability as fp, findAuthenticator as fq, hasExportCapability as fr, hasImportCapability as fs, hasRecoveryEnrolled as ft, isMagicLinkGrantExpired as fu, isPublicEnvelope as fv, issueDelegation as fw, recoverPassphrase as fx, rotatePassphrase as fy, listMagicLinkGrants as fz, type I18nTextOptions as g, validateSchemaInput as g0, validateSchemaOutput as g1, withArchive as g2, withDeferredNumbering as g3, writeMagicLinkGrant as g4, changeSecret as g5, createOwnerKeyring as g6, ensureCollectionDEK as g7, grant as g8, loadKeyring as g9, persistKeyring as ga, revoke as gb, updateAuthenticator as gc, updateKeyringIdentity as gd, type TxStrategy as ge, type AmendmentTxOptions as gf, type OnMissingPolicy as h, applyI18nLocale as i, dictCollectionName as j, dictKey as k, enforceScript as l, getAtPath as m, i18nText as n, inferScripts as o, isDictCollectionName as p, isDictKeyDescriptor as q, isI18nTextDescriptor as r, resolveI18nText as s, resolvePolicy as t, setAtPathInPlace as u, validateI18nTextValue as v, type SessionStrategy as w, createEnforcer as x, validateSessionPolicy as y, BLOB_CHUNKS_COLLECTION as z };
+export { DEFAULT_CHUNK_SIZE as $, createEnforcer as A, validateSessionPolicy as B, type BlobStrategy as C, DICT_COLLECTION_PREFIX as D, BLOB_CHUNKS_COLLECTION as E, BLOB_COLLECTION as F, BLOB_EVICTION_AUDIT_COLLECTION as G, BLOB_INDEX_COLLECTION as H, type I18nStrategy as I, BLOB_SLOTS_PREFIX as J, BLOB_VERSIONS_PREFIX as K, type Layer as L, type BlobEvictionEntry as M, type BlobFieldPolicy as N, type OnMissing as O, PolicyEnforcer as P, type BlobFieldsConfig as Q, type ResolveI18nOptions as R, type ScriptWarning as S, type BlobObject as T, type BlobPutOptions as U, type BlobResponseOptions as V, BlobSet as W, type BlobStrategyOpenArgs as X, type CompactRunOptions as Y, type CompactionContext as Z, type CompactionResult as _, type DictEntry as a, type Role as a$, EXPORT_AUDIT_COLLECTION as a0, ExportBlobsAbortedError as a1, type ExportBlobsAuditEntry as a2, type ExportBlobsHandle as a3, type ExportBlobsOptions as a4, type ExportedBlob as a5, type SlotInfo as a6, type SlotRecord as a7, type VersionRecord as a8, createExportBlobsHandle as a9, ReadOnlyVaultFacade as aA, type ShadowStrategy as aB, CollectionFrame as aC, VaultFrame as aD, type NoydbBundleStore as aE, type RetentionPolicy as aF, type SnapshotPolicy as aG, type SnapshotStrategy as aH, type SnapshotMeta as aI, type SnapshotMode as aJ, type DerivationStrategy as aK, type DerivationContext as aL, type ArrayOutputSpec as aM, DerivationRegistry as aN, type DerivationStrategyHandle as aO, type DerivedFromMeta as aP, type OutputSpec as aQ, type RecordOutputSpec as aR, type MaterializedViewStrategy as aS, type MaterializedViewStrategyHandle as aT, type OverlayedViewStrategy as aU, Collection as aV, type OverlayFieldMergeMode as aW, type OverlayFieldMergeRule as aX, OverlayedViewRegistry as aY, type OverlayedViewStrategyHandle as aZ, type SyncStrategy as a_, runCompaction as aa, type ConsentStrategy as ab, CONSENT_AUDIT_COLLECTION as ac, type ConsentAuditEntry as ad, type ConsentAuditFilter as ae, type ConsentContext as af, type ConsentOp as ag, loadConsentEntries as ah, writeConsentEntry as ai, type PeriodsStrategy as aj, type CarryForwardContext as ak, type ClosePeriodOptions as al, type OpenPeriodOptions as am, PERIODS_COLLECTION as an, type PeriodRecord as ao, type ReadOnlyCollection as ap, appendPeriodLedgerEntry as aq, assertTsWritable as ar, chainAnchor as as, loadPeriods as at, validatePeriodName as au, type GuardStrategy as av, type GuardChange as aw, type GuardContext as ax, GuardRegistry as ay, type GuardStrategyHandle as az, type DictKeyDescriptor as b, type CollectionStats as b$, type UnlockedKeyring as b0, type HistoryStrategy as b1, type NoydbStore as b2, type HistoryOptions as b3, type EncryptedEnvelope as b4, type PruneOptions as b5, type AppendInput as b6, type ChangeType as b7, CollectionInstant as b8, type DiffEntry as b9, type UserEnvelope as bA, type GateName as bB, type GatePolicy as bC, type VaultPolicy as bD, type ActiveTier as bE, type FactorProof as bF, type SchemaUpdateStrategy as bG, type TransformFn as bH, type PersistedSchemaEnvelope as bI, type UpdateDecision as bJ, type DirectoryConfig as bK, type UserVisibility as bL, type AccessibleVault as bM, type AffectedDocument as bN, type ArchivePolicy as bO, type ArchiveResult as bP, type ArchiveRunOptions as bQ, type ArchiveStrategy as bR, BUNDLE_STORE_POLICY as bS, type BuiltInGateName as bT, type CacheOptions as bU, type CacheStats as bV, type CapturedBlueprint as bW, type ChangeEvent as bX, type CollectionChangeEvent as bY, type CollectionConflictResolver as bZ, type CollectionDescriptor as b_, type JsonPatch as ba, type JsonPatchOp as bb, LedgerStore as bc, type VaultEngine as bd, VaultInstant as be, type VerifyResult as bf, applyPatch as bg, computePatch as bh, diff as bi, formatDiff as bj, type PublicEnvelope as bk, type SealingKeyProvider as bl, type BundleRecipient as bm, type RecipientSealer as bn, type RecipientHint as bo, Vault as bp, type RecoveryEnrollmentInput as bq, type ShamirRecoveryProvider as br, TxContext as bs, type MVQueryContext as bt, type RegisteredMV as bu, MaterializedViewRegistry as bv, type MaterializedFromMeta as bw, type MaterializedViewOutput as bx, type UnionArmJoin as by, type UnionSource as bz, DictionaryHandle as c, LinkEndpointError as c$, ComputedFieldError as c0, type ComputedFields as c1, type ComputedFn as c2, type Conflict as c3, type ConflictPolicy as c4, type ConflictStrategy as c5, type CrossTierAccessEvent as c6, CrossVaultAggregation as c7, type CrossVaultDerivationContext as c8, type CrossVaultDerivationSpec as c9, type FactorKind as cA, type FactorProofBundle as cB, type FactorRequirement as cC, type FanoutQueryOptions as cD, type FanoutResult as cE, type FenceDoc as cF, type FenceState as cG, type FieldChange as cH, type FieldDescriptor as cI, type FieldSource as cJ, type FleetMigrationResult as cK, type FormattedSequenceHandle as cL, type GhostRecord as cM, type GrantOptions as cN, type GuardViolation as cO, type HistoryConfig as cP, type HistoryEntry as cQ, INDEXED_STORE_POLICY as cR, type ImportCapability as cS, type InferOutput as cT, type InternalCollectionStats as cU, type IssueDelegationOptions as cV, type IssueMagicLinkGrantOptions as cW, type KeyringAuthenticator as cX, type KeyringAuthenticatorWrappingDEKs as cY, type KeyringAuthenticatorWrappingKEK as cZ, type KeyringFile as c_, CrossVaultGroupedAggregation as ca, type GroupedRow as cb, type CrossVaultLiveAggregation as cc, type CrossVaultLiveQuery as cd, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as ce, DELEGATIONS_COLLECTION as cf, type DeepPartial as cg, type DeepPartialOrNull as ch, type DeferredNumberingConfig as ci, type DelegationToken as cj, type DeleteManyResult as ck, type DeploymentEvent as cl, type DerivationDescriptor as cm, type DirtyEntry as cn, type DryRunResult as co, type DumpSchemaOptions as cp, ELEVATION_AUDIT_COLLECTION as cq, ElevatedHandle as cr, type EnrollAuthenticatorOptions as cs, type EnrollAuthenticatorWrappingDEKsOptions as ct, type EnrollAuthenticatorWrappingKEKOptions as cu, type EnrollRecoveryResult as cv, type ExportCapability as cw, type ExportChunk as cx, type ExportFormat as cy, type ExportStreamOptions as cz, type DictionaryOptions as d, QuickUnlockStore as d$, LinkIntegrityError as d0, type LinkOnDelete as d1, type LinkRow as d2, type LinkSetHandle as d3, type LinkSpec as d4, type ListAccessibleVaultsOptions as d5, type ListPageResult as d6, type ListUsersOptions as d7, type LiveQueryOptions as d8, type LiveUserEnvelope as d9, type PaperRecoveryEntry as dA, type PassphrasePolicy as dB, type PassphraseValidationResult as dC, type Permission as dD, type Permissions as dE, type PersistedSchemaKind as dF, type PlaintextTranslatorContext as dG, type PlaintextTranslatorFn as dH, PresenceHandle as dI, type PresencePeer as dJ, type PublicEnvelopeField as dK, type PublicEnvelopeSchema as dL, type PublicEnvelopeText as dM, type PullMode as dN, type PullOptions as dO, type PullPolicy as dP, type PullResult as dQ, type PushMode as dR, type PushOptions as dS, type PushPolicy as dT, type PushResult as dU, type PutManyItemOptions as dV, type PutManyOptions as dW, type PutManyResult as dX, type QueryAcrossOptions as dY, type QueryAcrossResult as dZ, type QuickUnlockState as d_, type LocaleReadOptions as da, Lru as db, type LruOptions as dc, type LruStats as dd, MAGIC_LINK_CONTENT_INFO_PREFIX as de, MAGIC_LINK_GRANTS_COLLECTION as df, MAGIC_LINK_KEK_INFO_PREFIX as dg, type MagicLinkGrantPayload as dh, type MagicLinkGrantRecord as di, type MaterializedViewDescriptor as dj, MemoryRecipientSealer as dk, MemorySealingKeyProvider as dl, type MigrationStatusRow as dm, NOYDB_BACKUP_VERSION as dn, NOYDB_FORMAT_VERSION as dp, NOYDB_KEYRING_VERSION as dq, NOYDB_SYNC_VERSION as dr, type NextOptions as ds, Noydb as dt, type NoydbEventMap as du, type NoydbOptions as dv, type Assignment as dw, type OverlayViewDescriptor as dx, PUBLIC_ENVELOPE_FIELDS as dy, type PaperRecoveryDoc as dz, type I18nMap as e, type UpdateAuthenticatorOptions as e$, type ReAuthOperation as e0, type RecoverPassphraseInput as e1, type RecoverPassphraseResult as e2, type RecoverUserOptions as e3, type RecoveryProof as e4, type RefreshInsightsResult as e5, type ResolvedPublicEnvelopeSchema as e6, type RevokeOptions as e7, type RotatePassphraseInput as e8, type RotateRecoveryOptions as e9, type StoreAuthKind as eA, type StoreCapabilities as eB, type StoreTime as eC, SyncEngine as eD, type SyncMetadata as eE, type SyncPolicy as eF, SyncScheduler as eG, type SyncSchedulerStatus as eH, type SyncStatus as eI, type SyncTarget as eJ, type SyncTargetRole as eK, SyncTransaction as eL, type SyncTransactionResult as eM, type TabChannel as eN, type TabCoordinationOptions as eO, type TabLockManager as eP, type TabPresence as eQ, type TabRole as eR, type TierMode as eS, type TransactionInvariant as eT, type TranslatorAuditEntry as eU, TxCollection as eV, type TxOp as eW, TxVault as eX, USER_ENVELOPE_COLLECTION as eY, USER_ENVELOPE_MAX_BYTES as eZ, type Unsubscribe as e_, type RotateRecoveryResult as ea, SEALED_PASSPHRASE_RECORD_ID as eb, type SchemaDelta as ec, type SchemaIntrospection as ed, type SchemaManifestRow as ee, type SealedEnvelope as ef, type SealedPassphrase as eg, type SequenceHandle as eh, type SequenceOptions as ei, SequenceStore as ej, type SessionPolicy as ek, type SetPublicEnvelopeInput as el, type ShamirRecoveryDoc as em, type ShamirRecoveryEntry as en, ShardedCollection as eo, ShardedGroupedQuery as ep, ShardedQuery as eq, type ShardingConfig as er, type SkippedVault as es, type SlotRewrapCeremony as et, type SlotRewrapContext as eu, type StandardSchemaV1 as ev, type StandardSchemaV1Issue as ew, type StandardSchemaV1SyncResult as ex, StateManagementVault as ey, type StoreAuth as ez, type I18nTextDescriptor as f, resolveSchema as f$, type UpdateContext as f0, type UpdateUserOptions as f1, UserApi as f2, type UserEnvelopeCheckGate as f3, UserEnvelopeOversizedError as f4, type UserEnvelopePresented as f5, type UserInfo as f6, type VaultBackup as f7, VaultGroup as f8, type VaultGroupOptions as f9, evaluateImportCapability as fA, findAuthenticator as fB, hasExportCapability as fC, hasImportCapability as fD, hasRecoveryEnrolled as fE, isLinkCollectionName as fF, isMagicLinkGrantExpired as fG, isPublicEnvelope as fH, issueDelegation as fI, recoverPassphrase as fJ, rotatePassphrase as fK, listMagicLinkGrants as fL, listUsers as fM, listUsersWithEnvelopes as fN, loadActiveDelegations as fO, loadPaperRecoveryEntries as fP, loadSealedPassphrase as fQ, loadShamirRecoveryEntries as fR, magicLinkGrantRecordId as fS, mintPaperRecoveryEntry as fT, mintShamirRecoveryEntry as fU, mintWrappedDeksBlob as fV, parseRsaOaepTlv as fW, parseSealedEnvelope as fX, readMagicLinkGrantRecord as fY, recoverUser as fZ, removeAuthenticator as f_, type VaultPolicyOnDisk as fa, type VaultRegistryRow as fb, type VaultSchemaSnapshot as fc, type VaultSnapshot as fd, type VaultTemplate as fe, type WarningRules as ff, WeakPassphraseError as fg, type WeakPassphraseReason as fh, type WithArchiveOptions as fi, type WrappedDeksBlob as fj, type WriteConflict as fk, type WriteEvent as fl, type WriteHook as fm, type WriteQueue as fn, aesGcmOpen as fo, assertStrongPassphrase as fp, buildRecipientKeyringFile as fq, burnPaperRecoveryEntry as fr, compileSequenceFormat as fs, createNoydb as ft, createStore as fu, deriveMagicLinkContentKey as fv, enrollAuthenticator as fw, estimateEntropy as fx, evalComputedFields as fy, evaluateExportCapability as fz, type I18nTextOptions as g, resolveSequenceKey as g0, revokeDelegation as g1, revokeMagicLinkGrant as g2, runTransaction as g3, savePaperRecoveryEntries as g4, saveSealedPassphrase as g5, saveShamirRecoveryEntries as g6, sealRsaOaepTlv as g7, unwrapDeksFromBlob as g8, unwrapDeksFromPaperEntry as g9, unwrapDeksFromShamirEntry as ga, unwrapMagicLinkGrant as gb, validatePassphrase as gc, validatePublicEnvelopeInput as gd, validateSchemaInput as ge, validateSchemaOutput as gf, withArchive as gg, withDeferredNumbering as gh, writeMagicLinkGrant as gi, changeSecret as gj, createOwnerKeyring as gk, ensureCollectionDEK as gl, grant as gm, loadKeyring as gn, persistKeyring as go, revoke as gp, updateAuthenticator as gq, updateKeyringIdentity as gr, type TxStrategy as gs, type AmendmentTxOptions as gt, type OnMissingPolicy as h, type StaticDictDescriptor as i, applyI18nLocale as j, dictCollectionName as k, dictKey as l, enforceScript as m, getAtPath as n, i18nText as o, inferScripts as p, isDictCollectionName as q, isDictKeyDescriptor as r, isI18nTextDescriptor as s, isStaticDictDescriptor as t, resolveI18nText as u, resolvePolicy as v, setAtPathInPlace as w, staticDict as x, validateI18nTextValue as y, type SessionStrategy as z };