@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.18

package/dist/bundle/index.cjs

@@ -31,7 +31,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/errors.ts
-var NoydbError, DecryptionError, TamperedError, InvalidKeyError, KeyringCorruptError, NoAccessError, ReadOnlyError, PermissionDeniedError, ExportCapabilityError, KeyringExpiredError, ImportCapabilityError, StoreCapabilityError, PrivilegeEscalationError, ReservedVaultNameError, FieldFrozenError, InvariantError, AmendmentForbiddenError, TierNotGrantedError, ElevationExpiredError, AlreadyElevatedError, TierDemoteDeniedError, DelegationTargetMissingError, ConflictError, LedgerContentionError, SequenceContentionError, SequenceOfflineError, NumberingUncertaintyError, BundleVersionConflictError, ValidationError, SchemaValidationError, SchemaUpdateError, SchemaFenceError, MigrationRequiredError, QuiesceTimeoutError, GroupCardinalityError, IndexRequiredError, UniqueConstraintError, UnsupportedIndexOptionError, IndexWriteFailureError, BundleIntegrityError, BundleSealMismatchError, ReservedCollectionNameError, LocaleNotSpecifiedError, TranslatorNotConfiguredError, BackupLedgerError, BackupCorruptedError, PartitionExtractionError, TransferSealError, AdoptionStateError, AttestationError, JoinTooLargeError, CrossJoinTooLargeError, CrossJoinSourceUnknownError, DanglingReferenceError, DerivationCycleError, DerivationOutputShapeError, DerivationCapExceededError, MaterializedViewCycleError, MaterializedViewSourceUnknownError, MaterializedViewTooLargeError, OverlayBaseIsVirtualError, OverlayCollectionUnavailableError, OverlayNameCollisionError, OverlayIdMismatchError, UnknownShardError, ShardProvisioningError, CrossShardJoinError, VaultTemplateNotFoundError;
+var NoydbError, DecryptionError, TamperedError, InvalidKeyError, KeyringCorruptError, NoAccessError, ReadOnlyError, PermissionDeniedError, ExportCapabilityError, KeyringExpiredError, ImportCapabilityError, StoreCapabilityError, PrivilegeEscalationError, ReservedVaultNameError, FieldFrozenError, InvariantError, AmendmentForbiddenError, TierNotGrantedError, ElevationExpiredError, AlreadyElevatedError, TierDemoteDeniedError, DelegationTargetMissingError, ConflictError, LedgerContentionError, SequenceContentionError, SequenceOfflineError, NumberingUncertaintyError, BundleVersionConflictError, ValidationError, SchemaValidationError, SchemaUpdateError, SchemaFenceError, MigrationRequiredError, QuiesceTimeoutError, GroupCardinalityError, IndexRequiredError, UniqueConstraintError, UnsupportedIndexOptionError, IndexWriteFailureError, BundleIntegrityError, BundleSealMismatchError, ReservedCollectionNameError, LocaleNotSpecifiedError, StaticDictReadonlyError, UnknownDictCodeError, TranslatorNotConfiguredError, BackupLedgerError, BackupCorruptedError, PartitionExtractionError, TransferSealError, AdoptionStateError, AttestationError, JoinTooLargeError, CrossJoinTooLargeError, CrossJoinSourceUnknownError, DanglingReferenceError, DerivationCycleError, DerivationOutputShapeError, DerivationCapExceededError, MaterializedViewCycleError, MaterializedViewSourceUnknownError, MaterializedViewTooLargeError, OverlayBaseIsVirtualError, OverlayCollectionUnavailableError, OverlayNameCollisionError, OverlayIdMismatchError, UnknownShardError, ShardProvisioningError, CrossShardJoinError, VaultTemplateNotFoundError, ForgetStrategyNotConfiguredError, RecordCekNotFoundError;
 var init_errors = __esm({
   "src/errors.ts"() {
     "use strict";
@@ -485,6 +485,36 @@ Resolutions:
         this.field = field;
       }
     };
+    StaticDictReadonlyError = class extends NoydbError {
+      /** The static dictionary name that was the target of the mutation. */
+      dictionaryName;
+      constructor(dictionaryName) {
+        super(
+          "STATIC_DICT_READONLY",
+          `Dictionary "${dictionaryName}" is a staticDict \u2014 its labels are code constants with no mutation surface. put/putAll/rename/delete are not supported; change the label in the staticDict() table and redeploy.`
+        );
+        this.name = "StaticDictReadonlyError";
+        this.dictionaryName = dictionaryName;
+      }
+    };
+    UnknownDictCodeError = class extends NoydbError {
+      /** The static dictionary name. */
+      dictionaryName;
+      /** The field that carried the unknown code. */
+      field;
+      /** The offending code value. */
+      code;
+      constructor(dictionaryName, field, code) {
+        super(
+          "UNKNOWN_DICT_CODE",
+          `Field "${field}": code "${code}" is not a known key of staticDict "${dictionaryName}". Use a declared code, or pass { validateCodes: false } on the descriptor to allow open codes.`
+        );
+        this.name = "UnknownDictCodeError";
+        this.dictionaryName = dictionaryName;
+        this.field = field;
+        this.code = code;
+      }
+    };
     TranslatorNotConfiguredError = class extends NoydbError {
       /** The field that requested auto-translation. */
       field;
@@ -763,6 +793,25 @@ Resolutions:
         this.templateName = templateName;
       }
     };
+    ForgetStrategyNotConfiguredError = class extends NoydbError {
+      constructor(message = 'vault.forget() requires a forget strategy. Pass `forgetStrategy: withForgetCascade({ subjects: { <collection>: <subjectField> } })` from "@noy-db/hub/forget" to createNoydb().') {
+        super("FORGET_NOT_CONFIGURED", message);
+        this.name = "ForgetStrategyNotConfiguredError";
+      }
+    };
+    RecordCekNotFoundError = class extends NoydbError {
+      collection;
+      id;
+      constructor(collection, id) {
+        super(
+          "RECORD_CEK_NOT_FOUND",
+          `No per-record CEK for ${collection}/${id}. The record is missing, or its collection was not opened with { perRecordKeys: true } \u2014 only per-record-key records carry a sealable CEK.`
+        );
+        this.name = "RecordCekNotFoundError";
+        this.collection = collection;
+        this.id = id;
+      }
+    };
   }
 });
 
@@ -1016,6 +1065,39 @@ async function unwrapKey(wrappedBase64, kek) {
     throw new InvalidKeyError();
   }
 }
+async function asKwKey(dek) {
+  const rawDek = await subtle.exportKey("raw", dek);
+  const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
+  const salt = new TextEncoder().encode("noydb-cek-wrap");
+  const info = new TextEncoder().encode("v1");
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info },
+    hkdfKey,
+    KEY_BITS
+  );
+  return subtle.importKey("raw", bits, "AES-KW", false, ["wrapKey", "unwrapKey"]);
+}
+async function wrapCek(cek, dek) {
+  const kw = await asKwKey(dek);
+  const wrapped = await subtle.wrapKey("raw", cek, kw, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function unwrapCek(wrappedBase64, dek) {
+  const kw = await asKwKey(dek);
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kw,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
 async function encrypt(plaintext, dek) {
   const iv = generateIV();
   const encoded = new TextEncoder().encode(plaintext);
@@ -1112,6 +1194,163 @@ var init_crypto = __esm({
   }
 });
 
+// src/record-keys/tombstone.ts
+function isTombstone(envelope, encrypted) {
+  if (!encrypted) return false;
+  return !envelope._data && envelope._cek === void 0;
+}
+function buildTombstone(version, actor) {
+  return {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: version,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: "",
+    ...actor ? { _by: actor } : {}
+  };
+}
+var init_tombstone = __esm({
+  "src/record-keys/tombstone.ts"() {
+    "use strict";
+    init_types();
+  }
+});
+
+// src/record-keys/lifecycle.ts
+async function resolveStableCek(deps, id) {
+  const cached = deps.cache?.get(id);
+  if (cached) return cached;
+  const live = await deps.getLive(id);
+  if (live?._cek !== void 0) {
+    const cek = await unwrapCek(live._cek, await deps.getDEK());
+    deps.cache?.set(id, cek, 1);
+    return cek;
+  }
+  const fresh = await generateDEK();
+  deps.cache?.set(id, fresh, 1);
+  return fresh;
+}
+async function rewrapBodyToDek(envelope, fromDek, toDek) {
+  if (envelope._cek !== void 0) {
+    const cek = await unwrapCek(envelope._cek, fromDek);
+    const plaintext2 = await decrypt(envelope._iv, envelope._data, cek);
+    const { iv: iv2, data: data2 } = await encrypt(plaintext2, cek);
+    return { _iv: iv2, _data: data2, _cek: await wrapCek(cek, toDek), cek };
+  }
+  const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
+  const { iv, data } = await encrypt(plaintext, toDek);
+  return { _iv: iv, _data: data, cek: null };
+}
+var init_lifecycle = __esm({
+  "src/record-keys/lifecycle.ts"() {
+    "use strict";
+    init_crypto();
+  }
+});
+
+// src/record-keys/sealing.ts
+async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
+  if (collection.includes("/")) throw new ValidationError(`sealRecordToHost: collection "${collection}" must not contain "/"`);
+  if (id.includes("/")) throw new ValidationError(`sealRecordToHost: id "${id}" must not contain "/"`);
+  const live = await ctx.adapter.get(ctx.vault, collection, id);
+  if (!live || live._cek === void 0) {
+    throw new RecordCekNotFoundError(collection, id);
+  }
+  const dek = await ctx.getDEK(collection);
+  const cek = await unwrapCek(live._cek, dek);
+  const rawCek = await subtle2.exportKey("raw", cek);
+  const cekB64 = bufferToBase64(rawCek);
+  const hint = await hostSealer.publishRecipientHint();
+  if (hint.pid.includes("/")) throw new ValidationError(`sealRecordToHost: recipient pid "${hint.pid}" must not contain "/"`);
+  const binding = {
+    collection,
+    id,
+    cek: cekB64,
+    expiresAt: opts.expiresAt
+  };
+  const sealed = await hostSealer.sealForRecipient(
+    new TextEncoder().encode(JSON.stringify(binding)),
+    hint
+  );
+  const delivery = {
+    v: 1,
+    _noydb_sealed_cek: 1,
+    pid: hint.pid,
+    payload: bufferToBase64(sealed),
+    expiresAt: opts.expiresAt
+  };
+  const envelopeKey = `${collection}/${id}/${hint.pid}`;
+  const prior = await ctx.adapter.get(ctx.vault, SEALED_CEK_NS, envelopeKey);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // AES-GCM bypassed — the sealing layer is the security boundary, exactly
+    // like the managed-passphrase `_meta/sealed-passphrase` envelope.
+    _iv: "",
+    _data: JSON.stringify(delivery),
+    ...ctx.actor ? { _by: ctx.actor } : {}
+  };
+  await ctx.adapter.put(ctx.vault, SEALED_CEK_NS, envelopeKey, env);
+  return { pid: hint.pid, envelopeKey };
+}
+async function revokeSealedRecord(ctx, collection, id, pid) {
+  await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, `${collection}/${id}/${pid}`);
+}
+async function rotateRecordCek(ctx, collection, id) {
+  const live = await ctx.adapter.get(ctx.vault, collection, id);
+  if (!live || live._cek === void 0) {
+    throw new RecordCekNotFoundError(collection, id);
+  }
+  const dek = await ctx.getDEK(collection);
+  const oldCek = await unwrapCek(live._cek, dek);
+  const json = await decrypt(live._iv, live._data, oldCek);
+  const newCek = await generateDEK();
+  const { iv, data } = await encrypt(json, newCek);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: live._v + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data,
+    _cek: await wrapCek(newCek, dek),
+    ...ctx.actor ? { _by: ctx.actor } : {},
+    ...live._tier !== void 0 ? { _tier: live._tier } : {},
+    ...live._det !== void 0 ? { _det: live._det } : {}
+  };
+  await ctx.adapter.put(ctx.vault, collection, id, env);
+  await ctx.invalidateRecordCaches(collection, id);
+  const prefix = `${collection}/${id}/`;
+  const keys = await ctx.adapter.list(ctx.vault, SEALED_CEK_NS);
+  for (const key of keys) {
+    if (key.startsWith(prefix)) {
+      await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, key);
+    }
+  }
+}
+var subtle2, SEALED_CEK_NS;
+var init_sealing = __esm({
+  "src/record-keys/sealing.ts"() {
+    "use strict";
+    init_crypto();
+    init_types();
+    init_errors();
+    subtle2 = globalThis.crypto.subtle;
+    SEALED_CEK_NS = "_sealed_cek";
+  }
+});
+
+// src/record-keys/index.ts
+var init_record_keys = __esm({
+  "src/record-keys/index.ts"() {
+    "use strict";
+    init_crypto();
+    init_tombstone();
+    init_lifecycle();
+    init_sealing();
+  }
+});
+
 // src/persisted-schemas/storage.ts
 async function loadPersistedSchema(store, vault, collection, dek) {
   const envelope = await store.get(vault, SCHEMAS_COLLECTION, collection);
@@ -2815,11 +3054,11 @@ async function mintWrappedDeksBlob(deks, credential) {
   const wrappingKey = await deriveWrappingKey(credential, salt);
   const exported = {};
   for (const [coll, dek] of deks) {
-    const raw = await subtle2.exportKey("raw", dek);
+    const raw = await subtle3.exportKey("raw", dek);
     exported[coll] = bytesToBase643(new Uint8Array(raw));
   }
   const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
-  const ciphertext = await subtle2.encrypt(
+  const ciphertext = await subtle3.encrypt(
     { name: "AES-GCM", iv },
     wrappingKey,
     plaintext
@@ -2832,7 +3071,7 @@ async function mintWrappedDeksBlob(deks, credential) {
 }
 async function unwrapDeksFromBlob(blob, credential) {
   const wrappingKey = await deriveWrappingKey(credential, base64ToBytes3(blob.salt));
-  const plaintext = await subtle2.decrypt(
+  const plaintext = await subtle3.decrypt(
     { name: "AES-GCM", iv: base64ToBytes3(blob.iv) },
     wrappingKey,
     base64ToBytes3(blob.wrappedDeks)
@@ -2841,7 +3080,7 @@ async function unwrapDeksFromBlob(blob, credential) {
   const deks = /* @__PURE__ */ new Map();
   for (const [coll, b64] of Object.entries(parsed.deks)) {
     const raw = base64ToBytes3(b64);
-    const key = await subtle2.importKey(
+    const key = await subtle3.importKey(
       "raw",
       raw,
       { name: "AES-GCM", length: 256 },
@@ -2853,14 +3092,14 @@ async function unwrapDeksFromBlob(blob, credential) {
   return deks;
 }
 async function deriveWrappingKey(credential, salt) {
-  const ikm = await subtle2.importKey(
+  const ikm = await subtle3.importKey(
     "raw",
     new TextEncoder().encode(credential),
     "PBKDF2",
     false,
     ["deriveKey"]
   );
-  return subtle2.deriveKey(
+  return subtle3.deriveKey(
     {
       name: "PBKDF2",
       salt,
@@ -2884,14 +3123,14 @@ function base64ToBytes3(b64) {
   for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
   return out;
 }
-var PBKDF2_ITERATIONS2, SALT_BYTES2, IV_BYTES2, subtle2;
+var PBKDF2_ITERATIONS2, SALT_BYTES2, IV_BYTES2, subtle3;
 var init_wrapped_deks = __esm({
   "src/team/wrapped-deks.ts"() {
     "use strict";
     PBKDF2_ITERATIONS2 = 6e5;
     SALT_BYTES2 = 32;
     IV_BYTES2 = 12;
-    subtle2 = globalThis.crypto.subtle;
+    subtle3 = globalThis.crypto.subtle;
   }
 });
 
@@ -3696,6 +3935,21 @@ var init_core = __esm({
   }
 });
 
+// src/i18n/dictionary.ts
+function isDictCollectionName(name) {
+  return name.startsWith(DICT_COLLECTION_PREFIX);
+}
+function isStaticDictDescriptor(x) {
+  return typeof x === "object" && x !== null && x._noydbStaticDict === true;
+}
+var DICT_COLLECTION_PREFIX;
+var init_dictionary = __esm({
+  "src/i18n/dictionary.ts"() {
+    "use strict";
+    DICT_COLLECTION_PREFIX = "_dict_";
+  }
+});
+
 // src/money/fixed-point.ts
 function expandExponent(s) {
   const m = /^([+-]?)(\d+)(?:\.(\d+))?[eE]([+-]?\d+)$/.exec(s);
@@ -4089,6 +4343,21 @@ function formatCurrency(decimal, currency, scale, locale) {
   });
   return fmt.format(decimal);
 }
+function moneyScaledValue(stored, desc) {
+  let raw;
+  if (desc.mode === "fixed") {
+    raw = stored;
+  } else {
+    if (!isMoneyValueObject(stored)) return null;
+    raw = stored.amount;
+  }
+  if (typeof raw !== "string" && typeof raw !== "number") return null;
+  try {
+    return BigInt(String(raw));
+  } catch {
+    return null;
+  }
+}
 function decodeValue(stored, desc) {
   let currency;
   let scaledIntString;
@@ -4315,6 +4584,9 @@ var init_strategy3 = __esm({
       async clearHistory() {
         return 0;
       },
+      async tombstoneHistory() {
+        return 0;
+      },
       async envelopePayloadHash() {
         return "";
       },
@@ -5043,7 +5315,7 @@ function executePlanWithSource(source, plan, joinContext) {
     result = remainingClauses.length === 0 ? [...candidates] : filterRecords(candidates, remainingClauses, fnViewDecoder(source));
   }
   if (plan.orderBy.length > 0) {
-    result = sortRecords(result, plan.orderBy);
+    result = sortRecords(result, plan.orderBy, source.moneyFields);
   }
   if (plan.offset > 0) {
     result = result.slice(plan.offset);
@@ -5182,17 +5454,25 @@ function applyCrossJoin(leftRel, clause, rightSource) {
   }
   return expanded;
 }
-function sortRecords(records, orderBy) {
+function sortRecords(records, orderBy, moneyFields) {
   return [...records].sort((a, b) => {
     for (const { field, direction } of orderBy) {
       const av = readField(a, field);
       const bv = readField(b, field);
-      const cmp = compareValues(av, bv);
+      const desc = moneyFields?.[field];
+      const cmp = desc ? compareMoney(av, bv, desc) : compareValues(av, bv);
       if (cmp !== 0) return direction === "asc" ? cmp : -cmp;
     }
     return 0;
   });
 }
+function compareMoney(a, b, desc) {
+  const av = moneyScaledValue(a, desc);
+  const bv = moneyScaledValue(b, desc);
+  if (av === null) return bv === null ? 0 : 1;
+  if (bv === null) return -1;
+  return av < bv ? -1 : av > bv ? 1 : 0;
+}
 function readField(record, field) {
   if (record === null || record === void 0) return void 0;
   if (!field.includes(".")) {
@@ -5279,6 +5559,7 @@ function buildDictLabelResolver(joinCtx, field) {
   const dictSource = joinCtx.resolveDictSource(field);
   if (!dictSource) return void 0;
   const snapshot = dictSource.snapshot();
+  const displayLocale = dictSource.displayLocale;
   const dictMap = /* @__PURE__ */ new Map();
   for (const entry of snapshot) {
     const k = entry["key"];
@@ -5288,9 +5569,11 @@ function buildDictLabelResolver(joinCtx, field) {
     }
   }
   return async (key, locale, fallback) => {
+    const effLocale = locale || displayLocale;
+    if (!effLocale) return void 0;
     const labels = dictMap.get(key);
     if (!labels) return void 0;
-    if (labels[locale] !== void 0) return labels[locale];
+    if (labels[effLocale] !== void 0) return labels[effLocale];
     const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
     for (const fb of chain) {
       if (fb === "any") {
@@ -8012,6 +8295,15 @@ var init_fanout_sidecar = __esm({
 });
 
 // src/collection.ts
+function selfWriteFieldEqual(a, b) {
+  if (a === b) return true;
+  if (a === null || b === null || typeof a !== "object" || typeof b !== "object") return false;
+  try {
+    return JSON.stringify(a) === JSON.stringify(b);
+  } catch {
+    return false;
+  }
+}
 function warnOnceFallback(adapterName) {
   if (fallbackWarned.has(adapterName)) return;
   fallbackWarned.add(adapterName);
@@ -8064,12 +8356,14 @@ var init_collection = __esm({
     init_types();
     init_strategy();
     init_core();
+    init_dictionary();
     init_normalize();
     init_paths();
     init_computed();
     init_strategy2();
     init_policy();
     init_crypto();
+    init_record_keys();
     init_errors();
     init_tiers();
     init_keyring();
@@ -8267,6 +8561,25 @@ var init_collection = __esm({
        * is inactive for this collection; a frozen `Set` otherwise.
        */
       deterministicFields;
+      /**
+       * Per-record CEK opt-in (`perRecordKeys: true`). When set, writes mint /
+       * reuse a per-record content-encryption key and stamp `_cek` on the
+       * envelope (see {@link EncryptedEnvelope._cek}). OFF by default — a
+       * non-adopting collection takes the byte-identical legacy path. The READ
+       * path does not consult this flag: `_cek` presence on the envelope is the
+       * format discriminant, so a mixed vault (and a recipient that never set the
+       * flag) still decrypts CEK records.
+       */
+      perRecordCek;
+      /**
+       * Session-scoped `(id) → CEK` cache for this collection. Lets updates
+       * reuse a record's stable CEK and lets repeated reads skip the AES-KW
+       * unwrap. Bounded by LRU; never persisted. Dropped when the owning
+       * collection instance is discarded — `vault.load()` clears the
+       * collectionCache, so a keyring refresh drops every CEK alongside the
+       * DEK cache. `null` unless `perRecordCek` is set.
+       */
+      cekCache;
       /**
        * declared tiers for this collection. `null` when
        * tier-aware methods are disabled. Tier 0 is implicit and never
@@ -8413,19 +8726,24 @@ var init_collection = __esm({
         } else {
           this.deterministicFields = null;
         }
+        this.perRecordCek = opts.perRecordKeys === true;
+        this.cekCache = this.perRecordCek ? new Lru({ maxRecords: 4096 }) : null;
         if (opts.crdt && opts.onRegisterConflictResolver) {
           const crdtMode = opts.crdt;
-          const crdtResolver = async (_id, local, remote) => {
+          const crdtResolver = async (id, local, remote) => {
             if (crdtMode === "yjs") {
               return local._v >= remote._v ? local : remote;
             }
-            const localJson = await this.decryptJsonString(local);
-            const remoteJson = await this.decryptJsonString(remote);
+            const localJson = await this.decryptJsonString(local, id);
+            const remoteJson = await this.decryptJsonString(remote, id);
+            if (localJson === null) return local;
+            if (remoteJson === null) return remote;
             const localState = JSON.parse(localJson);
             const remoteState = JSON.parse(remoteJson);
             const merged = this.crdtStrategy.mergeCrdtStates(localState, remoteState);
             const mergedVersion = Math.max(local._v, remote._v) + 1;
-            return this.encryptJsonString(JSON.stringify(merged), mergedVersion);
+            const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+            return this.encryptJsonString(JSON.stringify(merged), mergedVersion, cek);
           };
           opts.onRegisterConflictResolver(this.name, crdtResolver);
         }
@@ -8465,12 +8783,15 @@ var init_collection = __esm({
             });
           } else {
             const mergeFn = policy;
-            resolver = async (_id, local, remote) => {
-              const localRecord = await this.decryptRecord(local, { skipValidation: true });
-              const remoteRecord = await this.decryptRecord(remote, { skipValidation: true });
+            resolver = async (id, local, remote) => {
+              const localRecord = await this.decryptRecord(local, { skipValidation: true, id });
+              const remoteRecord = await this.decryptRecord(remote, { skipValidation: true, id });
+              if (localRecord === null) return local;
+              if (remoteRecord === null) return remote;
               const merged = mergeFn(localRecord, remoteRecord);
               const mergedVersion = Math.max(local._v, remote._v) + 1;
-              return this.encryptRecord(merged, mergedVersion);
+              const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+              return this.encryptRecord(merged, mergedVersion, cek);
             };
           }
           opts.onRegisterConflictResolver(collectionName, resolver);
@@ -8562,7 +8883,9 @@ var init_collection = __esm({
           } else {
             const envelope = await this.adapter.get(this.vault, this.name, id);
             if (!envelope) return null;
-            record = await this.decryptRecord(envelope);
+            if (isTombstone(envelope, this.encrypted)) return null;
+            record = await this.decryptRecord(envelope, { id });
+            if (record === null) return null;
             this.lru.set(id, { record, version: envelope._v }, estimateRecordBytes(record));
           }
         } else {
@@ -8589,6 +8912,7 @@ var init_collection = __esm({
         const envelope = await this.adapter.get(this.vault, this.name, id);
         if (!envelope) return null;
         const json = await this.decryptJsonString(envelope);
+        if (json === null) return null;
         return JSON.parse(json);
       }
       /**
@@ -8677,7 +9001,7 @@ var init_collection = __esm({
           if (cached2) return { record: cached2.record, version: cached2.version };
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env) return { record: null, version: 0 };
-          return { record: await this.decryptRecord(env, { skipValidation: true }), version: env._v };
+          return { record: await this.decryptRecord(env, { skipValidation: true }) ?? null, version: env._v };
         }
         await this.ensureHydrated();
         const cached = this.cache.get(id);
@@ -8790,9 +9114,11 @@ var init_collection = __esm({
             let existingState;
             if (existingEnvelope) {
               const prevJson = await this.decryptJsonString(existingEnvelope);
-              const prevParsed = JSON.parse(prevJson);
-              if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-                existingState = prevParsed;
+              if (prevJson !== null) {
+                const prevParsed = JSON.parse(prevJson);
+                if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+                  existingState = prevParsed;
+                }
               }
             }
             crdtState = this.crdtStrategy.buildLwwMapState(record, existingState, now);
@@ -8800,9 +9126,11 @@ var init_collection = __esm({
             let existingState;
             if (existingEnvelope) {
               const prevJson = await this.decryptJsonString(existingEnvelope);
-              const prevParsed = JSON.parse(prevJson);
-              if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
-                existingState = prevParsed;
+              if (prevJson !== null) {
+                const prevParsed = JSON.parse(prevJson);
+                if (prevParsed !== null && typeof prevParsed === "object" && "_crdt" in prevParsed) {
+                  existingState = prevParsed;
+                }
               }
             }
             const arr = Array.isArray(record) ? record : [record];
@@ -8811,12 +9139,14 @@ var init_collection = __esm({
             crdtState = { _crdt: "yjs", update: record };
           }
           const version2 = existingVersion + 1;
-          const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2);
+          const cek2 = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          const envelope2 = await this.encryptJsonString(JSON.stringify(crdtState), version2, cek2);
           await this.adapter.put(this.vault, this.name, id, envelope2);
           const resolvedRecord = this.crdtStrategy.resolveCrdtSnapshot(crdtState);
-          const existingResolved = existingEnvelope ? { record: await this.decryptRecord(existingEnvelope, { skipValidation: true }), version: existingVersion } : void 0;
+          const existingResolvedRecord = existingEnvelope ? await this.decryptRecord(existingEnvelope, { skipValidation: true }) : null;
+          const existingResolved = existingResolvedRecord !== null ? { record: existingResolvedRecord, version: existingVersion } : void 0;
           if (existingResolved && this.historyConfig.enabled !== false) {
-            const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version);
+            const histEnvelope = await this.encryptRecord(existingResolved.record, existingResolved.version, cek2);
             await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, histEnvelope);
             this.emitter.emit("history:save", { vault: this.vault, collection: this.name, id, version: existingResolved.version });
             if (this.historyConfig.maxVersions) {
@@ -8862,7 +9192,9 @@ var init_collection = __esm({
             const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
             if (previousEnvelope) {
               const previousRecord = await this.decryptRecord(previousEnvelope);
-              existing = { record: previousRecord, version: previousEnvelope._v };
+              if (previousRecord !== null) {
+                existing = { record: previousRecord, version: previousEnvelope._v };
+              }
             }
           }
         } else {
@@ -8871,8 +9203,9 @@ var init_collection = __esm({
         }
         const version = existing ? existing.version + 1 : 1;
         this.uniqueConstraints?.check(id, record);
+        const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
         if (existing && this.historyConfig.enabled !== false) {
-          const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+          const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
           await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
           this.emitter.emit("history:save", {
             vault: this.vault,
@@ -8886,7 +9219,7 @@ var init_collection = __esm({
             });
           }
         }
-        const envelope = await this.encryptRecord(record, version);
+        const envelope = await this.encryptRecord(record, version, cek);
         await this.adapter.put(this.vault, this.name, id, envelope);
         if (this.ledger) {
           const appendInput = {
@@ -8975,6 +9308,111 @@ var init_collection = __esm({
        * output (carries `_derivedFrom`) — defensive guard against missed
        * cycle detection.
        */
+      /**
+       * @internal #376 — the RAW stored record (canonical-money form, i18n maps
+       * intact), WITHOUT the locale resolution `get()` applies. Used as the
+       * patch base for self-write reverse-denorm so writing back never clobbers
+       * an i18n map or re-quantizes money incorrectly. Returns null for
+       * missing / tombstoned records.
+       */
+      async _getStoredRecord(id) {
+        let raw;
+        if (this.lazy && this.lru) {
+          const cached = this.lru.get(id);
+          if (cached) raw = cached.record;
+          else {
+            const env = await this.adapter.get(this.vault, this.name, id);
+            if (!env || isTombstone(env, this.encrypted)) return null;
+            raw = await this.decryptRecord(env, { id });
+            if (raw === null) return null;
+            this.lru.set(id, { record: raw, version: env._v }, estimateRecordBytes(raw));
+          }
+        } else {
+          await this.ensureHydrated();
+          raw = this.cache.get(id)?.record ?? null;
+        }
+        if (raw === null) return null;
+        return canonicalizeStoredMoney(raw, this.moneyFields);
+      }
+      /**
+       * @internal #376 — ids of records whose top-level `field` equals `value`.
+       * Uses the FK index when the field is indexed (O(matches)); otherwise a
+       * linear scan (O(N) — fine for small child sets; index the FK to scale).
+       */
+      async _findMatchingIds(field, value) {
+        const hit = this.getIndexes()?.lookupEqual(field, value);
+        if (hit) return [...hit];
+        const target = String(value);
+        const matches = (rec) => {
+          const fv = rec[field];
+          return (typeof fv === "string" || typeof fv === "number") && String(fv) === target;
+        };
+        if (!this.lazy) {
+          await this.ensureHydrated();
+          const out2 = [];
+          for (const [rid, e] of this.cache) {
+            if (matches(e.record)) out2.push(rid);
+          }
+          return out2;
+        }
+        const ids = await this.adapter.list(this.vault, this.name);
+        const out = [];
+        for (const rid of ids) {
+          const raw = await this._getStoredRecord(rid);
+          if (raw !== null && matches(raw)) out.push(rid);
+        }
+        return out;
+      }
+      /**
+       * @internal #376 slice 2 — recompute a rollup aggregate onto the parent.
+       * Gathers every child of `parentId`, runs `compute`, and patches only the
+       * rollup `field` onto the parent's raw stored record (value-equality
+       * guarded). No-op when the parent record does not exist.
+       */
+      async recomputeRollup(spec, parentId) {
+        if (this.derivationSource === void 0 || spec.rollup === void 0) return;
+        const { from, key, field, compute } = spec.rollup;
+        const into = spec.source;
+        const intoColl = this.derivationSource.getCollection(into);
+        const base = await intoColl._getStoredRecord(parentId);
+        if (base === null) return;
+        const fromColl = this.derivationSource.getCollection(from);
+        const childIds = await fromColl._findMatchingIds(key, parentId);
+        const children = [];
+        for (const cid of childIds) {
+          const c = await fromColl.get(cid);
+          if (c !== null && c !== void 0) children.push(c);
+        }
+        const newValue = compute(children);
+        if (selfWriteFieldEqual(base[field], newValue)) return;
+        const patched = { ...base, [field]: newValue };
+        const txCtx = this.derivationSource.getActiveTxContext();
+        if (txCtx !== null) {
+          const prior = await this.adapter.get(this.vault, into, parentId);
+          txCtx._executed.push({
+            op: { type: "put", vaultName: this.vault, collectionName: into, id: parentId },
+            priorEnvelope: prior
+          });
+        }
+        await intoColl.put(parentId, patched);
+      }
+      /**
+       * @internal #376 slice 2 — fire any rollups for which THIS collection is the
+       * child `from`, recomputing the affected parent after a child delete. Called
+       * from the delete path with the just-removed record's key value. Other
+       * derivation kinds do not react to deletes (unchanged).
+       */
+      async dispatchRollupsOnDelete(deleted) {
+        if (this.derivationSource === void 0) return;
+        const registry = this.derivationSource.registry();
+        const rec = deleted;
+        for (const { spec } of registry.strategiesForSource(this.name)) {
+          if (!spec.rollup || spec.rollup.from !== this.name) continue;
+          const kv = rec[spec.rollup.key];
+          if (typeof kv !== "string" && typeof kv !== "number") continue;
+          await this.recomputeRollup(spec, String(kv));
+        }
+      }
       async dispatchDerivations(id, record, version) {
         if (this.derivationSource === void 0) return;
         const incoming = canonicalizeStoredMoney(record, this.moneyFields);
@@ -8985,29 +9423,60 @@ var init_collection = __esm({
         let DerivationExecutor2 = null;
         for (const { spec, strategyHash } of strategies) {
           const mode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
-          if (mode === "eager") {
-            if (DerivationExecutor2 === null) {
-              ({ DerivationExecutor: DerivationExecutor2 } = await Promise.resolve().then(() => (init_executor(), executor_exports)));
-            }
-            let sourceWithId;
-            let sourceVersion = version;
-            if (spec.source === this.name) {
-              sourceWithId = { ...incoming, id };
+          if (spec.rollup) {
+            if (mode !== "eager") continue;
+            let parentId;
+            if (this.name === spec.rollup.from) {
+              const kv = incoming[spec.rollup.key];
+              parentId = typeof kv === "string" || typeof kv === "number" ? String(kv) : null;
             } else {
-              const primary = await this.derivationSource.getCollection(spec.source).get(id);
-              if (primary === null || primary === void 0) continue;
-              sourceWithId = { ...primary, id };
-              sourceVersion = 0;
+              parentId = id;
+            }
+            if (parentId !== null) await this.recomputeRollup(spec, parentId);
+            continue;
+          }
+          const isSource = spec.source === this.name;
+          const isSibling = !isSource && (spec.sources?.includes(this.name) ?? false);
+          const trigger = !isSource && !isSibling ? spec.triggerBy?.find((t) => t.collection === this.name) : void 0;
+          const runs = [];
+          if (isSource) {
+            runs.push({ input: { ...incoming, id }, base: incoming, runId: id, version });
+          } else if (isSibling) {
+            const p = await this.derivationSource.getCollection(spec.source).get(id);
+            if (p !== null && p !== void 0) {
+              const raw = await this.derivationSource.getCollection(spec.source)._getStoredRecord(id);
+              runs.push({ input: { ...p, id }, base: raw ?? p, runId: id, version: 0 });
+            }
+          } else if (trigger) {
+            const srcColl = this.derivationSource.getCollection(spec.source);
+            const ids = await srcColl._findMatchingIds(trigger.on, id);
+            if (trigger.maxFanout !== void 0 && ids.length > trigger.maxFanout) {
+              throw new DerivationCapExceededError(`triggerBy ${this.name}\u2192${spec.source}`, ids.length, trigger.maxFanout);
             }
+            for (const sid of ids) {
+              const raw = await srcColl._getStoredRecord(sid);
+              if (raw === null) continue;
+              runs.push({ input: { ...raw, id: sid }, base: raw, runId: sid, version: 0 });
+            }
+          }
+          if (runs.length === 0) continue;
+          if (mode !== "eager") {
+            for (const run of runs) await markStale(registry, spec, run.runId);
+            continue;
+          }
+          if (DerivationExecutor2 === null) {
+            ({ DerivationExecutor: DerivationExecutor2 } = await Promise.resolve().then(() => (init_executor(), executor_exports)));
+          }
+          for (const run of runs) {
             const ctx = { vault: this.derivationSource.getReadOnlyFacade() };
-            const result = await DerivationExecutor2.run(spec, sourceWithId, sourceVersion, strategyHash, ctx);
+            const result = await DerivationExecutor2.run(spec, run.input, run.version, strategyHash, ctx);
             for (const key of Object.keys(spec.outputs)) {
               const out = result.outputs[key];
               if (!out) continue;
               if (out.kind === "failed") {
                 const err = out.error;
                 if (spec.strict) throw err;
-                console.warn(`[derivation] output "${key}" for source "${spec.source}" id="${id}" failed:`, err);
+                console.warn(`[derivation] output "${key}" for source "${spec.source}" id="${run.runId}" failed:`, err);
                 continue;
               }
               const outSpec = spec.outputs[key];
@@ -9020,7 +9489,7 @@ var init_collection = __esm({
                   this.adapter,
                   this.vault,
                   spec.source,
-                  id,
+                  run.runId,
                   key
                 );
                 const prevKeys = new Set(prior?.keys ?? []);
@@ -9047,7 +9516,7 @@ var init_collection = __esm({
                 }
                 await saveFanoutSidecar2(this.adapter, this.vault, {
                   source: spec.source,
-                  sourceId: id,
+                  sourceId: run.runId,
                   outputKey: key,
                   outputCollection: outSpec.collection,
                   keys: newKeysList
@@ -9055,25 +9524,44 @@ var init_collection = __esm({
                 continue;
               }
               if (out.skipped === true) {
-                await outputCollection._internalDelete(id, txCtx);
+                await outputCollection._internalDelete(run.runId, txCtx);
+                continue;
+              }
+              if (outSpec.shape === "record" && outSpec.denorm !== void 0 && outSpec.collection === spec.source) {
+                const value = out.value;
+                const patched = { ...run.base };
+                let changed = false;
+                for (const f of outSpec.denorm) {
+                  if (!selfWriteFieldEqual(run.base[f], value[f])) {
+                    patched[f] = value[f];
+                    changed = true;
+                  }
+                }
+                if (!changed) continue;
+                if (txCtx !== null) {
+                  const prior = await this.adapter.get(this.vault, outSpec.collection, run.runId);
+                  txCtx._executed.push({
+                    op: { type: "put", vaultName: this.vault, collectionName: outSpec.collection, id: run.runId },
+                    priorEnvelope: prior
+                  });
+                }
+                await outputCollection.put(run.runId, patched);
                 continue;
               }
               if (txCtx !== null) {
-                const prior = await this.adapter.get(this.vault, outSpec.collection, id);
+                const prior = await this.adapter.get(this.vault, outSpec.collection, run.runId);
                 txCtx._executed.push({
                   op: {
                     type: "put",
                     vaultName: this.vault,
                     collectionName: outSpec.collection,
-                    id
+                    id: run.runId
                   },
                   priorEnvelope: prior
                 });
               }
-              await outputCollection.put(id, out.value);
+              await outputCollection.put(run.runId, out.value);
             }
-          } else {
-            await markStale(registry, spec, id);
           }
         }
       }
@@ -9122,11 +9610,14 @@ var init_collection = __esm({
         let count = 0;
         for (const id of ids) {
           const env = await this.adapter.get(this.vault, this.name, id);
-          if (!env) continue;
-          const record = await this.decryptRecord(env, { skipValidation: true });
+          if (!env || isTombstone(env, this.encrypted)) continue;
+          const decoded = await this.decryptRecord(env, { skipValidation: true, id });
+          if (decoded === null) continue;
+          const record = decoded;
           const next = transform(record);
           const nextVersion = (env._v ?? 0) + 1;
-          const newEnv = await this.encryptRecord(next, nextVersion);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          const newEnv = await this.encryptRecord(next, nextVersion, cek);
           await this.adapter.put(this.vault, this.name, id, newEnv);
           await this._invalidateCacheEntry(id);
           if (this.ledger) {
@@ -9238,14 +9729,17 @@ var init_collection = __esm({
             const previousEnvelope2 = await this.adapter.get(this.vault, this.name, id);
             if (previousEnvelope2) {
               const previousRecord = await this.decryptRecord(previousEnvelope2);
-              existing = { record: previousRecord, version: previousEnvelope2._v };
+              if (previousRecord !== null) {
+                existing = { record: previousRecord, version: previousEnvelope2._v };
+              }
             }
           }
         } else {
           existing = this.cache.get(id);
         }
         if (existing && this.historyConfig.enabled !== false) {
-          const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          const historyEnvelope = await this.encryptRecord(existing.record, existing.version, cek);
           await this.historyStrategy.saveHistory(this.adapter, this.vault, this.name, id, historyEnvelope);
         }
         const previousEnvelope = await this.adapter.get(this.vault, this.name, id);
@@ -9284,8 +9778,53 @@ var init_collection = __esm({
         if (!internal) {
           await this.dispatchMaterializedViewsOnDelete(id);
           await this.dispatchArrayDerivationsOnDelete(id);
+          if (existing) await this.dispatchRollupsOnDelete(existing.record);
         }
       }
+      /**
+       * @internal — GDPR crypto-shred a LIVE record to a tombstone (#304).
+       *
+       * Rewrites the on-disk envelope to `{ _noydb, _v, _ts, _by, _iv:'', _data:'' }`,
+       * dropping `_iv`/`_data`/`_cek`/`_det`. The wrapped per-record CEK is gone, so
+       * the body — and (via {@link tombstoneHistory}) every history version under
+       * the same CEK — is permanently undecryptable; the collection DEK and every
+       * other record are untouched. `_det` is stripped too, so `findByDet` no
+       * longer matches the shredded record (avoiding a post-shred TamperedError).
+       *
+       * Unlike `delete()`/`_internalDelete`, this:
+       *   - does NOT fire onDelete guards / MV / derivation dispatch (a shred is an
+       *     erasure, not a domain delete — re-running those would be wrong),
+       *   - does NOT append a per-record ledger entry (`vault.forget()` appends a
+       *     single `op:'forget'` summary for the whole subject),
+       *   - keeps the record KEY present (it's an overwrite, not an adapter delete)
+       *     so the version counter + "record existed" survive for audit.
+       *
+       * Idempotent: returns `null` when the record is absent or already a tombstone.
+       * Otherwise returns `{ previousVersion }`. Invalidates the eager cache, the
+       * lazy LRU, and the per-record CEK cache for this id.
+       */
+      /**
+       * @internal — decrypt an envelope to a plain record for subject-index
+       * rebuild (#304). Returns `null` for a tombstone or unreadable envelope.
+       * Skips schema validation — the rebuild only reads the subject field.
+       */
+      async _decodeEnvelope(envelope, id) {
+        try {
+          const rec = await this.decryptRecord(envelope, { skipValidation: true, id });
+          return rec === null ? null : rec;
+        } catch {
+          return null;
+        }
+      }
+      async _writeTombstone(id, actor) {
+        const live = await this.adapter.get(this.vault, this.name, id);
+        if (!live || isTombstone(live, this.encrypted)) return null;
+        await this.adapter.put(this.vault, this.name, id, buildTombstone(live._v, actor));
+        this.cache.delete(id);
+        this.lru?.remove(id);
+        this.cekCache?.remove(id);
+        return { previousVersion: live._v };
+      }
       /**
        * Cascade deletes of array-shape derived rows when a source row is
        * deleted. Reads each registered strategy's fanout sidecar
@@ -9698,6 +10237,7 @@ var init_collection = __esm({
         const entries = [];
         for (const env of envelopes) {
           const record = await this.decryptRecord(env, { skipValidation: true });
+          if (record === null) continue;
           entries.push({
             version: env._v,
             timestamp: env._ts,
@@ -9834,6 +10374,7 @@ var init_collection = __esm({
           const envelope = await this.adapter.get(this.vault, this.name, id);
           if (envelope) {
             const record = await this.decryptRecord(envelope);
+            if (record === null) continue;
             items.push(record);
             if (!this.lazy && !this.cache.has(id)) {
               this.cache.set(id, { record, version: envelope._v });
@@ -9910,6 +10451,7 @@ var init_collection = __esm({
         const out = [];
         for (const { id, envelope } of items) {
           const record = await this.decryptRecord(envelope);
+          if (record === null) continue;
           out.push({ id, record, version: envelope._v });
         }
         return out;
@@ -9931,6 +10473,18 @@ var init_collection = __esm({
        * the cache entry (record still present) or deletes it (record was
        * gone before the tx and the revert deleted it again).
        */
+      /**
+       * @internal — evict ONLY the per-record CEK cache entry for `id`. Used by
+       * `vault.rotateRecordCek()`: after a hard CEK rotation the cached unwrapped
+       * CEK is stale (it would decrypt the pre-rotation body and fail GCM auth on
+       * the post-rotation body). Eviction must be synchronous with the live-envelope
+       * rewrite so no concurrent read observes the old CEK. Paired with
+       * {@link _invalidateCacheEntry} (which refreshes the decrypted-record cache).
+       * No-op when the collection is not `perRecordKeys`.
+       */
+      _invalidateCekCacheEntry(id) {
+        this.cekCache?.remove(id);
+      }
       async _invalidateCacheEntry(id) {
         if (this.lazy && this.lru) {
           this.lru.remove(id);
@@ -9948,6 +10502,14 @@ var init_collection = __esm({
           return;
         }
         const record = await this.decryptRecord(envelope);
+        if (record === null) {
+          this.cache.delete(id);
+          if (previous) {
+            this.indexes?.remove(id, previous.record);
+            this.uniqueConstraints?.remove(id, previous.record);
+          }
+          return;
+        }
         this.cache.set(id, { record, version: envelope._v });
         this.indexes?.upsert(id, record, previous ? previous.record : null);
         this.uniqueConstraints?.upsert(id, record, previous?.record);
@@ -9972,8 +10534,9 @@ var init_collection = __esm({
         const ids = await this.adapter.list(this.vault, this.name);
         for (const id of ids) {
           const envelope = await this.adapter.get(this.vault, this.name, id);
-          if (envelope) {
-            const record = await this.decryptRecord(envelope);
+          if (envelope && !isTombstone(envelope, this.encrypted)) {
+            const record = await this.decryptRecord(envelope, { id });
+            if (record === null) continue;
             this.cache.set(id, { record, version: envelope._v });
           }
         }
@@ -9984,7 +10547,9 @@ var init_collection = __esm({
       /** Hydrate from a pre-loaded snapshot (used by Vault). */
       async hydrateFromSnapshot(records) {
         for (const [id, envelope] of Object.entries(records)) {
-          const record = await this.decryptRecord(envelope);
+          if (isTombstone(envelope, this.encrypted)) continue;
+          const record = await this.decryptRecord(envelope, { id });
+          if (record === null) continue;
           this.cache.set(id, { record, version: envelope._v });
         }
         this.hydrated = true;
@@ -10072,6 +10637,7 @@ var init_collection = __esm({
           const envelope = await this.adapter.get(this.vault, this.name, recordId2);
           if (!envelope) continue;
           const record = await this.decryptRecord(envelope, { skipValidation: true });
+          if (record === null) continue;
           await this.maintainPersistedIndexesOnPut(recordId2, record, null, envelope._v);
         }
         this.persistedIndexesLoaded = true;
@@ -10122,8 +10688,13 @@ var init_collection = __esm({
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env) continue;
           try {
-            const body = JSON.parse(await this.decryptJsonString(env));
-            sidecar.set(decoded.recordId, body.value);
+            const sidecarJson = await this.decryptJsonString(env);
+            if (sidecarJson === null) {
+              sidecar.set(decoded.recordId, void 0);
+            } else {
+              const body = JSON.parse(sidecarJson);
+              sidecar.set(decoded.recordId, body.value);
+            }
           } catch {
             sidecar.set(decoded.recordId, void 0);
           }
@@ -10137,6 +10708,7 @@ var init_collection = __esm({
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env) continue;
           const record = await this.decryptRecord(env, { skipValidation: true });
+          if (record === null) continue;
           const live = readPersistedValue(record, field);
           const stored = sidecar.get(id);
           const hasSidecar = sidecarIds.has(id);
@@ -10219,7 +10791,8 @@ var init_collection = __esm({
           recordId: id,
           getDEK: this.getDEK,
           encrypted: this.encrypted,
-          userId: this.keyring.userId
+          userId: this.keyring.userId,
+          erasableBlobs: this.perRecordCek
         });
       }
       /** Get all records as encrypted envelopes (for dump). */
@@ -10227,7 +10800,8 @@ var init_collection = __esm({
         await this.ensureHydrated();
         const result = {};
         for (const [id, entry] of this.cache) {
-          result[id] = await this.encryptRecord(entry.record, entry.version);
+          const cek = this.perRecordCek ? await this.resolveRecordCek(id) : void 0;
+          result[id] = await this.encryptRecord(entry.record, entry.version, cek);
         }
         return result;
       }
@@ -10255,23 +10829,37 @@ var init_collection = __esm({
         if (hasMoney && this.moneyFields) {
           result = decodeMoneyFields(result, this.moneyFields, typeof locale === "string" ? locale : void 0);
         }
-        if (!locale) return result;
-        if (hasI18n && this.i18nFields) {
-          result = this.i18nStrategy.applyI18nLocale(result, this.i18nFields, locale, localeOpts?.fallback);
+        const hasStaticDisplay = hasDict && this.dictKeyFields !== void 0 && Object.values(this.dictKeyFields).some(
+          (d) => isStaticDictDescriptor(d) && d.displayLocale !== void 0
+        );
+        if (!locale && !hasStaticDisplay) return result;
+        const layer = localeOpts?._layer ?? "read";
+        if (locale && hasI18n && this.i18nFields) {
+          result = this.i18nStrategy.applyI18nLocale(result, this.i18nFields, locale, localeOpts?.fallback, layer);
         }
         if (hasDict && this.dictKeyFields && this.dictLabelResolver && locale !== "raw") {
           const withLabels = { ...result };
           const resolver = this.dictLabelResolver;
           for (const [field, desc] of Object.entries(this.dictKeyFields)) {
-            const policy = desc.onMissing ? resolvePolicy(desc.onMissing, "read") : "null";
+            const policy = desc.onMissing ? resolvePolicy(desc.onMissing, layer) : "null";
             const fallback = policy === "substitute" ? localeOpts?.fallback ?? desc.substitute : localeOpts?.fallback;
+            const effLocale = locale ?? (isStaticDictDescriptor(desc) ? desc.displayLocale : void 0);
             const resolveKey = async (key) => {
-              const label = await resolver(desc.name, key, locale, fallback);
+              if (!effLocale) {
+                if (policy === "throw") {
+                  throw new LocaleNotSpecifiedError(
+                    field,
+                    `dictKey "${field}": no locale active to resolve key "${key}".`
+                  );
+                }
+                return null;
+              }
+              const label = await resolver(desc.name, key, effLocale, fallback);
               if (label === void 0) {
                 if (policy === "throw") {
                   throw new LocaleNotSpecifiedError(
                     field,
-                    `dictKey "${field}": no label for key "${key}" in locale "${locale}".`
+                    `dictKey "${field}": no label for key "${key}" in locale "${effLocale}".`
                   );
                 }
                 return null;
@@ -10428,6 +11016,7 @@ var init_collection = __esm({
           if (!envelope) continue;
           try {
             const json = await this.decryptJsonString(envelope);
+            if (json === null) continue;
             const body = JSON.parse(json);
             if (typeof body.recordId !== "string") continue;
             const rows = byField.get(decoded.field) ?? [];
@@ -10537,7 +11126,31 @@ var init_collection = __esm({
         };
         return new LazyQuery(source);
       }
-      async encryptJsonString(json, version) {
+      /**
+       * Resolve the stable CEK for a record on the WRITE path — see
+       * {@link resolveStableCek}. Thin delegate that supplies the collection's
+       * CEK cache, live-envelope reader, and DEK resolver.
+       */
+      resolveRecordCek(id) {
+        return resolveStableCek(
+          {
+            cache: this.cekCache,
+            getLive: (rid) => this.adapter.get(this.vault, this.name, rid),
+            getDEK: () => this.getDEK(this.name)
+          },
+          id
+        );
+      }
+      /**
+       * Encrypt a JSON body into an envelope.
+       *
+       * When `cek` is supplied (per-record CEK collections), the body is
+       * encrypted under the CEK and the CEK is AES-KW-wrapped under the
+       * collection DEK and stamped on `_cek`. When `cek` is omitted, the legacy
+       * path encrypts the body directly under the collection DEK — byte-identical
+       * to pre-CEK behaviour, so non-adopting collections pay nothing.
+       */
+      async encryptJsonString(json, version, cek) {
         const by = this.keyring.userId;
         if (!this.encrypted) {
           return {
@@ -10550,6 +11163,19 @@ var init_collection = __esm({
           };
         }
         const dek = await this.getDEK(this.name);
+        if (cek !== void 0) {
+          const { iv: iv2, data: data2 } = await encrypt(json, cek);
+          const wrapped = await wrapCek(cek, dek);
+          return {
+            _noydb: NOYDB_FORMAT_VERSION,
+            _v: version,
+            _ts: (/* @__PURE__ */ new Date()).toISOString(),
+            _iv: iv2,
+            _data: data2,
+            _by: by,
+            _cek: wrapped
+          };
+        }
         const { iv, data } = await encrypt(json, dek);
         return {
           _noydb: NOYDB_FORMAT_VERSION,
@@ -10560,8 +11186,8 @@ var init_collection = __esm({
           _by: by
         };
       }
-      async encryptRecord(record, version) {
-        const base = await this.encryptJsonString(JSON.stringify(record), version);
+      async encryptRecord(record, version, cek) {
+        const base = await this.encryptJsonString(JSON.stringify(record), version, cek);
         if (!this.deterministicFields || !this.encrypted) return base;
         const dek = await this.getDEK(this.name);
         const rec = record;
@@ -10639,7 +11265,8 @@ var init_collection = __esm({
           const env = await this.adapter.get(this.vault, this.name, id);
           if (!env || !env._det) continue;
           if (env._det[field] === target) {
-            matches.push(await this.decryptRecord(env));
+            const rec = await this.decryptRecord(env);
+            if (rec !== null) matches.push(rec);
           }
         }
         return matches;
@@ -10740,7 +11367,14 @@ var init_collection = __esm({
           return null;
         }
         const dek = await this.getDEK(key);
-        const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+        let plaintext;
+        if (envelope._cek !== void 0) {
+          const cek = await unwrapCek(envelope._cek, dek);
+          this.cekCache?.set(id, cek, 1);
+          plaintext = await decrypt(envelope._iv, envelope._data, cek);
+        } else {
+          plaintext = await decrypt(envelope._iv, envelope._data, dek);
+        }
         const record = JSON.parse(plaintext);
         this.emitCrossTierEvent({
           actor: this.keyring.userId,
@@ -10796,18 +11430,19 @@ var init_collection = __esm({
         const toKey = dekKey(this.name, toTier);
         const fromDek = await this.getDEK(fromKey);
         const toDek = await this.getDEK(toKey);
-        const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-        const { iv, data } = await encrypt(plaintext, toDek);
         const now = (/* @__PURE__ */ new Date()).toISOString();
+        const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+        if (body.cek) this.cekCache?.set(id, body.cek, 1);
         const next = {
           _noydb: NOYDB_FORMAT_VERSION,
           _v: envelope._v + 1,
           _ts: now,
-          _iv: iv,
-          _data: data,
+          _iv: body._iv,
+          _data: body._data,
           _by: this.keyring.userId,
           _tier: toTier,
-          _elevatedBy: this.keyring.userId
+          _elevatedBy: this.keyring.userId,
+          ...body._cek !== void 0 ? { _cek: body._cek } : {}
         };
         await this.adapter.put(this.vault, this.name, id, next);
         this.emitCrossTierEvent({
@@ -10843,17 +11478,18 @@ var init_collection = __esm({
         if (toTier > 0) this.assertDeclaredTier(toTier);
         const fromDek = await this.getDEK(dekKey(this.name, fromTier));
         const toDek = await this.getDEK(dekKey(this.name, toTier));
-        const plaintext = await decrypt(envelope._iv, envelope._data, fromDek);
-        const { iv, data } = await encrypt(plaintext, toDek);
         const now = (/* @__PURE__ */ new Date()).toISOString();
+        const body = await rewrapBodyToDek(envelope, fromDek, toDek);
+        if (body.cek) this.cekCache?.set(id, body.cek, 1);
         const next = {
           _noydb: NOYDB_FORMAT_VERSION,
           _v: envelope._v + 1,
           _ts: now,
-          _iv: iv,
-          _data: data,
+          _iv: body._iv,
+          _data: body._data,
           _by: this.keyring.userId,
-          ...toTier > 0 && { _tier: toTier }
+          ...toTier > 0 && { _tier: toTier },
+          ...body._cek !== void 0 ? { _cek: body._cek } : {}
         };
         await this.adapter.put(this.vault, this.name, id, next);
         this.emitCrossTierEvent({
@@ -10875,10 +11511,30 @@ var init_collection = __esm({
         } catch {
         }
       }
-      /** Low-level: decrypt an envelope and return the raw JSON string. */
-      async decryptJsonString(envelope) {
+      /**
+       * Low-level: decrypt an envelope and return the raw JSON string.
+       *
+       * `_cek` presence is the format discriminant (NOT `this.perRecordCek`),
+       * so a mixed vault — and a recipient that never opted into
+       * `perRecordKeys` — decrypts both legacy and CEK records:
+       *  - `_cek` present → unwrap the CEK under the collection DEK, decrypt the
+       *    body under the CEK (cache the unwrapped CEK so repeated reads skip it).
+       *  - `_cek` absent → legacy path, body decrypts directly under the
+       *    collection DEK.
+       *
+       * The optional `id` lets reads populate the CEK cache; it is omitted by
+       * callers (history, conflict merge) that have only the envelope.
+       */
+      async decryptJsonString(envelope, id) {
+        if (isTombstone(envelope, this.encrypted)) return null;
         if (!this.encrypted) return envelope._data;
         const dek = await this.getDEK(this.name);
+        if (envelope._cek !== void 0) {
+          const cached = id !== void 0 ? this.cekCache?.get(id) : void 0;
+          const cek = cached ?? await unwrapCek(envelope._cek, dek);
+          if (cached === void 0 && id !== void 0) this.cekCache?.set(id, cek, 1);
+          return decrypt(envelope._iv, envelope._data, cek);
+        }
         return decrypt(envelope._iv, envelope._data, dek);
       }
       /**
@@ -10897,7 +11553,8 @@ var init_collection = __esm({
        * false positive. Every non-history read leaves this flag `false`.
        */
       async decryptRecord(envelope, opts = {}) {
-        const json = await this.decryptJsonString(envelope);
+        const json = await this.decryptJsonString(envelope, opts.id);
+        if (json === null) return null;
         let parsed = JSON.parse(json);
         if (this.crdtMode && parsed !== null && typeof parsed === "object" && "_crdt" in parsed) {
           parsed = this.crdtStrategy.resolveCrdtSnapshot(parsed);
@@ -11204,6 +11861,35 @@ var init_archive = __esm({
 });
 
 // src/sequence/index.ts
+function compileSequenceFormat(format, series, partition) {
+  const parts = partition ?? [];
+  for (const m of format.matchAll(SEQ_FORMAT_TOKEN)) {
+    const token = m[1] ?? "";
+    if (token === "seq") continue;
+    if (SEQ_PAD_TOKEN.test(token)) continue;
+    const partMatch = SEQ_PARTITION_TOKEN.exec(token);
+    if (partMatch) {
+      const idx = Number(partMatch[1]);
+      if (idx >= parts.length) {
+        throw new ValidationError(
+          `sequence("${series}"): format token "{${token}}" references partition index ${idx}, but only ${parts.length} partition component(s) were supplied.`
+        );
+      }
+      continue;
+    }
+    throw new ValidationError(
+      `sequence("${series}"): format contains unknown token "{${token}}". Accepted tokens: {seq}, {seq:0N}, {partition.i}.`
+    );
+  }
+  return (serial) => format.replace(SEQ_FORMAT_TOKEN, (full, token) => {
+    if (token === "seq") return String(serial);
+    const padMatch = SEQ_PAD_TOKEN.exec(token);
+    if (padMatch) return String(serial).padStart(Number(padMatch[1]), "0");
+    const partMatch = SEQ_PARTITION_TOKEN.exec(token);
+    if (partMatch) return String(parts[Number(partMatch[1])]);
+    return full;
+  });
+}
 function resolveSequenceKey(series, opts) {
   const partition = opts?.partition;
   if (!partition || partition.length === 0) return series;
@@ -11224,7 +11910,7 @@ async function sleepBackoff2(attempt) {
   const ms = Math.floor(Math.random() * ceil);
   await new Promise((r) => setTimeout(r, ms));
 }
-var SEQUENCE_COLLECTION, MAX_NEXT_ATTEMPTS, SequenceStore;
+var SEQUENCE_COLLECTION, MAX_NEXT_ATTEMPTS, SEQ_FORMAT_TOKEN, SEQ_PAD_TOKEN, SEQ_PARTITION_TOKEN, SequenceStore;
 var init_sequence = __esm({
   "src/sequence/index.ts"() {
     "use strict";
@@ -11233,6 +11919,9 @@ var init_sequence = __esm({
     init_errors();
     SEQUENCE_COLLECTION = "_sequences";
     MAX_NEXT_ATTEMPTS = 16;
+    SEQ_FORMAT_TOKEN = /\{([^{}]*)\}/g;
+    SEQ_PAD_TOKEN = /^seq:0(\d+)$/;
+    SEQ_PARTITION_TOKEN = /^partition\.(\d+)$/;
     SequenceStore = class {
       adapter;
       vault;
@@ -11502,9 +12191,125 @@ var init_numbering = __esm({
   }
 });
 
+// src/forget/strategy.ts
+var NO_FORGET;
+var init_strategy7 = __esm({
+  "src/forget/strategy.ts"() {
+    "use strict";
+    NO_FORGET = { subjects: {} };
+  }
+});
+
+// src/forget/subject-index.ts
+async function sha256HexString(input) {
+  const bytes = new TextEncoder().encode(input);
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
+  return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function subjectKey(subjectId) {
+  return sha256HexString(subjectId);
+}
+async function readRefs(adapter, vault, getDEK, encrypted, key) {
+  const env = await adapter.get(vault, SUBJECT_INDEX_COLLECTION, key);
+  if (!env || !env._data) return [];
+  if (!encrypted) return JSON.parse(env._data);
+  const dek = await getDEK(SUBJECT_INDEX_COLLECTION);
+  const json = await decrypt(env._iv, env._data, dek);
+  return JSON.parse(json);
+}
+async function writeRefs(adapter, vault, getDEK, encrypted, key, refs) {
+  const json = JSON.stringify(refs);
+  let env;
+  if (!encrypted) {
+    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: (/* @__PURE__ */ new Date()).toISOString(), _iv: "", _data: json };
+  } else {
+    const dek = await getDEK(SUBJECT_INDEX_COLLECTION);
+    const { iv, data } = await encrypt(json, dek);
+    env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: (/* @__PURE__ */ new Date()).toISOString(), _iv: iv, _data: data };
+  }
+  await adapter.put(vault, SUBJECT_INDEX_COLLECTION, key, env);
+}
+async function addSubjectRef(adapter, vault, getDEK, encrypted, subjectId, ref) {
+  const key = await subjectKey(subjectId);
+  const refs = await readRefs(adapter, vault, getDEK, encrypted, key);
+  if (refs.some((r) => r.collection === ref.collection && r.id === ref.id)) return;
+  refs.push(ref);
+  await writeRefs(adapter, vault, getDEK, encrypted, key, refs);
+}
+async function removeSubjectRef(adapter, vault, getDEK, encrypted, subjectId, ref) {
+  const key = await subjectKey(subjectId);
+  const refs = await readRefs(adapter, vault, getDEK, encrypted, key);
+  const next = refs.filter((r) => !(r.collection === ref.collection && r.id === ref.id));
+  if (next.length === refs.length) return;
+  if (next.length === 0) {
+    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, key);
+    return;
+  }
+  await writeRefs(adapter, vault, getDEK, encrypted, key, next);
+}
+async function lookupSubject(adapter, vault, getDEK, encrypted, subjectId) {
+  const key = await subjectKey(subjectId);
+  return readRefs(adapter, vault, getDEK, encrypted, key);
+}
+async function rebuildSubjectIndex(adapter, vault, getDEK, encrypted, subjects, decodeRecord) {
+  const existing = await adapter.list(vault, SUBJECT_INDEX_COLLECTION);
+  for (const k of existing) {
+    await adapter.delete(vault, SUBJECT_INDEX_COLLECTION, k);
+  }
+  const bySubject = /* @__PURE__ */ new Map();
+  for (const [collection, field] of Object.entries(subjects)) {
+    const ids = await adapter.list(vault, collection);
+    for (const id of ids) {
+      if (id.startsWith("_")) continue;
+      const env = await adapter.get(vault, collection, id);
+      if (!env || !env._data) continue;
+      const record = await decodeRecord(collection, id, env);
+      if (record === null) continue;
+      const subjectValue = readDottedPath(record, field);
+      if (subjectValue === void 0 || subjectValue === null) continue;
+      const subjectId = coerceSubjectId(subjectValue);
+      const list = bySubject.get(subjectId) ?? [];
+      list.push({ collection, id });
+      bySubject.set(subjectId, list);
+    }
+  }
+  let entries = 0;
+  for (const [subjectId, refs] of bySubject) {
+    const key = await subjectKey(subjectId);
+    await writeRefs(adapter, vault, getDEK, encrypted, key, refs);
+    entries++;
+  }
+  return entries;
+}
+function coerceSubjectId(value) {
+  if (typeof value === "string") return value;
+  if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") {
+    return String(value);
+  }
+  return JSON.stringify(value);
+}
+function readDottedPath(record, field) {
+  if (!field.includes(".")) return record[field];
+  let cursor = record;
+  for (const segment of field.split(".")) {
+    if (cursor === null || cursor === void 0) return void 0;
+    cursor = cursor[segment];
+  }
+  return cursor;
+}
+var SUBJECT_INDEX_COLLECTION;
+var init_subject_index = __esm({
+  "src/forget/subject-index.ts"() {
+    "use strict";
+    init_crypto();
+    init_types();
+    SUBJECT_INDEX_COLLECTION = "_subject_index";
+  }
+});
+
 // src/shadow/strategy.ts
 var NOT_ENABLED3, NO_SHADOW;
-var init_strategy7 = __esm({
+var init_strategy8 = __esm({
   "src/shadow/strategy.ts"() {
     "use strict";
     NOT_ENABLED3 = new Error(
@@ -11520,7 +12325,7 @@ var init_strategy7 = __esm({
 
 // src/consent/strategy.ts
 var NO_CONSENT;
-var init_strategy8 = __esm({
+var init_strategy9 = __esm({
   "src/consent/strategy.ts"() {
     "use strict";
     NO_CONSENT = {
@@ -11535,7 +12340,7 @@ var init_strategy8 = __esm({
 
 // src/periods/strategy.ts
 var NOT_ENABLED4, NO_PERIODS;
-var init_strategy9 = __esm({
+var init_strategy10 = __esm({
   "src/periods/strategy.ts"() {
     "use strict";
     NOT_ENABLED4 = new Error(
@@ -11561,6 +12366,9 @@ var init_strategy9 = __esm({
 });
 
 // src/refs.ts
+function isRefArray(desc) {
+  return desc.isArray === true;
+}
 var RefIntegrityError, RefRegistry;
 var init_refs = __esm({
   "src/refs.ts"() {
@@ -11606,7 +12414,7 @@ var init_refs = __esm({
           for (const k of existingKeys) {
             const a = existing[k];
             const b = refs[k];
-            if (!a || !b || a.target !== b.target || a.mode !== b.mode) {
+            if (!a || !b || a.target !== b.target || a.mode !== b.mode || a.isArray !== b.isArray) {
               throw new Error(
                 `RefRegistry: conflicting ref declarations for collection "${collection}" field "${k}"`
               );
@@ -11617,7 +12425,7 @@ var init_refs = __esm({
         this.outbound.set(collection, { ...refs });
         for (const [field, desc] of Object.entries(refs)) {
           const list = this.inbound.get(desc.target) ?? [];
-          list.push({ collection, field, mode: desc.mode });
+          list.push({ collection, field, mode: desc.mode, ...desc.isArray ? { isArray: true } : {} });
           this.inbound.set(desc.target, list);
         }
       }
@@ -11647,15 +12455,147 @@ var init_refs = __esm({
   }
 });
 
-// src/i18n/dictionary.ts
-function isDictCollectionName(name) {
-  return name.startsWith(DICT_COLLECTION_PREFIX);
+// src/links/link-set.ts
+function linkCollectionName(name) {
+  return `${LINK_COLLECTION_PREFIX}${name}`;
 }
-var DICT_COLLECTION_PREFIX;
-var init_dictionary = __esm({
-  "src/i18n/dictionary.ts"() {
+function isLinkCollectionName(name) {
+  return name.startsWith(LINK_COLLECTION_PREFIX);
+}
+function linkRowKey(aId, bId) {
+  return `${encodeURIComponent(aId)}|${encodeURIComponent(bId)}`;
+}
+var LINK_COLLECTION_PREFIX, LinkSet, LinkEndpointError, LinkIntegrityError;
+var init_link_set = __esm({
+  "src/links/link-set.ts"() {
     "use strict";
-    DICT_COLLECTION_PREFIX = "_dict_";
+    init_types();
+    init_crypto();
+    init_errors();
+    LINK_COLLECTION_PREFIX = "_links_";
+    LinkSet = class {
+      constructor(adapter, vault, name, spec, encrypted, getDEK, actor, emitter, endpointExists) {
+        this.adapter = adapter;
+        this.vault = vault;
+        this.name = name;
+        this.spec = spec;
+        this.encrypted = encrypted;
+        this.getDEK = getDEK;
+        this.actor = actor;
+        this.emitter = emitter;
+        this.endpointExists = endpointExists;
+        this.collName = linkCollectionName(name);
+      }
+      adapter;
+      vault;
+      name;
+      spec;
+      encrypted;
+      getDEK;
+      actor;
+      emitter;
+      endpointExists;
+      collName;
+      dekPromise = null;
+      dek() {
+        if (!this.dekPromise) this.dekPromise = this.getDEK(this.collName);
+        return this.dekPromise;
+      }
+      async encryptEntry(entry, version) {
+        const json = JSON.stringify(entry);
+        const base = { _noydb: NOYDB_FORMAT_VERSION, _v: version, _ts: (/* @__PURE__ */ new Date()).toISOString(), _by: this.actor };
+        if (!this.encrypted) return { ...base, _iv: "", _data: json };
+        const { iv, data } = await encrypt(json, await this.dek());
+        return { ...base, _iv: iv, _data: data };
+      }
+      async decryptEntry(env) {
+        const json = this.encrypted ? await decrypt(env._iv, env._data, await this.dek()) : env._data;
+        return JSON.parse(json);
+      }
+      async connect(aId, bId, meta) {
+        if (!await this.endpointExists(this.spec.a, aId)) {
+          throw new LinkEndpointError(this.name, this.spec.a, aId);
+        }
+        if (!await this.endpointExists(this.spec.b, bId)) {
+          throw new LinkEndpointError(this.name, this.spec.b, bId);
+        }
+        const key = linkRowKey(aId, bId);
+        const entry = meta !== void 0 ? { a: aId, b: bId, meta } : { a: aId, b: bId };
+        const existing = await this.adapter.get(this.vault, this.collName, key);
+        const env = await this.encryptEntry(entry, (existing?._v ?? 0) + 1);
+        await this.adapter.put(this.vault, this.collName, key, env, existing?._v);
+        this.emitter.emit("change", { vault: this.vault, collection: this.collName, id: key, action: "put" });
+      }
+      async disconnect(aId, bId) {
+        const key = linkRowKey(aId, bId);
+        const existing = await this.adapter.get(this.vault, this.collName, key);
+        if (!existing) return;
+        await this.adapter.delete(this.vault, this.collName, key);
+        this.emitter.emit("change", { vault: this.vault, collection: this.collName, id: key, action: "delete" });
+      }
+      async has(aId, bId) {
+        return await this.adapter.get(this.vault, this.collName, linkRowKey(aId, bId)) !== null;
+      }
+      async of(id) {
+        const rows = await this.list();
+        return rows.filter((r) => r.a === id || r.b === id);
+      }
+      async list() {
+        const keys = await this.adapter.list(this.vault, this.collName);
+        const out = [];
+        for (const key of keys) {
+          const env = await this.adapter.get(this.vault, this.collName, key);
+          if (!env) continue;
+          const e = await this.decryptEntry(env);
+          out.push(e.meta !== void 0 ? { a: e.a, b: e.b, meta: e.meta } : { a: e.a, b: e.b });
+        }
+        return out;
+      }
+      // ── Vault-internal cascade helpers ──────────────────────────────────
+      /** @internal — rows where the deleted endpoint id matches the relevant slot. */
+      async _rowsTouchingEndpoint(collection, id) {
+        const rows = await this.list();
+        return rows.filter(
+          (r) => this.spec.a === collection && r.a === id || this.spec.b === collection && r.b === id
+        );
+      }
+      /** @internal — the storage collection name (for tx pre-image capture). */
+      get _collectionName() {
+        return this.collName;
+      }
+    };
+    LinkEndpointError = class extends NoydbError {
+      link;
+      endpoint;
+      missingId;
+      constructor(link, endpoint, missingId) {
+        super(
+          "LINK_ENDPOINT",
+          `link("${link}").connect: endpoint "${endpoint}" has no record "${missingId}".`
+        );
+        this.name = "LinkEndpointError";
+        this.link = link;
+        this.endpoint = endpoint;
+        this.missingId = missingId;
+      }
+    };
+    LinkIntegrityError = class extends NoydbError {
+      link;
+      endpoint;
+      id;
+      count;
+      constructor(link, endpoint, id, count) {
+        super(
+          "LINK_INTEGRITY",
+          `Cannot delete "${endpoint}"/"${id}": ${count} link(s) in "${link}" still reference it (onDelete: 'strict').`
+        );
+        this.name = "LinkIntegrityError";
+        this.link = link;
+        this.endpoint = endpoint;
+        this.id = id;
+        this.count = count;
+      }
+    };
   }
 });
 
@@ -13334,14 +14274,17 @@ var init_read_only_facade = __esm({
     "use strict";
     ReadOnlyVaultFacade = class {
       _vault;
-      constructor(vault) {
+      _layer;
+      constructor(vault, layer = "read") {
         this._vault = vault;
+        this._layer = layer;
       }
       collection(name) {
         const c = this._vault.collection(name);
+        const layer = this._layer;
         return {
-          get: (id) => c.get(id),
-          list: () => c.list(),
+          get: (id) => c.get(id, { _layer: layer }),
+          list: () => c.list({ _layer: layer }),
           query: () => c.query()
         };
       }
@@ -13397,6 +14340,16 @@ var init_registry3 = __esm({
           if (fromExtra) fromExtra.push(reg);
           else this._bySource.set(extra, [reg]);
         }
+        for (const t of spec.triggerBy ?? []) {
+          const fromTrigger = this._bySource.get(t.collection);
+          if (fromTrigger) fromTrigger.push(reg);
+          else this._bySource.set(t.collection, [reg]);
+        }
+        if (spec.rollup) {
+          const fromRollup = this._bySource.get(spec.rollup.from);
+          if (fromRollup) fromRollup.push(reg);
+          else this._bySource.set(spec.rollup.from, [reg]);
+        }
         for (const key of outputKeys) {
           const output = spec.outputs[key];
           if (!output) continue;
@@ -13450,6 +14403,9 @@ var init_registry3 = __esm({
               for (const key of Object.keys(s.spec.outputs)) {
                 const output = s.spec.outputs[key];
                 if (!output) continue;
+                if (output.shape === "record" && output.collection === s.spec.source && output.denorm !== void 0) {
+                  continue;
+                }
                 visit(output.collection);
               }
             }
@@ -13627,6 +14583,19 @@ var init_delegation = __esm({
 });
 
 // src/vault.ts
+function resolveLabelFromMap(labels, locale, fallback) {
+  if (labels[locale] !== void 0) return labels[locale];
+  const chain = Array.isArray(fallback) ? fallback : fallback ? [fallback] : [];
+  for (const fb of chain) {
+    if (fb === "any") {
+      const any = Object.values(labels)[0];
+      if (any !== void 0) return any;
+    } else if (labels[fb] !== void 0) {
+      return labels[fb];
+    }
+  }
+  return void 0;
+}
 var Vault, ELEVATION_AUDIT_COLLECTION, ElevatedHandle;
 var init_vault = __esm({
   "src/vault.ts"() {
@@ -13645,16 +14614,21 @@ var init_vault = __esm({
     init_entry();
     init_strategy3();
     init_strategy7();
+    init_subject_index();
+    init_errors();
     init_strategy8();
     init_strategy9();
+    init_strategy10();
     init_refs();
     init_dictionary();
+    init_link_set();
     init_core();
     init_strategy2();
     init_sync_strategy();
     init_errors();
     init_periods2();
     init_crypto();
+    init_record_keys();
     init_export_blobs();
     init_blob_compaction();
     init_magic_link_grant();
@@ -13710,6 +14684,7 @@ var init_vault = __esm({
       periodsStrategy;
       shadowStrategy;
       historyStrategy;
+      forgetStrategy;
       i18nStrategy;
       syncStrategy;
       /**
@@ -13739,13 +14714,17 @@ var init_vault = __esm({
        */
       overlayedViewRegistry = null;
       /**
-       * Cached read-only facade handed to guard callbacks via `ctx.vault`,
-       * and to derivation callbacks via `derive(source, ctx)`. Allocated
-       * eagerly inside `_initGuards()` and/or `_initDerivations()` so read
+       * Cached read-only facades handed to guard callbacks via `ctx.vault`
+       * and to derivation callbacks via `derive(source, ctx)`. Split by
+       * resolution layer (#285): the guard facade reads at `layer:'guard'`,
+       * the derivation facade at `layer:'derivation'`, so i18nText / dictKey
+       * fields resolve under that layer's `onMissing` policy. Allocated
+       * eagerly inside `_initGuards()` / `_initDerivations()` so read
        * accessors stay synchronous (callers in `tx/transaction.ts` rely on
-       * that). Stays `null` for vaults with neither subsystem configured.
+       * that). Each stays `null` for vaults without that subsystem.
        */
-      readOnlyFacade = null;
+      guardFacade = null;
+      derivationFacade = null;
       getDEK;
       /**
        * Per-principal user envelope API.
@@ -13876,6 +14855,27 @@ var init_vault = __esm({
        * Populated by `collection()` when the `dictKeyFields` option is passed.
        */
       dictKeyFieldRegistry = /* @__PURE__ */ new Map();
+      /**
+       * Names of dictionaries backed by a `staticDict()` descriptor (#291).
+       * A static dict skips the `dictKeyFieldRegistry` rename machinery, but the
+       * vault must still *know* a name is static so `vault.dictionary(name)` can
+       * refuse mutation (`StaticDictReadonlyError`). Populated at `collection()`
+       * config time whenever a `StaticDictDescriptor` is seen.
+       */
+      staticDictNames = /* @__PURE__ */ new Set();
+      /**
+       * Static-dict descriptors keyed by dictionary name (#291). Backs the
+       * read-path label resolver (resolve from the in-memory table) and the
+       * query-seam `resolveDictSource` snapshot. Last writer wins when the same
+       * name is registered by multiple collections (identical-across-vaults by
+       * construction, so the tables match).
+       */
+      staticByName = /* @__PURE__ */ new Map();
+      /**
+       * Per-collection map of field name → StaticDictDescriptor (#291). Used by
+       * `enforceStaticDictOnPut` to validate stored codes against `desc.keys`.
+       */
+      staticDescriptorByField = /* @__PURE__ */ new Map();
       /**
        * Registry of i18nText fields declared across all collections. Keyed
        * by collection name → field name → I18nTextDescriptor. Used by
@@ -13886,6 +14886,10 @@ var init_vault = __esm({
       i18nFieldRegistry = /* @__PURE__ */ new Map();
       /** Cache of DictionaryHandle instances, one per dictionary name. */
       dictionaryCache = /* @__PURE__ */ new Map();
+      /** Registered link specs (#377-B), keyed by link name; set by `vault.link()`. */
+      linkRegistry = /* @__PURE__ */ new Map();
+      /** Cache of LinkSet handles, one per link name. */
+      linkSetCache = /* @__PURE__ */ new Map();
       /** — subscribers for cross-tier access events. */
       crossTierSubs = /* @__PURE__ */ new Set();
       /** — currently-active elevation, or null. One per vault. */
@@ -13922,6 +14926,7 @@ var init_vault = __esm({
         this.periodsStrategy = opts.periodsStrategy ?? NO_PERIODS;
         this.shadowStrategy = opts.shadowStrategy ?? NO_SHADOW;
         this.historyStrategy = opts.historyStrategy ?? NO_HISTORY;
+        this.forgetStrategy = opts.forgetStrategy ?? NO_FORGET;
         this.i18nStrategy = opts.i18nStrategy ?? NO_I18N;
         this.syncStrategy = opts.syncStrategy ?? NO_SYNC;
         void opts.guardStrategies;
@@ -14001,6 +15006,9 @@ var init_vault = __esm({
         if (collectionName === SEQUENCE_COLLECTION) {
           throw new ReservedCollectionNameError(collectionName);
         }
+        if (isLinkCollectionName(collectionName)) {
+          throw new ReservedCollectionNameError(collectionName);
+        }
         let coll = this.collectionCache.get(collectionName);
         if (coll && options?.moneyFields) {
           coll._applyMoneyFields(options.moneyFields);
@@ -14026,10 +15034,22 @@ var init_vault = __esm({
           }
           if (options?.dictKeyFields) {
             const dictFieldMap = {};
+            const staticFieldMap = {};
             for (const [field, desc] of Object.entries(options.dictKeyFields)) {
-              dictFieldMap[field] = desc.name;
+              if (isStaticDictDescriptor(desc)) {
+                staticFieldMap[field] = desc;
+                this.staticDictNames.add(desc.name);
+                this.staticByName.set(desc.name, desc);
+              } else {
+                dictFieldMap[field] = desc.name;
+              }
+            }
+            if (Object.keys(dictFieldMap).length > 0) {
+              this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
+            }
+            if (Object.keys(staticFieldMap).length > 0) {
+              this.staticDescriptorByField.set(collectionName, staticFieldMap);
             }
-            this.dictKeyFieldRegistry.set(collectionName, dictFieldMap);
           }
           if ((options?.schemaUpdate?.length ?? 0) > 0) {
             this.#schemaUpdateNames.set(collectionName, (options.schemaUpdate ?? []).map((s) => s.name));
@@ -14060,6 +15080,7 @@ var init_vault = __esm({
             }));
             schemaUpdateGate = new SchemaUpdateGate(work);
           }
+          const effectiveHistoryConfig = options?.historyConfig ?? this.historyConfig;
           const collOpts = {
             adapter: this.adapter,
             vault: this.name,
@@ -14075,7 +15096,7 @@ var init_vault = __esm({
             schemaFence: this.schemaFence,
             getDEK: this.getDEK,
             onDirty: this.onDirty,
-            historyConfig: this.historyConfig,
+            historyConfig: effectiveHistoryConfig,
             // thread the vault-wide blob strategy into every
             // collection. `undefined` is intentionally preserved so the
             // Collection constructor uses its NO_BLOBS default.
@@ -14086,7 +15107,11 @@ var init_vault = __esm({
             historyStrategy: this.historyStrategy,
             i18nStrategy: this.i18nStrategy,
             syncStrategy: this.syncStrategy,
-            ledger: this.getLedgerOrNull() ?? void 0,
+            // Per-collection ledger opt-out (#361): when this collection sets
+            // `historyConfig.ledger: false`, withhold the ledger reference so all
+            // four `if (this.ledger)` append sites in Collection no-op. The chain
+            // stays valid — it simply never receives this collection's entries.
+            ledger: effectiveHistoryConfig.ledger === false ? void 0 : this.getLedgerOrNull() ?? void 0,
             refEnforcer: this,
             joinResolver: this,
             defaultLocale: this.locale,
@@ -14131,6 +15156,17 @@ var init_vault = __esm({
           if (options?.acknowledgeDeterministicRisk !== void 0) {
             collOpts.acknowledgeDeterministicRisk = options.acknowledgeDeterministicRisk;
           }
+          if (options?.perRecordKeys !== void 0) {
+            collOpts.perRecordKeys = options.perRecordKeys;
+          }
+          if (this.forgetStrategy.subjects[collectionName] !== void 0) {
+            if (options?.perRecordKeys === false) {
+              console.warn(
+                `[noy-db] Collection "${collectionName}" is declared in withForgetCascade but opened with perRecordKeys: false. Forcing perRecordKeys: true \u2014 GDPR crypto-shred requires per-record CEKs.`
+              );
+            }
+            collOpts.perRecordKeys = true;
+          }
           if (options?.tiers !== void 0) collOpts.tiers = options.tiers;
           if (options?.tierMode !== void 0) collOpts.tierMode = options.tierMode;
           collOpts.onCrossTierAccess = (event) => this.emitCrossTier(event);
@@ -14140,6 +15176,11 @@ var init_vault = __esm({
           if (options?.computed !== void 0) collOpts.computed = options.computed;
           if (options?.dictKeyFields !== void 0) {
             collOpts.dictLabelResolver = async (dictName, key, locale, fallback) => {
+              const stat = this.staticByName.get(dictName);
+              if (stat) {
+                const labels = stat.table[key];
+                return labels ? resolveLabelFromMap(labels, locale, fallback) : void 0;
+              }
               const handle = this.dictionary(dictName);
               return handle.resolveLabel(key, locale, fallback);
             };
@@ -14148,6 +15189,7 @@ var init_vault = __esm({
           if (options?.i18nFields !== void 0 || options?.dictKeyFields !== void 0) {
             collOpts.i18nPutValidator = (record) => {
               this.enforceI18nOnPut(collectionName, record);
+              this.enforceStaticDictOnPut(collectionName, record);
             };
           }
           if (options?.i18nFields !== void 0 && this.translateText) {
@@ -14287,6 +15329,34 @@ var init_vault = __esm({
           }
         }
       }
+      /**
+       * Validate staticDict codes on a `put()` (#291). For each `staticDict()`
+       * field, every stored code must be a declared key of the descriptor's
+       * table, else `UnknownDictCodeError`. Opt out per descriptor with
+       * `{ validateCodes: false }`. Supports scalar, dotted, and `[].`-wildcard
+       * field paths via `getAtPath` (same path support as i18n validation).
+       */
+      enforceStaticDictOnPut(collectionName, record) {
+        const staticFields = this.staticDescriptorByField.get(collectionName);
+        if (!staticFields || Object.keys(staticFields).length === 0) return;
+        if (!record || typeof record !== "object") return;
+        const obj = record;
+        for (const [field, desc] of Object.entries(staticFields)) {
+          if (desc.validateCodes === false) continue;
+          const known = new Set(desc.keys);
+          const values = getAtPath(obj, field);
+          for (const value of values) {
+            if (value === void 0 || value === null) continue;
+            const codes = Array.isArray(value) ? value : [value];
+            for (const code of codes) {
+              if (typeof code !== "string") continue;
+              if (!known.has(code)) {
+                throw new UnknownDictCodeError(desc.name, field, code);
+              }
+            }
+          }
+        }
+      }
       /**
        * Apply locale resolution to a record for the given collection.
        *
@@ -14295,14 +15365,18 @@ var init_vault = __esm({
        */
       async applyLocale(collectionName, record, localeOpts) {
         const locale = localeOpts.locale ?? this.locale;
-        if (!locale) return record;
+        const staticFields = this.staticDescriptorByField.get(collectionName);
+        const hasStaticDisplay = staticFields !== void 0 && Object.values(staticFields).some((d) => d.displayLocale !== void 0);
+        if (!locale && !hasStaticDisplay) return record;
         let result = record;
-        const i18nFields = this.i18nFieldRegistry.get(collectionName);
-        if (i18nFields && Object.keys(i18nFields).length > 0) {
-          result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+        if (locale) {
+          const i18nFields = this.i18nFieldRegistry.get(collectionName);
+          if (i18nFields && Object.keys(i18nFields).length > 0) {
+            result = this.i18nStrategy.applyI18nLocale(result, i18nFields, locale, localeOpts.fallback);
+          }
         }
         const dictFields = this.dictKeyFieldRegistry.get(collectionName);
-        if (dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
+        if (locale && dictFields && Object.keys(dictFields).length > 0 && locale !== "raw") {
           const withLabels = { ...result };
           for (const [field, dictName] of Object.entries(dictFields)) {
             const key = result[field];
@@ -14315,6 +15389,22 @@ var init_vault = __esm({
           }
           result = withLabels;
         }
+        if (staticFields && Object.keys(staticFields).length > 0 && locale !== "raw") {
+          const withLabels = { ...result };
+          for (const [field, desc] of Object.entries(staticFields)) {
+            const effLocale = locale ?? desc.displayLocale;
+            if (!effLocale) continue;
+            const key = result[field];
+            if (typeof key !== "string") continue;
+            const labels = desc.table[key];
+            if (!labels) continue;
+            const label = resolveLabelFromMap(labels, effLocale, localeOpts.fallback ?? desc.substitute);
+            if (label !== void 0) {
+              withLabels[`${field}Label`] = label;
+            }
+          }
+          result = withLabels;
+        }
         return result;
       }
       /**
@@ -14336,6 +15426,9 @@ var init_vault = __esm({
        * ```
        */
       dictionary(name, options = {}) {
+        if (this.staticDictNames.has(name)) {
+          throw new StaticDictReadonlyError(name);
+        }
         let handle = this.dictionaryCache.get(name);
         if (!handle) {
           handle = this.i18nStrategy.buildDictionaryHandle({
@@ -14379,6 +15472,68 @@ var init_vault = __esm({
         }
         return handle;
       }
+      /**
+       * Declare a managed many-to-many link set (#377-B). Registers a
+       * `_links_<name>` junction between two endpoint collections; access its
+       * rows via `vault.links(name)`. Idempotent for an identical re-declaration;
+       * a conflicting one throws. See {@link links}.
+       *
+       * ```ts
+       * vault.link('saleLineLinks', { a: ref('saleLines'), b: ref('purchaseLines'), onDelete: 'cascade' })
+       * ```
+       *
+       * `a` / `b` accept either a collection name or a `ref(target)` descriptor
+       * (only its `target` is used — links manage their own integrity). `onDelete`
+       * governs what happens to link rows when an endpoint record is deleted
+       * (`'cascade'` default, `'strict'`, `'warn'`).
+       */
+      link(name, spec) {
+        const a = typeof spec.a === "string" ? spec.a : spec.a.target;
+        const b = typeof spec.b === "string" ? spec.b : spec.b.target;
+        for (const [slot, target] of [["a", a], ["b", b]]) {
+          if (!target || target.startsWith("_") || target.includes("/")) {
+            throw new ValidationError(
+              `vault.link("${name}"): endpoint "${slot}" must be a simple collection name, got "${target}".`
+            );
+          }
+        }
+        const resolved = { a, b, ...spec.onDelete ? { onDelete: spec.onDelete } : {} };
+        const existing = this.linkRegistry.get(name);
+        if (existing) {
+          if (existing.a !== resolved.a || existing.b !== resolved.b || (existing.onDelete ?? "cascade") !== (resolved.onDelete ?? "cascade")) {
+            throw new ValidationError(`vault.link("${name}"): conflicting re-declaration.`);
+          }
+          return;
+        }
+        this.linkRegistry.set(name, resolved);
+      }
+      /**
+       * Access a declared link set (#377-B). Throws if `name` was not first
+       * declared via {@link link}. Returns a cached {@link LinkSetHandle}:
+       * `connect(a, b, meta?)`, `disconnect(a, b)`, `has(a, b)`, `of(id)`, `list()`.
+       */
+      links(name) {
+        let handle = this.linkSetCache.get(name);
+        if (!handle) {
+          const spec = this.linkRegistry.get(name);
+          if (!spec) {
+            throw new ValidationError(`vault.links("${name}"): not declared. Call vault.link("${name}", { a, b }) first.`);
+          }
+          handle = new LinkSet(
+            this.adapter,
+            this.name,
+            name,
+            spec,
+            this.encrypted,
+            this.getDEK,
+            this.keyring.userId,
+            this.emitter,
+            async (collection, id) => await this.collection(collection).get(id) !== null
+          );
+          this.linkSetCache.set(name, handle);
+        }
+        return handle;
+      }
       /**
        * Build a `JoinableSource` for a dictKey field, for use in dict joins
        *. Returns a source whose snapshot contains `{ key, ...labels }`
@@ -14405,6 +15560,26 @@ var init_vault = __esm({
        * Returns `null` when `field` is not a dictKey in `leftCollection`.
        */
       resolveDictSource(leftCollection, field) {
+        const staticFields = this.staticDescriptorByField.get(leftCollection);
+        if (staticFields && field in staticFields) {
+          const desc = staticFields[field];
+          const rows = Object.entries(desc.table).map(
+            ([key, labels]) => ({ key, labels, ...labels })
+          );
+          const source = {
+            snapshot() {
+              return rows;
+            },
+            lookupById(id) {
+              return rows.find((e) => e["key"] === id);
+            }
+          };
+          if (desc.displayLocale !== void 0) {
+            ;
+            source.displayLocale = desc.displayLocale;
+          }
+          return source;
+        }
         const dictFields = this.dictKeyFieldRegistry.get(leftCollection);
         if (!dictFields || !(field in dictFields)) return null;
         const dictName = dictFields[field];
@@ -14518,65 +15693,16 @@ var init_vault = __esm({
           });
         }
       }
-      /**
-       * Bulk blob extraction primitive.
-       *
-       * Returns an async-iterable handle over every blob attached to
-       * records in the vault. Single capability check (`plaintext/blob`)
-       * at handle creation; single audit entry to `_export_audit` before
-       * the first yield. Per-blob decryption happens lazily as the
-       * consumer pulls tuples.
-       *
-       * ```ts
-       * const handle = vault.exportBlobs({
-       *   collections: ['invoiceScans'],
-       *   where: (rec) => (rec as { clientId?: string }).clientId === 'c-123',
-       * })
-       * for await (const { bytes, meta, recordRef } of handle) {
-       *   await uploadToColdStorage(bytes, recordRef)
-       * }
-       * ```
-       *
-       * @see `@noy-db/hub/store/export-blobs` for the full option surface.
-       */
-      /**
-       * Evict blob slots per the per-collection `blobFields` retention
-       * policy.
-       *
-       * Iterates every collection declared with `{ blobFields: {...} }`.
-       * For each record, checks every configured slot against its
-       * policy — `retainDays` (age-based TTL) and/or `evictWhen(record)`
-       * (predicate) — and evicts matching slots. Every eviction writes
-       * one entry to `_blob_eviction_audit` (actor + eTag + reason +
-       * timestamp, no plaintext). Consumer-scheduled; noy-db never runs
-       * this on its own.
-       *
-       * ```ts
-       * await vault.compact()                                   // run full pass
-       * await vault.compact({ dryRun: true })                   // preview counts
-       * await vault.compact({ maxEvictions: 1000 })             // cap batch
-       * ```
-       */
-      /**
-       * Atomic, gap-free numbering. `vault.sequence('invoice-2026').next()`
-       * returns 1, 2, 3, … with no gaps or duplicates under concurrency, via
-       * an optimistic-CAS counter at `_sequences/<name>`. Each name is an
-       * independent sequence.
-       *
-       * **Online-only:** `next()` throws `SequenceOfflineError` unless the
-       * store advertises `capabilities.casAtomic` — gap-free numbering cannot
-       * be serialized by an offline / non-CAS writer.
-       *
-       * ```ts
-       * const n = await vault.sequence('invoice-2026').next()   // 1, then 2, …
-       * const cur = await vault.sequence('invoice-2026').peek()  // current value, no allocation
-       * ```
-       */
       sequence(series, opts) {
         if (series.includes("\0")) {
           throw new ValidationError(`sequence("${series}"): series name must not contain a null byte (\\x00).`);
         }
         if (this.numberingConfigs.has(series)) {
+          if (opts?.format !== void 0) {
+            throw new ValidationError(
+              `sequence("${series}") is a deferred-numbering series; the format option applies to CAS sequences only.`
+            );
+          }
           const eng = this.deferred();
           return {
             next: async (nextOpts) => {
@@ -14600,7 +15726,17 @@ var init_vault = __esm({
             actor: this.keyring.userId
           });
         }
-        return this.sequenceStore.handle(resolveSequenceKey(series, opts));
+        const handle = this.sequenceStore.handle(resolveSequenceKey(series, opts));
+        if (opts?.format === void 0) return handle;
+        const render = compileSequenceFormat(opts.format, series, opts.partition);
+        return {
+          next: async (nextOpts) => {
+            const serial = await handle.next(nextOpts);
+            return { serial, formatted: render(serial) };
+          },
+          peek: () => handle.peek(),
+          seedTo: (n) => handle.seedTo(n)
+        };
       }
       /** @internal — lazily build the deferred-numbering engine with a cache-coherent stamp. */
       deferred() {
@@ -14827,6 +15963,43 @@ var init_vault = __esm({
           if (descriptor.mode !== "strict") continue;
           const rawId = obj[field];
           if (rawId === null || rawId === void 0) continue;
+          if (isRefArray(descriptor)) {
+            if (!Array.isArray(rawId)) {
+              throw new RefIntegrityError({
+                collection: collectionName,
+                id: obj["id"] ?? "<unknown>",
+                field,
+                refTo: descriptor.target,
+                refId: null,
+                message: `Array ref field "${collectionName}.${field}" must be an array, got ${typeof rawId}.`
+              });
+            }
+            const arrTarget = this.collection(descriptor.target);
+            for (const el of rawId) {
+              if (typeof el !== "string" && typeof el !== "number") {
+                throw new RefIntegrityError({
+                  collection: collectionName,
+                  id: obj["id"] ?? "<unknown>",
+                  field,
+                  refTo: descriptor.target,
+                  refId: null,
+                  message: `Array ref "${collectionName}.${field}" elements must be strings or numbers, got ${typeof el}.`
+                });
+              }
+              const elId = String(el);
+              if (!await arrTarget.get(elId)) {
+                throw new RefIntegrityError({
+                  collection: collectionName,
+                  id: obj["id"] ?? "<unknown>",
+                  field,
+                  refTo: descriptor.target,
+                  refId: elId,
+                  message: `Strict array ref "${collectionName}.${field}" \u2192 "${descriptor.target}" cannot be satisfied: element id "${elId}" not found in "${descriptor.target}".`
+                });
+              }
+            }
+            continue;
+          }
           if (typeof rawId !== "string" && typeof rawId !== "number") {
             throw new RefIntegrityError({
               collection: collectionName,
@@ -14876,6 +16049,11 @@ var init_vault = __esm({
             const allRecords = await fromCollection.list();
             const matches = allRecords.filter((rec) => {
               const raw = rec[rule.field];
+              if (rule.isArray) {
+                return Array.isArray(raw) && raw.some(
+                  (el) => (typeof el === "string" || typeof el === "number") && String(el) === id
+                );
+              }
               if (typeof raw !== "string" && typeof raw !== "number") return false;
               return String(raw) === id;
             });
@@ -14914,10 +16092,45 @@ var init_vault = __esm({
               }
             }
           }
+          await this.enforceLinksOnDelete(collectionName, id);
         } finally {
           this.cascadeInProgress.delete(key);
         }
       }
+      /**
+       * @internal — apply link `onDelete` policy when an endpoint record is
+       * deleted (#377-B). `'strict'` throws (blocks the delete), `'cascade'`
+       * removes the touching link rows (tx-atomic when a transaction is active),
+       * `'warn'` leaves orphans for `checkIntegrity()`.
+       */
+      async enforceLinksOnDelete(collectionName, id) {
+        for (const [name, spec] of this.linkRegistry) {
+          if (spec.a !== collectionName && spec.b !== collectionName) continue;
+          const handle = this.links(name);
+          const touching = await handle._rowsTouchingEndpoint(collectionName, id);
+          if (touching.length === 0) continue;
+          const mode = spec.onDelete ?? "cascade";
+          if (mode === "warn") continue;
+          if (mode === "strict") {
+            throw new LinkIntegrityError(name, collectionName, id, touching.length);
+          }
+          const linkColl = handle._collectionName;
+          const txCtx = this.noydb._activeTxContextOrNull;
+          for (const row of touching) {
+            const rowKey = linkRowKey(row.a, row.b);
+            if (txCtx !== null) {
+              const prior = await this.adapter.get(this.name, linkColl, rowKey);
+              if (prior !== null) {
+                txCtx._executed.push({
+                  op: { type: "delete", vaultName: this.name, collectionName: linkColl, id: rowKey },
+                  priorEnvelope: prior
+                });
+              }
+            }
+            await handle.disconnect(row.a, row.b);
+          }
+        }
+      }
       // ─── Join resolver) ────────────────────
       /**
        * Look up the `RefDescriptor` the left collection declared for a
@@ -14978,6 +16191,23 @@ var init_vault = __esm({
             for (const [field, descriptor] of Object.entries(refs)) {
               const rawId = record[field];
               if (rawId === null || rawId === void 0) continue;
+              const target = this.collection(descriptor.target);
+              if (isRefArray(descriptor)) {
+                if (!Array.isArray(rawId)) {
+                  violations.push({ collection: collectionName, id: recId, field, refTo: descriptor.target, refId: rawId, mode: descriptor.mode });
+                  continue;
+                }
+                for (const el of rawId) {
+                  if (typeof el !== "string" && typeof el !== "number") {
+                    violations.push({ collection: collectionName, id: recId, field, refTo: descriptor.target, refId: el, mode: descriptor.mode });
+                    continue;
+                  }
+                  if (!await target.get(String(el))) {
+                    violations.push({ collection: collectionName, id: recId, field, refTo: descriptor.target, refId: el, mode: descriptor.mode });
+                  }
+                }
+                continue;
+              }
               if (typeof rawId !== "string" && typeof rawId !== "number") {
                 violations.push({
                   collection: collectionName,
@@ -14990,7 +16220,6 @@ var init_vault = __esm({
                 continue;
               }
               const refId = String(rawId);
-              const target = this.collection(descriptor.target);
               const exists = await target.get(refId);
               if (!exists) {
                 violations.push({
@@ -15005,6 +16234,19 @@ var init_vault = __esm({
             }
           }
         }
+        for (const [name, spec] of this.linkRegistry) {
+          const linkColl = linkCollectionName(name);
+          const rows = await this.links(name).list();
+          for (const row of rows) {
+            const rowKey = linkRowKey(row.a, row.b);
+            if (await this.collection(spec.a).get(row.a) === null) {
+              violations.push({ collection: linkColl, id: rowKey, field: "a", refTo: spec.a, refId: row.a, mode: spec.onDelete ?? "cascade" });
+            }
+            if (await this.collection(spec.b).get(row.b) === null) {
+              violations.push({ collection: linkColl, id: rowKey, field: "b", refTo: spec.b, refId: row.b, mode: spec.onDelete ?? "cascade" });
+            }
+          }
+        }
         return { violations };
       }
       /**
@@ -15048,6 +16290,218 @@ var init_vault = __esm({
         }
         return this.ledgerStore;
       }
+      // ─── GDPR right-to-erasure (#304) ────────────────────────────────
+      /** @internal — add a subject→record ref to the encrypted subject index. */
+      async _addSubjectRef(subjectId, ref) {
+        await addSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref);
+      }
+      /** @internal — drop a subject→record ref from the encrypted subject index. */
+      async _removeSubjectRef(subjectId, ref) {
+        await removeSubjectRef(this.adapter, this.name, this.getDEK, this.encrypted, subjectId, ref);
+      }
+      /**
+       * Rebuild the encrypted subject index from canonical records. The recovery
+       * path for the documented read-modify-write race (RISK #3). Returns the
+       * number of distinct subjects re-indexed.
+       */
+      async rebuildSubjectIndex() {
+        if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+          throw new ForgetStrategyNotConfiguredError();
+        }
+        return rebuildSubjectIndex(
+          this.adapter,
+          this.name,
+          this.getDEK,
+          this.encrypted,
+          this.forgetStrategy.subjects,
+          async (collectionName, id, env) => {
+            const coll = this.collection(collectionName);
+            return coll._decodeEnvelope(env, id);
+          }
+        );
+      }
+      /**
+       * GDPR crypto-shred of a data subject (#304). Consults the encrypted subject
+       * index and, per matching record:
+       *   - rewrites the LIVE envelope to a tombstone (drops `_iv`/`_data`/`_cek`/`_det`),
+       *   - tombstones every `_history` version of the record,
+       * so the body and all prior versions become permanently undecryptable while
+       * the collection DEK and every OTHER record stay intact. Then appends ONE
+       * `op:'forget'` ledger entry whose `payloadHash` is `sha256Hex(subjectId)` —
+       * the chain still `verify()`s, PROVING the subject existed and was erased
+       * without retaining any plaintext.
+       *
+       * Reports — but does not silently swallow — two completeness gaps:
+       *   - `unmigratedRecords`: a record whose body was NOT yet migrated to a
+       *     per-record CEK (legacy body still under the shared collection DEK). It
+       *     is still tombstoned, but its pre-shred ciphertext (if leaked to a
+       *     backup before migration) stays decryptable. Migrate, then re-forget.
+       *   - `blobResidueCollections`: a shredded record still has blob attachments,
+       *     which are keyed off a separate `_blob` DEK and are out of scope here.
+       *
+       * @throws ForgetStrategyNotConfiguredError when no `withForgetCascade` was set.
+       */
+      async forget(subjectId) {
+        if (Object.keys(this.forgetStrategy.subjects).length === 0) {
+          throw new ForgetStrategyNotConfiguredError();
+        }
+        const refs = await lookupSubject(this.adapter, this.name, this.getDEK, this.encrypted, subjectId);
+        let recordsShredded = 0;
+        let historyVersionsShredded = 0;
+        const collections = /* @__PURE__ */ new Set();
+        const unmigratedRecords = [];
+        const blobResidueCollections = /* @__PURE__ */ new Set();
+        let blobsShredded = 0;
+        let blobsRetainedShared = 0;
+        const blobsEnabled = this.blobStrategy !== void 0;
+        const actor = this.keyring.userId;
+        for (const ref of refs) {
+          const coll = this.collection(ref.collection);
+          const perRecordKeys = this.forgetStrategy.subjects[ref.collection] !== void 0;
+          const live = await this.adapter.get(this.name, ref.collection, ref.id);
+          if (perRecordKeys && live && live._data && live._cek === void 0) {
+            unmigratedRecords.push(`${ref.collection}:${ref.id}`);
+          }
+          const shred = await coll._writeTombstone(ref.id, actor);
+          if (shred !== null) {
+            recordsShredded++;
+            collections.add(ref.collection);
+          }
+          historyVersionsShredded += await this.historyStrategy.tombstoneHistory(
+            this.adapter,
+            this.name,
+            ref.collection,
+            ref.id,
+            actor
+          );
+          if (blobsEnabled) {
+            const r = await this.collection(ref.collection).blob(ref.id).shredAllForRecord();
+            blobsShredded += r.shredded.length;
+            blobsRetainedShared += r.retainedShared.length;
+            if (r.residue.length > 0) blobResidueCollections.add(ref.collection);
+          } else {
+            try {
+              const slotIds = await this.adapter.list(this.name, `_blob_slots_${ref.collection}`);
+              if (slotIds.includes(ref.id)) blobResidueCollections.add(ref.collection);
+            } catch {
+            }
+          }
+          await this._removeSubjectRef(subjectId, ref);
+        }
+        const subjectHash = await sha256Hex3(subjectId);
+        const ledger = this.getLedgerOrNull();
+        if (!ledger) {
+          throw new Error(
+            'vault.forget() requires the history strategy for the erasure-proof ledger entry. Pass `historyStrategy: withHistory()` from "@noy-db/hub/history" to createNoydb().'
+          );
+        }
+        const ledgerEntry = await ledger.append({
+          op: "forget",
+          collection: "",
+          id: "",
+          version: 0,
+          actor,
+          payloadHash: subjectHash,
+          reason: JSON.stringify({
+            recordsShredded,
+            historyVersionsShredded,
+            collections: [...collections],
+            unmigratedCount: unmigratedRecords.length,
+            blobsShredded,
+            blobsRetainedShared,
+            blobResidueCollections: [...blobResidueCollections]
+          })
+        });
+        return {
+          subject: subjectId,
+          recordsShredded,
+          historyVersionsShredded,
+          collections: [...collections],
+          unmigratedRecords,
+          blobsShredded,
+          blobsRetainedShared,
+          blobResidueCollections: [...blobResidueCollections],
+          ledgerEntry
+        };
+      }
+      // ─── Record-scoped CEK sealing (#306 slices 2-3) ──────────────────────
+      /**
+       * Seal ONE record's content-encryption key (CEK) to an `at-*` host so that
+       * host — and only that host — can decrypt exactly that record, with no
+       * access to the vault DEK and no ability to read any other record.
+       *
+       * The grantor (this caller, who holds the collection DEK) reads the record's
+       * live `_cek`, unwraps it under the collection DEK, exports the raw CEK
+       * bytes, builds a {@link SealedCekBinding} `{collection, id, cek, expiresAt}`,
+       * seals that binding for the recipient host via the host's published hint,
+       * and persists a thin {@link SealedCekDeliveryEnvelope} at
+       * `_sealed_cek/<collection>/<id>/<pid>`. The binding (not the delivery
+       * envelope) is the security boundary: the host re-verifies `{collection, id}`
+       * and `expiresAt` from inside the sealed payload.
+       *
+       * Only works on a `perRecordKeys` record — a legacy record has no `_cek` to
+       * seal (its body is under the shared collection DEK, which is never exposed
+       * by sealing) → {@link RecordCekNotFoundError}.
+       *
+       * @param collection Collection holding the record.
+       * @param id         Record id.
+       * @param hostSealer The recipient host's {@link RecipientSealer}.
+       * @param opts.expiresAt REQUIRED authoritative expiry (ISO 8601), sealed into
+       *   the binding the host verifies.
+       * @returns `{ pid, envelopeKey }` — the host provider id and the
+       *   `<collection>/<id>/<pid>` key the delivery envelope was written under.
+       */
+      async sealRecordToHost(collection, id, hostSealer, opts) {
+        return sealRecordToHost(this.sealingContext(), collection, id, hostSealer, opts);
+      }
+      /**
+       * Revoke a single sealed-CEK delivery envelope by deleting it from the store.
+       * A soft revocation: it removes the host's copy of the sealed CEK, but a host
+       * that already fetched the envelope keeps whatever it cached. For a hard
+       * revocation that makes the live record undecryptable to every prior grant,
+       * use {@link rotateRecordCek}.
+       */
+      async revokeSealedRecord(collection, id, pid) {
+        return revokeSealedRecord(this.sealingContext(), collection, id, pid);
+      }
+      /**
+       * HARD-rotate a record's CEK: decrypt the live body under the old CEK,
+       * re-encrypt it under a freshly-minted CEK, write the new live envelope, evict
+       * the in-memory caches, and delete EVERY sealed-CEK delivery envelope for the
+       * record. After this, any host holding a previously-sealed CEK can still
+       * decrypt PRE-rotation history versions (they keep their old `_cek`) but NOT
+       * the rotated live record (its body is under the new CEK → the old CEK fails
+       * the AES-GCM auth tag → `TamperedError`). That asymmetry IS the revocation:
+       * old grants lose the live record.
+       *
+       * Administrative path — bypasses `Collection.put` deliberately (no guards, no
+       * history snapshot, no materialized-view refresh): rotation is a key-rotation
+       * operation, not a business write, and must not version-bump history (which
+       * would re-encrypt the prior version under the NEW CEK and defeat the point).
+       *
+       * @throws {@link RecordCekNotFoundError} if the record is missing or has no `_cek`.
+       */
+      async rotateRecordCek(collection, id) {
+        return rotateRecordCek(this.sealingContext(), collection, id);
+      }
+      /**
+       * Build the {@link SealingContext} the record-keys grantor functions need:
+       * the vault-bound adapter, DEK resolver, actor, and the dual-cache eviction
+       * `rotateRecordCek` performs (per-record CEK cache + decrypted-record cache).
+       */
+      sealingContext() {
+        return {
+          adapter: this.adapter,
+          vault: this.name,
+          getDEK: (collection) => this.getDEK(collection),
+          actor: this.keyring.userId,
+          invalidateRecordCaches: async (collection, id) => {
+            const coll = this.collection(collection);
+            coll._invalidateCekCacheEntry(id);
+            await coll._invalidateCacheEntry(id);
+          }
+        };
+      }
       /**
        * @internal — called by `Noydb.openVault` after construction.
        * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
@@ -15068,7 +16522,7 @@ var init_vault = __esm({
         const registry = new GuardRegistry2();
         for (const h of handles) registry.register(h.spec);
         this.guardRegistry = registry;
-        this.readOnlyFacade = new ReadOnlyVaultFacade2(this);
+        this.guardFacade = new ReadOnlyVaultFacade2(this, "guard");
       }
       /**
        * @internal — The gate handler in Noydb.#registerGuardGate calls into
@@ -15099,8 +16553,8 @@ var init_vault = __esm({
         }
         registry.validate();
         this.derivationRegistry = registry;
-        if (this.readOnlyFacade === null) {
-          this.readOnlyFacade = new ReadOnlyVaultFacade2(this);
+        if (this.derivationFacade === null) {
+          this.derivationFacade = new ReadOnlyVaultFacade2(this, "derivation");
         }
       }
       /**
@@ -15217,7 +16671,7 @@ var init_vault = __esm({
         const { DerivationExecutor: DerivationExecutor2 } = await Promise.resolve().then(() => (init_executor(), executor_exports));
         const sourceColl = this.collection(sourceCollection);
         const records = await sourceColl.list();
-        const ctx = { vault: this.readOnlyFacade ?? new (await Promise.resolve().then(() => (init_read_only_facade(), read_only_facade_exports))).ReadOnlyVaultFacade(this) };
+        const ctx = { vault: this.derivationFacade ?? new (await Promise.resolve().then(() => (init_read_only_facade(), read_only_facade_exports))).ReadOnlyVaultFacade(this, "derivation") };
         let derived = 0;
         let failed = 0;
         for (const record of records) {
@@ -15282,17 +16736,18 @@ var init_vault = __esm({
        * never see null).
        */
       _getReadOnlyFacade() {
-        return this.readOnlyFacade;
+        return this.guardFacade;
       }
       /**
-       * Internal lazy-allocator for the read-only facade. Used as a
-       * defensive fallback; in practice `_initGuards()` eagerly
-       * instantiates this, so the lazy path is a no-op.
+       * Internal lazy-allocator for the derivation read-only facade
+       * (`layer:'derivation'`). Used as a defensive fallback; in practice
+       * `_initDerivations()` eagerly instantiates this, so the lazy path is
+       * a no-op.
        */
       _ensureReadOnlyFacade() {
-        if (this.readOnlyFacade !== null) return this.readOnlyFacade;
+        if (this.derivationFacade !== null) return this.derivationFacade;
         throw new Error(
-          "Vault: guard hook fired before _initGuards() completed. This typically means the vault was opened via the sync fallback path (Noydb.vault(name)) without first calling await db.openVault(name). See issue #132."
+          "Vault: derivation hook fired before _initDerivations() completed. This typically means the vault was opened via the sync fallback path (Noydb.vault(name)) without first calling await db.openVault(name). See issue #132."
         );
       }
       /**
@@ -17150,7 +18605,7 @@ var init_unlock_state = __esm({
 
 // src/snapshots/strategy.ts
 var NOT_ENABLED5, NO_SNAPSHOTS;
-var init_strategy10 = __esm({
+var init_strategy11 = __esm({
   "src/snapshots/strategy.ts"() {
     "use strict";
     NOT_ENABLED5 = new Error(
@@ -17291,7 +18746,7 @@ var init_scheduler = __esm({
 
 // src/tx/strategy.ts
 var NOT_ENABLED6, NO_TX;
-var init_strategy11 = __esm({
+var init_strategy12 = __esm({
   "src/tx/strategy.ts"() {
     "use strict";
     NOT_ENABLED6 = new Error(
@@ -17327,7 +18782,7 @@ function notEnabled4(op) {
   );
 }
 var NO_SESSION;
-var init_strategy12 = __esm({
+var init_strategy13 = __esm({
   "src/session/strategy.ts"() {
     "use strict";
     NO_SESSION = {
@@ -17691,6 +19146,177 @@ var init_executor3 = __esm({
   }
 });
 
+// src/federation/schema-manifest.ts
+function captureBlueprint(configure) {
+  const recorded = [];
+  const collectionStub = new Proxy(
+    {},
+    {
+      get: () => () => collectionStub
+    }
+  );
+  const proxy = new Proxy(
+    {},
+    {
+      get: (_t, prop) => {
+        if (prop === "collection") {
+          return (name, opts) => {
+            recorded.push({
+              name,
+              indexes: opts?.indexes ?? [],
+              persistJsonSchema: !!opts?.persistJsonSchema
+            });
+            return collectionStub;
+          };
+        }
+        return () => proxy;
+      }
+    }
+  );
+  configure(proxy);
+  const sorted = [...recorded].sort((a, b) => a.name.localeCompare(b.name));
+  const indexes = {};
+  const persistJsonSchema = [];
+  for (const c of sorted) {
+    indexes[c.name] = c.indexes;
+    if (c.persistJsonSchema) persistJsonSchema.push(c.name);
+  }
+  return {
+    // `persistJsonSchema` is already name-sorted: it is populated while
+    // iterating `sorted` (collections in name order).
+    collections: sorted.map((c) => c.name),
+    indexes,
+    persistJsonSchema
+  };
+}
+function canonical(value) {
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  return `{${keys.map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(",")}}`;
+}
+async function fingerprintBlueprint(bp) {
+  return sha256Hex2(new TextEncoder().encode(canonical(bp)));
+}
+var init_schema_manifest = __esm({
+  "src/federation/schema-manifest.ts"() {
+    "use strict";
+    init_crypto();
+  }
+});
+
+// src/federation/state-vault.ts
+var state_vault_exports = {};
+__export(state_vault_exports, {
+  STATE_VAULT_NAME: () => STATE_VAULT_NAME,
+  StateManagementVault: () => StateManagementVault
+});
+var REGISTRY, MANIFEST, EVENTS, MIGRATION_STATUS, StateManagementVault;
+var init_state_vault = __esm({
+  "src/federation/state-vault.ts"() {
+    "use strict";
+    init_schema_manifest();
+    init_constants2();
+    init_ulid();
+    init_constants2();
+    REGISTRY = "vaultRegistry";
+    MANIFEST = "schemaManifest";
+    EVENTS = "deploymentEvents";
+    MIGRATION_STATUS = "migrationStatus";
+    StateManagementVault = class _StateManagementVault {
+      constructor(registry, schemaManifest, events, migrationStatus) {
+        this.registry = registry;
+        this.schemaManifest = schemaManifest;
+        this.#events = events;
+        this.#migrationStatus = migrationStatus;
+      }
+      registry;
+      schemaManifest;
+      /**
+       * The append-only deployment-events log is kept truly private so the raw
+       * mutable Collection is never surfaced — events may only be written via
+       * `appendEvent` and read via `queryEvents`. (`registry` and
+       * `schemaManifest` are deliberately public: consumers read and write them.)
+       */
+      #events;
+      /** Per-shard fleet-migration progress (#271). Surfaced via typed methods only. */
+      #migrationStatus;
+      /** Idempotently open the reserved state vault and bind the control-plane collections. */
+      static async open(db) {
+        const vault = await db.openVault(STATE_VAULT_NAME);
+        return new _StateManagementVault(
+          vault.collection(REGISTRY),
+          vault.collection(MANIFEST),
+          vault.collection(EVENTS),
+          vault.collection(MIGRATION_STATUS)
+        );
+      }
+      /** Read one shard's migration status (or null). */
+      async getMigrationStatus(vaultId) {
+        return this.#migrationStatus.get(vaultId);
+      }
+      /** All migration-status rows (hydrates first). */
+      async listMigrationStatus() {
+        await this.#migrationStatus.list();
+        return this.#migrationStatus.query().toArray();
+      }
+      /** Upsert one shard's migration status (keyed by vaultId). */
+      async upsertMigrationStatus(row) {
+        await this.#migrationStatus.put(row.vaultId, row);
+      }
+      /** Read-only query over the append-only deployment-events log. */
+      queryEvents() {
+        return this.#events.query();
+      }
+      /**
+       * Append a deployment event with a fresh unique (ULID) id. This is the
+       * only write path to the events log; no update/delete is exposed.
+       * Callers should treat failures as non-fatal — this method does not
+       * swallow errors, so wrap the call site in try/catch where appropriate.
+       */
+      async appendEvent(event) {
+        const ts = event.ts ?? Date.now();
+        const id = generateULID();
+        await this.#events.put(id, { ...event, id, ts });
+      }
+      /**
+       * Ensure a manifest row exists for `(templateName, template.version)`.
+       * Safe to call repeatedly: the `fingerprint` is a deterministic hash of
+       * the template's declared shape (stable across calls), though each call
+       * refreshes `recordedAt`.
+       */
+      async recordManifest(templateName, template) {
+        const bp = captureBlueprint(template.configure);
+        const fingerprint = await fingerprintBlueprint(bp);
+        await this.schemaManifest.put(`${templateName}:${template.version}`, {
+          templateName,
+          version: template.version,
+          collections: bp.collections,
+          indexes: bp.indexes,
+          persistJsonSchema: bp.persistJsonSchema,
+          fingerprint,
+          recordedAt: Date.now()
+        });
+        return fingerprint;
+      }
+      /**
+       * True when `template`'s current declared shape does not match the recorded
+       * manifest for `(templateName, template.version)`. Because shards carry no
+       * schema state independent of their template, this catches "a template's
+       * shape changed without bumping `version`" — not independent per-shard drift.
+       * A missing manifest is treated as drift (nothing to verify against).
+       */
+      async detectDrift(templateName, template) {
+        const row = await this.schemaManifest.get(`${templateName}:${template.version}`);
+        if (!row) return true;
+        const current = await fingerprintBlueprint(captureBlueprint(template.configure));
+        return current !== row.fingerprint;
+      }
+    };
+  }
+});
+
 // src/federation/classify-skip.ts
 function classifyShardSkip(err) {
   return err instanceof NoAccessError ? "no-grant" : "error";
@@ -17975,6 +19601,7 @@ var SHARD_SEPARATOR, SAFE_PARTITION_KEY, VaultGroup, ShardedCollection, ShardedQ
 var init_vault_group = __esm({
   "src/federation/vault-group.ts"() {
     "use strict";
+    init_state_vault();
     init_errors();
     init_constants2();
     init_classify_skip();
@@ -17984,12 +19611,13 @@ var init_vault_group = __esm({
     SHARD_SEPARATOR = "--";
     SAFE_PARTITION_KEY = /^[A-Za-z0-9._-]+$/;
     VaultGroup = class {
-      constructor(db, name, registry, sharding, template) {
+      constructor(db, name, registry, sharding, template, migrateOnOpen = false) {
         this.db = db;
         this.name = name;
         this.registry = registry;
         this.sharding = sharding;
         this.template = template;
+        this.migrateOnOpen = migrateOnOpen;
         if (name.includes(SHARD_SEPARATOR)) {
           throw new ValidationError(
             `VaultGroup name "${name}" must not contain "--" (reserved shard vault-id separator).`
@@ -18001,6 +19629,7 @@ var init_vault_group = __esm({
       registry;
       sharding;
       template;
+      migrateOnOpen;
       /** @internal — set when the group is managed (no explicit registry). */
       stateVault;
       /** @internal */
@@ -18034,8 +19663,22 @@ var init_vault_group = __esm({
         const rows = this.registry.query().toArray();
         return rows.filter((r) => r.group === this.name);
       }
-      /** Open an existing shard and apply the template. */
+      /**
+       * Open an existing shard and apply the template. When `migrateOnOpen` is set
+       * (#271) and the shard's registry version is behind the template, its cutover
+       * runs inline first — so a behind shard never surfaces a stale handle.
+       */
       async openShard(partitionKey) {
+        if (this.migrateOnOpen) {
+          const row = await this.registry.get(this.registryId(partitionKey));
+          if (row && row.schemaVersion < this.template.version) {
+            await this.migrateShard(partitionKey);
+          }
+        }
+        return this._openShardRaw(partitionKey);
+      }
+      /** @internal — open + configure with no migrate-on-open hook (used by the migration path itself to avoid recursion). */
+      async _openShardRaw(partitionKey) {
         const vault = await this.db.openVault(this.shardVaultId(partitionKey), { create: false });
         this.template.configure(vault);
         return vault;
@@ -18113,6 +19756,161 @@ var init_vault_group = __esm({
         });
         return { eligible, skipped };
       }
+      /** @internal — registered push-model cross-vault derivations (#271 Insight Vault). */
+      crossVaultDerivations = [];
+      /**
+       * Register a push-model cross-vault derivation — the Insight Vault pattern
+       * (#271, Layer 4). Drive it with {@link refreshInsights}.
+       *
+       * For each shard, `derive(records, ctx)` runs on that shard's `source`
+       * records and its return value is written into the analytics
+       * (`target.vault` / `target.collection`) vault, keyed by partition key —
+       * one summary row per shard. The derivation runs in-process under THIS
+       * group's `Noydb` (which already holds both the shard and Insight Vault
+       * keyrings); the shard's decrypted records are reduced to a summary that is
+       * re-encrypted under the Insight Vault's own DEK, so no shard ciphertext
+       * crosses a DEK boundary.
+       *
+       * **Zero-knowledge note:** the Insight Vault backend sees aggregated
+       * structure (totals, counts, timestamps) drawn from many shards — a weaker
+       * ZK profile than the per-shard vaults. Opt-in; keep summaries to aggregate
+       * scalars (no embeddings / no raw records).
+       *
+       * v1 is explicit-refresh (no write-path push); call `refreshInsights()`
+       * after a batch of writes, or on a schedule.
+       */
+      withCrossVaultDerivation(spec) {
+        this.crossVaultDerivations.push(spec);
+      }
+      /**
+       * Run every registered {@link withCrossVaultDerivation}: read each eligible
+       * shard's source records, derive a per-shard summary, and write it into the
+       * Insight Vault keyed by partition key. Shards behind `minVersion`,
+       * unprovisioned, or whose read errors are reported in `skippedVaults` and
+       * are not written (a stale summary is never left behind for a failed shard).
+       */
+      async refreshInsights(options = {}) {
+        if (this.crossVaultDerivations.length === 0) return { written: 0, skippedVaults: [] };
+        const { eligible, skipped } = await this.resolveEligible(
+          options.minVersion !== void 0 ? { minVersion: options.minVersion } : {}
+        );
+        let written = 0;
+        for (const spec of this.crossVaultDerivations) {
+          const results = await this.db.queryAcross(
+            eligible.map((r) => r.vaultId),
+            async (vault) => {
+              this.template.configure(vault);
+              return vault.collection(spec.source).list();
+            },
+            { create: false, ...options.concurrency !== void 0 ? { concurrency: options.concurrency } : {} }
+          );
+          const insight = await this.db.openVault(spec.target.vault);
+          const out = insight.collection(spec.target.collection);
+          for (let i = 0; i < eligible.length; i++) {
+            const row = eligible[i];
+            const res = results[i];
+            if (!res || res.result === void 0) {
+              skipped.push({ vaultId: row.vaultId, reason: "error", ...res?.error ? { error: res.error } : {} });
+              continue;
+            }
+            const ctx = {
+              vaultId: row.vaultId,
+              partitionKey: row.partitionKey,
+              schemaVersion: row.schemaVersion
+            };
+            const summary = spec.derive(res.result, ctx);
+            await out.put(row.partitionKey, summary);
+            written++;
+          }
+        }
+        return { written, skippedVaults: skipped };
+      }
+      /** @internal — the control-plane vault for migration status; lazily opened. */
+      async ensureStateVault() {
+        if (!this.stateVault) this.stateVault = await StateManagementVault.open(this.db);
+        return this.stateVault;
+      }
+      /**
+       * Migrate ONE shard to the template's current version (#271 fleet runner,
+       * per-shard step). Opens the shard (applying the template, which arms the
+       * M12 cutover), drains schema-write detection, runs `vault.runSchemaCutover()`
+       * (the per-vault drain-barrier-transform protocol), then advances the
+       * registry row's `schemaVersion` and records `migration-status`. A shard
+       * already at the template version is a no-op (`status: 'done'`, migrated 0).
+       * Never throws on a cutover failure — it records `status: 'failed'` and
+       * returns the row, so a fleet run continues past a bad shard.
+       */
+      async migrateShard(partitionKey) {
+        const vaultId = this.shardVaultId(partitionKey);
+        const row = await this.registry.get(this.registryId(partitionKey));
+        if (!row) throw new UnknownShardError(partitionKey, this.name);
+        const target = this.template.version;
+        const sv = await this.ensureStateVault();
+        const base = { vaultId, group: this.name, currentVersion: row.schemaVersion, targetVersion: target };
+        if (row.schemaVersion >= target) {
+          const done = { ...base, status: "done", migrated: 0, finishedAt: Date.now() };
+          await sv.upsertMigrationStatus(done);
+          return done;
+        }
+        await sv.upsertMigrationStatus({ ...base, status: "running", startedAt: Date.now() });
+        try {
+          await sv.appendEvent({ type: "migration-started", group: this.name, vaultId, version: target });
+        } catch {
+        }
+        try {
+          const vault = await this._openShardRaw(partitionKey);
+          await vault._drainPendingSchemaWrites();
+          const { migrated } = await vault.runSchemaCutover();
+          await this.registry.put(this.registryId(partitionKey), { ...row, schemaVersion: target });
+          const done = { ...base, currentVersion: target, status: "done", migrated, finishedAt: Date.now() };
+          await sv.upsertMigrationStatus(done);
+          try {
+            await sv.appendEvent({ type: "migration-completed", group: this.name, vaultId, version: target });
+          } catch {
+          }
+          return done;
+        } catch (err) {
+          const error = err instanceof Error ? err.message : String(err);
+          const failed = { ...base, status: "failed", error, finishedAt: Date.now() };
+          await sv.upsertMigrationStatus(failed);
+          try {
+            await sv.appendEvent({ type: "migration-failed", group: this.name, vaultId, version: target, detail: error });
+          } catch {
+          }
+          return failed;
+        }
+      }
+      /**
+       * Active batch runner (#271): migrate every shard behind the template version
+       * to it, in controlled batches. **Resumable + crash-safe** — shards already at
+       * the target are skipped (the registry version is the source of truth), so a
+       * re-run after a crash only picks up the unfinished + previously-failed shards.
+       *
+       * - `cohort` — restrict to these partition keys (the staged / canary rollout:
+       *   migrate a small cohort, verify the Insight Vault, then run the rest).
+       * - `batchSize` — max shards migrated concurrently per batch (back-pressure).
+       *   Default 4. Batches run sequentially; shards within a batch run in parallel.
+       */
+      async migrateFleet(options = {}) {
+        const target = this.template.version;
+        const rows = await this.allRows();
+        const cohort = options.cohort;
+        const todo = rows.filter(
+          (r) => r.schemaVersion < target && (cohort === void 0 || cohort.includes(r.partitionKey))
+        );
+        const batchSize = Math.max(1, options.batchSize ?? 4);
+        const migrated = [];
+        const failed = [];
+        for (let i = 0; i < todo.length; i += batchSize) {
+          const batch = todo.slice(i, i + batchSize);
+          const settled = await Promise.all(batch.map((r) => this.migrateShard(r.partitionKey)));
+          for (const res of settled) {
+            if (res.status === "done") migrated.push(res.vaultId);
+            else failed.push({ vaultId: res.vaultId, error: res.error ?? "unknown" });
+          }
+        }
+        return { target, migrated, failed };
+      }
     };
     ShardedCollection = class {
       constructor(group, collectionName) {
@@ -18320,159 +20118,6 @@ var init_vault_group = __esm({
   }
 });
 
-// src/federation/schema-manifest.ts
-function captureBlueprint(configure) {
-  const recorded = [];
-  const collectionStub = new Proxy(
-    {},
-    {
-      get: () => () => collectionStub
-    }
-  );
-  const proxy = new Proxy(
-    {},
-    {
-      get: (_t, prop) => {
-        if (prop === "collection") {
-          return (name, opts) => {
-            recorded.push({
-              name,
-              indexes: opts?.indexes ?? [],
-              persistJsonSchema: !!opts?.persistJsonSchema
-            });
-            return collectionStub;
-          };
-        }
-        return () => proxy;
-      }
-    }
-  );
-  configure(proxy);
-  const sorted = [...recorded].sort((a, b) => a.name.localeCompare(b.name));
-  const indexes = {};
-  const persistJsonSchema = [];
-  for (const c of sorted) {
-    indexes[c.name] = c.indexes;
-    if (c.persistJsonSchema) persistJsonSchema.push(c.name);
-  }
-  return {
-    // `persistJsonSchema` is already name-sorted: it is populated while
-    // iterating `sorted` (collections in name order).
-    collections: sorted.map((c) => c.name),
-    indexes,
-    persistJsonSchema
-  };
-}
-function canonical(value) {
-  if (value === null || typeof value !== "object") return JSON.stringify(value);
-  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
-  const obj = value;
-  const keys = Object.keys(obj).sort();
-  return `{${keys.map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`).join(",")}}`;
-}
-async function fingerprintBlueprint(bp) {
-  return sha256Hex2(new TextEncoder().encode(canonical(bp)));
-}
-var init_schema_manifest = __esm({
-  "src/federation/schema-manifest.ts"() {
-    "use strict";
-    init_crypto();
-  }
-});
-
-// src/federation/state-vault.ts
-var state_vault_exports = {};
-__export(state_vault_exports, {
-  STATE_VAULT_NAME: () => STATE_VAULT_NAME,
-  StateManagementVault: () => StateManagementVault
-});
-var REGISTRY, MANIFEST, EVENTS, StateManagementVault;
-var init_state_vault = __esm({
-  "src/federation/state-vault.ts"() {
-    "use strict";
-    init_schema_manifest();
-    init_constants2();
-    init_ulid();
-    init_constants2();
-    REGISTRY = "vaultRegistry";
-    MANIFEST = "schemaManifest";
-    EVENTS = "deploymentEvents";
-    StateManagementVault = class _StateManagementVault {
-      constructor(registry, schemaManifest, events) {
-        this.registry = registry;
-        this.schemaManifest = schemaManifest;
-        this.#events = events;
-      }
-      registry;
-      schemaManifest;
-      /**
-       * The append-only deployment-events log is kept truly private so the raw
-       * mutable Collection is never surfaced — events may only be written via
-       * `appendEvent` and read via `queryEvents`. (`registry` and
-       * `schemaManifest` are deliberately public: consumers read and write them.)
-       */
-      #events;
-      /** Idempotently open the reserved state vault and bind the three control-plane collections. */
-      static async open(db) {
-        const vault = await db.openVault(STATE_VAULT_NAME);
-        return new _StateManagementVault(
-          vault.collection(REGISTRY),
-          vault.collection(MANIFEST),
-          vault.collection(EVENTS)
-        );
-      }
-      /** Read-only query over the append-only deployment-events log. */
-      queryEvents() {
-        return this.#events.query();
-      }
-      /**
-       * Append a deployment event with a fresh unique (ULID) id. This is the
-       * only write path to the events log; no update/delete is exposed.
-       * Callers should treat failures as non-fatal — this method does not
-       * swallow errors, so wrap the call site in try/catch where appropriate.
-       */
-      async appendEvent(event) {
-        const ts = event.ts ?? Date.now();
-        const id = generateULID();
-        await this.#events.put(id, { ...event, id, ts });
-      }
-      /**
-       * Ensure a manifest row exists for `(templateName, template.version)`.
-       * Safe to call repeatedly: the `fingerprint` is a deterministic hash of
-       * the template's declared shape (stable across calls), though each call
-       * refreshes `recordedAt`.
-       */
-      async recordManifest(templateName, template) {
-        const bp = captureBlueprint(template.configure);
-        const fingerprint = await fingerprintBlueprint(bp);
-        await this.schemaManifest.put(`${templateName}:${template.version}`, {
-          templateName,
-          version: template.version,
-          collections: bp.collections,
-          indexes: bp.indexes,
-          persistJsonSchema: bp.persistJsonSchema,
-          fingerprint,
-          recordedAt: Date.now()
-        });
-        return fingerprint;
-      }
-      /**
-       * True when `template`'s current declared shape does not match the recorded
-       * manifest for `(templateName, template.version)`. Because shards carry no
-       * schema state independent of their template, this catches "a template's
-       * shape changed without bumping `version`" — not independent per-shard drift.
-       * A missing manifest is treated as drift (nothing to verify against).
-       */
-      async detectDrift(templateName, template) {
-        const row = await this.schemaManifest.get(`${templateName}:${template.version}`);
-        if (!row) return true;
-        const current = await fingerprintBlueprint(captureBlueprint(template.configure));
-        return current !== row.fingerprint;
-      }
-    };
-  }
-});
-
 // src/noydb.ts
 var noydb_exports = {};
 __export(noydb_exports, {
@@ -18553,12 +20198,14 @@ var init_noydb = __esm({
     init_authenticators();
     init_unlock_state();
     init_sync_strategy();
-    init_strategy10();
+    init_strategy11();
     init_scheduler();
     init_transaction();
-    init_strategy11();
-    init_sync_policy();
     init_strategy12();
+    init_strategy7();
+    init_subject_index();
+    init_sync_policy();
+    init_strategy13();
     init_policy3();
     ROLE_RANK = {
       client: 1,
@@ -18614,6 +20261,7 @@ var init_noydb = __esm({
       policyEnforcers = /* @__PURE__ */ new Map();
       vaultTemplates = /* @__PURE__ */ new Map();
       txStrategy;
+      forgetStrategy;
       sessionStrategy;
       syncStrategy;
       snapshotStrategy;
@@ -18641,6 +20289,7 @@ var init_noydb = __esm({
       constructor(options) {
         this.options = options;
         this.txStrategy = options.txStrategy ?? NO_TX;
+        this.forgetStrategy = options.forgetStrategy ?? NO_FORGET;
         this.sessionStrategy = options.sessionStrategy ?? NO_SESSION;
         this.syncStrategy = options.syncStrategy ?? NO_SYNC;
         this.snapshotStrategy = options.snapshotStrategy ?? NO_SNAPSHOTS;
@@ -18651,8 +20300,61 @@ var init_noydb = __esm({
         }
         this.#registerGuardGate();
         this.#registerPeriodGate();
+        this.#registerForgetHooks();
         this.resetSessionTimer();
       }
+      /** @internal — resolved forget strategy (NO_FORGET when not configured). */
+      get _forgetStrategy() {
+        return this.forgetStrategy;
+      }
+      // #304 — GDPR subject-index maintenance. When `withForgetCascade` declares
+      // any subject fields, keep the encrypted `_subject_index` in lock-step with
+      // writes so `vault.forget(subjectId)` can find every record for a subject.
+      //
+      // Two consumers are required because they cover disjoint events:
+      //   - onAfterWrite fires on create/update (NOT delete) — add the new ref;
+      //     on an update that changed the subject value, drop the stale ref.
+      //   - the subsystemBus `afterDelete` observer fires on delete (onAfterWrite
+      //     does NOT) — drop the ref so a deleted record never lingers in the
+      //     index (RISK #2). Without it, forget() would try to shred a ghost.
+      #registerForgetHooks() {
+        const subjects = this.forgetStrategy.subjects;
+        if (Object.keys(subjects).length === 0) return;
+        const subjectFieldFor = (collection) => subjects[collection];
+        this.writeHooks.onAfterWrite(async (event) => {
+          const field = subjectFieldFor(event.collection);
+          if (field === void 0) return;
+          const vault = this.vaultCache.get(event.vault);
+          if (!vault) return;
+          if (event.after !== null && typeof event.after === "object") {
+            const subjectValue = readDottedPath(event.after, field);
+            if (subjectValue !== void 0 && subjectValue !== null) {
+              await vault._addSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+            }
+          }
+          if (event.op === "update" && event.before !== null && typeof event.before === "object") {
+            const beforeValue = readDottedPath(event.before, field);
+            const afterValue = event.after !== null && typeof event.after === "object" ? readDottedPath(event.after, field) : void 0;
+            const beforeId = beforeValue === void 0 || beforeValue === null ? void 0 : coerceSubjectId(beforeValue);
+            const afterId = afterValue === void 0 || afterValue === null ? void 0 : coerceSubjectId(afterValue);
+            if (beforeId !== void 0 && beforeId !== afterId) {
+              await vault._removeSubjectRef(beforeId, { collection: event.collection, id: event.docId });
+            }
+          }
+        });
+        this.subsystemBus.register("afterDelete", async (event) => {
+          const field = subjectFieldFor(event.collection);
+          if (field === void 0) return;
+          const vault = this.vaultCache.get(event.vault);
+          if (!vault) return;
+          if (event.before !== null && typeof event.before === "object") {
+            const subjectValue = readDottedPath(event.before, field);
+            if (subjectValue !== void 0 && subjectValue !== null) {
+              await vault._removeSubjectRef(coerceSubjectId(subjectValue), { collection: event.collection, id: event.docId });
+            }
+          }
+        });
+      }
       // Track A — guards migration. Registers record-lock / field-freeze / onDelete
       // / amendment-collect as gate-bus handlers (only when guards are opted in, so
       // the write path is zero-cost otherwise). Resolves the live vault's
@@ -18873,6 +20575,7 @@ var init_noydb = __esm({
           ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
           ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
           ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+          forgetStrategy: this.forgetStrategy,
           locale: opts?.locale,
           // Thread the translator hook so Collection.put() can invoke it
           plaintextTranslator: this.options.plaintextTranslator ? (text, from, to, field, collection) => this.invokeTranslator(text, from, to, field, collection) : void 0,
@@ -18927,7 +20630,8 @@ var init_noydb = __esm({
             ...this.options.i18nStrategy !== void 0 ? { i18nStrategy: this.options.i18nStrategy } : {},
             ...this.options.syncStrategy !== void 0 ? { syncStrategy: this.options.syncStrategy } : {},
             ...this.options.guardStrategies !== void 0 ? { guardStrategies: this.options.guardStrategies } : {},
-            ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {}
+            ...this.options.numbering !== void 0 ? { numberingConfigs: this.options.numbering } : {},
+            forgetStrategy: this.forgetStrategy
           });
           this.vaultCache.set(name, comp2);
           return comp2;
@@ -19283,7 +20987,7 @@ var init_noydb = __esm({
         const { StateManagementVault: StateManagementVault2 } = await Promise.resolve().then(() => (init_state_vault(), state_vault_exports));
         const stateVault = opts.registry ? void 0 : await StateManagementVault2.open(this);
         const registry = opts.registry ?? stateVault.registry;
-        const group = new VaultGroup2(this, name, registry, opts.sharding, template);
+        const group = new VaultGroup2(this, name, registry, opts.sharding, template, opts.migrateOnOpen ?? false);
         if (stateVault) {
           group._attachStateVault(stateVault);
           await stateVault.recordManifest(opts.sharding.vaultTemplate, template);
@@ -21712,6 +23416,7 @@ async function describeExtraction(vault, opts) {
 // src/bundle/extract-partition.ts
 init_types();
 init_crypto();
+init_record_keys();
 init_errors();
 init_ulid();
 init_storage2();
@@ -21731,6 +23436,14 @@ async function reKeyClosure(vault, closure) {
     for (const id of ids) {
       const env = await adapter.get(vaultName, collectionName, id);
       if (!env) continue;
+      if (env._cek !== void 0) {
+        const cek = await unwrapCek(env._cek, srcDek);
+        const plaintext2 = await decrypt(env._iv, env._data, cek);
+        const { iv: iv2, data: data2 } = await encrypt(plaintext2, cek);
+        const wrapped = await wrapCek(cek, destDek);
+        out[id] = { ...env, _iv: iv2, _data: data2, _cek: wrapped };
+        continue;
+      }
       const plaintext = await decrypt(env._iv, env._data, srcDek);
       const { iv, data } = await encrypt(plaintext, destDek);
       out[id] = { ...env, _iv: iv, _data: data };