@noy-db/hub 0.2.0-pre.17 → 0.2.0-pre.19

package/dist/team/index.d.cts

@@ -1,12 +1,12 @@
-import { b2 as NoydbStore, b0 as UnlockedKeyring } from '../types-CrSpRDuG.cjs';
-export { bm as BundleRecipient, cq as EnrollAuthenticatorOptions, cr as EnrollAuthenticatorWrappingDEKsOptions, cs as EnrollAuthenticatorWrappingKEKOptions, cZ as ListUsersOptions, dp as PaperRecoveryEntry, dx as PresenceHandle, dS as RecoverPassphraseInput, dT as RecoverPassphraseResult, dU as RecoverUserOptions, dV as RecoveryProof, dY as RotatePassphraseInput, eh as SlotRewrapCeremony, ei as SlotRewrapContext, er as SyncEngine, ez as SyncTransaction, eP as UpdateAuthenticatorOptions, f7 as WrappedDeksBlob, fe as buildRecipientKeyringFile, ff as burnPaperRecoveryEntry, g5 as changeSecret, g6 as createOwnerKeyring, fi as deriveMagicLinkContentKey, fj as enrollAuthenticator, g7 as ensureCollectionDEK, fm as evaluateExportCapability, fn as evaluateImportCapability, fo as findAuthenticator, g8 as grant, fp as hasExportCapability, fq as hasImportCapability, fs as isMagicLinkGrantExpired, fx as listMagicLinkGrants, fy as listUsers, fz as listUsersWithEnvelopes, g9 as loadKeyring, fB as loadPaperRecoveryEntries, fE as magicLinkGrantRecordId, fF as mintPaperRecoveryEntry, fH as mintWrappedDeksBlob, ga as persistKeyring, fK as readMagicLinkGrantRecord, fv as recoverPassphrase, fL as recoverUser, fM as removeAuthenticator, gb as revoke, fQ as revokeMagicLinkGrant, fw as rotatePassphrase, fS as savePaperRecoveryEntries, fW as unwrapDeksFromBlob, fX as unwrapDeksFromPaperEntry, fZ as unwrapMagicLinkGrant, gc as updateAuthenticator, gd as updateKeyringIdentity, g4 as writeMagicLinkGrant } from '../types-CrSpRDuG.cjs';
+import { aP as NoydbStore, aN as UnlockedKeyring } from '../types-D-gr5t0G.cjs';
+export { b7 as BundleRecipient, cd as EnrollAuthenticatorOptions, ce as EnrollAuthenticatorWrappingDEKsOptions, cf as EnrollAuthenticatorWrappingKEKOptions, cU as ListUsersOptions, dk as PaperRecoveryEntry, dt as PresenceHandle, dO as RecoverPassphraseInput, dP as RecoverPassphraseResult, dQ as RecoverUserOptions, dR as RecoveryProof, dV as RotatePassphraseInput, eh as SlotRewrapCeremony, ei as SlotRewrapContext, er as SyncEngine, ez as SyncTransaction, eP as UpdateAuthenticatorOptions, f7 as WrappedDeksBlob, fe as buildRecipientKeyringFile, ff as burnPaperRecoveryEntry, g7 as changeSecret, g8 as createOwnerKeyring, fj as deriveMagicLinkContentKey, fk as enrollAuthenticator, g9 as ensureCollectionDEK, fn as evaluateExportCapability, fo as evaluateImportCapability, fp as findAuthenticator, ga as grant, fq as hasExportCapability, fr as hasImportCapability, fu as isMagicLinkGrantExpired, fz as listMagicLinkGrants, fA as listUsers, fB as listUsersWithEnvelopes, gb as loadKeyring, fD as loadPaperRecoveryEntries, fG as magicLinkGrantRecordId, fH as mintPaperRecoveryEntry, fJ as mintWrappedDeksBlob, gc as persistKeyring, fM as readMagicLinkGrantRecord, fx as recoverPassphrase, fN as recoverUser, fO as removeAuthenticator, gd as revoke, fS as revokeMagicLinkGrant, fy as rotatePassphrase, fU as savePaperRecoveryEntries, fY as unwrapDeksFromBlob, fZ as unwrapDeksFromPaperEntry, f$ as unwrapMagicLinkGrant, ge as updateAuthenticator, gf as updateKeyringIdentity, g6 as writeMagicLinkGrant } from '../types-D-gr5t0G.cjs';
 import '../lazy-builder-eYZzLEL1.cjs';
 import '../predicate-BmhBSPCH.cjs';
-import '../strategy-CLC1j79g.cjs';
-import '../errors-Dz64FA65.cjs';
+import '../strategy-C5ol6NdV.cjs';
+import '../errors-DL-zTrrF.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-C-SSRIxP.cjs';
-import '../index-u-kWzSrL.cjs';
+import '../index-BMmajblo.cjs';
+import '../index-BM7O48Ur.cjs';
 import '@noy-db/attestation';
 
 /**

package/dist/team/index.d.ts

@@ -1,12 +1,12 @@
-import { b2 as NoydbStore, b0 as UnlockedKeyring } from '../types-CljIHm_J.js';
-export { bm as BundleRecipient, cq as EnrollAuthenticatorOptions, cr as EnrollAuthenticatorWrappingDEKsOptions, cs as EnrollAuthenticatorWrappingKEKOptions, cZ as ListUsersOptions, dp as PaperRecoveryEntry, dx as PresenceHandle, dS as RecoverPassphraseInput, dT as RecoverPassphraseResult, dU as RecoverUserOptions, dV as RecoveryProof, dY as RotatePassphraseInput, eh as SlotRewrapCeremony, ei as SlotRewrapContext, er as SyncEngine, ez as SyncTransaction, eP as UpdateAuthenticatorOptions, f7 as WrappedDeksBlob, fe as buildRecipientKeyringFile, ff as burnPaperRecoveryEntry, g5 as changeSecret, g6 as createOwnerKeyring, fi as deriveMagicLinkContentKey, fj as enrollAuthenticator, g7 as ensureCollectionDEK, fm as evaluateExportCapability, fn as evaluateImportCapability, fo as findAuthenticator, g8 as grant, fp as hasExportCapability, fq as hasImportCapability, fs as isMagicLinkGrantExpired, fx as listMagicLinkGrants, fy as listUsers, fz as listUsersWithEnvelopes, g9 as loadKeyring, fB as loadPaperRecoveryEntries, fE as magicLinkGrantRecordId, fF as mintPaperRecoveryEntry, fH as mintWrappedDeksBlob, ga as persistKeyring, fK as readMagicLinkGrantRecord, fv as recoverPassphrase, fL as recoverUser, fM as removeAuthenticator, gb as revoke, fQ as revokeMagicLinkGrant, fw as rotatePassphrase, fS as savePaperRecoveryEntries, fW as unwrapDeksFromBlob, fX as unwrapDeksFromPaperEntry, fZ as unwrapMagicLinkGrant, gc as updateAuthenticator, gd as updateKeyringIdentity, g4 as writeMagicLinkGrant } from '../types-CljIHm_J.js';
+import { aP as NoydbStore, aN as UnlockedKeyring } from '../types-CraiZOyO.js';
+export { b7 as BundleRecipient, cd as EnrollAuthenticatorOptions, ce as EnrollAuthenticatorWrappingDEKsOptions, cf as EnrollAuthenticatorWrappingKEKOptions, cU as ListUsersOptions, dk as PaperRecoveryEntry, dt as PresenceHandle, dO as RecoverPassphraseInput, dP as RecoverPassphraseResult, dQ as RecoverUserOptions, dR as RecoveryProof, dV as RotatePassphraseInput, eh as SlotRewrapCeremony, ei as SlotRewrapContext, er as SyncEngine, ez as SyncTransaction, eP as UpdateAuthenticatorOptions, f7 as WrappedDeksBlob, fe as buildRecipientKeyringFile, ff as burnPaperRecoveryEntry, g7 as changeSecret, g8 as createOwnerKeyring, fj as deriveMagicLinkContentKey, fk as enrollAuthenticator, g9 as ensureCollectionDEK, fn as evaluateExportCapability, fo as evaluateImportCapability, fp as findAuthenticator, ga as grant, fq as hasExportCapability, fr as hasImportCapability, fu as isMagicLinkGrantExpired, fz as listMagicLinkGrants, fA as listUsers, fB as listUsersWithEnvelopes, gb as loadKeyring, fD as loadPaperRecoveryEntries, fG as magicLinkGrantRecordId, fH as mintPaperRecoveryEntry, fJ as mintWrappedDeksBlob, gc as persistKeyring, fM as readMagicLinkGrantRecord, fx as recoverPassphrase, fN as recoverUser, fO as removeAuthenticator, gd as revoke, fS as revokeMagicLinkGrant, fy as rotatePassphrase, fU as savePaperRecoveryEntries, fY as unwrapDeksFromBlob, fZ as unwrapDeksFromPaperEntry, f$ as unwrapMagicLinkGrant, ge as updateAuthenticator, gf as updateKeyringIdentity, g6 as writeMagicLinkGrant } from '../types-CraiZOyO.js';
 import '../lazy-builder-ChSqcF5t.js';
 import '../predicate-BmhBSPCH.js';
-import '../strategy-4M9jo172.js';
-import '../errors-Dz64FA65.js';
+import '../strategy-BDxQnnTX.js';
+import '../errors-DL-zTrrF.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-C-SSRIxP.js';
-import '../index-DpU6KWof.js';
+import '../index-BMmajblo.js';
+import '../index-BelbyUwz.js';
 import '@noy-db/attestation';
 
 /**

package/dist/team/index.js

@@ -5,7 +5,7 @@ import {
   getCredential,
   listCredentials,
   putCredential
-} from "../chunk-E77UKJYL.js";
+} from "../chunk-FPHRTW2Z.js";
 import {
   burnPaperRecoveryEntry,
   deriveMagicLinkContentKey,
@@ -29,13 +29,13 @@ import {
   unwrapMagicLinkGrant,
   updateAuthenticator,
   writeMagicLinkGrant
-} from "../chunk-QHM6XEAH.js";
-import "../chunk-5LIROIDM.js";
+} from "../chunk-S22UOMHM.js";
+import "../chunk-FBLAWK6A.js";
 import {
   PresenceHandle,
   SyncEngine,
   SyncTransaction
-} from "../chunk-XMVHEWF6.js";
+} from "../chunk-MI36HL5G.js";
 import {
   buildRecipientKeyringFile,
   changeSecret,
@@ -52,11 +52,11 @@ import {
   persistKeyring,
   revoke,
   updateKeyringIdentity
-} from "../chunk-BSZOCSDZ.js";
+} from "../chunk-M3FPNTO2.js";
 import "../chunk-2QR2PQTT.js";
-import "../chunk-SISBMAPO.js";
-import "../chunk-UNTGHX5A.js";
-import "../chunk-ZEGSDPB7.js";
+import "../chunk-SHIUFIPW.js";
+import "../chunk-OKOKPYWH.js";
+import "../chunk-DJF3FXW5.js";
 export {
   PresenceHandle,
   SYNC_CREDENTIALS_COLLECTION,

package/dist/transition-guard-B1N82hMf.d.cts

@@ -0,0 +1,165 @@
+import { ag as GuardStrategy, ak as GuardStrategyHandle, ah as GuardChange, ai as GuardContext } from './types-D-gr5t0G.cjs';
+
+/**
+ * Register a guard for a collection. Guards run on every `put()` /
+ * `delete()` for the named collection (after permissions, before
+ * encryption) and may:
+ *
+ *   - `check` — block writes by throwing (typically `RecordLockedError`)
+ *   - `frozenFields` — freeze specific fields once a condition is true
+ *   - `amendment` — declare an authorized-override path with invariant
+ *
+ * Pass the returned handle to `createNoydb({ strategies: [...] })`.
+ *
+ * @see docs/superpowers/specs/2026-05-18-guards-design.md
+ */
+declare function withGuard<T extends Record<string, unknown>>(strategy: GuardStrategy<T>): GuardStrategyHandle<T>;
+
+/**
+ * `immutableGuard` — declarative WORM / append-only sugar over the guard
+ * subsystem.
+ *
+ * Issued fiscal documents (invoices, DDTs) must be immutable after issue.
+ * That is expressible today with a hand-rolled `withGuard` (block on
+ * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is
+ * repetitive and easy to get subtly wrong. `immutableGuard` generates
+ * exactly that guard from a declarative config, reusing the guard
+ * machinery wholesale — `check`/`onDelete` rejection, the ledgered
+ * `amendment` override, and composition with `periods`/`history`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   immutableGuard({
+ *     collection: 'invoices',
+ *     after: (r) => r.status === 'issued',   // immutable once issued
+ *   }),
+ * ] })
+ * ```
+ *
+ * A record is mutable until `after(record)` holds; from then on, updates
+ * and deletes throw `RecordLockedError` unless performed inside an
+ * `amendment` transaction by an authorized role (the override is
+ * ledgered by the guard amendment mechanism). `appendOnly: true` is
+ * shorthand for `after: () => true` — immutable from creation.
+ */
+
+interface ImmutableGuardConfig<T extends Record<string, unknown>> {
+    /** The collection to make WORM. */
+    collection: string;
+    /**
+     * A record becomes immutable once this predicate holds. Evaluated on
+     * the *existing* (already-persisted) record, so the write that first
+     * makes it true is still allowed; subsequent writes are blocked.
+     * Mutually exclusive with `appendOnly`.
+     */
+    after?: (record: T) => boolean;
+    /** Shorthand for `after: () => true` — immutable from creation. */
+    appendOnly?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly: it receives every {before, after} pair touching this
+     * collection in the amendment plus the guard context; throwing reverts
+     * the whole amendment and surfaces as `InvariantError`.
+     *
+     * Use this to keep a constraint inviolable EVEN under amendment — e.g.
+     * forbid deleting an issued document by re-throwing on any
+     * `before !== null && after === null` change, or assert a cross-record
+     * sum is preserved. When omitted the amendment is unconditionally
+     * allowed (the amendment itself is the sanctioned, ledgered override) —
+     * this is the backward-compatible default.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build an immutability guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function immutableGuard<T extends Record<string, unknown>>(config: ImmutableGuardConfig<T>): GuardStrategyHandle<T>;
+
+/**
+ * `transitionGuard` — declarative state-machine sugar over the guard
+ * subsystem.
+ *
+ * Any record with a lifecycle field (invoice `status`, order state,
+ * ticket workflow, subscription phase) needs transition validation: a
+ * write may only move the field along a declared arc. That is expressible
+ * with a hand-rolled `withGuard({ check })`, but every consumer
+ * re-implements the same graph lookup + error. `transitionGuard`
+ * generates exactly that guard from a state graph, reusing the guard
+ * machinery wholesale — `check` rejection, the ledgered `amendment`
+ * override, and composition with `periods`/`history`.
+ *
+ * It generalizes {@link immutableGuard}: WORM is the special case "every
+ * state has no outgoing arcs", i.e. `transitions` mapping each state to `[]`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   transitionGuard<Sale>({
+ *     collection: 'sales', field: 'status',
+ *     transitions: {                          // absence of an arc = forbidden
+ *       draft: ['to_verify', 'cancelled'],
+ *       to_verify: ['proforma', 'draft', 'cancelled'],
+ *       proforma: ['invoiced', 'cancelled'],
+ *       invoiced: ['paid'], paid: [], cancelled: [],
+ *     },
+ *     initial: ['draft', 'to_verify'],        // allowed status on insert
+ *   }),
+ * ] })
+ * ```
+ *
+ * Semantics:
+ * - **Insert** (`ctx.existing === null`): `incoming[field]` must be in
+ *   `initial`. When `initial` is omitted, any value is allowed on insert.
+ * - **Update**: the arc `(existing[field] → incoming[field])` must be
+ *   listed in `transitions[from]`, else `IllegalTransitionError`. A
+ *   same-value write (`from === to`) is allowed when `allowIdempotent`
+ *   (default `true`) — so writes that touch other fields without moving
+ *   state pass.
+ * - **Override**: inside an `amendment` transaction by an authorized role
+ *   the check is skipped and the change is ledgered (mirrors every guard).
+ *
+ * The status graph is caller-supplied data — no UI, no domain logic.
+ */
+
+interface TransitionGuardConfig<T extends Record<string, unknown>> {
+    /** The collection whose state field is governed. */
+    collection: string;
+    /** The state field on the record (e.g. `'status'`). */
+    field: keyof T & string;
+    /**
+     * The transition graph: each state maps to the states it may move to.
+     * A state absent from the map (or mapped to `[]`) is terminal — no
+     * outgoing arc, so any non-idempotent write from it is rejected.
+     */
+    transitions: Readonly<Record<string, readonly string[]>>;
+    /**
+     * States allowed as the initial value on insert (`existing === null`).
+     * Omit to allow any value on insert.
+     */
+    initial?: readonly string[];
+    /**
+     * Allow a same-value write (`from === to`) on update. Default `true` —
+     * lets a put that changes other fields, but not the state, through.
+     */
+    allowIdempotent?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly. When omitted the amendment is unconditionally allowed (the
+     * amendment itself is the sanctioned, ledgered override) — the
+     * backward-compatible default. Mirrors {@link immutableGuard}.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build a state-machine transition guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function transitionGuard<T extends Record<string, unknown>>(config: TransitionGuardConfig<T>): GuardStrategyHandle<T>;
+
+export { type ImmutableGuardConfig as I, type TransitionGuardConfig as T, immutableGuard as i, transitionGuard as t, withGuard as w };

package/dist/transition-guard-C__YeF3_.d.ts

@@ -0,0 +1,165 @@
+import { ag as GuardStrategy, ak as GuardStrategyHandle, ah as GuardChange, ai as GuardContext } from './types-CraiZOyO.js';
+
+/**
+ * Register a guard for a collection. Guards run on every `put()` /
+ * `delete()` for the named collection (after permissions, before
+ * encryption) and may:
+ *
+ *   - `check` — block writes by throwing (typically `RecordLockedError`)
+ *   - `frozenFields` — freeze specific fields once a condition is true
+ *   - `amendment` — declare an authorized-override path with invariant
+ *
+ * Pass the returned handle to `createNoydb({ strategies: [...] })`.
+ *
+ * @see docs/superpowers/specs/2026-05-18-guards-design.md
+ */
+declare function withGuard<T extends Record<string, unknown>>(strategy: GuardStrategy<T>): GuardStrategyHandle<T>;
+
+/**
+ * `immutableGuard` — declarative WORM / append-only sugar over the guard
+ * subsystem.
+ *
+ * Issued fiscal documents (invoices, DDTs) must be immutable after issue.
+ * That is expressible today with a hand-rolled `withGuard` (block on
+ * `check`/`onDelete`, allow an admin `amendment`), but the boilerplate is
+ * repetitive and easy to get subtly wrong. `immutableGuard` generates
+ * exactly that guard from a declarative config, reusing the guard
+ * machinery wholesale — `check`/`onDelete` rejection, the ledgered
+ * `amendment` override, and composition with `periods`/`history`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   immutableGuard({
+ *     collection: 'invoices',
+ *     after: (r) => r.status === 'issued',   // immutable once issued
+ *   }),
+ * ] })
+ * ```
+ *
+ * A record is mutable until `after(record)` holds; from then on, updates
+ * and deletes throw `RecordLockedError` unless performed inside an
+ * `amendment` transaction by an authorized role (the override is
+ * ledgered by the guard amendment mechanism). `appendOnly: true` is
+ * shorthand for `after: () => true` — immutable from creation.
+ */
+
+interface ImmutableGuardConfig<T extends Record<string, unknown>> {
+    /** The collection to make WORM. */
+    collection: string;
+    /**
+     * A record becomes immutable once this predicate holds. Evaluated on
+     * the *existing* (already-persisted) record, so the write that first
+     * makes it true is still allowed; subsequent writes are blocked.
+     * Mutually exclusive with `appendOnly`.
+     */
+    after?: (record: T) => boolean;
+    /** Shorthand for `after: () => true` — immutable from creation. */
+    appendOnly?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly: it receives every {before, after} pair touching this
+     * collection in the amendment plus the guard context; throwing reverts
+     * the whole amendment and surfaces as `InvariantError`.
+     *
+     * Use this to keep a constraint inviolable EVEN under amendment — e.g.
+     * forbid deleting an issued document by re-throwing on any
+     * `before !== null && after === null` change, or assert a cross-record
+     * sum is preserved. When omitted the amendment is unconditionally
+     * allowed (the amendment itself is the sanctioned, ledgered override) —
+     * this is the backward-compatible default.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build an immutability guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function immutableGuard<T extends Record<string, unknown>>(config: ImmutableGuardConfig<T>): GuardStrategyHandle<T>;
+
+/**
+ * `transitionGuard` — declarative state-machine sugar over the guard
+ * subsystem.
+ *
+ * Any record with a lifecycle field (invoice `status`, order state,
+ * ticket workflow, subscription phase) needs transition validation: a
+ * write may only move the field along a declared arc. That is expressible
+ * with a hand-rolled `withGuard({ check })`, but every consumer
+ * re-implements the same graph lookup + error. `transitionGuard`
+ * generates exactly that guard from a state graph, reusing the guard
+ * machinery wholesale — `check` rejection, the ledgered `amendment`
+ * override, and composition with `periods`/`history`.
+ *
+ * It generalizes {@link immutableGuard}: WORM is the special case "every
+ * state has no outgoing arcs", i.e. `transitions` mapping each state to `[]`.
+ *
+ * ```ts
+ * createNoydb({ guardStrategies: [
+ *   transitionGuard<Sale>({
+ *     collection: 'sales', field: 'status',
+ *     transitions: {                          // absence of an arc = forbidden
+ *       draft: ['to_verify', 'cancelled'],
+ *       to_verify: ['proforma', 'draft', 'cancelled'],
+ *       proforma: ['invoiced', 'cancelled'],
+ *       invoiced: ['paid'], paid: [], cancelled: [],
+ *     },
+ *     initial: ['draft', 'to_verify'],        // allowed status on insert
+ *   }),
+ * ] })
+ * ```
+ *
+ * Semantics:
+ * - **Insert** (`ctx.existing === null`): `incoming[field]` must be in
+ *   `initial`. When `initial` is omitted, any value is allowed on insert.
+ * - **Update**: the arc `(existing[field] → incoming[field])` must be
+ *   listed in `transitions[from]`, else `IllegalTransitionError`. A
+ *   same-value write (`from === to`) is allowed when `allowIdempotent`
+ *   (default `true`) — so writes that touch other fields without moving
+ *   state pass.
+ * - **Override**: inside an `amendment` transaction by an authorized role
+ *   the check is skipped and the change is ledgered (mirrors every guard).
+ *
+ * The status graph is caller-supplied data — no UI, no domain logic.
+ */
+
+interface TransitionGuardConfig<T extends Record<string, unknown>> {
+    /** The collection whose state field is governed. */
+    collection: string;
+    /** The state field on the record (e.g. `'status'`). */
+    field: keyof T & string;
+    /**
+     * The transition graph: each state maps to the states it may move to.
+     * A state absent from the map (or mapped to `[]`) is terminal — no
+     * outgoing arc, so any non-idempotent write from it is rejected.
+     */
+    transitions: Readonly<Record<string, readonly string[]>>;
+    /**
+     * States allowed as the initial value on insert (`existing === null`).
+     * Omit to allow any value on insert.
+     */
+    initial?: readonly string[];
+    /**
+     * Allow a same-value write (`from === to`) on update. Default `true` —
+     * lets a put that changes other fields, but not the state, through.
+     */
+    allowIdempotent?: boolean;
+    /** Roles permitted to override via an amendment transaction. Default `['admin', 'owner']`. */
+    amendmentRoles?: ReadonlyArray<'admin' | 'owner'>;
+    /**
+     * Optional set-level invariant run over the amendment change-set after
+     * the writes execute. Signature matches `GuardStrategy.amendment.invariant`
+     * exactly. When omitted the amendment is unconditionally allowed (the
+     * amendment itself is the sanctioned, ledgered override) — the
+     * backward-compatible default. Mirrors {@link immutableGuard}.
+     */
+    amendmentInvariant?: (changes: ReadonlyArray<GuardChange<T>>, ctx: GuardContext<T>) => Promise<void> | void;
+}
+/**
+ * Build a state-machine transition guard. Pass the returned handle to
+ * `createNoydb({ guardStrategies: [...] })`.
+ */
+declare function transitionGuard<T extends Record<string, unknown>>(config: TransitionGuardConfig<T>): GuardStrategyHandle<T>;
+
+export { type ImmutableGuardConfig as I, type TransitionGuardConfig as T, immutableGuard as i, transitionGuard as t, withGuard as w };