@noy-db/hub 0.2.0-pre.3 → 0.2.0-pre.5

package/dist/{chunk-T6HQMVML.js → chunk-BT7544RM.js}

@@ -4,34 +4,34 @@ import {
 import {
   TxContext,
   revertExecuted
-} from "./chunk-GVXBHCZ2.js";
+} from "./chunk-LJO6Q3X6.js";
 import {
   OverlayedCollection
-} from "./chunk-NGSPBLLE.js";
+} from "./chunk-34XGYMQT.js";
 import {
   LazyQuery,
   decodeIdxId,
   encodeIdxId
-} from "./chunk-WRLHNG6H.js";
+} from "./chunk-RIHZBSWJ.js";
 import {
   SCHEMAS_COLLECTION,
   loadPersistedSchema,
   resolveManagedSecret,
   savePersistedSchema,
   saveSealedPassphrase
-} from "./chunk-4X2S7PBF.js";
+} from "./chunk-E225X5CQ.js";
 import {
   loadPublicEnvelope,
   readPublicEnvelope,
   savePublicEnvelope,
   validatePublicEnvelopeInput
-} from "./chunk-FS7A4XNF.js";
+} from "./chunk-WEA4TDTJ.js";
 import {
   PERIODS_COLLECTION
-} from "./chunk-GAUBWHAF.js";
+} from "./chunk-ZQMYB56Z.js";
 import {
   isDictCollectionName
-} from "./chunk-KMI2NBBF.js";
+} from "./chunk-YZ6JETII.js";
 import {
   ManagedRecoveryNotEnrolledError,
   PolicyDeniedError,
@@ -53,11 +53,11 @@ import {
   saveShamirRecoveryEntries,
   updateAuthenticator,
   writeMagicLinkGrant
-} from "./chunk-2EYC3WDT.js";
+} from "./chunk-Y3P5DEMZ.js";
 import {
   assertTierAccess,
   dekKey
-} from "./chunk-6S3LLAQ5.js";
+} from "./chunk-TNBIWSQ7.js";
 import {
   USER_ENVELOPE_COLLECTION,
   buildRecipientKeyringFile,
@@ -81,7 +81,7 @@ import {
   rotateKeys,
   saveUserEnvelope,
   updateKeyringIdentity
-} from "./chunk-TLFUDXVV.js";
+} from "./chunk-T6MTNGBM.js";
 import {
   INDEXED_STORE_POLICY
 } from "./chunk-2QR2PQTT.js";
@@ -91,30 +91,30 @@ import {
 import {
   LEDGER_COLLECTION,
   LEDGER_DELTAS_COLLECTION
-} from "./chunk-74JEQFMT.js";
+} from "./chunk-6A4AMQ2H.js";
 import {
   sha256Hex as sha256Hex2
-} from "./chunk-NCO2JGKK.js";
+} from "./chunk-Z6FNBOTC.js";
 import {
   NO_AGGREGATE,
   Query,
   ScanBuilder
-} from "./chunk-4UBOTYP5.js";
+} from "./chunk-XDW37COG.js";
 import {
   EXPORT_AUDIT_COLLECTION,
   createExportBlobsHandle,
   runCompaction
-} from "./chunk-LOL725S4.js";
+} from "./chunk-JSYTGEX4.js";
 import {
   NOYDB_BACKUP_VERSION,
   NOYDB_FORMAT_VERSION
-} from "./chunk-FXQYZNOW.js";
+} from "./chunk-5OVIFUQE.js";
 import {
   decrypt,
   encrypt,
   encryptDeterministic,
   sha256Hex
-} from "./chunk-UOF74WQY.js";
+} from "./chunk-EKTOYEZ3.js";
 import {
   AlreadyElevatedError,
   AttestationError,
@@ -141,7 +141,7 @@ import {
   TierNotGrantedError,
   TranslatorNotConfiguredError,
   ValidationError
-} from "./chunk-YDLAFP36.js";
+} from "./chunk-6HJ2ZALB.js";
 
 // src/policy/storage.ts
 var META_COLLECTION = "_meta";
@@ -644,7 +644,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
     }
     const sourceWithId = { ...source, id };
     if (DerivationExecutor === null) {
-      ({ DerivationExecutor } = await import("./executor-GFZFDQXV.js"));
+      ({ DerivationExecutor } = await import("./executor-SOLEQVUB.js"));
     }
     const ctx = { vault: accessor.getReadOnlyFacade() };
     const result = await DerivationExecutor.run(spec, sourceWithId, 0, strategyHash, ctx);
@@ -664,7 +664,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
       }
       if (out.kind === "array") {
         console.warn(
-          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager" (#200 slice 1).`
+          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager".`
         );
         continue;
       }
@@ -702,6 +702,7 @@ var Collection = class {
   schemaUpdateGate;
   schemaFence;
   writeHooks;
+  subsystemBus;
   activeTxId;
   getDEK;
   onDirty;
@@ -890,42 +891,14 @@ var Collection = class {
   syncAdapter;
   /** — consent-audit hook, no-op when no scope is active. */
   onAccess;
-  /**
-   * accounting-period write guard. Called BEFORE any
-   * adapter write with:
-   *   - `existing` — the prior envelope's `_ts` and decrypted record
-   *     (or `null` if no prior envelope exists)
-   *   - `incoming` — the record being written (or `null` for delete)
-   *
-   * Throws `PeriodClosedError` if either side falls inside a closed
-   * period. Installed by Vault; no-op when no period has been closed.
-   * Async so the Vault can lazy-load the period list from the
-   * adapter on first use.
-   */
-  periodGuard;
-  /**
-   * Optional back-reference to the owning vault's guard registry + a
-   * read-only vault facade. When present, `Collection.put` and
-   * `Collection.delete` consult the registry for guards declared
-   * against this collection and run their `check` + `frozenFields`
-   * before the adapter write. Absent in unit tests that construct
-   * a Collection directly; production code always sets it via
-   * `Vault.collection()`.
-   *
-   * Typed structurally rather than as `Vault` to avoid a circular
-   * import (mirrors the `refEnforcer` / `joinResolver` pattern).
-   */
-  guardSource;
   /**
    * Vault-internal hook for derivation dispatch. When set,
    * `Collection.put` consults the registry after the source-write
    * commits and writes derived outputs through `getCollection(name).put`.
-   * Same structural-interface pattern as `guardSource` to avoid a
-   * circular Vault import.
    */
   derivationSource;
   /**
-   * Vault-internal hook for materialized-view dispatch (#143/#150).
+   * Vault-internal hook for materialized-view dispatch.
    * Parallel to `derivationSource` — when set, `Collection.put` fires
    * `MaterializedViewRegistry.onSourceWrite` after the source-write
    * commits + after `dispatchDerivations` has run.
@@ -981,6 +954,7 @@ var Collection = class {
     this.schemaUpdateGate = opts.schemaUpdateGate;
     this.schemaFence = opts.schemaFence;
     this.writeHooks = opts.writeHooks;
+    this.subsystemBus = opts.subsystemBus;
     this.activeTxId = opts.activeTxId;
     this.blobStrategy = opts.blobStrategy ?? NO_BLOBS;
     this.aggregateStrategy = opts.aggregateStrategy ?? NO_AGGREGATE;
@@ -1005,8 +979,6 @@ var Collection = class {
     this.crdtMode = opts.crdt;
     this.syncAdapter = opts.syncAdapter;
     this.onAccess = opts.onAccess;
-    this.periodGuard = opts.periodGuard;
-    this.guardSource = opts.guardSource;
     this.derivationSource = opts.derivationSource;
     this.materializedViewSource = opts.materializedViewSource;
     this.tiers = opts.tiers && opts.tiers.length > 0 ? new Set(opts.tiers) : null;
@@ -1140,7 +1112,7 @@ var Collection = class {
       }
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-PAGCS4K5.js");
+      const { resolveStaleMVOnRead } = await import("./stale-74WGLVZ2.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     let record;
@@ -1208,21 +1180,23 @@ var Collection = class {
   }
   /**
    * Create or update a record. Runs inside the hub's write-queue tracker
-   * (#227) so `hub.writeQueue.pending` reflects this write.
+   * so `hub.writeQueue.pending` reflects this write.
    *
    * @param id      Record identifier.
    * @param record  The record body (validated by the collection's schema
    *                if one was attached at `vault.collection(...)` time).
    * @param options Optional metadata for audit + import workflows.
    *                `reason` is stamped onto the resulting ledger entry
-   *                (see #1) so audit consumers can filter via
+   *                so audit consumers can filter via
    *                `entries.filter(e => e.reason?.startsWith('import:'))`.
    */
   async put(id, record, options) {
     await this.schemaUpdateGate?.assertWritable();
     await this.schemaFence?.assertWritable(this.name);
+    const hooksActive = this.#hooksActive();
+    const busAfterPut = (this.subsystemBus?.hasHandlers("afterPut") ?? false) && !(this.subsystemBus?.dispatching ?? false);
     let event;
-    if (this.#hooksActive()) {
+    if (hooksActive || busAfterPut) {
       const prior = await this.#priorForHook(id);
       event = {
         op: prior.record === null ? "create" : "update",
@@ -1237,23 +1211,26 @@ var Collection = class {
         baseVersion: prior.version,
         version: prior.version + 1
       };
-      await this.writeHooks.runBefore(event);
+      if (hooksActive) await this.writeHooks.runBefore(event);
     }
     if (this.writeQueue) await this.writeQueue.track(() => this.putInternal(id, record, options));
     else await this.putInternal(id, record, options);
-    if (event) await this.writeHooks.runAfter(event);
+    if (event) {
+      if (hooksActive) await this.writeHooks.runAfter(event);
+      if (busAfterPut) await this.subsystemBus.dispatch("afterPut", event);
+    }
   }
-  /** @internal #230 — true when hooks should fire for this write (handlers exist, not re-entrant). */
+  /** @internal — true when hooks should fire for this write (handlers exist, not re-entrant). */
   #hooksActive() {
     return this.writeHooks !== void 0 && this.writeHooks.hasHandlers && !this.writeHooks.suppressed;
   }
   /**
-   * @internal #230/#228c — resolve the prior record for a hook's `before` and
+   * @internal — resolve the prior record for a hook's `before` and
    * its version. Critically, this uses the SAME basis `putInternal` writes from
    * (the in-memory cache in eager mode; lru-then-adapter in lazy) — NOT a fresh
    * store read — so `baseVersion`/`version` match the version actually written.
    * A separate store read would diverge once another tab has advanced the shared
-   * store past this tab's cache, breaking #228c conflict detection.
+   * store past this tab's cache, breaking cross-tab conflict detection.
    */
   async #priorForHook(id) {
     if (this.lazy && this.lru) {
@@ -1275,52 +1252,28 @@ var Collection = class {
     if (!hasWritePermission(this.keyring, this.name)) {
       throw new ReadOnlyError();
     }
-    if (this.guardSource) {
-      const registry = this.guardSource.registry();
-      const guards = registry.guardsFor(this.name);
-      if (guards.length > 0) {
-        const existingEnv = await this.adapter.get(this.vault, this.name, id);
-        let existingRecord = null;
-        if (existingEnv) {
-          try {
-            existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
-          } catch {
-            existingRecord = null;
-          }
-        }
-        const incomingRecord = record;
-        const ctx = {
-          existing: existingRecord,
-          vault: this.guardSource.readOnlyVault(),
-          userId: this.keyring.userId,
-          role: this.keyring.role
-        };
-        if (registry.isAmendmentActive()) {
-          const vBefore = existingEnv?._v ?? 0;
-          registry.collectChange(this.name, id, existingRecord, incomingRecord, vBefore, vBefore + 1);
-        } else {
-          await registry.runChecks(this.name, incomingRecord, ctx);
-          const { GuardExecutor } = await import("./executor-BZKFZVRC.js");
-          for (const g of guards) {
-            await GuardExecutor.checkFrozenFields(g, id, existingRecord, incomingRecord);
-          }
-        }
-      }
-    }
-    if (this.periodGuard !== void 0) {
+    if (this.subsystemBus?.hasGateHandlers("beforePut")) {
       const existingEnv = await this.adapter.get(this.vault, this.name, id);
-      let priorRecord = null;
+      let existingRecord = null;
       if (existingEnv) {
         try {
-          priorRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+          existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
         } catch {
-          priorRecord = null;
+          existingRecord = null;
         }
       }
-      await this.periodGuard(
-        existingEnv ? { ts: existingEnv._ts, record: priorRecord } : null,
-        record
-      );
+      await this.subsystemBus.dispatchGate("beforePut", {
+        op: existingEnv ? "update" : "create",
+        vault: this.vault,
+        collection: this.name,
+        docId: id,
+        incoming: record,
+        existing: existingRecord,
+        existingVersion: existingEnv?._v ?? 0,
+        existingTs: existingEnv?._ts,
+        userId: this.keyring.userId,
+        role: this.keyring.role
+      });
     }
     if (this.schema !== void 0) {
       record = await validateSchemaInput(this.schema, record, `put(${id})`);
@@ -1506,7 +1459,7 @@ var Collection = class {
    * Fire registered MV strategies whose dependency set includes this
    * collection. Eager-mode MVs re-materialize inline via
    * `MaterializedViewExecutor.refresh`; lazy / manual modes are
-   * no-ops in the foundation (subtask #150) — wired in #151.
+   * no-ops in the foundation; wired in the lazy-mode implementation.
    *
    * Skips entirely when the record being written is itself an
    * MV-emitted row (carries `_materializedFrom`) — defensive guard
@@ -1529,7 +1482,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-KT2IOZVP.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-RWICJI7J.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -1538,7 +1491,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-PAGCS4K5.js");
+          staleHelpers = await import("./stale-74WGLVZ2.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -1567,7 +1520,7 @@ var Collection = class {
       const mode = typeof spec.lifecycle === "string" ? spec.lifecycle : spec.lifecycle.mode;
       if (mode === "eager") {
         if (DerivationExecutor === null) {
-          ({ DerivationExecutor } = await import("./executor-GFZFDQXV.js"));
+          ({ DerivationExecutor } = await import("./executor-SOLEQVUB.js"));
         }
         const sourceWithId = { ...incoming, id };
         const ctx = { vault: this.derivationSource.getReadOnlyFacade() };
@@ -1586,7 +1539,7 @@ var Collection = class {
           const outputCollection = this.derivationSource.getCollection(outSpec.collection);
           const txCtx = this.derivationSource.getActiveTxContext();
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-NRBWSLRK.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-EVICRM46.js");
             const prior = await loadFanoutSidecar(
               this.adapter,
               this.vault,
@@ -1650,13 +1603,15 @@ var Collection = class {
   }
   /**
    * Delete a record by ID. Runs inside the hub's write-queue tracker
-   * (#227) so `hub.writeQueue.pending` reflects this write.
+   * so `hub.writeQueue.pending` reflects this write.
    */
   async delete(id) {
     await this.schemaUpdateGate?.assertWritable();
     await this.schemaFence?.assertWritable(this.name);
+    const hooksActive = this.#hooksActive();
+    const busAfterDelete = (this.subsystemBus?.hasHandlers("afterDelete") ?? false) && !(this.subsystemBus?.dispatching ?? false);
     let event;
-    if (this.#hooksActive()) {
+    if (hooksActive || busAfterDelete) {
       const prior = await this.#priorForHook(id);
       event = {
         op: "delete",
@@ -1671,14 +1626,17 @@ var Collection = class {
         baseVersion: prior.version,
         version: prior.version + 1
       };
-      await this.writeHooks.runBefore(event);
+      if (hooksActive) await this.writeHooks.runBefore(event);
     }
     if (this.writeQueue) await this.writeQueue.track(() => this.deleteInternal(id));
     else await this.deleteInternal(id);
-    if (event) await this.writeHooks.runAfter(event);
+    if (event) {
+      if (hooksActive) await this.writeHooks.runAfter(event);
+      if (busAfterDelete) await this.subsystemBus.dispatch("afterDelete", event);
+    }
   }
   /**
-   * @internal #232 — bulk-rewrite every record through a cutover transform.
+   * @internal — bulk-rewrite every record through a cutover transform.
    * Raw adapter path (bypasses the write gate + guards — the transform is
    * trusted and runs only during the `migrating` phase). Bumps each
    * record's `_v` and appends a ledger `op:'migration'` entry.
@@ -1717,8 +1675,7 @@ var Collection = class {
   }
   /**
    * @internal — system-internal delete that bypasses user-facing
-   * delete hooks (`onDelete`, accounting-period guard, FK ref
-   * enforcer). Used by derivation tombstones (#144) and MV refresh
+   * delete hooks (`onDelete`, FK ref enforcer). Used by derivation tombstones and MV refresh
    * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
    * registered against the output collection. The ledger entry and
    * history snapshot still fire so backup integrity and time-travel
@@ -1730,7 +1687,7 @@ var Collection = class {
    *
    * When a `txCtx` is supplied, the prior envelope is captured and
    * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
-   * the #133 rollback hardening for puts. Callers outside a
+   * the rollback hardening for puts. Callers outside a
    * multi-record transaction pass `null` and skip the tracking.
    *
    * Amendment composition: if `_internalDelete` runs while a vault's
@@ -1773,58 +1730,27 @@ var Collection = class {
     if (!hasWritePermission(this.keyring, this.name)) {
       throw new ReadOnlyError();
     }
-    if (this.guardSource) {
-      const registry = this.guardSource.registry();
-      const guards = registry.guardsFor(this.name);
-      if (guards.length > 0) {
-        const existingEnv = await this.adapter.get(this.vault, this.name, id);
-        if (existingEnv) {
-          let existingRecord = null;
-          try {
-            existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
-          } catch {
-            existingRecord = null;
-          }
-          if (registry.isAmendmentActive()) {
-            const vBefore = existingEnv._v;
-            registry.collectChange(
-              this.name,
-              id,
-              existingRecord,
-              null,
-              vBefore,
-              vBefore
-            );
-          } else if (!internal) {
-            const ctx = {
-              existing: existingRecord,
-              vault: this.guardSource.readOnlyVault(),
-              userId: this.keyring.userId,
-              role: this.keyring.role
-            };
-            await registry.runOnDelete(
-              this.name,
-              existingRecord ?? {},
-              ctx
-            );
-          }
-        }
-      }
-    }
-    if (!internal && this.periodGuard !== void 0) {
+    if (this.subsystemBus?.hasGateHandlers("beforeDelete")) {
       const existingEnv = await this.adapter.get(this.vault, this.name, id);
-      let priorRecord = null;
       if (existingEnv) {
+        let existingRecord = null;
         try {
-          priorRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+          existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
         } catch {
-          priorRecord = null;
+          existingRecord = null;
         }
+        await this.subsystemBus.dispatchGate("beforeDelete", {
+          vault: this.vault,
+          collection: this.name,
+          docId: id,
+          existing: existingRecord,
+          existingVersion: existingEnv._v,
+          existingTs: existingEnv._ts,
+          internal,
+          userId: this.keyring.userId,
+          role: this.keyring.role
+        });
       }
-      await this.periodGuard(
-        existingEnv ? { ts: existingEnv._ts, record: priorRecord } : null,
-        null
-      );
     }
     if (!internal && this.refEnforcer !== void 0) {
       await this.refEnforcer.enforceRefsOnDelete(this.name, id);
@@ -1885,7 +1811,7 @@ var Collection = class {
   }
   /**
    * Cascade deletes of array-shape derived rows when a source row is
-   * deleted (#200). Reads each registered strategy's fanout sidecar
+   * deleted. Reads each registered strategy's fanout sidecar
    * for this source id, deletes every listed derived row, then
    * deletes the sidecar itself.
    *
@@ -1905,7 +1831,7 @@ var Collection = class {
       for (const [outputKey, outSpec] of Object.entries(spec.outputs)) {
         if (outSpec.shape !== "array") continue;
         if (helpers === null) {
-          helpers = await import("./fanout-sidecar-NRBWSLRK.js");
+          helpers = await import("./fanout-sidecar-EVICRM46.js");
         }
         const sidecar = await helpers.loadFanoutSidecar(
           this.adapter,
@@ -1924,8 +1850,8 @@ var Collection = class {
     }
   }
   /**
-   * Mirror of {@link dispatchMaterializedViews} for the delete path
-   * (#181). No record content is available (it's gone), so the
+   * Mirror of {@link dispatchMaterializedViews} for the delete path.
+   * No record content is available (it's gone), so the
    * `_materializedFrom` skip used by the put-side dispatch doesn't
    * apply here — instead, the recursion guard is the `internal` gate
    * at the `_doDelete` call site above.
@@ -1945,7 +1871,7 @@ var Collection = class {
       if (mode === "eager") {
         if (executor === null) {
           ;
-          ({ MaterializedViewExecutor: executor } = await import("./executor-KT2IOZVP.js"));
+          ({ MaterializedViewExecutor: executor } = await import("./executor-RWICJI7J.js"));
         }
         await executor.refresh(reg, {
           getCollection: (name) => this.materializedViewSource.getCollection(name),
@@ -1954,7 +1880,7 @@ var Collection = class {
         });
       } else if (mode === "lazy") {
         if (staleHelpers === null) {
-          staleHelpers = await import("./stale-PAGCS4K5.js");
+          staleHelpers = await import("./stale-74WGLVZ2.js");
         }
         staleHelpers.markMVStale(registry, reg.spec.name);
       }
@@ -1977,7 +1903,7 @@ var Collection = class {
       );
     }
     if (this.materializedViewSource !== void 0) {
-      const { resolveStaleMVOnRead } = await import("./stale-PAGCS4K5.js");
+      const { resolveStaleMVOnRead } = await import("./stale-74WGLVZ2.js");
       await resolveStaleMVOnRead(this.materializedViewSource, this.name);
     }
     await this.ensureHydrated();
@@ -2455,7 +2381,7 @@ var Collection = class {
    *   .aggregate({ total: sum('amount'), n: count() })
    * ```
    *
-   * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+   * **Lazy-MV gap:** `scan()` is synchronous-build and does
    * NOT trigger lazy materialized-view resolve-on-read. For lazy
    * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
    * before scanning. Same shape as the `query()` limitation.
@@ -2536,7 +2462,7 @@ var Collection = class {
     this.indexes?.upsert(id, record, previous ? previous.record : null);
   }
   /**
-   * #228b — apply a peer tab's committed write to THIS tab's in-memory view:
+   * Apply a peer tab's committed write to THIS tab's in-memory view:
    * re-read the (already-persisted) envelope from the shared store + refresh
    * cache/indexes, then emit a `change` event so reactive consumers re-render.
    * Never writes to the store and never fires write hooks, so it cannot loop.
@@ -2545,7 +2471,7 @@ var Collection = class {
     await this._invalidateCacheEntry(id);
     this.emitter.emit("change", { vault: this.vault, collection: this.name, id, action });
   }
-  /** @internal #228c — the current in-memory record without a store read (for conflict capture). */
+  /** @internal — the current in-memory record without a store read (for conflict capture). */
   _peekCached(id) {
     const entry = this.lazy && this.lru ? this.lru.get(id) : this.cache.get(id);
     return entry ? entry.record : null;
@@ -3648,7 +3574,7 @@ var UserApi = class {
    * the envelope on first call. Optimistic-concurrency safe — a stale
    * `_v` (parallel writer on another device) throws `ConflictError`.
    *
-   * Patch semantics (#57):
+   * Patch semantics:
    *   - `undefined` (or omitted key) — skip; existing value preserved
    *   - `null` — delete the field from the merged result
    *   - any other value — overwrite (deep-merge for plain objects,
@@ -3704,7 +3630,7 @@ var UserApi = class {
     this.fireChange(this.writerKeyringId, written);
     return written;
   }
-  // ─── Visibility (#122) ───────────────────────────────────────────────
+  // ─── Visibility ──────────────────────────────────────────────────────
   /**
    * Read the current user's visibility flag from
    * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
@@ -4554,23 +4480,23 @@ var Vault = class {
    * `null` for vaults that never register any guard strategy. The
    * runtime class is dynamic-imported on demand so consumers that
    * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
-   * their bundle (#130).
+   * their bundle.
    */
   guardRegistry = null;
   /**
    * Per-vault derivation registry. Same lazy-load contract as
    * `guardRegistry` — `null` until `_initDerivations()` runs with at
-   * least one strategy handle. See #130 for the bundle motivation.
+   * least one strategy handle.
    */
   derivationRegistry = null;
   /**
-   * Per-vault materialized-view registry (#143/#150). Same lazy-load
+   * Per-vault materialized-view registry. Same lazy-load
    * contract as `derivationRegistry` — `null` until
    * `_initMaterializedViews()` runs with at least one MV handle.
    */
   materializedViewRegistry = null;
   /**
-   * Per-vault overlay registry (#154). Same lazy-load contract as
+   * Per-vault overlay registry. Same lazy-load contract as
    * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
    * runs with at least one handle.
    */
@@ -4591,7 +4517,7 @@ var Vault = class {
    *   target this vault session's keyringId. There is no method to write
    *   another principal's envelope (own-only write rule, structural).
    * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
-   *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+   *   envelopes, subject to the `view-team-profiles` policy gate.
    * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
    *
    * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
@@ -4611,12 +4537,12 @@ var Vault = class {
    */
   reloadKeyring;
   collectionCache = /* @__PURE__ */ new Map();
-  /** #232 — vault-level schema cutover fence/controller. */
+  /** Vault-level schema cutover fence/controller. */
   schemaFence;
-  /** #232 — per-client heartbeat/watcher; started lazily on cutover registration. */
+  /** Per-client heartbeat/watcher; started lazily on cutover registration. */
   #fenceWatcher;
   #fenceCoordinationStarted = false;
-  /** #229 — per-collection registered schema-update strategy names. */
+  /** Per-collection registered schema-update strategy names. */
   #schemaUpdateNames = /* @__PURE__ */ new Map();
   /**
    * per-collection `blobFields` retention/TTL config.
@@ -4690,8 +4616,7 @@ var Vault = class {
    * Cache of closed/opened accounting periods.
    * Populated on first `closePeriod` / `openPeriod` / `listPeriods` /
    * per-collection write call. Kept in memory as an ordered list (by
-   * `closedAt`) so the `periodGuard` hook runs synchronously against
-   * each collection's put/delete path.
+   * `closedAt`) so period checks run fast when the gate bus fires.
    *
    * Sentinel `null` means "not yet loaded" — the first consumer
    * triggers a one-time `loadPeriods()` pass. Every subsequent
@@ -4886,6 +4811,7 @@ var Vault = class {
         emitter: this.emitter,
         writeQueue: this.noydb._writeQueueTracker,
         writeHooks: this.noydb._writeHooks,
+        subsystemBus: this.noydb._subsystemBus,
         activeTxId: () => this.noydb._activeTxContextOrNull?.txId ?? null,
         schemaUpdateGate,
         schemaFence: this.schemaFence,
@@ -4908,18 +4834,12 @@ var Vault = class {
         defaultLocale: this.locale,
         onRegisterConflictResolver: this.onRegisterConflictResolver,
         onAccess: (op, id) => this._logConsent(op, collectionName, id),
-        periodGuard: (existing, incoming) => this._assertTsWritable(existing, incoming),
-        // Guard / derivation sources are only wired when the
-        // corresponding registry has been initialised. Vaults without
-        // guards/derivations skip this entirely so `Collection.put`'s
-        // `if (this.guardSource)` / `if (this.derivationSource)`
-        // branches no-op without ever touching the subsystem code.
-        ...this.guardRegistry !== null ? {
-          guardSource: {
-            registry: () => this.guardRegistry,
-            readOnlyVault: () => this._ensureReadOnlyFacade()
-          }
-        } : {},
+        // Derivation source is only wired when the corresponding registry
+        // has been initialised. Guard source was removed in Track A slice 3b
+        // — guards now run via the gate bus in Noydb.#registerGuardGate.
+        // Vaults without derivations skip this so `Collection.put`'s
+        // `if (this.derivationSource)` branch no-ops without touching the
+        // derivation subsystem code.
         ...this.derivationRegistry !== null ? {
           derivationSource: {
             registry: () => this.derivationRegistry,
@@ -5009,7 +4929,7 @@ var Vault = class {
     await Promise.allSettled(pending);
   }
   /**
-   * Run a coordinated schema cutover (#232). Drains pending writes, waits
+   * Run a coordinated schema cutover. Drains pending writes, waits
    * for the active client set to quiesce (the ack-barrier), applies every
    * pending collection transform in bulk, bumps the vault schema generation,
    * and clears the fence. Returns the count of collections migrated.
@@ -5027,9 +4947,9 @@ var Vault = class {
     await coll._applyCutoverTransform(transform);
   }
   /**
-   * #228b — refresh a loaded collection's view of one document from a peer
+   * Refresh a loaded collection's view of one document from a peer
    * tab's broadcast. No-op when the collection isn't loaded in this tab
-   * (it will read fresh on next open). Mirrors #runCutoverTransform's guard.
+   * (it will read fresh on next open). Mirrors `#runCutoverTransform`'s guard.
    */
   async _applyRemoteWrite(collectionName, docId, action) {
     const coll = this.collectionCache.get(collectionName);
@@ -5037,9 +4957,9 @@ var Vault = class {
     await coll._applyRemoteChange(docId, action);
   }
   /**
-   * #228c — for a detected conflict: capture this tab's clobbered record,
+   * For a detected conflict: capture this tab's clobbered record,
    * read the common ancestor from history, converge the cache to the store's
-   * authoritative value (the (b) re-read), and return all three for the
+   * authoritative value (the re-read), and return all three for the
    * WriteConflict payload. Returns null when the collection isn't loaded.
    */
   async _captureAndConverge(collectionName, docId, action, baseV) {
@@ -5056,15 +4976,15 @@ var Vault = class {
     const remote = await coll.get(docId);
     return { local, remote, base };
   }
-  /** Recover a stuck cutover fence (#232) — reset to normal without bumping. */
+  /** Recover a stuck cutover fence — reset to normal without bumping. */
   async abortSchemaCutover() {
     await this.schemaFence.abort();
   }
-  /** Current schema-cutover fence state for this vault (#232/#233). Thin live read. */
+  /** Current schema-cutover fence state for this vault. Thin live read. */
   async schemaFenceState() {
     return loadFence(this.adapter, this.name);
   }
-  /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered (#232). */
+  /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
   _ensureFenceCoordination() {
     if (this.#fenceCoordinationStarted) return;
     this.#fenceCoordinationStarted = true;
@@ -5414,12 +5334,12 @@ var Vault = class {
     if (!fieldSchema) {
       throw new AttestationError(`issueAttestation: collection '${collectionName}' has no attestation field-schema. Declare it via vault.collection('${collectionName}', { attestation: { fields: [...] } }).`);
     }
-    const { issueAttestationCore } = await import("./issue-BAJ7ZB4S.js");
+    const { issueAttestationCore } = await import("./issue-IODMTPME.js");
     const out = await issueAttestationCore(this.makeIssueContext(), { collection: collectionName, id, fieldSchema });
     return { docId: out.docId, qr: out.qr, keyId: out.keyId, publicKeyB64: out.publicKeyB64 };
   }
   async getDocumentSigningPublicKey() {
-    const { loadSigner, loadOrCreateSigner } = await import("./signer-M4K5HBLD.js");
+    const { loadSigner, loadOrCreateSigner } = await import("./signer-WGDJNWSU.js");
     const existing = await loadSigner(this.adapter, this.name, this.getDEK);
     if (existing) return { keyId: existing.keyId, publicKeyB64: existing.publicKeyB64 };
     if (this.keyring.role !== "owner") {
@@ -5445,19 +5365,19 @@ var Vault = class {
     };
   }
   async revokeAttestation(docId) {
-    const { revokeDocCore } = await import("./revoke-7JOVLZFD.js");
+    const { revokeDocCore } = await import("./revoke-R5NIQ74J.js");
     await revokeDocCore(this.makeRevokeContext(), docId);
   }
   async unrevokeAttestation(docId) {
-    const { unrevokeDocCore } = await import("./revoke-7JOVLZFD.js");
+    const { unrevokeDocCore } = await import("./revoke-R5NIQ74J.js");
     await unrevokeDocCore(this.makeRevokeContext(), docId);
   }
   async getRevokedDocIds() {
-    const { getRevokedDocIdsCore } = await import("./revoke-7JOVLZFD.js");
+    const { getRevokedDocIdsCore } = await import("./revoke-R5NIQ74J.js");
     return getRevokedDocIdsCore(this.makeRevokeContext());
   }
   async publishRevocationList() {
-    const { publishRevocationListCore } = await import("./revoke-7JOVLZFD.js");
+    const { publishRevocationListCore } = await import("./revoke-R5NIQ74J.js");
     return publishRevocationListCore(this.makeRevokeContext());
   }
   makeRevokeContext() {
@@ -5737,7 +5657,7 @@ var Vault = class {
    * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
    * the registry with the supplied strategy handles. No-op when the
    * handles array is empty — keeps the guard subsystem out of the
-   * floor bundle for consumers that don't use guards (#130).
+   * floor bundle for consumers that don't use guards.
    *
    * The read-only facade is eagerly instantiated here so the sync
    * accessor `_getReadOnlyFacade()` (called from the tx amendment
@@ -5746,7 +5666,7 @@ var Vault = class {
   async _initGuards(handles) {
     if (handles.length === 0) return;
     const [{ GuardRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
-      import("./registry-2IEARCGT.js"),
+      import("./registry-DKEXOJVO.js"),
       import("./read-only-facade-ITU6L7BL.js")
     ]);
     const registry = new GuardRegistry();
@@ -5755,10 +5675,9 @@ var Vault = class {
     this.readOnlyFacade = new ReadOnlyVaultFacade(this);
   }
   /**
-   * @internal — Collection.put calls into this. Returns `null` for
-   * vaults that never registered any guard strategy. Callers MUST
-   * gate on null (the existing `if (this.guardSource)` branches in
-   * `Collection` already do this transitively).
+   * @internal — The gate handler in Noydb.#registerGuardGate calls into
+   * this. Returns `null` for vaults that never registered any guard
+   * strategy. Callers MUST gate on null.
    */
   _getGuardRegistry() {
     return this.guardRegistry;
@@ -5769,13 +5688,13 @@ var Vault = class {
    * derivation strategies (async because `strategyHash` computation
    * goes through `crypto.subtle.digest`). No-op when the handles
    * array is empty — keeps the derivation subsystem out of the floor
-   * bundle for consumers that don't use derivations (#130). Throws
+   * bundle for consumers that don't use derivations. Throws
    * `DerivationCycleError` if a cycle is detected after registration.
    */
   async _initDerivations(handles) {
     if (handles.length === 0) return;
     const [{ DerivationRegistry }, { ReadOnlyVaultFacade }] = await Promise.all([
-      import("./registry-EMGLZGR6.js"),
+      import("./registry-446I2NMN.js"),
       import("./read-only-facade-ITU6L7BL.js")
     ]);
     const registry = new DerivationRegistry();
@@ -5801,12 +5720,12 @@ var Vault = class {
    * MV spec (which invokes its `query()` once for dependency
    * analysis), then runs the unified cycle detection across the MV +
    * derivation graphs. No-op when the handles array is empty — keeps
-   * the MV subsystem out of the floor bundle (mirrors v1 #130).
+   * the MV subsystem out of the floor bundle (mirrors the derivation lazy-import pattern).
    * Throws `MaterializedViewCycleError` if a cycle is detected.
    */
   async _initMaterializedViews(handles) {
     if (handles.length === 0) return;
-    const { MaterializedViewRegistry } = await import("./registry-CDHASH73.js");
+    const { MaterializedViewRegistry } = await import("./registry-4NEW7LQY.js");
     const registry = new MaterializedViewRegistry();
     this.materializedViewRegistry = registry;
     const db = this;
@@ -5830,7 +5749,7 @@ var Vault = class {
    */
   async _initOverlayedViews(handles) {
     if (handles.length === 0) return;
-    const { OverlayedViewRegistry } = await import("./registry-NQALYR77.js");
+    const { OverlayedViewRegistry } = await import("./registry-524KJZG4.js");
     const registry = new OverlayedViewRegistry();
     const mvRegistry = this.materializedViewRegistry;
     const overlayNames = /* @__PURE__ */ new Set();
@@ -5858,13 +5777,13 @@ var Vault = class {
     return this.overlayedViewRegistry;
   }
   /**
-   * Manual re-materialize for a single registered MV (#151). Useful
+   * Manual re-materialize for a single registered MV. Useful
    * for `refresh: 'manual'` MVs (whose consumer drives refreshes
    * externally), for stale-bit recovery on vault re-open, and as the
    * explicit bulk-recompute escape hatch after a strategy change.
    *
-   * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
-   * foundation + this sub-issue — tombstoning lands in #152.
+   * Returns `{ written, deleted, failed }`. `deleted` is always 0
+   * when tombstoning is not enabled.
    *
    * Throws if `name` is not a registered MV.
    */
@@ -5877,13 +5796,13 @@ var Vault = class {
     if (!reg) {
       throw new Error(`refreshView: no MV registered with name "${name}"`);
     }
-    const { MaterializedViewExecutor } = await import("./executor-KT2IOZVP.js");
+    const { MaterializedViewExecutor } = await import("./executor-RWICJI7J.js");
     const result = await MaterializedViewExecutor.refresh(reg, {
       getCollection: (n) => this.collection(n),
       getActiveTxContext: () => this.noydb._activeTxContextOrNull,
       getQueryContext: () => this
     });
-    const { clearMVStale } = await import("./stale-PAGCS4K5.js");
+    const { clearMVStale } = await import("./stale-74WGLVZ2.js");
     clearMVStale(registry, name);
     return result;
   }
@@ -5899,7 +5818,7 @@ var Vault = class {
     if (registry === null) return { derived: 0, failed: 0 };
     const strategies = registry.strategiesForSource(sourceCollection);
     if (strategies.length === 0) return { derived: 0, failed: 0 };
-    const { DerivationExecutor } = await import("./executor-GFZFDQXV.js");
+    const { DerivationExecutor } = await import("./executor-SOLEQVUB.js");
     const sourceColl = this.collection(sourceCollection);
     const records = await sourceColl.list();
     const ctx = { vault: this.readOnlyFacade ?? new (await import("./read-only-facade-ITU6L7BL.js")).ReadOnlyVaultFacade(this) };
@@ -5924,7 +5843,7 @@ var Vault = class {
           if (!outSpec) continue;
           const outputColl = this.collection(outSpec.collection);
           if (out.kind === "array") {
-            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-NRBWSLRK.js");
+            const { loadFanoutSidecar, saveFanoutSidecar } = await import("./fanout-sidecar-EVICRM46.js");
             const prior = await loadFanoutSidecar(this.adapter, this.name, spec.source, id, key);
             const prevKeys = new Set(prior?.keys ?? []);
             const newKeysList = out.entries.map((e) => e.key);
@@ -5960,22 +5879,19 @@ var Vault = class {
   /**
    * @internal — exposed for `runTransaction({ amendment: true })` so
    * the amendment invariant runner can pass the SAME read-only vault
-   * facade that the per-record `Collection.put` guard hook uses
-   * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
-   * `_initGuards()` so this accessor stays synchronous; returns
-   * `null` for vaults that never registered any guard (amendments
-   * require at least one guard, so the caller should never see null).
+   * facade that the gate handler in Noydb.#registerGuardGate uses.
+   * Eagerly instantiated by `_initGuards()` so this accessor stays
+   * synchronous; returns `null` for vaults that never registered any
+   * guard (amendments require at least one guard, so the caller should
+   * never see null).
    */
   _getReadOnlyFacade() {
     return this.readOnlyFacade;
   }
   /**
-   * Internal lazy-allocator for the read-only facade. Used by the
-   * per-collection `guardSource.readOnlyVault` callback when guards
-   * ARE configured but `_initGuards()` raced with the first guard
-   * invocation (theoretically impossible — `Noydb.openVault` awaits
-   * `_initGuards` before returning — but we keep the defensive lazy
-   * path so the closure's contract stays "always returns a facade").
+   * Internal lazy-allocator for the read-only facade. Used as a
+   * defensive fallback; in practice `_initGuards()` eagerly
+   * instantiates this, so the lazy path is a no-op.
    */
   _ensureReadOnlyFacade() {
     if (this.readOnlyFacade !== null) return this.readOnlyFacade;
@@ -6148,7 +6064,7 @@ var Vault = class {
    * collection.
    */
   async delegate(opts) {
-    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-QSC7G5QC.js");
+    const { issueDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-42LO4WFO.js");
     if (!this.keyring.kek) {
       throw new ValidationError(
         "issueDelegation: keyring.kek is null \u2014 issuing a delegation requires a tier-1 unlock. Re-authenticate at tier 1 (passphrase) first."
@@ -6170,7 +6086,7 @@ var Vault = class {
    * if the id does not exist.
    */
   async revokeDelegation(id) {
-    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-QSC7G5QC.js");
+    const { revokeDelegation, DELEGATIONS_COLLECTION } = await import("./delegation-42LO4WFO.js");
     await revokeDelegation(this.adapter, this.name, id);
     void DELEGATIONS_COLLECTION;
   }
@@ -6430,7 +6346,7 @@ var Vault = class {
     const all = await this._loadPeriodsCache();
     return all.find((p) => p.name === name) ?? null;
   }
-  /** @internal — periodGuard callback installed on every Collection. */
+  /** @internal — called by the gate bus before put/delete. */
   async _assertTsWritable(existing, incoming) {
     if (existing === null && incoming === null) return;
     if (this.periodCache === null) {
@@ -6518,7 +6434,7 @@ var Vault = class {
     return dumpVaultSchema(this, opts);
   }
   /**
-   * Lightweight read of the vault's registered schema (#229): collections
+   * Lightweight read of the vault's registered schema: collections
    * (+ doc counts), guards, materialized views, schema-update strategies,
    * and the unlocked user's grants. Cheap — one `adapter.list` per
    * collection, no decryption. For a full snapshot + stats use dumpSchema().
@@ -6639,7 +6555,7 @@ var Vault = class {
    * @see docs/subsystems/public-envelope.md
    */
   async getPublicEnvelope(opts = {}) {
-    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-OHQ5UZFM.js");
+    const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-YKHKP74C.js");
     return readPublicEnvelope2(this.adapter, this.name, opts);
   }
   /**
@@ -7305,6 +7221,110 @@ var WriteHookRegistry = class {
   }
 };
 
+// src/subsystem-bus.ts
+var SubsystemBus = class {
+  #handlers = /* @__PURE__ */ new Map();
+  #gateHandlers = /* @__PURE__ */ new Map();
+  #depth = 0;
+  /** Register a handler for an observe point. Returns an unsubscribe fn. */
+  register(point, handler) {
+    let arr = this.#handlers.get(point);
+    if (!arr) {
+      arr = [];
+      this.#handlers.set(point, arr);
+    }
+    arr.push(handler);
+    return () => {
+      const a = this.#handlers.get(point);
+      if (!a) return;
+      const i = a.indexOf(handler);
+      if (i >= 0) a.splice(i, 1);
+    };
+  }
+  /** Cheap gate for the write path — true when any handler is registered for the point. */
+  hasHandlers(point) {
+    const a = this.#handlers.get(point);
+    return a !== void 0 && a.length > 0;
+  }
+  /**
+   * True while one or more dispatches are in flight. Backed by a depth counter
+   * so that two concurrent async dispatches (`Promise.all([put('a'), put('b')])`
+   * each captured `busAfterPut=true` at their respective put() tops while depth
+   * was 0) both proceed independently — the counter stays > 0 until BOTH finish,
+   * so any nested write attempted by a handler still sees `dispatching === true`
+   * and is suppressed by the write-path gate in `collection.ts`
+   * (`busAfterPut = hasHandlers('afterPut') && !dispatching`). Re-entrancy
+   * suppression lives exclusively on that write-path gate; concurrent independent
+   * dispatches must not drop each other's events.
+   */
+  get dispatching() {
+    return this.#depth > 0;
+  }
+  /**
+   * Dispatch in registration order, awaited. Per-handler errors are warned, not
+   * thrown — an observe handler must never abort a completed write. A
+   * re-entrancy guard suppresses nested firing so a handler that itself writes
+   * cannot loop (same rationale as WriteHookRegistry.#suppressed).
+   */
+  async dispatch(point, event) {
+    const a = this.#handlers.get(point);
+    if (!a || a.length === 0) return;
+    this.#depth++;
+    try {
+      for (const h of a.slice()) {
+        try {
+          await h(event);
+        } catch (err) {
+          console.warn(
+            `[noy-db] subsystem observe handler failed at ${point}: ` + (err instanceof Error ? err.message : String(err))
+          );
+        }
+      }
+    } finally {
+      this.#depth--;
+    }
+  }
+  /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
+  registerGate(point, handler) {
+    let arr = this.#gateHandlers.get(point);
+    if (!arr) {
+      arr = [];
+      this.#gateHandlers.set(point, arr);
+    }
+    arr.push(handler);
+    return () => {
+      const a = this.#gateHandlers.get(point);
+      if (!a) return;
+      const i = a.indexOf(handler);
+      if (i >= 0) a.splice(i, 1);
+    };
+  }
+  /** Cheap gate for the write path — true when any gate handler is registered for the point. */
+  hasGateHandlers(point) {
+    const a = this.#gateHandlers.get(point);
+    return a !== void 0 && a.length > 0;
+  }
+  /**
+   * Run gate handlers in registration order, awaited. Unlike `dispatch`
+   * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
+   * write before it reaches the store. The first throw stops the remaining
+   * handlers (fail-fast). This is the seam guards/periods migrate onto.
+   *
+   * Note: gate handlers are validators that read, not write. A gate handler
+   * that writes back into the same collection would re-enter the write path
+   * and re-dispatch this point; loop-suppression for that case is deferred to
+   * the migration slice (contract: gate handlers must not perform writes that
+   * re-trigger their own point).
+   */
+  async dispatchGate(point, event) {
+    const a = this.#gateHandlers.get(point);
+    if (!a || a.length === 0) return;
+    for (const h of a.slice()) {
+      await h(event);
+    }
+  }
+};
+
 // src/tab-coordination.ts
 var TabCoordinator = class {
   tabId;
@@ -7661,9 +7681,9 @@ var PERSONAL_POLICY = Object.freeze({
       minTier: 1,
       enabled: true
     },
-    // rotate-recovery (#121): deliberate paper-sheet regeneration
-    // when the user remembers their passphrase. PERSONAL matches the
-    // pre-#121 low-level flow's bar — knowing the passphrase is enough.
+    // rotate-recovery: deliberate paper-sheet regeneration
+    // when the user remembers their passphrase. PERSONAL allows tier-1 —
+    // knowing the passphrase is enough.
     "rotate-recovery": { minTier: 1 },
     "enroll-authenticator": { minTier: 1 },
     "remove-authenticator": { minTier: 1 },
@@ -7697,7 +7717,7 @@ var PERSONAL_POLICY = Object.freeze({
       minTier: 1,
       enabled: false
     },
-    // ─── User envelope gates (#22) ────────────────────────────────────
+    // ─── User envelope gates ──────────────────────────────────────────
     // edit-own-profile: tier 3 floor — any active session can edit their
     //   own profile/preferences. Tightening to require a TOTP for
     //   profile changes is a one-line override.
@@ -7724,7 +7744,7 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       enabled: true
     },
-    // rotate-recovery (#121): STRICT requires an off-device factor —
+    // rotate-recovery: STRICT requires an off-device factor —
     // rotating recovery is an off-site-trust event; a stolen unlocked
     // laptop must not be able to silently mint a new sheet for the
     // attacker. Matches the `peer-recover-user` STRICT default.
@@ -7797,7 +7817,7 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       enabled: false
     },
-    // ─── User envelope gates (#22) ────────────────────────────────────
+    // ─── User envelope gates ──────────────────────────────────────────
     // STRICT: profile edits require a TOTP/email-OTP factor (typical
     // shared-workstation hardening — your name/avatar shouldn't change
     // without a fresh second-factor proof).
@@ -7908,13 +7928,14 @@ var Noydb = class {
   emitter = new NoydbEventEmitter();
   writeQueueTracker = new WriteQueueTracker();
   writeHooks = new WriteHookRegistry();
+  subsystemBus = new SubsystemBus();
   clientId = generateULID();
   vaultCache = /* @__PURE__ */ new Map();
   keyringCache = /* @__PURE__ */ new Map();
   syncEngines = /* @__PURE__ */ new Map();
   /**
    * Per-vault active session tier — defaults to `1` after a passphrase
-   * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+   * unlock; tier-2 / tier-3 unlocks downgrade it. Used by
    * {@link checkGate} to evaluate `gate.minTier`.
    */
   activeTier = /* @__PURE__ */ new Map();
@@ -7924,14 +7945,14 @@ var Noydb = class {
    */
   policyCache = /* @__PURE__ */ new Map();
   /**
-   * One-shot bypass for the managed-mode strong-recovery check (#195).
+   * One-shot bypass for the managed-mode strong-recovery check.
    * Set true by {@link openVaultAndEnrollRecovery} for the duration of
    * the bootstrap window so the keyring can be created before the
    * strong recovery is enrolled. Always cleared (try/finally).
    * @internal
    */
   _skipNextManagedRecoveryCheck = false;
-  /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+  /** Per-vault tier-3 (PIN / quick-resume) state. */
   quickUnlock = new QuickUnlockStore();
   /**
    * Resolved public-envelope schema. Lazily computed once from
@@ -7941,9 +7962,9 @@ var Noydb = class {
   publicEnvelopeSchema;
   closed = false;
   sessionTimer = null;
-  /** Same-device multi-tab coordinator (#228); created on `enableTabCoordination()`. */
+  /** Same-device multi-tab coordinator; created on `enableTabCoordination()`. */
   tabCoordinator;
-  /** Cross-tab write relay (#228b); created on `enableTabCoordination()`. */
+  /** Cross-tab write relay; created on `enableTabCoordination()`. */
   writeRelay;
   /** Per-vault policy enforcers. */
   policyEnforcers = /* @__PURE__ */ new Map();
@@ -7956,8 +7977,8 @@ var Noydb = class {
    * the same function's `finally` block. Side-effect writes triggered
    * during a staged op's `Collection.put` (today: eager derivation
    * outputs) register their pre-write envelope on `_executed` here so
-   * a mid-batch failure rolls them back alongside the main staged ops
-   * (#133). `null` outside of Phase 2.
+   * a mid-batch failure rolls them back alongside the main staged ops.
+   * `null` outside of Phase 2.
    * @internal
    */
   _activeTxContext = null;
@@ -7978,8 +7999,95 @@ var Noydb = class {
     if (options.sessionPolicy) {
       this.sessionStrategy.validateSessionPolicy(options.sessionPolicy);
     }
+    this.#registerGuardGate();
+    this.#registerPeriodGate();
     this.resetSessionTimer();
   }
+  // Track A — guards migration. Registers record-lock / field-freeze / onDelete
+  // / amendment-collect as gate-bus handlers (only when guards are opted in, so
+  // the write path is zero-cost otherwise). Resolves the live vault's
+  // GuardRegistry per dispatch. Registered BEFORE the period gate so guard
+  // checks run first. The amendment branch is a side-effect (collectChange),
+  // NOT a throw — and runs even for internal deletes (an amendment invariant
+  // must see system housekeeping tombstones); onDelete/checks run only for
+  // user (non-internal) operations.
+  #registerGuardGate() {
+    if (this.options.guardStrategies === void 0) return;
+    this.subsystemBus.registerGate("beforePut", async (e) => {
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      const registry = v._getGuardRegistry();
+      if (!registry) return;
+      const guards = registry.guardsFor(e.collection);
+      if (guards.length === 0) return;
+      const existing = e.existing ?? null;
+      const incoming = e.incoming;
+      if (registry.isAmendmentActive()) {
+        registry.collectChange(e.collection, e.docId, existing, incoming, e.existingVersion, e.existingVersion + 1);
+        return;
+      }
+      const facade = v._getReadOnlyFacade();
+      if (!facade) return;
+      const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
+      await registry.runChecks(e.collection, incoming, ctx);
+      const { GuardExecutor } = await import("./executor-AWCHQ2KN.js");
+      for (const g of guards) {
+        await GuardExecutor.checkFrozenFields(g, e.docId, existing, incoming);
+      }
+    });
+    this.subsystemBus.registerGate("beforeDelete", async (e) => {
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      const registry = v._getGuardRegistry();
+      if (!registry) return;
+      const guards = registry.guardsFor(e.collection);
+      if (guards.length === 0) return;
+      const existing = e.existing ?? null;
+      if (registry.isAmendmentActive()) {
+        registry.collectChange(e.collection, e.docId, existing, null, e.existingVersion, e.existingVersion);
+        return;
+      }
+      if (e.internal) return;
+      const facade = v._getReadOnlyFacade();
+      if (!facade) return;
+      const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
+      await registry.runOnDelete(e.collection, existing ?? {}, ctx);
+    });
+  }
+  /**
+   * Register closed-period write guards on the subsystem bus when a
+   * periodsStrategy is configured.  Handlers resolve the live Vault from
+   * vaultCache so they always use the up-to-date period cache.
+   */
+  // Track A — periods migration. Registers the closed-period write guard as a
+  // gate-bus handler (only when periods is opted in, so the write path is
+  // zero-cost otherwise). Each handler resolves the LIVE vault from the cache
+  // per dispatch and delegates to its `_assertTsWritable`, which owns all
+  // period logic. Resolving the live vault makes eviction/re-creation
+  // transparent. Semantics note: if a write reaches the gate through a retained
+  // collection handle whose vault has been evicted from `vaultCache` (e.g. a
+  // post-revocation write on a stale handle), the period check is skipped — the
+  // guard binds to the live vault, not a captured instance. Periods is a
+  // write-integrity guard, not a security boundary, and a re-open reloads the
+  // period cache; the trade-off is intentional.
+  #registerPeriodGate() {
+    if (this.options.periodsStrategy === void 0) return;
+    this.subsystemBus.registerGate("beforePut", async (e) => {
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      const existing = e.op === "create" ? null : { ts: e.existingTs ?? null, record: e.existing ?? null };
+      await v._assertTsWritable(existing, e.incoming);
+    });
+    this.subsystemBus.registerGate("beforeDelete", async (e) => {
+      if (e.internal) return;
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      await v._assertTsWritable(
+        { ts: e.existingTs ?? null, record: e.existing ?? null },
+        null
+      );
+    });
+  }
   resetSessionTimer() {
     if (this.sessionTimer) clearTimeout(this.sessionTimer);
     const idleMs = this.options.sessionPolicy?.idleTimeoutMs ?? this.options.sessionTimeout;
@@ -8269,8 +8377,6 @@ var Noydb = class {
    * @throws `NoAccessError` when no keyring exists for the target.
    * @throws `PermissionDeniedError` when the role hierarchy rejects.
    * @throws `ValidationError` when no field is provided.
-   *
-   * @see #54
    */
   async updateUser(vault, options, factors) {
     await this.checkGate(vault, "update-user", factors);
@@ -8606,7 +8712,7 @@ var Noydb = class {
    * Phase 2. `Collection.dispatchDerivations` consults this so a
    * recursive derived-output write inside `Collection.put` can register
    * its envelope onto `ctx._executed` and roll back with the main
-   * staged ops on mid-batch failure (#133).
+   * staged ops on mid-batch failure.
    *
    * @internal
    */
@@ -8635,7 +8741,7 @@ var Noydb = class {
    * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
    * to publish an active context for the duration of its bulk-atomic
    * Phase 2 loop, so recursive derivation-output writes register on
-   * `ctx._executed` and roll back together with the source ops (#133).
+   * `ctx._executed` and roll back together with the source ops.
    *
    * @internal
    */
@@ -8706,26 +8812,26 @@ var Noydb = class {
     return this.writeQueueTracker;
   }
   /**
-   * Register a hook that runs before each write (#230). Awaited; a throw
+   * Register a hook that runs before each write. Awaited; a throw
    * aborts the write. Returns an unsubscribe function.
    */
   onBeforeWrite(handler) {
     return this.writeHooks.onBeforeWrite(handler);
   }
   /**
-   * Register a hook that runs after each committed write (#230). Awaited;
+   * Register a hook that runs after each committed write. Awaited;
    * a handler error is warned, never rolled back. Returns an unsubscribe fn.
    */
   onAfterWrite(handler) {
     return this.writeHooks.onAfterWrite(handler);
   }
-  /** Subscribe to cross-tab write conflicts (#228c). Returns an unsubscribe. */
+  /** Subscribe to cross-tab write conflicts. Returns an unsubscribe. */
   onWriteConflict(fn) {
     this.on("write:conflict", fn);
     return () => this.off("write:conflict", fn);
   }
   /**
-   * Enable same-device multi-tab coordination (#228): primary/secondary
+   * Enable same-device multi-tab coordination: primary/secondary
    * election + presence. Browser-only — a graceful no-op (role 'unknown')
    * when Web Locks / BroadcastChannel are unavailable and nothing is
    * injected. Idempotent; returns a disposer.
@@ -8808,7 +8914,11 @@ var Noydb = class {
   get _writeHooks() {
     return this.writeHooks;
   }
-  /** @internal Stable per-instance id for schema-cutover coordination (#232). */
+  /** @internal The observe bus, threaded into every Collection. */
+  get _subsystemBus() {
+    return this.subsystemBus;
+  }
+  /** @internal Stable per-instance id for schema-cutover coordination. */
   get _clientId() {
     return this.clientId;
   }
@@ -8828,10 +8938,6 @@ var Noydb = class {
    * survives lock; nothing about it changes when DEKs are scrubbed).
    *
    * No-op when `vault` is not currently in cache (idempotent).
-   *
-   * Unblocks vLannaAi/niwat#33.
-   *
-   * @see #17
    */
   lockVault(vault) {
     this.syncEngines.get(vault)?.stopAutoSync();
@@ -8946,7 +9052,7 @@ var Noydb = class {
     return merged;
   }
   /**
-   * Read the current vault-level user-directory toggle (#122). Returns
+   * Read the current vault-level user-directory toggle. Returns
    * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
    * document has been persisted yet.
    *
@@ -8958,7 +9064,7 @@ var Noydb = class {
     return persisted?.enabled ?? true;
   }
   /**
-   * Toggle the vault's user-directory listing on or off (#122).
+   * Toggle the vault's user-directory listing on or off.
    * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
    * {@link import('./errors.js').DirectoryDisabledError} for callers
    * whose role is neither `owner` nor `admin`.
@@ -9018,7 +9124,7 @@ var Noydb = class {
    *
    * Two enforcement modes:
    *
-   * 1. **Managed-mode mandatory strong-recovery (#195).** When
+   * 1. **Managed-mode mandatory strong-recovery.** When
    *    `passphraseMode === 'managed'`, the vault MUST have at least
    *    one **strong** recovery profile (Shamir today). Paper alone is
    *    rejected because under managed mode the user has no memorized
@@ -9052,14 +9158,14 @@ var Noydb = class {
     throw new RecoveryNotEnrolledError();
   }
   /**
-   * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+   * Internal accessor used by tier-2/tier-3 unlock paths
    * to mark the active session tier.
    * @internal
    */
   _setActiveTier(vault, tier) {
     this.activeTier.set(vault, tier);
   }
-  // ─── Tier-2 enroll / remove (issue #11) ────────────────────────
+  // ─── Tier-2 enroll / remove ─────────────────────────────────────
   /**
    * Add a tier-2 authenticator slot to the calling user's keyring.
    * Each slot independently wraps the SAME KEK under a method-specific
@@ -9089,7 +9195,7 @@ var Noydb = class {
     const next = await removeAuthenticator(this.options.store, vault, keyring, slotId);
     this.keyringCache.set(vault, next);
   }
-  /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+  /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
   async listAuthenticators(vault) {
     const keyring = await this.getKeyringInternal(vault);
     return keyring.authenticators;
@@ -9101,7 +9207,7 @@ var Noydb = class {
    * are immutable through this method. Anti-slot-swap is structural,
    * not gate-driven.
    *
-   * `meta` patch semantics (#57-aligned):
+   * `meta` patch semantics (top-level merge):
    *   - Top-level merge — absent keys preserved
    *   - `null` value — delete that meta key
    *   - Other values — replace verbatim
@@ -9119,8 +9225,6 @@ var Noydb = class {
    *
    * @throws `NoAccessError` when no slot with the given id exists.
    * @throws `ValidationError` when no patch field is provided.
-   *
-   * @see #55
    */
   async updateAuthenticator(vault, slotId, options, factors) {
     await this.checkGate(vault, "update-authenticator", factors);
@@ -9129,7 +9233,7 @@ var Noydb = class {
     this.keyringCache.set(vault, next);
   }
   /**
-   * Native WebAuthn enrollment using the **real** internal keyring (#16).
+   * Native WebAuthn enrollment using the **real** internal keyring.
    *
    * Why this exists: when a consumer is using `createNoydb({ secret })`,
    * they cannot reach the live `UnlockedKeyring` to feed it to
@@ -9172,8 +9276,6 @@ var Noydb = class {
    * a server-side allowlist).
    *
    * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
-   *
-   * @see #16
    */
   async enrollWebAuthn(vault, ceremony, factors) {
     await this.checkGate(vault, "enroll-authenticator", factors);
@@ -9200,8 +9302,6 @@ var Noydb = class {
    * deciding when a new device prompt should appear. Identity is
    * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
    * `allowCredentials` at unlock time.
-   *
-   * @see #16
    */
   async listWebAuthnSlots(vault) {
     const keyring = await this.getKeyringInternal(vault);
@@ -9283,7 +9383,7 @@ var Noydb = class {
   async getPublicEnvelope(vault, opts = {}) {
     return readPublicEnvelope(this.options.store, vault, opts);
   }
-  // ─── Auth introspection (issue #13) ────────────────────────────
+  // ─── Auth introspection ─────────────────────────────────────────
   /** English summary of the configured auth model. */
   async describeAuthConfig(vault) {
     return describeAuthConfig(this.options.store, vault);
@@ -9306,7 +9406,7 @@ var Noydb = class {
     await this.checkGate(vault, "view-user-auth", factors);
     return describeAllUsersAuth(this.options.store, vault);
   }
-  // ─── Tier-1 change flows (issue #10) ───────────────────────────
+  // ─── Tier-1 change flows ────────────────────────────────────────
   /**
    * Rotate the user's passphrase (user remembers old). Validates the
    * new phrase against the configured `passphrase` policy, runs the
@@ -9314,8 +9414,7 @@ var Noydb = class {
    *
    * Tier-2 authenticator slots are dropped — each slot wraps the old
    * KEK and would need its derivation key to be re-presented. Re-enrol
-   * via `db.enrollAuthenticator` after rotation. Tracked as a
-   * v0.1.0-pre.5 limitation.
+   * via `db.enrollAuthenticator` after rotation.
    *
    * @throws `WeakPassphraseError` on a weak new phrase.
    * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
@@ -9337,8 +9436,8 @@ var Noydb = class {
   }
   /**
    * Reset the passphrase using a recovery proof (user forgot the old).
-   * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
-   * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+   * Currently supports the `'paper'` profile end-to-end; the
+   * other profiles throw {@link RecoveryProfileNotImplementedError}.
    *
    * Burns the used recovery entry on success.
    */
@@ -9367,7 +9466,7 @@ var Noydb = class {
     return { newCodes: codes };
   }
   /**
-   * Deliberate paper-recovery-code regeneration (#121). User knows their
+   * Deliberate paper-recovery-code regeneration. User knows their
    * passphrase but wants a fresh sheet — they lost the printout or
    * suspect compromise of the off-site copy.
    *
@@ -9377,7 +9476,7 @@ var Noydb = class {
    *
    * Gated by the `rotate-recovery` policy gate:
    *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
-   *     suffices, matching the pre-#121 low-level flow's bar.
+   *     suffices, matching the lower-level flow's bar.
    *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
    *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
    *     off-site-trust event; require an off-device factor so a
@@ -9482,7 +9581,7 @@ var Noydb = class {
     return { newShares: shareStrings, entryId: targetEntryId };
   }
   /**
-   * **Atomic create-and-enroll for managed-mode vaults (#195).**
+   * **Atomic create-and-enroll for managed-mode vaults.**
    *
    * Bootstraps a managed-mode vault and enrolls strong recovery in
    * a single ceremony. Under `passphraseMode: 'managed'`, every
@@ -9553,7 +9652,7 @@ var Noydb = class {
     return { vault: vaultHandle, recoveryEnrollments };
   }
   /**
-   * **Recovery flow under managed-passphrase mode (#195).**
+   * **Recovery flow under managed-passphrase mode.**
    *
    * Replaces the sealed passphrase of a managed-mode vault with a
    * fresh 256-bit random, sealed under the configured
@@ -9570,7 +9669,7 @@ var Noydb = class {
    *   5. Drop the keyring cache so the next operation re-derives.
    *
    * The vault's strong-recovery enrollment is preserved across
-   * recovery (Shamir entries are not burned on use — see #196).
+   * recovery (Shamir entries are not burned on use).
    *
    * @throws ValidationError if the Noydb instance is not in managed mode.
    */
@@ -9618,7 +9717,7 @@ var Noydb = class {
   }
   /**
    * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
-   * a fresh temp passphrase in a single store write. Closes #34's
+   * a fresh temp passphrase in a single store write. Closes the
    * partial-failure window (the previous compose-from-primitives
    * pattern was `db.revoke + db.grant`, two writes — if the issuer
    * cancelled between them the target was locked out entirely).
@@ -9628,7 +9727,7 @@ var Noydb = class {
    *   - Same `userId`, role, permissions, capabilities preserved.
    *   - DEKs unchanged → every other principal in the vault keeps
    *     access. No key rotation.
-   *   - Allows owner→owner natively (#33). The existing
+   *   - Allows owner→owner natively. The existing
    *     `db.revoke` retains its block — peer-recovery is a separate,
    *     intentionally-named operation.
    *   - Tier-2 slots dropped (they wrap the old KEK).
@@ -9657,7 +9756,6 @@ var Noydb = class {
    * @throws `PrivilegeEscalationError` when the caller lacks a DEK
    *         the target previously had access to.
    *
-   * @see #33 #34 — the issues this method closes.
    */
   async recoverUser(vault, options, factors) {
     await this.checkGate(vault, "peer-recover-user", factors);
@@ -9668,7 +9766,7 @@ var Noydb = class {
     }
   }
   /**
-   * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+   * Persist a recovery enrollment. Accepts the `'paper'`
    * profile.
    *
    * The hub wraps the user's DEK set (not the KEK) under a code-derived
@@ -9688,7 +9786,7 @@ var Noydb = class {
    * showCodesToUser(codes)
    * ```
    *
-   * As of pre.8, `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
+   * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
    * delegates to `mintPaperRecoveryEntry` internally — its output is
    * fed directly to this API. Pick whichever fits your code-gen layer:
    *
@@ -9728,13 +9826,13 @@ var Noydb = class {
       "#196"
     );
   }
-  /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
+  /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
   async listRecoveryEntries(vault) {
     const paper = await loadPaperRecoveryEntries(this.options.store, vault);
     const shamir = await loadShamirRecoveryEntries(this.options.store, vault);
     return { paper, shamir };
   }
-  // ─── Tier-3 enroll / unlock (issue #11) ────────────────────────
+  // ─── Tier-3 enroll / unlock ─────────────────────────────────────
   /**
    * Register a tier-3 quick-unlock state for the vault. The state is
    * an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
@@ -9770,11 +9868,11 @@ var Noydb = class {
     this.quickUnlock.delete(vault);
   }
   /**
-   * Public accessor for the unlocked keyring of a vault — issue #28.
+   * Public accessor for the unlocked keyring of a vault.
    *
    * Returns a **defensive shallow copy** so consumers can read the DEK
    * map and authenticator list without the risk of mutating the hub's
-   * internal cache (#88). Internal hub code paths use a live reference
+   * internal cache. Internal hub code paths use a live reference
    * via `getKeyringInternal`; ceremonies and external consumers always
    * get a snapshot.
    *
@@ -9957,4 +10055,4 @@ export {
   Noydb,
   createNoydb
 };
-//# sourceMappingURL=chunk-T6HQMVML.js.map
+//# sourceMappingURL=chunk-BT7544RM.js.map