@noy-db/hub 0.2.0-pre.3 → 0.2.0-pre.5

package/dist/index.cjs

@@ -3542,7 +3542,7 @@ var init_registry2 = __esm({
       guardsFor(collection) {
         return this._byCollection.get(collection) ?? [];
       }
-      /** Per-collection guard counts, for introspection (#229). */
+      /** Per-collection guard counts, for introspection. */
       summary() {
         return [...this._byCollection.entries()].map(([collection, guards]) => ({
           collection,
@@ -8084,7 +8084,7 @@ async function changeSecret(adapter, vault, keyring, newPassphrase, passphraseOp
     // Tier-2 slots are NOT preserved through `changeSecret` —
     // each slot wraps the OLD KEK, so the new keyring has no
     // authenticator slots until the user re-enrolls. The higher-level
-    // `db.rotatePassphrase()` (#10) preserves slots by rewrapping the
+    // `db.rotatePassphrase()` preserves slots by rewrapping the
     // KEK reference, not the KEK itself.
     authenticators: [],
     ...keyring.policy !== void 0 && { policy: keyring.policy }
@@ -8976,7 +8976,7 @@ var UserApi = class {
    * the envelope on first call. Optimistic-concurrency safe — a stale
    * `_v` (parallel writer on another device) throws `ConflictError`.
    *
-   * Patch semantics (#57):
+   * Patch semantics:
    *   - `undefined` (or omitted key) — skip; existing value preserved
    *   - `null` — delete the field from the merged result
    *   - any other value — overwrite (deep-merge for plain objects,
@@ -9032,7 +9032,7 @@ var UserApi = class {
     this.fireChange(this.writerKeyringId, written);
     return written;
   }
-  // ─── Visibility (#122) ───────────────────────────────────────────────
+  // ─── Visibility ──────────────────────────────────────────────────────
   /**
    * Read the current user's visibility flag from
    * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
@@ -10028,7 +10028,7 @@ var Query = class _Query {
   /**
    * @internal — clone this Query with a declared-predicate map
    * attached. Used by the materialized-view registry to enable
-   * `.wherePredicate(name, ctx?)` for the MV's query callback (#153).
+   * `.wherePredicate(name, ctx?)` for the MV's query callback.
    * Consumers don't call this directly.
    */
   _withPredicates(predicates) {
@@ -10041,7 +10041,7 @@ var Query = class _Query {
     );
   }
   /**
-   * Filter by a registered deterministic predicate (#153). Requires
+   * Filter by a registered deterministic predicate. Requires
    * the Query to have been augmented with a predicates map (typically
    * via the materialized-view registry — bare Queries constructed
    * outside an MV throw on `.wherePredicate()`).
@@ -11695,7 +11695,7 @@ var NO_BLOBS = {
 init_errors();
 init_ulid();
 var TxContext = class {
-  /** Stable id for this transaction; shared by all writes it performs (#230). */
+  /** Stable id for this transaction; shared by all writes it performs. */
   txId = generateULID();
   /** @internal */
   _ops = [];
@@ -11705,7 +11705,7 @@ var TxContext = class {
    * restore prior state via `revertExecuted`. Side-effect writes (e.g.
    * recursive derivation outputs fired inside `Collection.put`) are
    * appended here in execution order so they roll back alongside the
-   * main staged ops (#133).
+   * main staged ops.
    */
   _executed = [];
   /** @internal */
@@ -12027,7 +12027,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
       }
       if (out.kind === "array") {
         console.warn(
-          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager" (#200 slice 1).`
+          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager".`
         );
         continue;
       }
@@ -12065,6 +12065,7 @@ var Collection = class {
   schemaUpdateGate;
   schemaFence;
   writeHooks;
+  subsystemBus;
   activeTxId;
   getDEK;
   onDirty;
@@ -12253,42 +12254,14 @@ var Collection = class {
   syncAdapter;
   /** — consent-audit hook, no-op when no scope is active. */
   onAccess;
-  /**
-   * accounting-period write guard. Called BEFORE any
-   * adapter write with:
-   *   - `existing` — the prior envelope's `_ts` and decrypted record
-   *     (or `null` if no prior envelope exists)
-   *   - `incoming` — the record being written (or `null` for delete)
-   *
-   * Throws `PeriodClosedError` if either side falls inside a closed
-   * period. Installed by Vault; no-op when no period has been closed.
-   * Async so the Vault can lazy-load the period list from the
-   * adapter on first use.
-   */
-  periodGuard;
-  /**
-   * Optional back-reference to the owning vault's guard registry + a
-   * read-only vault facade. When present, `Collection.put` and
-   * `Collection.delete` consult the registry for guards declared
-   * against this collection and run their `check` + `frozenFields`
-   * before the adapter write. Absent in unit tests that construct
-   * a Collection directly; production code always sets it via
-   * `Vault.collection()`.
-   *
-   * Typed structurally rather than as `Vault` to avoid a circular
-   * import (mirrors the `refEnforcer` / `joinResolver` pattern).
-   */
-  guardSource;
   /**
    * Vault-internal hook for derivation dispatch. When set,
    * `Collection.put` consults the registry after the source-write
    * commits and writes derived outputs through `getCollection(name).put`.
-   * Same structural-interface pattern as `guardSource` to avoid a
-   * circular Vault import.
    */
   derivationSource;
   /**
-   * Vault-internal hook for materialized-view dispatch (#143/#150).
+   * Vault-internal hook for materialized-view dispatch.
    * Parallel to `derivationSource` — when set, `Collection.put` fires
    * `MaterializedViewRegistry.onSourceWrite` after the source-write
    * commits + after `dispatchDerivations` has run.
@@ -12344,6 +12317,7 @@ var Collection = class {
     this.schemaUpdateGate = opts.schemaUpdateGate;
     this.schemaFence = opts.schemaFence;
     this.writeHooks = opts.writeHooks;
+    this.subsystemBus = opts.subsystemBus;
     this.activeTxId = opts.activeTxId;
     this.blobStrategy = opts.blobStrategy ?? NO_BLOBS;
     this.aggregateStrategy = opts.aggregateStrategy ?? NO_AGGREGATE;
@@ -12368,8 +12342,6 @@ var Collection = class {
     this.crdtMode = opts.crdt;
     this.syncAdapter = opts.syncAdapter;
     this.onAccess = opts.onAccess;
-    this.periodGuard = opts.periodGuard;
-    this.guardSource = opts.guardSource;
     this.derivationSource = opts.derivationSource;
     this.materializedViewSource = opts.materializedViewSource;
     this.tiers = opts.tiers && opts.tiers.length > 0 ? new Set(opts.tiers) : null;
@@ -12571,21 +12543,23 @@ var Collection = class {
   }
   /**
    * Create or update a record. Runs inside the hub's write-queue tracker
-   * (#227) so `hub.writeQueue.pending` reflects this write.
+   * so `hub.writeQueue.pending` reflects this write.
    *
    * @param id      Record identifier.
    * @param record  The record body (validated by the collection's schema
    *                if one was attached at `vault.collection(...)` time).
    * @param options Optional metadata for audit + import workflows.
    *                `reason` is stamped onto the resulting ledger entry
-   *                (see #1) so audit consumers can filter via
+   *                so audit consumers can filter via
    *                `entries.filter(e => e.reason?.startsWith('import:'))`.
    */
   async put(id, record, options) {
     await this.schemaUpdateGate?.assertWritable();
     await this.schemaFence?.assertWritable(this.name);
+    const hooksActive = this.#hooksActive();
+    const busAfterPut = (this.subsystemBus?.hasHandlers("afterPut") ?? false) && !(this.subsystemBus?.dispatching ?? false);
     let event;
-    if (this.#hooksActive()) {
+    if (hooksActive || busAfterPut) {
       const prior = await this.#priorForHook(id);
       event = {
         op: prior.record === null ? "create" : "update",
@@ -12600,23 +12574,26 @@ var Collection = class {
         baseVersion: prior.version,
         version: prior.version + 1
       };
-      await this.writeHooks.runBefore(event);
+      if (hooksActive) await this.writeHooks.runBefore(event);
     }
     if (this.writeQueue) await this.writeQueue.track(() => this.putInternal(id, record, options));
     else await this.putInternal(id, record, options);
-    if (event) await this.writeHooks.runAfter(event);
+    if (event) {
+      if (hooksActive) await this.writeHooks.runAfter(event);
+      if (busAfterPut) await this.subsystemBus.dispatch("afterPut", event);
+    }
   }
-  /** @internal #230 — true when hooks should fire for this write (handlers exist, not re-entrant). */
+  /** @internal — true when hooks should fire for this write (handlers exist, not re-entrant). */
   #hooksActive() {
     return this.writeHooks !== void 0 && this.writeHooks.hasHandlers && !this.writeHooks.suppressed;
   }
   /**
-   * @internal #230/#228c — resolve the prior record for a hook's `before` and
+   * @internal — resolve the prior record for a hook's `before` and
    * its version. Critically, this uses the SAME basis `putInternal` writes from
    * (the in-memory cache in eager mode; lru-then-adapter in lazy) — NOT a fresh
    * store read — so `baseVersion`/`version` match the version actually written.
    * A separate store read would diverge once another tab has advanced the shared
-   * store past this tab's cache, breaking #228c conflict detection.
+   * store past this tab's cache, breaking cross-tab conflict detection.
    */
   async #priorForHook(id) {
     if (this.lazy && this.lru) {
@@ -12638,52 +12615,28 @@ var Collection = class {
     if (!hasWritePermission(this.keyring, this.name)) {
       throw new ReadOnlyError();
     }
-    if (this.guardSource) {
-      const registry = this.guardSource.registry();
-      const guards = registry.guardsFor(this.name);
-      if (guards.length > 0) {
-        const existingEnv = await this.adapter.get(this.vault, this.name, id);
-        let existingRecord = null;
-        if (existingEnv) {
-          try {
-            existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
-          } catch {
-            existingRecord = null;
-          }
-        }
-        const incomingRecord = record;
-        const ctx = {
-          existing: existingRecord,
-          vault: this.guardSource.readOnlyVault(),
-          userId: this.keyring.userId,
-          role: this.keyring.role
-        };
-        if (registry.isAmendmentActive()) {
-          const vBefore = existingEnv?._v ?? 0;
-          registry.collectChange(this.name, id, existingRecord, incomingRecord, vBefore, vBefore + 1);
-        } else {
-          await registry.runChecks(this.name, incomingRecord, ctx);
-          const { GuardExecutor: GuardExecutor2 } = await Promise.resolve().then(() => (init_executor(), executor_exports));
-          for (const g of guards) {
-            await GuardExecutor2.checkFrozenFields(g, id, existingRecord, incomingRecord);
-          }
-        }
-      }
-    }
-    if (this.periodGuard !== void 0) {
+    if (this.subsystemBus?.hasGateHandlers("beforePut")) {
       const existingEnv = await this.adapter.get(this.vault, this.name, id);
-      let priorRecord = null;
+      let existingRecord = null;
       if (existingEnv) {
         try {
-          priorRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+          existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
         } catch {
-          priorRecord = null;
+          existingRecord = null;
         }
       }
-      await this.periodGuard(
-        existingEnv ? { ts: existingEnv._ts, record: priorRecord } : null,
-        record
-      );
+      await this.subsystemBus.dispatchGate("beforePut", {
+        op: existingEnv ? "update" : "create",
+        vault: this.vault,
+        collection: this.name,
+        docId: id,
+        incoming: record,
+        existing: existingRecord,
+        existingVersion: existingEnv?._v ?? 0,
+        existingTs: existingEnv?._ts,
+        userId: this.keyring.userId,
+        role: this.keyring.role
+      });
     }
     if (this.schema !== void 0) {
       record = await validateSchemaInput(this.schema, record, `put(${id})`);
@@ -12869,7 +12822,7 @@ var Collection = class {
    * Fire registered MV strategies whose dependency set includes this
    * collection. Eager-mode MVs re-materialize inline via
    * `MaterializedViewExecutor.refresh`; lazy / manual modes are
-   * no-ops in the foundation (subtask #150) — wired in #151.
+   * no-ops in the foundation; wired in the lazy-mode implementation.
    *
    * Skips entirely when the record being written is itself an
    * MV-emitted row (carries `_materializedFrom`) — defensive guard
@@ -13013,13 +12966,15 @@ var Collection = class {
   }
   /**
    * Delete a record by ID. Runs inside the hub's write-queue tracker
-   * (#227) so `hub.writeQueue.pending` reflects this write.
+   * so `hub.writeQueue.pending` reflects this write.
    */
   async delete(id) {
     await this.schemaUpdateGate?.assertWritable();
     await this.schemaFence?.assertWritable(this.name);
+    const hooksActive = this.#hooksActive();
+    const busAfterDelete = (this.subsystemBus?.hasHandlers("afterDelete") ?? false) && !(this.subsystemBus?.dispatching ?? false);
     let event;
-    if (this.#hooksActive()) {
+    if (hooksActive || busAfterDelete) {
       const prior = await this.#priorForHook(id);
       event = {
         op: "delete",
@@ -13034,14 +12989,17 @@ var Collection = class {
         baseVersion: prior.version,
         version: prior.version + 1
       };
-      await this.writeHooks.runBefore(event);
+      if (hooksActive) await this.writeHooks.runBefore(event);
     }
     if (this.writeQueue) await this.writeQueue.track(() => this.deleteInternal(id));
     else await this.deleteInternal(id);
-    if (event) await this.writeHooks.runAfter(event);
+    if (event) {
+      if (hooksActive) await this.writeHooks.runAfter(event);
+      if (busAfterDelete) await this.subsystemBus.dispatch("afterDelete", event);
+    }
   }
   /**
-   * @internal #232 — bulk-rewrite every record through a cutover transform.
+   * @internal — bulk-rewrite every record through a cutover transform.
    * Raw adapter path (bypasses the write gate + guards — the transform is
    * trusted and runs only during the `migrating` phase). Bumps each
    * record's `_v` and appends a ledger `op:'migration'` entry.
@@ -13080,8 +13038,7 @@ var Collection = class {
   }
   /**
    * @internal — system-internal delete that bypasses user-facing
-   * delete hooks (`onDelete`, accounting-period guard, FK ref
-   * enforcer). Used by derivation tombstones (#144) and MV refresh
+   * delete hooks (`onDelete`, FK ref enforcer). Used by derivation tombstones and MV refresh
    * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
    * registered against the output collection. The ledger entry and
    * history snapshot still fire so backup integrity and time-travel
@@ -13093,7 +13050,7 @@ var Collection = class {
    *
    * When a `txCtx` is supplied, the prior envelope is captured and
    * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
-   * the #133 rollback hardening for puts. Callers outside a
+   * the rollback hardening for puts. Callers outside a
    * multi-record transaction pass `null` and skip the tracking.
    *
    * Amendment composition: if `_internalDelete` runs while a vault's
@@ -13136,58 +13093,27 @@ var Collection = class {
     if (!hasWritePermission(this.keyring, this.name)) {
       throw new ReadOnlyError();
     }
-    if (this.guardSource) {
-      const registry = this.guardSource.registry();
-      const guards = registry.guardsFor(this.name);
-      if (guards.length > 0) {
-        const existingEnv = await this.adapter.get(this.vault, this.name, id);
-        if (existingEnv) {
-          let existingRecord = null;
-          try {
-            existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
-          } catch {
-            existingRecord = null;
-          }
-          if (registry.isAmendmentActive()) {
-            const vBefore = existingEnv._v;
-            registry.collectChange(
-              this.name,
-              id,
-              existingRecord,
-              null,
-              vBefore,
-              vBefore
-            );
-          } else if (!internal) {
-            const ctx = {
-              existing: existingRecord,
-              vault: this.guardSource.readOnlyVault(),
-              userId: this.keyring.userId,
-              role: this.keyring.role
-            };
-            await registry.runOnDelete(
-              this.name,
-              existingRecord ?? {},
-              ctx
-            );
-          }
-        }
-      }
-    }
-    if (!internal && this.periodGuard !== void 0) {
+    if (this.subsystemBus?.hasGateHandlers("beforeDelete")) {
       const existingEnv = await this.adapter.get(this.vault, this.name, id);
-      let priorRecord = null;
       if (existingEnv) {
+        let existingRecord = null;
         try {
-          priorRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+          existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
         } catch {
-          priorRecord = null;
+          existingRecord = null;
         }
+        await this.subsystemBus.dispatchGate("beforeDelete", {
+          vault: this.vault,
+          collection: this.name,
+          docId: id,
+          existing: existingRecord,
+          existingVersion: existingEnv._v,
+          existingTs: existingEnv._ts,
+          internal,
+          userId: this.keyring.userId,
+          role: this.keyring.role
+        });
       }
-      await this.periodGuard(
-        existingEnv ? { ts: existingEnv._ts, record: priorRecord } : null,
-        null
-      );
     }
     if (!internal && this.refEnforcer !== void 0) {
       await this.refEnforcer.enforceRefsOnDelete(this.name, id);
@@ -13248,7 +13174,7 @@ var Collection = class {
   }
   /**
    * Cascade deletes of array-shape derived rows when a source row is
-   * deleted (#200). Reads each registered strategy's fanout sidecar
+   * deleted. Reads each registered strategy's fanout sidecar
    * for this source id, deletes every listed derived row, then
    * deletes the sidecar itself.
    *
@@ -13287,8 +13213,8 @@ var Collection = class {
     }
   }
   /**
-   * Mirror of {@link dispatchMaterializedViews} for the delete path
-   * (#181). No record content is available (it's gone), so the
+   * Mirror of {@link dispatchMaterializedViews} for the delete path.
+   * No record content is available (it's gone), so the
    * `_materializedFrom` skip used by the put-side dispatch doesn't
    * apply here — instead, the recursion guard is the `internal` gate
    * at the `_doDelete` call site above.
@@ -13818,7 +13744,7 @@ var Collection = class {
    *   .aggregate({ total: sum('amount'), n: count() })
    * ```
    *
-   * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+   * **Lazy-MV gap:** `scan()` is synchronous-build and does
    * NOT trigger lazy materialized-view resolve-on-read. For lazy
    * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
    * before scanning. Same shape as the `query()` limitation.
@@ -13899,7 +13825,7 @@ var Collection = class {
     this.indexes?.upsert(id, record, previous ? previous.record : null);
   }
   /**
-   * #228b — apply a peer tab's committed write to THIS tab's in-memory view:
+   * Apply a peer tab's committed write to THIS tab's in-memory view:
    * re-read the (already-persisted) envelope from the shared store + refresh
    * cache/indexes, then emit a `change` event so reactive consumers re-render.
    * Never writes to the store and never fires write hooks, so it cannot loop.
@@ -13908,7 +13834,7 @@ var Collection = class {
     await this._invalidateCacheEntry(id);
     this.emitter.emit("change", { vault: this.vault, collection: this.name, id, action });
   }
-  /** @internal #228c — the current in-memory record without a store read (for conflict capture). */
+  /** @internal — the current in-memory record without a store read (for conflict capture). */
   _peekCached(id) {
     const entry = this.lazy && this.lru ? this.lru.get(id) : this.cache.get(id);
     return entry ? entry.record : null;
@@ -14959,7 +14885,7 @@ var OverlayedCollection = class {
   // error pointing at the relevant issue — so consumers don't hit a
   // cryptic `undefined is not a function` runtime crash.
   //
-  // Closes niwat-review of PR #160.
+  // Throw-stubs so consumers get actionable errors rather than cryptic crashes.
   /** @throws — chainable Query<T> over a virtual collection is deferred. */
   query() {
     throw new Error(
@@ -16270,23 +16196,23 @@ var Vault = class {
    * `null` for vaults that never register any guard strategy. The
    * runtime class is dynamic-imported on demand so consumers that
    * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
-   * their bundle (#130).
+   * their bundle.
    */
   guardRegistry = null;
   /**
    * Per-vault derivation registry. Same lazy-load contract as
    * `guardRegistry` — `null` until `_initDerivations()` runs with at
-   * least one strategy handle. See #130 for the bundle motivation.
+   * least one strategy handle.
    */
   derivationRegistry = null;
   /**
-   * Per-vault materialized-view registry (#143/#150). Same lazy-load
+   * Per-vault materialized-view registry. Same lazy-load
    * contract as `derivationRegistry` — `null` until
    * `_initMaterializedViews()` runs with at least one MV handle.
    */
   materializedViewRegistry = null;
   /**
-   * Per-vault overlay registry (#154). Same lazy-load contract as
+   * Per-vault overlay registry. Same lazy-load contract as
    * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
    * runs with at least one handle.
    */
@@ -16307,7 +16233,7 @@ var Vault = class {
    *   target this vault session's keyringId. There is no method to write
    *   another principal's envelope (own-only write rule, structural).
    * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
-   *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+   *   envelopes, subject to the `view-team-profiles` policy gate.
    * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
    *
    * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
@@ -16327,12 +16253,12 @@ var Vault = class {
    */
   reloadKeyring;
   collectionCache = /* @__PURE__ */ new Map();
-  /** #232 — vault-level schema cutover fence/controller. */
+  /** Vault-level schema cutover fence/controller. */
   schemaFence;
-  /** #232 — per-client heartbeat/watcher; started lazily on cutover registration. */
+  /** Per-client heartbeat/watcher; started lazily on cutover registration. */
   #fenceWatcher;
   #fenceCoordinationStarted = false;
-  /** #229 — per-collection registered schema-update strategy names. */
+  /** Per-collection registered schema-update strategy names. */
   #schemaUpdateNames = /* @__PURE__ */ new Map();
   /**
    * per-collection `blobFields` retention/TTL config.
@@ -16406,8 +16332,7 @@ var Vault = class {
    * Cache of closed/opened accounting periods.
    * Populated on first `closePeriod` / `openPeriod` / `listPeriods` /
    * per-collection write call. Kept in memory as an ordered list (by
-   * `closedAt`) so the `periodGuard` hook runs synchronously against
-   * each collection's put/delete path.
+   * `closedAt`) so period checks run fast when the gate bus fires.
    *
    * Sentinel `null` means "not yet loaded" — the first consumer
    * triggers a one-time `loadPeriods()` pass. Every subsequent
@@ -16602,6 +16527,7 @@ var Vault = class {
         emitter: this.emitter,
         writeQueue: this.noydb._writeQueueTracker,
         writeHooks: this.noydb._writeHooks,
+        subsystemBus: this.noydb._subsystemBus,
         activeTxId: () => this.noydb._activeTxContextOrNull?.txId ?? null,
         schemaUpdateGate,
         schemaFence: this.schemaFence,
@@ -16624,18 +16550,12 @@ var Vault = class {
         defaultLocale: this.locale,
         onRegisterConflictResolver: this.onRegisterConflictResolver,
         onAccess: (op, id) => this._logConsent(op, collectionName, id),
-        periodGuard: (existing, incoming) => this._assertTsWritable(existing, incoming),
-        // Guard / derivation sources are only wired when the
-        // corresponding registry has been initialised. Vaults without
-        // guards/derivations skip this entirely so `Collection.put`'s
-        // `if (this.guardSource)` / `if (this.derivationSource)`
-        // branches no-op without ever touching the subsystem code.
-        ...this.guardRegistry !== null ? {
-          guardSource: {
-            registry: () => this.guardRegistry,
-            readOnlyVault: () => this._ensureReadOnlyFacade()
-          }
-        } : {},
+        // Derivation source is only wired when the corresponding registry
+        // has been initialised. Guard source was removed in Track A slice 3b
+        // — guards now run via the gate bus in Noydb.#registerGuardGate.
+        // Vaults without derivations skip this so `Collection.put`'s
+        // `if (this.derivationSource)` branch no-ops without touching the
+        // derivation subsystem code.
         ...this.derivationRegistry !== null ? {
           derivationSource: {
             registry: () => this.derivationRegistry,
@@ -16725,7 +16645,7 @@ var Vault = class {
     await Promise.allSettled(pending);
   }
   /**
-   * Run a coordinated schema cutover (#232). Drains pending writes, waits
+   * Run a coordinated schema cutover. Drains pending writes, waits
    * for the active client set to quiesce (the ack-barrier), applies every
    * pending collection transform in bulk, bumps the vault schema generation,
    * and clears the fence. Returns the count of collections migrated.
@@ -16743,9 +16663,9 @@ var Vault = class {
     await coll._applyCutoverTransform(transform);
   }
   /**
-   * #228b — refresh a loaded collection's view of one document from a peer
+   * Refresh a loaded collection's view of one document from a peer
    * tab's broadcast. No-op when the collection isn't loaded in this tab
-   * (it will read fresh on next open). Mirrors #runCutoverTransform's guard.
+   * (it will read fresh on next open). Mirrors `#runCutoverTransform`'s guard.
    */
   async _applyRemoteWrite(collectionName, docId, action) {
     const coll = this.collectionCache.get(collectionName);
@@ -16753,9 +16673,9 @@ var Vault = class {
     await coll._applyRemoteChange(docId, action);
   }
   /**
-   * #228c — for a detected conflict: capture this tab's clobbered record,
+   * For a detected conflict: capture this tab's clobbered record,
    * read the common ancestor from history, converge the cache to the store's
-   * authoritative value (the (b) re-read), and return all three for the
+   * authoritative value (the re-read), and return all three for the
    * WriteConflict payload. Returns null when the collection isn't loaded.
    */
   async _captureAndConverge(collectionName, docId, action, baseV) {
@@ -16772,15 +16692,15 @@ var Vault = class {
     const remote = await coll.get(docId);
     return { local, remote, base };
   }
-  /** Recover a stuck cutover fence (#232) — reset to normal without bumping. */
+  /** Recover a stuck cutover fence — reset to normal without bumping. */
   async abortSchemaCutover() {
     await this.schemaFence.abort();
   }
-  /** Current schema-cutover fence state for this vault (#232/#233). Thin live read. */
+  /** Current schema-cutover fence state for this vault. Thin live read. */
   async schemaFenceState() {
     return loadFence(this.adapter, this.name);
   }
-  /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered (#232). */
+  /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
   _ensureFenceCoordination() {
     if (this.#fenceCoordinationStarted) return;
     this.#fenceCoordinationStarted = true;
@@ -17453,7 +17373,7 @@ var Vault = class {
    * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
    * the registry with the supplied strategy handles. No-op when the
    * handles array is empty — keeps the guard subsystem out of the
-   * floor bundle for consumers that don't use guards (#130).
+   * floor bundle for consumers that don't use guards.
    *
    * The read-only facade is eagerly instantiated here so the sync
    * accessor `_getReadOnlyFacade()` (called from the tx amendment
@@ -17471,10 +17391,9 @@ var Vault = class {
     this.readOnlyFacade = new ReadOnlyVaultFacade2(this);
   }
   /**
-   * @internal — Collection.put calls into this. Returns `null` for
-   * vaults that never registered any guard strategy. Callers MUST
-   * gate on null (the existing `if (this.guardSource)` branches in
-   * `Collection` already do this transitively).
+   * @internal — The gate handler in Noydb.#registerGuardGate calls into
+   * this. Returns `null` for vaults that never registered any guard
+   * strategy. Callers MUST gate on null.
    */
   _getGuardRegistry() {
     return this.guardRegistry;
@@ -17485,7 +17404,7 @@ var Vault = class {
    * derivation strategies (async because `strategyHash` computation
    * goes through `crypto.subtle.digest`). No-op when the handles
    * array is empty — keeps the derivation subsystem out of the floor
-   * bundle for consumers that don't use derivations (#130). Throws
+   * bundle for consumers that don't use derivations. Throws
    * `DerivationCycleError` if a cycle is detected after registration.
    */
   async _initDerivations(handles) {
@@ -17517,7 +17436,7 @@ var Vault = class {
    * MV spec (which invokes its `query()` once for dependency
    * analysis), then runs the unified cycle detection across the MV +
    * derivation graphs. No-op when the handles array is empty — keeps
-   * the MV subsystem out of the floor bundle (mirrors v1 #130).
+   * the MV subsystem out of the floor bundle (mirrors the derivation lazy-import pattern).
    * Throws `MaterializedViewCycleError` if a cycle is detected.
    */
   async _initMaterializedViews(handles) {
@@ -17574,13 +17493,13 @@ var Vault = class {
     return this.overlayedViewRegistry;
   }
   /**
-   * Manual re-materialize for a single registered MV (#151). Useful
+   * Manual re-materialize for a single registered MV. Useful
    * for `refresh: 'manual'` MVs (whose consumer drives refreshes
    * externally), for stale-bit recovery on vault re-open, and as the
    * explicit bulk-recompute escape hatch after a strategy change.
    *
-   * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
-   * foundation + this sub-issue — tombstoning lands in #152.
+   * Returns `{ written, deleted, failed }`. `deleted` is always 0
+   * when tombstoning is not enabled.
    *
    * Throws if `name` is not a registered MV.
    */
@@ -17676,22 +17595,19 @@ var Vault = class {
   /**
    * @internal — exposed for `runTransaction({ amendment: true })` so
    * the amendment invariant runner can pass the SAME read-only vault
-   * facade that the per-record `Collection.put` guard hook uses
-   * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
-   * `_initGuards()` so this accessor stays synchronous; returns
-   * `null` for vaults that never registered any guard (amendments
-   * require at least one guard, so the caller should never see null).
+   * facade that the gate handler in Noydb.#registerGuardGate uses.
+   * Eagerly instantiated by `_initGuards()` so this accessor stays
+   * synchronous; returns `null` for vaults that never registered any
+   * guard (amendments require at least one guard, so the caller should
+   * never see null).
    */
   _getReadOnlyFacade() {
     return this.readOnlyFacade;
   }
   /**
-   * Internal lazy-allocator for the read-only facade. Used by the
-   * per-collection `guardSource.readOnlyVault` callback when guards
-   * ARE configured but `_initGuards()` raced with the first guard
-   * invocation (theoretically impossible — `Noydb.openVault` awaits
-   * `_initGuards` before returning — but we keep the defensive lazy
-   * path so the closure's contract stays "always returns a facade").
+   * Internal lazy-allocator for the read-only facade. Used as a
+   * defensive fallback; in practice `_initGuards()` eagerly
+   * instantiates this, so the lazy path is a no-op.
    */
   _ensureReadOnlyFacade() {
     if (this.readOnlyFacade !== null) return this.readOnlyFacade;
@@ -18146,7 +18062,7 @@ var Vault = class {
     const all = await this._loadPeriodsCache();
     return all.find((p) => p.name === name) ?? null;
   }
-  /** @internal — periodGuard callback installed on every Collection. */
+  /** @internal — called by the gate bus before put/delete. */
   async _assertTsWritable(existing, incoming) {
     if (existing === null && incoming === null) return;
     if (this.periodCache === null) {
@@ -18234,7 +18150,7 @@ var Vault = class {
     return dumpVaultSchema(this, opts);
   }
   /**
-   * Lightweight read of the vault's registered schema (#229): collections
+   * Lightweight read of the vault's registered schema: collections
    * (+ doc counts), guards, materialized views, schema-update strategies,
    * and the unlocked user's grants. Cheap — one `adapter.list` per
    * collection, no decryption. For a full snapshot + stats use dumpSchema().
@@ -19021,6 +18937,110 @@ var WriteHookRegistry = class {
   }
 };
 
+// src/subsystem-bus.ts
+var SubsystemBus = class {
+  #handlers = /* @__PURE__ */ new Map();
+  #gateHandlers = /* @__PURE__ */ new Map();
+  #depth = 0;
+  /** Register a handler for an observe point. Returns an unsubscribe fn. */
+  register(point, handler) {
+    let arr = this.#handlers.get(point);
+    if (!arr) {
+      arr = [];
+      this.#handlers.set(point, arr);
+    }
+    arr.push(handler);
+    return () => {
+      const a = this.#handlers.get(point);
+      if (!a) return;
+      const i = a.indexOf(handler);
+      if (i >= 0) a.splice(i, 1);
+    };
+  }
+  /** Cheap gate for the write path — true when any handler is registered for the point. */
+  hasHandlers(point) {
+    const a = this.#handlers.get(point);
+    return a !== void 0 && a.length > 0;
+  }
+  /**
+   * True while one or more dispatches are in flight. Backed by a depth counter
+   * so that two concurrent async dispatches (`Promise.all([put('a'), put('b')])`
+   * each captured `busAfterPut=true` at their respective put() tops while depth
+   * was 0) both proceed independently — the counter stays > 0 until BOTH finish,
+   * so any nested write attempted by a handler still sees `dispatching === true`
+   * and is suppressed by the write-path gate in `collection.ts`
+   * (`busAfterPut = hasHandlers('afterPut') && !dispatching`). Re-entrancy
+   * suppression lives exclusively on that write-path gate; concurrent independent
+   * dispatches must not drop each other's events.
+   */
+  get dispatching() {
+    return this.#depth > 0;
+  }
+  /**
+   * Dispatch in registration order, awaited. Per-handler errors are warned, not
+   * thrown — an observe handler must never abort a completed write. A
+   * re-entrancy guard suppresses nested firing so a handler that itself writes
+   * cannot loop (same rationale as WriteHookRegistry.#suppressed).
+   */
+  async dispatch(point, event) {
+    const a = this.#handlers.get(point);
+    if (!a || a.length === 0) return;
+    this.#depth++;
+    try {
+      for (const h of a.slice()) {
+        try {
+          await h(event);
+        } catch (err) {
+          console.warn(
+            `[noy-db] subsystem observe handler failed at ${point}: ` + (err instanceof Error ? err.message : String(err))
+          );
+        }
+      }
+    } finally {
+      this.#depth--;
+    }
+  }
+  /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
+  registerGate(point, handler) {
+    let arr = this.#gateHandlers.get(point);
+    if (!arr) {
+      arr = [];
+      this.#gateHandlers.set(point, arr);
+    }
+    arr.push(handler);
+    return () => {
+      const a = this.#gateHandlers.get(point);
+      if (!a) return;
+      const i = a.indexOf(handler);
+      if (i >= 0) a.splice(i, 1);
+    };
+  }
+  /** Cheap gate for the write path — true when any gate handler is registered for the point. */
+  hasGateHandlers(point) {
+    const a = this.#gateHandlers.get(point);
+    return a !== void 0 && a.length > 0;
+  }
+  /**
+   * Run gate handlers in registration order, awaited. Unlike `dispatch`
+   * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
+   * write before it reaches the store. The first throw stops the remaining
+   * handlers (fail-fast). This is the seam guards/periods migrate onto.
+   *
+   * Note: gate handlers are validators that read, not write. A gate handler
+   * that writes back into the same collection would re-enter the write path
+   * and re-dispatch this point; loop-suppression for that case is deferred to
+   * the migration slice (contract: gate handlers must not perform writes that
+   * re-trigger their own point).
+   */
+  async dispatchGate(point, event) {
+    const a = this.#gateHandlers.get(point);
+    if (!a || a.length === 0) return;
+    for (const h of a.slice()) {
+      await h(event);
+    }
+  }
+};
+
 // src/tab-coordination.ts
 var TabCoordinator = class {
   tabId;
@@ -19336,9 +19356,9 @@ var PERSONAL_POLICY = Object.freeze({
       minTier: 1,
       enabled: true
     },
-    // rotate-recovery (#121): deliberate paper-sheet regeneration
-    // when the user remembers their passphrase. PERSONAL matches the
-    // pre-#121 low-level flow's bar — knowing the passphrase is enough.
+    // rotate-recovery: deliberate paper-sheet regeneration
+    // when the user remembers their passphrase. PERSONAL allows tier-1 —
+    // knowing the passphrase is enough.
     "rotate-recovery": { minTier: 1 },
     "enroll-authenticator": { minTier: 1 },
     "remove-authenticator": { minTier: 1 },
@@ -19372,7 +19392,7 @@ var PERSONAL_POLICY = Object.freeze({
       minTier: 1,
       enabled: false
     },
-    // ─── User envelope gates (#22) ────────────────────────────────────
+    // ─── User envelope gates ──────────────────────────────────────────
     // edit-own-profile: tier 3 floor — any active session can edit their
     //   own profile/preferences. Tightening to require a TOTP for
     //   profile changes is a one-line override.
@@ -19399,7 +19419,7 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       enabled: true
     },
-    // rotate-recovery (#121): STRICT requires an off-device factor —
+    // rotate-recovery: STRICT requires an off-device factor —
     // rotating recovery is an off-site-trust event; a stolen unlocked
     // laptop must not be able to silently mint a new sheet for the
     // attacker. Matches the `peer-recover-user` STRICT default.
@@ -19472,7 +19492,7 @@ var STRICT_POLICY = Object.freeze({
       minTier: 1,
       enabled: false
     },
-    // ─── User envelope gates (#22) ────────────────────────────────────
+    // ─── User envelope gates ──────────────────────────────────────────
     // STRICT: profile edits require a TOTP/email-OTP factor (typical
     // shared-workstation hardening — your name/avatar shouldn't change
     // without a fresh second-factor proof).
@@ -19583,13 +19603,14 @@ var Noydb = class {
   emitter = new NoydbEventEmitter();
   writeQueueTracker = new WriteQueueTracker();
   writeHooks = new WriteHookRegistry();
+  subsystemBus = new SubsystemBus();
   clientId = generateULID();
   vaultCache = /* @__PURE__ */ new Map();
   keyringCache = /* @__PURE__ */ new Map();
   syncEngines = /* @__PURE__ */ new Map();
   /**
    * Per-vault active session tier — defaults to `1` after a passphrase
-   * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+   * unlock; tier-2 / tier-3 unlocks downgrade it. Used by
    * {@link checkGate} to evaluate `gate.minTier`.
    */
   activeTier = /* @__PURE__ */ new Map();
@@ -19599,14 +19620,14 @@ var Noydb = class {
    */
   policyCache = /* @__PURE__ */ new Map();
   /**
-   * One-shot bypass for the managed-mode strong-recovery check (#195).
+   * One-shot bypass for the managed-mode strong-recovery check.
    * Set true by {@link openVaultAndEnrollRecovery} for the duration of
    * the bootstrap window so the keyring can be created before the
    * strong recovery is enrolled. Always cleared (try/finally).
    * @internal
    */
   _skipNextManagedRecoveryCheck = false;
-  /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+  /** Per-vault tier-3 (PIN / quick-resume) state. */
   quickUnlock = new QuickUnlockStore();
   /**
    * Resolved public-envelope schema. Lazily computed once from
@@ -19616,9 +19637,9 @@ var Noydb = class {
   publicEnvelopeSchema;
   closed = false;
   sessionTimer = null;
-  /** Same-device multi-tab coordinator (#228); created on `enableTabCoordination()`. */
+  /** Same-device multi-tab coordinator; created on `enableTabCoordination()`. */
   tabCoordinator;
-  /** Cross-tab write relay (#228b); created on `enableTabCoordination()`. */
+  /** Cross-tab write relay; created on `enableTabCoordination()`. */
   writeRelay;
   /** Per-vault policy enforcers. */
   policyEnforcers = /* @__PURE__ */ new Map();
@@ -19631,8 +19652,8 @@ var Noydb = class {
    * the same function's `finally` block. Side-effect writes triggered
    * during a staged op's `Collection.put` (today: eager derivation
    * outputs) register their pre-write envelope on `_executed` here so
-   * a mid-batch failure rolls them back alongside the main staged ops
-   * (#133). `null` outside of Phase 2.
+   * a mid-batch failure rolls them back alongside the main staged ops.
+   * `null` outside of Phase 2.
    * @internal
    */
   _activeTxContext = null;
@@ -19653,8 +19674,95 @@ var Noydb = class {
     if (options.sessionPolicy) {
       this.sessionStrategy.validateSessionPolicy(options.sessionPolicy);
     }
+    this.#registerGuardGate();
+    this.#registerPeriodGate();
     this.resetSessionTimer();
   }
+  // Track A — guards migration. Registers record-lock / field-freeze / onDelete
+  // / amendment-collect as gate-bus handlers (only when guards are opted in, so
+  // the write path is zero-cost otherwise). Resolves the live vault's
+  // GuardRegistry per dispatch. Registered BEFORE the period gate so guard
+  // checks run first. The amendment branch is a side-effect (collectChange),
+  // NOT a throw — and runs even for internal deletes (an amendment invariant
+  // must see system housekeeping tombstones); onDelete/checks run only for
+  // user (non-internal) operations.
+  #registerGuardGate() {
+    if (this.options.guardStrategies === void 0) return;
+    this.subsystemBus.registerGate("beforePut", async (e) => {
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      const registry = v._getGuardRegistry();
+      if (!registry) return;
+      const guards = registry.guardsFor(e.collection);
+      if (guards.length === 0) return;
+      const existing = e.existing ?? null;
+      const incoming = e.incoming;
+      if (registry.isAmendmentActive()) {
+        registry.collectChange(e.collection, e.docId, existing, incoming, e.existingVersion, e.existingVersion + 1);
+        return;
+      }
+      const facade = v._getReadOnlyFacade();
+      if (!facade) return;
+      const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
+      await registry.runChecks(e.collection, incoming, ctx);
+      const { GuardExecutor: GuardExecutor2 } = await Promise.resolve().then(() => (init_executor(), executor_exports));
+      for (const g of guards) {
+        await GuardExecutor2.checkFrozenFields(g, e.docId, existing, incoming);
+      }
+    });
+    this.subsystemBus.registerGate("beforeDelete", async (e) => {
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      const registry = v._getGuardRegistry();
+      if (!registry) return;
+      const guards = registry.guardsFor(e.collection);
+      if (guards.length === 0) return;
+      const existing = e.existing ?? null;
+      if (registry.isAmendmentActive()) {
+        registry.collectChange(e.collection, e.docId, existing, null, e.existingVersion, e.existingVersion);
+        return;
+      }
+      if (e.internal) return;
+      const facade = v._getReadOnlyFacade();
+      if (!facade) return;
+      const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
+      await registry.runOnDelete(e.collection, existing ?? {}, ctx);
+    });
+  }
+  /**
+   * Register closed-period write guards on the subsystem bus when a
+   * periodsStrategy is configured.  Handlers resolve the live Vault from
+   * vaultCache so they always use the up-to-date period cache.
+   */
+  // Track A — periods migration. Registers the closed-period write guard as a
+  // gate-bus handler (only when periods is opted in, so the write path is
+  // zero-cost otherwise). Each handler resolves the LIVE vault from the cache
+  // per dispatch and delegates to its `_assertTsWritable`, which owns all
+  // period logic. Resolving the live vault makes eviction/re-creation
+  // transparent. Semantics note: if a write reaches the gate through a retained
+  // collection handle whose vault has been evicted from `vaultCache` (e.g. a
+  // post-revocation write on a stale handle), the period check is skipped — the
+  // guard binds to the live vault, not a captured instance. Periods is a
+  // write-integrity guard, not a security boundary, and a re-open reloads the
+  // period cache; the trade-off is intentional.
+  #registerPeriodGate() {
+    if (this.options.periodsStrategy === void 0) return;
+    this.subsystemBus.registerGate("beforePut", async (e) => {
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      const existing = e.op === "create" ? null : { ts: e.existingTs ?? null, record: e.existing ?? null };
+      await v._assertTsWritable(existing, e.incoming);
+    });
+    this.subsystemBus.registerGate("beforeDelete", async (e) => {
+      if (e.internal) return;
+      const v = this.vaultCache.get(e.vault);
+      if (!v) return;
+      await v._assertTsWritable(
+        { ts: e.existingTs ?? null, record: e.existing ?? null },
+        null
+      );
+    });
+  }
   resetSessionTimer() {
     if (this.sessionTimer) clearTimeout(this.sessionTimer);
     const idleMs = this.options.sessionPolicy?.idleTimeoutMs ?? this.options.sessionTimeout;
@@ -19944,8 +20052,6 @@ var Noydb = class {
    * @throws `NoAccessError` when no keyring exists for the target.
    * @throws `PermissionDeniedError` when the role hierarchy rejects.
    * @throws `ValidationError` when no field is provided.
-   *
-   * @see #54
    */
   async updateUser(vault, options, factors) {
     await this.checkGate(vault, "update-user", factors);
@@ -20281,7 +20387,7 @@ var Noydb = class {
    * Phase 2. `Collection.dispatchDerivations` consults this so a
    * recursive derived-output write inside `Collection.put` can register
    * its envelope onto `ctx._executed` and roll back with the main
-   * staged ops on mid-batch failure (#133).
+   * staged ops on mid-batch failure.
    *
    * @internal
    */
@@ -20310,7 +20416,7 @@ var Noydb = class {
    * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
    * to publish an active context for the duration of its bulk-atomic
    * Phase 2 loop, so recursive derivation-output writes register on
-   * `ctx._executed` and roll back together with the source ops (#133).
+   * `ctx._executed` and roll back together with the source ops.
    *
    * @internal
    */
@@ -20381,26 +20487,26 @@ var Noydb = class {
     return this.writeQueueTracker;
   }
   /**
-   * Register a hook that runs before each write (#230). Awaited; a throw
+   * Register a hook that runs before each write. Awaited; a throw
    * aborts the write. Returns an unsubscribe function.
    */
   onBeforeWrite(handler) {
     return this.writeHooks.onBeforeWrite(handler);
   }
   /**
-   * Register a hook that runs after each committed write (#230). Awaited;
+   * Register a hook that runs after each committed write. Awaited;
    * a handler error is warned, never rolled back. Returns an unsubscribe fn.
    */
   onAfterWrite(handler) {
     return this.writeHooks.onAfterWrite(handler);
   }
-  /** Subscribe to cross-tab write conflicts (#228c). Returns an unsubscribe. */
+  /** Subscribe to cross-tab write conflicts. Returns an unsubscribe. */
   onWriteConflict(fn) {
     this.on("write:conflict", fn);
     return () => this.off("write:conflict", fn);
   }
   /**
-   * Enable same-device multi-tab coordination (#228): primary/secondary
+   * Enable same-device multi-tab coordination: primary/secondary
    * election + presence. Browser-only — a graceful no-op (role 'unknown')
    * when Web Locks / BroadcastChannel are unavailable and nothing is
    * injected. Idempotent; returns a disposer.
@@ -20483,7 +20589,11 @@ var Noydb = class {
   get _writeHooks() {
     return this.writeHooks;
   }
-  /** @internal Stable per-instance id for schema-cutover coordination (#232). */
+  /** @internal The observe bus, threaded into every Collection. */
+  get _subsystemBus() {
+    return this.subsystemBus;
+  }
+  /** @internal Stable per-instance id for schema-cutover coordination. */
   get _clientId() {
     return this.clientId;
   }
@@ -20503,10 +20613,6 @@ var Noydb = class {
    * survives lock; nothing about it changes when DEKs are scrubbed).
    *
    * No-op when `vault` is not currently in cache (idempotent).
-   *
-   * Unblocks vLannaAi/niwat#33.
-   *
-   * @see #17
    */
   lockVault(vault) {
     this.syncEngines.get(vault)?.stopAutoSync();
@@ -20621,7 +20727,7 @@ var Noydb = class {
     return merged;
   }
   /**
-   * Read the current vault-level user-directory toggle (#122). Returns
+   * Read the current vault-level user-directory toggle. Returns
    * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
    * document has been persisted yet.
    *
@@ -20633,7 +20739,7 @@ var Noydb = class {
     return persisted?.enabled ?? true;
   }
   /**
-   * Toggle the vault's user-directory listing on or off (#122).
+   * Toggle the vault's user-directory listing on or off.
    * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
    * {@link import('./errors.js').DirectoryDisabledError} for callers
    * whose role is neither `owner` nor `admin`.
@@ -20693,7 +20799,7 @@ var Noydb = class {
    *
    * Two enforcement modes:
    *
-   * 1. **Managed-mode mandatory strong-recovery (#195).** When
+   * 1. **Managed-mode mandatory strong-recovery.** When
    *    `passphraseMode === 'managed'`, the vault MUST have at least
    *    one **strong** recovery profile (Shamir today). Paper alone is
    *    rejected because under managed mode the user has no memorized
@@ -20727,14 +20833,14 @@ var Noydb = class {
     throw new RecoveryNotEnrolledError();
   }
   /**
-   * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+   * Internal accessor used by tier-2/tier-3 unlock paths
    * to mark the active session tier.
    * @internal
    */
   _setActiveTier(vault, tier) {
     this.activeTier.set(vault, tier);
   }
-  // ─── Tier-2 enroll / remove (issue #11) ────────────────────────
+  // ─── Tier-2 enroll / remove ─────────────────────────────────────
   /**
    * Add a tier-2 authenticator slot to the calling user's keyring.
    * Each slot independently wraps the SAME KEK under a method-specific
@@ -20764,7 +20870,7 @@ var Noydb = class {
     const next = await removeAuthenticator(this.options.store, vault, keyring, slotId);
     this.keyringCache.set(vault, next);
   }
-  /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+  /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
   async listAuthenticators(vault) {
     const keyring = await this.getKeyringInternal(vault);
     return keyring.authenticators;
@@ -20776,7 +20882,7 @@ var Noydb = class {
    * are immutable through this method. Anti-slot-swap is structural,
    * not gate-driven.
    *
-   * `meta` patch semantics (#57-aligned):
+   * `meta` patch semantics (top-level merge):
    *   - Top-level merge — absent keys preserved
    *   - `null` value — delete that meta key
    *   - Other values — replace verbatim
@@ -20794,8 +20900,6 @@ var Noydb = class {
    *
    * @throws `NoAccessError` when no slot with the given id exists.
    * @throws `ValidationError` when no patch field is provided.
-   *
-   * @see #55
    */
   async updateAuthenticator(vault, slotId, options, factors) {
     await this.checkGate(vault, "update-authenticator", factors);
@@ -20804,7 +20908,7 @@ var Noydb = class {
     this.keyringCache.set(vault, next);
   }
   /**
-   * Native WebAuthn enrollment using the **real** internal keyring (#16).
+   * Native WebAuthn enrollment using the **real** internal keyring.
    *
    * Why this exists: when a consumer is using `createNoydb({ secret })`,
    * they cannot reach the live `UnlockedKeyring` to feed it to
@@ -20847,8 +20951,6 @@ var Noydb = class {
    * a server-side allowlist).
    *
    * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
-   *
-   * @see #16
    */
   async enrollWebAuthn(vault, ceremony, factors) {
     await this.checkGate(vault, "enroll-authenticator", factors);
@@ -20875,8 +20977,6 @@ var Noydb = class {
    * deciding when a new device prompt should appear. Identity is
    * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
    * `allowCredentials` at unlock time.
-   *
-   * @see #16
    */
   async listWebAuthnSlots(vault) {
     const keyring = await this.getKeyringInternal(vault);
@@ -20958,7 +21058,7 @@ var Noydb = class {
   async getPublicEnvelope(vault, opts = {}) {
     return readPublicEnvelope(this.options.store, vault, opts);
   }
-  // ─── Auth introspection (issue #13) ────────────────────────────
+  // ─── Auth introspection ─────────────────────────────────────────
   /** English summary of the configured auth model. */
   async describeAuthConfig(vault) {
     return describeAuthConfig(this.options.store, vault);
@@ -20981,7 +21081,7 @@ var Noydb = class {
     await this.checkGate(vault, "view-user-auth", factors);
     return describeAllUsersAuth(this.options.store, vault);
   }
-  // ─── Tier-1 change flows (issue #10) ───────────────────────────
+  // ─── Tier-1 change flows ────────────────────────────────────────
   /**
    * Rotate the user's passphrase (user remembers old). Validates the
    * new phrase against the configured `passphrase` policy, runs the
@@ -20989,8 +21089,7 @@ var Noydb = class {
    *
    * Tier-2 authenticator slots are dropped — each slot wraps the old
    * KEK and would need its derivation key to be re-presented. Re-enrol
-   * via `db.enrollAuthenticator` after rotation. Tracked as a
-   * v0.1.0-pre.5 limitation.
+   * via `db.enrollAuthenticator` after rotation.
    *
    * @throws `WeakPassphraseError` on a weak new phrase.
    * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
@@ -21012,8 +21111,8 @@ var Noydb = class {
   }
   /**
    * Reset the passphrase using a recovery proof (user forgot the old).
-   * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
-   * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+   * Currently supports the `'paper'` profile end-to-end; the
+   * other profiles throw {@link RecoveryProfileNotImplementedError}.
    *
    * Burns the used recovery entry on success.
    */
@@ -21042,7 +21141,7 @@ var Noydb = class {
     return { newCodes: codes };
   }
   /**
-   * Deliberate paper-recovery-code regeneration (#121). User knows their
+   * Deliberate paper-recovery-code regeneration. User knows their
    * passphrase but wants a fresh sheet — they lost the printout or
    * suspect compromise of the off-site copy.
    *
@@ -21052,7 +21151,7 @@ var Noydb = class {
    *
    * Gated by the `rotate-recovery` policy gate:
    *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
-   *     suffices, matching the pre-#121 low-level flow's bar.
+   *     suffices, matching the lower-level flow's bar.
    *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
    *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
    *     off-site-trust event; require an off-device factor so a
@@ -21157,7 +21256,7 @@ var Noydb = class {
     return { newShares: shareStrings, entryId: targetEntryId };
   }
   /**
-   * **Atomic create-and-enroll for managed-mode vaults (#195).**
+   * **Atomic create-and-enroll for managed-mode vaults.**
    *
    * Bootstraps a managed-mode vault and enrolls strong recovery in
    * a single ceremony. Under `passphraseMode: 'managed'`, every
@@ -21228,7 +21327,7 @@ var Noydb = class {
     return { vault: vaultHandle, recoveryEnrollments };
   }
   /**
-   * **Recovery flow under managed-passphrase mode (#195).**
+   * **Recovery flow under managed-passphrase mode.**
    *
    * Replaces the sealed passphrase of a managed-mode vault with a
    * fresh 256-bit random, sealed under the configured
@@ -21245,7 +21344,7 @@ var Noydb = class {
    *   5. Drop the keyring cache so the next operation re-derives.
    *
    * The vault's strong-recovery enrollment is preserved across
-   * recovery (Shamir entries are not burned on use — see #196).
+   * recovery (Shamir entries are not burned on use).
    *
    * @throws ValidationError if the Noydb instance is not in managed mode.
    */
@@ -21293,7 +21392,7 @@ var Noydb = class {
   }
   /**
    * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
-   * a fresh temp passphrase in a single store write. Closes #34's
+   * a fresh temp passphrase in a single store write. Closes the
    * partial-failure window (the previous compose-from-primitives
    * pattern was `db.revoke + db.grant`, two writes — if the issuer
    * cancelled between them the target was locked out entirely).
@@ -21303,7 +21402,7 @@ var Noydb = class {
    *   - Same `userId`, role, permissions, capabilities preserved.
    *   - DEKs unchanged → every other principal in the vault keeps
    *     access. No key rotation.
-   *   - Allows owner→owner natively (#33). The existing
+   *   - Allows owner→owner natively. The existing
    *     `db.revoke` retains its block — peer-recovery is a separate,
    *     intentionally-named operation.
    *   - Tier-2 slots dropped (they wrap the old KEK).
@@ -21332,7 +21431,6 @@ var Noydb = class {
    * @throws `PrivilegeEscalationError` when the caller lacks a DEK
    *         the target previously had access to.
    *
-   * @see #33 #34 — the issues this method closes.
    */
   async recoverUser(vault, options, factors) {
     await this.checkGate(vault, "peer-recover-user", factors);
@@ -21343,7 +21441,7 @@ var Noydb = class {
     }
   }
   /**
-   * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+   * Persist a recovery enrollment. Accepts the `'paper'`
    * profile.
    *
    * The hub wraps the user's DEK set (not the KEK) under a code-derived
@@ -21363,7 +21461,7 @@ var Noydb = class {
    * showCodesToUser(codes)
    * ```
    *
-   * As of pre.8, `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
+   * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
    * delegates to `mintPaperRecoveryEntry` internally — its output is
    * fed directly to this API. Pick whichever fits your code-gen layer:
    *
@@ -21403,13 +21501,13 @@ var Noydb = class {
       "#196"
     );
   }
-  /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
+  /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
   async listRecoveryEntries(vault) {
     const paper = await loadPaperRecoveryEntries(this.options.store, vault);
     const shamir = await loadShamirRecoveryEntries(this.options.store, vault);
     return { paper, shamir };
   }
-  // ─── Tier-3 enroll / unlock (issue #11) ────────────────────────
+  // ─── Tier-3 enroll / unlock ─────────────────────────────────────
   /**
    * Register a tier-3 quick-unlock state for the vault. The state is
    * an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
@@ -21445,11 +21543,11 @@ var Noydb = class {
     this.quickUnlock.delete(vault);
   }
   /**
-   * Public accessor for the unlocked keyring of a vault — issue #28.
+   * Public accessor for the unlocked keyring of a vault.
    *
    * Returns a **defensive shallow copy** so consumers can read the DEK
    * map and authenticator list without the risk of mutating the hub's
-   * internal cache (#88). Internal hub code paths use a live reference
+   * internal cache. Internal hub code paths use a live reference
    * via `getKeyringInternal`; ceremonies and external consumers always
    * get a snapshot.
    *
@@ -22388,7 +22486,7 @@ function withDerivation(spec) {
     if (outputSpec.shape === "array") {
       if (lifecycleMode !== "eager") {
         throw new ValidationError(
-          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release (#200 slice 1). Output "${outputKey}" declared lifecycle '${lifecycleMode}'. Switch to \`lifecycle: "eager"\` or use shape: "record".`
+          `withDerivation: shape 'array' supports lifecycle 'eager' only in this release Output "${outputKey}" declared lifecycle '${lifecycleMode}'. Switch to \`lifecycle: "eager"\` or use shape: "record".`
         );
       }
       if (typeof outputSpec.key !== "function") {