@noy-db/hub 0.2.0-pre.4 → 0.2.0-pre.5

package/dist/{types-D9eB0Rvh.d.ts → types-BV4AZKmx.d.ts}

@@ -1,8 +1,8 @@
-import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-Rpd-V3jP.js';
+import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-D1MyR1qH.js';
 import { b as AggregateSpec, A as AggregateStrategy } from './strategy-DSTrsZ8t.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { N as NoydbError, Q as Query, ar as RefRegistry, ao as RefDescriptor, a2 as JoinableSource, at as RefViolation, au as ScanBuilder } from './index-BF1B2HB9.js';
-import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Dnu81tsS.js';
+import { N as NoydbError, Q as Query, ar as RefRegistry, ao as RefDescriptor, a2 as JoinableSource, at as RefViolation, au as ScanBuilder } from './index-fIPPh5dg.js';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-B0IKeBXx.js';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
@@ -797,7 +797,7 @@ interface LedgerEntry {
      * below for the structured payload.
      *
      * `'lifecycle'` records a non-data audit event (e.g. partition
-     * handover, #226) — `collection`/`id` are empty and the event detail
+     * handover) — `collection`/`id` are empty and the event detail
      * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
      * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
      * skips it in the data cross-check (it still participates in the
@@ -828,8 +828,8 @@ interface LedgerEntry {
      */
     readonly payloadHash: string;
     /**
-     * Optional human-readable tag describing why this mutation happened
-     * (#1). Threaded through `collection.put(_, _, { reason })`. Common
+     * Optional human-readable tag describing why this mutation happened.
+     * Threaded through `collection.put(_, _, { reason })`. Common
      * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
      * `as-*` ImportPlan.apply(), but consumers can use any string for
      * domain-specific audit filtering. Auto-strip via `canonicalJson` —
@@ -1106,8 +1106,8 @@ interface AppendInput {
      */
     amendment?: LedgerEntry['amendment'];
     /**
-     * Optional human-readable tag describing why this mutation happened
-     * (#1). Threaded from `collection.put(_, _, { reason })`.
+     * Optional human-readable tag describing why this mutation happened.
+     * Threaded from `collection.put(_, _, { reason })`.
      * Carried verbatim onto the resulting ledger entry's `reason` field;
      * omitted from canonical JSON when undefined.
      */
@@ -1848,7 +1848,6 @@ interface PassphrasePolicy {
      * double-space). For non-space-delimited word semantics, use
      * {@link customValidator} instead.
      *
-     * Added in pre.8 (#31).
      */
     readonly pattern?: RegExp;
     /**
@@ -1866,7 +1865,6 @@ interface PassphrasePolicy {
      * {@link assertStrongPassphrase} dispatches on — `ok: true` accepts;
      * `ok: false` throws `WeakPassphraseError` with the supplied reason.
      *
-     * Added in pre.8 (#31).
      */
     readonly customValidator?: (phrase: string) => PassphraseValidationResult;
 }
@@ -1983,7 +1981,7 @@ interface UnlockedKeyring {
      *   - Unencrypted mode (no KEK exists)
      *   - Tier-3 PIN quick-resume (`@noy-db/on-pin`)
      *   - Wrap-DEKs tier-2 unlock (`@noy-db/on-password`'s
-     *     `verifyPasswordSlot` after #26 Path C)
+     *     `verifyPasswordSlot`)
      *   - Session-state restore (`session/session.ts`)
      *   - Dev-unlock fixture (`session/dev-unlock.ts`)
      *
@@ -1992,9 +1990,8 @@ interface UnlockedKeyring {
      * null-check and throw a clear error if absent — re-authenticate
      * at tier 1 first to recover the KEK.
      *
-     * Tightened from `CryptoKey` to `CryptoKey | null` in pre.8 (#41).
-     * The runtime contract has always allowed null; the type now
-     * matches reality.
+     * Tightened from `CryptoKey` to `CryptoKey | null`; the runtime
+     * contract has always allowed null, the type now matches reality.
      */
     readonly kek: CryptoKey | null;
     readonly salt: Uint8Array;
@@ -2015,7 +2012,7 @@ interface UnlockedKeyring {
     /**
      * Tier-2 authenticator slots — readonly snapshot loaded from the
      * keyring file. Mutations go through `enrollAuthenticator` /
-     * `removeAuthenticator` (issue #11), which write back via
+     * `removeAuthenticator`, which write back via
      * `persistKeyring`. Always defined; loads with an empty array for
      * keyrings written before the multi-slot extension landed.
      */
@@ -2068,7 +2065,6 @@ declare function revoke(adapter: NoydbStore, vault: string, callerKeyring: Unloc
  * @throws `PermissionDeniedError` when the role hierarchy rejects.
  * @throws `ValidationError` when the diff is empty (nothing to update).
  *
- * @see #54
  */
 declare function updateKeyringIdentity(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: UpdateUserOptions): Promise<void>;
 /**
@@ -2163,7 +2159,7 @@ interface ListUsersOptions {
  * `userEnvelopeDek` is the vault's `_users` collection DEK
  * (`vault.getDEK('_users')`); used to decrypt every envelope.
  *
- * `callerRole` (#122) drives the directory-visibility checks:
+ * `callerRole` drives the directory-visibility checks:
  *
  *  - When the vault's `_meta/directory` document has `enabled: false`,
  *    only `owner` and `admin` callers may enumerate; anyone else gets
@@ -2173,7 +2169,7 @@ interface ListUsersOptions {
  *    `{ includeHidden: true }` to see them; lower roles passing that
  *    option get `PermissionDeniedError`.
  *
- * Honest caveat (#122): these filters are a UX hint, not a security
+ * Honest caveat: these filters are a UX hint, not a security
  * boundary. The keyring file is still listed at `_keyring/*` and the
  * envelope ciphertext at `_users/*`. A caller with direct store access
  * — or a caller that calls this function with `callerRole: 'owner'`
@@ -2550,7 +2546,7 @@ interface I18nStrategy {
 }
 
 /**
- * Observable write-queue (#227, M12 Slice 1).
+ * Observable write-queue.
  *
  * Tracks outstanding in-flight *logical* writes (a full Collection.put /
  * delete, including ledger + cache + derivation + MV dispatch — not just
@@ -2597,7 +2593,7 @@ declare class WriteQueueTracker implements WriteQueue {
 }
 
 /**
- * Hub-level write lifecycle hooks (#230). `onBeforeWrite` may abort (throw);
+ * Hub-level write lifecycle hooks. `onBeforeWrite` may abort (throw);
  * `onAfterWrite` is awaited and its errors are warned, not thrown. A
  * re-entrancy flag suppresses nested firing so a handler that writes can't
  * loop. Held on the Noydb instance, threaded into every Collection.
@@ -2616,15 +2612,15 @@ interface WriteEvent {
     readonly txId: string;
 }
 type WriteHook = (event: WriteEvent) => void | Promise<void>;
-type Unsubscribe$2 = () => void;
+type Unsubscribe$3 = () => void;
 declare class WriteHookRegistry {
     #private;
     /** True while handlers are running — used by the write path to skip nested firing. */
     get suppressed(): boolean;
     /** True when any hook is registered (cheap gate for the write path). */
     get hasHandlers(): boolean;
-    onBeforeWrite(handler: WriteHook): Unsubscribe$2;
-    onAfterWrite(handler: WriteHook): Unsubscribe$2;
+    onBeforeWrite(handler: WriteHook): Unsubscribe$3;
+    onAfterWrite(handler: WriteHook): Unsubscribe$3;
     /** Run before-hooks (awaited, in order). A throw propagates and aborts the write. */
     runBefore(event: WriteEvent): Promise<void>;
     /** Run after-hooks (awaited, in order). Per-handler errors are warned, not thrown. */
@@ -2632,7 +2628,113 @@ declare class WriteHookRegistry {
 }
 
 /**
- * Schema-update strategy framework types (#245, M12 §3a).
+ * Generic per-instance **observe** bus. Observe-class
+ * subsystems (devtools inspector, audit, sync-dirty notification) register
+ * handlers against named lifecycle points instead of the kernel naming each
+ * subsystem. Mirrors the registry pattern of {@link WriteHookRegistry} but is
+ * internal and keyed by lifecycle point.
+ *
+ * OBSERVE SEMANTICS: handlers react to a write that already happened. A
+ * handler throw is warned, not propagated — it can never abort a write. Write-
+ * *gating* subsystems (guards, periods) need a throw-propagating gate bus.
+ * Add observe points by extending {@link LifecycleEventMap}. Write-*gating*
+ * subsystems use the sibling gate API on this same class
+ * (`registerGate`/`dispatchGate`, throw-propagating); see {@link GateEventMap}.
+ *
+ * @module
+ */
+
+/** Typed map of OBSERVE lifecycle point → event payload. Extend by adding keys. */
+interface LifecycleEventMap {
+    afterPut: WriteEvent;
+    afterDelete: WriteEvent;
+}
+type LifecyclePoint = keyof LifecycleEventMap;
+type BusHandler<P extends LifecyclePoint> = (event: LifecycleEventMap[P]) => void | Promise<void>;
+type Unsubscribe$2 = () => void;
+/** Payload for a `beforePut` gate — carries the data guards and periods need to validate or reject a write. */
+interface GatePutEvent {
+    readonly op: 'create' | 'update';
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    /** The record about to be written (pre schema-validation). */
+    readonly incoming: unknown;
+    /** Decrypted prior record, or null on create / when prior is unreadable. */
+    readonly existing: unknown;
+    /** Prior envelope version, or 0 when none. */
+    readonly existingVersion: number;
+    /** Prior envelope timestamp (`_ts` ISO string), or undefined when none — periods compares against this. */
+    readonly existingTs: string | undefined;
+    readonly userId: string;
+    readonly role: Role;
+}
+/** Payload for a `beforeDelete` gate. Like {@link GatePutEvent} without `incoming`. */
+interface GateDeleteEvent {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    /** True for system-internal (housekeeping) deletes — handlers branch on this. */
+    readonly internal: boolean;
+    readonly existing: unknown;
+    readonly existingVersion: number;
+    readonly existingTs: string | undefined;
+    readonly userId: string;
+    readonly role: Role;
+}
+/** Typed map of GATE lifecycle point → event payload. Extend by adding keys. */
+interface GateEventMap {
+    beforePut: GatePutEvent;
+    beforeDelete: GateDeleteEvent;
+}
+type GatePoint = keyof GateEventMap;
+type GateHandler<P extends GatePoint> = (event: GateEventMap[P]) => void | Promise<void>;
+declare class SubsystemBus {
+    #private;
+    /** Register a handler for an observe point. Returns an unsubscribe fn. */
+    register<P extends LifecyclePoint>(point: P, handler: BusHandler<P>): Unsubscribe$2;
+    /** Cheap gate for the write path — true when any handler is registered for the point. */
+    hasHandlers(point: LifecyclePoint): boolean;
+    /**
+     * True while one or more dispatches are in flight. Backed by a depth counter
+     * so that two concurrent async dispatches (`Promise.all([put('a'), put('b')])`
+     * each captured `busAfterPut=true` at their respective put() tops while depth
+     * was 0) both proceed independently — the counter stays > 0 until BOTH finish,
+     * so any nested write attempted by a handler still sees `dispatching === true`
+     * and is suppressed by the write-path gate in `collection.ts`
+     * (`busAfterPut = hasHandlers('afterPut') && !dispatching`). Re-entrancy
+     * suppression lives exclusively on that write-path gate; concurrent independent
+     * dispatches must not drop each other's events.
+     */
+    get dispatching(): boolean;
+    /**
+     * Dispatch in registration order, awaited. Per-handler errors are warned, not
+     * thrown — an observe handler must never abort a completed write. A
+     * re-entrancy guard suppresses nested firing so a handler that itself writes
+     * cannot loop (same rationale as WriteHookRegistry.#suppressed).
+     */
+    dispatch<P extends LifecyclePoint>(point: P, event: LifecycleEventMap[P]): Promise<void>;
+    /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
+    registerGate<P extends GatePoint>(point: P, handler: GateHandler<P>): Unsubscribe$2;
+    /** Cheap gate for the write path — true when any gate handler is registered for the point. */
+    hasGateHandlers(point: GatePoint): boolean;
+    /**
+     * Run gate handlers in registration order, awaited. Unlike `dispatch`
+     * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
+     * write before it reaches the store. The first throw stops the remaining
+     * handlers (fail-fast). This is the seam guards/periods migrate onto.
+     *
+     * Note: gate handlers are validators that read, not write. A gate handler
+     * that writes back into the same collection would re-enter the write path
+     * and re-dispatch this point; loop-suppression for that case is deferred to
+     * the migration slice (contract: gate handlers must not perform writes that
+     * re-trigger their own point).
+     */
+    dispatchGate<P extends GatePoint>(point: P, event: GateEventMap[P]): Promise<void>;
+}
+
+/**
+ * Schema-update strategy framework types (M12 §3a).
  *
  * The hub core detects a schema change (SchemaDelta) and dispatches it
  * through a collection's ordered strategy list. Strategies decide what
@@ -2661,13 +2763,13 @@ interface SchemaDelta {
 interface UpdateContext {
     readonly collection: string;
 }
-/** Bulk transform run by the coordinatedCutover strategy (#232). */
+/** Bulk transform run by the coordinatedCutover strategy. */
 type TransformFn = (doc: Record<string, unknown>) => Record<string, unknown>;
 /**
  * A strategy's verdict on a detected schema change.
  * - `allow`   — no objection; the dispatcher falls through to the next strategy.
  * - `reject`  — terminal: refuse the change; `error` is thrown at the write path.
- * - `cutover` — terminal: run a coordinated drain-barrier (handled by #232).
+ * - `cutover` — terminal: run a coordinated drain-barrier (handled by coordinatedCutover).
  * New terminal actions may be added without breaking existing strategies.
  */
 type UpdateDecision = {
@@ -2686,7 +2788,7 @@ interface SchemaUpdateStrategy {
 }
 
 /**
- * Per-collection write gate (#245). Holds the (async) update decision
+ * Per-collection write gate. Holds the (async) update decision
  * computed at registration; `Collection.put`/`delete` await it before
  * writing and throw the strategy's rejection error.
  *
@@ -2703,7 +2805,7 @@ declare class SchemaUpdateGate {
 }
 
 /**
- * Schema-fence document (#232). Vault-level generation counter + drain
+ * Schema-fence document. Vault-level generation counter + drain
  * state, stored at `_meta/schema-fence` using the plaintext-envelope
  * pattern of `_meta/policy` (no PII — a counter + a state enum).
  */
@@ -2715,7 +2817,7 @@ interface FenceDoc {
 }
 
 /**
- * Vault-level schema-fence controller (#232).
+ * Vault-level schema-fence controller.
  *
  * Owns the open-time generation snapshot, the pending-cutover registry,
  * and the cutover orchestration. 3a: single-client (the caller is the
@@ -3313,7 +3415,7 @@ declare class SyncEngine {
 }
 
 /**
- * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
+ * **Wrap-DEKs primitive** — a single canonical shape for the
  * pattern of "serialize a DEK set, encrypt it under a credential-derived
  * AES-GCM key." Used by:
  *
@@ -3331,7 +3433,7 @@ declare class SyncEngine {
  * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
  * module docstring.
  *
- * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
+ * Previously, the same crypto lived in two places: `mintPaperRecoveryEntry`
  * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
  * `@noy-db/on-password`). Both functions did identical work — PBKDF2
  * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
@@ -3358,7 +3460,7 @@ declare class SyncEngine {
  * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
  * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
  * carries the same three fields with `salt` stored in `meta` for
- * slot-format back-compat (#44 defers moving it to top-level).
+ * slot-format back-compat (defers moving it to top-level).
  */
 interface WrappedDeksBlob {
     /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
@@ -3415,9 +3517,9 @@ interface ShamirRecoveryProvider {
 }
 
 /**
- * Recovery profile persistence + dispatch — issue #10.
+ * Recovery profile persistence + dispatch.
  *
- * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * Wires the **paper** profile end-to-end through
  * `@noy-db/on-recovery`. The other three profiles (Shamir,
  * multi-channel, admin-mediated) ship the API surface and throw
  * {@link RecoveryProfileNotImplementedError} during use; per-profile
@@ -3454,7 +3556,7 @@ interface ShamirRecoveryProvider {
  * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
  * constraint cleanly.
  *
- * Type-level composition (#44): `PaperRecoveryEntry extends
+ * Type-level composition: `PaperRecoveryEntry extends
  * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
  * `wrappedDeks`) come from the shared primitive; `codeId` and
  * `enrolledAt` are paper-recovery's own metadata. Wire format
@@ -3568,7 +3670,7 @@ declare function unwrapDeksFromShamirEntry(provider: ShamirRecoveryProvider, ent
  * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
  * DEK set, then mints a fresh KEK from the user's new passphrase.
  *
- * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
+ * Thin wrapper over {@link mintWrappedDeksBlob} — the crypto
  * lives in the shared primitive; this function just adds paper-
  * recovery's own metadata (`codeId`, `enrolledAt`).
  *
@@ -3583,14 +3685,14 @@ declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: stri
  * Decrypt a recovery entry to recover the raw DEK set. Used by the
  * `recoverPassphrase` flow after the user's code has been parsed.
  *
- * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
+ * Thin wrapper over {@link unwrapDeksFromBlob}.
  *
  * @throws when the code does not match the entry (AES-GCM auth tag fail).
  */
 declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
 
 /**
- * Tier-2 authenticator slot management — issue #11.
+ * Tier-2 authenticator slot management.
  *
  * Each slot independently wraps the SAME KEK under a method-specific
  * derived key (LUKS pattern). Enrolling adds a slot; removing drops
@@ -3640,15 +3742,14 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
  */
 declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
- * Caller payload for {@link updateAuthenticator} (#55). Mutates only
+ * Caller payload for {@link updateAuthenticator}. Mutates only
  * `meta` — the slot's id, method, and wrap material are immutable
  * through this primitive, preserving the anti-slot-swap guard.
  *
  * `meta` is **merged** at the top level: keys absent from the patch
  * are preserved, keys present overwrite. To clear a meta key, pass
- * `null` for that key explicitly. (Same semantics as #57's
- * `UserApi.updateMe`, scoped to this top-level merge — no recursion
- * into nested meta values.)
+ * `null` for that key explicitly. (Same top-level merge semantics as
+ * `UserApi.updateMe`, non-recursive — meta is a flat label bag.)
  */
 interface UpdateAuthenticatorOptions {
     readonly meta?: Record<string, unknown>;
@@ -3670,7 +3771,6 @@ interface UpdateAuthenticatorOptions {
  * @throws `NoAccessError` when no slot with the given id exists.
  * @throws `ValidationError` when no patch field is provided.
  *
- * @see #55
  */
 declare function updateAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string, options: UpdateAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
@@ -3687,7 +3787,7 @@ declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): Ke
 
 /**
  * Tier-1 change flows — `rotatePassphrase` (user remembers old) and
- * `recoverPassphrase` (user supplies a recovery proof). Issue #10.
+ * `recoverPassphrase` (user supplies a recovery proof).
  *
  * The two flows share the post-verification half — fresh salt, fresh
  * KEK, rewrap every DEK — and differ only in how they re-derive the
@@ -3753,10 +3853,9 @@ interface RotatePassphraseInput {
      * Map of slot id → re-enrolment ceremony. Slots whose id appears
      * here are PRESERVED across rotation (the ceremony re-derives the
      * method-specific wrapping under the new keyring); slots whose id
-     * is absent are DROPPED (the pre-#29 behavior).
+     * is absent are DROPPED (the pre-slot-ceremony behavior).
      *
-     * Without this map, `rotatePassphrase` retains the pre-pre.8
-     * behavior of wiping every tier-2 slot. Consumers building a
+     * Without this map, `rotatePassphrase` wipes every tier-2 slot. Consumers building a
      * "rotate without losing my biometric" flow supply ceremonies for
      * each slot they want to keep.
      *
@@ -3764,7 +3863,7 @@ interface RotatePassphraseInput {
      * state. Callers wrap individual ceremonies in try/catch + return
      * a sentinel if they want graceful degradation per slot.
      *
-     * Added in pre.8 (#29).
+     * Added when slot-ceremony rewrapping landed.
      */
     readonly slotCeremonies?: {
         readonly [slotId: string]: SlotRewrapCeremony;
@@ -3775,10 +3874,10 @@ interface RotatePassphraseInput {
  * under a freshly-derived KEK from `newPassphrase`, and persist.
  *
  * Tier-2 authenticator slots are dropped UNLESS the caller supplies
- * a `slotCeremonies` map (#29) — each ceremony re-derives its
+ * a `slotCeremonies` map — each ceremony re-derives its
  * method-specific wrapping under the new keyring, and hub persists
  * the rewrapped slots atomically with the rotation. Slots whose id
- * isn't in the map are still dropped (pre-pre.8 behavior).
+ * isn't in the map are still dropped.
  *
  * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.
  * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.
@@ -3789,7 +3888,7 @@ declare function rotatePassphrase(store: NoydbStore, vault: string, userId: stri
 /**
  * Caller payload for {@link recoverPassphrase}.
  *
- * As of #196 slice 1, `paper` and `shamir` are wired end-to-end.
+ * `paper` and `shamir` are wired end-to-end.
  * The remaining two profiles (`multi-channel`, `admin-mediated`)
  * stay outside the union and throw
  * {@link RecoveryProfileNotImplementedError} at the runtime guard
@@ -3819,7 +3918,7 @@ interface RecoverPassphraseInput {
      * After a successful paper-recovery, replace ALL remaining recovery
      * entries with freshly-minted ones. Defaults to `true` (defensive).
      *
-     * Rationale (issue #36): the user just demonstrated they had access
+     * Rationale: the user just demonstrated they had access
      * to AT LEAST one code. The remaining codes from the same printed
      * sheet may also be compromised — photographed, leaked via a
      * screen-share slip, or in the hands of whoever stole the sheet.
@@ -3869,7 +3968,7 @@ interface RecoverPassphraseResult {
     readonly newCodes: readonly string[];
 }
 /**
- * Input for {@link Noydb.rotateRecovery} (#121) — deliberate
+ * Input for {@link Noydb.rotateRecovery} — deliberate
  * recovery-credential regeneration when the user knows their
  * passphrase but wants a fresh sheet (paper) or fresh shares
  * (shamir). Symmetric to {@link RotatePassphraseInput}.
@@ -3920,7 +4019,7 @@ interface EnrollRecoveryResult {
 }
 /**
  * Input shape for {@link Noydb.enrollRecovery} and
- * {@link Noydb.openVaultAndEnrollRecovery} (#195). Discriminated
+ * {@link Noydb.openVaultAndEnrollRecovery}. Discriminated
  * union over recovery profiles.
  *
  * - `paper`: caller pre-mints entries (typically via
@@ -3946,9 +4045,8 @@ type RecoveryEnrollmentInput = {
     readonly entryId?: string;
 };
 /**
- * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
- * supports the `'paper'` profile via `@noy-db/on-recovery` entries
- * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * Reset the user's passphrase using a recovery proof.
+ * Supports `'paper'` and `'shamir'` profiles. The other profiles throw
  * {@link RecoveryProfileNotImplementedError}.
  *
  * On success, the used recovery entry is burned (deleted from the
@@ -3957,7 +4055,7 @@ type RecoveryEnrollmentInput = {
 declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined, store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
 
 /**
- * Atomic peer-recovery primitive — issues #33 + #34.
+ * Atomic peer-recovery primitive.
  *
  * `recoverUser` is a SEPARATE operation from `revoke + grant`. It
  * exists because peer-recovery has different semantics than account
@@ -3986,7 +4084,7 @@ declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined,
  *
  * Caller must be at least as privileged as the target. The hub
  * `db.recoverUser` method gates this with the `peer-recover-user`
- * policy gate (#33's factor-proof requirement); the function below
+ * policy gate (the `peer-recover-user` factor-proof requirement); the function below
  * enforces only the role + anti-privilege-escalation invariants.
  *
  * @module
@@ -4142,7 +4240,7 @@ declare function validatePublicEnvelopeInput(input: SetPublicEnvelopeInput, sche
 declare function isPublicEnvelope(x: unknown): x is PublicEnvelope;
 
 /**
- * Multi-tab coordination (#228a): primary/secondary election (Web Locks)
+ * Multi-tab coordination: primary/secondary election (Web Locks)
  * + presence heartbeat (BroadcastChannel). Browser-only; opt-in; no-op
  * when the APIs are absent. The lock/channel interfaces are hub-local
  * (structurally compatible with @noy-db/by-peer + @noy-db/by-tabs, but
@@ -4186,20 +4284,20 @@ interface TabCoordinationOptions {
      */
     readonly closeChannelOnDispose?: boolean;
     /**
-     * Also propagate committed writes to other tabs (#228b). Default true:
+     * Also propagate committed writes to other tabs. Default true:
      * when tab coordination is enabled and a channel is available, a write in
      * one tab refreshes that document in every other tab. Set false to opt out.
      */
     readonly propagateWrites?: boolean;
     /**
-     * Channel for write propagation (#228b) — distinct from the presence
+     * Channel for write propagation — distinct from the presence
      * channel. Default: an inline BroadcastChannel on `noydb:tab-writes`.
      */
     readonly writeChannel?: TabChannel;
 }
 
 /**
- * Per-vault tier-3 (PIN / quick-resume) state — issue #11.
+ * Per-vault tier-3 (PIN / quick-resume) state.
  *
  * The hub holds a `PinResumeState`-shaped record in memory, keyed by
  * vault. `enrollUnlock` populates it; `unlockViaPin` consumes it via
@@ -4315,7 +4413,7 @@ interface StagedOp {
     expectedVersion?: number;
     /**
      * Optional human-readable tag forwarded to the resulting ledger
-     * entry's `reason` field (#1). Set by callers via
+     * entry's `reason` field. Set by callers via
      * `tx.vault(v).collection(c).put(id, record, { reason })`.
      */
     reason?: string;
@@ -4347,7 +4445,7 @@ interface AmendmentTxOptions {
  * facade; its `put`/`delete`/`get` calls stage ops against the tx.
  */
 declare class TxContext {
-    /** Stable id for this transaction; shared by all writes it performs (#230). */
+    /** Stable id for this transaction; shared by all writes it performs. */
     readonly txId: string;
     /** @internal */
     readonly _ops: StagedOp[];
@@ -4357,7 +4455,7 @@ declare class TxContext {
      * restore prior state via `revertExecuted`. Side-effect writes (e.g.
      * recursive derivation outputs fired inside `Collection.put`) are
      * appended here in execution order so they roll back alongside the
-     * main staged ops (#133).
+     * main staged ops.
      */
     readonly _executed: ExecutedOp[];
     /** @internal */
@@ -4429,12 +4527,12 @@ declare class TxCollection<T> {
  * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop
  * but shares the `_activeTxContext` mechanism (and the `revertExecuted`
  * helper) so nested side-effect derivation writes get registered for
- * revert alongside the bulk-put source ops (#133).
+ * revert alongside the bulk-put source ops.
  */
 declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 
 /**
- * Dry-run transactions (#231). Runs the tx body to STAGE ops, then builds
+ * Dry-run transactions. Runs the tx body to STAGE ops, then builds
  * the directly-affected diff (before = current committed via collection.get,
  * after = staged record) and collects guard violations — without executing
  * phase 2. No adapter writes, no write-hooks, no commit. MV/derivation
@@ -4462,7 +4560,7 @@ interface DryRunResult {
 }
 
 /**
- * Policy gate DSL types — issue #9.
+ * Policy gate DSL types.
  *
  * Sensitive operations (rotate the passphrase, enroll an authenticator,
  * export plaintext, grant a user, …) are gated by a typed policy
@@ -4496,12 +4594,10 @@ interface DryRunResult {
  * devices — policies can require ANY of them or insist on a count of 2
  * to force a mix.
  *
- * Added in pre.8 (#30): `webauthn-platform`, `password`, `pin` —
- * previously consumers with no off-device infrastructure (no TOTP,
- * no email-OTP, paper recovery not enrolled) had to disable the
- * factor requirement entirely on `rotate-passphrase`. Now they can
- * pin "any second factor I have wired" without losing the freshness
- * guarantee.
+ * `webauthn-platform`, `password`, `pin` — for consumers with no
+ * off-device infrastructure (no TOTP, no email-OTP, paper recovery not
+ * enrolled) who want to require "any second factor I have wired"
+ * without losing the freshness guarantee.
  */
 type FactorKind = 'totp' | 'email-otp' | 'recovery' | 'shamir' | 'webauthn-roaming' | 'webauthn-platform' | 'password' | 'pin';
 /**
@@ -4545,7 +4641,7 @@ interface GatePolicy {
 type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
 /**
  * Authorize a deliberate paper-recovery-code regeneration —
- * `db.rotateRecovery` (#121). Symmetric to `rotate-passphrase` for
+ * `db.rotateRecovery`. Symmetric to `rotate-passphrase` for
  * the case where the user remembers their passphrase but wants a
  * fresh sheet (lost the printout, suspect compromise of the off-site
  * copy). PERSONAL allows tier-1; STRICT requires an off-device
@@ -4555,19 +4651,19 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  | 'rotate-recovery'
 /**
  * Authorize a meta-only mutation on an existing authenticator slot —
- * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
+ * `db.updateAuthenticator`. The slot's wrap material, id, and
  * method are immutable through this gate; only the `meta` blob
  * (nicknames, method-specific labels) can change. Anti-slot-swap
  * guard is preserved structurally regardless of this gate's
  * settings.
  */
  | 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
-/** Authorize a write to one's own user envelope (#22). */
+/** Authorize a write to one's own user envelope. */
  | 'edit-own-profile'
-/** Authorize reading other principals' user envelopes (#22). */
+/** Authorize reading other principals' user envelopes. */
  | 'view-team-profiles'
 /**
- * Authorize an atomic peer-recovery — `db.recoverUser` (#33, #34).
+ * Authorize an atomic peer-recovery — `db.recoverUser`.
  * Distinct from `revoke-user` because peer-recovery is intentional
  * re-issuance of someone's keyring under a temp passphrase, NOT
  * removal. Allows owner→owner natively (matches the threat model:
@@ -4577,7 +4673,7 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  */
  | 'peer-recover-user'
 /**
- * Authorize a post-grant identity mutation — `db.updateUser` (#54).
+ * Authorize a post-grant identity mutation — `db.updateUser`.
  * Covers `role`, `displayName`, `permissions` changes on an existing
  * keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
  * required. The role-elevation guard inside the implementation
@@ -4590,7 +4686,7 @@ type GateName = BuiltInGateName | `app:${string}`;
 /**
  * Top-level policy object. Persisted at `_meta/policy` once at vault
  * creation. The `passphrase` block configures the strength rules
- * applied at every passphrase ingress (issue #7); `gates` configures
+ * applied at every passphrase ingress; `gates` configures
  * the action-level requirements.
  */
 interface VaultPolicy {
@@ -4614,7 +4710,7 @@ interface FactorProof {
  * `db.recoverUser`, `db.enrollUnlock`, `db.describeUserAuth`,
  * `db.describeAllUsersAuth`.
  *
- * Pre-#89 this type was inlined at every call site as
+ * Previously this type was inlined at every call site as
  * `{ factors?: ReadonlyArray<FactorProof>; sharedDevice?: boolean }`
  * and parameter names alternated between `factors` and `presented`.
  * Now exported so consumers can name their helpers and so the param
@@ -4634,13 +4730,14 @@ declare class Noydb {
     private readonly emitter;
     private readonly writeQueueTracker;
     private readonly writeHooks;
+    private readonly subsystemBus;
     private readonly clientId;
     private readonly vaultCache;
     private readonly keyringCache;
     private readonly syncEngines;
     /**
      * Per-vault active session tier — defaults to `1` after a passphrase
-     * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+     * unlock; tier-2 / tier-3 unlocks downgrade it. Used by
      * {@link checkGate} to evaluate `gate.minTier`.
      */
     private readonly activeTier;
@@ -4650,14 +4747,14 @@ declare class Noydb {
      */
     private readonly policyCache;
     /**
-     * One-shot bypass for the managed-mode strong-recovery check (#195).
+     * One-shot bypass for the managed-mode strong-recovery check.
      * Set true by {@link openVaultAndEnrollRecovery} for the duration of
      * the bootstrap window so the keyring can be created before the
      * strong recovery is enrolled. Always cleared (try/finally).
      * @internal
      */
     private _skipNextManagedRecoveryCheck;
-    /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+    /** Per-vault tier-3 (PIN / quick-resume) state. */
     private readonly quickUnlock;
     /**
      * Resolved public-envelope schema. Lazily computed once from
@@ -4667,9 +4764,9 @@ declare class Noydb {
     private readonly publicEnvelopeSchema;
     private closed;
     private sessionTimer;
-    /** Same-device multi-tab coordinator (#228); created on `enableTabCoordination()`. */
+    /** Same-device multi-tab coordinator; created on `enableTabCoordination()`. */
     private tabCoordinator;
-    /** Cross-tab write relay (#228b); created on `enableTabCoordination()`. */
+    /** Cross-tab write relay; created on `enableTabCoordination()`. */
     private writeRelay;
     /** Per-vault policy enforcers. */
     private readonly policyEnforcers;
@@ -4682,8 +4779,8 @@ declare class Noydb {
      * the same function's `finally` block. Side-effect writes triggered
      * during a staged op's `Collection.put` (today: eager derivation
      * outputs) register their pre-write envelope on `_executed` here so
-     * a mid-batch failure rolls them back alongside the main staged ops
-     * (#133). `null` outside of Phase 2.
+     * a mid-batch failure rolls them back alongside the main staged ops.
+     * `null` outside of Phase 2.
      * @internal
      */
     private _activeTxContext;
@@ -4786,8 +4883,6 @@ declare class Noydb {
      * @throws `NoAccessError` when no keyring exists for the target.
      * @throws `PermissionDeniedError` when the role hierarchy rejects.
      * @throws `ValidationError` when no field is provided.
-     *
-     * @see #54
      */
     updateUser(vault: string, options: UpdateUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
@@ -4975,7 +5070,7 @@ declare class Noydb {
      */
     transaction<T>(options: AmendmentTxOptions, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
     /**
-     * Dry-run a transaction (#231): run the body to stage ops, then return
+     * Dry-run a transaction: run the body to stage ops, then return
      * the directly-affected diff + collected guard violations WITHOUT
      * committing (no adapter writes, no write hooks). MV/derivation cascade
      * is not simulated. Requires `withTransactions()`.
@@ -5003,7 +5098,7 @@ declare class Noydb {
      * Phase 2. `Collection.dispatchDerivations` consults this so a
      * recursive derived-output write inside `Collection.put` can register
      * its envelope onto `ctx._executed` and roll back with the main
-     * staged ops on mid-batch failure (#133).
+     * staged ops on mid-batch failure.
      *
      * @internal
      */
@@ -5028,7 +5123,7 @@ declare class Noydb {
      * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
      * to publish an active context for the duration of its bulk-atomic
      * Phase 2 loop, so recursive derivation-output writes register on
-     * `ctx._executed` and roll back together with the source ops (#133).
+     * `ctx._executed` and roll back together with the source ops.
      *
      * @internal
      */
@@ -5064,19 +5159,19 @@ declare class Noydb {
      */
     get _writeQueueTracker(): WriteQueueTracker;
     /**
-     * Register a hook that runs before each write (#230). Awaited; a throw
+     * Register a hook that runs before each write. Awaited; a throw
      * aborts the write. Returns an unsubscribe function.
      */
-    onBeforeWrite(handler: WriteHook): Unsubscribe$2;
+    onBeforeWrite(handler: WriteHook): Unsubscribe$3;
     /**
-     * Register a hook that runs after each committed write (#230). Awaited;
+     * Register a hook that runs after each committed write. Awaited;
      * a handler error is warned, never rolled back. Returns an unsubscribe fn.
      */
-    onAfterWrite(handler: WriteHook): Unsubscribe$2;
-    /** Subscribe to cross-tab write conflicts (#228c). Returns an unsubscribe. */
-    onWriteConflict(fn: (c: WriteConflict) => void): Unsubscribe$2;
+    onAfterWrite(handler: WriteHook): Unsubscribe$3;
+    /** Subscribe to cross-tab write conflicts. Returns an unsubscribe. */
+    onWriteConflict(fn: (c: WriteConflict) => void): Unsubscribe$3;
     /**
-     * Enable same-device multi-tab coordination (#228): primary/secondary
+     * Enable same-device multi-tab coordination: primary/secondary
      * election + presence. Browser-only — a graceful no-op (role 'unknown')
      * when Web Locks / BroadcastChannel are unavailable and nothing is
      * injected. Idempotent; returns a disposer.
@@ -5087,11 +5182,13 @@ declare class Noydb {
     private disableTabCoordination;
     get tabRole(): TabRole;
     activeTabs(): TabPresence[];
-    onTabRoleChange(fn: (r: TabRole) => void): Unsubscribe$2;
-    onActiveTabsChange(fn: (t: TabPresence[]) => void): Unsubscribe$2;
+    onTabRoleChange(fn: (r: TabRole) => void): Unsubscribe$3;
+    onActiveTabsChange(fn: (t: TabPresence[]) => void): Unsubscribe$3;
     /** @internal The write-hook registry, threaded into each Collection. */
     get _writeHooks(): WriteHookRegistry;
-    /** @internal Stable per-instance id for schema-cutover coordination (#232). */
+    /** @internal The observe bus, threaded into every Collection. */
+    get _subsystemBus(): SubsystemBus;
+    /** @internal Stable per-instance id for schema-cutover coordination. */
     get _clientId(): string;
     /**
      * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
@@ -5109,10 +5206,6 @@ declare class Noydb {
      * survives lock; nothing about it changes when DEKs are scrubbed).
      *
      * No-op when `vault` is not currently in cache (idempotent).
-     *
-     * Unblocks vLannaAi/niwat#33.
-     *
-     * @see #17
      */
     lockVault(vault: string): void;
     close(): void;
@@ -5146,7 +5239,7 @@ declare class Noydb {
      */
     updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
     /**
-     * Read the current vault-level user-directory toggle (#122). Returns
+     * Read the current vault-level user-directory toggle. Returns
      * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
      * document has been persisted yet.
      *
@@ -5154,7 +5247,7 @@ declare class Noydb {
      */
     getDirectoryEnabled(vault: string): Promise<boolean>;
     /**
-     * Toggle the vault's user-directory listing on or off (#122).
+     * Toggle the vault's user-directory listing on or off.
      * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
      * {@link import('./errors.js').DirectoryDisabledError} for callers
      * whose role is neither `owner` nor `admin`.
@@ -5186,7 +5279,7 @@ declare class Noydb {
      *
      * Two enforcement modes:
      *
-     * 1. **Managed-mode mandatory strong-recovery (#195).** When
+     * 1. **Managed-mode mandatory strong-recovery.** When
      *    `passphraseMode === 'managed'`, the vault MUST have at least
      *    one **strong** recovery profile (Shamir today). Paper alone is
      *    rejected because under managed mode the user has no memorized
@@ -5206,7 +5299,7 @@ declare class Noydb {
      */
     private assertRecoveryEnrolled;
     /**
-     * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+     * Internal accessor used by tier-2/tier-3 unlock paths
      * to mark the active session tier.
      * @internal
      */
@@ -5230,7 +5323,7 @@ declare class Noydb {
      * `remove-authenticator`.
      */
     removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
-    /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+    /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
     listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
     /**
      * Mutate the `meta` blob on an existing authenticator slot — slot
@@ -5239,7 +5332,7 @@ declare class Noydb {
      * are immutable through this method. Anti-slot-swap is structural,
      * not gate-driven.
      *
-     * `meta` patch semantics (#57-aligned):
+     * `meta` patch semantics (top-level merge):
      *   - Top-level merge — absent keys preserved
      *   - `null` value — delete that meta key
      *   - Other values — replace verbatim
@@ -5257,12 +5350,10 @@ declare class Noydb {
      *
      * @throws `NoAccessError` when no slot with the given id exists.
      * @throws `ValidationError` when no patch field is provided.
-     *
-     * @see #55
      */
     updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
-     * Native WebAuthn enrollment using the **real** internal keyring (#16).
+     * Native WebAuthn enrollment using the **real** internal keyring.
      *
      * Why this exists: when a consumer is using `createNoydb({ secret })`,
      * they cannot reach the live `UnlockedKeyring` to feed it to
@@ -5305,8 +5396,6 @@ declare class Noydb {
      * a server-side allowlist).
      *
      * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
-     *
-     * @see #16
      */
     enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
         credentialId: string;
@@ -5317,8 +5406,6 @@ declare class Noydb {
      * deciding when a new device prompt should appear. Identity is
      * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
      * `allowCredentials` at unlock time.
-     *
-     * @see #16
      */
     listWebAuthnSlots(vault: string): Promise<ReadonlyArray<{
         id: string;
@@ -5382,8 +5469,7 @@ declare class Noydb {
      *
      * Tier-2 authenticator slots are dropped — each slot wraps the old
      * KEK and would need its derivation key to be re-presented. Re-enrol
-     * via `db.enrollAuthenticator` after rotation. Tracked as a
-     * v0.1.0-pre.5 limitation.
+     * via `db.enrollAuthenticator` after rotation.
      *
      * @throws `WeakPassphraseError` on a weak new phrase.
      * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
@@ -5392,14 +5478,14 @@ declare class Noydb {
     rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
     /**
      * Reset the passphrase using a recovery proof (user forgot the old).
-     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
-     * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+     * Currently supports the `'paper'` profile end-to-end; the
+     * other profiles throw {@link RecoveryProfileNotImplementedError}.
      *
      * Burns the used recovery entry on success.
      */
     recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
     /**
-     * Deliberate paper-recovery-code regeneration (#121). User knows their
+     * Deliberate paper-recovery-code regeneration. User knows their
      * passphrase but wants a fresh sheet — they lost the printout or
      * suspect compromise of the off-site copy.
      *
@@ -5409,7 +5495,7 @@ declare class Noydb {
      *
      * Gated by the `rotate-recovery` policy gate:
      *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
-     *     suffices, matching the pre-#121 low-level flow's bar.
+     *     suffices, matching the lower-level flow's bar.
      *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
      *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
      *     off-site-trust event; require an off-device factor so a
@@ -5445,7 +5531,7 @@ declare class Noydb {
     private rotateRecoveryPaper;
     private rotateRecoveryShamir;
     /**
-     * **Atomic create-and-enroll for managed-mode vaults (#195).**
+     * **Atomic create-and-enroll for managed-mode vaults.**
      *
      * Bootstraps a managed-mode vault and enrolls strong recovery in
      * a single ceremony. Under `passphraseMode: 'managed'`, every
@@ -5490,7 +5576,7 @@ declare class Noydb {
         readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
     }>;
     /**
-     * **Recovery flow under managed-passphrase mode (#195).**
+     * **Recovery flow under managed-passphrase mode.**
      *
      * Replaces the sealed passphrase of a managed-mode vault with a
      * fresh 256-bit random, sealed under the configured
@@ -5507,7 +5593,7 @@ declare class Noydb {
      *   5. Drop the keyring cache so the next operation re-derives.
      *
      * The vault's strong-recovery enrollment is preserved across
-     * recovery (Shamir entries are not burned on use — see #196).
+     * recovery (Shamir entries are not burned on use).
      *
      * @throws ValidationError if the Noydb instance is not in managed mode.
      */
@@ -5517,7 +5603,7 @@ declare class Noydb {
     }): Promise<void>;
     /**
      * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
-     * a fresh temp passphrase in a single store write. Closes #34's
+     * a fresh temp passphrase in a single store write. Closes the
      * partial-failure window (the previous compose-from-primitives
      * pattern was `db.revoke + db.grant`, two writes — if the issuer
      * cancelled between them the target was locked out entirely).
@@ -5527,7 +5613,7 @@ declare class Noydb {
      *   - Same `userId`, role, permissions, capabilities preserved.
      *   - DEKs unchanged → every other principal in the vault keeps
      *     access. No key rotation.
-     *   - Allows owner→owner natively (#33). The existing
+     *   - Allows owner→owner natively. The existing
      *     `db.revoke` retains its block — peer-recovery is a separate,
      *     intentionally-named operation.
      *   - Tier-2 slots dropped (they wrap the old KEK).
@@ -5556,11 +5642,10 @@ declare class Noydb {
      * @throws `PrivilegeEscalationError` when the caller lacks a DEK
      *         the target previously had access to.
      *
-     * @see #33 #34 — the issues this method closes.
      */
     recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
-     * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+     * Persist a recovery enrollment. Accepts the `'paper'`
      * profile.
      *
      * The hub wraps the user's DEK set (not the KEK) under a code-derived
@@ -5580,7 +5665,7 @@ declare class Noydb {
      * showCodesToUser(codes)
      * ```
      *
-     * As of pre.8, `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
+     * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
      * delegates to `mintPaperRecoveryEntry` internally — its output is
      * fed directly to this API. Pick whichever fits your code-gen layer:
      *
@@ -5591,7 +5676,7 @@ declare class Noydb {
      * ```
      */
     enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
-    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
+    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
     listRecoveryEntries(vault: string): Promise<{
         paper: ReadonlyArray<PaperRecoveryEntry>;
         shamir: ReadonlyArray<ShamirRecoveryEntry>;
@@ -5619,11 +5704,11 @@ declare class Noydb {
     /** Drop the tier-3 state for a vault — explicit logout. */
     clearQuickUnlock(vault: string): void;
     /**
-     * Public accessor for the unlocked keyring of a vault — issue #28.
+     * Public accessor for the unlocked keyring of a vault.
      *
      * Returns a **defensive shallow copy** so consumers can read the DEK
      * map and authenticator list without the risk of mutating the hub's
-     * internal cache (#88). Internal hub code paths use a live reference
+     * internal cache. Internal hub code paths use a live reference
      * via `getKeyringInternal`; ceremonies and external consumers always
      * get a snapshot.
      *
@@ -5864,8 +5949,8 @@ interface GuardStrategy<T extends Record<string, unknown>> {
      * })
      * ```
      *
-     * Also skipped on system-internal deletes (derivation tombstones from
-     * #144, MV refresh from Dim 14 v2) — those use `_internalDelete`
+     * Also skipped on system-internal deletes (derivation tombstones,
+     * MV refresh from Dim 14 v2) — those use `_internalDelete`
      * which bypasses every user-facing delete hook. Housekeeping ops are
      * NOT user-initiated and should not trip user invariants.
      *
@@ -5924,14 +6009,14 @@ interface RecordOutputSpec {
      * `undefined`) for this output key. The executor interprets that as
      * "no output for this invocation": a previously-emitted output at
      * the same id is deleted (mirroring the empty-group / empty-aggregate
-     * semantics flagged in #142); a never-emitted output is a silent
+     * semantics for empty groups); a never-emitted output is a silent
      * no-op. When `false` (default), returning `null` throws
      * `DerivationOutputShapeError` — same as v1.
      */
     optional?: boolean;
 }
 /**
- * Array-shape output (#200) — one source row produces a variable-length
+ * Array-shape output — one source row produces a variable-length
  * list of output rows, each with its own id (from the `key` extractor).
  *
  * On every source-row change, the dispatcher diffs the previously
@@ -6154,7 +6239,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     query?: (db: MVQueryContext) => Query<TRow>;
     /**
-     * UNION-form sources (#165): an explicit list of sibling collections
+     * UNION-form sources: an explicit list of sibling collections
      * that contribute rows to a single MV. Each arm's `map` projects a
      * source row into the MV's unified row shape; the mapped streams are
      * concatenated, then {@link groupBy} + {@link aggregate} run on the
@@ -6170,7 +6255,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     unionSources?: ReadonlyArray<UnionSource<TRow>>;
     /**
-     * Group-key field(s) for UNION mode (#165). Applied to the
+     * Group-key field(s) for UNION mode. Applied to the
      * concatenated mapped-row stream from {@link unionSources} before
      * {@link aggregate} runs. Accepts a single field name or a tuple of
      * field names for multi-key grouping (same shape as
@@ -6182,7 +6267,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     groupBy?: string | ReadonlyArray<string>;
     /**
-     * Aggregation spec for UNION mode (#165). Applied per-group after
+     * Aggregation spec for UNION mode. Applied per-group after
      * {@link groupBy} buckets the concatenated mapped-row stream from
      * {@link unionSources}. Same shape as the `AggregateSpec` passed to
      * `Query.aggregate()`.
@@ -6193,11 +6278,11 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
     /**
      * Pure function from a materialized row → stable id used in the
      * output collection. Required — explicit always beats default-with-pitfalls
-     * (see niwat-review of #149 round 1 for the slash-collision rationale).
+     * (explicit always beats default-with-pitfalls; see the slash-collision rationale).
      */
     rowKey: (row: TRow) => string;
     /**
-     * Explicit source collections (#152). Required when `query()` returns
+     * Explicit source collections. Required when `query()` returns
      * an `Aggregation` or `GroupedAggregation` rather than a `Query<T>`
      * — the dependency analyzer can't introspect through `groupBy().aggregate()`
      * back to the source. Optional for plain `Query<T>` results — the
@@ -6207,7 +6292,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     sources?: ReadonlyArray<string>;
     /**
-     * Declared deterministic predicates (#153). Each entry pairs a
+     * Declared deterministic predicates. Each entry pairs a
      * consumer-stable `hash` with a function. The `query()` callback's
      * Query<T> can invoke them via `.wherePredicate(name, ctx?)`. The
      * predicate's `hash` + a canonical-JSON hash of `ctx` both fold
@@ -6244,8 +6329,8 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      *
      * - `'delete'` (default) — tombstone the prior MV row via
      *   `Collection._internalDelete` (system housekeeping bypasses user
-     *   `onDelete` guards on the output collection — see PR #148's
-     *   composition fix).
+     *   `onDelete` guards on the output collection — the housekeeping
+     *   bypass composition fix).
      * - `'keep'` — leave the prior MV row in place. Useful when zero
      *   is a meaningful state.
      */
@@ -6253,7 +6338,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
     /**
      * `true` re-throws on any row-write failure → composes with
      * `withTransactions` to roll back the source-write atomically via
-     * `revertExecuted` (#133). Default `false` (failed rows are
+     * `revertExecuted`. Default `false` (failed rows are
      * isolated; other rows commit).
      */
     strict?: boolean;
@@ -6287,7 +6372,7 @@ interface RegisteredMV {
      * Top-level FieldClauses on the partition field, captured at
      * registration time. Used by the cycle detector to resolve
      * same-collection-as-source edges via the partition-discriminator
-     * check (#152). Empty when `spec.output?.partition` is undefined.
+     * check. Empty when `spec.output?.partition` is undefined.
      */
     readonly partitionClauses: readonly FieldClause[];
 }
@@ -6339,7 +6424,7 @@ declare class MaterializedViewRegistry {
 }
 
 /**
- * Read-shadow overlay primitive (#154, MV v2 spec § Composition with
+ * Read-shadow overlay primitive (MV v2 spec § Composition with
  * operator-editable lifecycle). Binds an MV's read-only base output
  * to a separate user-writable overlay collection; reads merge via a
  * single shadow predicate, writes route to the overlay.
@@ -6442,7 +6527,7 @@ declare class GuardRegistry {
     register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void;
     /** All guards registered against `collection` in registration order. */
     guardsFor(collection: string): ReadonlyArray<AnyGuard>;
-    /** Per-collection guard counts, for introspection (#229). */
+    /** Per-collection guard counts, for introspection. */
     summary(): {
         collection: string;
         count: number;
@@ -6883,7 +6968,7 @@ declare function magicLinkGrantRecordId(token: string, index: number): string;
 declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: Date): boolean;
 
 /**
- * Type surface for the user-list visibility subsystem (#122).
+ * Type surface for the user-list visibility subsystem.
  *
  * Two complementary flags:
  *  - {@link DirectoryConfig} — vault-level "is the directory listing
@@ -6934,7 +7019,7 @@ interface UserVisibility {
  *    own keyringId. **Own-only write rule** is structural — no method
  *    exists to write someone else's envelope.
  *  - Read-anyone: `get` / `list` — read other principals' envelopes
- *    (subject to `view-team-profiles` policy gate, wired in #22).
+ *    (subject to `view-team-profiles` policy gate).
  *  - Reactive: `subscribe` / `live` — in-process event emission on local
  *    writes. Cross-instance updates land via the team/sync engine and
  *    surface to subscribers when the sync diff replays through this API.
@@ -6954,7 +7039,7 @@ type DeepPartial<T> = T extends object ? {
 } : T;
 /**
  * Recursive partial with `null` allowed at every level — used by
- * `updateMe` (#57) to express deletion intent in addition to merge.
+ * `updateMe` to express deletion intent in addition to merge.
  *
  * Semantics inside `updateMe`:
  *   - `undefined` (or absent key) — skip; source value preserved
@@ -6963,8 +7048,8 @@ type DeepPartial<T> = T extends object ? {
  *     replace for primitives / arrays)
  *
  * Matches lodash `_.merge` behavior on `null` and Firestore's
- * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
- * #57; consumers wanting the original "merge-only" surface can keep
+ * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>`.
+ * Consumers wanting the original "merge-only" surface can keep
  * importing `DeepPartial` and avoid passing `null`.
  */
 type DeepPartialOrNull<T> = T extends object ? {
@@ -7036,7 +7121,7 @@ declare class UserApi {
      * the envelope on first call. Optimistic-concurrency safe — a stale
      * `_v` (parallel writer on another device) throws `ConflictError`.
      *
-     * Patch semantics (#57):
+     * Patch semantics:
      *   - `undefined` (or omitted key) — skip; existing value preserved
      *   - `null` — delete the field from the merged result
      *   - any other value — overwrite (deep-merge for plain objects,
@@ -7190,7 +7275,7 @@ interface PersistedSchemaEnvelope {
  * @module
  */
 
-/** Flat snapshot of a vault's registered schema (#229). */
+/** Flat snapshot of a vault's registered schema. */
 interface SchemaIntrospection {
     readonly collections: ReadonlyArray<{
         name: string;
@@ -7367,23 +7452,23 @@ declare class Vault {
      * `null` for vaults that never register any guard strategy. The
      * runtime class is dynamic-imported on demand so consumers that
      * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
-     * their bundle (#130).
+     * their bundle.
      */
     private guardRegistry;
     /**
      * Per-vault derivation registry. Same lazy-load contract as
      * `guardRegistry` — `null` until `_initDerivations()` runs with at
-     * least one strategy handle. See #130 for the bundle motivation.
+     * least one strategy handle.
      */
     private derivationRegistry;
     /**
-     * Per-vault materialized-view registry (#143/#150). Same lazy-load
+     * Per-vault materialized-view registry. Same lazy-load
      * contract as `derivationRegistry` — `null` until
      * `_initMaterializedViews()` runs with at least one MV handle.
      */
     private materializedViewRegistry;
     /**
-     * Per-vault overlay registry (#154). Same lazy-load contract as
+     * Per-vault overlay registry. Same lazy-load contract as
      * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
      * runs with at least one handle.
      */
@@ -7404,7 +7489,7 @@ declare class Vault {
      *   target this vault session's keyringId. There is no method to write
      *   another principal's envelope (own-only write rule, structural).
      * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
-     *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+     *   envelopes, subject to the `view-team-profiles` policy gate.
      * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
      *
      * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
@@ -7424,7 +7509,7 @@ declare class Vault {
      */
     private readonly reloadKeyring;
     private readonly collectionCache;
-    /** #232 — vault-level schema cutover fence/controller. */
+    /** Vault-level schema cutover fence/controller. */
     readonly schemaFence: SchemaFenceController;
     /**
      * per-collection `blobFields` retention/TTL config.
@@ -7498,8 +7583,7 @@ declare class Vault {
      * Cache of closed/opened accounting periods.
      * Populated on first `closePeriod` / `openPeriod` / `listPeriods` /
      * per-collection write call. Kept in memory as an ordered list (by
-     * `closedAt`) so the `periodGuard` hook runs synchronously against
-     * each collection's put/delete path.
+     * `closedAt`) so period checks run fast when the gate bus fires.
      *
      * Sentinel `null` means "not yet loaded" — the first consumer
      * triggers a one-time `loadPeriods()` pass. Every subsequent
@@ -7659,7 +7743,7 @@ declare class Vault {
          */
         persistJsonSchema?: boolean;
         /**
-         * Ordered schema-update strategies (#245). On a detected schema
+         * Ordered schema-update strategies. On a detected schema
          * change, evaluated in order; the first non-`allow` decision wins.
          * A `reject` is enforced at the write path (`put`/`delete` throw).
          * Requires `persistJsonSchema: true` (detection needs the baseline).
@@ -7675,7 +7759,7 @@ declare class Vault {
      */
     _drainPendingSchemaWrites(): Promise<void>;
     /**
-     * Run a coordinated schema cutover (#232). Drains pending writes, waits
+     * Run a coordinated schema cutover. Drains pending writes, waits
      * for the active client set to quiesce (the ack-barrier), applies every
      * pending collection transform in bulk, bumps the vault schema generation,
      * and clears the fence. Returns the count of collections migrated.
@@ -7687,15 +7771,15 @@ declare class Vault {
         migrated: number;
     }>;
     /**
-     * #228b — refresh a loaded collection's view of one document from a peer
+     * Refresh a loaded collection's view of one document from a peer
      * tab's broadcast. No-op when the collection isn't loaded in this tab
-     * (it will read fresh on next open). Mirrors #runCutoverTransform's guard.
+     * (it will read fresh on next open). Mirrors `#runCutoverTransform`'s guard.
      */
     _applyRemoteWrite(collectionName: string, docId: string, action: 'put' | 'delete'): Promise<void>;
     /**
-     * #228c — for a detected conflict: capture this tab's clobbered record,
+     * For a detected conflict: capture this tab's clobbered record,
      * read the common ancestor from history, converge the cache to the store's
-     * authoritative value (the (b) re-read), and return all three for the
+     * authoritative value (the re-read), and return all three for the
      * WriteConflict payload. Returns null when the collection isn't loaded.
      */
     _captureAndConverge(collectionName: string, docId: string, action: 'put' | 'delete', baseV: number): Promise<{
@@ -7703,11 +7787,11 @@ declare class Vault {
         remote: unknown;
         base: unknown;
     } | null>;
-    /** Recover a stuck cutover fence (#232) — reset to normal without bumping. */
+    /** Recover a stuck cutover fence — reset to normal without bumping. */
     abortSchemaCutover(): Promise<void>;
-    /** Current schema-cutover fence state for this vault (#232/#233). Thin live read. */
+    /** Current schema-cutover fence state for this vault. Thin live read. */
     schemaFenceState(): Promise<FenceDoc>;
-    /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered (#232). */
+    /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
     _ensureFenceCoordination(): void;
     /** @internal Stop the heartbeat/watcher (vault lock/close). */
     _stopFenceCoordination(): void;
@@ -8023,7 +8107,7 @@ declare class Vault {
      * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
      * the registry with the supplied strategy handles. No-op when the
      * handles array is empty — keeps the guard subsystem out of the
-     * floor bundle for consumers that don't use guards (#130).
+     * floor bundle for consumers that don't use guards.
      *
      * The read-only facade is eagerly instantiated here so the sync
      * accessor `_getReadOnlyFacade()` (called from the tx amendment
@@ -8031,10 +8115,9 @@ declare class Vault {
      */
     _initGuards(handles: ReadonlyArray<GuardStrategyHandleAny>): Promise<void>;
     /**
-     * @internal — Collection.put calls into this. Returns `null` for
-     * vaults that never registered any guard strategy. Callers MUST
-     * gate on null (the existing `if (this.guardSource)` branches in
-     * `Collection` already do this transitively).
+     * @internal — The gate handler in Noydb.#registerGuardGate calls into
+     * this. Returns `null` for vaults that never registered any guard
+     * strategy. Callers MUST gate on null.
      */
     _getGuardRegistry(): GuardRegistry | null;
     /**
@@ -8043,7 +8126,7 @@ declare class Vault {
      * derivation strategies (async because `strategyHash` computation
      * goes through `crypto.subtle.digest`). No-op when the handles
      * array is empty — keeps the derivation subsystem out of the floor
-     * bundle for consumers that don't use derivations (#130). Throws
+     * bundle for consumers that don't use derivations. Throws
      * `DerivationCycleError` if a cycle is detected after registration.
      */
     _initDerivations(handles: ReadonlyArray<DerivationStrategyHandle>): Promise<void>;
@@ -8058,7 +8141,7 @@ declare class Vault {
      * MV spec (which invokes its `query()` once for dependency
      * analysis), then runs the unified cycle detection across the MV +
      * derivation graphs. No-op when the handles array is empty — keeps
-     * the MV subsystem out of the floor bundle (mirrors v1 #130).
+     * the MV subsystem out of the floor bundle (mirrors the derivation lazy-import pattern).
      * Throws `MaterializedViewCycleError` if a cycle is detected.
      */
     _initMaterializedViews(handles: ReadonlyArray<MaterializedViewStrategyHandle>): Promise<void>;
@@ -8080,13 +8163,13 @@ declare class Vault {
      */
     _getOverlayedViewRegistry(): OverlayedViewRegistry | null;
     /**
-     * Manual re-materialize for a single registered MV (#151). Useful
+     * Manual re-materialize for a single registered MV. Useful
      * for `refresh: 'manual'` MVs (whose consumer drives refreshes
      * externally), for stale-bit recovery on vault re-open, and as the
      * explicit bulk-recompute escape hatch after a strategy change.
      *
-     * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
-     * foundation + this sub-issue — tombstoning lands in #152.
+     * Returns `{ written, deleted, failed }`. `deleted` is always 0
+     * when tombstoning is not enabled.
      *
      * Throws if `name` is not a registered MV.
      */
@@ -8109,20 +8192,17 @@ declare class Vault {
     /**
      * @internal — exposed for `runTransaction({ amendment: true })` so
      * the amendment invariant runner can pass the SAME read-only vault
-     * facade that the per-record `Collection.put` guard hook uses
-     * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
-     * `_initGuards()` so this accessor stays synchronous; returns
-     * `null` for vaults that never registered any guard (amendments
-     * require at least one guard, so the caller should never see null).
+     * facade that the gate handler in Noydb.#registerGuardGate uses.
+     * Eagerly instantiated by `_initGuards()` so this accessor stays
+     * synchronous; returns `null` for vaults that never registered any
+     * guard (amendments require at least one guard, so the caller should
+     * never see null).
      */
     _getReadOnlyFacade(): ReadOnlyVaultFacade | null;
     /**
-     * Internal lazy-allocator for the read-only facade. Used by the
-     * per-collection `guardSource.readOnlyVault` callback when guards
-     * ARE configured but `_initGuards()` raced with the first guard
-     * invocation (theoretically impossible — `Noydb.openVault` awaits
-     * `_initGuards` before returning — but we keep the defensive lazy
-     * path so the closure's contract stays "always returns a facade").
+     * Internal lazy-allocator for the read-only facade. Used as a
+     * defensive fallback; in practice `_initGuards()` eagerly
+     * instantiates this, so the lazy path is a no-op.
      */
     private _ensureReadOnlyFacade;
     /**
@@ -8329,7 +8409,7 @@ declare class Vault {
     listPeriods(): Promise<readonly PeriodRecord[]>;
     /** Look up a single period by name. Returns `null` if not found. */
     getPeriod(name: string): Promise<PeriodRecord | null>;
-    /** @internal — periodGuard callback installed on every Collection. */
+    /** @internal — called by the gate bus before put/delete. */
     _assertTsWritable(existing: {
         ts: string | null;
         record: Record<string, unknown> | null;
@@ -8360,7 +8440,7 @@ declare class Vault {
      */
     dumpSchema(opts?: DumpSchemaOptions): Promise<VaultSchemaSnapshot>;
     /**
-     * Lightweight read of the vault's registered schema (#229): collections
+     * Lightweight read of the vault's registered schema: collections
      * (+ doc counts), guards, materialized views, schema-update strategies,
      * and the unlocked user's grants. Cheap — one `adapter.list` per
      * collection, no decryption. For a full snapshot + stats use dumpSchema().
@@ -8854,6 +8934,7 @@ declare class Collection<T> {
     private readonly schemaUpdateGate;
     private readonly schemaFence;
     private readonly writeHooks;
+    private readonly subsystemBus;
     private readonly activeTxId;
     private readonly getDEK;
     private readonly onDirty;
@@ -9035,42 +9116,14 @@ declare class Collection<T> {
     private readonly syncAdapter;
     /** — consent-audit hook, no-op when no scope is active. */
     private readonly onAccess;
-    /**
-     * accounting-period write guard. Called BEFORE any
-     * adapter write with:
-     *   - `existing` — the prior envelope's `_ts` and decrypted record
-     *     (or `null` if no prior envelope exists)
-     *   - `incoming` — the record being written (or `null` for delete)
-     *
-     * Throws `PeriodClosedError` if either side falls inside a closed
-     * period. Installed by Vault; no-op when no period has been closed.
-     * Async so the Vault can lazy-load the period list from the
-     * adapter on first use.
-     */
-    private readonly periodGuard;
-    /**
-     * Optional back-reference to the owning vault's guard registry + a
-     * read-only vault facade. When present, `Collection.put` and
-     * `Collection.delete` consult the registry for guards declared
-     * against this collection and run their `check` + `frozenFields`
-     * before the adapter write. Absent in unit tests that construct
-     * a Collection directly; production code always sets it via
-     * `Vault.collection()`.
-     *
-     * Typed structurally rather than as `Vault` to avoid a circular
-     * import (mirrors the `refEnforcer` / `joinResolver` pattern).
-     */
-    private readonly guardSource;
     /**
      * Vault-internal hook for derivation dispatch. When set,
      * `Collection.put` consults the registry after the source-write
      * commits and writes derived outputs through `getCollection(name).put`.
-     * Same structural-interface pattern as `guardSource` to avoid a
-     * circular Vault import.
      */
     private readonly derivationSource;
     /**
-     * Vault-internal hook for materialized-view dispatch (#143/#150).
+     * Vault-internal hook for materialized-view dispatch.
      * Parallel to `derivationSource` — when set, `Collection.put` fires
      * `MaterializedViewRegistry.onSourceWrite` after the source-write
      * commits + after `dispatchDerivations` has run.
@@ -9123,19 +9176,21 @@ declare class Collection<T> {
         encrypted: boolean;
         emitter: NoydbEventEmitter;
         /**
-         * Vault-level in-flight write tracker (#227). When present,
+         * Vault-level in-flight write tracker. When present,
          * `put`/`delete` run inside `writeQueue.track()` so `hub.writeQueue`
          * reflects outstanding writes. Optional so direct Collection
          * construction in tests still works untracked.
          */
         writeQueue?: WriteQueueTracker | undefined;
-        /** #245 — per-collection schema-update gate; `put`/`delete` await it. */
+        /** Per-collection schema-update gate; `put`/`delete` await it. */
         schemaUpdateGate?: SchemaUpdateGate | undefined;
-        /** #232 — vault-level fence controller; `put`/`delete` consult it. */
+        /** Vault-level fence controller; `put`/`delete` consult it. */
         schemaFence?: SchemaFenceController | undefined;
-        /** #230 — hub-level write-hook registry; fired around put/delete. */
+        /** Hub-level write-hook registry; fired around put/delete. */
         writeHooks?: WriteHookRegistry | undefined;
-        /** #230 — active transaction id supplier (null outside a transaction). */
+        /** The observe bus, threaded from Noydb. */
+        subsystemBus?: SubsystemBus | undefined;
+        /** Active transaction id supplier (null outside a transaction). */
         activeTxId?: (() => string | null) | undefined;
         getDEK: (collectionName: string) => Promise<CryptoKey>;
         historyConfig?: HistoryConfig | undefined;
@@ -9340,33 +9395,19 @@ declare class Collection<T> {
          * to the ledger.
          */
         onCrossTierAccess?: ((event: CrossTierAccessEvent) => void) | undefined;
-        periodGuard?: (existing: {
-            ts: string | null;
-            record: Record<string, unknown> | null;
-        } | null, incoming: Record<string, unknown> | null) => Promise<void>;
         /**
-         * Optional back-reference to the owning vault's guard registry +
-         * read-only facade. When present, put/delete consult registered
-         * guards for this collection. Same structural-interface pattern
-         * as `refEnforcer` to avoid a circular Vault import.
-         */
-        guardSource?: {
-            registry(): GuardRegistry;
-            readOnlyVault(): ReadOnlyVaultFacade$1;
-        } | undefined;
         /**
          * Optional back-reference to the owning vault's derivation
          * registry + collection accessor. When present, successful
          * `put()` dispatches registered derivation strategies for the
-         * source collection. Same structural-interface pattern as
-         * `guardSource` to avoid a circular Vault import.
+         * source collection.
          */
         derivationSource?: {
             registry(): DerivationRegistry;
             getCollection(name: string): Collection<Record<string, unknown>>;
             /**
              * Read-only vault facade handed to `derive(source, ctx)` so a
-             * derivation can fetch sibling records (#147). Same shape and
+             * derivation can fetch sibling records. Same shape and
              * instance the guards subsystem uses for `check(incoming, ctx)`.
              */
             getReadOnlyFacade(): ReadOnlyVaultFacade$1;
@@ -9375,13 +9416,13 @@ declare class Collection<T> {
              * transaction context, or `null` when no transaction is running.
              * `dispatchDerivations` consults this so a recursive derived-output
              * write can register its pre-write envelope onto `ctx._executed`
-             * and roll back alongside the source op on mid-batch failure (#133).
+             * and roll back alongside the source op on mid-batch failure.
              */
             getActiveTxContext(): TxContext | null;
             /**
              * Construct a transient TxContext bound to the owning Noydb. Used
              * by `Collection.putManyAtomic` to publish an active context for
-             * its Phase 2 loop (#133).
+             * its Phase 2 loop.
              */
             createTxContext(): TxContext;
             /** Publish a TxContext for the duration of a bulk-atomic loop. */
@@ -9390,7 +9431,7 @@ declare class Collection<T> {
             clearActiveTxContext(ctx: TxContext): void;
         } | undefined;
         /**
-         * Vault-internal hook for materialized-view dispatch (#143/#150).
+         * Vault-internal hook for materialized-view dispatch.
          * Parallel to `derivationSource`. When set, `Collection.put` fires
          * registered MV `onSourceWrite` after the standard derivation
          * dispatch.
@@ -9453,14 +9494,14 @@ declare class Collection<T> {
     }): PresenceHandle<P>;
     /**
      * Create or update a record. Runs inside the hub's write-queue tracker
-     * (#227) so `hub.writeQueue.pending` reflects this write.
+     * so `hub.writeQueue.pending` reflects this write.
      *
      * @param id      Record identifier.
      * @param record  The record body (validated by the collection's schema
      *                if one was attached at `vault.collection(...)` time).
      * @param options Optional metadata for audit + import workflows.
      *                `reason` is stamped onto the resulting ledger entry
-     *                (see #1) so audit consumers can filter via
+     *                so audit consumers can filter via
      *                `entries.filter(e => e.reason?.startsWith('import:'))`.
      */
     put(id: string, record: T, options?: {
@@ -9472,7 +9513,7 @@ declare class Collection<T> {
      * Fire registered MV strategies whose dependency set includes this
      * collection. Eager-mode MVs re-materialize inline via
      * `MaterializedViewExecutor.refresh`; lazy / manual modes are
-     * no-ops in the foundation (subtask #150) — wired in #151.
+     * no-ops in the foundation; wired in the lazy-mode implementation.
      *
      * Skips entirely when the record being written is itself an
      * MV-emitted row (carries `_materializedFrom`) — defensive guard
@@ -9495,11 +9536,11 @@ declare class Collection<T> {
     private dispatchDerivations;
     /**
      * Delete a record by ID. Runs inside the hub's write-queue tracker
-     * (#227) so `hub.writeQueue.pending` reflects this write.
+     * so `hub.writeQueue.pending` reflects this write.
      */
     delete(id: string): Promise<void>;
     /**
-     * @internal #232 — bulk-rewrite every record through a cutover transform.
+     * @internal — bulk-rewrite every record through a cutover transform.
      * Raw adapter path (bypasses the write gate + guards — the transform is
      * trusted and runs only during the `migrating` phase). Bumps each
      * record's `_v` and appends a ledger `op:'migration'` entry.
@@ -9509,8 +9550,7 @@ declare class Collection<T> {
     private deleteInternal;
     /**
      * @internal — system-internal delete that bypasses user-facing
-     * delete hooks (`onDelete`, accounting-period guard, FK ref
-     * enforcer). Used by derivation tombstones (#144) and MV refresh
+     * delete hooks (`onDelete`, FK ref enforcer). Used by derivation tombstones and MV refresh
      * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
      * registered against the output collection. The ledger entry and
      * history snapshot still fire so backup integrity and time-travel
@@ -9522,7 +9562,7 @@ declare class Collection<T> {
      *
      * When a `txCtx` is supplied, the prior envelope is captured and
      * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
-     * the #133 rollback hardening for puts. Callers outside a
+     * the rollback hardening for puts. Callers outside a
      * multi-record transaction pass `null` and skip the tracking.
      *
      * Amendment composition: if `_internalDelete` runs while a vault's
@@ -9549,7 +9589,7 @@ declare class Collection<T> {
     private _doDelete;
     /**
      * Cascade deletes of array-shape derived rows when a source row is
-     * deleted (#200). Reads each registered strategy's fanout sidecar
+     * deleted. Reads each registered strategy's fanout sidecar
      * for this source id, deletes every listed derived row, then
      * deletes the sidecar itself.
      *
@@ -9560,8 +9600,8 @@ declare class Collection<T> {
      */
     private dispatchArrayDerivationsOnDelete;
     /**
-     * Mirror of {@link dispatchMaterializedViews} for the delete path
-     * (#181). No record content is available (it's gone), so the
+     * Mirror of {@link dispatchMaterializedViews} for the delete path.
+     * No record content is available (it's gone), so the
      * `_materializedFrom` skip used by the put-side dispatch doesn't
      * apply here — instead, the recursion guard is the `internal` gate
      * at the `_doDelete` call site above.
@@ -9643,7 +9683,7 @@ declare class Collection<T> {
      * the filtered records directly (the API). Prefer the chainable
      * form for new code.
      *
-     * **Lazy-MV gap (#157):** `query()` is synchronous and does NOT
+     * **Lazy-MV gap:** `query()` is synchronous and does NOT
      * trigger lazy materialized-view resolve-on-read. If this
      * collection is a lazy MV's output and the MV is currently stale,
      * `query().toArray()` returns the pre-stale snapshot. To force a
@@ -9804,7 +9844,7 @@ declare class Collection<T> {
      *   .aggregate({ total: sum('amount'), n: count() })
      * ```
      *
-     * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+     * **Lazy-MV gap:** `scan()` is synchronous-build and does
      * NOT trigger lazy materialized-view resolve-on-read. For lazy
      * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
      * before scanning. Same shape as the `query()` limitation.
@@ -9844,13 +9884,13 @@ declare class Collection<T> {
      */
     _invalidateCacheEntry(id: string): Promise<void>;
     /**
-     * #228b — apply a peer tab's committed write to THIS tab's in-memory view:
+     * Apply a peer tab's committed write to THIS tab's in-memory view:
      * re-read the (already-persisted) envelope from the shared store + refresh
      * cache/indexes, then emit a `change` event so reactive consumers re-render.
      * Never writes to the store and never fires write hooks, so it cannot loop.
      */
     _applyRemoteChange(id: string, action: 'put' | 'delete'): Promise<void>;
-    /** @internal #228c — the current in-memory record without a store read (for conflict capture). */
+    /** @internal — the current in-memory record without a store read (for conflict capture). */
     _peekCached(id: string): T | null;
     private ensureHydrated;
     /** Hydrate from a pre-loaded snapshot (used by Vault). */
@@ -10408,7 +10448,7 @@ interface SessionStrategy {
 }
 
 /**
- * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.
+ * Managed-passphrase mode — rubber-hose-resistant vaults.
  *
  * A vault mode where the passphrase is machine-generated and never
  * exposed to the user, sealed under a developer-provided
@@ -10447,9 +10487,9 @@ interface SessionStrategy {
  *     Returns the plaintext passphrase string that the rest of the
  *     `createNoydb` keyring path consumes.
  *
- * Slice 1 of #14. Deferred to follow-ups:
+ * Deferred to follow-ups:
  *   - Block `rotate-passphrase` policy gate under managed mode.
- *   - Mandatory strong-recovery enforcement (depends on #10).
+ *   - Mandatory strong-recovery enforcement.
  *   - Recovery flow under managed mode (generates fresh sealed phrase).
  *
  * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
@@ -10609,12 +10649,12 @@ interface SealedPassphrase {
  *
  * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
  *
- * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`
+ * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
  * — accepted on read for backwards compatibility; never produced on
  * write going forward.
  */
 interface SealedEnvelope {
-    /** Envelope schema version. v1 is the shape shipped in pre.16. */
+    /** Envelope schema version. v1 is the current shape. */
     readonly v: 1;
     /** Magic marker for forensics + legacy-shape detection. */
     readonly _noydb_sealed: 1;
@@ -10628,9 +10668,9 @@ interface SealedEnvelope {
  * in-memory {@link SealedPassphrase} representation. Accepts both:
  *
  *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
- *      the shape produced from pre.16 onward.
+ *      the current shape.
  *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
- *      the shape produced in pre.14/pre.15. Read-only; never written
+ *      read-only; never written
  *      going forward.
  *
  * Returns `undefined` for any input that doesn't match either shape,
@@ -11015,9 +11055,9 @@ interface ImportCapability {
  */
 type VaultPolicyOnDisk = Record<string, unknown>;
 /**
- * Recovery profile enrolled at vault creation (issue #10).
+ * Recovery profile enrolled at vault creation.
  *
- * - `paper` — `on-recovery` codes (the only end-to-end profile in v0.1.0-pre.5).
+ * - `paper` — `on-recovery` codes (the standard end-to-end profile).
  * - `shamir` / `multi-channel` / `admin-mediated` — API surface ships;
  *   per-profile dispatch lands in follow-up issues. Calling
  *   `db.recoverPassphrase` against these throws
@@ -11080,7 +11120,7 @@ interface KeyringAuthenticatorBase {
  * extractable KEK from its own credential — WebAuthn (PRF-derived
  * wrapping key) and split-key OIDC.
  *
- * `wrapKind` is optional/absent on slots written before pre.8 — those
+ * `wrapKind` is optional/absent on older slots — those
  * legacy slots are treated as wrap-KEK by default at unlock time.
  */
 interface KeyringAuthenticatorWrappingKEK extends KeyringAuthenticatorBase {
@@ -11143,11 +11183,11 @@ interface KeyringFile {
     readonly granted_by: string;
     /**
      * Passphrase canary — base64 AES-KW-wrapped form of a known constant
-     * 256-bit value, wrapped under the keyring's KEK (#113).
+     * 256-bit value, wrapped under the keyring's KEK.
      *
-     * Optional: pre-#113 keyrings load with no canary and fall back to
-     * the multi-DEK corruption heuristic from #82. Keyrings written after
-     * #113 carry one and let `loadKeyring` distinguish wrong-passphrase
+     * Optional: older keyrings load with no canary and fall back to
+     * the multi-DEK corruption heuristic. Newer keyrings
+     * carry one and let `loadKeyring` distinguish wrong-passphrase
      * from corruption even when ALL DEKs (including a single-DEK keyring's
      * sole DEK) are corrupted.
      *
@@ -11370,7 +11410,7 @@ interface Conflict {
     readonly resolve?: (winner: EncryptedEnvelope | null) => void;
 }
 /**
- * #228c — a same-device cross-tab write conflict: another tab overwrote a
+ * A same-device cross-tab write conflict: another tab overwrote a
  * document this tab had written, having diverged from an older base. Records
  * are decrypted (cross-tab handlers reconcile in plaintext). `base` is the
  * common ancestor from history, or null when history is unavailable.
@@ -11473,8 +11513,8 @@ interface NoydbEventMap {
     'change': ChangeEvent;
     'error': Error;
     /**
-     * Same-instance signal that this vault's schema-fence state changed
-     * (#232). For UI integration (#233). Cross-client coordination goes
+     * Same-instance signal that this vault's schema-fence state changed.
+     * For UI integration. Cross-client coordination goes
      * through the store, not this event.
      */
     'schema:fence-changed': {
@@ -11580,7 +11620,7 @@ interface GrantOptions {
     readonly initialProfile?: unknown;
 }
 /**
- * Caller payload for `db.updateUser` (#54). Mutate one or more
+ * Caller payload for `db.updateUser`. Mutate one or more
  * identity fields on an existing keyring without rotating any keys.
  *
  * `role`, `displayName`, and `permissions` live in the plaintext header
@@ -11594,7 +11634,7 @@ interface GrantOptions {
  * `null` on `displayName` clears the field (stored as the empty string;
  * UI consumers typically render the empty case by falling back to the
  * user id). `undefined` / absent leaves the field untouched. Mirrors
- * the `null`-as-clear convention `UserApi.updateMe` uses (#57).
+ * the `null`-as-clear convention `UserApi.updateMe` uses.
  *
  * `permissions`, however, is a **full replacement** at the map level —
  * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
@@ -11608,8 +11648,6 @@ interface GrantOptions {
  * do anything. Non-admin callers (operator/viewer/client) cannot call
  * `db.updateUser` at all — for self-displayName changes, use
  * `vault.user.updateMe` (the user-envelope API).
- *
- * @see #54
  */
 interface UpdateUserOptions {
     readonly userId: string;
@@ -12201,7 +12239,7 @@ interface NoydbOptions {
      */
     readonly derivationStrategies?: ReadonlyArray<DerivationStrategyHandle>;
     /**
-     * Optional materialized-view strategies (#143, foundation in #150).
+     * Optional materialized-view strategies.
      * Each handle returned by `withMaterializedView()` from
      * `@noy-db/hub/materialized-views`. The vault runs unified cycle
      * detection across the MV + derivation graphs at `openVault`; a
@@ -12209,7 +12247,7 @@ interface NoydbOptions {
      */
     readonly materializedViewStrategies?: ReadonlyArray<MaterializedViewStrategyHandle>;
     /**
-     * Optional overlay strategies (#154). Each handle returned by
+     * Optional overlay strategies. Each handle returned by
      * `withOverlayedView()` from `@noy-db/hub/overlay-views`. The vault
      * validates name uniqueness + base concreteness + overlay
      * availability at `openVault`; a clash throws one of the
@@ -12262,7 +12300,7 @@ interface NoydbOptions {
      */
     readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>;
     /**
-     * Passphrase mode (#14). Default `'standard'`.
+     * Passphrase mode. Default `'standard'`.
      *
      *   - `'standard'` — the legacy flow. `secret` supplies the
      *     plaintext passphrase, the user knows it, and the policy gate
@@ -12323,14 +12361,14 @@ interface NoydbOptions {
     readonly sessionPolicy?: SessionPolicy;
     /**
      * Validate passphrase strength against the phrase format
-     * (`@noy-db/hub` issue #7) on first-time keyring creation. When
+     * on first-time keyring creation. When
      * `true`, weak phrases throw {@link WeakPassphraseError} from
      * `createNoydb()` / `db.rotatePassphrase()`. Default: `false` for
-     * back-compat in v0.1.x; planned to flip to `true` at v1.0.
+     * back-compat; planned to flip to `true` in a future major release.
      */
     readonly validatePassphrase?: boolean;
     /**
-     * Vault-level policy gate document (issue #9). When present, the hub
+     * Vault-level policy gate document. When present, the hub
      * persists the merged policy at `_meta/policy` on first-time vault
      * creation and gates sensitive operations (`db.rotatePassphrase`,
      * `db.export*`, …) against it. Omitted ⇒ the engine uses
@@ -12346,14 +12384,14 @@ interface NoydbOptions {
      */
     readonly policy?: VaultPolicy;
     /**
-     * Mandatory recovery profile enrollment (issue #10). Vaults with
+     * Mandatory recovery profile enrollment. Vaults with
      * `recover-passphrase` enabled MUST register at least one profile
      * before being production-ready, otherwise `createNoydb()` throws
      * {@link RecoveryNotEnrolledError}. Set
      * `policy.gates['recover-passphrase'].enabled = false` to
      * deliberately opt out of recovery (passphrase loss = data loss).
      *
-     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end. Other
+     * The `'paper'` profile is supported end-to-end. Other
      * profiles ship the API shape and throw
      * {@link RecoveryProfileNotImplementedError} during use.
      */
@@ -12361,9 +12399,9 @@ interface NoydbOptions {
     /**
      * When `true`, `createNoydb` rejects vaults with no recovery
      * entries persisted (per the spec's mandatory-enrollment
-     * requirement). Default `false` for v0.1.x back-compat; planned to
-     * flip to `true` at v1.0. Apps in regulated environments should
-     * turn this on now.
+     * requirement). Default `false` for back-compat; planned to
+     * flip to `true` in a future major release. Apps in regulated
+     * environments should turn this on now.
      */
     readonly requireRecovery?: boolean;
     /**