@noy-db/hub 0.2.0-pre.4 → 0.2.0-pre.5

package/dist/bundle/index.cjs

@@ -1724,7 +1724,7 @@ async function changeSecret(adapter, vault, keyring, newPassphrase, passphraseOp
     // Tier-2 slots are NOT preserved through `changeSecret` —
     // each slot wraps the OLD KEK, so the new keyring has no
     // authenticator slots until the user re-enrolls. The higher-level
-    // `db.rotatePassphrase()` (#10) preserves slots by rewrapping the
+    // `db.rotatePassphrase()` preserves slots by rewrapping the
     // KEK reference, not the KEK itself.
     authenticators: [],
     ...keyring.policy !== void 0 && { policy: keyring.policy }
@@ -4173,7 +4173,7 @@ var init_builder = __esm({
       /**
        * @internal — clone this Query with a declared-predicate map
        * attached. Used by the materialized-view registry to enable
-       * `.wherePredicate(name, ctx?)` for the MV's query callback (#153).
+       * `.wherePredicate(name, ctx?)` for the MV's query callback.
        * Consumers don't call this directly.
        */
       _withPredicates(predicates) {
@@ -4186,7 +4186,7 @@ var init_builder = __esm({
         );
       }
       /**
-       * Filter by a registered deterministic predicate (#153). Requires
+       * Filter by a registered deterministic predicate. Requires
        * the Query to have been augmented with a predicates map (typically
        * via the materialized-view registry — bare Queries constructed
        * outside an MV throw on `.wherePredicate()`).
@@ -5604,7 +5604,7 @@ var init_transaction = __esm({
     init_errors();
     init_ulid();
     TxContext = class {
-      /** Stable id for this transaction; shared by all writes it performs (#230). */
+      /** Stable id for this transaction; shared by all writes it performs. */
       txId = generateULID();
       /** @internal */
       _ops = [];
@@ -5614,7 +5614,7 @@ var init_transaction = __esm({
        * restore prior state via `revertExecuted`. Side-effect writes (e.g.
        * recursive derivation outputs fired inside `Collection.put`) are
        * appended here in execution order so they roll back alongside the
-       * main staged ops (#133).
+       * main staged ops.
        */
       _executed = [];
       /** @internal */
@@ -5914,7 +5914,7 @@ async function resolveStaleOnRead(accessor, outputCollection, id) {
       }
       if (out.kind === "array") {
         console.warn(
-          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager" (#200 slice 1).`
+          `[derivation] unexpected array-shape output "${key}" in lazy resolve path; array-shape derivations require lifecycle: "eager".`
         );
         continue;
       }
@@ -6436,81 +6436,6 @@ var init_stale2 = __esm({
   }
 });
 
-// src/guards/executor.ts
-var executor_exports3 = {};
-__export(executor_exports3, {
-  GuardExecutor: () => GuardExecutor
-});
-function deepEqual(a, b) {
-  if (a === b) return true;
-  if (a === null || b === null) return a === b;
-  if (typeof a !== typeof b) return false;
-  if (typeof a !== "object") return a === b;
-  if (Array.isArray(a) !== Array.isArray(b)) return false;
-  if (Array.isArray(a)) {
-    const aa = a;
-    const bb = b;
-    if (aa.length !== bb.length) return false;
-    for (let i = 0; i < aa.length; i++) if (!deepEqual(aa[i], bb[i])) return false;
-    return true;
-  }
-  const ao = a;
-  const bo = b;
-  const ak = Object.keys(ao);
-  const bk = Object.keys(bo);
-  if (ak.length !== bk.length) return false;
-  for (const k of ak) {
-    if (!Object.prototype.hasOwnProperty.call(bo, k)) return false;
-    if (!deepEqual(ao[k], bo[k])) return false;
-  }
-  return true;
-}
-var GuardExecutor;
-var init_executor3 = __esm({
-  "src/guards/executor.ts"() {
-    "use strict";
-    init_errors();
-    GuardExecutor = {
-      /**
-       * Compare existing vs incoming for each `frozenFields.fields` entry
-       * when `frozenFields.when(existing)` is true. Throws
-       * `FieldFrozenError` listing every changed frozen field.
-       */
-      async checkFrozenFields(guard, id, existing, incoming) {
-        const ff = guard.frozenFields;
-        if (!ff) return;
-        if (existing === null) return;
-        if (!ff.when(existing)) return;
-        const changed = [];
-        for (const f of ff.fields) {
-          if (existing[f] !== incoming[f]) {
-            if (!deepEqual(existing[f], incoming[f])) changed.push(String(f));
-          }
-        }
-        if (changed.length > 0) {
-          throw new FieldFrozenError(guard.collection, id, changed);
-        }
-      },
-      /**
-       * Run a single guard's invariant over its slice of the change-set.
-       * Any throw is converted to `InvariantError` unless it already is one.
-       */
-      async runInvariant(guard, changes, ctx) {
-        const amendment = guard.amendment;
-        if (!amendment) return;
-        try {
-          await amendment.invariant(changes, ctx);
-        } catch (err) {
-          if (err instanceof InvariantError) throw err;
-          throw new InvariantError(
-            err instanceof Error ? err.message : `invariant violated: ${String(err)}`
-          );
-        }
-      }
-    };
-  }
-});
-
 // src/derivations/fanout-sidecar.ts
 var fanout_sidecar_exports = {};
 __export(fanout_sidecar_exports, {
@@ -6648,6 +6573,7 @@ var init_collection = __esm({
       schemaUpdateGate;
       schemaFence;
       writeHooks;
+      subsystemBus;
       activeTxId;
       getDEK;
       onDirty;
@@ -6836,42 +6762,14 @@ var init_collection = __esm({
       syncAdapter;
       /** — consent-audit hook, no-op when no scope is active. */
       onAccess;
-      /**
-       * accounting-period write guard. Called BEFORE any
-       * adapter write with:
-       *   - `existing` — the prior envelope's `_ts` and decrypted record
-       *     (or `null` if no prior envelope exists)
-       *   - `incoming` — the record being written (or `null` for delete)
-       *
-       * Throws `PeriodClosedError` if either side falls inside a closed
-       * period. Installed by Vault; no-op when no period has been closed.
-       * Async so the Vault can lazy-load the period list from the
-       * adapter on first use.
-       */
-      periodGuard;
-      /**
-       * Optional back-reference to the owning vault's guard registry + a
-       * read-only vault facade. When present, `Collection.put` and
-       * `Collection.delete` consult the registry for guards declared
-       * against this collection and run their `check` + `frozenFields`
-       * before the adapter write. Absent in unit tests that construct
-       * a Collection directly; production code always sets it via
-       * `Vault.collection()`.
-       *
-       * Typed structurally rather than as `Vault` to avoid a circular
-       * import (mirrors the `refEnforcer` / `joinResolver` pattern).
-       */
-      guardSource;
       /**
        * Vault-internal hook for derivation dispatch. When set,
        * `Collection.put` consults the registry after the source-write
        * commits and writes derived outputs through `getCollection(name).put`.
-       * Same structural-interface pattern as `guardSource` to avoid a
-       * circular Vault import.
        */
       derivationSource;
       /**
-       * Vault-internal hook for materialized-view dispatch (#143/#150).
+       * Vault-internal hook for materialized-view dispatch.
        * Parallel to `derivationSource` — when set, `Collection.put` fires
        * `MaterializedViewRegistry.onSourceWrite` after the source-write
        * commits + after `dispatchDerivations` has run.
@@ -6927,6 +6825,7 @@ var init_collection = __esm({
         this.schemaUpdateGate = opts.schemaUpdateGate;
         this.schemaFence = opts.schemaFence;
         this.writeHooks = opts.writeHooks;
+        this.subsystemBus = opts.subsystemBus;
         this.activeTxId = opts.activeTxId;
         this.blobStrategy = opts.blobStrategy ?? NO_BLOBS;
         this.aggregateStrategy = opts.aggregateStrategy ?? NO_AGGREGATE;
@@ -6951,8 +6850,6 @@ var init_collection = __esm({
         this.crdtMode = opts.crdt;
         this.syncAdapter = opts.syncAdapter;
         this.onAccess = opts.onAccess;
-        this.periodGuard = opts.periodGuard;
-        this.guardSource = opts.guardSource;
         this.derivationSource = opts.derivationSource;
         this.materializedViewSource = opts.materializedViewSource;
         this.tiers = opts.tiers && opts.tiers.length > 0 ? new Set(opts.tiers) : null;
@@ -7154,21 +7051,23 @@ var init_collection = __esm({
       }
       /**
        * Create or update a record. Runs inside the hub's write-queue tracker
-       * (#227) so `hub.writeQueue.pending` reflects this write.
+       * so `hub.writeQueue.pending` reflects this write.
        *
        * @param id      Record identifier.
        * @param record  The record body (validated by the collection's schema
        *                if one was attached at `vault.collection(...)` time).
        * @param options Optional metadata for audit + import workflows.
        *                `reason` is stamped onto the resulting ledger entry
-       *                (see #1) so audit consumers can filter via
+       *                so audit consumers can filter via
        *                `entries.filter(e => e.reason?.startsWith('import:'))`.
        */
       async put(id, record, options) {
         await this.schemaUpdateGate?.assertWritable();
         await this.schemaFence?.assertWritable(this.name);
+        const hooksActive = this.#hooksActive();
+        const busAfterPut = (this.subsystemBus?.hasHandlers("afterPut") ?? false) && !(this.subsystemBus?.dispatching ?? false);
         let event;
-        if (this.#hooksActive()) {
+        if (hooksActive || busAfterPut) {
           const prior = await this.#priorForHook(id);
           event = {
             op: prior.record === null ? "create" : "update",
@@ -7183,23 +7082,26 @@ var init_collection = __esm({
             baseVersion: prior.version,
             version: prior.version + 1
           };
-          await this.writeHooks.runBefore(event);
+          if (hooksActive) await this.writeHooks.runBefore(event);
         }
         if (this.writeQueue) await this.writeQueue.track(() => this.putInternal(id, record, options));
         else await this.putInternal(id, record, options);
-        if (event) await this.writeHooks.runAfter(event);
+        if (event) {
+          if (hooksActive) await this.writeHooks.runAfter(event);
+          if (busAfterPut) await this.subsystemBus.dispatch("afterPut", event);
+        }
       }
-      /** @internal #230 — true when hooks should fire for this write (handlers exist, not re-entrant). */
+      /** @internal — true when hooks should fire for this write (handlers exist, not re-entrant). */
       #hooksActive() {
         return this.writeHooks !== void 0 && this.writeHooks.hasHandlers && !this.writeHooks.suppressed;
       }
       /**
-       * @internal #230/#228c — resolve the prior record for a hook's `before` and
+       * @internal — resolve the prior record for a hook's `before` and
        * its version. Critically, this uses the SAME basis `putInternal` writes from
        * (the in-memory cache in eager mode; lru-then-adapter in lazy) — NOT a fresh
        * store read — so `baseVersion`/`version` match the version actually written.
        * A separate store read would diverge once another tab has advanced the shared
-       * store past this tab's cache, breaking #228c conflict detection.
+       * store past this tab's cache, breaking cross-tab conflict detection.
        */
       async #priorForHook(id) {
         if (this.lazy && this.lru) {
@@ -7221,52 +7123,28 @@ var init_collection = __esm({
         if (!hasWritePermission(this.keyring, this.name)) {
           throw new ReadOnlyError();
         }
-        if (this.guardSource) {
-          const registry = this.guardSource.registry();
-          const guards = registry.guardsFor(this.name);
-          if (guards.length > 0) {
-            const existingEnv = await this.adapter.get(this.vault, this.name, id);
-            let existingRecord = null;
-            if (existingEnv) {
-              try {
-                existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
-              } catch {
-                existingRecord = null;
-              }
-            }
-            const incomingRecord = record;
-            const ctx = {
-              existing: existingRecord,
-              vault: this.guardSource.readOnlyVault(),
-              userId: this.keyring.userId,
-              role: this.keyring.role
-            };
-            if (registry.isAmendmentActive()) {
-              const vBefore = existingEnv?._v ?? 0;
-              registry.collectChange(this.name, id, existingRecord, incomingRecord, vBefore, vBefore + 1);
-            } else {
-              await registry.runChecks(this.name, incomingRecord, ctx);
-              const { GuardExecutor: GuardExecutor2 } = await Promise.resolve().then(() => (init_executor3(), executor_exports3));
-              for (const g of guards) {
-                await GuardExecutor2.checkFrozenFields(g, id, existingRecord, incomingRecord);
-              }
-            }
-          }
-        }
-        if (this.periodGuard !== void 0) {
+        if (this.subsystemBus?.hasGateHandlers("beforePut")) {
           const existingEnv = await this.adapter.get(this.vault, this.name, id);
-          let priorRecord = null;
+          let existingRecord = null;
           if (existingEnv) {
             try {
-              priorRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+              existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
             } catch {
-              priorRecord = null;
+              existingRecord = null;
             }
           }
-          await this.periodGuard(
-            existingEnv ? { ts: existingEnv._ts, record: priorRecord } : null,
-            record
-          );
+          await this.subsystemBus.dispatchGate("beforePut", {
+            op: existingEnv ? "update" : "create",
+            vault: this.vault,
+            collection: this.name,
+            docId: id,
+            incoming: record,
+            existing: existingRecord,
+            existingVersion: existingEnv?._v ?? 0,
+            existingTs: existingEnv?._ts,
+            userId: this.keyring.userId,
+            role: this.keyring.role
+          });
         }
         if (this.schema !== void 0) {
           record = await validateSchemaInput(this.schema, record, `put(${id})`);
@@ -7452,7 +7330,7 @@ var init_collection = __esm({
        * Fire registered MV strategies whose dependency set includes this
        * collection. Eager-mode MVs re-materialize inline via
        * `MaterializedViewExecutor.refresh`; lazy / manual modes are
-       * no-ops in the foundation (subtask #150) — wired in #151.
+       * no-ops in the foundation; wired in the lazy-mode implementation.
        *
        * Skips entirely when the record being written is itself an
        * MV-emitted row (carries `_materializedFrom`) — defensive guard
@@ -7596,13 +7474,15 @@ var init_collection = __esm({
       }
       /**
        * Delete a record by ID. Runs inside the hub's write-queue tracker
-       * (#227) so `hub.writeQueue.pending` reflects this write.
+       * so `hub.writeQueue.pending` reflects this write.
        */
       async delete(id) {
         await this.schemaUpdateGate?.assertWritable();
         await this.schemaFence?.assertWritable(this.name);
+        const hooksActive = this.#hooksActive();
+        const busAfterDelete = (this.subsystemBus?.hasHandlers("afterDelete") ?? false) && !(this.subsystemBus?.dispatching ?? false);
         let event;
-        if (this.#hooksActive()) {
+        if (hooksActive || busAfterDelete) {
           const prior = await this.#priorForHook(id);
           event = {
             op: "delete",
@@ -7617,14 +7497,17 @@ var init_collection = __esm({
             baseVersion: prior.version,
             version: prior.version + 1
           };
-          await this.writeHooks.runBefore(event);
+          if (hooksActive) await this.writeHooks.runBefore(event);
         }
         if (this.writeQueue) await this.writeQueue.track(() => this.deleteInternal(id));
         else await this.deleteInternal(id);
-        if (event) await this.writeHooks.runAfter(event);
+        if (event) {
+          if (hooksActive) await this.writeHooks.runAfter(event);
+          if (busAfterDelete) await this.subsystemBus.dispatch("afterDelete", event);
+        }
       }
       /**
-       * @internal #232 — bulk-rewrite every record through a cutover transform.
+       * @internal — bulk-rewrite every record through a cutover transform.
        * Raw adapter path (bypasses the write gate + guards — the transform is
        * trusted and runs only during the `migrating` phase). Bumps each
        * record's `_v` and appends a ledger `op:'migration'` entry.
@@ -7663,8 +7546,7 @@ var init_collection = __esm({
       }
       /**
        * @internal — system-internal delete that bypasses user-facing
-       * delete hooks (`onDelete`, accounting-period guard, FK ref
-       * enforcer). Used by derivation tombstones (#144) and MV refresh
+       * delete hooks (`onDelete`, FK ref enforcer). Used by derivation tombstones and MV refresh
        * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
        * registered against the output collection. The ledger entry and
        * history snapshot still fire so backup integrity and time-travel
@@ -7676,7 +7558,7 @@ var init_collection = __esm({
        *
        * When a `txCtx` is supplied, the prior envelope is captured and
        * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
-       * the #133 rollback hardening for puts. Callers outside a
+       * the rollback hardening for puts. Callers outside a
        * multi-record transaction pass `null` and skip the tracking.
        *
        * Amendment composition: if `_internalDelete` runs while a vault's
@@ -7719,58 +7601,27 @@ var init_collection = __esm({
         if (!hasWritePermission(this.keyring, this.name)) {
           throw new ReadOnlyError();
         }
-        if (this.guardSource) {
-          const registry = this.guardSource.registry();
-          const guards = registry.guardsFor(this.name);
-          if (guards.length > 0) {
-            const existingEnv = await this.adapter.get(this.vault, this.name, id);
-            if (existingEnv) {
-              let existingRecord = null;
-              try {
-                existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
-              } catch {
-                existingRecord = null;
-              }
-              if (registry.isAmendmentActive()) {
-                const vBefore = existingEnv._v;
-                registry.collectChange(
-                  this.name,
-                  id,
-                  existingRecord,
-                  null,
-                  vBefore,
-                  vBefore
-                );
-              } else if (!internal) {
-                const ctx = {
-                  existing: existingRecord,
-                  vault: this.guardSource.readOnlyVault(),
-                  userId: this.keyring.userId,
-                  role: this.keyring.role
-                };
-                await registry.runOnDelete(
-                  this.name,
-                  existingRecord ?? {},
-                  ctx
-                );
-              }
-            }
-          }
-        }
-        if (!internal && this.periodGuard !== void 0) {
+        if (this.subsystemBus?.hasGateHandlers("beforeDelete")) {
           const existingEnv = await this.adapter.get(this.vault, this.name, id);
-          let priorRecord = null;
           if (existingEnv) {
+            let existingRecord = null;
             try {
-              priorRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
+              existingRecord = await this.decryptRecord(existingEnv, { skipValidation: true });
             } catch {
-              priorRecord = null;
+              existingRecord = null;
             }
+            await this.subsystemBus.dispatchGate("beforeDelete", {
+              vault: this.vault,
+              collection: this.name,
+              docId: id,
+              existing: existingRecord,
+              existingVersion: existingEnv._v,
+              existingTs: existingEnv._ts,
+              internal,
+              userId: this.keyring.userId,
+              role: this.keyring.role
+            });
           }
-          await this.periodGuard(
-            existingEnv ? { ts: existingEnv._ts, record: priorRecord } : null,
-            null
-          );
         }
         if (!internal && this.refEnforcer !== void 0) {
           await this.refEnforcer.enforceRefsOnDelete(this.name, id);
@@ -7831,7 +7682,7 @@ var init_collection = __esm({
       }
       /**
        * Cascade deletes of array-shape derived rows when a source row is
-       * deleted (#200). Reads each registered strategy's fanout sidecar
+       * deleted. Reads each registered strategy's fanout sidecar
        * for this source id, deletes every listed derived row, then
        * deletes the sidecar itself.
        *
@@ -7870,8 +7721,8 @@ var init_collection = __esm({
         }
       }
       /**
-       * Mirror of {@link dispatchMaterializedViews} for the delete path
-       * (#181). No record content is available (it's gone), so the
+       * Mirror of {@link dispatchMaterializedViews} for the delete path.
+       * No record content is available (it's gone), so the
        * `_materializedFrom` skip used by the put-side dispatch doesn't
        * apply here — instead, the recursion guard is the `internal` gate
        * at the `_doDelete` call site above.
@@ -8401,7 +8252,7 @@ var init_collection = __esm({
        *   .aggregate({ total: sum('amount'), n: count() })
        * ```
        *
-       * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+       * **Lazy-MV gap:** `scan()` is synchronous-build and does
        * NOT trigger lazy materialized-view resolve-on-read. For lazy
        * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
        * before scanning. Same shape as the `query()` limitation.
@@ -8482,7 +8333,7 @@ var init_collection = __esm({
         this.indexes?.upsert(id, record, previous ? previous.record : null);
       }
       /**
-       * #228b — apply a peer tab's committed write to THIS tab's in-memory view:
+       * Apply a peer tab's committed write to THIS tab's in-memory view:
        * re-read the (already-persisted) envelope from the shared store + refresh
        * cache/indexes, then emit a `change` event so reactive consumers re-render.
        * Never writes to the store and never fires write hooks, so it cannot loop.
@@ -8491,7 +8342,7 @@ var init_collection = __esm({
         await this._invalidateCacheEntry(id);
         this.emitter.emit("change", { vault: this.vault, collection: this.name, id, action });
       }
-      /** @internal #228c — the current in-memory record without a store read (for conflict capture). */
+      /** @internal — the current in-memory record without a store read (for conflict capture). */
       _peekCached(id) {
         const entry = this.lazy && this.lru ? this.lru.get(id) : this.cache.get(id);
         return entry ? entry.record : null;
@@ -9511,7 +9362,7 @@ var init_virtual_collection = __esm({
       // error pointing at the relevant issue — so consumers don't hit a
       // cryptic `undefined is not a function` runtime crash.
       //
-      // Closes niwat-review of PR #160.
+      // Throw-stubs so consumers get actionable errors rather than cryptic crashes.
       /** @throws — chainable Query<T> over a virtual collection is deferred. */
       query() {
         throw new Error(
@@ -10087,7 +9938,7 @@ var init_api = __esm({
        * the envelope on first call. Optimistic-concurrency safe — a stale
        * `_v` (parallel writer on another device) throws `ConflictError`.
        *
-       * Patch semantics (#57):
+       * Patch semantics:
        *   - `undefined` (or omitted key) — skip; existing value preserved
        *   - `null` — delete the field from the merged result
        *   - any other value — overwrite (deep-merge for plain objects,
@@ -10143,7 +9994,7 @@ var init_api = __esm({
         this.fireChange(this.writerKeyringId, written);
         return written;
       }
-      // ─── Visibility (#122) ───────────────────────────────────────────────
+      // ─── Visibility ──────────────────────────────────────────────────────
       /**
        * Read the current user's visibility flag from
        * `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
@@ -11204,7 +11055,7 @@ var init_registry2 = __esm({
       guardsFor(collection) {
         return this._byCollection.get(collection) ?? [];
       }
-      /** Per-collection guard counts, for introspection (#229). */
+      /** Per-collection guard counts, for introspection. */
       summary() {
         return [...this._byCollection.entries()].map(([collection, guards]) => ({
           collection,
@@ -11662,23 +11513,23 @@ var init_vault = __esm({
        * `null` for vaults that never register any guard strategy. The
        * runtime class is dynamic-imported on demand so consumers that
        * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
-       * their bundle (#130).
+       * their bundle.
        */
       guardRegistry = null;
       /**
        * Per-vault derivation registry. Same lazy-load contract as
        * `guardRegistry` — `null` until `_initDerivations()` runs with at
-       * least one strategy handle. See #130 for the bundle motivation.
+       * least one strategy handle.
        */
       derivationRegistry = null;
       /**
-       * Per-vault materialized-view registry (#143/#150). Same lazy-load
+       * Per-vault materialized-view registry. Same lazy-load
        * contract as `derivationRegistry` — `null` until
        * `_initMaterializedViews()` runs with at least one MV handle.
        */
       materializedViewRegistry = null;
       /**
-       * Per-vault overlay registry (#154). Same lazy-load contract as
+       * Per-vault overlay registry. Same lazy-load contract as
        * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
        * runs with at least one handle.
        */
@@ -11699,7 +11550,7 @@ var init_vault = __esm({
        *   target this vault session's keyringId. There is no method to write
        *   another principal's envelope (own-only write rule, structural).
        * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
-       *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+       *   envelopes, subject to the `view-team-profiles` policy gate.
        * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
        *
        * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
@@ -11719,12 +11570,12 @@ var init_vault = __esm({
        */
       reloadKeyring;
       collectionCache = /* @__PURE__ */ new Map();
-      /** #232 — vault-level schema cutover fence/controller. */
+      /** Vault-level schema cutover fence/controller. */
       schemaFence;
-      /** #232 — per-client heartbeat/watcher; started lazily on cutover registration. */
+      /** Per-client heartbeat/watcher; started lazily on cutover registration. */
       #fenceWatcher;
       #fenceCoordinationStarted = false;
-      /** #229 — per-collection registered schema-update strategy names. */
+      /** Per-collection registered schema-update strategy names. */
       #schemaUpdateNames = /* @__PURE__ */ new Map();
       /**
        * per-collection `blobFields` retention/TTL config.
@@ -11798,8 +11649,7 @@ var init_vault = __esm({
        * Cache of closed/opened accounting periods.
        * Populated on first `closePeriod` / `openPeriod` / `listPeriods` /
        * per-collection write call. Kept in memory as an ordered list (by
-       * `closedAt`) so the `periodGuard` hook runs synchronously against
-       * each collection's put/delete path.
+       * `closedAt`) so period checks run fast when the gate bus fires.
        *
        * Sentinel `null` means "not yet loaded" — the first consumer
        * triggers a one-time `loadPeriods()` pass. Every subsequent
@@ -11994,6 +11844,7 @@ var init_vault = __esm({
             emitter: this.emitter,
             writeQueue: this.noydb._writeQueueTracker,
             writeHooks: this.noydb._writeHooks,
+            subsystemBus: this.noydb._subsystemBus,
             activeTxId: () => this.noydb._activeTxContextOrNull?.txId ?? null,
             schemaUpdateGate,
             schemaFence: this.schemaFence,
@@ -12016,18 +11867,12 @@ var init_vault = __esm({
             defaultLocale: this.locale,
             onRegisterConflictResolver: this.onRegisterConflictResolver,
             onAccess: (op, id) => this._logConsent(op, collectionName, id),
-            periodGuard: (existing, incoming) => this._assertTsWritable(existing, incoming),
-            // Guard / derivation sources are only wired when the
-            // corresponding registry has been initialised. Vaults without
-            // guards/derivations skip this entirely so `Collection.put`'s
-            // `if (this.guardSource)` / `if (this.derivationSource)`
-            // branches no-op without ever touching the subsystem code.
-            ...this.guardRegistry !== null ? {
-              guardSource: {
-                registry: () => this.guardRegistry,
-                readOnlyVault: () => this._ensureReadOnlyFacade()
-              }
-            } : {},
+            // Derivation source is only wired when the corresponding registry
+            // has been initialised. Guard source was removed in Track A slice 3b
+            // — guards now run via the gate bus in Noydb.#registerGuardGate.
+            // Vaults without derivations skip this so `Collection.put`'s
+            // `if (this.derivationSource)` branch no-ops without touching the
+            // derivation subsystem code.
             ...this.derivationRegistry !== null ? {
               derivationSource: {
                 registry: () => this.derivationRegistry,
@@ -12117,7 +11962,7 @@ var init_vault = __esm({
         await Promise.allSettled(pending);
       }
       /**
-       * Run a coordinated schema cutover (#232). Drains pending writes, waits
+       * Run a coordinated schema cutover. Drains pending writes, waits
        * for the active client set to quiesce (the ack-barrier), applies every
        * pending collection transform in bulk, bumps the vault schema generation,
        * and clears the fence. Returns the count of collections migrated.
@@ -12135,9 +11980,9 @@ var init_vault = __esm({
         await coll._applyCutoverTransform(transform);
       }
       /**
-       * #228b — refresh a loaded collection's view of one document from a peer
+       * Refresh a loaded collection's view of one document from a peer
        * tab's broadcast. No-op when the collection isn't loaded in this tab
-       * (it will read fresh on next open). Mirrors #runCutoverTransform's guard.
+       * (it will read fresh on next open). Mirrors `#runCutoverTransform`'s guard.
        */
       async _applyRemoteWrite(collectionName, docId, action) {
         const coll = this.collectionCache.get(collectionName);
@@ -12145,9 +11990,9 @@ var init_vault = __esm({
         await coll._applyRemoteChange(docId, action);
       }
       /**
-       * #228c — for a detected conflict: capture this tab's clobbered record,
+       * For a detected conflict: capture this tab's clobbered record,
        * read the common ancestor from history, converge the cache to the store's
-       * authoritative value (the (b) re-read), and return all three for the
+       * authoritative value (the re-read), and return all three for the
        * WriteConflict payload. Returns null when the collection isn't loaded.
        */
       async _captureAndConverge(collectionName, docId, action, baseV) {
@@ -12164,15 +12009,15 @@ var init_vault = __esm({
         const remote = await coll.get(docId);
         return { local, remote, base };
       }
-      /** Recover a stuck cutover fence (#232) — reset to normal without bumping. */
+      /** Recover a stuck cutover fence — reset to normal without bumping. */
       async abortSchemaCutover() {
         await this.schemaFence.abort();
       }
-      /** Current schema-cutover fence state for this vault (#232/#233). Thin live read. */
+      /** Current schema-cutover fence state for this vault. Thin live read. */
       async schemaFenceState() {
         return loadFence(this.adapter, this.name);
       }
-      /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered (#232). */
+      /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
       _ensureFenceCoordination() {
         if (this.#fenceCoordinationStarted) return;
         this.#fenceCoordinationStarted = true;
@@ -12845,7 +12690,7 @@ var init_vault = __esm({
        * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
        * the registry with the supplied strategy handles. No-op when the
        * handles array is empty — keeps the guard subsystem out of the
-       * floor bundle for consumers that don't use guards (#130).
+       * floor bundle for consumers that don't use guards.
        *
        * The read-only facade is eagerly instantiated here so the sync
        * accessor `_getReadOnlyFacade()` (called from the tx amendment
@@ -12863,10 +12708,9 @@ var init_vault = __esm({
         this.readOnlyFacade = new ReadOnlyVaultFacade2(this);
       }
       /**
-       * @internal — Collection.put calls into this. Returns `null` for
-       * vaults that never registered any guard strategy. Callers MUST
-       * gate on null (the existing `if (this.guardSource)` branches in
-       * `Collection` already do this transitively).
+       * @internal — The gate handler in Noydb.#registerGuardGate calls into
+       * this. Returns `null` for vaults that never registered any guard
+       * strategy. Callers MUST gate on null.
        */
       _getGuardRegistry() {
         return this.guardRegistry;
@@ -12877,7 +12721,7 @@ var init_vault = __esm({
        * derivation strategies (async because `strategyHash` computation
        * goes through `crypto.subtle.digest`). No-op when the handles
        * array is empty — keeps the derivation subsystem out of the floor
-       * bundle for consumers that don't use derivations (#130). Throws
+       * bundle for consumers that don't use derivations. Throws
        * `DerivationCycleError` if a cycle is detected after registration.
        */
       async _initDerivations(handles) {
@@ -12909,7 +12753,7 @@ var init_vault = __esm({
        * MV spec (which invokes its `query()` once for dependency
        * analysis), then runs the unified cycle detection across the MV +
        * derivation graphs. No-op when the handles array is empty — keeps
-       * the MV subsystem out of the floor bundle (mirrors v1 #130).
+       * the MV subsystem out of the floor bundle (mirrors the derivation lazy-import pattern).
        * Throws `MaterializedViewCycleError` if a cycle is detected.
        */
       async _initMaterializedViews(handles) {
@@ -12966,13 +12810,13 @@ var init_vault = __esm({
         return this.overlayedViewRegistry;
       }
       /**
-       * Manual re-materialize for a single registered MV (#151). Useful
+       * Manual re-materialize for a single registered MV. Useful
        * for `refresh: 'manual'` MVs (whose consumer drives refreshes
        * externally), for stale-bit recovery on vault re-open, and as the
        * explicit bulk-recompute escape hatch after a strategy change.
        *
-       * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
-       * foundation + this sub-issue — tombstoning lands in #152.
+       * Returns `{ written, deleted, failed }`. `deleted` is always 0
+       * when tombstoning is not enabled.
        *
        * Throws if `name` is not a registered MV.
        */
@@ -13068,22 +12912,19 @@ var init_vault = __esm({
       /**
        * @internal — exposed for `runTransaction({ amendment: true })` so
        * the amendment invariant runner can pass the SAME read-only vault
-       * facade that the per-record `Collection.put` guard hook uses
-       * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
-       * `_initGuards()` so this accessor stays synchronous; returns
-       * `null` for vaults that never registered any guard (amendments
-       * require at least one guard, so the caller should never see null).
+       * facade that the gate handler in Noydb.#registerGuardGate uses.
+       * Eagerly instantiated by `_initGuards()` so this accessor stays
+       * synchronous; returns `null` for vaults that never registered any
+       * guard (amendments require at least one guard, so the caller should
+       * never see null).
        */
       _getReadOnlyFacade() {
         return this.readOnlyFacade;
       }
       /**
-       * Internal lazy-allocator for the read-only facade. Used by the
-       * per-collection `guardSource.readOnlyVault` callback when guards
-       * ARE configured but `_initGuards()` raced with the first guard
-       * invocation (theoretically impossible — `Noydb.openVault` awaits
-       * `_initGuards` before returning — but we keep the defensive lazy
-       * path so the closure's contract stays "always returns a facade").
+       * Internal lazy-allocator for the read-only facade. Used as a
+       * defensive fallback; in practice `_initGuards()` eagerly
+       * instantiates this, so the lazy path is a no-op.
        */
       _ensureReadOnlyFacade() {
         if (this.readOnlyFacade !== null) return this.readOnlyFacade;
@@ -13538,7 +13379,7 @@ var init_vault = __esm({
         const all = await this._loadPeriodsCache();
         return all.find((p) => p.name === name) ?? null;
       }
-      /** @internal — periodGuard callback installed on every Collection. */
+      /** @internal — called by the gate bus before put/delete. */
       async _assertTsWritable(existing, incoming) {
         if (existing === null && incoming === null) return;
         if (this.periodCache === null) {
@@ -13626,7 +13467,7 @@ var init_vault = __esm({
         return dumpVaultSchema(this, opts);
       }
       /**
-       * Lightweight read of the vault's registered schema (#229): collections
+       * Lightweight read of the vault's registered schema: collections
        * (+ doc counts), guards, materialized views, schema-update strategies,
        * and the unlocked user's grants. Cheap — one `adapter.list` per
        * collection, no decryption. For a full snapshot + stats use dumpSchema().
@@ -14433,6 +14274,116 @@ var init_write_hooks = __esm({
   }
 });
 
+// src/subsystem-bus.ts
+var SubsystemBus;
+var init_subsystem_bus = __esm({
+  "src/subsystem-bus.ts"() {
+    "use strict";
+    SubsystemBus = class {
+      #handlers = /* @__PURE__ */ new Map();
+      #gateHandlers = /* @__PURE__ */ new Map();
+      #depth = 0;
+      /** Register a handler for an observe point. Returns an unsubscribe fn. */
+      register(point, handler) {
+        let arr = this.#handlers.get(point);
+        if (!arr) {
+          arr = [];
+          this.#handlers.set(point, arr);
+        }
+        arr.push(handler);
+        return () => {
+          const a = this.#handlers.get(point);
+          if (!a) return;
+          const i = a.indexOf(handler);
+          if (i >= 0) a.splice(i, 1);
+        };
+      }
+      /** Cheap gate for the write path — true when any handler is registered for the point. */
+      hasHandlers(point) {
+        const a = this.#handlers.get(point);
+        return a !== void 0 && a.length > 0;
+      }
+      /**
+       * True while one or more dispatches are in flight. Backed by a depth counter
+       * so that two concurrent async dispatches (`Promise.all([put('a'), put('b')])`
+       * each captured `busAfterPut=true` at their respective put() tops while depth
+       * was 0) both proceed independently — the counter stays > 0 until BOTH finish,
+       * so any nested write attempted by a handler still sees `dispatching === true`
+       * and is suppressed by the write-path gate in `collection.ts`
+       * (`busAfterPut = hasHandlers('afterPut') && !dispatching`). Re-entrancy
+       * suppression lives exclusively on that write-path gate; concurrent independent
+       * dispatches must not drop each other's events.
+       */
+      get dispatching() {
+        return this.#depth > 0;
+      }
+      /**
+       * Dispatch in registration order, awaited. Per-handler errors are warned, not
+       * thrown — an observe handler must never abort a completed write. A
+       * re-entrancy guard suppresses nested firing so a handler that itself writes
+       * cannot loop (same rationale as WriteHookRegistry.#suppressed).
+       */
+      async dispatch(point, event) {
+        const a = this.#handlers.get(point);
+        if (!a || a.length === 0) return;
+        this.#depth++;
+        try {
+          for (const h of a.slice()) {
+            try {
+              await h(event);
+            } catch (err) {
+              console.warn(
+                `[noy-db] subsystem observe handler failed at ${point}: ` + (err instanceof Error ? err.message : String(err))
+              );
+            }
+          }
+        } finally {
+          this.#depth--;
+        }
+      }
+      /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
+      registerGate(point, handler) {
+        let arr = this.#gateHandlers.get(point);
+        if (!arr) {
+          arr = [];
+          this.#gateHandlers.set(point, arr);
+        }
+        arr.push(handler);
+        return () => {
+          const a = this.#gateHandlers.get(point);
+          if (!a) return;
+          const i = a.indexOf(handler);
+          if (i >= 0) a.splice(i, 1);
+        };
+      }
+      /** Cheap gate for the write path — true when any gate handler is registered for the point. */
+      hasGateHandlers(point) {
+        const a = this.#gateHandlers.get(point);
+        return a !== void 0 && a.length > 0;
+      }
+      /**
+       * Run gate handlers in registration order, awaited. Unlike `dispatch`
+       * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
+       * write before it reaches the store. The first throw stops the remaining
+       * handlers (fail-fast). This is the seam guards/periods migrate onto.
+       *
+       * Note: gate handlers are validators that read, not write. A gate handler
+       * that writes back into the same collection would re-enter the write path
+       * and re-dispatch this point; loop-suppression for that case is deferred to
+       * the migration slice (contract: gate handlers must not perform writes that
+       * re-trigger their own point).
+       */
+      async dispatchGate(point, event) {
+        const a = this.#gateHandlers.get(point);
+        if (!a || a.length === 0) return;
+        for (const h of a.slice()) {
+          await h(event);
+        }
+      }
+    };
+  }
+});
+
 // src/tab-coordination.ts
 function isPresenceMsg(x) {
   if (x === null || typeof x !== "object") return false;
@@ -14935,9 +14886,9 @@ var init_presets = __esm({
           minTier: 1,
           enabled: true
         },
-        // rotate-recovery (#121): deliberate paper-sheet regeneration
-        // when the user remembers their passphrase. PERSONAL matches the
-        // pre-#121 low-level flow's bar — knowing the passphrase is enough.
+        // rotate-recovery: deliberate paper-sheet regeneration
+        // when the user remembers their passphrase. PERSONAL allows tier-1 —
+        // knowing the passphrase is enough.
         "rotate-recovery": { minTier: 1 },
         "enroll-authenticator": { minTier: 1 },
         "remove-authenticator": { minTier: 1 },
@@ -14971,7 +14922,7 @@ var init_presets = __esm({
           minTier: 1,
           enabled: false
         },
-        // ─── User envelope gates (#22) ────────────────────────────────────
+        // ─── User envelope gates ──────────────────────────────────────────
         // edit-own-profile: tier 3 floor — any active session can edit their
         //   own profile/preferences. Tightening to require a TOTP for
         //   profile changes is a one-line override.
@@ -14998,7 +14949,7 @@ var init_presets = __esm({
           minTier: 1,
           enabled: true
         },
-        // rotate-recovery (#121): STRICT requires an off-device factor —
+        // rotate-recovery: STRICT requires an off-device factor —
         // rotating recovery is an off-site-trust event; a stolen unlocked
         // laptop must not be able to silently mint a new sheet for the
         // attacker. Matches the `peer-recover-user` STRICT default.
@@ -15071,7 +15022,7 @@ var init_presets = __esm({
           minTier: 1,
           enabled: false
         },
-        // ─── User envelope gates (#22) ────────────────────────────────────
+        // ─── User envelope gates ──────────────────────────────────────────
         // STRICT: profile edits require a TOTP/email-OTP factor (typical
         // shared-workstation hardening — your name/avatar shouldn't change
         // without a fresh second-factor proof).
@@ -15154,6 +15105,81 @@ var init_policy2 = __esm({
   }
 });
 
+// src/guards/executor.ts
+var executor_exports3 = {};
+__export(executor_exports3, {
+  GuardExecutor: () => GuardExecutor
+});
+function deepEqual(a, b) {
+  if (a === b) return true;
+  if (a === null || b === null) return a === b;
+  if (typeof a !== typeof b) return false;
+  if (typeof a !== "object") return a === b;
+  if (Array.isArray(a) !== Array.isArray(b)) return false;
+  if (Array.isArray(a)) {
+    const aa = a;
+    const bb = b;
+    if (aa.length !== bb.length) return false;
+    for (let i = 0; i < aa.length; i++) if (!deepEqual(aa[i], bb[i])) return false;
+    return true;
+  }
+  const ao = a;
+  const bo = b;
+  const ak = Object.keys(ao);
+  const bk = Object.keys(bo);
+  if (ak.length !== bk.length) return false;
+  for (const k of ak) {
+    if (!Object.prototype.hasOwnProperty.call(bo, k)) return false;
+    if (!deepEqual(ao[k], bo[k])) return false;
+  }
+  return true;
+}
+var GuardExecutor;
+var init_executor3 = __esm({
+  "src/guards/executor.ts"() {
+    "use strict";
+    init_errors();
+    GuardExecutor = {
+      /**
+       * Compare existing vs incoming for each `frozenFields.fields` entry
+       * when `frozenFields.when(existing)` is true. Throws
+       * `FieldFrozenError` listing every changed frozen field.
+       */
+      async checkFrozenFields(guard, id, existing, incoming) {
+        const ff = guard.frozenFields;
+        if (!ff) return;
+        if (existing === null) return;
+        if (!ff.when(existing)) return;
+        const changed = [];
+        for (const f of ff.fields) {
+          if (existing[f] !== incoming[f]) {
+            if (!deepEqual(existing[f], incoming[f])) changed.push(String(f));
+          }
+        }
+        if (changed.length > 0) {
+          throw new FieldFrozenError(guard.collection, id, changed);
+        }
+      },
+      /**
+       * Run a single guard's invariant over its slice of the change-set.
+       * Any throw is converted to `InvariantError` unless it already is one.
+       */
+      async runInvariant(guard, changes, ctx) {
+        const amendment = guard.amendment;
+        if (!amendment) return;
+        try {
+          await amendment.invariant(changes, ctx);
+        } catch (err) {
+          if (err instanceof InvariantError) throw err;
+          throw new InvariantError(
+            err instanceof Error ? err.message : `invariant violated: ${String(err)}`
+          );
+        }
+      }
+    };
+  }
+});
+
 // src/noydb.ts
 var noydb_exports = {};
 __export(noydb_exports, {
@@ -15226,6 +15252,7 @@ var init_noydb = __esm({
     init_events();
     init_write_queue();
     init_write_hooks();
+    init_subsystem_bus();
     init_tab_coordination();
     init_tab_write_relay();
     init_keyring();
@@ -15249,13 +15276,14 @@ var init_noydb = __esm({
       emitter = new NoydbEventEmitter();
       writeQueueTracker = new WriteQueueTracker();
       writeHooks = new WriteHookRegistry();
+      subsystemBus = new SubsystemBus();
       clientId = generateULID();
       vaultCache = /* @__PURE__ */ new Map();
       keyringCache = /* @__PURE__ */ new Map();
       syncEngines = /* @__PURE__ */ new Map();
       /**
        * Per-vault active session tier — defaults to `1` after a passphrase
-       * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+       * unlock; tier-2 / tier-3 unlocks downgrade it. Used by
        * {@link checkGate} to evaluate `gate.minTier`.
        */
       activeTier = /* @__PURE__ */ new Map();
@@ -15265,14 +15293,14 @@ var init_noydb = __esm({
        */
       policyCache = /* @__PURE__ */ new Map();
       /**
-       * One-shot bypass for the managed-mode strong-recovery check (#195).
+       * One-shot bypass for the managed-mode strong-recovery check.
        * Set true by {@link openVaultAndEnrollRecovery} for the duration of
        * the bootstrap window so the keyring can be created before the
        * strong recovery is enrolled. Always cleared (try/finally).
        * @internal
        */
       _skipNextManagedRecoveryCheck = false;
-      /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+      /** Per-vault tier-3 (PIN / quick-resume) state. */
       quickUnlock = new QuickUnlockStore();
       /**
        * Resolved public-envelope schema. Lazily computed once from
@@ -15282,9 +15310,9 @@ var init_noydb = __esm({
       publicEnvelopeSchema;
       closed = false;
       sessionTimer = null;
-      /** Same-device multi-tab coordinator (#228); created on `enableTabCoordination()`. */
+      /** Same-device multi-tab coordinator; created on `enableTabCoordination()`. */
       tabCoordinator;
-      /** Cross-tab write relay (#228b); created on `enableTabCoordination()`. */
+      /** Cross-tab write relay; created on `enableTabCoordination()`. */
       writeRelay;
       /** Per-vault policy enforcers. */
       policyEnforcers = /* @__PURE__ */ new Map();
@@ -15297,8 +15325,8 @@ var init_noydb = __esm({
        * the same function's `finally` block. Side-effect writes triggered
        * during a staged op's `Collection.put` (today: eager derivation
        * outputs) register their pre-write envelope on `_executed` here so
-       * a mid-batch failure rolls them back alongside the main staged ops
-       * (#133). `null` outside of Phase 2.
+       * a mid-batch failure rolls them back alongside the main staged ops.
+       * `null` outside of Phase 2.
        * @internal
        */
       _activeTxContext = null;
@@ -15319,8 +15347,95 @@ var init_noydb = __esm({
         if (options.sessionPolicy) {
           this.sessionStrategy.validateSessionPolicy(options.sessionPolicy);
         }
+        this.#registerGuardGate();
+        this.#registerPeriodGate();
         this.resetSessionTimer();
       }
+      // Track A — guards migration. Registers record-lock / field-freeze / onDelete
+      // / amendment-collect as gate-bus handlers (only when guards are opted in, so
+      // the write path is zero-cost otherwise). Resolves the live vault's
+      // GuardRegistry per dispatch. Registered BEFORE the period gate so guard
+      // checks run first. The amendment branch is a side-effect (collectChange),
+      // NOT a throw — and runs even for internal deletes (an amendment invariant
+      // must see system housekeeping tombstones); onDelete/checks run only for
+      // user (non-internal) operations.
+      #registerGuardGate() {
+        if (this.options.guardStrategies === void 0) return;
+        this.subsystemBus.registerGate("beforePut", async (e) => {
+          const v = this.vaultCache.get(e.vault);
+          if (!v) return;
+          const registry = v._getGuardRegistry();
+          if (!registry) return;
+          const guards = registry.guardsFor(e.collection);
+          if (guards.length === 0) return;
+          const existing = e.existing ?? null;
+          const incoming = e.incoming;
+          if (registry.isAmendmentActive()) {
+            registry.collectChange(e.collection, e.docId, existing, incoming, e.existingVersion, e.existingVersion + 1);
+            return;
+          }
+          const facade = v._getReadOnlyFacade();
+          if (!facade) return;
+          const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
+          await registry.runChecks(e.collection, incoming, ctx);
+          const { GuardExecutor: GuardExecutor2 } = await Promise.resolve().then(() => (init_executor3(), executor_exports3));
+          for (const g of guards) {
+            await GuardExecutor2.checkFrozenFields(g, e.docId, existing, incoming);
+          }
+        });
+        this.subsystemBus.registerGate("beforeDelete", async (e) => {
+          const v = this.vaultCache.get(e.vault);
+          if (!v) return;
+          const registry = v._getGuardRegistry();
+          if (!registry) return;
+          const guards = registry.guardsFor(e.collection);
+          if (guards.length === 0) return;
+          const existing = e.existing ?? null;
+          if (registry.isAmendmentActive()) {
+            registry.collectChange(e.collection, e.docId, existing, null, e.existingVersion, e.existingVersion);
+            return;
+          }
+          if (e.internal) return;
+          const facade = v._getReadOnlyFacade();
+          if (!facade) return;
+          const ctx = { existing, vault: facade, userId: e.userId, role: e.role };
+          await registry.runOnDelete(e.collection, existing ?? {}, ctx);
+        });
+      }
+      /**
+       * Register closed-period write guards on the subsystem bus when a
+       * periodsStrategy is configured.  Handlers resolve the live Vault from
+       * vaultCache so they always use the up-to-date period cache.
+       */
+      // Track A — periods migration. Registers the closed-period write guard as a
+      // gate-bus handler (only when periods is opted in, so the write path is
+      // zero-cost otherwise). Each handler resolves the LIVE vault from the cache
+      // per dispatch and delegates to its `_assertTsWritable`, which owns all
+      // period logic. Resolving the live vault makes eviction/re-creation
+      // transparent. Semantics note: if a write reaches the gate through a retained
+      // collection handle whose vault has been evicted from `vaultCache` (e.g. a
+      // post-revocation write on a stale handle), the period check is skipped — the
+      // guard binds to the live vault, not a captured instance. Periods is a
+      // write-integrity guard, not a security boundary, and a re-open reloads the
+      // period cache; the trade-off is intentional.
+      #registerPeriodGate() {
+        if (this.options.periodsStrategy === void 0) return;
+        this.subsystemBus.registerGate("beforePut", async (e) => {
+          const v = this.vaultCache.get(e.vault);
+          if (!v) return;
+          const existing = e.op === "create" ? null : { ts: e.existingTs ?? null, record: e.existing ?? null };
+          await v._assertTsWritable(existing, e.incoming);
+        });
+        this.subsystemBus.registerGate("beforeDelete", async (e) => {
+          if (e.internal) return;
+          const v = this.vaultCache.get(e.vault);
+          if (!v) return;
+          await v._assertTsWritable(
+            { ts: e.existingTs ?? null, record: e.existing ?? null },
+            null
+          );
+        });
+      }
       resetSessionTimer() {
         if (this.sessionTimer) clearTimeout(this.sessionTimer);
         const idleMs = this.options.sessionPolicy?.idleTimeoutMs ?? this.options.sessionTimeout;
@@ -15610,8 +15725,6 @@ var init_noydb = __esm({
        * @throws `NoAccessError` when no keyring exists for the target.
        * @throws `PermissionDeniedError` when the role hierarchy rejects.
        * @throws `ValidationError` when no field is provided.
-       *
-       * @see #54
        */
       async updateUser(vault, options, factors) {
         await this.checkGate(vault, "update-user", factors);
@@ -15947,7 +16060,7 @@ var init_noydb = __esm({
        * Phase 2. `Collection.dispatchDerivations` consults this so a
        * recursive derived-output write inside `Collection.put` can register
        * its envelope onto `ctx._executed` and roll back with the main
-       * staged ops on mid-batch failure (#133).
+       * staged ops on mid-batch failure.
        *
        * @internal
        */
@@ -15976,7 +16089,7 @@ var init_noydb = __esm({
        * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
        * to publish an active context for the duration of its bulk-atomic
        * Phase 2 loop, so recursive derivation-output writes register on
-       * `ctx._executed` and roll back together with the source ops (#133).
+       * `ctx._executed` and roll back together with the source ops.
        *
        * @internal
        */
@@ -16047,26 +16160,26 @@ var init_noydb = __esm({
         return this.writeQueueTracker;
       }
       /**
-       * Register a hook that runs before each write (#230). Awaited; a throw
+       * Register a hook that runs before each write. Awaited; a throw
        * aborts the write. Returns an unsubscribe function.
        */
       onBeforeWrite(handler) {
         return this.writeHooks.onBeforeWrite(handler);
       }
       /**
-       * Register a hook that runs after each committed write (#230). Awaited;
+       * Register a hook that runs after each committed write. Awaited;
        * a handler error is warned, never rolled back. Returns an unsubscribe fn.
        */
       onAfterWrite(handler) {
         return this.writeHooks.onAfterWrite(handler);
       }
-      /** Subscribe to cross-tab write conflicts (#228c). Returns an unsubscribe. */
+      /** Subscribe to cross-tab write conflicts. Returns an unsubscribe. */
       onWriteConflict(fn) {
         this.on("write:conflict", fn);
         return () => this.off("write:conflict", fn);
       }
       /**
-       * Enable same-device multi-tab coordination (#228): primary/secondary
+       * Enable same-device multi-tab coordination: primary/secondary
        * election + presence. Browser-only — a graceful no-op (role 'unknown')
        * when Web Locks / BroadcastChannel are unavailable and nothing is
        * injected. Idempotent; returns a disposer.
@@ -16149,7 +16262,11 @@ var init_noydb = __esm({
       get _writeHooks() {
         return this.writeHooks;
       }
-      /** @internal Stable per-instance id for schema-cutover coordination (#232). */
+      /** @internal The observe bus, threaded into every Collection. */
+      get _subsystemBus() {
+        return this.subsystemBus;
+      }
+      /** @internal Stable per-instance id for schema-cutover coordination. */
       get _clientId() {
         return this.clientId;
       }
@@ -16169,10 +16286,6 @@ var init_noydb = __esm({
        * survives lock; nothing about it changes when DEKs are scrubbed).
        *
        * No-op when `vault` is not currently in cache (idempotent).
-       *
-       * Unblocks vLannaAi/niwat#33.
-       *
-       * @see #17
        */
       lockVault(vault) {
         this.syncEngines.get(vault)?.stopAutoSync();
@@ -16287,7 +16400,7 @@ var init_noydb = __esm({
         return merged;
       }
       /**
-       * Read the current vault-level user-directory toggle (#122). Returns
+       * Read the current vault-level user-directory toggle. Returns
        * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
        * document has been persisted yet.
        *
@@ -16299,7 +16412,7 @@ var init_noydb = __esm({
         return persisted?.enabled ?? true;
       }
       /**
-       * Toggle the vault's user-directory listing on or off (#122).
+       * Toggle the vault's user-directory listing on or off.
        * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
        * {@link import('./errors.js').DirectoryDisabledError} for callers
        * whose role is neither `owner` nor `admin`.
@@ -16359,7 +16472,7 @@ var init_noydb = __esm({
        *
        * Two enforcement modes:
        *
-       * 1. **Managed-mode mandatory strong-recovery (#195).** When
+       * 1. **Managed-mode mandatory strong-recovery.** When
        *    `passphraseMode === 'managed'`, the vault MUST have at least
        *    one **strong** recovery profile (Shamir today). Paper alone is
        *    rejected because under managed mode the user has no memorized
@@ -16393,14 +16506,14 @@ var init_noydb = __esm({
         throw new RecoveryNotEnrolledError();
       }
       /**
-       * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+       * Internal accessor used by tier-2/tier-3 unlock paths
        * to mark the active session tier.
        * @internal
        */
       _setActiveTier(vault, tier) {
         this.activeTier.set(vault, tier);
       }
-      // ─── Tier-2 enroll / remove (issue #11) ────────────────────────
+      // ─── Tier-2 enroll / remove ─────────────────────────────────────
       /**
        * Add a tier-2 authenticator slot to the calling user's keyring.
        * Each slot independently wraps the SAME KEK under a method-specific
@@ -16430,7 +16543,7 @@ var init_noydb = __esm({
         const next = await removeAuthenticator(this.options.store, vault, keyring, slotId);
         this.keyringCache.set(vault, next);
       }
-      /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+      /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
       async listAuthenticators(vault) {
         const keyring = await this.getKeyringInternal(vault);
         return keyring.authenticators;
@@ -16442,7 +16555,7 @@ var init_noydb = __esm({
        * are immutable through this method. Anti-slot-swap is structural,
        * not gate-driven.
        *
-       * `meta` patch semantics (#57-aligned):
+       * `meta` patch semantics (top-level merge):
        *   - Top-level merge — absent keys preserved
        *   - `null` value — delete that meta key
        *   - Other values — replace verbatim
@@ -16460,8 +16573,6 @@ var init_noydb = __esm({
        *
        * @throws `NoAccessError` when no slot with the given id exists.
        * @throws `ValidationError` when no patch field is provided.
-       *
-       * @see #55
        */
       async updateAuthenticator(vault, slotId, options, factors) {
         await this.checkGate(vault, "update-authenticator", factors);
@@ -16470,7 +16581,7 @@ var init_noydb = __esm({
         this.keyringCache.set(vault, next);
       }
       /**
-       * Native WebAuthn enrollment using the **real** internal keyring (#16).
+       * Native WebAuthn enrollment using the **real** internal keyring.
        *
        * Why this exists: when a consumer is using `createNoydb({ secret })`,
        * they cannot reach the live `UnlockedKeyring` to feed it to
@@ -16513,8 +16624,6 @@ var init_noydb = __esm({
        * a server-side allowlist).
        *
        * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
-       *
-       * @see #16
        */
       async enrollWebAuthn(vault, ceremony, factors) {
         await this.checkGate(vault, "enroll-authenticator", factors);
@@ -16541,8 +16650,6 @@ var init_noydb = __esm({
        * deciding when a new device prompt should appear. Identity is
        * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
        * `allowCredentials` at unlock time.
-       *
-       * @see #16
        */
       async listWebAuthnSlots(vault) {
         const keyring = await this.getKeyringInternal(vault);
@@ -16624,7 +16731,7 @@ var init_noydb = __esm({
       async getPublicEnvelope(vault, opts = {}) {
         return readPublicEnvelope(this.options.store, vault, opts);
       }
-      // ─── Auth introspection (issue #13) ────────────────────────────
+      // ─── Auth introspection ─────────────────────────────────────────
       /** English summary of the configured auth model. */
       async describeAuthConfig(vault) {
         return describeAuthConfig(this.options.store, vault);
@@ -16647,7 +16754,7 @@ var init_noydb = __esm({
         await this.checkGate(vault, "view-user-auth", factors);
         return describeAllUsersAuth(this.options.store, vault);
       }
-      // ─── Tier-1 change flows (issue #10) ───────────────────────────
+      // ─── Tier-1 change flows ────────────────────────────────────────
       /**
        * Rotate the user's passphrase (user remembers old). Validates the
        * new phrase against the configured `passphrase` policy, runs the
@@ -16655,8 +16762,7 @@ var init_noydb = __esm({
        *
        * Tier-2 authenticator slots are dropped — each slot wraps the old
        * KEK and would need its derivation key to be re-presented. Re-enrol
-       * via `db.enrollAuthenticator` after rotation. Tracked as a
-       * v0.1.0-pre.5 limitation.
+       * via `db.enrollAuthenticator` after rotation.
        *
        * @throws `WeakPassphraseError` on a weak new phrase.
        * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
@@ -16678,8 +16784,8 @@ var init_noydb = __esm({
       }
       /**
        * Reset the passphrase using a recovery proof (user forgot the old).
-       * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
-       * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+       * Currently supports the `'paper'` profile end-to-end; the
+       * other profiles throw {@link RecoveryProfileNotImplementedError}.
        *
        * Burns the used recovery entry on success.
        */
@@ -16708,7 +16814,7 @@ var init_noydb = __esm({
         return { newCodes: codes };
       }
       /**
-       * Deliberate paper-recovery-code regeneration (#121). User knows their
+       * Deliberate paper-recovery-code regeneration. User knows their
        * passphrase but wants a fresh sheet — they lost the printout or
        * suspect compromise of the off-site copy.
        *
@@ -16718,7 +16824,7 @@ var init_noydb = __esm({
        *
        * Gated by the `rotate-recovery` policy gate:
        *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
-       *     suffices, matching the pre-#121 low-level flow's bar.
+       *     suffices, matching the lower-level flow's bar.
        *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
        *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
        *     off-site-trust event; require an off-device factor so a
@@ -16823,7 +16929,7 @@ var init_noydb = __esm({
         return { newShares: shareStrings, entryId: targetEntryId };
       }
       /**
-       * **Atomic create-and-enroll for managed-mode vaults (#195).**
+       * **Atomic create-and-enroll for managed-mode vaults.**
        *
        * Bootstraps a managed-mode vault and enrolls strong recovery in
        * a single ceremony. Under `passphraseMode: 'managed'`, every
@@ -16894,7 +17000,7 @@ var init_noydb = __esm({
         return { vault: vaultHandle, recoveryEnrollments };
       }
       /**
-       * **Recovery flow under managed-passphrase mode (#195).**
+       * **Recovery flow under managed-passphrase mode.**
        *
        * Replaces the sealed passphrase of a managed-mode vault with a
        * fresh 256-bit random, sealed under the configured
@@ -16911,7 +17017,7 @@ var init_noydb = __esm({
        *   5. Drop the keyring cache so the next operation re-derives.
        *
        * The vault's strong-recovery enrollment is preserved across
-       * recovery (Shamir entries are not burned on use — see #196).
+       * recovery (Shamir entries are not burned on use).
        *
        * @throws ValidationError if the Noydb instance is not in managed mode.
        */
@@ -16959,7 +17065,7 @@ var init_noydb = __esm({
       }
       /**
        * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
-       * a fresh temp passphrase in a single store write. Closes #34's
+       * a fresh temp passphrase in a single store write. Closes the
        * partial-failure window (the previous compose-from-primitives
        * pattern was `db.revoke + db.grant`, two writes — if the issuer
        * cancelled between them the target was locked out entirely).
@@ -16969,7 +17075,7 @@ var init_noydb = __esm({
        *   - Same `userId`, role, permissions, capabilities preserved.
        *   - DEKs unchanged → every other principal in the vault keeps
        *     access. No key rotation.
-       *   - Allows owner→owner natively (#33). The existing
+       *   - Allows owner→owner natively. The existing
        *     `db.revoke` retains its block — peer-recovery is a separate,
        *     intentionally-named operation.
        *   - Tier-2 slots dropped (they wrap the old KEK).
@@ -16998,7 +17104,6 @@ var init_noydb = __esm({
        * @throws `PrivilegeEscalationError` when the caller lacks a DEK
        *         the target previously had access to.
        *
-       * @see #33 #34 — the issues this method closes.
        */
       async recoverUser(vault, options, factors) {
         await this.checkGate(vault, "peer-recover-user", factors);
@@ -17009,7 +17114,7 @@ var init_noydb = __esm({
         }
       }
       /**
-       * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+       * Persist a recovery enrollment. Accepts the `'paper'`
        * profile.
        *
        * The hub wraps the user's DEK set (not the KEK) under a code-derived
@@ -17029,7 +17134,7 @@ var init_noydb = __esm({
        * showCodesToUser(codes)
        * ```
        *
-       * As of pre.8, `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
+       * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
        * delegates to `mintPaperRecoveryEntry` internally — its output is
        * fed directly to this API. Pick whichever fits your code-gen layer:
        *
@@ -17069,13 +17174,13 @@ var init_noydb = __esm({
           "#196"
         );
       }
-      /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
+      /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
       async listRecoveryEntries(vault) {
         const paper = await loadPaperRecoveryEntries(this.options.store, vault);
         const shamir = await loadShamirRecoveryEntries(this.options.store, vault);
         return { paper, shamir };
       }
-      // ─── Tier-3 enroll / unlock (issue #11) ────────────────────────
+      // ─── Tier-3 enroll / unlock ─────────────────────────────────────
       /**
        * Register a tier-3 quick-unlock state for the vault. The state is
        * an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
@@ -17111,11 +17216,11 @@ var init_noydb = __esm({
         this.quickUnlock.delete(vault);
       }
       /**
-       * Public accessor for the unlocked keyring of a vault — issue #28.
+       * Public accessor for the unlocked keyring of a vault.
        *
        * Returns a **defensive shallow copy** so consumers can read the DEK
        * map and authenticator list without the risk of mutating the hub's
-       * internal cache (#88). Internal hub code paths use a live reference
+       * internal cache. Internal hub code paths use a live reference
        * via `getKeyringInternal`; ceremonies and external consumers always
        * get a snapshot.
        *