@noy-db/hub 0.2.0-pre.4 → 0.2.0-pre.6

package/dist/{types-D9eB0Rvh.d.ts → types-DlnZh1_i.d.ts}

@@ -1,8 +1,8 @@
-import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-Rpd-V3jP.js';
+import { I as IndexStrategy, d as LazyQuery } from './lazy-builder-D1MyR1qH.js';
 import { b as AggregateSpec, A as AggregateStrategy } from './strategy-DSTrsZ8t.js';
 import { C as CrdtStrategy, a as CrdtMode, b as CrdtState } from './strategy-BSxFXGzb.js';
-import { N as NoydbError, Q as Query, ar as RefRegistry, ao as RefDescriptor, a2 as JoinableSource, at as RefViolation, au as ScanBuilder } from './index-BF1B2HB9.js';
-import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-Dnu81tsS.js';
+import { N as NoydbError, Q as Query, ar as RefRegistry, ao as RefDescriptor, a2 as JoinableSource, at as RefViolation, au as ScanBuilder } from './index-fIPPh5dg.js';
+import { F as FieldClause, I as IndexDef, C as CollectionIndexes } from './predicate-B0IKeBXx.js';
 import { AttestationFieldSchema, RevocationList } from '@noy-db/attestation';
 
 /**
@@ -797,7 +797,7 @@ interface LedgerEntry {
      * below for the structured payload.
      *
      * `'lifecycle'` records a non-data audit event (e.g. partition
-     * handover, #226) — `collection`/`id` are empty and the event detail
+     * handover) — `collection`/`id` are empty and the event detail
      * lives in `reason` (e.g. `'partition-handed-over:<sealId>'`). Like
      * `amendment`, it carries no data envelope, so `verifyBackupIntegrity`
      * skips it in the data cross-check (it still participates in the
@@ -828,8 +828,8 @@ interface LedgerEntry {
      */
     readonly payloadHash: string;
     /**
-     * Optional human-readable tag describing why this mutation happened
-     * (#1). Threaded through `collection.put(_, _, { reason })`. Common
+     * Optional human-readable tag describing why this mutation happened.
+     * Threaded through `collection.put(_, _, { reason })`. Common
      * values include `'import:csv'`, `'import:json'`, `'import:xlsx'` from
      * `as-*` ImportPlan.apply(), but consumers can use any string for
      * domain-specific audit filtering. Auto-strip via `canonicalJson` —
@@ -1106,8 +1106,8 @@ interface AppendInput {
      */
     amendment?: LedgerEntry['amendment'];
     /**
-     * Optional human-readable tag describing why this mutation happened
-     * (#1). Threaded from `collection.put(_, _, { reason })`.
+     * Optional human-readable tag describing why this mutation happened.
+     * Threaded from `collection.put(_, _, { reason })`.
      * Carried verbatim onto the resulting ledger entry's `reason` field;
      * omitted from canonical JSON when undefined.
      */
@@ -1769,17 +1769,34 @@ declare function validateI18nTextValue(value: unknown, field: string, descriptor
  */
 declare function resolveI18nText(value: Record<string, string>, locale: string, fallback?: string | readonly string[], field?: string): string | Record<string, string>;
 /**
- * Apply locale resolution to a single record, in-place over a copy.
+ * Return all leaf values at `path`, expanding `[].` array wildcards.
+ *
+ * - `'name'`              → `[obj.name]`
+ * - `'address.lineOne'`   → `[obj.address.lineOne]`
+ * - `'contacts[].title'`  → `[obj.contacts[0].title, obj.contacts[1].title, …]`
+ *
+ * Returns an empty array when the path does not resolve (missing key,
+ * wrong type, etc.). Used by `enforceI18nOnPut` to validate nested fields.
+ */
+declare function getAtPath(obj: Record<string, unknown>, path: string): unknown[];
+/**
+ * Mutate `obj` in-place, setting `value` at the nested `path`.
+ * Supports dot notation (`'address.lineOne'`) but not array wildcards —
+ * auto-translate on `contacts[].title` style paths is not supported.
+ */
+declare function setAtPathInPlace(obj: Record<string, unknown>, path: string, value: unknown): void;
+/**
+ * Apply locale resolution to a single record, returning a new copy.
  *
  * For each field registered as an `i18nText` descriptor:
  * - If `locale === 'raw'`, the field value is left as the stored map.
  * - Otherwise, the field value is replaced with the resolved string.
  *
- * Records that are not plain objects (null, array, primitives) are
- * returned unchanged.
+ * Field paths support dot notation (`'address.lineOne'`) and array
+ * wildcards (`'contacts[].title'`). Top-level fields work as before.
  *
  * @param record      The decrypted record.
- * @param i18nFields  Map of field name → `I18nTextDescriptor`.
+ * @param i18nFields  Map of field path → `I18nTextDescriptor`.
  * @param locale      The requested locale (or `'raw'`).
  * @param fallback    Fallback chain (optional).
  */
@@ -1848,7 +1865,6 @@ interface PassphrasePolicy {
      * double-space). For non-space-delimited word semantics, use
      * {@link customValidator} instead.
      *
-     * Added in pre.8 (#31).
      */
     readonly pattern?: RegExp;
     /**
@@ -1866,7 +1882,6 @@ interface PassphrasePolicy {
      * {@link assertStrongPassphrase} dispatches on — `ok: true` accepts;
      * `ok: false` throws `WeakPassphraseError` with the supplied reason.
      *
-     * Added in pre.8 (#31).
      */
     readonly customValidator?: (phrase: string) => PassphraseValidationResult;
 }
@@ -1983,7 +1998,7 @@ interface UnlockedKeyring {
      *   - Unencrypted mode (no KEK exists)
      *   - Tier-3 PIN quick-resume (`@noy-db/on-pin`)
      *   - Wrap-DEKs tier-2 unlock (`@noy-db/on-password`'s
-     *     `verifyPasswordSlot` after #26 Path C)
+     *     `verifyPasswordSlot`)
      *   - Session-state restore (`session/session.ts`)
      *   - Dev-unlock fixture (`session/dev-unlock.ts`)
      *
@@ -1992,9 +2007,8 @@ interface UnlockedKeyring {
      * null-check and throw a clear error if absent — re-authenticate
      * at tier 1 first to recover the KEK.
      *
-     * Tightened from `CryptoKey` to `CryptoKey | null` in pre.8 (#41).
-     * The runtime contract has always allowed null; the type now
-     * matches reality.
+     * Tightened from `CryptoKey` to `CryptoKey | null`; the runtime
+     * contract has always allowed null, the type now matches reality.
      */
     readonly kek: CryptoKey | null;
     readonly salt: Uint8Array;
@@ -2015,7 +2029,7 @@ interface UnlockedKeyring {
     /**
      * Tier-2 authenticator slots — readonly snapshot loaded from the
      * keyring file. Mutations go through `enrollAuthenticator` /
-     * `removeAuthenticator` (issue #11), which write back via
+     * `removeAuthenticator`, which write back via
      * `persistKeyring`. Always defined; loads with an empty array for
      * keyrings written before the multi-slot extension landed.
      */
@@ -2068,7 +2082,6 @@ declare function revoke(adapter: NoydbStore, vault: string, callerKeyring: Unloc
  * @throws `PermissionDeniedError` when the role hierarchy rejects.
  * @throws `ValidationError` when the diff is empty (nothing to update).
  *
- * @see #54
  */
 declare function updateKeyringIdentity(adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: UpdateUserOptions): Promise<void>;
 /**
@@ -2163,7 +2176,7 @@ interface ListUsersOptions {
  * `userEnvelopeDek` is the vault's `_users` collection DEK
  * (`vault.getDEK('_users')`); used to decrypt every envelope.
  *
- * `callerRole` (#122) drives the directory-visibility checks:
+ * `callerRole` drives the directory-visibility checks:
  *
  *  - When the vault's `_meta/directory` document has `enabled: false`,
  *    only `owner` and `admin` callers may enumerate; anyone else gets
@@ -2173,7 +2186,7 @@ interface ListUsersOptions {
  *    `{ includeHidden: true }` to see them; lower roles passing that
  *    option get `PermissionDeniedError`.
  *
- * Honest caveat (#122): these filters are a UX hint, not a security
+ * Honest caveat: these filters are a UX hint, not a security
  * boundary. The keyring file is still listed at `_keyring/*` and the
  * envelope ciphertext at `_users/*`. A caller with direct store access
  * — or a caller that calls this function with `callerRole: 'owner'`
@@ -2550,7 +2563,7 @@ interface I18nStrategy {
 }
 
 /**
- * Observable write-queue (#227, M12 Slice 1).
+ * Observable write-queue.
  *
  * Tracks outstanding in-flight *logical* writes (a full Collection.put /
  * delete, including ledger + cache + derivation + MV dispatch — not just
@@ -2597,7 +2610,7 @@ declare class WriteQueueTracker implements WriteQueue {
 }
 
 /**
- * Hub-level write lifecycle hooks (#230). `onBeforeWrite` may abort (throw);
+ * Hub-level write lifecycle hooks. `onBeforeWrite` may abort (throw);
  * `onAfterWrite` is awaited and its errors are warned, not thrown. A
  * re-entrancy flag suppresses nested firing so a handler that writes can't
  * loop. Held on the Noydb instance, threaded into every Collection.
@@ -2616,15 +2629,15 @@ interface WriteEvent {
     readonly txId: string;
 }
 type WriteHook = (event: WriteEvent) => void | Promise<void>;
-type Unsubscribe$2 = () => void;
+type Unsubscribe$3 = () => void;
 declare class WriteHookRegistry {
     #private;
     /** True while handlers are running — used by the write path to skip nested firing. */
     get suppressed(): boolean;
     /** True when any hook is registered (cheap gate for the write path). */
     get hasHandlers(): boolean;
-    onBeforeWrite(handler: WriteHook): Unsubscribe$2;
-    onAfterWrite(handler: WriteHook): Unsubscribe$2;
+    onBeforeWrite(handler: WriteHook): Unsubscribe$3;
+    onAfterWrite(handler: WriteHook): Unsubscribe$3;
     /** Run before-hooks (awaited, in order). A throw propagates and aborts the write. */
     runBefore(event: WriteEvent): Promise<void>;
     /** Run after-hooks (awaited, in order). Per-handler errors are warned, not thrown. */
@@ -2632,7 +2645,113 @@ declare class WriteHookRegistry {
 }
 
 /**
- * Schema-update strategy framework types (#245, M12 §3a).
+ * Generic per-instance **observe** bus. Observe-class
+ * subsystems (devtools inspector, audit, sync-dirty notification) register
+ * handlers against named lifecycle points instead of the kernel naming each
+ * subsystem. Mirrors the registry pattern of {@link WriteHookRegistry} but is
+ * internal and keyed by lifecycle point.
+ *
+ * OBSERVE SEMANTICS: handlers react to a write that already happened. A
+ * handler throw is warned, not propagated — it can never abort a write. Write-
+ * *gating* subsystems (guards, periods) need a throw-propagating gate bus.
+ * Add observe points by extending {@link LifecycleEventMap}. Write-*gating*
+ * subsystems use the sibling gate API on this same class
+ * (`registerGate`/`dispatchGate`, throw-propagating); see {@link GateEventMap}.
+ *
+ * @module
+ */
+
+/** Typed map of OBSERVE lifecycle point → event payload. Extend by adding keys. */
+interface LifecycleEventMap {
+    afterPut: WriteEvent;
+    afterDelete: WriteEvent;
+}
+type LifecyclePoint = keyof LifecycleEventMap;
+type BusHandler<P extends LifecyclePoint> = (event: LifecycleEventMap[P]) => void | Promise<void>;
+type Unsubscribe$2 = () => void;
+/** Payload for a `beforePut` gate — carries the data guards and periods need to validate or reject a write. */
+interface GatePutEvent {
+    readonly op: 'create' | 'update';
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    /** The record about to be written (pre schema-validation). */
+    readonly incoming: unknown;
+    /** Decrypted prior record, or null on create / when prior is unreadable. */
+    readonly existing: unknown;
+    /** Prior envelope version, or 0 when none. */
+    readonly existingVersion: number;
+    /** Prior envelope timestamp (`_ts` ISO string), or undefined when none — periods compares against this. */
+    readonly existingTs: string | undefined;
+    readonly userId: string;
+    readonly role: Role;
+}
+/** Payload for a `beforeDelete` gate. Like {@link GatePutEvent} without `incoming`. */
+interface GateDeleteEvent {
+    readonly vault: string;
+    readonly collection: string;
+    readonly docId: string;
+    /** True for system-internal (housekeeping) deletes — handlers branch on this. */
+    readonly internal: boolean;
+    readonly existing: unknown;
+    readonly existingVersion: number;
+    readonly existingTs: string | undefined;
+    readonly userId: string;
+    readonly role: Role;
+}
+/** Typed map of GATE lifecycle point → event payload. Extend by adding keys. */
+interface GateEventMap {
+    beforePut: GatePutEvent;
+    beforeDelete: GateDeleteEvent;
+}
+type GatePoint = keyof GateEventMap;
+type GateHandler<P extends GatePoint> = (event: GateEventMap[P]) => void | Promise<void>;
+declare class SubsystemBus {
+    #private;
+    /** Register a handler for an observe point. Returns an unsubscribe fn. */
+    register<P extends LifecyclePoint>(point: P, handler: BusHandler<P>): Unsubscribe$2;
+    /** Cheap gate for the write path — true when any handler is registered for the point. */
+    hasHandlers(point: LifecyclePoint): boolean;
+    /**
+     * True while one or more dispatches are in flight. Backed by a depth counter
+     * so that two concurrent async dispatches (`Promise.all([put('a'), put('b')])`
+     * each captured `busAfterPut=true` at their respective put() tops while depth
+     * was 0) both proceed independently — the counter stays > 0 until BOTH finish,
+     * so any nested write attempted by a handler still sees `dispatching === true`
+     * and is suppressed by the write-path gate in `collection.ts`
+     * (`busAfterPut = hasHandlers('afterPut') && !dispatching`). Re-entrancy
+     * suppression lives exclusively on that write-path gate; concurrent independent
+     * dispatches must not drop each other's events.
+     */
+    get dispatching(): boolean;
+    /**
+     * Dispatch in registration order, awaited. Per-handler errors are warned, not
+     * thrown — an observe handler must never abort a completed write. A
+     * re-entrancy guard suppresses nested firing so a handler that itself writes
+     * cannot loop (same rationale as WriteHookRegistry.#suppressed).
+     */
+    dispatch<P extends LifecyclePoint>(point: P, event: LifecycleEventMap[P]): Promise<void>;
+    /** Register a write-gating handler. A throw from the handler ABORTS the write. Returns an unsubscribe fn. */
+    registerGate<P extends GatePoint>(point: P, handler: GateHandler<P>): Unsubscribe$2;
+    /** Cheap gate for the write path — true when any gate handler is registered for the point. */
+    hasGateHandlers(point: GatePoint): boolean;
+    /**
+     * Run gate handlers in registration order, awaited. Unlike `dispatch`
+     * (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
+     * write before it reaches the store. The first throw stops the remaining
+     * handlers (fail-fast). This is the seam guards/periods migrate onto.
+     *
+     * Note: gate handlers are validators that read, not write. A gate handler
+     * that writes back into the same collection would re-enter the write path
+     * and re-dispatch this point; loop-suppression for that case is deferred to
+     * the migration slice (contract: gate handlers must not perform writes that
+     * re-trigger their own point).
+     */
+    dispatchGate<P extends GatePoint>(point: P, event: GateEventMap[P]): Promise<void>;
+}
+
+/**
+ * Schema-update strategy framework types (M12 §3a).
  *
  * The hub core detects a schema change (SchemaDelta) and dispatches it
  * through a collection's ordered strategy list. Strategies decide what
@@ -2661,13 +2780,13 @@ interface SchemaDelta {
 interface UpdateContext {
     readonly collection: string;
 }
-/** Bulk transform run by the coordinatedCutover strategy (#232). */
+/** Bulk transform run by the coordinatedCutover strategy. */
 type TransformFn = (doc: Record<string, unknown>) => Record<string, unknown>;
 /**
  * A strategy's verdict on a detected schema change.
  * - `allow`   — no objection; the dispatcher falls through to the next strategy.
  * - `reject`  — terminal: refuse the change; `error` is thrown at the write path.
- * - `cutover` — terminal: run a coordinated drain-barrier (handled by #232).
+ * - `cutover` — terminal: run a coordinated drain-barrier (handled by coordinatedCutover).
  * New terminal actions may be added without breaking existing strategies.
  */
 type UpdateDecision = {
@@ -2686,7 +2805,7 @@ interface SchemaUpdateStrategy {
 }
 
 /**
- * Per-collection write gate (#245). Holds the (async) update decision
+ * Per-collection write gate. Holds the (async) update decision
  * computed at registration; `Collection.put`/`delete` await it before
  * writing and throw the strategy's rejection error.
  *
@@ -2703,7 +2822,7 @@ declare class SchemaUpdateGate {
 }
 
 /**
- * Schema-fence document (#232). Vault-level generation counter + drain
+ * Schema-fence document. Vault-level generation counter + drain
  * state, stored at `_meta/schema-fence` using the plaintext-envelope
  * pattern of `_meta/policy` (no PII — a counter + a state enum).
  */
@@ -2715,7 +2834,7 @@ interface FenceDoc {
 }
 
 /**
- * Vault-level schema-fence controller (#232).
+ * Vault-level schema-fence controller.
  *
  * Owns the open-time generation snapshot, the pending-cutover registry,
  * and the cutover orchestration. 3a: single-client (the caller is the
@@ -3313,7 +3432,7 @@ declare class SyncEngine {
 }
 
 /**
- * **Wrap-DEKs primitive (#44)** — a single canonical shape for the
+ * **Wrap-DEKs primitive** — a single canonical shape for the
  * pattern of "serialize a DEK set, encrypt it under a credential-derived
  * AES-GCM key." Used by:
  *
@@ -3331,7 +3450,7 @@ declare class SyncEngine {
  * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its
  * module docstring.
  *
- * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`
+ * Previously, the same crypto lived in two places: `mintPaperRecoveryEntry`
  * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in
  * `@noy-db/on-password`). Both functions did identical work — PBKDF2
  * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but
@@ -3358,7 +3477,7 @@ declare class SyncEngine {
  * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus
  * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`
  * carries the same three fields with `salt` stored in `meta` for
- * slot-format back-compat (#44 defers moving it to top-level).
+ * slot-format back-compat (defers moving it to top-level).
  */
 interface WrappedDeksBlob {
     /** Base64 PBKDF2 salt for the credential-derived wrapping key. */
@@ -3415,9 +3534,9 @@ interface ShamirRecoveryProvider {
 }
 
 /**
- * Recovery profile persistence + dispatch — issue #10.
+ * Recovery profile persistence + dispatch.
  *
- * v0.1.0-pre.5 wires the **paper** profile end-to-end through
+ * Wires the **paper** profile end-to-end through
  * `@noy-db/on-recovery`. The other three profiles (Shamir,
  * multi-channel, admin-mediated) ship the API surface and throw
  * {@link RecoveryProfileNotImplementedError} during use; per-profile
@@ -3454,7 +3573,7 @@ interface ShamirRecoveryProvider {
  * PBKDF2-derived key), and it sidesteps the non-extractable-KEK
  * constraint cleanly.
  *
- * Type-level composition (#44): `PaperRecoveryEntry extends
+ * Type-level composition: `PaperRecoveryEntry extends
  * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,
  * `wrappedDeks`) come from the shared primitive; `codeId` and
  * `enrolledAt` are paper-recovery's own metadata. Wire format
@@ -3568,7 +3687,7 @@ declare function unwrapDeksFromShamirEntry(provider: ShamirRecoveryProvider, ent
  * {@link savePaperRecoveryEntries}). The recovery flow unwraps the
  * DEK set, then mints a fresh KEK from the user's new passphrase.
  *
- * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto
+ * Thin wrapper over {@link mintWrappedDeksBlob} — the crypto
  * lives in the shared primitive; this function just adds paper-
  * recovery's own metadata (`codeId`, `enrolledAt`).
  *
@@ -3583,14 +3702,14 @@ declare function mintPaperRecoveryEntry(deks: Map<string, CryptoKey>, code: stri
  * Decrypt a recovery entry to recover the raw DEK set. Used by the
  * `recoverPassphrase` flow after the user's code has been parsed.
  *
- * Thin wrapper over {@link unwrapDeksFromBlob} (#44).
+ * Thin wrapper over {@link unwrapDeksFromBlob}.
  *
  * @throws when the code does not match the entry (AES-GCM auth tag fail).
  */
 declare function unwrapDeksFromPaperEntry(entry: PaperRecoveryEntry, code: string): Promise<Map<string, CryptoKey>>;
 
 /**
- * Tier-2 authenticator slot management — issue #11.
+ * Tier-2 authenticator slot management.
  *
  * Each slot independently wraps the SAME KEK under a method-specific
  * derived key (LUKS pattern). Enrolling adds a slot; removing drops
@@ -3640,15 +3759,14 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
  */
 declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
- * Caller payload for {@link updateAuthenticator} (#55). Mutates only
+ * Caller payload for {@link updateAuthenticator}. Mutates only
  * `meta` — the slot's id, method, and wrap material are immutable
  * through this primitive, preserving the anti-slot-swap guard.
  *
  * `meta` is **merged** at the top level: keys absent from the patch
  * are preserved, keys present overwrite. To clear a meta key, pass
- * `null` for that key explicitly. (Same semantics as #57's
- * `UserApi.updateMe`, scoped to this top-level merge — no recursion
- * into nested meta values.)
+ * `null` for that key explicitly. (Same top-level merge semantics as
+ * `UserApi.updateMe`, non-recursive — meta is a flat label bag.)
  */
 interface UpdateAuthenticatorOptions {
     readonly meta?: Record<string, unknown>;
@@ -3670,7 +3788,6 @@ interface UpdateAuthenticatorOptions {
  * @throws `NoAccessError` when no slot with the given id exists.
  * @throws `ValidationError` when no patch field is provided.
  *
- * @see #55
  */
 declare function updateAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, slotId: string, options: UpdateAuthenticatorOptions): Promise<UnlockedKeyring>;
 /**
@@ -3687,7 +3804,7 @@ declare function findAuthenticator(keyring: UnlockedKeyring, slotId: string): Ke
 
 /**
  * Tier-1 change flows — `rotatePassphrase` (user remembers old) and
- * `recoverPassphrase` (user supplies a recovery proof). Issue #10.
+ * `recoverPassphrase` (user supplies a recovery proof).
  *
  * The two flows share the post-verification half — fresh salt, fresh
  * KEK, rewrap every DEK — and differ only in how they re-derive the
@@ -3753,10 +3870,9 @@ interface RotatePassphraseInput {
      * Map of slot id → re-enrolment ceremony. Slots whose id appears
      * here are PRESERVED across rotation (the ceremony re-derives the
      * method-specific wrapping under the new keyring); slots whose id
-     * is absent are DROPPED (the pre-#29 behavior).
+     * is absent are DROPPED (the pre-slot-ceremony behavior).
      *
-     * Without this map, `rotatePassphrase` retains the pre-pre.8
-     * behavior of wiping every tier-2 slot. Consumers building a
+     * Without this map, `rotatePassphrase` wipes every tier-2 slot. Consumers building a
      * "rotate without losing my biometric" flow supply ceremonies for
      * each slot they want to keep.
      *
@@ -3764,7 +3880,7 @@ interface RotatePassphraseInput {
      * state. Callers wrap individual ceremonies in try/catch + return
      * a sentinel if they want graceful degradation per slot.
      *
-     * Added in pre.8 (#29).
+     * Added when slot-ceremony rewrapping landed.
      */
     readonly slotCeremonies?: {
         readonly [slotId: string]: SlotRewrapCeremony;
@@ -3775,10 +3891,10 @@ interface RotatePassphraseInput {
  * under a freshly-derived KEK from `newPassphrase`, and persist.
  *
  * Tier-2 authenticator slots are dropped UNLESS the caller supplies
- * a `slotCeremonies` map (#29) — each ceremony re-derives its
+ * a `slotCeremonies` map — each ceremony re-derives its
  * method-specific wrapping under the new keyring, and hub persists
  * the rewrapped slots atomically with the rotation. Slots whose id
- * isn't in the map are still dropped (pre-pre.8 behavior).
+ * isn't in the map are still dropped.
  *
  * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.
  * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.
@@ -3789,7 +3905,7 @@ declare function rotatePassphrase(store: NoydbStore, vault: string, userId: stri
 /**
  * Caller payload for {@link recoverPassphrase}.
  *
- * As of #196 slice 1, `paper` and `shamir` are wired end-to-end.
+ * `paper` and `shamir` are wired end-to-end.
  * The remaining two profiles (`multi-channel`, `admin-mediated`)
  * stay outside the union and throw
  * {@link RecoveryProfileNotImplementedError} at the runtime guard
@@ -3819,7 +3935,7 @@ interface RecoverPassphraseInput {
      * After a successful paper-recovery, replace ALL remaining recovery
      * entries with freshly-minted ones. Defaults to `true` (defensive).
      *
-     * Rationale (issue #36): the user just demonstrated they had access
+     * Rationale: the user just demonstrated they had access
      * to AT LEAST one code. The remaining codes from the same printed
      * sheet may also be compromised — photographed, leaked via a
      * screen-share slip, or in the hands of whoever stole the sheet.
@@ -3869,7 +3985,7 @@ interface RecoverPassphraseResult {
     readonly newCodes: readonly string[];
 }
 /**
- * Input for {@link Noydb.rotateRecovery} (#121) — deliberate
+ * Input for {@link Noydb.rotateRecovery} — deliberate
  * recovery-credential regeneration when the user knows their
  * passphrase but wants a fresh sheet (paper) or fresh shares
  * (shamir). Symmetric to {@link RotatePassphraseInput}.
@@ -3920,7 +4036,7 @@ interface EnrollRecoveryResult {
 }
 /**
  * Input shape for {@link Noydb.enrollRecovery} and
- * {@link Noydb.openVaultAndEnrollRecovery} (#195). Discriminated
+ * {@link Noydb.openVaultAndEnrollRecovery}. Discriminated
  * union over recovery profiles.
  *
  * - `paper`: caller pre-mints entries (typically via
@@ -3946,9 +4062,8 @@ type RecoveryEnrollmentInput = {
     readonly entryId?: string;
 };
 /**
- * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5
- * supports the `'paper'` profile via `@noy-db/on-recovery` entries
- * persisted in `_meta/recovery-paper`. The other three profiles throw
+ * Reset the user's passphrase using a recovery proof.
+ * Supports `'paper'` and `'shamir'` profiles. The other profiles throw
  * {@link RecoveryProfileNotImplementedError}.
  *
  * On success, the used recovery entry is burned (deleted from the
@@ -3957,7 +4072,7 @@ type RecoveryEnrollmentInput = {
 declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined, store: NoydbStore, vault: string, userId: string, input: RecoverPassphraseInput): Promise<UnlockedKeyring>;
 
 /**
- * Atomic peer-recovery primitive — issues #33 + #34.
+ * Atomic peer-recovery primitive.
  *
  * `recoverUser` is a SEPARATE operation from `revoke + grant`. It
  * exists because peer-recovery has different semantics than account
@@ -3986,7 +4101,7 @@ declare function recoverPassphrase(provider: ShamirRecoveryProvider | undefined,
  *
  * Caller must be at least as privileged as the target. The hub
  * `db.recoverUser` method gates this with the `peer-recover-user`
- * policy gate (#33's factor-proof requirement); the function below
+ * policy gate (the `peer-recover-user` factor-proof requirement); the function below
  * enforces only the role + anti-privilege-escalation invariants.
  *
  * @module
@@ -4142,7 +4257,7 @@ declare function validatePublicEnvelopeInput(input: SetPublicEnvelopeInput, sche
 declare function isPublicEnvelope(x: unknown): x is PublicEnvelope;
 
 /**
- * Multi-tab coordination (#228a): primary/secondary election (Web Locks)
+ * Multi-tab coordination: primary/secondary election (Web Locks)
  * + presence heartbeat (BroadcastChannel). Browser-only; opt-in; no-op
  * when the APIs are absent. The lock/channel interfaces are hub-local
  * (structurally compatible with @noy-db/by-peer + @noy-db/by-tabs, but
@@ -4186,20 +4301,20 @@ interface TabCoordinationOptions {
      */
     readonly closeChannelOnDispose?: boolean;
     /**
-     * Also propagate committed writes to other tabs (#228b). Default true:
+     * Also propagate committed writes to other tabs. Default true:
      * when tab coordination is enabled and a channel is available, a write in
      * one tab refreshes that document in every other tab. Set false to opt out.
      */
     readonly propagateWrites?: boolean;
     /**
-     * Channel for write propagation (#228b) — distinct from the presence
+     * Channel for write propagation — distinct from the presence
      * channel. Default: an inline BroadcastChannel on `noydb:tab-writes`.
      */
     readonly writeChannel?: TabChannel;
 }
 
 /**
- * Per-vault tier-3 (PIN / quick-resume) state — issue #11.
+ * Per-vault tier-3 (PIN / quick-resume) state.
  *
  * The hub holds a `PinResumeState`-shaped record in memory, keyed by
  * vault. `enrollUnlock` populates it; `unlockViaPin` consumes it via
@@ -4315,7 +4430,7 @@ interface StagedOp {
     expectedVersion?: number;
     /**
      * Optional human-readable tag forwarded to the resulting ledger
-     * entry's `reason` field (#1). Set by callers via
+     * entry's `reason` field. Set by callers via
      * `tx.vault(v).collection(c).put(id, record, { reason })`.
      */
     reason?: string;
@@ -4347,7 +4462,7 @@ interface AmendmentTxOptions {
  * facade; its `put`/`delete`/`get` calls stage ops against the tx.
  */
 declare class TxContext {
-    /** Stable id for this transaction; shared by all writes it performs (#230). */
+    /** Stable id for this transaction; shared by all writes it performs. */
     readonly txId: string;
     /** @internal */
     readonly _ops: StagedOp[];
@@ -4357,7 +4472,7 @@ declare class TxContext {
      * restore prior state via `revertExecuted`. Side-effect writes (e.g.
      * recursive derivation outputs fired inside `Collection.put`) are
      * appended here in execution order so they roll back alongside the
-     * main staged ops (#133).
+     * main staged ops.
      */
     readonly _executed: ExecutedOp[];
     /** @internal */
@@ -4429,12 +4544,12 @@ declare class TxCollection<T> {
  * in `noydb.ts`. `Collection.putManyAtomic` runs its own Phase 2 loop
  * but shares the `_activeTxContext` mechanism (and the `revertExecuted`
  * helper) so nested side-effect derivation writes get registered for
- * revert alongside the bulk-put source ops (#133).
+ * revert alongside the bulk-put source ops.
  */
 declare function runTransaction<T>(db: Noydb, fn: (tx: TxContext) => Promise<T> | T, options?: AmendmentTxOptions): Promise<T>;
 
 /**
- * Dry-run transactions (#231). Runs the tx body to STAGE ops, then builds
+ * Dry-run transactions. Runs the tx body to STAGE ops, then builds
  * the directly-affected diff (before = current committed via collection.get,
  * after = staged record) and collects guard violations — without executing
  * phase 2. No adapter writes, no write-hooks, no commit. MV/derivation
@@ -4462,7 +4577,7 @@ interface DryRunResult {
 }
 
 /**
- * Policy gate DSL types — issue #9.
+ * Policy gate DSL types.
  *
  * Sensitive operations (rotate the passphrase, enroll an authenticator,
  * export plaintext, grant a user, …) are gated by a typed policy
@@ -4496,12 +4611,10 @@ interface DryRunResult {
  * devices — policies can require ANY of them or insist on a count of 2
  * to force a mix.
  *
- * Added in pre.8 (#30): `webauthn-platform`, `password`, `pin` —
- * previously consumers with no off-device infrastructure (no TOTP,
- * no email-OTP, paper recovery not enrolled) had to disable the
- * factor requirement entirely on `rotate-passphrase`. Now they can
- * pin "any second factor I have wired" without losing the freshness
- * guarantee.
+ * `webauthn-platform`, `password`, `pin` — for consumers with no
+ * off-device infrastructure (no TOTP, no email-OTP, paper recovery not
+ * enrolled) who want to require "any second factor I have wired"
+ * without losing the freshness guarantee.
  */
 type FactorKind = 'totp' | 'email-otp' | 'recovery' | 'shamir' | 'webauthn-roaming' | 'webauthn-platform' | 'password' | 'pin';
 /**
@@ -4545,7 +4658,7 @@ interface GatePolicy {
 type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
 /**
  * Authorize a deliberate paper-recovery-code regeneration —
- * `db.rotateRecovery` (#121). Symmetric to `rotate-passphrase` for
+ * `db.rotateRecovery`. Symmetric to `rotate-passphrase` for
  * the case where the user remembers their passphrase but wants a
  * fresh sheet (lost the printout, suspect compromise of the off-site
  * copy). PERSONAL allows tier-1; STRICT requires an off-device
@@ -4555,19 +4668,19 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  | 'rotate-recovery'
 /**
  * Authorize a meta-only mutation on an existing authenticator slot —
- * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
+ * `db.updateAuthenticator`. The slot's wrap material, id, and
  * method are immutable through this gate; only the `meta` blob
  * (nicknames, method-specific labels) can change. Anti-slot-swap
  * guard is preserved structurally regardless of this gate's
  * settings.
  */
  | 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
-/** Authorize a write to one's own user envelope (#22). */
+/** Authorize a write to one's own user envelope. */
  | 'edit-own-profile'
-/** Authorize reading other principals' user envelopes (#22). */
+/** Authorize reading other principals' user envelopes. */
  | 'view-team-profiles'
 /**
- * Authorize an atomic peer-recovery — `db.recoverUser` (#33, #34).
+ * Authorize an atomic peer-recovery — `db.recoverUser`.
  * Distinct from `revoke-user` because peer-recovery is intentional
  * re-issuance of someone's keyring under a temp passphrase, NOT
  * removal. Allows owner→owner natively (matches the threat model:
@@ -4577,7 +4690,7 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
  */
  | 'peer-recover-user'
 /**
- * Authorize a post-grant identity mutation — `db.updateUser` (#54).
+ * Authorize a post-grant identity mutation — `db.updateUser`.
  * Covers `role`, `displayName`, `permissions` changes on an existing
  * keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
  * required. The role-elevation guard inside the implementation
@@ -4590,7 +4703,7 @@ type GateName = BuiltInGateName | `app:${string}`;
 /**
  * Top-level policy object. Persisted at `_meta/policy` once at vault
  * creation. The `passphrase` block configures the strength rules
- * applied at every passphrase ingress (issue #7); `gates` configures
+ * applied at every passphrase ingress; `gates` configures
  * the action-level requirements.
  */
 interface VaultPolicy {
@@ -4614,7 +4727,7 @@ interface FactorProof {
  * `db.recoverUser`, `db.enrollUnlock`, `db.describeUserAuth`,
  * `db.describeAllUsersAuth`.
  *
- * Pre-#89 this type was inlined at every call site as
+ * Previously this type was inlined at every call site as
  * `{ factors?: ReadonlyArray<FactorProof>; sharedDevice?: boolean }`
  * and parameter names alternated between `factors` and `presented`.
  * Now exported so consumers can name their helpers and so the param
@@ -4634,13 +4747,14 @@ declare class Noydb {
     private readonly emitter;
     private readonly writeQueueTracker;
     private readonly writeHooks;
+    private readonly subsystemBus;
     private readonly clientId;
     private readonly vaultCache;
     private readonly keyringCache;
     private readonly syncEngines;
     /**
      * Per-vault active session tier — defaults to `1` after a passphrase
-     * unlock; tier-2 / tier-3 unlocks (issue #11) downgrade it. Used by
+     * unlock; tier-2 / tier-3 unlocks downgrade it. Used by
      * {@link checkGate} to evaluate `gate.minTier`.
      */
     private readonly activeTier;
@@ -4650,14 +4764,14 @@ declare class Noydb {
      */
     private readonly policyCache;
     /**
-     * One-shot bypass for the managed-mode strong-recovery check (#195).
+     * One-shot bypass for the managed-mode strong-recovery check.
      * Set true by {@link openVaultAndEnrollRecovery} for the duration of
      * the bootstrap window so the keyring can be created before the
      * strong recovery is enrolled. Always cleared (try/finally).
      * @internal
      */
     private _skipNextManagedRecoveryCheck;
-    /** Per-vault tier-3 (PIN / quick-resume) state — issue #11. */
+    /** Per-vault tier-3 (PIN / quick-resume) state. */
     private readonly quickUnlock;
     /**
      * Resolved public-envelope schema. Lazily computed once from
@@ -4667,9 +4781,9 @@ declare class Noydb {
     private readonly publicEnvelopeSchema;
     private closed;
     private sessionTimer;
-    /** Same-device multi-tab coordinator (#228); created on `enableTabCoordination()`. */
+    /** Same-device multi-tab coordinator; created on `enableTabCoordination()`. */
     private tabCoordinator;
-    /** Cross-tab write relay (#228b); created on `enableTabCoordination()`. */
+    /** Cross-tab write relay; created on `enableTabCoordination()`. */
     private writeRelay;
     /** Per-vault policy enforcers. */
     private readonly policyEnforcers;
@@ -4682,8 +4796,8 @@ declare class Noydb {
      * the same function's `finally` block. Side-effect writes triggered
      * during a staged op's `Collection.put` (today: eager derivation
      * outputs) register their pre-write envelope on `_executed` here so
-     * a mid-batch failure rolls them back alongside the main staged ops
-     * (#133). `null` outside of Phase 2.
+     * a mid-batch failure rolls them back alongside the main staged ops.
+     * `null` outside of Phase 2.
      * @internal
      */
     private _activeTxContext;
@@ -4786,8 +4900,6 @@ declare class Noydb {
      * @throws `NoAccessError` when no keyring exists for the target.
      * @throws `PermissionDeniedError` when the role hierarchy rejects.
      * @throws `ValidationError` when no field is provided.
-     *
-     * @see #54
      */
     updateUser(vault: string, options: UpdateUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
@@ -4975,7 +5087,7 @@ declare class Noydb {
      */
     transaction<T>(options: AmendmentTxOptions, fn: (tx: TxContext) => Promise<T> | T): Promise<T>;
     /**
-     * Dry-run a transaction (#231): run the body to stage ops, then return
+     * Dry-run a transaction: run the body to stage ops, then return
      * the directly-affected diff + collected guard violations WITHOUT
      * committing (no adapter writes, no write hooks). MV/derivation cascade
      * is not simulated. Requires `withTransactions()`.
@@ -5003,7 +5115,7 @@ declare class Noydb {
      * Phase 2. `Collection.dispatchDerivations` consults this so a
      * recursive derived-output write inside `Collection.put` can register
      * its envelope onto `ctx._executed` and roll back with the main
-     * staged ops on mid-batch failure (#133).
+     * staged ops on mid-batch failure.
      *
      * @internal
      */
@@ -5028,7 +5140,7 @@ declare class Noydb {
      * `Collection.putManyAtomic` (via `derivationSource.createTxContext`)
      * to publish an active context for the duration of its bulk-atomic
      * Phase 2 loop, so recursive derivation-output writes register on
-     * `ctx._executed` and roll back together with the source ops (#133).
+     * `ctx._executed` and roll back together with the source ops.
      *
      * @internal
      */
@@ -5064,19 +5176,19 @@ declare class Noydb {
      */
     get _writeQueueTracker(): WriteQueueTracker;
     /**
-     * Register a hook that runs before each write (#230). Awaited; a throw
+     * Register a hook that runs before each write. Awaited; a throw
      * aborts the write. Returns an unsubscribe function.
      */
-    onBeforeWrite(handler: WriteHook): Unsubscribe$2;
+    onBeforeWrite(handler: WriteHook): Unsubscribe$3;
     /**
-     * Register a hook that runs after each committed write (#230). Awaited;
+     * Register a hook that runs after each committed write. Awaited;
      * a handler error is warned, never rolled back. Returns an unsubscribe fn.
      */
-    onAfterWrite(handler: WriteHook): Unsubscribe$2;
-    /** Subscribe to cross-tab write conflicts (#228c). Returns an unsubscribe. */
-    onWriteConflict(fn: (c: WriteConflict) => void): Unsubscribe$2;
+    onAfterWrite(handler: WriteHook): Unsubscribe$3;
+    /** Subscribe to cross-tab write conflicts. Returns an unsubscribe. */
+    onWriteConflict(fn: (c: WriteConflict) => void): Unsubscribe$3;
     /**
-     * Enable same-device multi-tab coordination (#228): primary/secondary
+     * Enable same-device multi-tab coordination: primary/secondary
      * election + presence. Browser-only — a graceful no-op (role 'unknown')
      * when Web Locks / BroadcastChannel are unavailable and nothing is
      * injected. Idempotent; returns a disposer.
@@ -5087,11 +5199,13 @@ declare class Noydb {
     private disableTabCoordination;
     get tabRole(): TabRole;
     activeTabs(): TabPresence[];
-    onTabRoleChange(fn: (r: TabRole) => void): Unsubscribe$2;
-    onActiveTabsChange(fn: (t: TabPresence[]) => void): Unsubscribe$2;
+    onTabRoleChange(fn: (r: TabRole) => void): Unsubscribe$3;
+    onActiveTabsChange(fn: (t: TabPresence[]) => void): Unsubscribe$3;
     /** @internal The write-hook registry, threaded into each Collection. */
     get _writeHooks(): WriteHookRegistry;
-    /** @internal Stable per-instance id for schema-cutover coordination (#232). */
+    /** @internal The observe bus, threaded into every Collection. */
+    get _subsystemBus(): SubsystemBus;
+    /** @internal Stable per-instance id for schema-cutover coordination. */
     get _clientId(): string;
     /**
      * Soft-lock a single vault: clear its in-memory keyring, DEKs, vault
@@ -5109,10 +5223,6 @@ declare class Noydb {
      * survives lock; nothing about it changes when DEKs are scrubbed).
      *
      * No-op when `vault` is not currently in cache (idempotent).
-     *
-     * Unblocks vLannaAi/niwat#33.
-     *
-     * @see #17
      */
     lockVault(vault: string): void;
     close(): void;
@@ -5146,7 +5256,7 @@ declare class Noydb {
      */
     updatePolicy(vault: string, override: Partial<VaultPolicy>): Promise<VaultPolicy>;
     /**
-     * Read the current vault-level user-directory toggle (#122). Returns
+     * Read the current vault-level user-directory toggle. Returns
      * the default-on shape (`{ enabled: true }`) when no `_meta/directory`
      * document has been persisted yet.
      *
@@ -5154,7 +5264,7 @@ declare class Noydb {
      */
     getDirectoryEnabled(vault: string): Promise<boolean>;
     /**
-     * Toggle the vault's user-directory listing on or off (#122).
+     * Toggle the vault's user-directory listing on or off.
      * Owner-only. When disabled, `listUsersWithEnvelopes()` throws
      * {@link import('./errors.js').DirectoryDisabledError} for callers
      * whose role is neither `owner` nor `admin`.
@@ -5186,7 +5296,7 @@ declare class Noydb {
      *
      * Two enforcement modes:
      *
-     * 1. **Managed-mode mandatory strong-recovery (#195).** When
+     * 1. **Managed-mode mandatory strong-recovery.** When
      *    `passphraseMode === 'managed'`, the vault MUST have at least
      *    one **strong** recovery profile (Shamir today). Paper alone is
      *    rejected because under managed mode the user has no memorized
@@ -5206,7 +5316,7 @@ declare class Noydb {
      */
     private assertRecoveryEnrolled;
     /**
-     * Internal accessor used by tier-2/tier-3 unlock paths (issue #11)
+     * Internal accessor used by tier-2/tier-3 unlock paths
      * to mark the active session tier.
      * @internal
      */
@@ -5230,7 +5340,7 @@ declare class Noydb {
      * `remove-authenticator`.
      */
     removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
-    /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
+    /** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
     listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
     /**
      * Mutate the `meta` blob on an existing authenticator slot — slot
@@ -5239,7 +5349,7 @@ declare class Noydb {
      * are immutable through this method. Anti-slot-swap is structural,
      * not gate-driven.
      *
-     * `meta` patch semantics (#57-aligned):
+     * `meta` patch semantics (top-level merge):
      *   - Top-level merge — absent keys preserved
      *   - `null` value — delete that meta key
      *   - Other values — replace verbatim
@@ -5257,12 +5367,10 @@ declare class Noydb {
      *
      * @throws `NoAccessError` when no slot with the given id exists.
      * @throws `ValidationError` when no patch field is provided.
-     *
-     * @see #55
      */
     updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
     /**
-     * Native WebAuthn enrollment using the **real** internal keyring (#16).
+     * Native WebAuthn enrollment using the **real** internal keyring.
      *
      * Why this exists: when a consumer is using `createNoydb({ secret })`,
      * they cannot reach the live `UnlockedKeyring` to feed it to
@@ -5305,8 +5413,6 @@ declare class Noydb {
      * a server-side allowlist).
      *
      * Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
-     *
-     * @see #16
      */
     enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
         credentialId: string;
@@ -5317,8 +5423,6 @@ declare class Noydb {
      * deciding when a new device prompt should appear. Identity is
      * `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
      * `allowCredentials` at unlock time.
-     *
-     * @see #16
      */
     listWebAuthnSlots(vault: string): Promise<ReadonlyArray<{
         id: string;
@@ -5382,8 +5486,7 @@ declare class Noydb {
      *
      * Tier-2 authenticator slots are dropped — each slot wraps the old
      * KEK and would need its derivation key to be re-presented. Re-enrol
-     * via `db.enrollAuthenticator` after rotation. Tracked as a
-     * v0.1.0-pre.5 limitation.
+     * via `db.enrollAuthenticator` after rotation.
      *
      * @throws `WeakPassphraseError` on a weak new phrase.
      * @throws `PolicyDeniedError` when the gate denies (missing factor, …).
@@ -5392,14 +5495,14 @@ declare class Noydb {
     rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
     /**
      * Reset the passphrase using a recovery proof (user forgot the old).
-     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end; the
-     * other three profiles throw {@link RecoveryProfileNotImplementedError}.
+     * Currently supports the `'paper'` profile end-to-end; the
+     * other profiles throw {@link RecoveryProfileNotImplementedError}.
      *
      * Burns the used recovery entry on success.
      */
     recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
     /**
-     * Deliberate paper-recovery-code regeneration (#121). User knows their
+     * Deliberate paper-recovery-code regeneration. User knows their
      * passphrase but wants a fresh sheet — they lost the printout or
      * suspect compromise of the off-site copy.
      *
@@ -5409,7 +5512,7 @@ declare class Noydb {
      *
      * Gated by the `rotate-recovery` policy gate:
      *   - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
-     *     suffices, matching the pre-#121 low-level flow's bar.
+     *     suffices, matching the lower-level flow's bar.
      *   - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
      *     'email-otp', 'webauthn-roaming'] }] }` — rotation is an
      *     off-site-trust event; require an off-device factor so a
@@ -5445,7 +5548,7 @@ declare class Noydb {
     private rotateRecoveryPaper;
     private rotateRecoveryShamir;
     /**
-     * **Atomic create-and-enroll for managed-mode vaults (#195).**
+     * **Atomic create-and-enroll for managed-mode vaults.**
      *
      * Bootstraps a managed-mode vault and enrolls strong recovery in
      * a single ceremony. Under `passphraseMode: 'managed'`, every
@@ -5490,7 +5593,7 @@ declare class Noydb {
         readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
     }>;
     /**
-     * **Recovery flow under managed-passphrase mode (#195).**
+     * **Recovery flow under managed-passphrase mode.**
      *
      * Replaces the sealed passphrase of a managed-mode vault with a
      * fresh 256-bit random, sealed under the configured
@@ -5507,7 +5610,7 @@ declare class Noydb {
      *   5. Drop the keyring cache so the next operation re-derives.
      *
      * The vault's strong-recovery enrollment is preserved across
-     * recovery (Shamir entries are not burned on use — see #196).
+     * recovery (Shamir entries are not burned on use).
      *
      * @throws ValidationError if the Noydb instance is not in managed mode.
      */
@@ -5517,7 +5620,7 @@ declare class Noydb {
     }): Promise<void>;
     /**
      * Atomic peer-recovery — re-wraps an EXISTING user's keyring under
-     * a fresh temp passphrase in a single store write. Closes #34's
+     * a fresh temp passphrase in a single store write. Closes the
      * partial-failure window (the previous compose-from-primitives
      * pattern was `db.revoke + db.grant`, two writes — if the issuer
      * cancelled between them the target was locked out entirely).
@@ -5527,7 +5630,7 @@ declare class Noydb {
      *   - Same `userId`, role, permissions, capabilities preserved.
      *   - DEKs unchanged → every other principal in the vault keeps
      *     access. No key rotation.
-     *   - Allows owner→owner natively (#33). The existing
+     *   - Allows owner→owner natively. The existing
      *     `db.revoke` retains its block — peer-recovery is a separate,
      *     intentionally-named operation.
      *   - Tier-2 slots dropped (they wrap the old KEK).
@@ -5556,11 +5659,10 @@ declare class Noydb {
      * @throws `PrivilegeEscalationError` when the caller lacks a DEK
      *         the target previously had access to.
      *
-     * @see #33 #34 — the issues this method closes.
      */
     recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
     /**
-     * Persist a recovery enrollment. v0.1.0-pre.5 accepts the `'paper'`
+     * Persist a recovery enrollment. Accepts the `'paper'`
      * profile.
      *
      * The hub wraps the user's DEK set (not the KEK) under a code-derived
@@ -5580,7 +5682,7 @@ declare class Noydb {
      * showCodesToUser(codes)
      * ```
      *
-     * As of pre.8, `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
+     * `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
      * delegates to `mintPaperRecoveryEntry` internally — its output is
      * fed directly to this API. Pick whichever fits your code-gen layer:
      *
@@ -5591,7 +5693,7 @@ declare class Noydb {
      * ```
      */
     enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
-    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig` (#13). */
+    /** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
     listRecoveryEntries(vault: string): Promise<{
         paper: ReadonlyArray<PaperRecoveryEntry>;
         shamir: ReadonlyArray<ShamirRecoveryEntry>;
@@ -5619,11 +5721,11 @@ declare class Noydb {
     /** Drop the tier-3 state for a vault — explicit logout. */
     clearQuickUnlock(vault: string): void;
     /**
-     * Public accessor for the unlocked keyring of a vault — issue #28.
+     * Public accessor for the unlocked keyring of a vault.
      *
      * Returns a **defensive shallow copy** so consumers can read the DEK
      * map and authenticator list without the risk of mutating the hub's
-     * internal cache (#88). Internal hub code paths use a live reference
+     * internal cache. Internal hub code paths use a live reference
      * via `getKeyringInternal`; ceremonies and external consumers always
      * get a snapshot.
      *
@@ -5864,8 +5966,8 @@ interface GuardStrategy<T extends Record<string, unknown>> {
      * })
      * ```
      *
-     * Also skipped on system-internal deletes (derivation tombstones from
-     * #144, MV refresh from Dim 14 v2) — those use `_internalDelete`
+     * Also skipped on system-internal deletes (derivation tombstones,
+     * MV refresh from Dim 14 v2) — those use `_internalDelete`
      * which bypasses every user-facing delete hook. Housekeeping ops are
      * NOT user-initiated and should not trip user invariants.
      *
@@ -5924,14 +6026,14 @@ interface RecordOutputSpec {
      * `undefined`) for this output key. The executor interprets that as
      * "no output for this invocation": a previously-emitted output at
      * the same id is deleted (mirroring the empty-group / empty-aggregate
-     * semantics flagged in #142); a never-emitted output is a silent
+     * semantics for empty groups); a never-emitted output is a silent
      * no-op. When `false` (default), returning `null` throws
      * `DerivationOutputShapeError` — same as v1.
      */
     optional?: boolean;
 }
 /**
- * Array-shape output (#200) — one source row produces a variable-length
+ * Array-shape output — one source row produces a variable-length
  * list of output rows, each with its own id (from the `key` extractor).
  *
  * On every source-row change, the dispatcher diffs the previously
@@ -6154,7 +6256,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     query?: (db: MVQueryContext) => Query<TRow>;
     /**
-     * UNION-form sources (#165): an explicit list of sibling collections
+     * UNION-form sources: an explicit list of sibling collections
      * that contribute rows to a single MV. Each arm's `map` projects a
      * source row into the MV's unified row shape; the mapped streams are
      * concatenated, then {@link groupBy} + {@link aggregate} run on the
@@ -6170,7 +6272,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     unionSources?: ReadonlyArray<UnionSource<TRow>>;
     /**
-     * Group-key field(s) for UNION mode (#165). Applied to the
+     * Group-key field(s) for UNION mode. Applied to the
      * concatenated mapped-row stream from {@link unionSources} before
      * {@link aggregate} runs. Accepts a single field name or a tuple of
      * field names for multi-key grouping (same shape as
@@ -6182,7 +6284,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     groupBy?: string | ReadonlyArray<string>;
     /**
-     * Aggregation spec for UNION mode (#165). Applied per-group after
+     * Aggregation spec for UNION mode. Applied per-group after
      * {@link groupBy} buckets the concatenated mapped-row stream from
      * {@link unionSources}. Same shape as the `AggregateSpec` passed to
      * `Query.aggregate()`.
@@ -6193,11 +6295,11 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
     /**
      * Pure function from a materialized row → stable id used in the
      * output collection. Required — explicit always beats default-with-pitfalls
-     * (see niwat-review of #149 round 1 for the slash-collision rationale).
+     * (explicit always beats default-with-pitfalls; see the slash-collision rationale).
      */
     rowKey: (row: TRow) => string;
     /**
-     * Explicit source collections (#152). Required when `query()` returns
+     * Explicit source collections. Required when `query()` returns
      * an `Aggregation` or `GroupedAggregation` rather than a `Query<T>`
      * — the dependency analyzer can't introspect through `groupBy().aggregate()`
      * back to the source. Optional for plain `Query<T>` results — the
@@ -6207,7 +6309,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      */
     sources?: ReadonlyArray<string>;
     /**
-     * Declared deterministic predicates (#153). Each entry pairs a
+     * Declared deterministic predicates. Each entry pairs a
      * consumer-stable `hash` with a function. The `query()` callback's
      * Query<T> can invoke them via `.wherePredicate(name, ctx?)`. The
      * predicate's `hash` + a canonical-JSON hash of `ctx` both fold
@@ -6244,8 +6346,8 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
      *
      * - `'delete'` (default) — tombstone the prior MV row via
      *   `Collection._internalDelete` (system housekeeping bypasses user
-     *   `onDelete` guards on the output collection — see PR #148's
-     *   composition fix).
+     *   `onDelete` guards on the output collection — the housekeeping
+     *   bypass composition fix).
      * - `'keep'` — leave the prior MV row in place. Useful when zero
      *   is a meaningful state.
      */
@@ -6253,7 +6355,7 @@ interface MaterializedViewStrategy<TRow extends Record<string, unknown>> {
     /**
      * `true` re-throws on any row-write failure → composes with
      * `withTransactions` to roll back the source-write atomically via
-     * `revertExecuted` (#133). Default `false` (failed rows are
+     * `revertExecuted`. Default `false` (failed rows are
      * isolated; other rows commit).
      */
     strict?: boolean;
@@ -6287,7 +6389,7 @@ interface RegisteredMV {
      * Top-level FieldClauses on the partition field, captured at
      * registration time. Used by the cycle detector to resolve
      * same-collection-as-source edges via the partition-discriminator
-     * check (#152). Empty when `spec.output?.partition` is undefined.
+     * check. Empty when `spec.output?.partition` is undefined.
      */
     readonly partitionClauses: readonly FieldClause[];
 }
@@ -6339,7 +6441,7 @@ declare class MaterializedViewRegistry {
 }
 
 /**
- * Read-shadow overlay primitive (#154, MV v2 spec § Composition with
+ * Read-shadow overlay primitive (MV v2 spec § Composition with
  * operator-editable lifecycle). Binds an MV's read-only base output
  * to a separate user-writable overlay collection; reads merge via a
  * single shadow predicate, writes route to the overlay.
@@ -6442,7 +6544,7 @@ declare class GuardRegistry {
     register<T extends Record<string, unknown>>(spec: GuardStrategy<T>): void;
     /** All guards registered against `collection` in registration order. */
     guardsFor(collection: string): ReadonlyArray<AnyGuard>;
-    /** Per-collection guard counts, for introspection (#229). */
+    /** Per-collection guard counts, for introspection. */
     summary(): {
         collection: string;
         count: number;
@@ -6883,7 +6985,7 @@ declare function magicLinkGrantRecordId(token: string, index: number): string;
 declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: Date): boolean;
 
 /**
- * Type surface for the user-list visibility subsystem (#122).
+ * Type surface for the user-list visibility subsystem.
  *
  * Two complementary flags:
  *  - {@link DirectoryConfig} — vault-level "is the directory listing
@@ -6934,7 +7036,7 @@ interface UserVisibility {
  *    own keyringId. **Own-only write rule** is structural — no method
  *    exists to write someone else's envelope.
  *  - Read-anyone: `get` / `list` — read other principals' envelopes
- *    (subject to `view-team-profiles` policy gate, wired in #22).
+ *    (subject to `view-team-profiles` policy gate).
  *  - Reactive: `subscribe` / `live` — in-process event emission on local
  *    writes. Cross-instance updates land via the team/sync engine and
  *    surface to subscribers when the sync diff replays through this API.
@@ -6954,7 +7056,7 @@ type DeepPartial<T> = T extends object ? {
 } : T;
 /**
  * Recursive partial with `null` allowed at every level — used by
- * `updateMe` (#57) to express deletion intent in addition to merge.
+ * `updateMe` to express deletion intent in addition to merge.
  *
  * Semantics inside `updateMe`:
  *   - `undefined` (or absent key) — skip; source value preserved
@@ -6963,8 +7065,8 @@ type DeepPartial<T> = T extends object ? {
  *     replace for primitives / arrays)
  *
  * Matches lodash `_.merge` behavior on `null` and Firestore's
- * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
- * #57; consumers wanting the original "merge-only" surface can keep
+ * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>`.
+ * Consumers wanting the original "merge-only" surface can keep
  * importing `DeepPartial` and avoid passing `null`.
  */
 type DeepPartialOrNull<T> = T extends object ? {
@@ -7036,7 +7138,7 @@ declare class UserApi {
      * the envelope on first call. Optimistic-concurrency safe — a stale
      * `_v` (parallel writer on another device) throws `ConflictError`.
      *
-     * Patch semantics (#57):
+     * Patch semantics:
      *   - `undefined` (or omitted key) — skip; existing value preserved
      *   - `null` — delete the field from the merged result
      *   - any other value — overwrite (deep-merge for plain objects,
@@ -7190,7 +7292,7 @@ interface PersistedSchemaEnvelope {
  * @module
  */
 
-/** Flat snapshot of a vault's registered schema (#229). */
+/** Flat snapshot of a vault's registered schema. */
 interface SchemaIntrospection {
     readonly collections: ReadonlyArray<{
         name: string;
@@ -7367,23 +7469,23 @@ declare class Vault {
      * `null` for vaults that never register any guard strategy. The
      * runtime class is dynamic-imported on demand so consumers that
      * never use guards don't pull `GuardRegistry`/`GuardExecutor` into
-     * their bundle (#130).
+     * their bundle.
      */
     private guardRegistry;
     /**
      * Per-vault derivation registry. Same lazy-load contract as
      * `guardRegistry` — `null` until `_initDerivations()` runs with at
-     * least one strategy handle. See #130 for the bundle motivation.
+     * least one strategy handle.
      */
     private derivationRegistry;
     /**
-     * Per-vault materialized-view registry (#143/#150). Same lazy-load
+     * Per-vault materialized-view registry. Same lazy-load
      * contract as `derivationRegistry` — `null` until
      * `_initMaterializedViews()` runs with at least one MV handle.
      */
     private materializedViewRegistry;
     /**
-     * Per-vault overlay registry (#154). Same lazy-load contract as
+     * Per-vault overlay registry. Same lazy-load contract as
      * `materializedViewRegistry` — `null` until `_initOverlayedViews()`
      * runs with at least one handle.
      */
@@ -7404,7 +7506,7 @@ declare class Vault {
      *   target this vault session's keyringId. There is no method to write
      *   another principal's envelope (own-only write rule, structural).
      * - Read-anyone: `get(keyringId)`, `list()` — read other principals'
-     *   envelopes, subject to the `view-team-profiles` policy gate (#22).
+     *   envelopes, subject to the `view-team-profiles` policy gate.
      * - Reactive: `subscribe(id, cb)`, `live(id)` — fire on local writes.
      *
      * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
@@ -7424,7 +7526,7 @@ declare class Vault {
      */
     private readonly reloadKeyring;
     private readonly collectionCache;
-    /** #232 — vault-level schema cutover fence/controller. */
+    /** Vault-level schema cutover fence/controller. */
     readonly schemaFence: SchemaFenceController;
     /**
      * per-collection `blobFields` retention/TTL config.
@@ -7498,8 +7600,7 @@ declare class Vault {
      * Cache of closed/opened accounting periods.
      * Populated on first `closePeriod` / `openPeriod` / `listPeriods` /
      * per-collection write call. Kept in memory as an ordered list (by
-     * `closedAt`) so the `periodGuard` hook runs synchronously against
-     * each collection's put/delete path.
+     * `closedAt`) so period checks run fast when the gate bus fires.
      *
      * Sentinel `null` means "not yet loaded" — the first consumer
      * triggers a one-time `loadPeriods()` pass. Every subsequent
@@ -7659,7 +7760,7 @@ declare class Vault {
          */
         persistJsonSchema?: boolean;
         /**
-         * Ordered schema-update strategies (#245). On a detected schema
+         * Ordered schema-update strategies. On a detected schema
          * change, evaluated in order; the first non-`allow` decision wins.
          * A `reject` is enforced at the write path (`put`/`delete` throw).
          * Requires `persistJsonSchema: true` (detection needs the baseline).
@@ -7675,7 +7776,7 @@ declare class Vault {
      */
     _drainPendingSchemaWrites(): Promise<void>;
     /**
-     * Run a coordinated schema cutover (#232). Drains pending writes, waits
+     * Run a coordinated schema cutover. Drains pending writes, waits
      * for the active client set to quiesce (the ack-barrier), applies every
      * pending collection transform in bulk, bumps the vault schema generation,
      * and clears the fence. Returns the count of collections migrated.
@@ -7687,15 +7788,15 @@ declare class Vault {
         migrated: number;
     }>;
     /**
-     * #228b — refresh a loaded collection's view of one document from a peer
+     * Refresh a loaded collection's view of one document from a peer
      * tab's broadcast. No-op when the collection isn't loaded in this tab
-     * (it will read fresh on next open). Mirrors #runCutoverTransform's guard.
+     * (it will read fresh on next open). Mirrors `#runCutoverTransform`'s guard.
      */
     _applyRemoteWrite(collectionName: string, docId: string, action: 'put' | 'delete'): Promise<void>;
     /**
-     * #228c — for a detected conflict: capture this tab's clobbered record,
+     * For a detected conflict: capture this tab's clobbered record,
      * read the common ancestor from history, converge the cache to the store's
-     * authoritative value (the (b) re-read), and return all three for the
+     * authoritative value (the re-read), and return all three for the
      * WriteConflict payload. Returns null when the collection isn't loaded.
      */
     _captureAndConverge(collectionName: string, docId: string, action: 'put' | 'delete', baseV: number): Promise<{
@@ -7703,11 +7804,11 @@ declare class Vault {
         remote: unknown;
         base: unknown;
     } | null>;
-    /** Recover a stuck cutover fence (#232) — reset to normal without bumping. */
+    /** Recover a stuck cutover fence — reset to normal without bumping. */
     abortSchemaCutover(): Promise<void>;
-    /** Current schema-cutover fence state for this vault (#232/#233). Thin live read. */
+    /** Current schema-cutover fence state for this vault. Thin live read. */
     schemaFenceState(): Promise<FenceDoc>;
-    /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered (#232). */
+    /** @internal Start the per-client heartbeat + fence watcher once a cutover is registered. */
     _ensureFenceCoordination(): void;
     /** @internal Stop the heartbeat/watcher (vault lock/close). */
     _stopFenceCoordination(): void;
@@ -8023,7 +8124,7 @@ declare class Vault {
      * Dynamic-imports `GuardRegistry` + `ReadOnlyVaultFacade` and seeds
      * the registry with the supplied strategy handles. No-op when the
      * handles array is empty — keeps the guard subsystem out of the
-     * floor bundle for consumers that don't use guards (#130).
+     * floor bundle for consumers that don't use guards.
      *
      * The read-only facade is eagerly instantiated here so the sync
      * accessor `_getReadOnlyFacade()` (called from the tx amendment
@@ -8031,10 +8132,9 @@ declare class Vault {
      */
     _initGuards(handles: ReadonlyArray<GuardStrategyHandleAny>): Promise<void>;
     /**
-     * @internal — Collection.put calls into this. Returns `null` for
-     * vaults that never registered any guard strategy. Callers MUST
-     * gate on null (the existing `if (this.guardSource)` branches in
-     * `Collection` already do this transitively).
+     * @internal — The gate handler in Noydb.#registerGuardGate calls into
+     * this. Returns `null` for vaults that never registered any guard
+     * strategy. Callers MUST gate on null.
      */
     _getGuardRegistry(): GuardRegistry | null;
     /**
@@ -8043,7 +8143,7 @@ declare class Vault {
      * derivation strategies (async because `strategyHash` computation
      * goes through `crypto.subtle.digest`). No-op when the handles
      * array is empty — keeps the derivation subsystem out of the floor
-     * bundle for consumers that don't use derivations (#130). Throws
+     * bundle for consumers that don't use derivations. Throws
      * `DerivationCycleError` if a cycle is detected after registration.
      */
     _initDerivations(handles: ReadonlyArray<DerivationStrategyHandle>): Promise<void>;
@@ -8058,7 +8158,7 @@ declare class Vault {
      * MV spec (which invokes its `query()` once for dependency
      * analysis), then runs the unified cycle detection across the MV +
      * derivation graphs. No-op when the handles array is empty — keeps
-     * the MV subsystem out of the floor bundle (mirrors v1 #130).
+     * the MV subsystem out of the floor bundle (mirrors the derivation lazy-import pattern).
      * Throws `MaterializedViewCycleError` if a cycle is detected.
      */
     _initMaterializedViews(handles: ReadonlyArray<MaterializedViewStrategyHandle>): Promise<void>;
@@ -8080,13 +8180,13 @@ declare class Vault {
      */
     _getOverlayedViewRegistry(): OverlayedViewRegistry | null;
     /**
-     * Manual re-materialize for a single registered MV (#151). Useful
+     * Manual re-materialize for a single registered MV. Useful
      * for `refresh: 'manual'` MVs (whose consumer drives refreshes
      * externally), for stale-bit recovery on vault re-open, and as the
      * explicit bulk-recompute escape hatch after a strategy change.
      *
-     * Returns `{ written, deleted, failed }`. `deleted` is always 0 in
-     * foundation + this sub-issue — tombstoning lands in #152.
+     * Returns `{ written, deleted, failed }`. `deleted` is always 0
+     * when tombstoning is not enabled.
      *
      * Throws if `name` is not a registered MV.
      */
@@ -8109,20 +8209,17 @@ declare class Vault {
     /**
      * @internal — exposed for `runTransaction({ amendment: true })` so
      * the amendment invariant runner can pass the SAME read-only vault
-     * facade that the per-record `Collection.put` guard hook uses
-     * (`guardSource.readOnlyVault()` above). Eagerly instantiated by
-     * `_initGuards()` so this accessor stays synchronous; returns
-     * `null` for vaults that never registered any guard (amendments
-     * require at least one guard, so the caller should never see null).
+     * facade that the gate handler in Noydb.#registerGuardGate uses.
+     * Eagerly instantiated by `_initGuards()` so this accessor stays
+     * synchronous; returns `null` for vaults that never registered any
+     * guard (amendments require at least one guard, so the caller should
+     * never see null).
      */
     _getReadOnlyFacade(): ReadOnlyVaultFacade | null;
     /**
-     * Internal lazy-allocator for the read-only facade. Used by the
-     * per-collection `guardSource.readOnlyVault` callback when guards
-     * ARE configured but `_initGuards()` raced with the first guard
-     * invocation (theoretically impossible — `Noydb.openVault` awaits
-     * `_initGuards` before returning — but we keep the defensive lazy
-     * path so the closure's contract stays "always returns a facade").
+     * Internal lazy-allocator for the read-only facade. Used as a
+     * defensive fallback; in practice `_initGuards()` eagerly
+     * instantiates this, so the lazy path is a no-op.
      */
     private _ensureReadOnlyFacade;
     /**
@@ -8329,7 +8426,7 @@ declare class Vault {
     listPeriods(): Promise<readonly PeriodRecord[]>;
     /** Look up a single period by name. Returns `null` if not found. */
     getPeriod(name: string): Promise<PeriodRecord | null>;
-    /** @internal — periodGuard callback installed on every Collection. */
+    /** @internal — called by the gate bus before put/delete. */
     _assertTsWritable(existing: {
         ts: string | null;
         record: Record<string, unknown> | null;
@@ -8360,7 +8457,7 @@ declare class Vault {
      */
     dumpSchema(opts?: DumpSchemaOptions): Promise<VaultSchemaSnapshot>;
     /**
-     * Lightweight read of the vault's registered schema (#229): collections
+     * Lightweight read of the vault's registered schema: collections
      * (+ doc counts), guards, materialized views, schema-update strategies,
      * and the unlocked user's grants. Cheap — one `adapter.list` per
      * collection, no decryption. For a full snapshot + stats use dumpSchema().
@@ -8854,6 +8951,7 @@ declare class Collection<T> {
     private readonly schemaUpdateGate;
     private readonly schemaFence;
     private readonly writeHooks;
+    private readonly subsystemBus;
     private readonly activeTxId;
     private readonly getDEK;
     private readonly onDirty;
@@ -9035,42 +9133,14 @@ declare class Collection<T> {
     private readonly syncAdapter;
     /** — consent-audit hook, no-op when no scope is active. */
     private readonly onAccess;
-    /**
-     * accounting-period write guard. Called BEFORE any
-     * adapter write with:
-     *   - `existing` — the prior envelope's `_ts` and decrypted record
-     *     (or `null` if no prior envelope exists)
-     *   - `incoming` — the record being written (or `null` for delete)
-     *
-     * Throws `PeriodClosedError` if either side falls inside a closed
-     * period. Installed by Vault; no-op when no period has been closed.
-     * Async so the Vault can lazy-load the period list from the
-     * adapter on first use.
-     */
-    private readonly periodGuard;
-    /**
-     * Optional back-reference to the owning vault's guard registry + a
-     * read-only vault facade. When present, `Collection.put` and
-     * `Collection.delete` consult the registry for guards declared
-     * against this collection and run their `check` + `frozenFields`
-     * before the adapter write. Absent in unit tests that construct
-     * a Collection directly; production code always sets it via
-     * `Vault.collection()`.
-     *
-     * Typed structurally rather than as `Vault` to avoid a circular
-     * import (mirrors the `refEnforcer` / `joinResolver` pattern).
-     */
-    private readonly guardSource;
     /**
      * Vault-internal hook for derivation dispatch. When set,
      * `Collection.put` consults the registry after the source-write
      * commits and writes derived outputs through `getCollection(name).put`.
-     * Same structural-interface pattern as `guardSource` to avoid a
-     * circular Vault import.
      */
     private readonly derivationSource;
     /**
-     * Vault-internal hook for materialized-view dispatch (#143/#150).
+     * Vault-internal hook for materialized-view dispatch.
      * Parallel to `derivationSource` — when set, `Collection.put` fires
      * `MaterializedViewRegistry.onSourceWrite` after the source-write
      * commits + after `dispatchDerivations` has run.
@@ -9123,19 +9193,21 @@ declare class Collection<T> {
         encrypted: boolean;
         emitter: NoydbEventEmitter;
         /**
-         * Vault-level in-flight write tracker (#227). When present,
+         * Vault-level in-flight write tracker. When present,
          * `put`/`delete` run inside `writeQueue.track()` so `hub.writeQueue`
          * reflects outstanding writes. Optional so direct Collection
          * construction in tests still works untracked.
          */
         writeQueue?: WriteQueueTracker | undefined;
-        /** #245 — per-collection schema-update gate; `put`/`delete` await it. */
+        /** Per-collection schema-update gate; `put`/`delete` await it. */
         schemaUpdateGate?: SchemaUpdateGate | undefined;
-        /** #232 — vault-level fence controller; `put`/`delete` consult it. */
+        /** Vault-level fence controller; `put`/`delete` consult it. */
         schemaFence?: SchemaFenceController | undefined;
-        /** #230 — hub-level write-hook registry; fired around put/delete. */
+        /** Hub-level write-hook registry; fired around put/delete. */
         writeHooks?: WriteHookRegistry | undefined;
-        /** #230 — active transaction id supplier (null outside a transaction). */
+        /** The observe bus, threaded from Noydb. */
+        subsystemBus?: SubsystemBus | undefined;
+        /** Active transaction id supplier (null outside a transaction). */
         activeTxId?: (() => string | null) | undefined;
         getDEK: (collectionName: string) => Promise<CryptoKey>;
         historyConfig?: HistoryConfig | undefined;
@@ -9340,33 +9412,19 @@ declare class Collection<T> {
          * to the ledger.
          */
         onCrossTierAccess?: ((event: CrossTierAccessEvent) => void) | undefined;
-        periodGuard?: (existing: {
-            ts: string | null;
-            record: Record<string, unknown> | null;
-        } | null, incoming: Record<string, unknown> | null) => Promise<void>;
         /**
-         * Optional back-reference to the owning vault's guard registry +
-         * read-only facade. When present, put/delete consult registered
-         * guards for this collection. Same structural-interface pattern
-         * as `refEnforcer` to avoid a circular Vault import.
-         */
-        guardSource?: {
-            registry(): GuardRegistry;
-            readOnlyVault(): ReadOnlyVaultFacade$1;
-        } | undefined;
         /**
          * Optional back-reference to the owning vault's derivation
          * registry + collection accessor. When present, successful
          * `put()` dispatches registered derivation strategies for the
-         * source collection. Same structural-interface pattern as
-         * `guardSource` to avoid a circular Vault import.
+         * source collection.
          */
         derivationSource?: {
             registry(): DerivationRegistry;
             getCollection(name: string): Collection<Record<string, unknown>>;
             /**
              * Read-only vault facade handed to `derive(source, ctx)` so a
-             * derivation can fetch sibling records (#147). Same shape and
+             * derivation can fetch sibling records. Same shape and
              * instance the guards subsystem uses for `check(incoming, ctx)`.
              */
             getReadOnlyFacade(): ReadOnlyVaultFacade$1;
@@ -9375,13 +9433,13 @@ declare class Collection<T> {
              * transaction context, or `null` when no transaction is running.
              * `dispatchDerivations` consults this so a recursive derived-output
              * write can register its pre-write envelope onto `ctx._executed`
-             * and roll back alongside the source op on mid-batch failure (#133).
+             * and roll back alongside the source op on mid-batch failure.
              */
             getActiveTxContext(): TxContext | null;
             /**
              * Construct a transient TxContext bound to the owning Noydb. Used
              * by `Collection.putManyAtomic` to publish an active context for
-             * its Phase 2 loop (#133).
+             * its Phase 2 loop.
              */
             createTxContext(): TxContext;
             /** Publish a TxContext for the duration of a bulk-atomic loop. */
@@ -9390,7 +9448,7 @@ declare class Collection<T> {
             clearActiveTxContext(ctx: TxContext): void;
         } | undefined;
         /**
-         * Vault-internal hook for materialized-view dispatch (#143/#150).
+         * Vault-internal hook for materialized-view dispatch.
          * Parallel to `derivationSource`. When set, `Collection.put` fires
          * registered MV `onSourceWrite` after the standard derivation
          * dispatch.
@@ -9453,14 +9511,14 @@ declare class Collection<T> {
     }): PresenceHandle<P>;
     /**
      * Create or update a record. Runs inside the hub's write-queue tracker
-     * (#227) so `hub.writeQueue.pending` reflects this write.
+     * so `hub.writeQueue.pending` reflects this write.
      *
      * @param id      Record identifier.
      * @param record  The record body (validated by the collection's schema
      *                if one was attached at `vault.collection(...)` time).
      * @param options Optional metadata for audit + import workflows.
      *                `reason` is stamped onto the resulting ledger entry
-     *                (see #1) so audit consumers can filter via
+     *                so audit consumers can filter via
      *                `entries.filter(e => e.reason?.startsWith('import:'))`.
      */
     put(id: string, record: T, options?: {
@@ -9472,7 +9530,7 @@ declare class Collection<T> {
      * Fire registered MV strategies whose dependency set includes this
      * collection. Eager-mode MVs re-materialize inline via
      * `MaterializedViewExecutor.refresh`; lazy / manual modes are
-     * no-ops in the foundation (subtask #150) — wired in #151.
+     * no-ops in the foundation; wired in the lazy-mode implementation.
      *
      * Skips entirely when the record being written is itself an
      * MV-emitted row (carries `_materializedFrom`) — defensive guard
@@ -9495,11 +9553,11 @@ declare class Collection<T> {
     private dispatchDerivations;
     /**
      * Delete a record by ID. Runs inside the hub's write-queue tracker
-     * (#227) so `hub.writeQueue.pending` reflects this write.
+     * so `hub.writeQueue.pending` reflects this write.
      */
     delete(id: string): Promise<void>;
     /**
-     * @internal #232 — bulk-rewrite every record through a cutover transform.
+     * @internal — bulk-rewrite every record through a cutover transform.
      * Raw adapter path (bypasses the write gate + guards — the transform is
      * trusted and runs only during the `migrating` phase). Bumps each
      * record's `_v` and appends a ledger `op:'migration'` entry.
@@ -9509,8 +9567,7 @@ declare class Collection<T> {
     private deleteInternal;
     /**
      * @internal — system-internal delete that bypasses user-facing
-     * delete hooks (`onDelete`, accounting-period guard, FK ref
-     * enforcer). Used by derivation tombstones (#144) and MV refresh
+     * delete hooks (`onDelete`, FK ref enforcer). Used by derivation tombstones and MV refresh
      * (Dim 14 v2) — system housekeeping shouldn't trip user invariants
      * registered against the output collection. The ledger entry and
      * history snapshot still fire so backup integrity and time-travel
@@ -9522,7 +9579,7 @@ declare class Collection<T> {
      *
      * When a `txCtx` is supplied, the prior envelope is captured and
      * pushed onto `txCtx._executed` BEFORE the delete fires — mirrors
-     * the #133 rollback hardening for puts. Callers outside a
+     * the rollback hardening for puts. Callers outside a
      * multi-record transaction pass `null` and skip the tracking.
      *
      * Amendment composition: if `_internalDelete` runs while a vault's
@@ -9549,7 +9606,7 @@ declare class Collection<T> {
     private _doDelete;
     /**
      * Cascade deletes of array-shape derived rows when a source row is
-     * deleted (#200). Reads each registered strategy's fanout sidecar
+     * deleted. Reads each registered strategy's fanout sidecar
      * for this source id, deletes every listed derived row, then
      * deletes the sidecar itself.
      *
@@ -9560,8 +9617,8 @@ declare class Collection<T> {
      */
     private dispatchArrayDerivationsOnDelete;
     /**
-     * Mirror of {@link dispatchMaterializedViews} for the delete path
-     * (#181). No record content is available (it's gone), so the
+     * Mirror of {@link dispatchMaterializedViews} for the delete path.
+     * No record content is available (it's gone), so the
      * `_materializedFrom` skip used by the put-side dispatch doesn't
      * apply here — instead, the recursion guard is the `internal` gate
      * at the `_doDelete` call site above.
@@ -9643,7 +9700,7 @@ declare class Collection<T> {
      * the filtered records directly (the API). Prefer the chainable
      * form for new code.
      *
-     * **Lazy-MV gap (#157):** `query()` is synchronous and does NOT
+     * **Lazy-MV gap:** `query()` is synchronous and does NOT
      * trigger lazy materialized-view resolve-on-read. If this
      * collection is a lazy MV's output and the MV is currently stale,
      * `query().toArray()` returns the pre-stale snapshot. To force a
@@ -9804,7 +9861,7 @@ declare class Collection<T> {
      *   .aggregate({ total: sum('amount'), n: count() })
      * ```
      *
-     * **Lazy-MV gap (#157):** `scan()` is synchronous-build and does
+     * **Lazy-MV gap:** `scan()` is synchronous-build and does
      * NOT trigger lazy materialized-view resolve-on-read. For lazy
      * MVs, call `list()` (which DOES resolve) or `vault.refreshView(name)`
      * before scanning. Same shape as the `query()` limitation.
@@ -9844,13 +9901,13 @@ declare class Collection<T> {
      */
     _invalidateCacheEntry(id: string): Promise<void>;
     /**
-     * #228b — apply a peer tab's committed write to THIS tab's in-memory view:
+     * Apply a peer tab's committed write to THIS tab's in-memory view:
      * re-read the (already-persisted) envelope from the shared store + refresh
      * cache/indexes, then emit a `change` event so reactive consumers re-render.
      * Never writes to the store and never fires write hooks, so it cannot loop.
      */
     _applyRemoteChange(id: string, action: 'put' | 'delete'): Promise<void>;
-    /** @internal #228c — the current in-memory record without a store read (for conflict capture). */
+    /** @internal — the current in-memory record without a store read (for conflict capture). */
     _peekCached(id: string): T | null;
     private ensureHydrated;
     /** Hydrate from a pre-loaded snapshot (used by Vault). */
@@ -10408,7 +10465,7 @@ interface SessionStrategy {
 }
 
 /**
- * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.
+ * Managed-passphrase mode — rubber-hose-resistant vaults.
  *
  * A vault mode where the passphrase is machine-generated and never
  * exposed to the user, sealed under a developer-provided
@@ -10447,9 +10504,9 @@ interface SessionStrategy {
  *     Returns the plaintext passphrase string that the rest of the
  *     `createNoydb` keyring path consumes.
  *
- * Slice 1 of #14. Deferred to follow-ups:
+ * Deferred to follow-ups:
  *   - Block `rotate-passphrase` policy gate under managed mode.
- *   - Mandatory strong-recovery enforcement (depends on #10).
+ *   - Mandatory strong-recovery enforcement.
  *   - Recovery flow under managed mode (generates fresh sealed phrase).
  *
  * @see docs/subsystems/session-tiers.md → Managed-passphrase mode
@@ -10609,12 +10666,12 @@ interface SealedPassphrase {
  *
  * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.
  *
- * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`
+ * Legacy shape (earlier releases): `{ _noydb_sealed: 1, providerId, sealed }`
  * — accepted on read for backwards compatibility; never produced on
  * write going forward.
  */
 interface SealedEnvelope {
-    /** Envelope schema version. v1 is the shape shipped in pre.16. */
+    /** Envelope schema version. v1 is the current shape. */
     readonly v: 1;
     /** Magic marker for forensics + legacy-shape detection. */
     readonly _noydb_sealed: 1;
@@ -10628,9 +10685,9 @@ interface SealedEnvelope {
  * in-memory {@link SealedPassphrase} representation. Accepts both:
  *
  *   1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —
- *      the shape produced from pre.16 onward.
+ *      the current shape.
  *   2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —
- *      the shape produced in pre.14/pre.15. Read-only; never written
+ *      read-only; never written
  *      going forward.
  *
  * Returns `undefined` for any input that doesn't match either shape,
@@ -11015,9 +11072,9 @@ interface ImportCapability {
  */
 type VaultPolicyOnDisk = Record<string, unknown>;
 /**
- * Recovery profile enrolled at vault creation (issue #10).
+ * Recovery profile enrolled at vault creation.
  *
- * - `paper` — `on-recovery` codes (the only end-to-end profile in v0.1.0-pre.5).
+ * - `paper` — `on-recovery` codes (the standard end-to-end profile).
  * - `shamir` / `multi-channel` / `admin-mediated` — API surface ships;
  *   per-profile dispatch lands in follow-up issues. Calling
  *   `db.recoverPassphrase` against these throws
@@ -11080,7 +11137,7 @@ interface KeyringAuthenticatorBase {
  * extractable KEK from its own credential — WebAuthn (PRF-derived
  * wrapping key) and split-key OIDC.
  *
- * `wrapKind` is optional/absent on slots written before pre.8 — those
+ * `wrapKind` is optional/absent on older slots — those
  * legacy slots are treated as wrap-KEK by default at unlock time.
  */
 interface KeyringAuthenticatorWrappingKEK extends KeyringAuthenticatorBase {
@@ -11143,11 +11200,11 @@ interface KeyringFile {
     readonly granted_by: string;
     /**
      * Passphrase canary — base64 AES-KW-wrapped form of a known constant
-     * 256-bit value, wrapped under the keyring's KEK (#113).
+     * 256-bit value, wrapped under the keyring's KEK.
      *
-     * Optional: pre-#113 keyrings load with no canary and fall back to
-     * the multi-DEK corruption heuristic from #82. Keyrings written after
-     * #113 carry one and let `loadKeyring` distinguish wrong-passphrase
+     * Optional: older keyrings load with no canary and fall back to
+     * the multi-DEK corruption heuristic. Newer keyrings
+     * carry one and let `loadKeyring` distinguish wrong-passphrase
      * from corruption even when ALL DEKs (including a single-DEK keyring's
      * sole DEK) are corrupted.
      *
@@ -11370,7 +11427,7 @@ interface Conflict {
     readonly resolve?: (winner: EncryptedEnvelope | null) => void;
 }
 /**
- * #228c — a same-device cross-tab write conflict: another tab overwrote a
+ * A same-device cross-tab write conflict: another tab overwrote a
  * document this tab had written, having diverged from an older base. Records
  * are decrypted (cross-tab handlers reconcile in plaintext). `base` is the
  * common ancestor from history, or null when history is unavailable.
@@ -11473,8 +11530,8 @@ interface NoydbEventMap {
     'change': ChangeEvent;
     'error': Error;
     /**
-     * Same-instance signal that this vault's schema-fence state changed
-     * (#232). For UI integration (#233). Cross-client coordination goes
+     * Same-instance signal that this vault's schema-fence state changed.
+     * For UI integration. Cross-client coordination goes
      * through the store, not this event.
      */
     'schema:fence-changed': {
@@ -11580,7 +11637,7 @@ interface GrantOptions {
     readonly initialProfile?: unknown;
 }
 /**
- * Caller payload for `db.updateUser` (#54). Mutate one or more
+ * Caller payload for `db.updateUser`. Mutate one or more
  * identity fields on an existing keyring without rotating any keys.
  *
  * `role`, `displayName`, and `permissions` live in the plaintext header
@@ -11594,7 +11651,7 @@ interface GrantOptions {
  * `null` on `displayName` clears the field (stored as the empty string;
  * UI consumers typically render the empty case by falling back to the
  * user id). `undefined` / absent leaves the field untouched. Mirrors
- * the `null`-as-clear convention `UserApi.updateMe` uses (#57).
+ * the `null`-as-clear convention `UserApi.updateMe` uses.
  *
  * `permissions`, however, is a **full replacement** at the map level —
  * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
@@ -11608,8 +11665,6 @@ interface GrantOptions {
  * do anything. Non-admin callers (operator/viewer/client) cannot call
  * `db.updateUser` at all — for self-displayName changes, use
  * `vault.user.updateMe` (the user-envelope API).
- *
- * @see #54
  */
 interface UpdateUserOptions {
     readonly userId: string;
@@ -12201,7 +12256,7 @@ interface NoydbOptions {
      */
     readonly derivationStrategies?: ReadonlyArray<DerivationStrategyHandle>;
     /**
-     * Optional materialized-view strategies (#143, foundation in #150).
+     * Optional materialized-view strategies.
      * Each handle returned by `withMaterializedView()` from
      * `@noy-db/hub/materialized-views`. The vault runs unified cycle
      * detection across the MV + derivation graphs at `openVault`; a
@@ -12209,7 +12264,7 @@ interface NoydbOptions {
      */
     readonly materializedViewStrategies?: ReadonlyArray<MaterializedViewStrategyHandle>;
     /**
-     * Optional overlay strategies (#154). Each handle returned by
+     * Optional overlay strategies. Each handle returned by
      * `withOverlayedView()` from `@noy-db/hub/overlay-views`. The vault
      * validates name uniqueness + base concreteness + overlay
      * availability at `openVault`; a clash throws one of the
@@ -12262,7 +12317,7 @@ interface NoydbOptions {
      */
     readonly getKeyring?: (vault: string) => Promise<UnlockedKeyring>;
     /**
-     * Passphrase mode (#14). Default `'standard'`.
+     * Passphrase mode. Default `'standard'`.
      *
      *   - `'standard'` — the legacy flow. `secret` supplies the
      *     plaintext passphrase, the user knows it, and the policy gate
@@ -12323,14 +12378,14 @@ interface NoydbOptions {
     readonly sessionPolicy?: SessionPolicy;
     /**
      * Validate passphrase strength against the phrase format
-     * (`@noy-db/hub` issue #7) on first-time keyring creation. When
+     * on first-time keyring creation. When
      * `true`, weak phrases throw {@link WeakPassphraseError} from
      * `createNoydb()` / `db.rotatePassphrase()`. Default: `false` for
-     * back-compat in v0.1.x; planned to flip to `true` at v1.0.
+     * back-compat; planned to flip to `true` in a future major release.
      */
     readonly validatePassphrase?: boolean;
     /**
-     * Vault-level policy gate document (issue #9). When present, the hub
+     * Vault-level policy gate document. When present, the hub
      * persists the merged policy at `_meta/policy` on first-time vault
      * creation and gates sensitive operations (`db.rotatePassphrase`,
      * `db.export*`, …) against it. Omitted ⇒ the engine uses
@@ -12346,14 +12401,14 @@ interface NoydbOptions {
      */
     readonly policy?: VaultPolicy;
     /**
-     * Mandatory recovery profile enrollment (issue #10). Vaults with
+     * Mandatory recovery profile enrollment. Vaults with
      * `recover-passphrase` enabled MUST register at least one profile
      * before being production-ready, otherwise `createNoydb()` throws
      * {@link RecoveryNotEnrolledError}. Set
      * `policy.gates['recover-passphrase'].enabled = false` to
      * deliberately opt out of recovery (passphrase loss = data loss).
      *
-     * v0.1.0-pre.5 supports the `'paper'` profile end-to-end. Other
+     * The `'paper'` profile is supported end-to-end. Other
      * profiles ship the API shape and throw
      * {@link RecoveryProfileNotImplementedError} during use.
      */
@@ -12361,9 +12416,9 @@ interface NoydbOptions {
     /**
      * When `true`, `createNoydb` rejects vaults with no recovery
      * entries persisted (per the spec's mandatory-enrollment
-     * requirement). Default `false` for v0.1.x back-compat; planned to
-     * flip to `true` at v1.0. Apps in regulated environments should
-     * turn this on now.
+     * requirement). Default `false` for back-compat; planned to
+     * flip to `true` in a future major release. Apps in regulated
+     * environments should turn this on now.
      */
     readonly requireRecovery?: boolean;
     /**
@@ -12490,4 +12545,4 @@ interface DeleteManyResult {
     }>;
 }
 
-export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, VaultInstant as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DerivationStrategyHandle as aA, type DerivedFromMeta as aB, type OutputSpec as aC, type RecordOutputSpec as aD, type MaterializedViewStrategy as aE, type MaterializedViewStrategyHandle as aF, type OverlayedViewStrategy as aG, Collection as aH, OverlayedViewRegistry as aI, type OverlayedViewStrategyHandle as aJ, type SyncStrategy as aK, type Role as aL, type UnlockedKeyring as aM, type HistoryStrategy as aN, type NoydbStore as aO, type HistoryOptions as aP, type EncryptedEnvelope as aQ, type PruneOptions as aR, type AppendInput as aS, type ChangeType as aT, CollectionInstant as aU, type DiffEntry as aV, type JsonPatch as aW, type JsonPatchOp as aX, type LedgerEntry as aY, LedgerStore as aZ, type VaultEngine as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type GuardStrategy as ah, type GuardChange as ai, type GuardContext as aj, GuardRegistry as ak, type GuardStrategyHandle as al, ReadOnlyVaultFacade as am, type ShadowStrategy as an, CollectionFrame as ao, VaultFrame as ap, type TxStrategy as aq, type AmendmentTxOptions as ar, TxCollection as as, TxContext as at, TxVault as au, runTransaction as av, type DerivationStrategy as aw, type DerivationContext as ax, type ArrayOutputSpec as ay, DerivationRegistry as az, type DictKeyDescriptor as b, type EnrollAuthenticatorOptions as b$, type VerifyResult as b0, applyPatch as b1, canonicalJson as b2, computePatch as b3, diff as b4, formatDiff as b5, hashEntry as b6, paddedIndex as b7, parseIndex as b8, sha256Hex as b9, type AccessibleVault as bA, type AffectedDocument as bB, BUNDLE_STORE_POLICY as bC, type BuiltInGateName as bD, type CacheOptions as bE, type CacheStats as bF, type ChangeEvent as bG, type CollectionChangeEvent as bH, type CollectionConflictResolver as bI, type CollectionDescriptor as bJ, type CollectionStats as bK, type Conflict as bL, type ConflictPolicy as bM, type ConflictStrategy as bN, type CrossTierAccessEvent as bO, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bP, DELEGATIONS_COLLECTION as bQ, type DeepPartial as bR, type DeepPartialOrNull as bS, type DelegationToken as bT, type DeleteManyResult as bU, type DerivationDescriptor as bV, type DirtyEntry as bW, type DryRunResult as bX, type DumpSchemaOptions as bY, ELEVATION_AUDIT_COLLECTION as bZ, ElevatedHandle as b_, type PublicEnvelope as ba, type SealingKeyProvider as bb, type BundleRecipient as bc, type RecipientSealer as bd, type RecipientHint as be, Vault as bf, type RecoveryEnrollmentInput as bg, type ShamirRecoveryProvider as bh, type MVQueryContext as bi, type RegisteredMV as bj, MaterializedViewRegistry as bk, type MaterializedFromMeta as bl, type MaterializedViewOutput as bm, type UnionSource as bn, type UserEnvelope as bo, type GateName as bp, type GatePolicy as bq, type VaultPolicy as br, type ActiveTier as bs, type FactorProof as bt, type SchemaUpdateStrategy as bu, type TransformFn as bv, type PersistedSchemaEnvelope as bw, type UpdateDecision as bx, type DirectoryConfig as by, type UserVisibility as bz, DictionaryHandle as c, type PlaintextTranslatorContext as c$, type EnrollAuthenticatorWrappingDEKsOptions as c0, type EnrollAuthenticatorWrappingKEKOptions as c1, type EnrollRecoveryResult as c2, type ExportCapability as c3, type ExportChunk as c4, type ExportFormat as c5, type ExportStreamOptions as c6, type FactorKind as c7, type FactorProofBundle as c8, type FactorRequirement as c9, type LruOptions as cA, type LruStats as cB, MAGIC_LINK_CONTENT_INFO_PREFIX as cC, MAGIC_LINK_GRANTS_COLLECTION as cD, MAGIC_LINK_KEK_INFO_PREFIX as cE, type MagicLinkGrantPayload as cF, type MagicLinkGrantRecord as cG, type MaterializedViewDescriptor as cH, MemoryRecipientSealer as cI, MemorySealingKeyProvider as cJ, NOYDB_BACKUP_VERSION as cK, NOYDB_FORMAT_VERSION as cL, NOYDB_KEYRING_VERSION as cM, NOYDB_SYNC_VERSION as cN, Noydb as cO, type NoydbBundleStore as cP, type NoydbEventMap as cQ, type NoydbOptions as cR, type OverlayViewDescriptor as cS, PUBLIC_ENVELOPE_FIELDS as cT, type PaperRecoveryDoc as cU, type PaperRecoveryEntry as cV, type PassphrasePolicy as cW, type PassphraseValidationResult as cX, type Permission as cY, type Permissions as cZ, type PersistedSchemaKind as c_, type FenceDoc as ca, type FenceState as cb, type FieldChange as cc, type FieldDescriptor as cd, type FieldSource as ce, type GhostRecord as cf, type GrantOptions as cg, type GuardViolation as ch, type HistoryConfig as ci, type HistoryEntry as cj, INDEXED_STORE_POLICY as ck, type ImportCapability as cl, type InferOutput as cm, type InternalCollectionStats as cn, type IssueDelegationOptions as co, type IssueMagicLinkGrantOptions as cp, type KeyringAuthenticator as cq, type KeyringAuthenticatorWrappingDEKs as cr, type KeyringAuthenticatorWrappingKEK as cs, type KeyringFile as ct, type ListAccessibleVaultsOptions as cu, type ListPageResult as cv, type ListUsersOptions as cw, type LiveUserEnvelope as cx, type LocaleReadOptions as cy, Lru as cz, type DictionaryOptions as d, type TabRole as d$, type PlaintextTranslatorFn as d0, PresenceHandle as d1, type PresencePeer as d2, type PublicEnvelopeField as d3, type PublicEnvelopeSchema as d4, type PublicEnvelopeText as d5, type PullMode as d6, type PullOptions as d7, type PullPolicy as d8, type PullResult as d9, type SealedPassphrase as dA, type SessionPolicy as dB, type SetPublicEnvelopeInput as dC, type ShamirRecoveryDoc as dD, type ShamirRecoveryEntry as dE, type SlotRewrapCeremony as dF, type SlotRewrapContext as dG, type StandardSchemaV1 as dH, type StandardSchemaV1Issue as dI, type StandardSchemaV1SyncResult as dJ, type StoreAuth as dK, type StoreAuthKind as dL, type StoreCapabilities as dM, SyncEngine as dN, type SyncMetadata as dO, type SyncPolicy as dP, SyncScheduler as dQ, type SyncSchedulerStatus as dR, type SyncStatus as dS, type SyncTarget as dT, type SyncTargetRole as dU, SyncTransaction as dV, type SyncTransactionResult as dW, type TabChannel as dX, type TabCoordinationOptions as dY, type TabLockManager as dZ, type TabPresence as d_, type PushMode as da, type PushOptions as db, type PushPolicy as dc, type PushResult as dd, type PutManyItemOptions as de, type PutManyOptions as df, type PutManyResult as dg, type QueryAcrossOptions as dh, type QueryAcrossResult as di, type QuickUnlockState as dj, QuickUnlockStore as dk, type ReAuthOperation as dl, type RecoverPassphraseInput as dm, type RecoverPassphraseResult as dn, type RecoverUserOptions as dp, type RecoveryProof as dq, type ResolvedPublicEnvelopeSchema as dr, type RevokeOptions as ds, type RotatePassphraseInput as dt, type RotateRecoveryOptions as du, type RotateRecoveryResult as dv, SEALED_PASSPHRASE_RECORD_ID as dw, type SchemaDelta as dx, type SchemaIntrospection as dy, type SealedEnvelope as dz, type I18nTextDescriptor as e, savePaperRecoveryEntries as e$, type TierMode as e0, type TranslatorAuditEntry as e1, type TxOp as e2, USER_ENVELOPE_COLLECTION as e3, USER_ENVELOPE_MAX_BYTES as e4, type Unsubscribe as e5, type UpdateAuthenticatorOptions as e6, type UpdateContext as e7, type UpdateUserOptions as e8, UserApi as e9, findAuthenticator as eA, hasExportCapability as eB, hasImportCapability as eC, hasRecoveryEnrolled as eD, isMagicLinkGrantExpired as eE, isPublicEnvelope as eF, issueDelegation as eG, recoverPassphrase as eH, rotatePassphrase as eI, listMagicLinkGrants as eJ, listUsers as eK, listUsersWithEnvelopes as eL, loadActiveDelegations as eM, loadPaperRecoveryEntries as eN, loadSealedPassphrase as eO, loadShamirRecoveryEntries as eP, magicLinkGrantRecordId as eQ, mintPaperRecoveryEntry as eR, mintShamirRecoveryEntry as eS, mintWrappedDeksBlob as eT, parseSealedEnvelope as eU, readMagicLinkGrantRecord as eV, recoverUser as eW, removeAuthenticator as eX, resolveSchema as eY, revokeDelegation as eZ, revokeMagicLinkGrant as e_, type UserEnvelopeCheckGate as ea, UserEnvelopeOversizedError as eb, type UserEnvelopePresented as ec, type UserInfo as ed, type VaultBackup as ee, type VaultPolicyOnDisk as ef, type VaultSchemaSnapshot as eg, type VaultSnapshot as eh, type WarningRules as ei, WeakPassphraseError as ej, type WeakPassphraseReason as ek, type WrappedDeksBlob as el, type WriteConflict as em, type WriteEvent as en, type WriteHook as eo, type WriteQueue as ep, assertStrongPassphrase as eq, buildRecipientKeyringFile as er, burnPaperRecoveryEntry as es, createNoydb as et, createStore as eu, deriveMagicLinkContentKey as ev, enrollAuthenticator as ew, estimateEntropy as ex, evaluateExportCapability as ey, evaluateImportCapability as ez, type I18nTextOptions as f, saveSealedPassphrase as f0, saveShamirRecoveryEntries as f1, unwrapDeksFromBlob as f2, unwrapDeksFromPaperEntry as f3, unwrapDeksFromShamirEntry as f4, unwrapMagicLinkGrant as f5, validatePassphrase as f6, validatePublicEnvelopeInput as f7, validateSchemaInput as f8, validateSchemaOutput as f9, writeMagicLinkGrant as fa, changeSecret as fb, createOwnerKeyring as fc, ensureCollectionDEK as fd, grant as fe, loadKeyring as ff, persistKeyring as fg, revoke as fh, updateAuthenticator as fi, updateKeyringIdentity as fj, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
+export { type ConsentStrategy as $, type BlobFieldPolicy as A, type BlobStrategy as B, type BlobFieldsConfig as C, DICT_COLLECTION_PREFIX as D, type BlobObject as E, type BlobPutOptions as F, type BlobResponseOptions as G, BlobSet as H, type I18nStrategy as I, type BlobStrategyOpenArgs as J, type CompactRunOptions as K, type CompactionContext as L, type CompactionResult as M, DEFAULT_CHUNK_SIZE as N, EXPORT_AUDIT_COLLECTION as O, PolicyEnforcer as P, ExportBlobsAbortedError as Q, type ExportBlobsAuditEntry as R, type SessionStrategy as S, type ExportBlobsHandle as T, type ExportBlobsOptions as U, type ExportedBlob as V, type SlotInfo as W, type SlotRecord as X, type VersionRecord as Y, createExportBlobsHandle as Z, runCompaction as _, type DictEntry as a, LedgerStore as a$, CONSENT_AUDIT_COLLECTION as a0, type ConsentAuditEntry as a1, type ConsentAuditFilter as a2, type ConsentContext as a3, type ConsentOp as a4, loadConsentEntries as a5, writeConsentEntry as a6, type PeriodsStrategy as a7, type CarryForwardContext as a8, type ClosePeriodOptions as a9, type ArrayOutputSpec as aA, DerivationRegistry as aB, type DerivationStrategyHandle as aC, type DerivedFromMeta as aD, type OutputSpec as aE, type RecordOutputSpec as aF, type MaterializedViewStrategy as aG, type MaterializedViewStrategyHandle as aH, type OverlayedViewStrategy as aI, Collection as aJ, OverlayedViewRegistry as aK, type OverlayedViewStrategyHandle as aL, type SyncStrategy as aM, type Role as aN, type UnlockedKeyring as aO, type HistoryStrategy as aP, type NoydbStore as aQ, type HistoryOptions as aR, type EncryptedEnvelope as aS, type PruneOptions as aT, type AppendInput as aU, type ChangeType as aV, CollectionInstant as aW, type DiffEntry as aX, type JsonPatch as aY, type JsonPatchOp as aZ, type LedgerEntry as a_, type OpenPeriodOptions as aa, PERIODS_COLLECTION as ab, type PeriodRecord as ac, type ReadOnlyCollection as ad, appendPeriodLedgerEntry as ae, assertTsWritable as af, chainAnchor as ag, loadPeriods as ah, validatePeriodName as ai, type GuardStrategy as aj, type GuardChange as ak, type GuardContext as al, GuardRegistry as am, type GuardStrategyHandle as an, ReadOnlyVaultFacade as ao, type ShadowStrategy as ap, CollectionFrame as aq, VaultFrame as ar, type TxStrategy as as, type AmendmentTxOptions as at, TxCollection as au, TxContext as av, TxVault as aw, runTransaction as ax, type DerivationStrategy as ay, type DerivationContext as az, type DictKeyDescriptor as b, ELEVATION_AUDIT_COLLECTION as b$, type VaultEngine as b0, VaultInstant as b1, type VerifyResult as b2, applyPatch as b3, canonicalJson as b4, computePatch as b5, diff as b6, formatDiff as b7, hashEntry as b8, paddedIndex as b9, type DirectoryConfig as bA, type UserVisibility as bB, type AccessibleVault as bC, type AffectedDocument as bD, BUNDLE_STORE_POLICY as bE, type BuiltInGateName as bF, type CacheOptions as bG, type CacheStats as bH, type ChangeEvent as bI, type CollectionChangeEvent as bJ, type CollectionConflictResolver as bK, type CollectionDescriptor as bL, type CollectionStats as bM, type Conflict as bN, type ConflictPolicy as bO, type ConflictStrategy as bP, type CrossTierAccessEvent as bQ, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bR, DELEGATIONS_COLLECTION as bS, type DeepPartial as bT, type DeepPartialOrNull as bU, type DelegationToken as bV, type DeleteManyResult as bW, type DerivationDescriptor as bX, type DirtyEntry as bY, type DryRunResult as bZ, type DumpSchemaOptions as b_, parseIndex as ba, sha256Hex as bb, type PublicEnvelope as bc, type SealingKeyProvider as bd, type BundleRecipient as be, type RecipientSealer as bf, type RecipientHint as bg, Vault as bh, type RecoveryEnrollmentInput as bi, type ShamirRecoveryProvider as bj, type MVQueryContext as bk, type RegisteredMV as bl, MaterializedViewRegistry as bm, type MaterializedFromMeta as bn, type MaterializedViewOutput as bo, type UnionSource as bp, type UserEnvelope as bq, type GateName as br, type GatePolicy as bs, type VaultPolicy as bt, type ActiveTier as bu, type FactorProof as bv, type SchemaUpdateStrategy as bw, type TransformFn as bx, type PersistedSchemaEnvelope as by, type UpdateDecision as bz, DictionaryHandle as c, type Permissions as c$, ElevatedHandle as c0, type EnrollAuthenticatorOptions as c1, type EnrollAuthenticatorWrappingDEKsOptions as c2, type EnrollAuthenticatorWrappingKEKOptions as c3, type EnrollRecoveryResult as c4, type ExportCapability as c5, type ExportChunk as c6, type ExportFormat as c7, type ExportStreamOptions as c8, type FactorKind as c9, type LocaleReadOptions as cA, Lru as cB, type LruOptions as cC, type LruStats as cD, MAGIC_LINK_CONTENT_INFO_PREFIX as cE, MAGIC_LINK_GRANTS_COLLECTION as cF, MAGIC_LINK_KEK_INFO_PREFIX as cG, type MagicLinkGrantPayload as cH, type MagicLinkGrantRecord as cI, type MaterializedViewDescriptor as cJ, MemoryRecipientSealer as cK, MemorySealingKeyProvider as cL, NOYDB_BACKUP_VERSION as cM, NOYDB_FORMAT_VERSION as cN, NOYDB_KEYRING_VERSION as cO, NOYDB_SYNC_VERSION as cP, Noydb as cQ, type NoydbBundleStore as cR, type NoydbEventMap as cS, type NoydbOptions as cT, type OverlayViewDescriptor as cU, PUBLIC_ENVELOPE_FIELDS as cV, type PaperRecoveryDoc as cW, type PaperRecoveryEntry as cX, type PassphrasePolicy as cY, type PassphraseValidationResult as cZ, type Permission as c_, type FactorProofBundle as ca, type FactorRequirement as cb, type FenceDoc as cc, type FenceState as cd, type FieldChange as ce, type FieldDescriptor as cf, type FieldSource as cg, type GhostRecord as ch, type GrantOptions as ci, type GuardViolation as cj, type HistoryConfig as ck, type HistoryEntry as cl, INDEXED_STORE_POLICY as cm, type ImportCapability as cn, type InferOutput as co, type InternalCollectionStats as cp, type IssueDelegationOptions as cq, type IssueMagicLinkGrantOptions as cr, type KeyringAuthenticator as cs, type KeyringAuthenticatorWrappingDEKs as ct, type KeyringAuthenticatorWrappingKEK as cu, type KeyringFile as cv, type ListAccessibleVaultsOptions as cw, type ListPageResult as cx, type ListUsersOptions as cy, type LiveUserEnvelope as cz, type DictionaryOptions as d, type TabLockManager as d$, type PersistedSchemaKind as d0, type PlaintextTranslatorContext as d1, type PlaintextTranslatorFn as d2, PresenceHandle as d3, type PresencePeer as d4, type PublicEnvelopeField as d5, type PublicEnvelopeSchema as d6, type PublicEnvelopeText as d7, type PullMode as d8, type PullOptions as d9, type SchemaIntrospection as dA, type SealedEnvelope as dB, type SealedPassphrase as dC, type SessionPolicy as dD, type SetPublicEnvelopeInput as dE, type ShamirRecoveryDoc as dF, type ShamirRecoveryEntry as dG, type SlotRewrapCeremony as dH, type SlotRewrapContext as dI, type StandardSchemaV1 as dJ, type StandardSchemaV1Issue as dK, type StandardSchemaV1SyncResult as dL, type StoreAuth as dM, type StoreAuthKind as dN, type StoreCapabilities as dO, SyncEngine as dP, type SyncMetadata as dQ, type SyncPolicy as dR, SyncScheduler as dS, type SyncSchedulerStatus as dT, type SyncStatus as dU, type SyncTarget as dV, type SyncTargetRole as dW, SyncTransaction as dX, type SyncTransactionResult as dY, type TabChannel as dZ, type TabCoordinationOptions as d_, type PullPolicy as da, type PullResult as db, type PushMode as dc, type PushOptions as dd, type PushPolicy as de, type PushResult as df, type PutManyItemOptions as dg, type PutManyOptions as dh, type PutManyResult as di, type QueryAcrossOptions as dj, type QueryAcrossResult as dk, type QuickUnlockState as dl, QuickUnlockStore as dm, type ReAuthOperation as dn, type RecoverPassphraseInput as dp, type RecoverPassphraseResult as dq, type RecoverUserOptions as dr, type RecoveryProof as ds, type ResolvedPublicEnvelopeSchema as dt, type RevokeOptions as du, type RotatePassphraseInput as dv, type RotateRecoveryOptions as dw, type RotateRecoveryResult as dx, SEALED_PASSPHRASE_RECORD_ID as dy, type SchemaDelta as dz, type I18nTextDescriptor as e, revokeDelegation as e$, type TabPresence as e0, type TabRole as e1, type TierMode as e2, type TranslatorAuditEntry as e3, type TxOp as e4, USER_ENVELOPE_COLLECTION as e5, USER_ENVELOPE_MAX_BYTES as e6, type Unsubscribe as e7, type UpdateAuthenticatorOptions as e8, type UpdateContext as e9, evaluateExportCapability as eA, evaluateImportCapability as eB, findAuthenticator as eC, hasExportCapability as eD, hasImportCapability as eE, hasRecoveryEnrolled as eF, isMagicLinkGrantExpired as eG, isPublicEnvelope as eH, issueDelegation as eI, recoverPassphrase as eJ, rotatePassphrase as eK, listMagicLinkGrants as eL, listUsers as eM, listUsersWithEnvelopes as eN, loadActiveDelegations as eO, loadPaperRecoveryEntries as eP, loadSealedPassphrase as eQ, loadShamirRecoveryEntries as eR, magicLinkGrantRecordId as eS, mintPaperRecoveryEntry as eT, mintShamirRecoveryEntry as eU, mintWrappedDeksBlob as eV, parseSealedEnvelope as eW, readMagicLinkGrantRecord as eX, recoverUser as eY, removeAuthenticator as eZ, resolveSchema as e_, type UpdateUserOptions as ea, UserApi as eb, type UserEnvelopeCheckGate as ec, UserEnvelopeOversizedError as ed, type UserEnvelopePresented as ee, type UserInfo as ef, type VaultBackup as eg, type VaultPolicyOnDisk as eh, type VaultSchemaSnapshot as ei, type VaultSnapshot as ej, type WarningRules as ek, WeakPassphraseError as el, type WeakPassphraseReason as em, type WrappedDeksBlob as en, type WriteConflict as eo, type WriteEvent as ep, type WriteHook as eq, type WriteQueue as er, assertStrongPassphrase as es, buildRecipientKeyringFile as et, burnPaperRecoveryEntry as eu, createNoydb as ev, createStore as ew, deriveMagicLinkContentKey as ex, enrollAuthenticator as ey, estimateEntropy as ez, type I18nTextOptions as f, revokeMagicLinkGrant as f0, savePaperRecoveryEntries as f1, saveSealedPassphrase as f2, saveShamirRecoveryEntries as f3, unwrapDeksFromBlob as f4, unwrapDeksFromPaperEntry as f5, unwrapDeksFromShamirEntry as f6, unwrapMagicLinkGrant as f7, validatePassphrase as f8, validatePublicEnvelopeInput as f9, validateSchemaInput as fa, validateSchemaOutput as fb, writeMagicLinkGrant as fc, changeSecret as fd, createOwnerKeyring as fe, ensureCollectionDEK as ff, grant as fg, loadKeyring as fh, persistKeyring as fi, revoke as fj, updateAuthenticator as fk, updateKeyringIdentity as fl, applyI18nLocale as g, dictCollectionName as h, dictKey as i, getAtPath as j, i18nText as k, isDictCollectionName as l, isDictKeyDescriptor as m, isI18nTextDescriptor as n, createEnforcer as o, validateSessionPolicy as p, BLOB_CHUNKS_COLLECTION as q, resolveI18nText as r, setAtPathInPlace as s, BLOB_COLLECTION as t, BLOB_EVICTION_AUDIT_COLLECTION as u, validateI18nTextValue as v, BLOB_INDEX_COLLECTION as w, BLOB_SLOTS_PREFIX as x, BLOB_VERSIONS_PREFIX as y, type BlobEvictionEntry as z };