v0.1.0-pre.9 — consumer-iteration batch (#53–#57)

v0.1.0-pre.9 — consumer-iteration batch on pre.8 APIs

5-issue follow-up surfaced after the first production consumer (Niwat) shipped pre.8 to production. No new subsystems; surgical extensions to APIs that landed in pre.8.

What's new

• db.updateUser(vault, options, factors?) (#54) — post-grant identity mutation for role, displayName, and permissions. Pure plaintext-header rewrite (no DEK rewrap, no KEK required, no authenticator slots touched). Tier-2 enrollments and recovery codes survive. New update-user policy gate. Two-sided role-elevation guard mirrors db.grant's hierarchy.
• db.updateAuthenticator(vault, slotId, options, factors?) (#55) — meta-only mutation for slot rename / label changes. Anti-slot-swap is structural (UpdateAuthenticatorOptions only carries meta; wrap material / id / method are unreachable). New update-authenticator policy gate.
• webAuthnSlotRewrapCeremony from @noy-db/on-webauthn (#56) — fills the placeholder in #29's slotCeremonies API. Single ceremony, two crypto operations under one assertion. Closes the "rotate phrase without losing my biometric" UX promise.
• UserApi.updateMe<T>(patch) accepts null to clear fields (#57) — matches lodash _.merge and Firestore FieldValue.delete() semantics. New DeepPartialOrNull<T> type.
• @noy-db/on-magic-link acceptInvite forwards passphrasePolicy (#53) — unblocks consumers using non-default phrase shapes (Thai/EN-mixed, hyphen-separated, BIP-39 word lists).

Install

pnpm add @noy-db/hub@next

Compatibility

Same wire format as pre.8 (_keyring / _meta/policy / _meta/user/* / _meta/invite-audit-* envelopes unchanged). Existing pre.8 vaults work unchanged.

Closed issues

#53, #54, #55, #56, #57