npm - latticesql - Versions diffs - 1.13.2 → 1.13.3 - Mend

latticesql 1.13.2 → 1.13.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -2086,6 +2086,10 @@ The convergence means you don't need to duplicate entity-context definitions in
 **Switch vs. migrate (v1.13.2+ wording).** "Connect to existing cloud" _switches_ the project's `db:` line to point at the cloud; the local SQLite file stays on disk and you can switch back by editing the YAML or via the Databases catalog under User Config. Use "Migrate to cloud" only when you want to _push_ the local data into a fresh empty target.
+**Upgrade to team cloud — works against direct Postgres URLs (v1.13.3+).** The "Upgrade to team cloud" action previously HTTP-POSTed to `/api/auth/register` on the cloud URL, which fails with `Request cannot be constructed from a URL that includes credentials` when the cloud URL is a Postgres connection string. v1.13.3 dispatches on URL scheme: `http(s)://` keeps the HTTP path; `postgres(ql)://` calls the new `registerDirectViaPostgres()` helper that drives the same INSERT sequence directly against the cloud Postgres. Same invariants enforced both ways.
+**Dashboard renders every entity (v1.13.3+).** Previously the dashboard cards filtered through a hardcoded entity list (`meetings`, `people`, `messages`, `projects`, `repositories`, `files`). Installs whose YAML declared different names saw a blank dashboard. Now every first-class entity gets a card; the hardcoded list survives as an ordering preference only.
 **Views**
 - **Dashboard** (`#/`) — one card per first-class entity with live row counts.

package/dist/cli.js CHANGED Viewed

@@ -6247,12 +6247,46 @@ var guiAppHtml = `<!doctype html>
     // Dashboard
     // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
     function renderDashboard(content) {
-      var cards = DASHBOARD_ORDER.map(function (name) {
-        var t = tableByName(name);
-        if (!t) return '';
-        var d = displayFor(name);
+      // Show every first-class (non-junction, non-system) entity. The
+      // previous implementation used DASHBOARD_ORDER as the filter \u2014 meaning
+      // installs whose YAML declared tables outside the hardcoded list
+      // (e.g. clients / students / vendors) saw a blank dashboard with no
+      // hint why. DASHBOARD_ORDER is now a preference for ordering only;
+      // tables not in it appear after, in declaration order.
+      var preferenceRank = function (name) {
+        var idx = DASHBOARD_ORDER.indexOf(name);
+        return idx === -1 ? DASHBOARD_ORDER.length : idx;
+      };
+      var firstClass = (state.entities.tables || [])
+        .filter(function (t) {
+          // Junctions belong on the Data Model page, not as dashboard cards.
+          if (isJunction(t)) return false;
+          // System tables (_lattice_gui_*, __lattice_*) are hidden.
+          if (t.name.charAt(0) === '_') return false;
+          return true;
+        })
+        .slice()
+        .sort(function (a, b) {
+          var ra = preferenceRank(a.name);
+          var rb = preferenceRank(b.name);
+          if (ra !== rb) return ra - rb;
+          // Same preference rank \u2014 keep declaration order from the API.
+          return 0;
+        });
+      if (firstClass.length === 0) {
+        content.innerHTML =
+          '<div class="placeholder">' +
+            '<h2>No entities yet</h2>' +
+            '<p>Define entities in your <code>lattice.config.yml</code> or register them via <code>db.define()</code>, then reload.</p>' +
+          '</div>';
+        return;
+      }
+      var cards = firstClass.map(function (t) {
+        var d = displayFor(t.name);
         var count = (t.rowCount != null) ? t.rowCount : 0;
-        return '<a class="card" href="#/objects/' + name + '">' +
+        return '<a class="card" href="#/objects/' + t.name + '">' +
           '<div class="card-icon">' + d.icon + '</div>' +
           '<div class="card-label">' + escapeHtml(d.label) + '</div>' +
           '<div class="card-count">' + count + '</div>' +
@@ -8035,6 +8069,81 @@ var guiAppHtml = `<!doctype html>
       };
     }
+    // Detect common Supabase pooler URL mistakes the form gives no hint
+    // about. Returns an array of human-readable hints, or [] when the
+    // form looks plausible. Conservative \u2014 only flags clear patterns.
+    function detectSupabasePoolerMistakes(body) {
+      var hints = [];
+      var host = (body.host || '').toLowerCase();
+      if (host.indexOf('pooler.supabase') !== -1) {
+        // Pooler requires the tenant-prefixed user form postgres.<ref>.
+        if (body.user && body.user.indexOf('.') === -1) {
+          hints.push(
+            'Supabase pooler hosts require a tenant-prefixed user like ' +
+            '<code>postgres.&lt;project-ref&gt;</code>. You entered <code>' +
+            escapeHtml(body.user) + '</code> \u2014 Supabase will reject SCRAM ' +
+            'auth with a misleading "password authentication failed" error.'
+          );
+        }
+        // Session-mode is on 5432; transaction-mode on 6543. latticesql
+        // wants session-mode (transactions span multiple statements).
+        if (Number(body.port) === 6543) {
+          hints.push(
+            'Supabase pooler port <code>6543</code> is transaction mode. ' +
+            'Lattice needs session mode \u2014 use port <code>5432</code> on ' +
+            'the same pooler host.'
+          );
+        }
+      } else if (host.indexOf('.supabase.co') !== -1 && host.indexOf('pooler') === -1) {
+        // Direct host form uses bare postgres user, not the tenant-
+        // prefixed pooler form. Easy to mix up.
+        if (body.user && body.user.indexOf('.') !== -1) {
+          hints.push(
+            'The direct host <code>db.&lt;project-ref&gt;.supabase.co</code> ' +
+            'uses a bare <code>postgres</code> user (no tenant prefix). ' +
+            'You entered <code>' + escapeHtml(body.user) + '</code> \u2014 ' +
+            'Supabase will reject SCRAM auth with "password authentication ' +
+            'failed".'
+          );
+        }
+      }
+      return hints;
+    }
+    // Probe the cloud and validate Supabase form patterns. Resolves to
+    // the probe result on success; rejects with a human-readable error
+    // when the form has obvious mistakes or the probe is unreachable.
+    // Shared by Migrate + Connect so the credential is never saved
+    // without first proving the form values can actually connect.
+    function probeBeforeCredentialSave(body, msgEl) {
+      var hints = detectSupabasePoolerMistakes(body);
+      if (hints.length > 0) {
+        // Block submit until the form is fixed. Show the hints inline.
+        msgEl.innerHTML =
+          '<strong style="color:var(--warn)">Connection looks wrong:</strong>' +
+          '<ul style="margin:6px 0 0 18px;padding:0;color:var(--warn)">' +
+          hints.map(function (h) { return '<li>' + h + '</li>'; }).join('') +
+          '</ul>';
+        return Promise.reject(new Error('Fix the issues above and try again.'));
+      }
+      msgEl.textContent = 'Testing connection\u2026';
+      return fetch('/api/dbconfig/probe', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(body),
+      })
+        .then(function (r) { return r.json(); })
+        .then(function (probe) {
+          if (!probe.reachable) {
+            throw new Error(
+              'Cloud unreachable: ' + (probe.error || 'unknown error') +
+              '. Double-check host, port, user, and password.'
+            );
+          }
+          return probe;
+        });
+    }
     function showMigrateToCloudModal(onClose) {
       var bodyHtml =
         '<p style="margin:0 0 12px;font-size:13px;color:var(--text-muted)">' +
@@ -8050,15 +8159,30 @@ var guiAppHtml = `<!doctype html>
         onSubmit: function () {
           var body = readPostgresWizardForm();
           var msg = document.getElementById('w-msg');
-          msg.textContent = 'Migrating\u2026 (this may take a moment for large DBs)';
-          return fetch('/api/dbconfig/migrate-to-cloud', {
-            method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify(body),
-          })
-            .then(function (r) { return r.json().then(function (d) { return { status: r.status, body: d }; }); })
-            .then(function (r) {
-              if (!r.body.ok) throw new Error(r.body.error || ('HTTP ' + r.status));
-              if (onClose) onClose();
-            });
+          // Validate Supabase URL pattern + probe the cloud before
+          // persisting a credential that would just blow up on the next
+          // open. Saves users from the "Migrate succeeded, switch back
+          // later fails" trap that strikes when the saved credential
+          // has a wrong host/port/user.
+          return probeBeforeCredentialSave(body, msg).then(function (probe) {
+            if (probe.teamEnabled) {
+              throw new Error(
+                'Target is already a teams DB' +
+                (probe.teamName ? ' (' + probe.teamName + ')' : '') +
+                '. Migrate-to-cloud only works against fresh empty targets \u2014 ' +
+                'use Connect to existing cloud instead.'
+              );
+            }
+            msg.textContent = 'Migrating\u2026 (this may take a moment for large DBs)';
+            return fetch('/api/dbconfig/migrate-to-cloud', {
+              method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify(body),
+            })
+              .then(function (r) { return r.json().then(function (d) { return { status: r.status, body: d }; }); })
+              .then(function (r) {
+                if (!r.body.ok) throw new Error(r.body.error || ('HTTP ' + r.status));
+                if (onClose) onClose();
+              });
+          });
         },
       });
     }
@@ -8084,14 +8208,12 @@ var guiAppHtml = `<!doctype html>
         onSubmit: function () {
           var body = readPostgresWizardForm();
           var msg = document.getElementById('w-msg');
-          msg.textContent = 'Probing\u2026';
-          // First probe; if team, require token before the actual connect.
-          return fetch('/api/dbconfig/probe', {
-            method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify(body),
-          })
-            .then(function (r) { return r.json(); })
+          // probeBeforeCredentialSave validates Supabase form patterns
+          // before sending the probe; surfaces inline warnings (with
+          // hints) when the user clearly has e.g. the wrong port or
+          // missing tenant prefix in the pooler user.
+          return probeBeforeCredentialSave(body, msg)
             .then(function (probe) {
-              if (!probe.reachable) throw new Error('Unreachable: ' + (probe.error || 'unknown'));
               if (probe.teamEnabled && !teamZoneShown) {
                 var zone = document.getElementById('w-team-zone');
                 zone.innerHTML =
@@ -9787,6 +9909,86 @@ async function probeCloud(targetUrl) {
   }
 }
+// src/teams/register-direct.ts
+function isPostgresUrl(url) {
+  return /^postgres(ql)?:\/\//i.test(url);
+}
+async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
+  if (!isPostgresUrl(cloudUrl)) {
+    throw new Error(
+      `registerDirectViaPostgres: cloudUrl must be a postgres:// URL (got ${cloudUrl.slice(0, 12)}\u2026)`
+    );
+  }
+  const db = new Lattice(cloudUrl);
+  try {
+    await db.init();
+    for (const [table, def] of Object.entries(CLOUD_INTERNAL_TABLE_DEFS)) {
+      await db.defineLate(table, def);
+    }
+    const existing = await db.query("__lattice_users", {
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    if (existing.length > 0) {
+      throw new Error(
+        "Registration is disabled. This cloud already has users \u2014 join via invitation."
+      );
+    }
+    let identity = null;
+    try {
+      identity = await db.get("__lattice_team_identity", "singleton");
+    } catch {
+      identity = null;
+    }
+    if (identity) {
+      throw new Error("This cloud already has a team. Use Connect to existing cloud instead.");
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const userId = await db.insert("__lattice_users", {
+      email,
+      name,
+      created_at: now,
+      updated_at: now
+    });
+    const { raw, hash } = generateToken();
+    await db.insert("__lattice_api_tokens", {
+      user_id: userId,
+      token_hash: hash,
+      name: `creator:${teamName}`,
+      created_at: now
+    });
+    const teamId = await db.insert("__lattice_team", {
+      name: teamName,
+      created_by_user_id: userId,
+      created_at: now,
+      updated_at: now
+    });
+    await db.insert("__lattice_team_members", {
+      team_id: teamId,
+      user_id: userId,
+      role: "creator",
+      joined_at: now
+    });
+    await db.insert("__lattice_team_identity", {
+      id: "singleton",
+      team_id: teamId,
+      team_name: teamName,
+      creator_email: email,
+      created_at: now
+    });
+    return {
+      user: { id: userId, email, name },
+      raw_token: raw,
+      team: { id: teamId, name: teamName, role: "creator" }
+    };
+  } finally {
+    try {
+      db.close();
+    } catch {
+    }
+  }
+}
 // src/teams/client.ts
 var TeamsClient = class {
   constructor(local) {
@@ -9882,15 +10084,22 @@ var TeamsClient = class {
     return { probe };
   }
   /**
-   * Upgrade an already-connected cloud DB to a team DB. Runs the
-   * atomic `POST /api/auth/register` flow against the cloud URL
-   * stored under `label`. Writes the resulting bearer to
-   * `~/.lattice/keys/<label>.token`. Caller is expected to call
-   * `saveConnection` if they also want the local
-   * `__lattice_team_connections` row populated.
+   * Upgrade an already-connected cloud DB to a team DB. Two paths
+   * depending on the cloud URL's scheme:
+   *
+   *   - `http(s)://…` — POST to the cloud's `/api/auth/register` endpoint
+   *     (`lattice serve --team-cloud` is fronting the Postgres).
+   *   - `postgres(ql)://…` — drive the same INSERT sequence directly
+   *     against the cloud Postgres via {@link registerDirectViaPostgres}.
+   *     The HTTP path can't be used here because the browser's Fetch
+   *     API refuses URLs with embedded credentials.
+   *
+   * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
+   * Caller is expected to call `saveConnection` if they also want the
+   * local `__lattice_team_connections` row populated.
    */
   async upgradeToTeamCloud(opts) {
-    const reg = await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
+    const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
     return reg;
   }
@@ -11649,8 +11858,16 @@ async function openConfig(configPath, outputDir) {
   db.define("__lattice_user_identity", {
     columns: {
       id: "TEXT PRIMARY KEY",
-      display_name: 'TEXT NOT NULL DEFAULT ""',
-      email: 'TEXT NOT NULL DEFAULT ""',
+      // Single-quoted empty-string defaults below — not double-quoted!
+      // SQLite leniently accepts `DEFAULT ""` as an empty string literal,
+      // but PostgreSQL treats `""` as a zero-length delimited identifier
+      // (i.e. an empty column name), which throws `zero-length delimited
+      // identifier at or near """""` from the parser before any rows are
+      // inserted. This is the standard-conformant behavior — single
+      // quotes are for string literals; double quotes are for
+      // identifiers. Use `''` so the CREATE TABLE works on both engines.
+      display_name: "TEXT NOT NULL DEFAULT ''",
+      email: "TEXT NOT NULL DEFAULT ''",
       updated_at: "TEXT NOT NULL DEFAULT (datetime('now'))"
     },
     primaryKey: "id",
@@ -12126,7 +12343,20 @@ async function startGuiServer(options) {
             sendJson5(res, { error: `Config not found: ${newPath}` }, 400);
             return;
           }
-          const next = await openConfig(newPath, active.outputDir);
+          let next;
+          try {
+            next = await openConfig(newPath, active.outputDir);
+          } catch (e) {
+            const err = e;
+            console.error(`[dbconfig.switch] openConfig(${newPath}) failed:`, err);
+            const codePrefix = err.code ? `[${err.code}] ` : "";
+            sendJson5(
+              res,
+              { error: `Failed to switch to ${newPath}: ${codePrefix}${err.message}` },
+              500
+            );
+            return;
+          }
           active.db.close();
           active = next;
           sendJson5(res, { ok: true, path: active.configPath });

package/dist/index.cjs CHANGED Viewed

@@ -64,6 +64,7 @@ __export(index_exports, {
   getOrCreateMasterKey: () => getOrCreateMasterKey,
   hashFile: () => hashFile,
   isEncrypted: () => isEncrypted,
+  isPostgresUrl: () => isPostgresUrl,
   isV1EntityFiles: () => isV1EntityFiles,
   listDbCredentials: () => listDbCredentials,
   listTokens: () => listTokens,
@@ -81,6 +82,7 @@ __export(index_exports, {
   readIdentity: () => readIdentity,
   readManifest: () => readManifest,
   readToken: () => readToken,
+  registerDirectViaPostgres: () => registerDirectViaPostgres,
   registerNativeEntities: () => registerNativeEntities,
   saveDbCredential: () => saveDbCredential,
   slugify: () => slugify,
@@ -5568,9 +5570,142 @@ async function attachBlob(srcPath, latticeRoot) {
 }
 // src/teams/client.ts
-var import_node_crypto8 = require("crypto");
+var import_node_crypto9 = require("crypto");
 // src/teams/internal-tables.ts
+var CLOUD_INTERNAL_TABLE_DEFS = {
+  __lattice_users: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      email: "TEXT NOT NULL",
+      name: "TEXT",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL",
+      deleted_at: "TEXT"
+    },
+    // Uniqueness enforced at the route layer (we soft-delete by setting
+    // deleted_at, so a column-level UNIQUE blocks re-registration after
+    // a delete). The register/redeem handlers check for an existing
+    // non-deleted user with the same email before insert.
+    render: () => "",
+    outputFile: ".lattice-teams/users.md"
+  },
+  __lattice_api_tokens: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      user_id: "TEXT NOT NULL",
+      token_hash: "TEXT NOT NULL UNIQUE",
+      name: "TEXT",
+      created_at: "TEXT NOT NULL",
+      last_used_at: "TEXT",
+      revoked_at: "TEXT"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/tokens.md"
+  },
+  __lattice_team: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      name: "TEXT NOT NULL",
+      created_by_user_id: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL",
+      deleted_at: "TEXT"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/teams.md"
+  },
+  // Singleton mirror of __lattice_team — populated by `createTeam` when
+  // the first (and only) team is established on this cloud. One row per
+  // DB, id='singleton'. Lets GET /api/team / DELETE /api/team / POST
+  // /api/team/invitations resolve the active team without scanning.
+  // The multi-team `__lattice_team` table remains the source of truth
+  // for the row/object/changes routes until Step 8 deprecates them.
+  __lattice_team_identity: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      team_id: "TEXT NOT NULL",
+      team_name: "TEXT NOT NULL",
+      creator_email: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL"
+    },
+    primaryKey: "id",
+    render: () => "",
+    outputFile: ".lattice-teams/team-identity.md"
+  },
+  __lattice_team_members: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      user_id: "TEXT NOT NULL",
+      role: "TEXT NOT NULL CHECK (role IN ('creator', 'member'))",
+      joined_at: "TEXT NOT NULL"
+    },
+    primaryKey: ["team_id", "user_id"],
+    render: () => "",
+    outputFile: ".lattice-teams/members.md"
+  },
+  __lattice_invitations: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      team_id: "TEXT NOT NULL",
+      token_hash: "TEXT NOT NULL UNIQUE",
+      // Email the invitation is addressed to — redeem requires the
+      // caller's identity email to match. Email-binding makes invite
+      // codes safe to share over a channel that's not strongly
+      // authenticated; the recipient still has to be the recipient.
+      invitee_email: "TEXT NOT NULL",
+      invited_by_user_id: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL",
+      expires_at: "TEXT",
+      redeemed_at: "TEXT",
+      redeemed_by_user_id: "TEXT"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/invitations.md"
+  },
+  __lattice_shared_objects: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT NOT NULL",
+      schema_spec_json: "TEXT NOT NULL",
+      schema_version: "INTEGER NOT NULL",
+      created_by_user_id: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL",
+      deleted_at: "TEXT"
+    },
+    primaryKey: ["team_id", "table_name"],
+    render: () => "",
+    outputFile: ".lattice-teams/shared-objects.md"
+  },
+  __lattice_change_log: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      seq: "INTEGER NOT NULL",
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT",
+      pk: "TEXT",
+      op: "TEXT NOT NULL",
+      payload_json: "TEXT",
+      owner_user_id: "TEXT",
+      created_at: "TEXT NOT NULL"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/change-log.md"
+  },
+  __lattice_row_links: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT NOT NULL",
+      pk: "TEXT NOT NULL",
+      owner_user_id: "TEXT NOT NULL",
+      linked_at: "TEXT NOT NULL"
+    },
+    primaryKey: ["team_id", "table_name", "pk"],
+    render: () => "",
+    outputFile: ".lattice-teams/row-links.md"
+  }
+};
 var LOCAL_INTERNAL_TABLE_DEFS = {
   __lattice_team_connections: {
     columns: {
@@ -5753,6 +5888,98 @@ async function probeCloud(targetUrl) {
   }
 }
+// src/teams/server/auth.ts
+var import_node_crypto8 = require("crypto");
+var TOKEN_PREFIX = "lat_";
+var TOKEN_BYTES = 32;
+function hashToken(rawToken) {
+  return (0, import_node_crypto8.createHash)("sha256").update(rawToken).digest("hex");
+}
+function generateToken() {
+  const raw = `${TOKEN_PREFIX}${(0, import_node_crypto8.randomBytes)(TOKEN_BYTES).toString("hex")}`;
+  return { raw, hash: hashToken(raw) };
+}
+// src/teams/register-direct.ts
+function isPostgresUrl(url) {
+  return /^postgres(ql)?:\/\//i.test(url);
+}
+async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
+  if (!isPostgresUrl(cloudUrl)) {
+    throw new Error(
+      `registerDirectViaPostgres: cloudUrl must be a postgres:// URL (got ${cloudUrl.slice(0, 12)}\u2026)`
+    );
+  }
+  const db = new Lattice(cloudUrl);
+  try {
+    await db.init();
+    for (const [table, def] of Object.entries(CLOUD_INTERNAL_TABLE_DEFS)) {
+      await db.defineLate(table, def);
+    }
+    const existing = await db.query("__lattice_users", {
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    if (existing.length > 0) {
+      throw new Error(
+        "Registration is disabled. This cloud already has users \u2014 join via invitation."
+      );
+    }
+    let identity = null;
+    try {
+      identity = await db.get("__lattice_team_identity", "singleton");
+    } catch {
+      identity = null;
+    }
+    if (identity) {
+      throw new Error("This cloud already has a team. Use Connect to existing cloud instead.");
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const userId = await db.insert("__lattice_users", {
+      email,
+      name,
+      created_at: now,
+      updated_at: now
+    });
+    const { raw, hash } = generateToken();
+    await db.insert("__lattice_api_tokens", {
+      user_id: userId,
+      token_hash: hash,
+      name: `creator:${teamName}`,
+      created_at: now
+    });
+    const teamId = await db.insert("__lattice_team", {
+      name: teamName,
+      created_by_user_id: userId,
+      created_at: now,
+      updated_at: now
+    });
+    await db.insert("__lattice_team_members", {
+      team_id: teamId,
+      user_id: userId,
+      role: "creator",
+      joined_at: now
+    });
+    await db.insert("__lattice_team_identity", {
+      id: "singleton",
+      team_id: teamId,
+      team_name: teamName,
+      creator_email: email,
+      created_at: now
+    });
+    return {
+      user: { id: userId, email, name },
+      raw_token: raw,
+      team: { id: teamId, name: teamName, role: "creator" }
+    };
+  } finally {
+    try {
+      db.close();
+    } catch {
+    }
+  }
+}
 // src/teams/client.ts
 var TeamsClient = class {
   constructor(local) {
@@ -5848,15 +6075,22 @@ var TeamsClient = class {
     return { probe };
   }
   /**
-   * Upgrade an already-connected cloud DB to a team DB. Runs the
-   * atomic `POST /api/auth/register` flow against the cloud URL
-   * stored under `label`. Writes the resulting bearer to
-   * `~/.lattice/keys/<label>.token`. Caller is expected to call
-   * `saveConnection` if they also want the local
-   * `__lattice_team_connections` row populated.
+   * Upgrade an already-connected cloud DB to a team DB. Two paths
+   * depending on the cloud URL's scheme:
+   *
+   *   - `http(s)://…` — POST to the cloud's `/api/auth/register` endpoint
+   *     (`lattice serve --team-cloud` is fronting the Postgres).
+   *   - `postgres(ql)://…` — drive the same INSERT sequence directly
+   *     against the cloud Postgres via {@link registerDirectViaPostgres}.
+   *     The HTTP path can't be used here because the browser's Fetch
+   *     API refuses URLs with embedded credentials.
+   *
+   * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
+   * Caller is expected to call `saveConnection` if they also want the
+   * local `__lattice_team_connections` row populated.
    */
   async upgradeToTeamCloud(opts) {
-    const reg = await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
+    const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
     return reg;
   }
@@ -6161,7 +6395,7 @@ var TeamsClient = class {
       if (conn.my_user_id !== link.owner_user_id) continue;
       const now = (/* @__PURE__ */ new Date()).toISOString();
       await this.local.insert("__lattice_team_outbox", {
-        id: (0, import_node_crypto8.randomUUID)(),
+        id: (0, import_node_crypto9.randomUUID)(),
         team_id: link.team_id,
         table_name: ctx.table,
         pk: ctx.pk,
@@ -6270,7 +6504,7 @@ var TeamsClient = class {
             totalApplied++;
           } catch (e) {
             await this.local.insert("__lattice_team_dlq", {
-              id: (0, import_node_crypto8.randomUUID)(),
+              id: (0, import_node_crypto9.randomUUID)(),
               team_id: connection.team_id,
               envelope_json: JSON.stringify(env),
               error: e.message,
@@ -6524,6 +6758,7 @@ function archiveLocalSqlite(dbPath) {
   getOrCreateMasterKey,
   hashFile,
   isEncrypted,
+  isPostgresUrl,
   isV1EntityFiles,
   listDbCredentials,
   listTokens,
@@ -6541,6 +6776,7 @@ function archiveLocalSqlite(dbPath) {
   readIdentity,
   readManifest,
   readToken,
+  registerDirectViaPostgres,
   registerNativeEntities,
   saveDbCredential,
   slugify,

package/dist/index.d.cts CHANGED Viewed

@@ -3017,12 +3017,19 @@ declare class TeamsClient {
         };
     }>;
     /**
-     * Upgrade an already-connected cloud DB to a team DB. Runs the
-     * atomic `POST /api/auth/register` flow against the cloud URL
-     * stored under `label`. Writes the resulting bearer to
-     * `~/.lattice/keys/<label>.token`. Caller is expected to call
-     * `saveConnection` if they also want the local
-     * `__lattice_team_connections` row populated.
+     * Upgrade an already-connected cloud DB to a team DB. Two paths
+     * depending on the cloud URL's scheme:
+     *
+     *   - `http(s)://…` — POST to the cloud's `/api/auth/register` endpoint
+     *     (`lattice serve --team-cloud` is fronting the Postgres).
+     *   - `postgres(ql)://…` — drive the same INSERT sequence directly
+     *     against the cloud Postgres via {@link registerDirectViaPostgres}.
+     *     The HTTP path can't be used here because the browser's Fetch
+     *     API refuses URLs with embedded credentials.
+     *
+     * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
+     * Caller is expected to call `saveConnection` if they also want the
+     * local `__lattice_team_connections` row populated.
      */
     upgradeToTeamCloud(opts: {
         label: string;
@@ -3263,4 +3270,54 @@ declare function openTargetLatticeForMigration(configPath: string, targetUrl: st
  */
 declare function archiveLocalSqlite(dbPath: string): string;
-export { type ApplyWriteResult, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, type ChangeEntry, type ChangelogOptions, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type EmbeddingsConfig, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type Filter, type FilterOp, type HasManyRelation, type HasManySource, InMemoryStateStore, type InitOptions, type InviteResponse, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type ManyToManySource, type MarkdownTableColumn, type MemberSummary, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, type OrderBySpec, type ParseError, type ParseResult, type ParsedConfig, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, type QueryOptions, READ_ONLY_HEADER, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RedeemResponse, type RegisterResponse, type Relation, type RenderHooks, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, SQLiteAdapter, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceQueryOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TeamConnection, type TeamSummary, TeamsClient, TeamsHttpError, type TemplateRenderSpec, type UpsertByNaturalKeyOptions, type UserIdentity, type WatchOptions, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, attachBlob, autoUpdate, configDir, contentHash, createReadOnlyHeader, createSQLiteStateStore, decrypt, deleteDbCredential, deleteToken, deriveKey, encrypt, entityFileNames, estimateTokens, fixSchemaConflicts, frontmatter, generateEntryId, generateWriteEntryId, getDbCredential, getOrCreateMasterKey, hashFile, isEncrypted, isV1EntityFiles, listDbCredentials, listTokens, manifestPath, markdownTable, migrateLatticeData, normalizeEntityFiles, openTargetLatticeForMigration, parseConfigFile, parseConfigString, parseMarkdownEntries, parseSessionMD, parseSessionWrites, probeCloud, readIdentity, readManifest, readToken, registerNativeEntities, saveDbCredential, slugify, truncate, validateEntryId, writeIdentity, writeManifest, writeToken };
+/**
+ * Shape returned by both the HTTP register path and the Postgres-direct
+ * register path. Kept aligned with `RegisterResponse` in
+ * `src/teams/client.ts`.
+ */
+interface DirectRegisterResult {
+    user: {
+        id: string;
+        email: string;
+        name: string;
+    };
+    raw_token: string;
+    team: {
+        id: string;
+        name: string;
+        role: 'creator';
+    };
+}
+/**
+ * True iff `url` parses as a `postgres://` / `postgresql://` URL — used
+ * by the GUI's upgrade flow to decide between HTTP `register` and the
+ * direct-Postgres path implemented here.
+ */
+declare function isPostgresUrl(url: string): boolean;
+/**
+ * Direct-Postgres equivalent of the cloud's `POST /api/auth/register`.
+ *
+ * The HTTP teams-cloud server (`lattice serve --team-cloud`) handles
+ * `register` by running an INSERT sequence inside its own request
+ * handler. This helper does the same sequence locally by opening the
+ * cloud Postgres directly — useful when the GUI's "Migrate to cloud"
+ * or "Connect to existing cloud" flow has saved the **Postgres URL**
+ * as the cloud credential (no HTTP teams server in front).
+ *
+ * Hard browser limitation that motivates this: when `cloudUrl` is a
+ * Postgres URL with embedded credentials, the HTTP path's `fetch(url)`
+ * throws "Request cannot be constructed from a URL that includes
+ * credentials" before any network IO happens. We have to drive the
+ * register flow against the database protocol, not HTTP.
+ *
+ * Mirrors `handleRegister`'s invariants:
+ *   - Refuses if any non-deleted user already exists on the cloud.
+ *   - Refuses if the `__lattice_team_identity` singleton already exists.
+ *
+ * On success returns the same shape the HTTP route returns so the
+ * caller (`TeamsClient.upgradeToTeamCloud`) can use either path
+ * interchangeably.
+ */
+declare function registerDirectViaPostgres(cloudUrl: string, email: string, name: string, teamName: string): Promise<DirectRegisterResult>;
+export { type ApplyWriteResult, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, type ChangeEntry, type ChangelogOptions, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DirectRegisterResult, type EmbeddingsConfig, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type Filter, type FilterOp, type HasManyRelation, type HasManySource, InMemoryStateStore, type InitOptions, type InviteResponse, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type ManyToManySource, type MarkdownTableColumn, type MemberSummary, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, type OrderBySpec, type ParseError, type ParseResult, type ParsedConfig, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, type QueryOptions, READ_ONLY_HEADER, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RedeemResponse, type RegisterResponse, type Relation, type RenderHooks, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, SQLiteAdapter, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceQueryOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TeamConnection, type TeamSummary, TeamsClient, TeamsHttpError, type TemplateRenderSpec, type UpsertByNaturalKeyOptions, type UserIdentity, type WatchOptions, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, attachBlob, autoUpdate, configDir, contentHash, createReadOnlyHeader, createSQLiteStateStore, decrypt, deleteDbCredential, deleteToken, deriveKey, encrypt, entityFileNames, estimateTokens, fixSchemaConflicts, frontmatter, generateEntryId, generateWriteEntryId, getDbCredential, getOrCreateMasterKey, hashFile, isEncrypted, isPostgresUrl, isV1EntityFiles, listDbCredentials, listTokens, manifestPath, markdownTable, migrateLatticeData, normalizeEntityFiles, openTargetLatticeForMigration, parseConfigFile, parseConfigString, parseMarkdownEntries, parseSessionMD, parseSessionWrites, probeCloud, readIdentity, readManifest, readToken, registerDirectViaPostgres, registerNativeEntities, saveDbCredential, slugify, truncate, validateEntryId, writeIdentity, writeManifest, writeToken };

package/dist/index.d.ts CHANGED Viewed

@@ -3017,12 +3017,19 @@ declare class TeamsClient {
         };
     }>;
     /**
-     * Upgrade an already-connected cloud DB to a team DB. Runs the
-     * atomic `POST /api/auth/register` flow against the cloud URL
-     * stored under `label`. Writes the resulting bearer to
-     * `~/.lattice/keys/<label>.token`. Caller is expected to call
-     * `saveConnection` if they also want the local
-     * `__lattice_team_connections` row populated.
+     * Upgrade an already-connected cloud DB to a team DB. Two paths
+     * depending on the cloud URL's scheme:
+     *
+     *   - `http(s)://…` — POST to the cloud's `/api/auth/register` endpoint
+     *     (`lattice serve --team-cloud` is fronting the Postgres).
+     *   - `postgres(ql)://…` — drive the same INSERT sequence directly
+     *     against the cloud Postgres via {@link registerDirectViaPostgres}.
+     *     The HTTP path can't be used here because the browser's Fetch
+     *     API refuses URLs with embedded credentials.
+     *
+     * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
+     * Caller is expected to call `saveConnection` if they also want the
+     * local `__lattice_team_connections` row populated.
      */
     upgradeToTeamCloud(opts: {
         label: string;
@@ -3263,4 +3270,54 @@ declare function openTargetLatticeForMigration(configPath: string, targetUrl: st
  */
 declare function archiveLocalSqlite(dbPath: string): string;
-export { type ApplyWriteResult, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, type ChangeEntry, type ChangelogOptions, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type EmbeddingsConfig, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type Filter, type FilterOp, type HasManyRelation, type HasManySource, InMemoryStateStore, type InitOptions, type InviteResponse, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type ManyToManySource, type MarkdownTableColumn, type MemberSummary, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, type OrderBySpec, type ParseError, type ParseResult, type ParsedConfig, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, type QueryOptions, READ_ONLY_HEADER, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RedeemResponse, type RegisterResponse, type Relation, type RenderHooks, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, SQLiteAdapter, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceQueryOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TeamConnection, type TeamSummary, TeamsClient, TeamsHttpError, type TemplateRenderSpec, type UpsertByNaturalKeyOptions, type UserIdentity, type WatchOptions, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, attachBlob, autoUpdate, configDir, contentHash, createReadOnlyHeader, createSQLiteStateStore, decrypt, deleteDbCredential, deleteToken, deriveKey, encrypt, entityFileNames, estimateTokens, fixSchemaConflicts, frontmatter, generateEntryId, generateWriteEntryId, getDbCredential, getOrCreateMasterKey, hashFile, isEncrypted, isV1EntityFiles, listDbCredentials, listTokens, manifestPath, markdownTable, migrateLatticeData, normalizeEntityFiles, openTargetLatticeForMigration, parseConfigFile, parseConfigString, parseMarkdownEntries, parseSessionMD, parseSessionWrites, probeCloud, readIdentity, readManifest, readToken, registerNativeEntities, saveDbCredential, slugify, truncate, validateEntryId, writeIdentity, writeManifest, writeToken };
+/**
+ * Shape returned by both the HTTP register path and the Postgres-direct
+ * register path. Kept aligned with `RegisterResponse` in
+ * `src/teams/client.ts`.
+ */
+interface DirectRegisterResult {
+    user: {
+        id: string;
+        email: string;
+        name: string;
+    };
+    raw_token: string;
+    team: {
+        id: string;
+        name: string;
+        role: 'creator';
+    };
+}
+/**
+ * True iff `url` parses as a `postgres://` / `postgresql://` URL — used
+ * by the GUI's upgrade flow to decide between HTTP `register` and the
+ * direct-Postgres path implemented here.
+ */
+declare function isPostgresUrl(url: string): boolean;
+/**
+ * Direct-Postgres equivalent of the cloud's `POST /api/auth/register`.
+ *
+ * The HTTP teams-cloud server (`lattice serve --team-cloud`) handles
+ * `register` by running an INSERT sequence inside its own request
+ * handler. This helper does the same sequence locally by opening the
+ * cloud Postgres directly — useful when the GUI's "Migrate to cloud"
+ * or "Connect to existing cloud" flow has saved the **Postgres URL**
+ * as the cloud credential (no HTTP teams server in front).
+ *
+ * Hard browser limitation that motivates this: when `cloudUrl` is a
+ * Postgres URL with embedded credentials, the HTTP path's `fetch(url)`
+ * throws "Request cannot be constructed from a URL that includes
+ * credentials" before any network IO happens. We have to drive the
+ * register flow against the database protocol, not HTTP.
+ *
+ * Mirrors `handleRegister`'s invariants:
+ *   - Refuses if any non-deleted user already exists on the cloud.
+ *   - Refuses if the `__lattice_team_identity` singleton already exists.
+ *
+ * On success returns the same shape the HTTP route returns so the
+ * caller (`TeamsClient.upgradeToTeamCloud`) can use either path
+ * interchangeably.
+ */
+declare function registerDirectViaPostgres(cloudUrl: string, email: string, name: string, teamName: string): Promise<DirectRegisterResult>;
+export { type ApplyWriteResult, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, type ChangeEntry, type ChangelogOptions, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DirectRegisterResult, type EmbeddingsConfig, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type Filter, type FilterOp, type HasManyRelation, type HasManySource, InMemoryStateStore, type InitOptions, type InviteResponse, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type ManyToManySource, type MarkdownTableColumn, type MemberSummary, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, type OrderBySpec, type ParseError, type ParseResult, type ParsedConfig, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, type QueryOptions, READ_ONLY_HEADER, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RedeemResponse, type RegisterResponse, type Relation, type RenderHooks, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, SQLiteAdapter, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceQueryOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TeamConnection, type TeamSummary, TeamsClient, TeamsHttpError, type TemplateRenderSpec, type UpsertByNaturalKeyOptions, type UserIdentity, type WatchOptions, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, attachBlob, autoUpdate, configDir, contentHash, createReadOnlyHeader, createSQLiteStateStore, decrypt, deleteDbCredential, deleteToken, deriveKey, encrypt, entityFileNames, estimateTokens, fixSchemaConflicts, frontmatter, generateEntryId, generateWriteEntryId, getDbCredential, getOrCreateMasterKey, hashFile, isEncrypted, isPostgresUrl, isV1EntityFiles, listDbCredentials, listTokens, manifestPath, markdownTable, migrateLatticeData, normalizeEntityFiles, openTargetLatticeForMigration, parseConfigFile, parseConfigString, parseMarkdownEntries, parseSessionMD, parseSessionWrites, probeCloud, readIdentity, readManifest, readToken, registerDirectViaPostgres, registerNativeEntities, saveDbCredential, slugify, truncate, validateEntryId, writeIdentity, writeManifest, writeToken };

package/dist/index.js CHANGED Viewed

@@ -5499,6 +5499,139 @@ async function attachBlob(srcPath, latticeRoot) {
 import { randomUUID } from "crypto";
 // src/teams/internal-tables.ts
+var CLOUD_INTERNAL_TABLE_DEFS = {
+  __lattice_users: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      email: "TEXT NOT NULL",
+      name: "TEXT",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL",
+      deleted_at: "TEXT"
+    },
+    // Uniqueness enforced at the route layer (we soft-delete by setting
+    // deleted_at, so a column-level UNIQUE blocks re-registration after
+    // a delete). The register/redeem handlers check for an existing
+    // non-deleted user with the same email before insert.
+    render: () => "",
+    outputFile: ".lattice-teams/users.md"
+  },
+  __lattice_api_tokens: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      user_id: "TEXT NOT NULL",
+      token_hash: "TEXT NOT NULL UNIQUE",
+      name: "TEXT",
+      created_at: "TEXT NOT NULL",
+      last_used_at: "TEXT",
+      revoked_at: "TEXT"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/tokens.md"
+  },
+  __lattice_team: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      name: "TEXT NOT NULL",
+      created_by_user_id: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL",
+      deleted_at: "TEXT"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/teams.md"
+  },
+  // Singleton mirror of __lattice_team — populated by `createTeam` when
+  // the first (and only) team is established on this cloud. One row per
+  // DB, id='singleton'. Lets GET /api/team / DELETE /api/team / POST
+  // /api/team/invitations resolve the active team without scanning.
+  // The multi-team `__lattice_team` table remains the source of truth
+  // for the row/object/changes routes until Step 8 deprecates them.
+  __lattice_team_identity: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      team_id: "TEXT NOT NULL",
+      team_name: "TEXT NOT NULL",
+      creator_email: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL"
+    },
+    primaryKey: "id",
+    render: () => "",
+    outputFile: ".lattice-teams/team-identity.md"
+  },
+  __lattice_team_members: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      user_id: "TEXT NOT NULL",
+      role: "TEXT NOT NULL CHECK (role IN ('creator', 'member'))",
+      joined_at: "TEXT NOT NULL"
+    },
+    primaryKey: ["team_id", "user_id"],
+    render: () => "",
+    outputFile: ".lattice-teams/members.md"
+  },
+  __lattice_invitations: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      team_id: "TEXT NOT NULL",
+      token_hash: "TEXT NOT NULL UNIQUE",
+      // Email the invitation is addressed to — redeem requires the
+      // caller's identity email to match. Email-binding makes invite
+      // codes safe to share over a channel that's not strongly
+      // authenticated; the recipient still has to be the recipient.
+      invitee_email: "TEXT NOT NULL",
+      invited_by_user_id: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL",
+      expires_at: "TEXT",
+      redeemed_at: "TEXT",
+      redeemed_by_user_id: "TEXT"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/invitations.md"
+  },
+  __lattice_shared_objects: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT NOT NULL",
+      schema_spec_json: "TEXT NOT NULL",
+      schema_version: "INTEGER NOT NULL",
+      created_by_user_id: "TEXT NOT NULL",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL",
+      deleted_at: "TEXT"
+    },
+    primaryKey: ["team_id", "table_name"],
+    render: () => "",
+    outputFile: ".lattice-teams/shared-objects.md"
+  },
+  __lattice_change_log: {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      seq: "INTEGER NOT NULL",
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT",
+      pk: "TEXT",
+      op: "TEXT NOT NULL",
+      payload_json: "TEXT",
+      owner_user_id: "TEXT",
+      created_at: "TEXT NOT NULL"
+    },
+    render: () => "",
+    outputFile: ".lattice-teams/change-log.md"
+  },
+  __lattice_row_links: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT NOT NULL",
+      pk: "TEXT NOT NULL",
+      owner_user_id: "TEXT NOT NULL",
+      linked_at: "TEXT NOT NULL"
+    },
+    primaryKey: ["team_id", "table_name", "pk"],
+    render: () => "",
+    outputFile: ".lattice-teams/row-links.md"
+  }
+};
 var LOCAL_INTERNAL_TABLE_DEFS = {
   __lattice_team_connections: {
     columns: {
@@ -5681,6 +5814,98 @@ async function probeCloud(targetUrl) {
   }
 }
+// src/teams/server/auth.ts
+import { createHash as createHash5, randomBytes as randomBytes4, timingSafeEqual } from "crypto";
+var TOKEN_PREFIX = "lat_";
+var TOKEN_BYTES = 32;
+function hashToken(rawToken) {
+  return createHash5("sha256").update(rawToken).digest("hex");
+}
+function generateToken() {
+  const raw = `${TOKEN_PREFIX}${randomBytes4(TOKEN_BYTES).toString("hex")}`;
+  return { raw, hash: hashToken(raw) };
+}
+// src/teams/register-direct.ts
+function isPostgresUrl(url) {
+  return /^postgres(ql)?:\/\//i.test(url);
+}
+async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
+  if (!isPostgresUrl(cloudUrl)) {
+    throw new Error(
+      `registerDirectViaPostgres: cloudUrl must be a postgres:// URL (got ${cloudUrl.slice(0, 12)}\u2026)`
+    );
+  }
+  const db = new Lattice(cloudUrl);
+  try {
+    await db.init();
+    for (const [table, def] of Object.entries(CLOUD_INTERNAL_TABLE_DEFS)) {
+      await db.defineLate(table, def);
+    }
+    const existing = await db.query("__lattice_users", {
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    if (existing.length > 0) {
+      throw new Error(
+        "Registration is disabled. This cloud already has users \u2014 join via invitation."
+      );
+    }
+    let identity = null;
+    try {
+      identity = await db.get("__lattice_team_identity", "singleton");
+    } catch {
+      identity = null;
+    }
+    if (identity) {
+      throw new Error("This cloud already has a team. Use Connect to existing cloud instead.");
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const userId = await db.insert("__lattice_users", {
+      email,
+      name,
+      created_at: now,
+      updated_at: now
+    });
+    const { raw, hash } = generateToken();
+    await db.insert("__lattice_api_tokens", {
+      user_id: userId,
+      token_hash: hash,
+      name: `creator:${teamName}`,
+      created_at: now
+    });
+    const teamId = await db.insert("__lattice_team", {
+      name: teamName,
+      created_by_user_id: userId,
+      created_at: now,
+      updated_at: now
+    });
+    await db.insert("__lattice_team_members", {
+      team_id: teamId,
+      user_id: userId,
+      role: "creator",
+      joined_at: now
+    });
+    await db.insert("__lattice_team_identity", {
+      id: "singleton",
+      team_id: teamId,
+      team_name: teamName,
+      creator_email: email,
+      created_at: now
+    });
+    return {
+      user: { id: userId, email, name },
+      raw_token: raw,
+      team: { id: teamId, name: teamName, role: "creator" }
+    };
+  } finally {
+    try {
+      db.close();
+    } catch {
+    }
+  }
+}
 // src/teams/client.ts
 var TeamsClient = class {
   constructor(local) {
@@ -5776,15 +6001,22 @@ var TeamsClient = class {
     return { probe };
   }
   /**
-   * Upgrade an already-connected cloud DB to a team DB. Runs the
-   * atomic `POST /api/auth/register` flow against the cloud URL
-   * stored under `label`. Writes the resulting bearer to
-   * `~/.lattice/keys/<label>.token`. Caller is expected to call
-   * `saveConnection` if they also want the local
-   * `__lattice_team_connections` row populated.
+   * Upgrade an already-connected cloud DB to a team DB. Two paths
+   * depending on the cloud URL's scheme:
+   *
+   *   - `http(s)://…` — POST to the cloud's `/api/auth/register` endpoint
+   *     (`lattice serve --team-cloud` is fronting the Postgres).
+   *   - `postgres(ql)://…` — drive the same INSERT sequence directly
+   *     against the cloud Postgres via {@link registerDirectViaPostgres}.
+   *     The HTTP path can't be used here because the browser's Fetch
+   *     API refuses URLs with embedded credentials.
+   *
+   * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
+   * Caller is expected to call `saveConnection` if they also want the
+   * local `__lattice_team_connections` row populated.
    */
   async upgradeToTeamCloud(opts) {
-    const reg = await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
+    const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
     return reg;
   }
@@ -6451,6 +6683,7 @@ export {
   getOrCreateMasterKey,
   hashFile,
   isEncrypted,
+  isPostgresUrl,
   isV1EntityFiles,
   listDbCredentials,
   listTokens,
@@ -6468,6 +6701,7 @@ export {
   readIdentity,
   readManifest,
   readToken,
+  registerDirectViaPostgres,
   registerNativeEntities,
   saveDbCredential,
   slugify,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "1.13.2",
+  "version": "1.13.3",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",