latticesql 1.13.3 → 1.13.4

package/dist/cli.js

@@ -5943,6 +5943,30 @@ var guiAppHtml = `<!doctype html>
         .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
     }
 
+    // Redact the userinfo portion of a connection URL so the password
+    // never reaches the rendered DOM. Used for every place the GUI
+    // displays a cloud_url field (team cards, connection list, etc).
+    // Defensive fallback returns the input as-is when it doesn't parse
+    // as a URL \u2014 better to render a non-credential string verbatim than
+    // to silently swallow the value.
+    function redactUrlCredentials(url) {
+      if (url == null) return '';
+      var s = String(url);
+      try {
+        var u = new URL(s);
+        if (u.password) {
+          // Preserve the username (often useful for identification \u2014
+          // e.g. tenant prefixes like postgres.<ref>) but mask the
+          // password portion. URL.password is the decoded form.
+          u.password = '\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022';
+          return u.toString();
+        }
+        return s;
+      } catch (_) {
+        return s;
+      }
+    }
+
     function truncate(s, n) {
       if (s == null) return '';
       s = String(s);
@@ -7759,7 +7783,7 @@ var guiAppHtml = `<!doctype html>
               '<button class="btn danger-btn" data-act="signout">Sign out</button>' +
             '</h3>' +
             '<div class="team-meta">' +
-              'Cloud: <code>' + escapeHtml(c.cloud_url) + '</code> \xB7 ' +
+              'Cloud: <code>' + escapeHtml(redactUrlCredentials(c.cloud_url)) + '</code> \xB7 ' +
               'User id: <code>' + escapeHtml(c.my_user_id) + '</code> \xB7 ' +
               'Joined ' + escapeHtml(c.joined_at) +
             '</div>' +
@@ -8281,37 +8305,76 @@ var guiAppHtml = `<!doctype html>
     }
 
     function renderTeamCard(card, conn) {
-      // Fetch status + shared + members in parallel; members may 403 for
-      // non-creators (only members can list, but we still try and ignore).
+      // Fetch status + shared + members in parallel. The members fetch
+      // can fail two ways: HTTP 403 for non-creators (only members can
+      // list \u2014 though in practice every active member can), or the
+      // cloud is genuinely unreachable. We track which case we're in so
+      // the role pill says something more useful than "unknown".
       var teamId = conn.team_id;
+      var membersFailed = false;
       Promise.all([
         fetchJson('/api/teams-gui/teams/' + teamId + '/status'),
         fetchJson('/api/teams-gui/teams/' + teamId + '/shared').catch(function () { return { objects: [] }; }),
-        fetchJson('/api/teams-gui/teams/' + teamId + '/members').catch(function () { return { members: [] }; }),
+        fetchJson('/api/teams-gui/teams/' + teamId + '/members').catch(function () {
+          membersFailed = true;
+          return { members: [] };
+        }),
       ]).then(function (results) {
         var status = results[0];
         var shared = results[1].objects;
         var members = results[2].members;
         var myMembership = members.find(function (m) { return m.user_id === conn.my_user_id; });
-        var isCreator = myMembership && myMembership.role === 'creator';
-        var rolePill = '<span class="role-tag' + (isCreator ? '' : ' role-member') + '">' + (myMembership ? myMembership.role : 'unknown') + '</span>';
-
-        var lastSeq = status.last_change_seq == null ? '(never)' : status.last_change_seq;
+        // Resolve the role label with a three-step fallback chain that
+        // distinguishes "we know what the role is" from "we couldn't ask
+        // the cloud" from "the cloud answered but didn't recognize us".
+        // The pre-v1.13.4 implementation collapsed all three into
+        // "unknown" \u2014 confusing when (a) the user just created the
+        // team and IS the creator on the cloud side, or (b) the cloud
+        // briefly hiccupped. Use saveConnection's own data as the
+        // authoritative source when we have it on the local row.
+        var roleLabel;
+        var isCreator;
+        if (myMembership) {
+          roleLabel = myMembership.role;
+          isCreator = myMembership.role === 'creator';
+        } else if (membersFailed) {
+          // Cloud listMembers couldn't be reached. We don't know who
+          // we are remotely, but the local connection row knows we
+          // joined this team \u2014 surface that, with a soft warning.
+          roleLabel = '(cloud unreachable)';
+          isCreator = false;
+        } else {
+          // listMembers returned a list, but our user_id wasn't in it.
+          // Either we were kicked or the local my_user_id is stale.
+          roleLabel = '(not in member list)';
+          isCreator = false;
+        }
+        var rolePill = '<span class="role-tag' + (isCreator ? '' : ' role-member') + '">' +
+          escapeHtml(roleLabel) +
+        '</span>';
+
+        // v1.13.4: no manual-sync button and no Last seq / Outbox / DLQ /
+        // Local links stats. Lattice is realtime against its canonical
+        // store \u2014 every read and every write the GUI does hits the
+        // active DB directly. When the project's db: line points at a
+        // Postgres URL, that IS the cloud DB; when it's local SQLite,
+        // it's the canonical local. There's nothing for the user to
+        // "sync" \u2014 operations either succeed live or fail gracefully
+        // when the connection is down. The outbox/change-log machinery
+        // is an HTTP-mode-only internal that the CLI still exposes
+        // (lattice teams sync) for power users; the GUI no longer
+        // pretends it's a user-facing action.
+        // Reference status once so eslint no-unused-vars stays happy
+        // even though we've intentionally dropped its display.
+        void status;
         card.innerHTML =
           '<h3>' + escapeHtml(conn.team_name) + ' ' + rolePill +
-            '<span style="font-size:11px;color:var(--text-muted);font-weight:normal">' + escapeHtml(conn.cloud_url) + '</span>' +
+            '<span style="font-size:11px;color:var(--text-muted);font-weight:normal">' + escapeHtml(redactUrlCredentials(conn.cloud_url)) + '</span>' +
           '</h3>' +
           '<div class="team-meta">team-id: <code>' + escapeHtml(teamId) + '</code></div>' +
-          '<div class="team-stats">' +
-            '<div class="team-stat"><div class="stat-label">Last seq</div><div class="stat-value">' + lastSeq + '</div></div>' +
-            '<div class="team-stat"><div class="stat-label">Outbox</div><div class="stat-value">' + status.outbox_depth + '</div></div>' +
-            '<div class="team-stat"><div class="stat-label">DLQ</div><div class="stat-value">' + status.dlq_depth + '</div></div>' +
-            '<div class="team-stat"><div class="stat-label">Local links</div><div class="stat-value">' + status.local_links + '</div></div>' +
-          '</div>' +
           '<div class="team-actions">' +
-            '<button class="btn primary" data-act="sync">Sync now</button>' +
             (isCreator
-              ? '<button class="btn" data-act="invite">Generate invite token</button>'
+              ? '<button class="btn primary" data-act="invite">Generate invite token</button>'
               : '') +
             '<button class="btn" data-act="leave">' + (isCreator ? 'Destroy team' : 'Leave team') + '</button>' +
           '</div>' +
@@ -8359,11 +8422,9 @@ var guiAppHtml = `<!doctype html>
 
     function wireTeamCardActions(card, conn, isCreator) {
       var teamId = conn.team_id;
-      card.querySelector('[data-act="sync"]').addEventListener('click', function () {
-        fetchJson('/api/teams-gui/teams/' + teamId + '/sync', { method: 'POST' })
-          .then(function () { renderTeamCard(card, conn); })
-          .catch(function (err) { alert('Sync failed: ' + err.message); });
-      });
+      // v1.13.4: no Sync button anymore. The CLI command lattice teams
+      // sync remains for HTTP-mode operators who need to nudge their
+      // outbox; the GUI is realtime against the canonical store.
       var inviteBtn = card.querySelector('[data-act="invite"]');
       if (inviteBtn) inviteBtn.addEventListener('click', function () {
         showInviteByEmailModal(teamId);
@@ -9989,6 +10050,74 @@ async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
   }
 }
 
+// src/teams/direct-ops.ts
+async function listMembersDirect(db, teamId) {
+  const members = await db.query("__lattice_team_members", {
+    filters: [{ col: "team_id", op: "eq", val: teamId }]
+  });
+  if (members.length === 0) return [];
+  const users = await db.query("__lattice_users", {
+    filters: [
+      { col: "id", op: "in", val: members.map((m) => m.user_id) },
+      { col: "deleted_at", op: "isNull" }
+    ]
+  });
+  const userById = new Map(users.map((u) => [u.id, u]));
+  const out = [];
+  for (const m of members) {
+    const u = userById.get(m.user_id);
+    if (!u) continue;
+    out.push({
+      user_id: m.user_id,
+      email: u.email,
+      name: u.name,
+      role: m.role,
+      joined_at: m.joined_at
+    });
+  }
+  return out;
+}
+async function inviteDirect(db, teamId, inviterUserId, inviteeEmail, expiresInHours = 7 * 24) {
+  const team = await db.get("__lattice_team", teamId);
+  if (!team || team.deleted_at) {
+    throw new Error(`Team not found: ${teamId}`);
+  }
+  const expiresAt = new Date(Date.now() + expiresInHours * 36e5).toISOString();
+  const { raw, hash } = generateInviteToken();
+  const id = await db.insert("__lattice_invitations", {
+    team_id: teamId,
+    token_hash: hash,
+    invitee_email: inviteeEmail,
+    invited_by_user_id: inviterUserId,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    expires_at: expiresAt
+  });
+  return {
+    id,
+    raw_token: raw,
+    expires_at: expiresAt,
+    team_name: team.name,
+    invitee_email: inviteeEmail
+  };
+}
+async function kickMemberDirect(db, teamId, userId) {
+  await db.delete("__lattice_team_members", { team_id: teamId, user_id: userId });
+}
+async function destroyTeamDirect(db) {
+  const identityRow = await db.get("__lattice_team_identity", "singleton");
+  if (identityRow && typeof identityRow.team_id === "string") {
+    const teamId = identityRow.team_id;
+    const members = await db.query("__lattice_team_members", {
+      filters: [{ col: "team_id", op: "eq", val: teamId }]
+    });
+    for (const m of members) {
+      await db.delete("__lattice_team_members", { team_id: teamId, user_id: m.user_id });
+    }
+    await db.update("__lattice_team", teamId, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
+  }
+  await db.delete("__lattice_team_identity", "singleton");
+}
+
 // src/teams/client.ts
 var TeamsClient = class {
   constructor(local) {
@@ -10075,6 +10204,13 @@ var TeamsClient = class {
       const redeem = await this.redeemInvite(opts.cloudUrl, inviteToken, email, name);
       saveDbCredential(opts.label, opts.cloudUrl);
       writeToken(opts.label, redeem.raw_token);
+      await this.saveConnection({
+        team_id: redeem.team.id,
+        team_name: redeem.team.name,
+        cloud_url: opts.cloudUrl,
+        my_user_id: redeem.user.id,
+        api_token: redeem.raw_token
+      });
       return {
         probe,
         joinedAsMember: { user_id: redeem.user.id, team_id: redeem.team.id }
@@ -10094,21 +10230,51 @@ var TeamsClient = class {
    *     The HTTP path can't be used here because the browser's Fetch
    *     API refuses URLs with embedded credentials.
    *
-   * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
-   * Caller is expected to call `saveConnection` if they also want the
-   * local `__lattice_team_connections` row populated.
+   * On success writes the bearer token to `~/.lattice/keys/<label>.token`
+   * **and** persists the local `__lattice_team_connections` row so the
+   * GUI's team-management API calls can authenticate immediately
+   * afterward (members, invites, kick, destroy). v1.13.4 added the
+   * connection-row write — the older v1.13 implementation only wrote
+   * the token file, leaving GUI authenticated calls with no
+   * `cloud_url` + `my_user_id` + `api_token_encrypted` row to read.
    */
   async upgradeToTeamCloud(opts) {
     const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
+    await this.saveConnection({
+      team_id: reg.team.id,
+      team_name: reg.team.name,
+      cloud_url: opts.cloudUrl,
+      my_user_id: reg.user.id,
+      api_token: reg.raw_token
+    });
     return reg;
   }
-  // ── Cloud HTTP calls (authenticated) ────────────────────────────────────
+  // ── Cloud team operations (dispatch on URL scheme) ──────────────────────
+  // For HTTP cloud URLs (`http://lattice-server:port`), every operation
+  // round-trips through the team server's authenticated REST API. For
+  // direct-Postgres cloud URLs (`postgres://...`), the user's `this.local`
+  // Lattice IS the cloud DB — operations dispatch through `direct-ops.ts`
+  // helpers that run the same INSERT / UPDATE / DELETE / SELECT logic
+  // against `this.local` directly. The Fetch API can't handle
+  // credentials-in-URL anyway, so the dispatch isn't optional.
+  //
+  // Authorization model: for HTTP clouds, the server gates by bearer
+  // token + membership row. For direct-Postgres, possession of the
+  // connection credential is the implicit gate — the operator is
+  // already reading/writing the canonical data.
   /** Destroy the singleton team. Creator-only on the cloud side. */
   async destroyTeam(cloudUrl, token) {
+    if (isPostgresUrl(cloudUrl)) {
+      await destroyTeamDirect(this.local);
+      return;
+    }
     await this.fetchAuthed(cloudUrl, token, "DELETE", "/api/team");
   }
   async listMembers(cloudUrl, token, teamId) {
+    if (isPostgresUrl(cloudUrl)) {
+      return listMembersDirect(this.local, teamId);
+    }
     const r = await this.fetchAuthed(
       cloudUrl,
       token,
@@ -10117,7 +10283,15 @@ var TeamsClient = class {
     );
     return r.members;
   }
-  async invite(cloudUrl, token, teamId, inviteeEmail, expiresInHours) {
+  async invite(cloudUrl, token, teamId, inviteeEmail, expiresInHours, inviterUserId) {
+    if (isPostgresUrl(cloudUrl)) {
+      if (!inviterUserId) {
+        throw new Error(
+          "invite: inviterUserId is required for direct-Postgres cloud URLs (read it from __lattice_team_connections.my_user_id)"
+        );
+      }
+      return inviteDirect(this.local, teamId, inviterUserId, inviteeEmail, expiresInHours);
+    }
     const body = { invitee_email: inviteeEmail };
     if (expiresInHours !== void 0) body.expires_in_hours = expiresInHours;
     return this.fetchAuthed(
@@ -10129,6 +10303,10 @@ var TeamsClient = class {
     );
   }
   async kickMember(cloudUrl, token, teamId, userId) {
+    if (isPostgresUrl(cloudUrl)) {
+      await kickMemberDirect(this.local, teamId, userId);
+      return;
+    }
     await this.fetchAuthed(
       cloudUrl,
       token,
@@ -10182,6 +10360,9 @@ var TeamsClient = class {
    * `has_more` flag tells callers to loop until drained before sleeping.
    */
   async fetchChangeBatch(cloudUrl, token, teamId, since = 0, limit = 500) {
+    if (isPostgresUrl(cloudUrl)) {
+      return { envelopes: [], has_more: false };
+    }
     return this.fetchAuthed(
       cloudUrl,
       token,
@@ -10789,7 +10970,8 @@ async function dispatchTeamSubroute(req, res, ctx, teamId, subpath) {
       conn.api_token,
       teamId,
       inviteeEmail,
-      hours
+      hours,
+      conn.my_user_id
     );
     sendJson2(res, invite);
     return;
@@ -12282,23 +12464,23 @@ async function startGuiServer(options) {
           return;
         }
         if (method === "GET" && pathname === "/api/system-tables") {
-          const rows = await (async () => {
-            const adapter = active.db._adapter;
-            if (!adapter.allAsync) return [];
-            return adapter.allAsync(
-              `SELECT name FROM sqlite_master
-               WHERE type='table' AND name LIKE '\\_%' ESCAPE '\\'
-               ORDER BY name`
-            );
-          })();
+          const adapter = active.db._adapter;
+          let rows = [];
+          if (adapter.allAsync) {
+            const listSql = adapter.dialect === "postgres" ? (
+              // pg_tables is the public-schema-only counterpart to
+              // sqlite_master. We filter to public + the same `\_%`
+              // ESCAPE pattern so the result is identical to SQLite.
+              // Underscore is a LIKE wildcard in both engines.
+              `SELECT tablename AS name FROM pg_tables WHERE schemaname = 'public' AND tablename LIKE '\\_%' ESCAPE '\\' ORDER BY tablename`
+            ) : `SELECT name FROM sqlite_master WHERE type='table' AND name LIKE '\\_%' ESCAPE '\\' ORDER BY name`;
+            rows = await adapter.allAsync(listSql);
+          }
           const tables = [];
           for (const r of rows) {
-            const cols = await (async () => {
-              const adapter = active.db._adapter;
-              return adapter.allAsync?.(`PRAGMA table_info("${r.name}")`) ?? Promise.resolve([]);
-            })();
+            const cols = await active.db.introspectColumns(r.name);
             const rowCount = await active.db.count(r.name);
-            tables.push({ name: r.name, columns: cols.map((c) => c.name), rowCount });
+            tables.push({ name: r.name, columns: cols, rowCount });
           }
           sendJson5(res, { tables });
           return;

package/dist/index.cjs

@@ -5891,7 +5891,9 @@ async function probeCloud(targetUrl) {
 // src/teams/server/auth.ts
 var import_node_crypto8 = require("crypto");
 var TOKEN_PREFIX = "lat_";
+var INVITE_PREFIX = "latinv_";
 var TOKEN_BYTES = 32;
+var INVITE_BYTES = 24;
 function hashToken(rawToken) {
   return (0, import_node_crypto8.createHash)("sha256").update(rawToken).digest("hex");
 }
@@ -5899,6 +5901,10 @@ function generateToken() {
   const raw = `${TOKEN_PREFIX}${(0, import_node_crypto8.randomBytes)(TOKEN_BYTES).toString("hex")}`;
   return { raw, hash: hashToken(raw) };
 }
+function generateInviteToken() {
+  const raw = `${INVITE_PREFIX}${(0, import_node_crypto8.randomBytes)(INVITE_BYTES).toString("hex")}`;
+  return { raw, hash: hashToken(raw) };
+}
 
 // src/teams/register-direct.ts
 function isPostgresUrl(url) {
@@ -5980,6 +5986,74 @@ async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
   }
 }
 
+// src/teams/direct-ops.ts
+async function listMembersDirect(db, teamId) {
+  const members = await db.query("__lattice_team_members", {
+    filters: [{ col: "team_id", op: "eq", val: teamId }]
+  });
+  if (members.length === 0) return [];
+  const users = await db.query("__lattice_users", {
+    filters: [
+      { col: "id", op: "in", val: members.map((m) => m.user_id) },
+      { col: "deleted_at", op: "isNull" }
+    ]
+  });
+  const userById = new Map(users.map((u) => [u.id, u]));
+  const out = [];
+  for (const m of members) {
+    const u = userById.get(m.user_id);
+    if (!u) continue;
+    out.push({
+      user_id: m.user_id,
+      email: u.email,
+      name: u.name,
+      role: m.role,
+      joined_at: m.joined_at
+    });
+  }
+  return out;
+}
+async function inviteDirect(db, teamId, inviterUserId, inviteeEmail, expiresInHours = 7 * 24) {
+  const team = await db.get("__lattice_team", teamId);
+  if (!team || team.deleted_at) {
+    throw new Error(`Team not found: ${teamId}`);
+  }
+  const expiresAt = new Date(Date.now() + expiresInHours * 36e5).toISOString();
+  const { raw, hash } = generateInviteToken();
+  const id = await db.insert("__lattice_invitations", {
+    team_id: teamId,
+    token_hash: hash,
+    invitee_email: inviteeEmail,
+    invited_by_user_id: inviterUserId,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    expires_at: expiresAt
+  });
+  return {
+    id,
+    raw_token: raw,
+    expires_at: expiresAt,
+    team_name: team.name,
+    invitee_email: inviteeEmail
+  };
+}
+async function kickMemberDirect(db, teamId, userId) {
+  await db.delete("__lattice_team_members", { team_id: teamId, user_id: userId });
+}
+async function destroyTeamDirect(db) {
+  const identityRow = await db.get("__lattice_team_identity", "singleton");
+  if (identityRow && typeof identityRow.team_id === "string") {
+    const teamId = identityRow.team_id;
+    const members = await db.query("__lattice_team_members", {
+      filters: [{ col: "team_id", op: "eq", val: teamId }]
+    });
+    for (const m of members) {
+      await db.delete("__lattice_team_members", { team_id: teamId, user_id: m.user_id });
+    }
+    await db.update("__lattice_team", teamId, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
+  }
+  await db.delete("__lattice_team_identity", "singleton");
+}
+
 // src/teams/client.ts
 var TeamsClient = class {
   constructor(local) {
@@ -6066,6 +6140,13 @@ var TeamsClient = class {
       const redeem = await this.redeemInvite(opts.cloudUrl, inviteToken, email, name);
       saveDbCredential(opts.label, opts.cloudUrl);
       writeToken(opts.label, redeem.raw_token);
+      await this.saveConnection({
+        team_id: redeem.team.id,
+        team_name: redeem.team.name,
+        cloud_url: opts.cloudUrl,
+        my_user_id: redeem.user.id,
+        api_token: redeem.raw_token
+      });
       return {
         probe,
         joinedAsMember: { user_id: redeem.user.id, team_id: redeem.team.id }
@@ -6085,21 +6166,51 @@ var TeamsClient = class {
    *     The HTTP path can't be used here because the browser's Fetch
    *     API refuses URLs with embedded credentials.
    *
-   * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
-   * Caller is expected to call `saveConnection` if they also want the
-   * local `__lattice_team_connections` row populated.
+   * On success writes the bearer token to `~/.lattice/keys/<label>.token`
+   * **and** persists the local `__lattice_team_connections` row so the
+   * GUI's team-management API calls can authenticate immediately
+   * afterward (members, invites, kick, destroy). v1.13.4 added the
+   * connection-row write — the older v1.13 implementation only wrote
+   * the token file, leaving GUI authenticated calls with no
+   * `cloud_url` + `my_user_id` + `api_token_encrypted` row to read.
    */
   async upgradeToTeamCloud(opts) {
     const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
+    await this.saveConnection({
+      team_id: reg.team.id,
+      team_name: reg.team.name,
+      cloud_url: opts.cloudUrl,
+      my_user_id: reg.user.id,
+      api_token: reg.raw_token
+    });
     return reg;
   }
-  // ── Cloud HTTP calls (authenticated) ────────────────────────────────────
+  // ── Cloud team operations (dispatch on URL scheme) ──────────────────────
+  // For HTTP cloud URLs (`http://lattice-server:port`), every operation
+  // round-trips through the team server's authenticated REST API. For
+  // direct-Postgres cloud URLs (`postgres://...`), the user's `this.local`
+  // Lattice IS the cloud DB — operations dispatch through `direct-ops.ts`
+  // helpers that run the same INSERT / UPDATE / DELETE / SELECT logic
+  // against `this.local` directly. The Fetch API can't handle
+  // credentials-in-URL anyway, so the dispatch isn't optional.
+  //
+  // Authorization model: for HTTP clouds, the server gates by bearer
+  // token + membership row. For direct-Postgres, possession of the
+  // connection credential is the implicit gate — the operator is
+  // already reading/writing the canonical data.
   /** Destroy the singleton team. Creator-only on the cloud side. */
   async destroyTeam(cloudUrl, token) {
+    if (isPostgresUrl(cloudUrl)) {
+      await destroyTeamDirect(this.local);
+      return;
+    }
     await this.fetchAuthed(cloudUrl, token, "DELETE", "/api/team");
   }
   async listMembers(cloudUrl, token, teamId) {
+    if (isPostgresUrl(cloudUrl)) {
+      return listMembersDirect(this.local, teamId);
+    }
     const r = await this.fetchAuthed(
       cloudUrl,
       token,
@@ -6108,7 +6219,15 @@ var TeamsClient = class {
     );
     return r.members;
   }
-  async invite(cloudUrl, token, teamId, inviteeEmail, expiresInHours) {
+  async invite(cloudUrl, token, teamId, inviteeEmail, expiresInHours, inviterUserId) {
+    if (isPostgresUrl(cloudUrl)) {
+      if (!inviterUserId) {
+        throw new Error(
+          "invite: inviterUserId is required for direct-Postgres cloud URLs (read it from __lattice_team_connections.my_user_id)"
+        );
+      }
+      return inviteDirect(this.local, teamId, inviterUserId, inviteeEmail, expiresInHours);
+    }
     const body = { invitee_email: inviteeEmail };
     if (expiresInHours !== void 0) body.expires_in_hours = expiresInHours;
     return this.fetchAuthed(
@@ -6120,6 +6239,10 @@ var TeamsClient = class {
     );
   }
   async kickMember(cloudUrl, token, teamId, userId) {
+    if (isPostgresUrl(cloudUrl)) {
+      await kickMemberDirect(this.local, teamId, userId);
+      return;
+    }
     await this.fetchAuthed(
       cloudUrl,
       token,
@@ -6173,6 +6296,9 @@ var TeamsClient = class {
    * `has_more` flag tells callers to loop until drained before sleeping.
    */
   async fetchChangeBatch(cloudUrl, token, teamId, since = 0, limit = 500) {
+    if (isPostgresUrl(cloudUrl)) {
+      return { envelopes: [], has_more: false };
+    }
     return this.fetchAuthed(
       cloudUrl,
       token,

package/dist/index.d.cts

@@ -3027,9 +3027,13 @@ declare class TeamsClient {
      *     The HTTP path can't be used here because the browser's Fetch
      *     API refuses URLs with embedded credentials.
      *
-     * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
-     * Caller is expected to call `saveConnection` if they also want the
-     * local `__lattice_team_connections` row populated.
+     * On success writes the bearer token to `~/.lattice/keys/<label>.token`
+     * **and** persists the local `__lattice_team_connections` row so the
+     * GUI's team-management API calls can authenticate immediately
+     * afterward (members, invites, kick, destroy). v1.13.4 added the
+     * connection-row write — the older v1.13 implementation only wrote
+     * the token file, leaving GUI authenticated calls with no
+     * `cloud_url` + `my_user_id` + `api_token_encrypted` row to read.
      */
     upgradeToTeamCloud(opts: {
         label: string;
@@ -3041,7 +3045,7 @@ declare class TeamsClient {
     /** Destroy the singleton team. Creator-only on the cloud side. */
     destroyTeam(cloudUrl: string, token: string): Promise<void>;
     listMembers(cloudUrl: string, token: string, teamId: string): Promise<MemberSummary[]>;
-    invite(cloudUrl: string, token: string, teamId: string, inviteeEmail: string, expiresInHours?: number): Promise<InviteResponse>;
+    invite(cloudUrl: string, token: string, teamId: string, inviteeEmail: string, expiresInHours?: number, inviterUserId?: string): Promise<InviteResponse>;
     kickMember(cloudUrl: string, token: string, teamId: string, userId: string): Promise<void>;
     me(cloudUrl: string, token: string): Promise<{
         user: {

package/dist/index.d.ts

@@ -3027,9 +3027,13 @@ declare class TeamsClient {
      *     The HTTP path can't be used here because the browser's Fetch
      *     API refuses URLs with embedded credentials.
      *
-     * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
-     * Caller is expected to call `saveConnection` if they also want the
-     * local `__lattice_team_connections` row populated.
+     * On success writes the bearer token to `~/.lattice/keys/<label>.token`
+     * **and** persists the local `__lattice_team_connections` row so the
+     * GUI's team-management API calls can authenticate immediately
+     * afterward (members, invites, kick, destroy). v1.13.4 added the
+     * connection-row write — the older v1.13 implementation only wrote
+     * the token file, leaving GUI authenticated calls with no
+     * `cloud_url` + `my_user_id` + `api_token_encrypted` row to read.
      */
     upgradeToTeamCloud(opts: {
         label: string;
@@ -3041,7 +3045,7 @@ declare class TeamsClient {
     /** Destroy the singleton team. Creator-only on the cloud side. */
     destroyTeam(cloudUrl: string, token: string): Promise<void>;
     listMembers(cloudUrl: string, token: string, teamId: string): Promise<MemberSummary[]>;
-    invite(cloudUrl: string, token: string, teamId: string, inviteeEmail: string, expiresInHours?: number): Promise<InviteResponse>;
+    invite(cloudUrl: string, token: string, teamId: string, inviteeEmail: string, expiresInHours?: number, inviterUserId?: string): Promise<InviteResponse>;
     kickMember(cloudUrl: string, token: string, teamId: string, userId: string): Promise<void>;
     me(cloudUrl: string, token: string): Promise<{
         user: {

package/dist/index.js

@@ -5817,7 +5817,9 @@ async function probeCloud(targetUrl) {
 // src/teams/server/auth.ts
 import { createHash as createHash5, randomBytes as randomBytes4, timingSafeEqual } from "crypto";
 var TOKEN_PREFIX = "lat_";
+var INVITE_PREFIX = "latinv_";
 var TOKEN_BYTES = 32;
+var INVITE_BYTES = 24;
 function hashToken(rawToken) {
   return createHash5("sha256").update(rawToken).digest("hex");
 }
@@ -5825,6 +5827,10 @@ function generateToken() {
   const raw = `${TOKEN_PREFIX}${randomBytes4(TOKEN_BYTES).toString("hex")}`;
   return { raw, hash: hashToken(raw) };
 }
+function generateInviteToken() {
+  const raw = `${INVITE_PREFIX}${randomBytes4(INVITE_BYTES).toString("hex")}`;
+  return { raw, hash: hashToken(raw) };
+}
 
 // src/teams/register-direct.ts
 function isPostgresUrl(url) {
@@ -5906,6 +5912,74 @@ async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
   }
 }
 
+// src/teams/direct-ops.ts
+async function listMembersDirect(db, teamId) {
+  const members = await db.query("__lattice_team_members", {
+    filters: [{ col: "team_id", op: "eq", val: teamId }]
+  });
+  if (members.length === 0) return [];
+  const users = await db.query("__lattice_users", {
+    filters: [
+      { col: "id", op: "in", val: members.map((m) => m.user_id) },
+      { col: "deleted_at", op: "isNull" }
+    ]
+  });
+  const userById = new Map(users.map((u) => [u.id, u]));
+  const out = [];
+  for (const m of members) {
+    const u = userById.get(m.user_id);
+    if (!u) continue;
+    out.push({
+      user_id: m.user_id,
+      email: u.email,
+      name: u.name,
+      role: m.role,
+      joined_at: m.joined_at
+    });
+  }
+  return out;
+}
+async function inviteDirect(db, teamId, inviterUserId, inviteeEmail, expiresInHours = 7 * 24) {
+  const team = await db.get("__lattice_team", teamId);
+  if (!team || team.deleted_at) {
+    throw new Error(`Team not found: ${teamId}`);
+  }
+  const expiresAt = new Date(Date.now() + expiresInHours * 36e5).toISOString();
+  const { raw, hash } = generateInviteToken();
+  const id = await db.insert("__lattice_invitations", {
+    team_id: teamId,
+    token_hash: hash,
+    invitee_email: inviteeEmail,
+    invited_by_user_id: inviterUserId,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    expires_at: expiresAt
+  });
+  return {
+    id,
+    raw_token: raw,
+    expires_at: expiresAt,
+    team_name: team.name,
+    invitee_email: inviteeEmail
+  };
+}
+async function kickMemberDirect(db, teamId, userId) {
+  await db.delete("__lattice_team_members", { team_id: teamId, user_id: userId });
+}
+async function destroyTeamDirect(db) {
+  const identityRow = await db.get("__lattice_team_identity", "singleton");
+  if (identityRow && typeof identityRow.team_id === "string") {
+    const teamId = identityRow.team_id;
+    const members = await db.query("__lattice_team_members", {
+      filters: [{ col: "team_id", op: "eq", val: teamId }]
+    });
+    for (const m of members) {
+      await db.delete("__lattice_team_members", { team_id: teamId, user_id: m.user_id });
+    }
+    await db.update("__lattice_team", teamId, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
+  }
+  await db.delete("__lattice_team_identity", "singleton");
+}
+
 // src/teams/client.ts
 var TeamsClient = class {
   constructor(local) {
@@ -5992,6 +6066,13 @@ var TeamsClient = class {
       const redeem = await this.redeemInvite(opts.cloudUrl, inviteToken, email, name);
       saveDbCredential(opts.label, opts.cloudUrl);
       writeToken(opts.label, redeem.raw_token);
+      await this.saveConnection({
+        team_id: redeem.team.id,
+        team_name: redeem.team.name,
+        cloud_url: opts.cloudUrl,
+        my_user_id: redeem.user.id,
+        api_token: redeem.raw_token
+      });
       return {
         probe,
         joinedAsMember: { user_id: redeem.user.id, team_id: redeem.team.id }
@@ -6011,21 +6092,51 @@ var TeamsClient = class {
    *     The HTTP path can't be used here because the browser's Fetch
    *     API refuses URLs with embedded credentials.
    *
-   * On success writes the bearer token to `~/.lattice/keys/<label>.token`.
-   * Caller is expected to call `saveConnection` if they also want the
-   * local `__lattice_team_connections` row populated.
+   * On success writes the bearer token to `~/.lattice/keys/<label>.token`
+   * **and** persists the local `__lattice_team_connections` row so the
+   * GUI's team-management API calls can authenticate immediately
+   * afterward (members, invites, kick, destroy). v1.13.4 added the
+   * connection-row write — the older v1.13 implementation only wrote
+   * the token file, leaving GUI authenticated calls with no
+   * `cloud_url` + `my_user_id` + `api_token_encrypted` row to read.
    */
   async upgradeToTeamCloud(opts) {
     const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
+    await this.saveConnection({
+      team_id: reg.team.id,
+      team_name: reg.team.name,
+      cloud_url: opts.cloudUrl,
+      my_user_id: reg.user.id,
+      api_token: reg.raw_token
+    });
     return reg;
   }
-  // ── Cloud HTTP calls (authenticated) ────────────────────────────────────
+  // ── Cloud team operations (dispatch on URL scheme) ──────────────────────
+  // For HTTP cloud URLs (`http://lattice-server:port`), every operation
+  // round-trips through the team server's authenticated REST API. For
+  // direct-Postgres cloud URLs (`postgres://...`), the user's `this.local`
+  // Lattice IS the cloud DB — operations dispatch through `direct-ops.ts`
+  // helpers that run the same INSERT / UPDATE / DELETE / SELECT logic
+  // against `this.local` directly. The Fetch API can't handle
+  // credentials-in-URL anyway, so the dispatch isn't optional.
+  //
+  // Authorization model: for HTTP clouds, the server gates by bearer
+  // token + membership row. For direct-Postgres, possession of the
+  // connection credential is the implicit gate — the operator is
+  // already reading/writing the canonical data.
   /** Destroy the singleton team. Creator-only on the cloud side. */
   async destroyTeam(cloudUrl, token) {
+    if (isPostgresUrl(cloudUrl)) {
+      await destroyTeamDirect(this.local);
+      return;
+    }
     await this.fetchAuthed(cloudUrl, token, "DELETE", "/api/team");
   }
   async listMembers(cloudUrl, token, teamId) {
+    if (isPostgresUrl(cloudUrl)) {
+      return listMembersDirect(this.local, teamId);
+    }
     const r = await this.fetchAuthed(
       cloudUrl,
       token,
@@ -6034,7 +6145,15 @@ var TeamsClient = class {
     );
     return r.members;
   }
-  async invite(cloudUrl, token, teamId, inviteeEmail, expiresInHours) {
+  async invite(cloudUrl, token, teamId, inviteeEmail, expiresInHours, inviterUserId) {
+    if (isPostgresUrl(cloudUrl)) {
+      if (!inviterUserId) {
+        throw new Error(
+          "invite: inviterUserId is required for direct-Postgres cloud URLs (read it from __lattice_team_connections.my_user_id)"
+        );
+      }
+      return inviteDirect(this.local, teamId, inviterUserId, inviteeEmail, expiresInHours);
+    }
     const body = { invitee_email: inviteeEmail };
     if (expiresInHours !== void 0) body.expires_in_hours = expiresInHours;
     return this.fetchAuthed(
@@ -6046,6 +6165,10 @@ var TeamsClient = class {
     );
   }
   async kickMember(cloudUrl, token, teamId, userId) {
+    if (isPostgresUrl(cloudUrl)) {
+      await kickMemberDirect(this.local, teamId, userId);
+      return;
+    }
     await this.fetchAuthed(
       cloudUrl,
       token,
@@ -6099,6 +6222,9 @@ var TeamsClient = class {
    * `has_more` flag tells callers to loop until drained before sleeping.
    */
   async fetchChangeBatch(cloudUrl, token, teamId, since = 0, limit = 500) {
+    if (isPostgresUrl(cloudUrl)) {
+      return { envelopes: [], has_more: false };
+    }
     return this.fetchAuthed(
       cloudUrl,
       token,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "1.13.3",
+  "version": "1.13.4",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",