latticesql 2.1.1 → 2.2.0

package/dist/cli.js

@@ -4374,6 +4374,12 @@ function buildAdapter(dbPath, options) {
   return new SQLiteAdapter(sqlitePath, adapterOpts);
 }
 var NOT_DELETED2 = "(deleted_at IS NULL OR deleted_at = '')";
+function rowAclVisibleExists(teamExpr, tableExpr, pkExpr) {
+  return `EXISTS (SELECT 1 FROM "__lattice_row_acl" la WHERE la."team_id" = ${teamExpr} AND la."table_name" = ${tableExpr} AND la."pk" = ${pkExpr} AND (la."owner_user_id" = ? OR la."visibility" = 'everyone' OR (la."visibility" = 'custom' AND EXISTS (SELECT 1 FROM "__lattice_row_grants" lg WHERE lg."team_id" = la."team_id" AND lg."table_name" = la."table_name" AND lg."pk" = la."pk" AND lg."grantee_user_id" = ?))))`;
+}
+function rowAclAbsent(teamExpr, tableExpr, pkExpr) {
+  return `NOT EXISTS (SELECT 1 FROM "__lattice_row_acl" la2 WHERE la2."team_id" = ${teamExpr} AND la2."table_name" = ${tableExpr} AND la2."pk" = ${pkExpr})`;
+}
 var Lattice = class _Lattice {
   _adapter;
   _changelogService;
@@ -5473,6 +5479,131 @@ var Lattice = class _Lattice {
     const rows = await allAsyncOrSync(this._adapter, sql, params);
     return this._decryptRows(table, rows);
   }
+  /**
+   * Row-level-security list read for Lattice Teams (2.2). Returns only the
+   * rows of `table` that `userId` may see in team `teamId`, evaluated
+   * entirely in SQL (indexed, bounded — never "load every row then filter
+   * in JS"). A row is visible iff it has a `__lattice_row_acl` entry owned by
+   * the user or marked 'everyone', or a 'custom' entry with a matching
+   * `__lattice_row_grants` row, OR it has no ACL entry at all and the caller
+   * passes `noAclVisible` (the table default is 'everyone', or the user owns
+   * the table — the pre-2.2 / never-narrowed case). Soft-deleted rows are
+   * excluded by default; results reuse the same decrypt path as `query()`.
+   *
+   * The ACL predicate joins on the table's primary-key column cast to TEXT
+   * (ACL pks are stored as TEXT), so it is correct regardless of the user
+   * table's pk type and works on both SQLite and Postgres. The teams layer's
+   * `listVisibleRows` (src/teams/row-access.ts) is the intended caller.
+   */
+  async queryVisible(table, opts) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    this._assertIdent(table);
+    if (opts.orderBy) this._assertIdent(table, opts.orderBy);
+    const cols = this._ensureColumnCache(table);
+    const pkCol = this._schema.getPrimaryKey(table)[0] ?? "id";
+    let softDelete = "";
+    if (cols.has("deleted_at") && opts.deleted !== "any") {
+      softDelete = opts.deleted === "only" ? `t."deleted_at" IS NOT NULL AND ` : `t."deleted_at" IS NULL AND `;
+    }
+    const pkExpr = `CAST(t."${pkCol}" AS TEXT)`;
+    let sql = `SELECT t.* FROM "${table}" t WHERE ${softDelete}(${rowAclVisibleExists("?", "?", pkExpr)}`;
+    const params = [opts.teamId, table, opts.userId, opts.userId];
+    if (opts.noAclVisible) {
+      sql += ` OR ${rowAclAbsent("?", "?", pkExpr)}`;
+      params.push(opts.teamId, table);
+    }
+    sql += `)`;
+    if (opts.orderBy && cols.has(opts.orderBy)) {
+      const dir = opts.orderDir === "desc" ? "DESC" : "ASC";
+      sql += ` ORDER BY t."${opts.orderBy}" ${dir}`;
+    }
+    if (opts.limit !== void 0 && Number.isFinite(opts.limit)) {
+      sql += ` LIMIT ${Math.trunc(opts.limit).toString()}`;
+    }
+    if (opts.offset !== void 0 && Number.isFinite(opts.offset)) {
+      if (opts.limit === void 0 && this.getDialect() === "sqlite") sql += " LIMIT -1";
+      sql += ` OFFSET ${Math.trunc(opts.offset).toString()}`;
+    }
+    const rows = await allAsyncOrSync(this._adapter, sql, params);
+    return this._decryptRows(table, rows);
+  }
+  /**
+   * Visible-row counts for MANY tables in a single round-trip, using the same
+   * ACL predicate as {@link queryVisible} — so dashboard tiles agree with what
+   * the rows view lists and a physical count never reveals the existence or
+   * volume of rows the user can't see. One aggregated
+   * `SELECT (SELECT COUNT(*) …) AS c0, …` statement (no per-table fan-out, so
+   * a session pooler with few slots survives concurrent refreshes), capped at
+   * 50 tables per pass; overflow is logged and skipped (no silent truncation)
+   * and those tables count as absent — the caller renders "—". Soft-deleted
+   * rows are excluded wherever the table carries `deleted_at`, matching the
+   * default rows view.
+   */
+  async countVisibleMany(specs, opts) {
+    const out = /* @__PURE__ */ new Map();
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    if (specs.length === 0) return out;
+    const VISIBLE_COUNT_CAP = 50;
+    let bounded = specs;
+    if (bounded.length > VISIBLE_COUNT_CAP) {
+      const dropped = bounded.length - VISIBLE_COUNT_CAP;
+      console.warn(
+        `[lattice] visible-count pass capped at ${String(VISIBLE_COUNT_CAP)} tables; ${String(dropped)} table(s) report no count this pass`
+      );
+      bounded = bounded.slice(0, VISIBLE_COUNT_CAP);
+    }
+    const selects = [];
+    const params = [];
+    for (const [i, spec] of bounded.entries()) {
+      this._assertIdent(spec.table);
+      const cols = this._ensureColumnCache(spec.table);
+      const pkCol = this._schema.getPrimaryKey(spec.table)[0] ?? "id";
+      const softDelete = cols.has("deleted_at") ? `t."deleted_at" IS NULL AND ` : "";
+      const pkExpr = `CAST(t."${pkCol}" AS TEXT)`;
+      let predicate = rowAclVisibleExists("?", "?", pkExpr);
+      params.push(opts.teamId, spec.table, opts.userId, opts.userId);
+      if (spec.noAclVisible) {
+        predicate += ` OR ${rowAclAbsent("?", "?", pkExpr)}`;
+        params.push(opts.teamId, spec.table);
+      }
+      selects.push(
+        `(SELECT COUNT(*) FROM "${spec.table}" t WHERE ${softDelete}(${predicate})) AS c${String(i)}`
+      );
+    }
+    const row = await getAsyncOrSync(this._adapter, `SELECT ${selects.join(", ")}`, params);
+    if (!row) return out;
+    for (const [i, spec] of bounded.entries()) {
+      const raw = row[`c${String(i)}`];
+      const n = typeof raw === "bigint" ? Number(raw) : Number(raw);
+      if (Number.isFinite(n) && n >= 0) out.set(spec.table, n);
+    }
+    return out;
+  }
+  /**
+   * Hosted-sync change-log pull, filtered per recipient for 2.2 row-level
+   * security (the hosted server's sole enforcement mechanism). Returns
+   * `__lattice_change_log` rows with seq > `since` for team `teamId` that
+   * `userId` is permitted to receive:
+   *   - targeted envelopes (`recipient_user_id = userId`), plus
+   *   - broadcast envelopes (`recipient_user_id IS NULL`) that are either
+   *     table-level (`pk IS NULL` — schema / unshare, delivered to all) or
+   *     whose row is currently visible to the user via `__lattice_row_acl` /
+   *     `__lattice_row_grants` (or has no ACL entry and the table defaults to
+   *     'everyone').
+   * Ordered by seq, capped at `limit`. Raw SQL because the predicate needs
+   * OR / EXISTS that the `query()` API can't express; bounded by the seq
+   * window and indexed ACL point-lookups. Mirrors {@link queryVisible}'s
+   * visibility logic so a member never pulls the bytes of a row they can't see.
+   */
+  async listChangesForRecipient(teamId, since, userId, limit) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    const sql = `SELECT cl.* FROM "__lattice_change_log" cl WHERE cl."team_id" = ? AND cl."seq" > ? AND (cl."recipient_user_id" = ? OR (cl."recipient_user_id" IS NULL AND (cl."pk" IS NULL OR ${rowAclVisibleExists('cl."team_id"', 'cl."table_name"', 'cl."pk"')} OR (${rowAclAbsent('cl."team_id"', 'cl."table_name"', 'cl."pk"')} AND EXISTS (SELECT 1 FROM "__lattice_shared_objects" so WHERE so."team_id" = cl."team_id" AND so."table_name" = cl."table_name" AND so."deleted_at" IS NULL AND so."default_row_visibility" = 'everyone'))))) ORDER BY cl."seq" ASC LIMIT ${Math.trunc(limit).toString()}`;
+    const params = [teamId, since, userId, userId, userId];
+    return allAsyncOrSync(this._adapter, sql, params);
+  }
   async count(table, opts = {}) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
@@ -7347,7 +7478,7 @@ var css = `
     .view-header .actions { margin-left: auto; display: flex; gap: 8px; }
 
     /* Row delete / restore controls */
-    .row-actions { width: 64px; text-align: center; white-space: nowrap; }
+    .row-actions { width: 88px; text-align: center; white-space: nowrap; }
     .row-delete, .row-restore {
       background: transparent; border: none; color: var(--text-muted);
       font-size: 16px; cursor: pointer; padding: 4px 6px;
@@ -7358,6 +7489,43 @@ var css = `
     .row-restore:hover { background: var(--accent-soft); color: var(--accent); }
     tr.row-deleted td { background: rgba(251, 146, 60, 0.08); color: var(--text-muted); }
     tr.row-deleted:hover td { background: #fcf5e3; }
+    /* Per-row visibility indicator (2.2). Reuses the team share colour
+       language \u2014 yellow (#eab308) = visible to everyone, red (#ef4444) =
+       private \u2014 matching the .sw-shared / .sw-private swatches. Owner =
+       interactive toggle; non-owner = faded + inert (status only). */
+    .row-vis {
+      background: transparent; border: none; padding: 4px 6px; border-radius: 4px;
+      font-size: 14px; line-height: 1; cursor: pointer; text-decoration: none;
+      color: #eab308;
+    }
+    .row-vis:hover { filter: brightness(1.18); }
+    .row-vis-private { color: #ef4444; }
+    .row-vis-disabled { cursor: default; pointer-events: none; opacity: 0.45; }
+    /* Grants checklist (detail view, owner-only): who can see a
+       shared-with-specific-people row. Checkboxes post straight to the
+       row-grant endpoints. */
+    .grants-panel {
+      margin: 4px 0 10px; padding: 10px 12px; max-width: 420px;
+      border: 1px solid var(--border); border-radius: 6px; background: var(--surface-2);
+      font-size: 13px;
+    }
+    .grants-panel .grants-title { font-weight: 600; margin-bottom: 6px; }
+    .grants-panel .grants-row { display: flex; align-items: center; gap: 8px; padding: 3px 0; cursor: pointer; }
+    .grants-panel .grants-row input { accent-color: var(--accent); }
+    /* Deprecation banner: shown when the workspace holds a grandfathered
+       direct database cloud connection (no row-level security). Amber so
+       it reads as a warning, not an error. */
+    .deprecation-banner {
+      display: flex; align-items: center; gap: 12px;
+      padding: 8px 16px; font-size: 13px;
+      background: rgba(234, 179, 8, 0.12); color: var(--text);
+      border-bottom: 1px solid rgba(234, 179, 8, 0.45);
+    }
+    .deprecation-banner button {
+      margin-left: auto; background: transparent; border: none; cursor: pointer;
+      color: var(--text-muted); font-size: 13px; padding: 2px 6px; border-radius: 4px;
+    }
+    .deprecation-banner button:hover { background: rgba(234, 179, 8, 0.18); }
 
     /* Inline create-row at the bottom of every table */
     tr.create-row td { background: var(--surface-2); }
@@ -8848,6 +9016,27 @@ var appJs = `
 
     window.addEventListener('hashchange', renderRoute);
 
+    // Deprecation banner: a grandfathered direct database cloud connection
+    // bypasses the hosted server's row security entirely \u2014 say so up front.
+    // Dismiss hides it for this browser session only.
+    function initDeprecationBanner() {
+      if (sessionStorage.getItem('lattice-direct-banner-dismissed')) return;
+      fetchJson('/api/dbconfig').then(function (d) {
+        if (!d || !d.directCloud) return;
+        var banner = document.getElementById('deprecation-banner');
+        var text = document.getElementById('deprecation-banner-text');
+        if (!banner || !text) return;
+        text.textContent = "Direct database cloud connections are deprecated and don't support row-level security. Migrate to a hosted workspace.";
+        banner.hidden = false;
+        var dismiss = document.getElementById('deprecation-banner-dismiss');
+        if (dismiss) dismiss.addEventListener('click', function () {
+          banner.hidden = true;
+          sessionStorage.setItem('lattice-direct-banner-dismissed', '1');
+        });
+      }).catch(function () { /* dbconfig unavailable (e.g. team-cloud server mode) \u2014 no banner */ });
+    }
+    initDeprecationBanner();
+
     // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
     // Sidebar
     // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
@@ -9203,6 +9392,31 @@ var appJs = `
           .map(function (h) { return '<th>' + escapeHtml(h) + '</th>'; }).join('');
         headers += '<th class="row-actions"></th>';
 
+        // Per-row visibility indicator (2.2 row-level permissions). Reads the
+        // server-attached _access summary (team clouds only); absent yields ''.
+        // U+25C9 = everyone (yellow) / private (red, by colour); U+25CE =
+        // custom (shared with specific people). Owner = interactive toggle;
+        // non-owner = faded + inert status.
+        function rowVisMarkup(tbl, r) {
+          var a = r._access;
+          if (!a) return '';
+          var vis = a.visibility;
+          var glyph = vis === 'custom' ? '\u25CE' : '\u25C9';
+          if (!a.ownedByMe) {
+            var seen = vis === 'custom' ? 'Shared with you' : 'Visible to everyone';
+            return '<span class="row-vis row-vis-disabled" title="' + escapeHtml(seen) + '">' + glyph + '</span>';
+          }
+          if (vis === 'custom') {
+            return '<a class="row-vis" href="#/objects/' + encodeURIComponent(tbl) + '/' + encodeURIComponent(r.id) +
+              '" title="Shared with specific people \u2014 open to manage">' + glyph + '</a>';
+          }
+          var cls = vis === 'private' ? 'row-vis row-vis-private' : 'row-vis';
+          var title = vis === 'everyone'
+            ? 'Visible to everyone \u2014 click to make private'
+            : 'Private to you \u2014 click to share with everyone';
+          return '<button class="' + cls + '" data-vis-toggle="' + escapeHtml(r.id) +
+            '" data-vis-cur="' + vis + '" title="' + escapeHtml(title) + '">' + glyph + '</button>';
+        }
         var bodyRows;
         if (rows.length === 0) {
           bodyRows = '';
@@ -9233,7 +9447,8 @@ var appJs = `
                 '<button class="row-delete" title="Delete permanently" data-hard-del="' + escapeHtml(r.id) + '">\u2715</button>' +
                 '</td>');
             } else {
-              tds.push('<td class="row-actions"><button class="row-delete" title="Delete" data-del="' + escapeHtml(r.id) + '">\u2715</button></td>');
+              tds.push('<td class="row-actions">' + rowVisMarkup(tableName, r) +
+                '<button class="row-delete" title="Delete" data-del="' + escapeHtml(r.id) + '">\u2715</button></td>');
             }
             return '<tr data-id="' + escapeHtml(r.id) + '"' + (viewMode === 'trash' ? ' class="row-deleted"' : '') + '>' + tds.join('') + '</tr>';
           }).join('');
@@ -9342,6 +9557,30 @@ var appJs = `
           });
         });
 
+        content.querySelectorAll('button[data-vis-toggle]').forEach(function (btn) {
+          btn.addEventListener('click', function (e) {
+            e.stopPropagation();
+            var id = btn.getAttribute('data-vis-toggle');
+            var cur = btn.getAttribute('data-vis-cur');
+            var next = cur === 'everyone' ? 'private' : 'everyone';
+            withBusy(btn, function () {
+              return fetchJson('/api/tables/' + encodeURIComponent(tableName) + '/rows/' + encodeURIComponent(id) + '/visibility', {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ visibility: next }),
+              }).then(function () {
+                invalidate(tableName);
+                return refreshEntities();
+              }).then(function () {
+                renderTable(content, tableName);
+                showToast(next === 'everyone' ? 'Row shared with everyone' : 'Row made private', {});
+              }).catch(function (err) {
+                showToast('Visibility update failed: ' + err.message, {});
+              });
+            });
+          });
+        });
+
         content.querySelectorAll('tr[data-id]').forEach(function (tr) {
           tr.addEventListener('click', function (e) {
             // Let chip-link anchors and the delete button handle their own click.
@@ -9468,6 +9707,39 @@ var appJs = `
       });
     }
 
+    // Detail-view row visibility line (2.2). Owner: status + everyone/private
+    // toggle + a "Specific people\u2026" / "Manage access" control that opens the
+    // grants checklist (the table view's "open to manage" affordance lands
+    // here). Non-owner: read-only status.
+    function detailVisLineEl(row) {
+      var a = row._access;
+      if (!a) return '';
+      var vis = a.visibility;
+      var labelMap = { everyone: 'Visible to everyone', private: 'Private to you', custom: 'Shared with specific people' };
+      if (!a.ownedByMe) {
+        var seen = vis === 'custom' ? 'Shared with you' : (labelMap[vis] || '');
+        return '<div class="detail-vis muted" style="margin:6px 0;font-size:13px">' + escapeHtml(seen) + '</div>';
+      }
+      var info = labelMap[vis] || '';
+      if (vis === 'custom' && a.grantees) info += ' (' + a.grantees.length + ')';
+      var buttons;
+      if (vis === 'custom') {
+        // Leaving custom stops the grant list from applying \u2014 the toggle
+        // handler asks for confirmation. The grants themselves are kept
+        // server-side, so reopening "Manage access" restores the list.
+        buttons = '<button class="btn" id="detail-vis-manage">Manage access</button>' +
+          '<button class="btn" id="detail-vis-toggle" data-vis-cur="custom" data-vis-next="everyone">Share with everyone</button>';
+      } else {
+        var btnLabel = vis === 'everyone' ? 'Make private' : 'Share with everyone';
+        var next = vis === 'everyone' ? 'private' : 'everyone';
+        buttons = '<button class="btn" id="detail-vis-toggle" data-vis-cur="' + vis + '" data-vis-next="' + next + '">' + btnLabel + '</button>' +
+          '<button class="btn" id="detail-vis-manage">Specific people\u2026</button>';
+      }
+      return '<div class="detail-vis" style="display:flex;align-items:center;gap:8px;margin:6px 0;font-size:13px;flex-wrap:wrap">' +
+        '<span class="muted" id="detail-vis-info">' + escapeHtml(info) + '</span>' + buttons +
+        '</div>' +
+        '<div class="grants-panel" id="grants-panel" hidden></div>';
+    }
     function renderDetail(content, tableName, id) {
       var t = tableByName(tableName);
       if (!t) {
@@ -9566,6 +9838,7 @@ var appJs = `
               '<h1>' + escapeHtml(displayNameFor(row) || d.label) + '</h1>' +
               '<div class="actions">' + actions + '</div>' +
             '</div>' +
+            detailVisLineEl(row) +
             lastEditedLineEl(tableName, id) +
             (tableName === 'files' ? '<div class="file-preview" id="file-preview"></div>' : '') +
             '<div class="detail"><dl class="' + (editing ? 'editing' : '') + '">' + rows.join('') + '</dl></div>' +
@@ -9578,6 +9851,93 @@ var appJs = `
           if (!editing) loadRowContext(tableName, id);
           if (!editing && tableName === 'files') renderFilePreview(row);
 
+          function postVisibility(next) {
+            return fetchJson('/api/tables/' + encodeURIComponent(tableName) + '/rows/' + encodeURIComponent(id) + '/visibility', {
+              method: 'POST',
+              headers: { 'content-type': 'application/json' },
+              body: JSON.stringify({ visibility: next }),
+            });
+          }
+          var detailVisBtn = content.querySelector('#detail-vis-toggle');
+          if (detailVisBtn) detailVisBtn.addEventListener('click', function () {
+            var cur = detailVisBtn.getAttribute('data-vis-cur');
+            var next = detailVisBtn.getAttribute('data-vis-next') || (cur === 'everyone' ? 'private' : 'everyone');
+            if (cur === 'custom') {
+              // Non-destructive guard: the grant rows survive server-side, but
+              // the custom list stops applying the moment visibility changes.
+              var cnt = (row._access && row._access.grantees ? row._access.grantees.length : 0);
+              var who = cnt === 1 ? '1 specific person' : cnt + ' specific people';
+              if (!confirm('This row is shared with ' + who + '. The custom list will stop applying (it is kept and reapplies if you return to specific people). Continue?')) return;
+            }
+            withBusy(detailVisBtn, function () {
+              return postVisibility(next).then(function () {
+                invalidate(tableName);
+                renderDetail(content, tableName, id);
+                showToast(next === 'everyone' ? 'Shared with everyone' : 'Made private', {});
+              }).catch(function (e) { showToast('Visibility update failed: ' + e.message, {}); });
+            });
+          });
+
+          // Grants checklist ("Specific people\u2026" / "Manage access"): member
+          // checkboxes wired to the row-grant endpoints. Opening it on a
+          // non-custom row first narrows visibility to custom so an empty
+          // checklist is a coherent state (owner-only until people are added).
+          var detailVisManage = content.querySelector('#detail-vis-manage');
+          if (detailVisManage) detailVisManage.addEventListener('click', function () {
+            var panel = content.querySelector('#grants-panel');
+            if (!panel) return;
+            if (!panel.hidden) { panel.hidden = true; return; }
+            var access = row._access || {};
+            var ensure = access.visibility === 'custom'
+              ? Promise.resolve()
+              : postVisibility('custom').then(function () { access.visibility = 'custom'; });
+            withBusy(detailVisManage, function () {
+              return ensure.then(function () {
+                return fetchJson('/api/team/users');
+              }).then(function (d) {
+                var users = ((d && d.users) || []).filter(function (u) { return u.id !== access.owner_user_id; });
+                var granted = {};
+                (access.grantees || []).forEach(function (g) { granted[g] = true; });
+                if (users.length === 0) {
+                  panel.innerHTML = '<div class="muted">No other members in this workspace yet.</div>';
+                } else {
+                  panel.innerHTML = '<div class="grants-title">Who can see this</div>' + users.map(function (u) {
+                    var label = u.name || u.email || u.id;
+                    return '<label class="grants-row"><input type="checkbox" data-grant-user="' + escapeHtml(u.id) + '"' +
+                      (granted[u.id] ? ' checked' : '') + '> ' + escapeHtml(label) + '</label>';
+                  }).join('');
+                }
+                panel.hidden = false;
+                panel.querySelectorAll('[data-grant-user]').forEach(function (cb) {
+                  cb.addEventListener('change', function () {
+                    var uid = cb.getAttribute('data-grant-user');
+                    var base = '/api/tables/' + encodeURIComponent(tableName) + '/rows/' + encodeURIComponent(id) + '/grants';
+                    var req = cb.checked
+                      ? fetchJson(base, { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ user_id: uid }) })
+                      : fetchJson(base + '/' + encodeURIComponent(uid), { method: 'DELETE' });
+                    cb.disabled = true;
+                    req.then(function () {
+                      var list = access.grantees || (access.grantees = []);
+                      var at = list.indexOf(uid);
+                      if (cb.checked && at === -1) list.push(uid);
+                      if (!cb.checked && at !== -1) list.splice(at, 1);
+                      var infoEl = content.querySelector('#detail-vis-info');
+                      if (infoEl) infoEl.textContent = 'Shared with specific people (' + list.length + ')';
+                      invalidate(tableName);
+                    }).catch(function (e) {
+                      cb.checked = !cb.checked; // revert the failed change
+                      showToast('Access update failed: ' + e.message, {});
+                    }).then(function () { cb.disabled = false; });
+                  });
+                });
+                if (access.visibility === 'custom') {
+                  var infoEl = content.querySelector('#detail-vis-info');
+                  if (infoEl) infoEl.textContent = 'Shared with specific people (' + (access.grantees || []).length + ')';
+                }
+              }).catch(function (e) { showToast('Could not load members: ' + e.message, {}); });
+            });
+          });
+
           // Junction link/unlink handlers (active in both read and edit modes).
           content.querySelectorAll('.remove-link').forEach(function (btn) {
             btn.addEventListener('click', function (e) {
@@ -11007,6 +11367,18 @@ var appJs = `
             '</span>' +
           '</div>'
         : '';
+      // Owner-only "new rows default to" control, shown for a shared table.
+      var defaultVis = (t && t.defaultRowVisibility) || 'private';
+      var defaultVisRow = canShare && isShared
+        ? '<label>New rows default to</label>' +
+          '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
+            '<select id="dm-rowvis-select">' +
+              '<option value="private"' + (defaultVis === 'private' ? ' selected' : '') + '>Private (owner only)</option>' +
+              '<option value="everyone"' + (defaultVis === 'everyone' ? ' selected' : '') + '>Everyone on the workspace</option>' +
+            '</select>' +
+            '<span style="font-size:12px;color:var(--text-muted)">Visibility new rows in this table are created with.</span>' +
+          '</div>'
+        : '';
       panel.innerHTML =
         '<h3>' + d.icon + ' ' + escapeHtml(d.label) + '</h3>' +
         '<div class="dm-edit-grid">' +
@@ -11021,6 +11393,7 @@ var appJs = `
             '<button class="btn" id="dm-icon-btn" style="margin-top:6px;">Save</button>' +
           '</div>' +
           shareRow +
+          defaultVisRow +
           '<label>Columns</label>' +
           '<div>' +
             '<div class="dm-cols">' + (columnsHtml || '<span class="muted">No columns</span>') + '</div>' +
@@ -11072,6 +11445,22 @@ var appJs = `
           }).catch(function (e) { showToast('Share update failed: ' + e.message, {}); });
         });
       });
+
+      var rowvisSelect = panel.querySelector('#dm-rowvis-select');
+      if (rowvisSelect) rowvisSelect.addEventListener('change', function () {
+        var next = rowvisSelect.value;
+        withBusy(rowvisSelect, function () {
+          return fetchJson('/api/schema/entities/' + encodeURIComponent(tableName) + '/default-row-visibility', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ visibility: next }),
+          }).then(function () {
+            return dmRefreshPanel(tableName, false);
+          }).then(function () {
+            showToast(next === 'everyone' ? 'New rows now default to everyone' : 'New rows now default to private', {});
+          }).catch(function (e) { showToast('Default visibility update failed: ' + e.message, {}); });
+        });
+      });
     }
 
     /**
@@ -11759,6 +12148,7 @@ var appJs = `
       // enters per-DB things (cloud URL + DB name) in this modal.
       fetchJson('/api/userconfig/identity').then(function (id) {
         var bodyHtml =
+          '<p style="font-size:12px;color:#ef4444;margin:0 0 8px">Direct postgres:// connections are deprecated and do not enforce row-level permissions \u2014 use a hosted Lattice Teams URL (https://\u2026) instead.</p>' +
           '<div class="field"><label>Cloud URL</label>' +
             '<input name="cloud_url" placeholder="postgres://postgres.&lt;ref&gt;:password@aws-x-region.pooler.supabase.com:5432/postgres" autocapitalize="off" autocorrect="off" spellcheck="false" />' +
           '</div>' +
@@ -11786,6 +12176,7 @@ var appJs = `
     function showJoinTeamModal(kind) {
       fetchJson('/api/userconfig/identity').then(function (id) {
         var bodyHtml =
+          '<p style="font-size:12px;color:#ef4444;margin:0 0 8px">Direct postgres:// connections are deprecated and do not enforce row-level permissions \u2014 use a hosted Lattice Teams URL (https://\u2026) instead.</p>' +
           '<div class="field"><label>Cloud URL</label>' +
             '<input name="cloud_url" placeholder="postgres://postgres.&lt;ref&gt;:password@aws-x-region.pooler.supabase.com:5432/postgres" autocapitalize="off" autocorrect="off" spellcheck="false" />' +
           '</div>' +
@@ -13122,7 +13513,7 @@ var appJs = `
         // scheduleRealtimeRefresh is debounced (200ms) so a burst from one
         // ingest still coalesces into a single refetch \u2014 and on Postgres/cloud
         // it shares that debounce with the realtime 'change' handler (no double
-        // fetch). See Rule 28: /api/entities uses batched counts, not N queries.
+        // fetch). /api/entities batches its row counts into one query, not N.
         if (data && (data.table || data.op === 'schema')) {
           scheduleRealtimeRefresh();
         }
@@ -13768,6 +14159,10 @@ var guiAppHtml = `<!doctype html>
       </svg>
     </button>
   </header>
+  <div class="deprecation-banner" id="deprecation-banner" hidden>
+    <span id="deprecation-banner-text"></span>
+    <button id="deprecation-banner-dismiss" title="Dismiss for this session" aria-label="Dismiss">\u2715</button>
+  </div>
   <div class="layout">
     <nav class="sidebar">
       <label class="sidebar-advanced toggle" title="Advanced mode \u2014 row/table editor instead of the file workspace">
@@ -13962,7 +14357,13 @@ var CLOUD_INTERNAL_TABLE_DEFS = {
       // Client-generated idempotency key for offline replay: a queued edit
       // carries a stable edit_id, so re-sending it after a reconnect is a
       // no-op rather than a duplicate write. Nullable + additive.
-      edit_id: "TEXT"
+      edit_id: "TEXT",
+      // Per-recipient targeting for 2.2 hard row-level sync. NULL =
+      // broadcast (delivered to every member, then filtered at pull time
+      // against __lattice_row_acl); non-null = targeted to exactly this
+      // user (the grant / revoke / delete fan-out). Nullable + additive,
+      // same precedent as client_ts / edit_id.
+      recipient_user_id: "TEXT"
     },
     render: () => "",
     outputFile: ".lattice-teams/change-log.md"
@@ -13978,6 +14379,44 @@ var CLOUD_INTERNAL_TABLE_DEFS = {
     primaryKey: ["team_id", "table_name", "pk"],
     render: () => "",
     outputFile: ".lattice-teams/row-links.md"
+  },
+  // Per-row access control for a team cloud (2.2 row-level permissions).
+  // Mirrors __lattice_object_owners at row granularity: each shared row
+  // has an owner (its creator) and a visibility. Enforcement is at the
+  // application layer (see src/teams/row-access.ts) — every member shares
+  // the same physical DB, so a row a user can't see must be filtered out
+  // before its bytes reach them. Kept out-of-band (never injected into
+  // user tables) so the user's own schema stays untouched.
+  __lattice_row_acl: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT NOT NULL",
+      pk: "TEXT NOT NULL",
+      owner_user_id: "TEXT NOT NULL",
+      // 'private' = owner only · 'everyone' = all team members ·
+      // 'custom' = the explicit grant list in __lattice_row_grants.
+      visibility: "TEXT NOT NULL CHECK (visibility IN ('private', 'everyone', 'custom'))",
+      created_at: "TEXT NOT NULL",
+      updated_at: "TEXT NOT NULL"
+    },
+    primaryKey: ["team_id", "table_name", "pk"],
+    render: () => "",
+    outputFile: ".lattice-teams/row-acl.md"
+  },
+  // Explicit per-row grant list, consulted only when the owning row's
+  // __lattice_row_acl.visibility = 'custom'. One row per (row, grantee).
+  __lattice_row_grants: {
+    columns: {
+      team_id: "TEXT NOT NULL",
+      table_name: "TEXT NOT NULL",
+      pk: "TEXT NOT NULL",
+      grantee_user_id: "TEXT NOT NULL",
+      granted_by_user_id: "TEXT NOT NULL",
+      granted_at: "TEXT NOT NULL"
+    },
+    primaryKey: ["team_id", "table_name", "pk", "grantee_user_id"],
+    render: () => "",
+    outputFile: ".lattice-teams/row-grants.md"
   }
 };
 var LOCAL_INTERNAL_TABLE_DEFS = {
@@ -14078,6 +14517,341 @@ async function installCloudInternalTriggers(db) {
   };
   await db.migrate([migration]);
 }
+async function installRowPermsSchema(db) {
+  const migrations = [
+    {
+      // 01 — per-table default visibility for newly-created rows. Born
+      // 'private' unless the table owner opts the table into 'everyone';
+      // the backfill (06) flips already-shared tables to preserve pre-2.2
+      // visibility. No IF NOT EXISTS: the version guard runs this exactly
+      // once, which is what SQLite's ADD COLUMN needs (it has no
+      // IF NOT EXISTS form).
+      version: "internal:row-perms:01-default-row-visibility:v1",
+      sql: `ALTER TABLE "__lattice_shared_objects" ADD COLUMN "default_row_visibility" TEXT NOT NULL DEFAULT 'private' CHECK ("default_row_visibility" IN ('private', 'everyone'))`
+    },
+    {
+      // 02-05 — indexes. One CREATE INDEX per migration (single-statement
+      // for the SQLite path). IF NOT EXISTS is valid in both dialects.
+      version: "internal:row-perms:02-idx-change-log-team-seq:v1",
+      sql: `CREATE INDEX IF NOT EXISTS "idx_lattice_change_log_team_seq" ON "__lattice_change_log" ("team_id", "seq")`
+    },
+    {
+      version: "internal:row-perms:03-idx-change-log-team-recipient-seq:v1",
+      sql: `CREATE INDEX IF NOT EXISTS "idx_lattice_change_log_team_recipient_seq" ON "__lattice_change_log" ("team_id", "recipient_user_id", "seq")`
+    },
+    {
+      version: "internal:row-perms:04-idx-change-log-team-table-pk:v1",
+      sql: `CREATE INDEX IF NOT EXISTS "idx_lattice_change_log_team_table_pk" ON "__lattice_change_log" ("team_id", "table_name", "pk")`
+    },
+    {
+      version: "internal:row-perms:05-idx-row-grants-grantee:v1",
+      sql: `CREATE INDEX IF NOT EXISTS "idx_lattice_row_grants_grantee" ON "__lattice_row_grants" ("team_id", "grantee_user_id", "table_name", "pk")`
+    },
+    {
+      // 06 — upgrade backfill. Every already-shared table defaults to
+      // 'everyone' so pre-2.2 rows stay visible to all members (nothing
+      // disappears on upgrade). Pre-2.2 rows have no __lattice_row_acl
+      // entry; resolveRowAcl() folds in this table default, so they read
+      // as 'everyone' until an owner narrows an individual row. Runs once.
+      version: "internal:row-perms:06-backfill-shared-defaults:v1",
+      sql: `UPDATE "__lattice_shared_objects" SET "default_row_visibility" = 'everyone' WHERE "deleted_at" IS NULL`
+    }
+  ];
+  await db.migrate(migrations);
+}
+
+// src/teams/row-access.ts
+var RowAccessError = class extends Error {
+  code = "row_access_denied";
+  constructor(message = "Row not accessible") {
+    super(message);
+    this.name = "RowAccessError";
+  }
+};
+var RowOwnerOnlyError = class extends Error {
+  code = "row_owner_only";
+  constructor(message = "Only the row owner may change its sharing") {
+    super(message);
+    this.name = "RowOwnerOnlyError";
+  }
+};
+function isRowVisibility(v) {
+  return v === "private" || v === "everyone" || v === "custom";
+}
+async function tableDefaultVisibility(db, teamId, table) {
+  const rows = await db.query("__lattice_shared_objects", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "deleted_at", op: "isNull" }
+    ],
+    limit: 1
+  });
+  return rows[0]?.default_row_visibility === "everyone" ? "everyone" : "private";
+}
+async function tableOwner(db, teamId, table) {
+  const owners = await db.query("__lattice_object_owners", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table }
+    ],
+    limit: 1
+  });
+  const ownerId = owners[0]?.owner_user_id;
+  if (typeof ownerId === "string" && ownerId) return ownerId;
+  const shared = await db.query("__lattice_shared_objects", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "deleted_at", op: "isNull" }
+    ],
+    limit: 1
+  });
+  const createdBy = shared[0]?.created_by_user_id;
+  return typeof createdBy === "string" ? createdBy : "";
+}
+async function rawAclRow(db, teamId, table, pk) {
+  const rows = await db.query("__lattice_row_acl", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "pk", op: "eq", val: pk }
+    ],
+    limit: 1
+  });
+  return rows[0];
+}
+async function resolveRowAcl(db, teamId, table, pk) {
+  const acl = await rawAclRow(db, teamId, table, pk);
+  if (acl && isRowVisibility(acl.visibility)) {
+    return { ownerUserId: String(acl.owner_user_id), visibility: acl.visibility };
+  }
+  const [visibility, owner] = await Promise.all([
+    tableDefaultVisibility(db, teamId, table),
+    tableOwner(db, teamId, table)
+  ]);
+  return { ownerUserId: owner, visibility };
+}
+async function hasRowGrant(db, teamId, table, pk, userId) {
+  if (!userId) return false;
+  const grants = await db.query("__lattice_row_grants", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "pk", op: "eq", val: pk },
+      { col: "grantee_user_id", op: "eq", val: userId }
+    ],
+    limit: 1
+  });
+  return grants.length > 0;
+}
+async function canAccessRow(db, teamId, table, pk, userId) {
+  const acl = await resolveRowAcl(db, teamId, table, pk);
+  if (userId && acl.ownerUserId === userId) return true;
+  if (acl.visibility === "everyone") return true;
+  if (acl.visibility === "custom") return hasRowGrant(db, teamId, table, pk, userId);
+  return false;
+}
+async function listVisibleRows(db, teamId, table, userId, opts = {}) {
+  const [owner, def] = await Promise.all([
+    tableOwner(db, teamId, table),
+    tableDefaultVisibility(db, teamId, table)
+  ]);
+  const noAclVisible = def === "everyone" || userId !== "" && owner === userId;
+  return db.queryVisible(table, { teamId, userId, noAclVisible, ...opts });
+}
+async function recordRowAcl(db, teamId, table, pk, ownerUserId, visibility) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const existing = await rawAclRow(db, teamId, table, pk);
+  await db.upsert("__lattice_row_acl", {
+    team_id: teamId,
+    table_name: table,
+    pk,
+    owner_user_id: ownerUserId,
+    visibility,
+    created_at: existing?.created_at ?? now,
+    updated_at: now
+  });
+}
+async function requireOwner(db, teamId, table, pk, actorUserId) {
+  const existing = await rawAclRow(db, teamId, table, pk);
+  const owner = existing ? String(existing.owner_user_id) : await tableOwner(db, teamId, table);
+  if (!actorUserId || owner !== actorUserId) throw new RowOwnerOnlyError();
+  return { existing, owner };
+}
+async function setRowVisibility(db, teamId, table, pk, actorUserId, visibility) {
+  const { existing, owner } = await requireOwner(db, teamId, table, pk, actorUserId);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  await db.upsert("__lattice_row_acl", {
+    team_id: teamId,
+    table_name: table,
+    pk,
+    owner_user_id: owner,
+    visibility,
+    created_at: existing?.created_at ?? now,
+    updated_at: now
+  });
+}
+async function addRowGrant(db, teamId, table, pk, granteeUserId, grantedByUserId) {
+  const { existing, owner } = await requireOwner(db, teamId, table, pk, grantedByUserId);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const currentVis = existing && isRowVisibility(existing.visibility) ? existing.visibility : await tableDefaultVisibility(db, teamId, table);
+  const nextVis = currentVis === "everyone" ? "everyone" : "custom";
+  await db.upsert("__lattice_row_acl", {
+    team_id: teamId,
+    table_name: table,
+    pk,
+    owner_user_id: owner,
+    visibility: nextVis,
+    created_at: existing?.created_at ?? now,
+    updated_at: now
+  });
+  await db.upsert("__lattice_row_grants", {
+    team_id: teamId,
+    table_name: table,
+    pk,
+    grantee_user_id: granteeUserId,
+    granted_by_user_id: grantedByUserId,
+    granted_at: now
+  });
+}
+async function removeRowGrant(db, teamId, table, pk, granteeUserId, actorUserId) {
+  await requireOwner(db, teamId, table, pk, actorUserId);
+  await db.delete("__lattice_row_grants", {
+    team_id: teamId,
+    table_name: table,
+    pk,
+    grantee_user_id: granteeUserId
+  });
+}
+async function rowAccessSummaries(db, teamId, table, userId, pks) {
+  const out = /* @__PURE__ */ new Map();
+  if (pks.length === 0) return out;
+  const acls = await db.query("__lattice_row_acl", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table }
+    ]
+  });
+  const aclByPk = new Map(acls.map((a) => [String(a.pk), a]));
+  const [owner, def] = await Promise.all([
+    tableOwner(db, teamId, table),
+    tableDefaultVisibility(db, teamId, table)
+  ]);
+  for (const pk of pks) {
+    const a = aclByPk.get(pk);
+    const ownerUserId = a ? String(a.owner_user_id) : owner;
+    const visibility = a && isRowVisibility(a.visibility) ? a.visibility : def;
+    out.set(pk, { owner_user_id: ownerUserId, visibility, ownedByMe: ownerUserId === userId });
+  }
+  return out;
+}
+async function filterVisiblePks(db, teamId, table, userId, pks) {
+  const out = /* @__PURE__ */ new Set();
+  if (pks.length === 0) return out;
+  const acls = await db.query("__lattice_row_acl", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "pk", op: "in", val: pks }
+    ]
+  });
+  const aclByPk = new Map(acls.map((a) => [String(a.pk), a]));
+  const [owner, def] = await Promise.all([
+    tableOwner(db, teamId, table),
+    tableDefaultVisibility(db, teamId, table)
+  ]);
+  const customPks = [];
+  for (const pk of pks) {
+    const a = aclByPk.get(pk);
+    const ownerUserId = a ? String(a.owner_user_id) : owner;
+    const visibility = a && isRowVisibility(a.visibility) ? a.visibility : def;
+    if (userId && ownerUserId === userId) {
+      out.add(pk);
+    } else if (visibility === "everyone") {
+      out.add(pk);
+    } else if (visibility === "custom" && userId) {
+      customPks.push(pk);
+    }
+  }
+  if (customPks.length > 0) {
+    const grants = await db.query("__lattice_row_grants", {
+      filters: [
+        { col: "team_id", op: "eq", val: teamId },
+        { col: "table_name", op: "eq", val: table },
+        { col: "grantee_user_id", op: "eq", val: userId },
+        { col: "pk", op: "in", val: customPks }
+      ]
+    });
+    for (const g of grants) out.add(String(g.pk));
+  }
+  return out;
+}
+async function usersWithRowAccess(db, teamId, table, pk, candidateUserIds) {
+  const out = [];
+  for (const uid of candidateUserIds) {
+    if (await canAccessRow(db, teamId, table, pk, uid)) out.push(uid);
+  }
+  return out;
+}
+async function deleteRowAcl(db, teamId, table, pk) {
+  await db.delete("__lattice_row_acl", { team_id: teamId, table_name: table, pk });
+  const grants = await db.query("__lattice_row_grants", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "pk", op: "eq", val: pk }
+    ]
+  });
+  for (const g of grants) {
+    await db.delete("__lattice_row_grants", {
+      team_id: teamId,
+      table_name: table,
+      pk,
+      grantee_user_id: g.grantee_user_id
+    });
+  }
+}
+async function rowGrantees(db, teamId, table, pk) {
+  const grants = await db.query("__lattice_row_grants", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table },
+      { col: "pk", op: "eq", val: pk }
+    ]
+  });
+  return grants.map((g) => String(g.grantee_user_id));
+}
+async function visibleRowEdits(db, teamId, table, userId, scanLimit = 2e3) {
+  const scan = await db.query("__lattice_change_log", {
+    filters: [
+      { col: "team_id", op: "eq", val: teamId },
+      { col: "table_name", op: "eq", val: table }
+    ],
+    orderBy: "seq",
+    orderDir: "desc",
+    limit: scanLimit
+  });
+  const visible = await listVisibleRows(db, teamId, table, userId, { limit: 5e3, deleted: "any" });
+  const visiblePks = new Set(visible.map((r) => String(r.id)));
+  const edits = {};
+  for (const r of scan) {
+    if (!r.pk || edits[r.pk] || !visiblePks.has(r.pk)) continue;
+    edits[r.pk] = { ownerUserId: r.owner_user_id, at: r.client_ts ?? r.created_at };
+  }
+  return edits;
+}
+async function setTableDefaultVisibility(db, teamId, table, actorUserId, visibility) {
+  const owner = await tableOwner(db, teamId, table);
+  if (!actorUserId || owner !== actorUserId) {
+    throw new RowOwnerOnlyError("Only the table owner may change the default row visibility");
+  }
+  await db.update(
+    "__lattice_shared_objects",
+    { team_id: teamId, table_name: table },
+    { default_row_visibility: visibility, updated_at: (/* @__PURE__ */ new Date()).toISOString() }
+  );
+}
 
 // src/teams/server/auth.ts
 import { createHash as createHash2, randomBytes as randomBytes4, timingSafeEqual } from "crypto";
@@ -14095,123 +14869,48 @@ function extractBearer(req) {
   return token;
 }
 function hashToken(rawToken) {
-  return createHash2("sha256").update(rawToken).digest("hex");
-}
-function generateToken() {
-  const raw = `${TOKEN_PREFIX}${randomBytes4(TOKEN_BYTES).toString("hex")}`;
-  return { raw, hash: hashToken(raw) };
-}
-function generateInviteToken() {
-  const raw = `${INVITE_PREFIX}${randomBytes4(INVITE_BYTES).toString("hex")}`;
-  return { raw, hash: hashToken(raw) };
-}
-async function authenticate(req, db) {
-  const raw = extractBearer(req);
-  if (!raw) return null;
-  const incomingHash = hashToken(raw);
-  const rows = await db.query("__lattice_api_tokens", {
-    filters: [
-      { col: "token_hash", op: "eq", val: incomingHash },
-      { col: "revoked_at", op: "isNull" }
-    ],
-    limit: 1
-  });
-  const tokenRow = rows[0];
-  if (!tokenRow) return null;
-  const storedBuf = Buffer.from(tokenRow.token_hash, "hex");
-  const incomingBuf = Buffer.from(incomingHash, "hex");
-  if (storedBuf.length !== incomingBuf.length || !timingSafeEqual(storedBuf, incomingBuf)) {
-    return null;
-  }
-  const userRow = await db.get("__lattice_users", tokenRow.user_id);
-  if (!userRow || userRow.deleted_at) return null;
-  db.update("__lattice_api_tokens", tokenRow.id, {
-    last_used_at: (/* @__PURE__ */ new Date()).toISOString()
-  }).catch(() => void 0);
-  return {
-    user: { id: userRow.id, email: userRow.email, name: userRow.name },
-    tokenId: tokenRow.id
-  };
-}
-
-// src/teams/register-direct.ts
-function isPostgresUrl(url) {
-  return /^postgres(ql)?:\/\//i.test(url);
-}
-async function registerDirectViaPostgres(cloudUrl, email, name, teamName) {
-  if (!isPostgresUrl(cloudUrl)) {
-    throw new Error(
-      `registerDirectViaPostgres: cloudUrl must be a postgres:// URL (got ${cloudUrl.slice(0, 12)}\u2026)`
-    );
-  }
-  const db = new Lattice(cloudUrl);
-  try {
-    await db.init();
-    for (const [table, def] of Object.entries(CLOUD_INTERNAL_TABLE_DEFS)) {
-      await db.defineLate(table, def);
-    }
-    const existing = await db.query("__lattice_users", {
-      filters: [{ col: "deleted_at", op: "isNull" }],
-      limit: 1
-    });
-    if (existing.length > 0) {
-      throw new Error(
-        "Registration is disabled. This cloud already has users \u2014 join via invitation."
-      );
-    }
-    let identity = null;
-    try {
-      identity = await db.get("__lattice_team_identity", "singleton");
-    } catch {
-      identity = null;
-    }
-    if (identity) {
-      throw new Error("This cloud already has a team. Use Connect to existing cloud instead.");
-    }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const userId = await db.insert("__lattice_users", {
-      email,
-      name,
-      created_at: now,
-      updated_at: now
-    });
-    const { raw, hash } = generateToken();
-    await db.insert("__lattice_api_tokens", {
-      user_id: userId,
-      token_hash: hash,
-      name: `creator:${teamName}`,
-      created_at: now
-    });
-    const teamId = await db.insert("__lattice_team", {
-      name: teamName,
-      created_by_user_id: userId,
-      created_at: now,
-      updated_at: now
-    });
-    await db.insert("__lattice_team_members", {
-      team_id: teamId,
-      user_id: userId,
-      role: "creator",
-      joined_at: now
-    });
-    await db.insert("__lattice_team_identity", {
-      id: "singleton",
-      team_id: teamId,
-      team_name: teamName,
-      creator_email: email,
-      created_at: now
-    });
-    return {
-      user: { id: userId, email, name },
-      raw_token: raw,
-      team: { id: teamId, name: teamName, role: "creator" }
-    };
-  } finally {
-    try {
-      db.close();
-    } catch {
-    }
+  return createHash2("sha256").update(rawToken).digest("hex");
+}
+function generateToken() {
+  const raw = `${TOKEN_PREFIX}${randomBytes4(TOKEN_BYTES).toString("hex")}`;
+  return { raw, hash: hashToken(raw) };
+}
+function generateInviteToken() {
+  const raw = `${INVITE_PREFIX}${randomBytes4(INVITE_BYTES).toString("hex")}`;
+  return { raw, hash: hashToken(raw) };
+}
+async function authenticate(req, db) {
+  const raw = extractBearer(req);
+  if (!raw) return null;
+  const incomingHash = hashToken(raw);
+  const rows = await db.query("__lattice_api_tokens", {
+    filters: [
+      { col: "token_hash", op: "eq", val: incomingHash },
+      { col: "revoked_at", op: "isNull" }
+    ],
+    limit: 1
+  });
+  const tokenRow = rows[0];
+  if (!tokenRow) return null;
+  const storedBuf = Buffer.from(tokenRow.token_hash, "hex");
+  const incomingBuf = Buffer.from(incomingHash, "hex");
+  if (storedBuf.length !== incomingBuf.length || !timingSafeEqual(storedBuf, incomingBuf)) {
+    return null;
   }
+  const userRow = await db.get("__lattice_users", tokenRow.user_id);
+  if (!userRow || userRow.deleted_at) return null;
+  db.update("__lattice_api_tokens", tokenRow.id, {
+    last_used_at: (/* @__PURE__ */ new Date()).toISOString()
+  }).catch(() => void 0);
+  return {
+    user: { id: userRow.id, email: userRow.email, name: userRow.name },
+    tokenId: tokenRow.id
+  };
+}
+
+// src/teams/register-direct.ts
+function isPostgresUrl(url) {
+  return /^postgres(ql)?:\/\//i.test(url);
 }
 
 // src/teams/schema-spec.ts
@@ -14483,7 +15182,8 @@ async function appendChangeEnvelope(db, entry) {
     owner_user_id: entry.owner_user_id ?? null,
     created_at: now,
     client_ts: entry.client_ts ?? now,
-    edit_id: entry.edit_id ?? null
+    edit_id: entry.edit_id ?? null,
+    recipient_user_id: entry.recipient_user_id ?? null
   });
   return seq;
 }
@@ -14533,7 +15233,14 @@ async function shareObject(db, teamId, createdByUserId, table, spec) {
       created_by_user_id: createdByUserId,
       created_at: prior?.created_at ?? now,
       updated_at: now,
-      deleted_at: null
+      deleted_at: null,
+      // 2.2: a freshly-shared table defaults to 'everyone' so the existing
+      // "share a table → every member sees its rows" contract is preserved.
+      // The owner can narrow the table default (or individual rows) afterward.
+      // Re-share (the branch above) intentionally omits this so an owner's
+      // earlier choice survives a schema bump (the upsert only sets the
+      // columns it lists).
+      default_row_visibility: "everyone"
     });
   }
   await applySchemaSpec(db, table, outSpec);
@@ -14627,88 +15334,26 @@ async function destroyTeamDirect(db) {
   }
   await db.delete("__lattice_team_identity", "singleton");
 }
-async function redeemInviteDirect(cloudUrl, inviteToken, email, name) {
-  if (!isPostgresUrl(cloudUrl)) {
-    throw new Error(
-      `redeemInviteDirect: cloudUrl must be a postgres:// URL (got ${cloudUrl.slice(0, 12)}\u2026)`
-    );
-  }
-  const db = new Lattice(cloudUrl);
-  try {
-    await db.init();
-    for (const [table, def] of Object.entries(CLOUD_INTERNAL_TABLE_DEFS)) {
-      await db.defineLate(table, def);
-    }
-    await installCloudInternalTriggers(db);
-    const invites = await db.query("__lattice_invitations", {
-      filters: [
-        { col: "token_hash", op: "eq", val: hashToken(inviteToken) },
-        { col: "redeemed_at", op: "isNull" }
-      ],
-      limit: 1
-    });
-    const invite = invites[0];
-    if (!invite) {
-      throw new Error("Invitation invalid or already used");
-    }
-    if (invite.expires_at && new Date(invite.expires_at).getTime() < Date.now()) {
-      throw new Error("Invitation expired");
-    }
-    if (invite.invitee_email && invite.invitee_email.toLowerCase() !== email.toLowerCase()) {
-      throw new Error("Invitation is addressed to a different email");
-    }
-    const team = await db.get("__lattice_team", invite.team_id);
-    if (!team || team.deleted_at) {
-      throw new Error("Team no longer exists");
-    }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const userId = await db.insert("__lattice_users", {
-      email,
-      name,
-      created_at: now,
-      updated_at: now
-    });
-    await db.insert("__lattice_team_members", {
-      team_id: invite.team_id,
-      user_id: userId,
-      role: "member",
-      joined_at: now
-    });
-    const { raw, hash } = generateToken();
-    await db.insert("__lattice_api_tokens", {
-      user_id: userId,
-      token_hash: hash,
-      name: `invited:${team.name}`,
-      created_at: now
-    });
-    await db.update("__lattice_invitations", invite.id, {
-      redeemed_at: now,
-      redeemed_by_user_id: userId
-    });
-    return {
-      user: { id: userId, email, name },
-      raw_token: raw,
-      team: { id: team.id, name: team.name }
-    };
-  } finally {
-    try {
-      db.close();
-    } catch {
-    }
-  }
-}
+var directDeprecationWarned = false;
 async function openCloud(cloudUrl) {
   if (!isPostgresUrl(cloudUrl)) {
     throw new Error(
       `direct-ops: cloudUrl must be a postgres:// URL (got ${cloudUrl.slice(0, 12)}\u2026)`
     );
   }
+  if (!directDeprecationWarned) {
+    directDeprecationWarned = true;
+    console.warn(
+      "[teams] Direct postgres:// team-cloud connection is deprecated and does NOT enforce 2.2 row-level security. Migrate to a hosted Lattice Teams server."
+    );
+  }
   const db = new Lattice(cloudUrl);
   await db.init();
   for (const [table, def] of Object.entries(CLOUD_INTERNAL_TABLE_DEFS)) {
     await db.defineLate(table, def);
   }
   await installCloudInternalTriggers(db);
+  await installRowPermsSchema(db);
   return db;
 }
 function closeQuiet(db) {
@@ -15189,6 +15834,23 @@ var FeedBus = class {
   }
 };
 
+// src/gui/search-acl.ts
+async function filterSearchGroupsByAcl(db, teamId, userId, result) {
+  const groups = [];
+  for (const group of result.groups) {
+    const visible = await filterVisiblePks(
+      db,
+      teamId,
+      group.table,
+      userId,
+      group.hits.map((h) => h.id)
+    );
+    const hits = group.hits.filter((h) => visible.has(h.id));
+    if (hits.length > 0) groups.push({ ...group, hits, count: hits.length });
+  }
+  return { ...result, groups };
+}
+
 // src/gui/mutations.ts
 function rowLabel2(row) {
   if (!row || typeof row !== "object") return null;
@@ -15318,6 +15980,10 @@ async function emitTeamEnvelope(ctx, table, pk, op, after) {
 async function createRow(ctx, table, values) {
   const id = await ctx.db.insert(table, values);
   const row = await ctx.db.get(table, id);
+  if (ctx.team) {
+    const vis = await tableDefaultVisibility(ctx.db, ctx.team.teamId, table);
+    await recordRowAcl(ctx.db, ctx.team.teamId, table, id, ctx.team.myUserId, vis);
+  }
   await appendAudit(ctx.db, ctx.feed, table, id, "insert", null, row, ctx.source, ctx.sessionId);
   await emitTeamEnvelope(ctx, table, id, "upsert", row);
   return { id, row };
@@ -15341,6 +16007,9 @@ async function updateRow(ctx, table, id, values) {
   if (before === null) {
     throw new Error(`Cannot update "${table}": no row with id "${id}"`);
   }
+  if (ctx.team && !await canAccessRow(ctx.db, ctx.team.teamId, table, id, ctx.team.myUserId)) {
+    throw new RowAccessError();
+  }
   await ctx.db.update(table, id, values);
   const after = await ctx.db.get(table, id);
   if (after != null) {
@@ -15370,6 +16039,9 @@ async function deleteRow(ctx, table, id, hard) {
   if (before === null) {
     throw new Error(`Cannot delete from "${table}": no row with id "${id}"`);
   }
+  if (ctx.team && !await canAccessRow(ctx.db, ctx.team.teamId, table, id, ctx.team.myUserId)) {
+    throw new RowAccessError();
+  }
   if (!hard && ctx.softDeletable.has(table)) {
     await ctx.db.update(table, id, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
     const after = await ctx.db.get(table, id);
@@ -16426,25 +17098,30 @@ async function autoUnlinkUserRows(db, teamId, userId) {
     ]
   });
   for (const link of links) {
-    await db.delete("__lattice_row_links", {
-      team_id: link.team_id,
-      table_name: link.table_name,
-      pk: link.pk
-    });
-    try {
-      await db.delete(link.table_name, link.pk);
-    } catch {
-    }
+    await tearDownSharedRow(db, link.team_id, link.table_name, link.pk, link.owner_user_id);
+  }
+  return links.length;
+}
+async function tearDownSharedRow(db, teamId, tableName, pk, ownerUserId) {
+  const members = (await listTeamMembers(db, teamId)).map((m) => m.user_id);
+  const permitted = await usersWithRowAccess(db, teamId, tableName, pk, members);
+  await db.delete("__lattice_row_links", { team_id: teamId, table_name: tableName, pk });
+  try {
+    await db.delete(tableName, pk);
+  } catch {
+  }
+  for (const uid of permitted) {
     await appendChangeEnvelope(db, {
-      team_id: link.team_id,
-      table_name: link.table_name,
-      pk: link.pk,
+      team_id: teamId,
+      table_name: tableName,
+      pk,
       op: "unlink",
       payload_json: null,
-      owner_user_id: link.owner_user_id
+      owner_user_id: ownerUserId,
+      recipient_user_id: uid
     });
   }
-  return links.length;
+  await deleteRowAcl(db, teamId, tableName, pk);
 }
 async function isObjectShared(db, teamId, tableName) {
   const rows = await db.query("__lattice_shared_objects", {
@@ -16560,15 +17237,12 @@ async function handleListChanges(res, ctx, teamId, params) {
   const since = sinceRaw !== null && /^\d+$/.test(sinceRaw) ? Number(sinceRaw) : 0;
   const limitParsed = limitRaw !== null && /^\d+$/.test(limitRaw) ? Number(limitRaw) : 500;
   const limit = Math.min(Math.max(limitParsed, 1), 1e3);
-  const rows = await ctx.db.query("__lattice_change_log", {
-    filters: [
-      { col: "team_id", op: "eq", val: teamId },
-      { col: "seq", op: "gt", val: since }
-    ],
-    orderBy: "seq",
-    orderDir: "asc",
+  const rows = await ctx.db.listChangesForRecipient(
+    teamId,
+    since,
+    ctx.authContext.user.id,
     limit
-  });
+  );
   const envelopes = rows.map((r) => ({
     seq: r.seq,
     table_name: r.table_name,
@@ -16630,6 +17304,10 @@ async function handleLinkRow(req, res, ctx, teamId, tableName) {
     });
   }
   await ctx.db.upsert(tableName, snapshot);
+  if (!existing) {
+    const vis = await tableDefaultVisibility(ctx.db, teamId, tableName);
+    await recordRowAcl(ctx.db, teamId, tableName, pk, ctx.authContext.user.id, vis);
+  }
   await appendChangeEnvelope(ctx.db, {
     team_id: teamId,
     table_name: tableName,
@@ -16675,23 +17353,7 @@ async function handleUnlinkRow(res, ctx, teamId, tableName, pk) {
     sendJson2(res, { error: "Only the row owner or team creator can unlink" }, 403);
     return;
   }
-  await ctx.db.delete("__lattice_row_links", {
-    team_id: teamId,
-    table_name: tableName,
-    pk
-  });
-  try {
-    await ctx.db.delete(tableName, pk);
-  } catch {
-  }
-  await appendChangeEnvelope(ctx.db, {
-    team_id: teamId,
-    table_name: tableName,
-    pk,
-    op: "unlink",
-    payload_json: null,
-    owner_user_id: link.owner_user_id
-  });
+  await tearDownSharedRow(ctx.db, teamId, tableName, pk, link.owner_user_id);
   sendJson2(res, { ok: true });
 }
 async function handlePushRow(req, res, ctx, teamId, tableName) {
@@ -16762,23 +17424,7 @@ async function handleDeleteRow(res, ctx, teamId, tableName, pk) {
     sendJson2(res, { error: "Only the row owner can delete the row" }, 403);
     return;
   }
-  await ctx.db.delete("__lattice_row_links", {
-    team_id: teamId,
-    table_name: tableName,
-    pk
-  });
-  try {
-    await ctx.db.delete(tableName, pk);
-  } catch {
-  }
-  await appendChangeEnvelope(ctx.db, {
-    team_id: teamId,
-    table_name: tableName,
-    pk,
-    op: "unlink",
-    payload_json: null,
-    owner_user_id: link.owner_user_id
-  });
+  await tearDownSharedRow(ctx.db, teamId, tableName, pk, link.owner_user_id);
   sendJson2(res, { ok: true });
 }
 
@@ -16828,6 +17474,7 @@ async function probeCloud(targetUrl) {
 }
 
 // src/teams/client.ts
+var DIRECT_CLOUD_DEPRECATION_MESSAGE = "Direct postgres:// team-cloud connections are deprecated and do not support row-level security. Create or join a workspace through a hosted Lattice Teams server (an http(s):// URL) instead. Existing direct connections continue to work but should be migrated.";
 var TeamsClient = class {
   constructor(local) {
     this.local = local;
@@ -16860,6 +17507,9 @@ var TeamsClient = class {
    * members join via `redeemInvite`). Returns the new user + bearer
    * token + team summary so the caller can immediately save a
    * connection.
+   *
+   * @param teamName The workspace display name (stored as `team_name` for
+   * backward compatibility — a cloud IS a workspace with members).
    */
   async register(cloudUrl, email, name, teamName) {
     return this.fetchUnauthed(cloudUrl, "POST", "/api/auth/register", {
@@ -16870,7 +17520,7 @@ var TeamsClient = class {
   }
   async redeemInvite(cloudUrl, inviteToken, email, name) {
     if (isPostgresUrl(cloudUrl)) {
-      return redeemInviteDirect(cloudUrl, inviteToken, email, name);
+      throw new Error(DIRECT_CLOUD_DEPRECATION_MESSAGE);
     }
     return this.fetchUnauthed(cloudUrl, "POST", "/api/auth/redeem-invite", {
       invite_token: inviteToken,
@@ -16881,9 +17531,11 @@ var TeamsClient = class {
   // ── High-level orchestration (v1.13+) ───────────────────────────────────
   // Wraps the multi-step flows the GUI's Database panel + library
   // consumers both need: connecting to an existing cloud DB (with
-  // optional team join), and upgrading a non-team cloud into a team
-  // cloud. The HTTP routes in src/gui/dbconfig-routes.ts are thin
-  // shells over these methods.
+  // optional team join), and initializing a fresh cloud DB's owner so
+  // its members + per-table sharing surface exists. A cloud workspace IS
+  // a workspace with members — there is no separate "team" to convert to.
+  // The HTTP routes in src/gui/dbconfig-routes.ts are thin shells over
+  // these methods.
   /**
    * Connect a local project to an existing cloud DB by URL. Probes
    * the target for team status first; if it's a teams DB, the caller
@@ -16932,15 +17584,18 @@ var TeamsClient = class {
     return { probe };
   }
   /**
-   * Upgrade an already-connected cloud DB to a team DB. Two paths
-   * depending on the cloud URL's scheme:
+   * Initialize a fresh cloud DB's owner: register the first member (who
+   * becomes owner) so the cloud's members + per-table sharing surface
+   * exists. This is NOT a "convert a cloud into a team" step — a cloud
+   * workspace IS a workspace with members; this just bootstraps the owner
+   * the first time a cloud is opened. The hosted server path is the only
+   * supported one:
    *
    *   - `http(s)://…` — POST to the cloud's `/api/auth/register` endpoint
-   *     (`lattice serve --team-cloud` is fronting the Postgres).
-   *   - `postgres(ql)://…` — drive the same INSERT sequence directly
-   *     against the cloud Postgres via {@link registerDirectViaPostgres}.
-   *     The HTTP path can't be used here because the browser's Fetch
-   *     API refuses URLs with embedded credentials.
+   *     (a hosted `lattice serve` teams server is fronting the Postgres).
+   *   - `postgres(ql)://…` — rejected: direct postgres:// owner bootstrap
+   *     is deprecated. Row-level security is enforced by the hosted server,
+   *     so it is the only supported connection method for new workspaces.
    *
    * On success writes the bearer token to `~/.lattice/keys/<label>.token`
    * **and** persists the local `__lattice_team_connections` row so the
@@ -16950,8 +17605,11 @@ var TeamsClient = class {
    * the token file, leaving GUI authenticated calls with no
    * `cloud_url` + `my_user_id` + `api_token_encrypted` row to read.
    */
-  async upgradeToTeamCloud(opts) {
-    const reg = isPostgresUrl(opts.cloudUrl) ? await registerDirectViaPostgres(opts.cloudUrl, opts.email, opts.displayName, opts.teamName) : await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
+  async registerCloudOwner(opts) {
+    if (isPostgresUrl(opts.cloudUrl)) {
+      throw new Error(DIRECT_CLOUD_DEPRECATION_MESSAGE);
+    }
+    const reg = await this.register(opts.cloudUrl, opts.email, opts.displayName, opts.teamName);
     writeToken(opts.label, reg.raw_token);
     await this.saveConnection({
       team_id: reg.team.id,
@@ -16984,7 +17642,7 @@ var TeamsClient = class {
     }
     try {
       const displayName = opts.displayName?.trim() ? opts.displayName : opts.email;
-      await this.upgradeToTeamCloud({
+      await this.registerCloudOwner({
         label: opts.label,
         cloudUrl: opts.cloudUrl,
         teamName: opts.workspaceName,
@@ -18243,7 +18901,11 @@ async function handleRegisterAndCreate(req, res, ctx) {
     sendJson(res, { error: "cloud_url, email, user_name, team_name required" }, 400);
     return;
   }
-  const reg = isPostgresUrl(cloudUrl) ? await registerDirectViaPostgres(cloudUrl, email, userName, teamName) : await ctx.client.register(cloudUrl, email, userName, teamName);
+  if (isPostgresUrl(cloudUrl)) {
+    sendJson(res, { error: DIRECT_CLOUD_DEPRECATION_MESSAGE }, 400);
+    return;
+  }
+  const reg = await ctx.client.register(cloudUrl, email, userName, teamName);
   await ctx.client.saveConnection({
     team_id: reg.team.id,
     team_name: reg.team.name,
@@ -18669,7 +19331,10 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         // without a local `__lattice_team_connections` row (which doesn't
         // exist when the team cloud itself is the active database).
         teamId: ctx.teamMembership?.teamId ?? null,
-        myUserId: ctx.teamMembership?.myUserId ?? null
+        myUserId: ctx.teamMembership?.myUserId ?? null,
+        // Deprecated direct postgres:// team connection present → the SPA
+        // shows the migrate-to-hosted deprecation banner.
+        directCloud: ctx.directCloud
       });
     });
     return true;
@@ -19872,7 +20537,10 @@ async function executeFunction(ctx, name, args) {
     db: ctx.db,
     feed: ctx.feed,
     softDeletable: ctx.softDeletable,
-    source: "ai"
+    source: "ai",
+    // Thread the team through so create/update/delete enforce the row ACL for
+    // the assistant exactly as they do for the HTTP API.
+    team: ctx.team ?? null
   };
   try {
     switch (name) {
@@ -19886,14 +20554,24 @@ async function executeFunction(ctx, name, args) {
       }
       case "list_rows": {
         const table = requireTable(args.table, ctx.validTables);
-        const opts = { limit: 200 };
-        if (ctx.softDeletable.has(table) && args.includeDeleted !== true) {
-          opts.filters = [{ col: "deleted_at", op: "isNull" }];
-        }
+        const includeDeleted = args.includeDeleted === true;
         const cols = ctx.db.getRegisteredColumns(table);
-        opts.orderBy = cols && "created_at" in cols ? "created_at" : ctx.db.getPrimaryKey(table)[0] ?? "id";
-        opts.orderDir = "asc";
-        const rows = await ctx.db.query(table, opts);
+        const orderBy = cols && "created_at" in cols ? "created_at" : ctx.db.getPrimaryKey(table)[0] ?? "id";
+        let rows;
+        if (ctx.team) {
+          rows = await listVisibleRows(ctx.db, ctx.team.teamId, table, ctx.team.myUserId, {
+            limit: 200,
+            orderBy,
+            orderDir: "asc",
+            deleted: ctx.softDeletable.has(table) && includeDeleted ? "any" : "exclude"
+          });
+        } else {
+          const opts = { limit: 200, orderBy, orderDir: "asc" };
+          if (ctx.softDeletable.has(table) && !includeDeleted) {
+            opts.filters = [{ col: "deleted_at", op: "isNull" }];
+          }
+          rows = await ctx.db.query(table, opts);
+        }
         const secretCols = await secretColumnsFor(ctx.db, table);
         return { ok: true, result: rows.map((r) => redactRow(r, secretCols)) };
       }
@@ -19902,6 +20580,9 @@ async function executeFunction(ctx, name, args) {
         const id = requireString3(args.id, "id");
         const row = await ctx.db.get(table, id);
         if (row === null) return { ok: false, error: "Row not found" };
+        if (ctx.team && !await canAccessRow(ctx.db, ctx.team.teamId, table, id, ctx.team.myUserId)) {
+          return { ok: false, error: "Row not found" };
+        }
         return { ok: true, result: redactRow(row, await secretColumnsFor(ctx.db, table)) };
       }
       case "search": {
@@ -19912,10 +20593,18 @@ async function executeFunction(ctx, name, args) {
           tables = tables.filter((t) => want.has(t));
         }
         const limit = typeof args.limit === "number" ? args.limit : 8;
-        const result = await fullTextSearch(ctx.db.adapter, tables, {
+        let result = await fullTextSearch(ctx.db.adapter, tables, {
           query,
           limitPerTable: limit
         });
+        if (ctx.team) {
+          result = await filterSearchGroupsByAcl(
+            ctx.db,
+            ctx.team.teamId,
+            ctx.team.myUserId,
+            result
+          );
+        }
         return { ok: true, result };
       }
       case "create_row": {
@@ -20673,6 +21362,7 @@ async function dispatchChatRoute(req, res, ctx) {
     validTables: new Set([...ctx.validTables].filter((t) => !ASSISTANT_HIDDEN_TABLES.has(t))),
     junctionTables: new Set([...ctx.junctionTables].filter((t) => !ASSISTANT_HIDDEN_TABLES.has(t))),
     softDeletable: ctx.softDeletable,
+    ...ctx.team ? { team: ctx.team } : {},
     ...ctx.createEntity ? { createEntity: ctx.createEntity } : {},
     ...ctx.createJunction ? { createJunction: ctx.createJunction } : {},
     ...ctx.deleteEntity ? { deleteEntity: ctx.deleteEntity } : {}
@@ -21795,6 +22485,41 @@ async function countManyPostgres(adapter, tableNames) {
   }
   return out;
 }
+var EXACT_COUNT_CAP = 50;
+async function exactCountMany(adapter, tableNames, softDeleteTables) {
+  const out = /* @__PURE__ */ new Map();
+  if (tableNames.length === 0) return out;
+  if (!adapter.getAsync) return out;
+  let names = tableNames;
+  if (names.length > EXACT_COUNT_CAP) {
+    const dropped = names.length - EXACT_COUNT_CAP;
+    console.warn(
+      `[count-many] exact-count subset capped at ${String(EXACT_COUNT_CAP)} tables; ${String(dropped)} suspicious table(s) keep their approximate count this pass`
+    );
+    names = names.slice(0, EXACT_COUNT_CAP);
+  }
+  const selects = names.map((name, i) => {
+    assertSafeIdentifier(name, "table");
+    const where = softDeleteTables.has(name) ? ` WHERE "deleted_at" IS NULL` : "";
+    return `(SELECT count(*) FROM "${name}"${where}) AS c${String(i)}`;
+  });
+  let row;
+  try {
+    row = await adapter.getAsync(`SELECT ${selects.join(", ")}`);
+  } catch (err) {
+    console.warn(
+      `[count-many] exact-count fallback skipped (${err.message}); using approximate counts`
+    );
+    return out;
+  }
+  if (!row) return out;
+  names.forEach((name, i) => {
+    const v = row[`c${String(i)}`];
+    const n = typeof v === "bigint" ? Number(v) : Number(v);
+    if (Number.isFinite(n) && n >= 0) out.set(name, n);
+  });
+  return out;
+}
 
 // src/gui/server.ts
 function sendText(res, body, status = 200, contentType = "text/plain; charset=utf-8") {
@@ -21853,17 +22578,64 @@ async function entitiesWithCounts(db, configPath, outputDir, teamContext) {
   if (teamContext) {
     allTables = allTables.filter((t) => isVisibleInTeam(t.name, teamContext));
   }
+  const rowVisDefaults = /* @__PURE__ */ new Map();
+  const sharedCreatedBy = /* @__PURE__ */ new Map();
+  if (teamContext) {
+    const sharedObjs = await db.query("__lattice_shared_objects", {
+      filters: [
+        { col: "team_id", op: "eq", val: teamContext.teamId },
+        { col: "deleted_at", op: "isNull" }
+      ]
+    });
+    for (const r of sharedObjs) {
+      rowVisDefaults.set(
+        String(r.table_name),
+        r.default_row_visibility === "everyone" ? "everyone" : "private"
+      );
+      if (typeof r.created_by_user_id === "string") {
+        sharedCreatedBy.set(String(r.table_name), r.created_by_user_id);
+      }
+    }
+  }
+  let visibleCounts = /* @__PURE__ */ new Map();
+  if (teamContext) {
+    const tc = teamContext;
+    const specs = allTables.map((t) => {
+      const def = rowVisDefaults.get(t.name) ?? "private";
+      const owner = tc.owners.get(t.name) ?? sharedCreatedBy.get(t.name) ?? "";
+      return {
+        table: t.name,
+        noAclVisible: def === "everyone" || tc.myUserId !== "" && owner === tc.myUserId
+      };
+    });
+    visibleCounts = await db.countVisibleMany(specs, {
+      teamId: tc.teamId,
+      userId: tc.myUserId
+    });
+  }
   const adapter = db._adapter;
-  const useBatched = adapter.dialect === "postgres" && typeof adapter.allAsync === "function";
+  const useBatched = !teamContext && adapter.dialect === "postgres" && typeof adapter.allAsync === "function";
   const approxCounts = useBatched ? await countManyPostgres(
     adapter,
     allTables.map((t) => t.name)
   ) : /* @__PURE__ */ new Map();
+  let exactCounts = /* @__PURE__ */ new Map();
+  if (useBatched) {
+    const suspicious = allTables.map((t) => t.name).filter((n) => (approxCounts.get(n) ?? 0) === 0);
+    if (suspicious.length > 0) {
+      const softDeleteTables = new Set(
+        allTables.filter((t) => t.columns.includes("deleted_at")).map((t) => t.name)
+      );
+      exactCounts = await exactCountMany(adapter, suspicious, softDeleteTables);
+    }
+  }
   const enrichedTables = await Promise.all(
     allTables.map(async (t) => {
       let rowCount;
-      if (useBatched) {
-        rowCount = approxCounts.get(t.name) ?? null;
+      if (teamContext) {
+        rowCount = visibleCounts.get(t.name) ?? null;
+      } else if (useBatched) {
+        rowCount = exactCounts.get(t.name) ?? approxCounts.get(t.name) ?? null;
       } else {
         rowCount = t.columns.includes("deleted_at") ? await db.count(t.name, { filters: [{ col: "deleted_at", op: "isNull" }] }) : await db.count(t.name);
       }
@@ -21877,6 +22649,8 @@ async function entitiesWithCounts(db, configPath, outputDir, teamContext) {
         base.ownedByMe = teamContext.owners.get(t.name) === teamContext.myUserId;
         const ver = teamContext.sharedVersions.get(t.name);
         if (ver !== void 0) base.schemaVersion = ver;
+        const dv = rowVisDefaults.get(t.name);
+        if (dv) base.defaultRowVisibility = dv;
       }
       return base;
     })
@@ -21885,6 +22659,14 @@ async function entitiesWithCounts(db, configPath, outputDir, teamContext) {
 }
 var FRESHNESS_COLS = ["updated_at", "created_at", "ts"];
 var DASHBOARD_STALE_DAYS = 14;
+function requireTeamContext(active, res) {
+  const ctx = active.teamContext;
+  if (!ctx) {
+    sendJson(res, { error: "Row permissions require a team cloud" }, 400);
+    return null;
+  }
+  return ctx;
+}
 function operatorOwnsTable(teamContext, table) {
   if (!teamContext) return true;
   return teamContext.owners.get(table) === teamContext.myUserId;
@@ -22174,6 +22956,13 @@ async function openConfig(configPath, outputDir, autoRender = false) {
       if (!isVisibleInTeam(name, teamContext)) validTables.delete(name);
     }
   }
+  let directTeamConnection = false;
+  try {
+    const conns = await teamsClient.listConnections();
+    directTeamConnection = conns.some((c) => isPostgresUrl(c.cloud_url));
+  } catch (e) {
+    console.warn("[openConfig] could not check for direct team connections:", e.message);
+  }
   let realtime = null;
   if (db.getDialect() === "postgres") {
     try {
@@ -22214,6 +23003,7 @@ async function openConfig(configPath, outputDir, autoRender = false) {
     teamsClient,
     validTables,
     teamContext,
+    directTeamConnection,
     junctionTables,
     entityContextByTable,
     manifest,
@@ -22317,6 +23107,18 @@ async function registerTeamCloudTables(db) {
     await db.defineLate(name, def);
   }
   await installCloudInternalTriggers(db);
+  await installRowPermsSchema(db);
+}
+async function emitRowChangeSignal(db, team, table, pk) {
+  const row = await db.get(table, pk);
+  await appendChangeEnvelope(db, {
+    team_id: team.teamId,
+    table_name: table,
+    pk,
+    op: "upsert",
+    payload_json: row ? JSON.stringify(row) : null,
+    owner_user_id: team.myUserId
+  });
 }
 async function syncUserIdentityRow(db) {
   const identity = readIdentity();
@@ -22642,10 +23444,19 @@ data: ${JSON.stringify(data)}
             );
             tables = tables.filter((t) => want.has(t));
           }
-          sendJson(
-            res,
-            await fullTextSearch(active.db.adapter, tables, { query: q, limitPerTable: limit })
-          );
+          let result = await fullTextSearch(active.db.adapter, tables, {
+            query: q,
+            limitPerTable: limit
+          });
+          if (active.teamContext) {
+            result = await filterSearchGroupsByAcl(
+              active.db,
+              active.teamContext.teamId,
+              active.teamContext.myUserId,
+              result
+            );
+          }
+          sendJson(res, result);
           return;
         }
         if (method === "GET" && pathname === "/api/team/users") {
@@ -22846,6 +23657,78 @@ data: ${JSON.stringify(data)}
           sendJson(res, result.body, result.status);
           return;
         }
+        {
+          const m = /^\/api\/tables\/([^/]+)\/rows\/([^/]+)\/visibility$/.exec(pathname);
+          if (method === "POST" && m) {
+            const ctx = requireTeamContext(active, res);
+            if (!ctx) return;
+            const table = decodeURIComponent(m[1] ?? "");
+            const rowId = decodeURIComponent(m[2] ?? "");
+            const body = await readJson(req);
+            const vis = body.visibility;
+            if (vis !== "private" && vis !== "everyone" && vis !== "custom") {
+              sendJson(res, { error: "visibility must be private, everyone, or custom" }, 400);
+              return;
+            }
+            await setRowVisibility(active.db, ctx.teamId, table, rowId, ctx.myUserId, vis);
+            await emitRowChangeSignal(active.db, ctx, table, rowId);
+            sendJson(res, { ok: true });
+            return;
+          }
+        }
+        {
+          const m = /^\/api\/tables\/([^/]+)\/rows\/([^/]+)\/grants$/.exec(pathname);
+          if (method === "POST" && m) {
+            const ctx = requireTeamContext(active, res);
+            if (!ctx) return;
+            const table = decodeURIComponent(m[1] ?? "");
+            const rowId = decodeURIComponent(m[2] ?? "");
+            const body = await readJson(req);
+            let granteeId = typeof body.user_id === "string" ? body.user_id : "";
+            if (!granteeId && typeof body.email === "string") {
+              granteeId = await resolveUserIdByEmail(active.db, body.email) ?? "";
+            }
+            if (!granteeId) {
+              sendJson(res, { error: "user_id or a resolvable email is required" }, 400);
+              return;
+            }
+            await addRowGrant(active.db, ctx.teamId, table, rowId, granteeId, ctx.myUserId);
+            await emitRowChangeSignal(active.db, ctx, table, rowId);
+            sendJson(res, { ok: true });
+            return;
+          }
+        }
+        {
+          const m = /^\/api\/tables\/([^/]+)\/rows\/([^/]+)\/grants\/([^/]+)$/.exec(pathname);
+          if (method === "DELETE" && m) {
+            const ctx = requireTeamContext(active, res);
+            if (!ctx) return;
+            const table = decodeURIComponent(m[1] ?? "");
+            const rowId = decodeURIComponent(m[2] ?? "");
+            const granteeId = decodeURIComponent(m[3] ?? "");
+            await removeRowGrant(active.db, ctx.teamId, table, rowId, granteeId, ctx.myUserId);
+            await emitRowChangeSignal(active.db, ctx, table, rowId);
+            sendJson(res, { ok: true });
+            return;
+          }
+        }
+        {
+          const m = /^\/api\/schema\/entities\/([^/]+)\/default-row-visibility$/.exec(pathname);
+          if (method === "POST" && m) {
+            const ctx = requireTeamContext(active, res);
+            if (!ctx) return;
+            const table = decodeURIComponent(m[1] ?? "");
+            const body = await readJson(req);
+            const vis = body.visibility;
+            if (vis !== "private" && vis !== "everyone") {
+              sendJson(res, { error: "visibility must be private or everyone" }, 400);
+              return;
+            }
+            await setTableDefaultVisibility(active.db, ctx.teamId, table, ctx.myUserId, vis);
+            sendJson(res, { ok: true });
+            return;
+          }
+        }
         if (method === "GET" && pathname === "/api/gui-meta/columns") {
           const rows = await active.db.query("_lattice_gui_column_meta", {});
           const out = {};
@@ -23940,6 +24823,10 @@ data: ${JSON.stringify(data)}
             sendJson(res, { error: `Unknown table: ${table}` }, 400);
             return;
           }
+          if (!await canAccessRow(active.db, tctx.teamId, table, rowId, tctx.myUserId)) {
+            sendJson(res, { error: "Row not found" }, 404);
+            return;
+          }
           const limit = Math.min(200, Math.max(1, Number(url2.searchParams.get("limit") ?? "50")));
           const rows = await active.db.query("__lattice_change_log", {
             filters: [
@@ -23974,20 +24861,7 @@ data: ${JSON.stringify(data)}
             sendJson(res, { error: `Unknown table: ${table}` }, 400);
             return;
           }
-          const scan = await active.db.query("__lattice_change_log", {
-            filters: [
-              { col: "team_id", op: "eq", val: tctx.teamId },
-              { col: "table_name", op: "eq", val: table }
-            ],
-            orderBy: "seq",
-            orderDir: "desc",
-            limit: 2e3
-          });
-          const edits = {};
-          for (const r of scan) {
-            if (!r.pk || edits[r.pk]) continue;
-            edits[r.pk] = { ownerUserId: r.owner_user_id, at: r.client_ts ?? r.created_at };
-          }
+          const edits = await visibleRowEdits(active.db, tctx.teamId, table, tctx.myUserId);
           sendJson(res, { edits });
           return;
         }
@@ -24029,13 +24903,31 @@ data: ${JSON.stringify(data)}
               const limit = Number(url2.searchParams.get("limit") ?? "500");
               const offset = Number(url2.searchParams.get("offset") ?? "0");
               const deletedMode = url2.searchParams.get("deleted");
-              const queryOpts = { limit, offset };
-              if (active.softDeletable.has(table) && deletedMode !== "any") {
-                queryOpts.filters = [
-                  { col: "deleted_at", op: deletedMode === "only" ? "isNotNull" : "isNull" }
-                ];
+              let rows;
+              if (active.teamContext) {
+                const tc = active.teamContext;
+                rows = await listVisibleRows(active.db, tc.teamId, table, tc.myUserId, {
+                  limit,
+                  offset,
+                  deleted: deletedMode === "any" ? "any" : deletedMode === "only" ? "only" : "exclude"
+                });
+                const summaries = await rowAccessSummaries(
+                  active.db,
+                  tc.teamId,
+                  table,
+                  tc.myUserId,
+                  rows.map((r) => String(r.id))
+                );
+                rows = rows.map((r) => ({ ...r, _access: summaries.get(String(r.id)) ?? null }));
+              } else {
+                const queryOpts = { limit, offset };
+                if (active.softDeletable.has(table) && deletedMode !== "any") {
+                  queryOpts.filters = [
+                    { col: "deleted_at", op: deletedMode === "only" ? "isNotNull" : "isNull" }
+                  ];
+                }
+                rows = await active.db.query(table, queryOpts);
               }
-              const rows = await active.db.query(table, queryOpts);
               sendJson(res, { rows });
               return;
             }
@@ -24052,6 +24944,19 @@ data: ${JSON.stringify(data)}
                 sendJson(res, { error: "Row not found" }, 404);
                 return;
               }
+              if (active.teamContext) {
+                const tc = active.teamContext;
+                if (!await canAccessRow(active.db, tc.teamId, table, id, tc.myUserId)) {
+                  sendJson(res, { error: "Row not found" }, 404);
+                  return;
+                }
+                const summary = (await rowAccessSummaries(active.db, tc.teamId, table, tc.myUserId, [id])).get(
+                  id
+                ) ?? null;
+                const access = summary?.ownedByMe ? { ...summary, grantees: await rowGrantees(active.db, tc.teamId, table, id) } : summary;
+                sendJson(res, { ...row, _access: access });
+                return;
+              }
               sendJson(res, row);
               return;
             }
@@ -24144,6 +25049,7 @@ data: ${JSON.stringify(data)}
             validTables: active.validTables,
             junctionTables: active.junctionTables,
             softDeletable: active.softDeletable,
+            team: active.teamContext ? { teamId: active.teamContext.teamId, myUserId: active.teamContext.myUserId } : null,
             // The assistant can create tables + relationships on request — same
             // audited, no-reopen primitives the Context Constructor uses.
             createEntity: (name, columns) => createUserEntity(active, name, columns, sessionId),
@@ -24193,6 +25099,7 @@ data: ${JSON.stringify(data)}
               teamId: active.teamContext.teamId,
               myUserId: active.teamContext.myUserId
             } : null,
+            directCloud: active.directTeamConnection,
             swap: async () => {
               const next = await openConfig(active.configPath, active.outputDir, autoRender);
               await disposeActive(active);
@@ -24204,6 +25111,14 @@ data: ${JSON.stringify(data)}
         sendJson(res, { error: "Not found" }, 404);
       } catch (err) {
         const e = err;
+        if (e.code === "row_access_denied") {
+          sendJson(res, { error: "Row not found" }, 404);
+          return;
+        }
+        if (e.code === "row_owner_only") {
+          sendJson(res, { error: e.message }, 403);
+          return;
+        }
         console.error(
           `[gui] ${req.method ?? "?"} ${req.url ?? "?"} failed: ${e.message}
 ${e.stack ?? ""}`
@@ -24916,7 +25831,7 @@ function printHelp() {
       "  status      Dry-run reconcile \u2014 show what would change without writing",
       "  watch       Poll for changes and re-render on each cycle",
       "  gui         Start a local browser GUI for exploring Lattice context",
-      "  serve       Start a server-mode lattice (use --team-cloud for Lattice Teams)",
+      "  serve       Start a server-mode lattice (add --team-cloud to host a shared cloud for remote members)",
       "  teams       Manage Lattice Teams (run `lattice teams help` for subcommands)",
       "  update      Upgrade latticesql to the latest version",
       "",
@@ -24961,7 +25876,11 @@ function printHelp() {
       "  --output <dir>         Output directory for rendered context (default: ./context)",
       "  --host <addr>          Bind address (default: 127.0.0.1; use 0.0.0.0 to expose)",
       "  --port <number>        Port (default: 4317; auto-increments if busy)",
-      "  --team-cloud           Enable Lattice Teams cloud mode (bearer auth required)",
+      "  --team-cloud           Host this cloud as a shared server for remote members (bearer auth).",
+      "                         A cloud already IS a workspace with members; this only adds the",
+      "                         auth-gated HTTP surface so other people can connect. Omit it to",
+      "                         open the cloud yourself (you connect directly; eye-icon row",
+      "                         permissions are active).",
       "",
       "Options (init / workspace):",
       "  --root <dir>           The .lattice root location (default: discovered or ./.lattice)",
@@ -25205,7 +26124,7 @@ async function runServe(args) {
       openBrowser: false,
       teamCloud: args.teamCloud
     });
-    const label = args.teamCloud ? "Lattice team cloud" : "Lattice server";
+    const label = args.teamCloud ? "Lattice shared cloud server" : "Lattice server";
     console.log(`${label} listening on ${args.host}:${String(handle.port)} (${handle.url})`);
     console.log("Press Ctrl+C to stop.");
     const shutdown = () => {