latticesql 3.0.0 → 3.1.0

package/dist/cli.js

@@ -3590,7 +3590,7 @@ var init_getProfileName = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getSSOTokenFilepath.js
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 import { join as join17 } from "path";
 var getSSOTokenFilepath;
 var init_getSSOTokenFilepath = __esm({
@@ -3598,7 +3598,7 @@ var init_getSSOTokenFilepath = __esm({
     "use strict";
     init_getHomeDir();
     getSSOTokenFilepath = (id) => {
-      const hasher = createHash2("sha1");
+      const hasher = createHash3("sha1");
       const cacheName = hasher.update(id).digest("hex");
       return join17(getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
     };
@@ -5374,7 +5374,7 @@ var init_endpoints2 = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/serde/hash-node/hash-node.js
-import { createHash as createHash3, createHmac } from "crypto";
+import { createHash as createHash4, createHmac } from "crypto";
 function castSourceData(toCast, encoding) {
   if (Buffer.isBuffer(toCast)) {
     return toCast;
@@ -5409,7 +5409,7 @@ var init_hash_node = __esm({
         return Promise.resolve(this.hash.digest());
       }
       reset() {
-        this.hash = this.secret ? createHmac(this.algorithmIdentifier, castSourceData(this.secret)) : createHash3(this.algorithmIdentifier);
+        this.hash = this.secret ? createHmac(this.algorithmIdentifier, castSourceData(this.secret)) : createHash4(this.algorithmIdentifier);
       }
     };
   }
@@ -34053,7 +34053,7 @@ var init_signin = __esm({
 });
 
 // node_modules/@aws-sdk/credential-provider-login/dist-es/LoginCredentialsFetcher.js
-import { createHash as createHash4, createPrivateKey, createPublicKey, sign } from "crypto";
+import { createHash as createHash5, createPrivateKey, createPublicKey, sign } from "crypto";
 import { promises as fs2 } from "fs";
 import { homedir as homedir5 } from "os";
 import { dirname as dirname10, join as join22 } from "path";
@@ -34220,7 +34220,7 @@ var init_LoginCredentialsFetcher = __esm({
       getTokenFilePath() {
         const directory = process.env.AWS_LOGIN_CACHE_DIRECTORY ?? join22(homedir5(), ".aws", "login", "cache");
         const loginSessionBytes = Buffer.from(this.loginSession, "utf8");
-        const loginSessionSha256 = createHash4("sha256").update(loginSessionBytes).digest("hex");
+        const loginSessionSha256 = createHash5("sha256").update(loginSessionBytes).digest("hex");
         return join22(directory, `${loginSessionSha256}.json`);
       }
       derToRawSignature(derSignature) {
@@ -42123,7 +42123,42 @@ function cleanupEntityContexts(outputDir, entityContexts, currentSlugsByTable, m
   return result;
 }
 
+// src/render/progress.ts
+var THROTTLE_WINDOW_MS = 200;
+var ProgressThrottle = class {
+  cb;
+  windowMs;
+  lastEmit = 0;
+  constructor(cb, windowMs = THROTTLE_WINDOW_MS) {
+    this.cb = cb;
+    this.windowMs = windowMs;
+  }
+  /**
+   * Emit a `table-progress` event, but only if the window since the last
+   * passthrough has elapsed. Dropped events are simply not delivered — the next
+   * one that survives carries the latest running count.
+   */
+  tick(event) {
+    if (!this.cb) return;
+    const now = Date.now();
+    if (now - this.lastEmit < this.windowMs) return;
+    this.lastEmit = now;
+    this.cb(event);
+  }
+  /**
+   * Emit a lifecycle event immediately and reset the throttle window. Use for
+   * `table-start`, `table-done`, `done`, and `error` — none of which should
+   * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+   */
+  force(event) {
+    if (!this.cb) return;
+    this.lastEmit = Date.now();
+    this.cb(event);
+  }
+};
+
 // src/render/engine.ts
+var YIELD_EVERY_ENTITIES = 200;
 var NOOP_RENDER = () => "";
 var RenderEngine = class {
   _schema;
@@ -42137,11 +42172,14 @@ var RenderEngine = class {
     this._getTaskContext = getTaskContext ?? (() => "");
     this._skipEmpty = options?.skipEmpty ?? false;
   }
-  async render(outputDir) {
+  async render(outputDir, opts = {}) {
     const start = Date.now();
     const filesWritten = [];
     const counters = { skipped: 0 };
+    const signal = opts.signal;
+    const throttle = new ProgressThrottle(opts.onProgress);
     for (const [name, def] of this._schema.getTables()) {
+      if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
       if (this._skipEmpty && def.render === NOOP_RENDER) continue;
       let rows = await this._schema.queryTable(this._adapter, name);
       if (def.relevanceFilter) {
@@ -42183,8 +42221,18 @@ var RenderEngine = class {
       } else {
         counters.skipped++;
       }
+      throttle.force({
+        kind: "table-done",
+        table: name,
+        entitiesRendered: rows.length,
+        entitiesTotal: rows.length,
+        tableIndex: 0,
+        tableCount: 0,
+        pct: 100
+      });
     }
-    for (const [, def] of this._schema.getMultis()) {
+    for (const [name, def] of this._schema.getMultis()) {
+      if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
       const keys = await def.keys();
       const tables = {};
       if (def.tables) {
@@ -42201,12 +42249,26 @@ var RenderEngine = class {
           counters.skipped++;
         }
       }
+      throttle.force({
+        kind: "table-done",
+        table: name,
+        entitiesRendered: keys.length,
+        entitiesTotal: keys.length,
+        tableIndex: 0,
+        tableCount: 0,
+        pct: 100
+      });
     }
     const entityContextManifest = await this._renderEntityContexts(
       outputDir,
       filesWritten,
-      counters
+      counters,
+      throttle,
+      signal
     );
+    if (entityContextManifest === null) {
+      return this._abortedResult(filesWritten, counters, start);
+    }
     if (this._schema.getEntityContexts().size > 0) {
       writeManifest(outputDir, {
         version: 2,
@@ -42214,6 +42276,29 @@ var RenderEngine = class {
         entityContexts: entityContextManifest
       });
     }
+    const result = {
+      filesWritten,
+      filesSkipped: counters.skipped,
+      durationMs: Date.now() - start
+    };
+    throttle.force({
+      kind: "done",
+      table: null,
+      entitiesRendered: 0,
+      entitiesTotal: 0,
+      tableIndex: 0,
+      tableCount: 0,
+      pct: 100,
+      durationMs: result.durationMs
+    });
+    return result;
+  }
+  /**
+   * Build the partial RenderResult to return when a render is aborted. No
+   * `done` event is emitted — the caller treats abort as "discard the partial
+   * tree", not as a successful completion.
+   */
+  _abortedResult(filesWritten, counters, start) {
     return {
       filesWritten,
       filesSkipped: counters.skipped,
@@ -42249,18 +42334,35 @@ var RenderEngine = class {
   /**
    * Render all entity context definitions.
    * Mutates `filesWritten` and `counters` in place.
-   * Returns manifest data for the entity contexts rendered this cycle.
+   * Returns manifest data for the entity contexts rendered this cycle, or
+   * `null` if the render was aborted mid-flight (the caller discards the
+   * partial tree). Progress is reported through `throttle`; abort is observed
+   * via `signal`.
    */
-  async _renderEntityContexts(outputDir, filesWritten, counters) {
+  async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
     const manifestData = {};
     const protectedTables = /* @__PURE__ */ new Set();
     for (const [t8, d6] of this._schema.getEntityContexts()) {
       if (d6.protected) protectedTables.add(t8);
     }
-    for (const [table, def] of this._schema.getEntityContexts()) {
+    const entityTables = [...this._schema.getEntityContexts()];
+    const tableCount = entityTables.length;
+    for (let tableIndex = 0; tableIndex < tableCount; tableIndex++) {
+      if (signal?.aborted) return null;
+      const [table, def] = entityTables[tableIndex];
       const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
       const allRows = await this._schema.queryTable(this._adapter, table);
       const directoryRoot = def.directoryRoot ?? table;
+      const entitiesTotal = allRows.length;
+      throttle.force({
+        kind: "table-start",
+        table,
+        entitiesRendered: 0,
+        entitiesTotal,
+        tableIndex,
+        tableCount,
+        pct: 0
+      });
       const manifestEntry = {
         directoryRoot,
         ...def.index ? { indexFile: def.index.outputFile } : {},
@@ -42276,7 +42378,12 @@ var RenderEngine = class {
           counters.skipped++;
         }
       }
-      for (const entityRow of allRows) {
+      for (let i6 = 0; i6 < allRows.length; i6++) {
+        const entityRow = allRows[i6];
+        if (signal?.aborted) return null;
+        if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
+          await new Promise((r6) => setImmediate(r6));
+        }
         const rawSlug = def.slug(entityRow);
         const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
         if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
@@ -42321,6 +42428,7 @@ var RenderEngine = class {
         const entityFileHashes = {};
         const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
         for (const [filename, spec] of Object.entries(def.files)) {
+          if (signal?.aborted) return null;
           const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
           const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
           const rows = await resolveEntitySource(
@@ -42368,8 +42476,27 @@ var RenderEngine = class {
           }
         }
         manifestEntry.entities[slug] = entityFileHashes;
+        const entitiesRendered = i6 + 1;
+        throttle.tick({
+          kind: "table-progress",
+          table,
+          entitiesRendered,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+        });
       }
       manifestData[table] = manifestEntry;
+      throttle.force({
+        kind: "table-done",
+        table,
+        entitiesRendered: entitiesTotal,
+        entitiesTotal,
+        tableIndex,
+        tableCount,
+        pct: 100
+      });
     }
     return manifestData;
   }
@@ -44369,6 +44496,54 @@ var Lattice = class _Lattice {
   async insert(table, row, provenance) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
+    const { sql, values, pkValue, rowWithPk } = this._prepareInsert(table, row);
+    await runAsyncOrSync(this._adapter, sql, values);
+    await this._afterInsert(table, pkValue, rowWithPk, provenance);
+    return pkValue;
+  }
+  /**
+   * Insert a row while atomically forcing its cloud row-visibility, regardless of
+   * the table's `default_row_visibility`. The per-table insert trigger reads a
+   * transaction-local GUC (`lattice.force_row_visibility`); we set it and run the
+   * INSERT inside a single transaction, so the row is stamped at `visibility` the
+   * instant it exists — it is never momentarily visible at the table default, and
+   * the change-feed `NOTIFY` (delivered only at COMMIT) fires when the row already
+   * carries this visibility. This closes the create-then-demote window that a
+   * plain `insert()` + `setRowVisibility()` would leave open.
+   *
+   * Postgres-only: SQLite is single-user (no cross-viewer leak) and has no trigger
+   * to read the GUC, so it degrades to a plain {@link insert}. A `never_share`
+   * table still wins — its rows are forced private even if `visibility` is
+   * `'everyone'` (the trigger enforces that precedence).
+   *
+   * @since 3.1.0
+   */
+  async insertForcingVisibility(table, row, visibility, provenance) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    const vis = visibility;
+    if (vis !== "private" && vis !== "everyone") {
+      throw new Error(`lattice: invalid forced visibility "${vis}"`);
+    }
+    const withClient = this._adapter.withClient?.bind(this._adapter);
+    if (this.getDialect() !== "postgres" || !withClient) {
+      return this.insert(table, row, provenance);
+    }
+    const { sql, values, pkValue, rowWithPk } = this._prepareInsert(table, row);
+    await withClient(async (tx) => {
+      await tx.run(`SELECT set_config('lattice.force_row_visibility', ?, true)`, [visibility]);
+      await tx.run(sql, values);
+    });
+    await this._afterInsert(table, pkValue, rowWithPk, provenance);
+    return pkValue;
+  }
+  /**
+   * Build the INSERT statement + canonical pk for a row (sanitize → schema-filter →
+   * auto-pk → encrypt). Shared by {@link insert} and {@link insertForcingVisibility}
+   * so both produce byte-identical writes; the latter only differs in running it
+   * inside a GUC-scoped transaction.
+   */
+  _prepareInsert(table, row) {
     this._assertIdent(table);
     const sanitized = this._filterToSchemaColumns(table, this._sanitizer.sanitizeRow(row));
     const pkCols = this._schema.getPrimaryKey(table);
@@ -44384,12 +44559,17 @@ var Lattice = class _Lattice {
     const cols = Object.keys(encrypted).map((c6) => `"${c6}"`).join(", ");
     const placeholders = Object.keys(encrypted).map(() => "?").join(", ");
     const values = Object.values(encrypted);
-    await runAsyncOrSync(
-      this._adapter,
-      `INSERT INTO "${table}" (${cols}) VALUES (${placeholders})`,
-      values
-    );
     const pkValue = this._serializeRowPk(table, rowWithPk);
+    return {
+      sql: `INSERT INTO "${table}" (${cols}) VALUES (${placeholders})`,
+      values,
+      pkValue,
+      rowWithPk
+    };
+  }
+  /** Post-insert side effects (changelog, audit, write hooks, embedding sync),
+   *  identical for the plain and force-visibility insert paths. */
+  async _afterInsert(table, pkValue, rowWithPk, provenance) {
     await this._appendChangelog(
       table,
       pkValue,
@@ -44403,7 +44583,6 @@ var Lattice = class _Lattice {
     this._sanitizer.emitAudit(table, "insert", pkValue);
     await this._fireWriteHooks(table, "insert", rowWithPk, pkValue);
     this._syncEmbedding(table, "insert", rowWithPk, pkValue);
-    return pkValue;
   }
   /**
    * Insert a row and return the full inserted row (including auto-generated
@@ -44470,6 +44649,7 @@ var Lattice = class _Lattice {
     const sanitized = this._filterToSchemaColumns(table, this._sanitizer.sanitizeRow(row));
     const encrypted = this._encryptRow(table, sanitized);
     const setCols = Object.keys(encrypted).map((c6) => `"${c6}" = ?`).join(", ");
+    if (setCols === "") return;
     const { clause, params: pkParams } = this._pkWhere(table, id);
     let previousValues = null;
     if (this._changelogTables.has(table)) {
@@ -45086,13 +45266,32 @@ var Lattice = class _Lattice {
   // -------------------------------------------------------------------------
   // Sync
   // -------------------------------------------------------------------------
-  async render(outputDir) {
+  async render(outputDir, opts = {}) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
-    const result = await this._render.render(outputDir);
+    const result = await this._render.render(outputDir, opts);
     for (const h6 of this._renderHandlers) h6(result);
     return result;
   }
+  /**
+   * Render into `outputDir` through the shared single-flight guard, intended to
+   * be called fire-and-forget (e.g. the GUI's instant-open background render).
+   *
+   * The guard ({@link _renderGuarded}) holds {@link _autoRenderInFlight} for the
+   * render's duration, so a data mutation that lands while this render is in
+   * flight is deferred by {@link _runAutoRender} and coalesced — when this
+   * render settles, `finally` clears the flag and re-arms exactly one follow-up
+   * render via {@link _rearmAutoRenderIfPending}. Net invariant: at most one
+   * render to a given dir at a time.
+   *
+   * Errors propagate to the caller (the GUI surfaces them, never silently swallowed); they are
+   * not swallowed here.
+   */
+  async renderInBackground(outputDir, opts = {}) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    return this._renderGuarded(outputDir, opts);
+  }
   async sync(outputDir) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
@@ -45434,6 +45633,30 @@ var Lattice = class _Lattice {
     }, this._autoRenderDebounceMs);
     this._autoRenderTimer.unref();
   }
+  /**
+   * Shared single-flight render path used by {@link renderInBackground}.
+   *
+   * Holds {@link _autoRenderInFlight} for the render's duration so the
+   * mutation-driven {@link _runAutoRender} defers while this render runs (it
+   * sees the flag and marks itself pending instead of starting a second,
+   * overlapping render). On settle, `finally` clears the flag and re-arms a
+   * single coalesced follow-up render if any mutation arrived mid-flight.
+   * Errors propagate to the caller; the flag is always cleared.
+   */
+  async _renderGuarded(outputDir, opts) {
+    while (this._autoRenderInFlight) {
+      await new Promise((r6) => setImmediate(r6));
+    }
+    this._autoRenderInFlight = true;
+    try {
+      const result = await this._render.render(outputDir, opts);
+      for (const h6 of this._renderHandlers) h6(result);
+      return result;
+    } finally {
+      this._autoRenderInFlight = false;
+      this._rearmAutoRenderIfPending();
+    }
+  }
   async _runAutoRender() {
     const dir = this._autoRenderDir;
     if (!dir || !this._initialized) return;
@@ -46580,6 +46803,12 @@ var css = `
     .db-button .db-status.is-cloud-connecting { background: var(--warn); }
     .db-button:hover { background: rgba(255, 255, 255, 0.08); }
     .db-button .db-caret { color: #9aa1ad; font-size: 10px; }
+    /* While a workspace switch is in flight, the stable header button shows a
+       spinner (swapped for the \u{1F4C2} icon) so the switch is visible for its whole
+       duration \u2014 POST + reloadEverything \u2014 not just while the dropdown is open. */
+    .db-button.is-switching { opacity: 0.85; cursor: progress; }
+    .db-button.is-switching .db-icon .spinner { margin-right: 0; }
+    .db-button.is-switching.is-switch-error .db-name { color: #ef4444; }
     .db-menu {
       position: absolute; top: 38px; left: 0;
       min-width: 260px; background: var(--glass-strong);
@@ -46744,6 +46973,7 @@ var css = `
       max-width: 1100px;
     }
     .card {
+      position: relative; overflow: hidden;
       background: var(--sheen), var(--surface); border: 1px solid var(--border);
       border-radius: 12px; padding: 22px;
       min-height: 160px;
@@ -46756,6 +46986,33 @@ var css = `
     .card-label { font-size: 15px; font-weight: 600; }
     .card-count { font-size: 28px; font-weight: 700; color: var(--text-muted); margin-top: auto; }
     .card-fresh { font-size: 11px; color: var(--text-muted); }
+    /* \u2500\u2500 Per-card background-render progress overlay \u2500\u2500\u2500\u2500\u2500
+       Hidden by default; .card.is-rendering reveals the bottom-edge bar + the
+       corner pill while the context tree is rendered in the background. The row
+       count dims so the live value reads as not-yet-final until completion. */
+    .card-render { display: none; }
+    .card.is-rendering .card-render { display: block; }
+    .card.is-rendering .card-count { opacity: 0.45; transition: opacity 0.2s ease; }
+    .card-render-fill {
+      position: absolute; left: 0; bottom: 0; height: 3px; width: 0%;
+      background: linear-gradient(90deg, var(--accent-deep), var(--accent));
+      transition: width 0.2s ease; pointer-events: none;
+    }
+    .card-render-pill {
+      position: absolute; top: 10px; right: 10px;
+      display: inline-flex; align-items: center; gap: 4px;
+      padding: 2px 8px; border-radius: 10px;
+      background: var(--accent-soft); color: var(--accent);
+      font-size: 11px; font-weight: 600; line-height: 1.4;
+      pointer-events: none;
+    }
+    /* The render pill reuses the shared .spinner + @keyframes lattice-spin. */
+    .card-render-pill .spinner { margin-right: 0; }
+    /* A render that errors out paints a red card state instead of a stuck
+       spinner (surface the failure, don't hide it). */
+    .card.is-render-error { border-color: #ef4444; }
+    .card.is-render-error .card-render-fill { background: #ef4444; }
+    .card.is-render-error .card-render-pill { background: rgba(239, 68, 68, 0.14); color: #ef4444; }
 
     /* \u2500\u2500 Table view \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
     .view-header {
@@ -47022,7 +47279,9 @@ var css = `
       padding: 10px 18px; border-radius: 999px;
       display: flex; align-items: center; gap: 14px;
       box-shadow: 0 8px 24px rgba(0, 0, 0, 0.2);
-      z-index: 200; font-size: 13.5px;
+      /* Above every overlay (.modal-backdrop is z-index 1000, drawers 120-130) so
+         an error thrown by an overlay screen is always visible on top. */
+      z-index: 2000; font-size: 13.5px;
       animation: toast-in 0.18s ease;
     }
     @keyframes toast-in {
@@ -47157,6 +47416,11 @@ var css = `
     .teams-page { padding: 24px 28px; max-width: 1000px; }
     .teams-page h2 { margin: 0 0 4px 0; font-size: 22px; }
     .teams-page .lead { color: var(--text-muted); margin-bottom: 24px; font-size: 13.5px; }
+    /* Workspace list (Lattice Settings): active row highlighted, others click-to-switch. */
+    .teams-page tr.ws-row { cursor: pointer; }
+    .teams-page tr.ws-row:hover td { background: var(--surface-2); }
+    .teams-page tr.ws-active td { background: var(--accent-soft); }
+    .teams-page tr.ws-active td:first-child { font-weight: 600; color: var(--accent); }
     .teams-actions { display: flex; gap: 8px; margin-bottom: 20px; flex-wrap: wrap; }
     .team-card {
       background: var(--sheen), var(--surface); border: 1px solid var(--border);
@@ -47601,6 +47865,13 @@ var css = `
     .rail-composer .composer-send:disabled { opacity: 0.4; cursor: default; box-shadow: none; }
     .rail-composer .composer-setup { font-size: 12.5px; color: var(--text-muted); text-align: center; }
     .rail-composer .composer-setup a { color: var(--accent); }
+    /* Private-mode toggle under the composer row. */
+    .rail-composer .composer-private {
+      display: flex; align-items: center; gap: 6px; flex-wrap: wrap;
+      margin-top: 6px; font-size: 12px; color: var(--text-muted); cursor: pointer;
+    }
+    .rail-composer .composer-private input { cursor: pointer; }
+    .rail-composer .composer-private-hint { color: var(--text-muted); opacity: 0.8; font-size: 11px; }
     .rail-composer .composer-mic {
       flex: 0 0 auto; height: 38px; width: 38px; font-size: 15px;
       border: 1px solid var(--border-strong); border-radius: 8px;
@@ -47905,8 +48176,6 @@ var appJs = `
         state.systemTables = (results[3] && results[3].tables) || [];
         state.preferences = results[4] || { show_system_tables: false, analytics: true };
         document.body.classList.toggle('advanced-mode', advancedMode());
-        var advToggle = document.getElementById('advanced-toggle');
-        if (advToggle) advToggle.checked = advancedMode();
         wireSettingsDrawer();
         renderWsSwitcher(results[5]);
         renderSidebar();
@@ -47914,6 +48183,7 @@ var appJs = `
         refreshHistoryState();
         renderRoute();
         startRealtime();
+        startRenderProgress();
         initSearch();
         initLastEdited();
         initOffline();
@@ -48274,6 +48544,153 @@ var appJs = `
       };
     }
 
+    // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Background-render progress \u2014 Server-Sent Events from
+    // /api/render/progress. A workspace opens/switches instantly and renders its
+    // context tree in the background; this paints a per-table % overlay on the
+    // dashboard cards (bottom-edge bar + \u27F3 pill) and dims the row count until
+    // each table completes. Row COUNTS come only from /api/entities \u2014 the render
+    // stream drives only the transient overlay and one reconciling refetch on
+    // completion. Mirrors the realtime EventSource pattern above.
+    // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    var renderSource = null;
+    // { [table]: { pct, rendered, total, done, error } } \u2014 the live render state,
+    // re-applied to cards after every dashboard rebuild (drawDashboard wipes the
+    // DOM overlays but not this map).
+    var renderProgress = {};
+    // Apply one table's render % to its matching card only (no full rebuild).
+    function applyCardProgress(table, pct) {
+      if (!table) return;
+      var sel = '.card[data-table="' + (window.CSS && CSS.escape ? CSS.escape(table) : table) + '"]';
+      var card = document.querySelector(sel);
+      if (!card) return;
+      var st = renderProgress[table];
+      if (st && st.error) {
+        card.classList.remove('is-rendering');
+        card.classList.add('is-render-error');
+        var perr = card.querySelector('.card-render-pct');
+        if (perr) perr.textContent = 'error';
+        return;
+      }
+      card.classList.remove('is-render-error');
+      var clamped = Math.max(0, Math.min(100, Math.round(pct || 0)));
+      card.classList.add('is-rendering');
+      var fill = card.querySelector('.card-render-fill');
+      if (fill) fill.style.width = clamped + '%';
+      var pctEl = card.querySelector('.card-render-pct');
+      if (pctEl) pctEl.textContent = clamped + '%';
+    }
+    // Clear the overlay for a finished/aborted table.
+    function clearCardProgress(table) {
+      if (!table) return;
+      var sel = '.card[data-table="' + (window.CSS && CSS.escape ? CSS.escape(table) : table) + '"]';
+      var card = document.querySelector(sel);
+      if (!card) return;
+      card.classList.remove('is-rendering', 'is-render-error');
+    }
+    // Repaint every still-in-flight card from the renderProgress map. Called at
+    // the end of drawDashboard so overlays survive a feed-triggered rebuild.
+    function reapplyRenderOverlays() {
+      Object.keys(renderProgress).forEach(function (table) {
+        var st = renderProgress[table];
+        if (!st) return;
+        if (st.done && !st.error) { clearCardProgress(table); return; }
+        applyCardProgress(table, st.pct);
+      });
+    }
+    // Fold one render event into the renderProgress map + paint the card.
+    function onRenderEvent(e) {
+      if (!e) return;
+      if (e.kind === 'error') {
+        var t = e.table;
+        if (t) {
+          renderProgress[t] = { pct: e.pct || 0, rendered: 0, total: 0, done: false, error: true };
+          applyCardProgress(t, e.pct || 0);
+        }
+        return;
+      }
+      if (e.kind === 'done') {
+        // Whole-render completion: clear every overlay and let the debounced
+        // refetch snap the counts to their real values.
+        Object.keys(renderProgress).forEach(function (table) {
+          var s = renderProgress[table];
+          if (s) s.done = true;
+          clearCardProgress(table);
+        });
+        scheduleRealtimeRefresh();
+        return;
+      }
+      if (!e.table) return;
+      var done = e.kind === 'table-done';
+      renderProgress[e.table] = {
+        pct: e.pct,
+        rendered: e.entitiesRendered,
+        total: e.entitiesTotal,
+        done: done,
+        error: false,
+      };
+      if (done) {
+        clearCardProgress(e.table);
+        // The count for this table is now final on the server; nudge one
+        // reconciling refetch from /api/entities (debounced, coalesced).
+        scheduleRealtimeRefresh();
+      } else {
+        applyCardProgress(e.table, e.pct);
+      }
+    }
+    // Paint from a full snapshot (initial connect / status fetch): the snapshot
+    // carries { phase, tables: { [t]: { pct, entitiesRendered, entitiesTotal,
+    // done } } }. Fold each table in and paint.
+    function applyRenderSnapshot(snap) {
+      if (!snap || !snap.tables) return;
+      Object.keys(snap.tables).forEach(function (table) {
+        var s = snap.tables[table];
+        if (!s) return;
+        renderProgress[table] = {
+          pct: s.pct,
+          rendered: s.entitiesRendered,
+          total: s.entitiesTotal,
+          done: !!s.done,
+          error: false,
+        };
+        if (s.done) clearCardProgress(table);
+        else applyCardProgress(table, s.pct);
+      });
+      if (snap.phase === 'error') {
+        // A whole-render failure with no table attribution still surfaces on the
+        // currently-rendering card if we know one.
+        if (snap.currentTable) {
+          renderProgress[snap.currentTable] = renderProgress[snap.currentTable] || { pct: 0 };
+          renderProgress[snap.currentTable].error = true;
+          applyCardProgress(snap.currentTable, renderProgress[snap.currentTable].pct);
+        }
+      }
+    }
+    function startRenderProgress() {
+      if (renderSource) {
+        try { renderSource.close(); } catch (_) { /* ignore */ }
+        renderSource = null;
+      }
+      if (typeof EventSource === 'undefined') return;
+      // On (re)connect, fetch the single-shot snapshot so a tab that connects
+      // mid- or post-render paints correctly even before the next event. The SSE
+      // endpoint ALSO replays a 'snapshot' event on connect, so both paths agree.
+      fetchJson('/api/render/status').then(applyRenderSnapshot).catch(function () { /* ignore */ });
+      renderSource = new EventSource('/api/render/progress');
+      renderSource.addEventListener('snapshot', function (ev) {
+        var snap = null;
+        try { snap = JSON.parse(ev.data); } catch (_) { /* ignore malformed */ }
+        if (snap) applyRenderSnapshot(snap);
+      });
+      renderSource.addEventListener('progress', function (ev) {
+        var e = null;
+        try { e = JSON.parse(ev.data); } catch (_) { /* ignore malformed */ }
+        if (e) onRenderEvent(e);
+      });
+      // EventSource auto-reconnects on error; the status refetch on the next
+      // open repaints from the authoritative snapshot.
+    }
+
     // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
     // Shared activity helpers \u2014 the operation-icon map and relative-time
     // formatter, used by Version History and the dashboard activity list. The
@@ -48503,9 +48920,58 @@ var appJs = `
         else renderRoute();
         loadedTables = {};
         startRealtime();
+        // A switch swaps the server-side render bus to the new workspace; drop the
+        // old workspace's overlay state and re-subscribe so the new render streams
+        // onto this workspace's cards.
+        renderProgress = {};
+        startRenderProgress();
       });
     }
 
+    // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Workspace-switch progress on the STABLE header button.
+    // The old menu-item spinner (withBusy on the open-menu db-item) is lost the
+    // moment the menu closes or rebuilds mid-switch. We additionally surface
+    // "switching" on the always-visible #ws-button for the ENTIRE switch (POST +
+    // reloadEverything), so the user always sees a live signal. The menu-item
+    // withBusy spinner is kept too.
+    // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    var wsSwitching = false;
+    function beginWsSwitching() {
+      wsSwitching = true;
+      var btn = document.getElementById('ws-button');
+      var nameEl = document.getElementById('ws-name');
+      var iconEl = btn && btn.querySelector('.db-icon');
+      if (btn) { btn.classList.add('is-switching'); btn.classList.remove('is-switch-error'); }
+      if (iconEl) iconEl.innerHTML = '<span class="spinner" aria-hidden="true"></span>';
+      if (nameEl) nameEl.textContent = 'Switching\u2026';
+    }
+    function endWsSwitching(failed) {
+      wsSwitching = false;
+      var btn = document.getElementById('ws-button');
+      var iconEl = btn && btn.querySelector('.db-icon');
+      if (iconEl) iconEl.textContent = '\u{1F4C2}';
+      if (btn) {
+        btn.classList.remove('is-switching');
+        if (failed) btn.classList.add('is-switch-error');
+        else btn.classList.remove('is-switch-error');
+      }
+      // The label writes inside reloadEverything ran while wsSwitching was still
+      // true (guarded out to preserve "Switching\u2026"), and they already completed
+      // BEFORE this call \u2014 so nothing else will apply the NEW workspace name. Now
+      // that the switch resolved, re-render the switcher so the real name lands
+      // (otherwise #ws-name stays stuck on "Switching\u2026").
+      if (!failed) {
+        fetchJson('/api/workspaces')
+          .then(function (d) {
+            if (d) renderWsSwitcher(d);
+          })
+          .catch(function () {
+            /* best-effort: the next reload re-renders the switcher anyway */
+          });
+      }
+    }
+
     var wsOutsideClickBound = false;
     function renderWsSwitcher(data) {
       var wrap = document.getElementById('ws-switcher');
@@ -48519,7 +48985,10 @@ var appJs = `
       wrap.hidden = false;
       var list = (data && data.workspaces) || [];
       var current = list.filter(function (w) { return w.id === (data && data.current); })[0];
-      nameEl.textContent = (current && current.label) || 'workspace';
+      // Don't clobber the "Switching\u2026" label/icon while a switch is in flight \u2014
+      // renderWsSwitcher runs mid-reload, and the new workspace label should only
+      // land once the switch resolves (endWsSwitching \u2192 next render).
+      if (!wsSwitching) nameEl.textContent = (current && current.label) || 'workspace';
       var curKind = (current && current.kind) || 'local';
       setStatusPill(curKind, curKind === 'cloud' ? 'connecting' : 'local');
 
@@ -48550,6 +49019,10 @@ var appJs = `
           b.addEventListener('click', function () {
             var id = b.getAttribute('data-id');
             if (id === currentId) { menu.hidden = true; return; }
+            // Surface "switching" on the stable header button for the WHOLE
+            // switch (POST + reloadEverything), independent of the ephemeral
+            // menu-item withBusy spinner \u2014 the menu can close/rebuild mid-switch.
+            beginWsSwitching();
             withBusy(b, function () {
               return fetchJson('/api/workspaces/switch', {
                 method: 'POST',
@@ -48566,6 +49039,7 @@ var appJs = `
                 return reloadEverything();
               }).then(function () {
                 menu.hidden = true;
+                endWsSwitching(false);
                 // Conversations + activity both live in the workspace DB. Drop
                 // the old workspace's thread + activity cards, reconnect the feed
                 // to THIS workspace, and reload its thread list (+ latest convo).
@@ -48574,7 +49048,7 @@ var appJs = `
                 startFeed();
                 refreshThreadList(true);
                 showToast('Switched workspace', {});
-              }).catch(function (err) { menu.hidden = true; showToast('Switch failed: ' + err.message, {}); });
+              }).catch(function (err) { menu.hidden = true; endWsSwitching(true); showToast('Switch failed: ' + err.message, {}); });
             });
           });
         });
@@ -48756,14 +49230,24 @@ var appJs = `
           ? '<div class="card-fresh" title="Last updated ' +
               escapeHtml(String(e.lastUpdatedAt)) + '">' + relTime(e.lastUpdatedAt) + '</div>'
           : '';
-        return '<a class="card" href="' + cardPrefix + e.name + '">' +
+        return '<a class="card" data-table="' + escapeHtml(e.name) + '" href="' + cardPrefix + e.name + '">' +
           '<div class="card-icon">' + disp.icon + '</div>' +
           '<div class="card-label">' + escapeHtml(disp.label) + '</div>' +
           '<div class="card-count">' + count + '</div>' +
           fresh +
+          // Hidden until a background render touches this table; revealed by the
+          // .is-rendering class applied in applyCardProgress(). The fill is the
+          // bottom-edge bar (width = %); the pill is the \u27F3 <pct>% corner badge.
+          '<div class="card-render" aria-hidden="true">' +
+            '<div class="card-render-fill"></div>' +
+            '<span class="card-render-pill"><span class="spinner" aria-hidden="true"></span><span class="card-render-pct">0%</span></span>' +
+          '</div>' +
           '</a>';
       }).join('');
       content.innerHTML = '<div class="dashboard">' + cards + '</div>';
+      // drawDashboard wiped the previous overlays; repaint any still-in-flight
+      // render state from the renderProgress map onto the freshly-built cards.
+      reapplyRenderOverlays();
     }
     function renderDashboard(content) {
       // Workspace overview: counts + freshness + recent activity from
@@ -50100,8 +50584,6 @@ var appJs = `
       if (!drawer || !backdrop) return;
       backdrop.hidden = false;
       drawer.hidden = false;
-      var toggle = document.getElementById('advanced-toggle');
-      if (toggle) toggle.checked = advancedMode();
       // Allow the elements to lay out before transitioning in.
       window.requestAnimationFrame(function () {
         drawer.classList.add('open');
@@ -50125,6 +50607,7 @@ var appJs = `
       var body = document.getElementById('drawer-body');
       if (!body) return;
       if (tab === 'database') renderDatabaseSettings(body);
+      else if (tab === 'chat') renderChatSettings(body);
       else if (tab === 'lattice') renderLatticeSettings(body);
       else renderUserConfig(body);
     }
@@ -50138,8 +50621,6 @@ var appJs = `
       document.querySelectorAll('.drawer-tab').forEach(function (b) {
         b.addEventListener('click', function () { selectDrawerTab(b.getAttribute('data-tab')); });
       });
-      var toggle = document.getElementById('advanced-toggle');
-      if (toggle) toggle.addEventListener('change', function () { setAdvancedMode(toggle.checked); });
       document.addEventListener('keydown', function (e) {
         if (e.key !== 'Escape') return;
         var drawer = document.getElementById('settings-drawer');
@@ -50955,17 +51436,32 @@ var appJs = `
           '</div>'
         : '';
       // Owner-only "new rows default to" control, shown for a shared table.
+      // A never-share table's rows are always private, so the default-visibility
+      // select is disabled while never-share is on.
       var defaultVis = (t && t.defaultRowVisibility) || 'private';
+      var neverShare = !!(t && t.neverShare);
       var defaultVisRow = canShare && isShared
         ? '<label>New rows default to</label>' +
           '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
-            '<select id="dm-rowvis-select">' +
+            '<select id="dm-rowvis-select"' + (neverShare ? ' disabled' : '') + '>' +
               '<option value="private"' + (defaultVis === 'private' ? ' selected' : '') + '>Private (owner only)</option>' +
               '<option value="everyone"' + (defaultVis === 'everyone' ? ' selected' : '') + '>Everyone on the workspace</option>' +
             '</select>' +
             '<span style="font-size:12px;color:var(--text-muted)">Visibility new rows in this table are created with.</span>' +
           '</div>'
         : '';
+      // Owner-only "Never share" control, shown for a shared table. When on, the
+      // table's rows are always private to their owner regardless of the default
+      // visibility above \u2014 a hard floor the owner can set per shared table.
+      var neverShareRow = canShare && isShared
+        ? '<label>Never share</label>' +
+          '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
+            '<label class="dm-secret-toggle">' +
+              '<input type="checkbox" id="dm-nevershare-check"' + (neverShare ? ' checked' : '') + ' /> Keep all rows private' +
+            '</label>' +
+            '<span style="font-size:12px;color:var(--text-muted)">When on, rows in this table are always private to their owner, ignoring the default above.</span>' +
+          '</div>'
+        : '';
       panel.innerHTML =
         '<h3>' + d.icon + ' ' + escapeHtml(d.label) + '</h3>' +
         '<div class="dm-edit-grid">' +
@@ -50981,6 +51477,7 @@ var appJs = `
           '</div>' +
           shareRow +
           defaultVisRow +
+          neverShareRow +
           '<label>Columns</label>' +
           '<div>' +
             '<div class="dm-cols">' + (columnsHtml || '<span class="muted">No columns</span>') + '</div>' +
@@ -51050,6 +51547,27 @@ var appJs = `
           }).catch(function (e) { showToast('Default visibility update failed: ' + e.message, {}); });
         });
       });
+
+      var neverShareCheck = panel.querySelector('#dm-nevershare-check');
+      if (neverShareCheck) neverShareCheck.addEventListener('change', function () {
+        var on = neverShareCheck.checked;
+        // Disable while the round-trip is in flight; dmRefreshPanel rebuilds the
+        // panel (and the default-visibility select's disabled state) on success.
+        neverShareCheck.disabled = true;
+        fetchJson('/api/schema/entities/' + encodeURIComponent(tableName) + '/never-share', {
+          method: 'POST',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({ on: on }),
+        }).then(function () {
+          return dmRefreshPanel(tableName, false);
+        }).then(function () {
+          showToast(on ? 'Rows in "' + tableName + '" are now always private' : 'Rows in "' + tableName + '" follow the default visibility', {});
+        }).catch(function (e) {
+          neverShareCheck.disabled = false;
+          neverShareCheck.checked = !on;
+          showToast('Never-share update failed: ' + e.message, {});
+        });
+      });
     }
 
     /**
@@ -51723,28 +52241,35 @@ var appJs = `
 
     function showJoinTeamModal(kind) {
       void kind;
-      // v3: join a cloud by connecting DIRECTLY with the scoped credentials the
-      // owner gave you (the invite blob). No invite token, no email binding \u2014
-      // the database (row-level security) enforces what your role can see.
+      // Join a cloud with the email-bound invite token the owner sent you. The
+      // token decrypts LOCALLY with your email to the same scoped credential \u2014
+      // the member UI never handles a postgres:// string. You then connect
+      // directly with your own scoped role; the database (RLS) enforces access.
       var bodyHtml =
         '<p style="margin:0 0 12px;font-size:13px;color:var(--text-muted)">' +
-          'Paste the connection credentials the cloud owner sent you. You connect ' +
-          'directly with your own scoped Postgres role \u2014 access is enforced by the ' +
-          'database, not a server.' +
+          'Enter the email this invite was sent to and the invite token the cloud ' +
+          'owner gave you.' +
         '</p>' +
-        postgresFormHtml({}) +
+        '<div class="field"><label>Email</label>' +
+          '<input id="join-email" type="email" placeholder="you@example.com" autocapitalize="off" autocorrect="off" spellcheck="false" style="width:100%"></div>' +
+        '<div class="field" style="margin-top:8px"><label>Invite token</label>' +
+          '<textarea id="join-token" rows="4" placeholder="paste the invite token" autocapitalize="off" autocorrect="off" spellcheck="false" style="width:100%;resize:vertical;font-family:JetBrains Mono,monospace;font-size:12px"></textarea></div>' +
         '<div id="join-msg" style="margin-top:10px;font-size:12px;color:var(--text-muted)"></div>';
       showModal('Join a cloud', bodyHtml, {
         primaryLabel: 'Join',
         onSubmit: function (scope) {
           void scope;
-          var body = readPostgresWizardForm();
+          var emailEl = document.getElementById('join-email');
+          var tokenEl = document.getElementById('join-token');
+          var email = (emailEl && emailEl.value ? emailEl.value : '').trim();
+          var token = (tokenEl && tokenEl.value ? tokenEl.value : '').trim();
+          if (!email || !token) throw new Error('Enter your email and the invite token');
           var msg = document.getElementById('join-msg');
           if (msg) msg.textContent = 'Connecting\u2026';
-          return fetch('/api/dbconfig/connect-existing', {
+          return fetch('/api/cloud/redeem-invite', {
             method: 'POST',
             headers: { 'content-type': 'application/json' },
-            body: JSON.stringify(body),
+            body: JSON.stringify({ email: email, token: token }),
           })
             .then(function (r) { return r.json().then(function (d) { return { status: r.status, body: d }; }); })
             .then(function (r) {
@@ -51796,7 +52321,7 @@ var appJs = `
           '</div>';
         }
         // Only the selected provider's key input is shown (declutter). 'auto'
-        // ("Select provider\u2026") shows no key row until a provider is chosen.
+        // ("No Voice") shows no key row and disables voice \u2014 no STT provider.
         function voiceRowHtml(provider) {
           if (provider === 'openai') {
             return rowHtml('asst-openai', 'OpenAI Whisper key', !!cfg.hasOpenaiKey, 'sk-\u2026');
@@ -51838,7 +52363,7 @@ var appJs = `
             '<div style="margin:6px 0 8px;display:flex;align-items:center;gap:8px">' +
               '<span style="font-size:12px;color:var(--text-muted)">Use for voice:</span>' +
               '<select id="asst-stt" style="background:var(--surface-2);color:var(--text);border:1px solid var(--border);border-radius:6px;font-size:12px;padding:3px 6px">' +
-                '<option value="auto">Select provider\u2026</option>' +
+                '<option value="auto">No Voice</option>' +
                 '<option value="openai">OpenAI</option>' +
                 '<option value="elevenlabs">ElevenLabs</option>' +
               '</select>' +
@@ -51892,7 +52417,9 @@ var appJs = `
               body: JSON.stringify({ provider: sttSel.value }),
             })
               .then(function (r) { if (!r.ok) throw new Error('save failed (' + r.status + ')'); return r.json(); })
-              .then(function () { msg.textContent = 'Saved.'; })
+              // Refresh the composer so the mic affordance disappears immediately
+              // when "No Voice" is selected (and reappears for a real provider).
+              .then(function () { msg.textContent = 'Saved.'; renderComposer(); })
               .catch(function (e) { msg.textContent = 'Failed: ' + e.message; });
           });
         }
@@ -52213,9 +52740,24 @@ var appJs = `
       content.innerHTML =
         '<div class="teams-page">' +
           '<h2>Lattice Settings</h2>' +
+          '<div class="dbconfig-panel" style="margin-bottom:14px;padding:14px;border:1px solid var(--border);border-radius:8px;background:var(--surface)">' +
+            '<label class="toggle" title="Advanced mode \u2014 row/table editor instead of the file workspace" style="display:inline-flex;align-items:center;gap:10px;cursor:pointer">' +
+              '<input type="checkbox" id="advanced-toggle">' +
+              '<span class="toggle-track"><span class="toggle-thumb"></span></span>' +
+              '<span class="toggle-label">Advanced View</span>' +
+            '</label>' +
+            '<p class="lead" style="margin:8px 0 0;font-size:12px;color:var(--text-muted)">Row/table editor instead of the file workspace.</p>' +
+          '</div>' +
           '<p class="lead">Every workspace this lattice can switch to. This is the same list as the header dropdown.</p>' +
           '<div id="lattice-dbs-host"><div class="placeholder" style="padding:18px">Loading workspaces\u2026</div></div>' +
         '</div>';
+      // Advanced View toggle lives here now (moved out of the sidebar). Wired on
+      // each render since renderLatticeSettings rebuilds the drawer body.
+      var advToggle = content.querySelector('#advanced-toggle');
+      if (advToggle) {
+        advToggle.checked = advancedMode();
+        advToggle.addEventListener('change', function () { setAdvancedMode(advToggle.checked); });
+      }
       var host = document.getElementById('lattice-dbs-host');
       // Single source of truth: the workspace registry (same as the header switcher).
       fetchJson('/api/workspaces').then(function (data) {
@@ -52225,7 +52767,8 @@ var appJs = `
           var isActive = w.id === currentId;
           var kind = w.kind === 'cloud' ? 'Cloud (Postgres)' : 'Local (SQLite)';
           // Rows are click-to-switch; deletion lives in Workspace Settings \u2192 Danger Zone.
-          return '<tr' + (isActive ? '' : ' class="ws-row" data-switch-id="' + escapeHtml(w.id) + '"') + '>' +
+          // The active row is highlighted (.ws-active) and not click-to-switch.
+          return '<tr class="' + (isActive ? 'ws-active' : 'ws-row') + '"' + (isActive ? '' : ' data-switch-id="' + escapeHtml(w.id) + '"') + '>' +
             '<td>' + escapeHtml(w.label) + (isActive ? ' <span class="role-tag">active</span>' : '') + '</td>' +
             '<td>' + kind + '</td>' +
             '<td><code>' + escapeHtml(w.dir || '') + '</code></td>' +
@@ -52245,10 +52788,13 @@ var appJs = `
         host.querySelectorAll('tr.ws-row[data-switch-id]').forEach(function (row) {
           row.addEventListener('click', function () {
             var id = row.getAttribute('data-switch-id');
+            // Switch the workspace AND close the settings drawer at the same time \u2014
+            // close immediately (concurrent with the switch) so it isn't left open.
+            closeSettingsDrawer();
             fetch('/api/workspaces/switch', { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify({ id: id }) })
               .then(function (r) { return r.json(); })
               .then(function () { return reloadEverything(); })
-              .then(function () { renderLatticeSettings(document.getElementById('content')); });
+              .catch(function (err) { showToast('Switch failed: ' + err.message, {}); });
           });
         });
         host.querySelector('#action-add-db').addEventListener('click', showCreateDatabaseWizard);
@@ -52327,7 +52873,6 @@ var appJs = `
           '</div>' +
           '<div class="team-actions" style="margin-top:10px">' +
             (isOwner ? '<button class="btn primary" data-act="open-invite">Invite a member</button>' : '') +
-            (isOwner ? '<button class="btn" data-act="open-system-prompt">Edit chat system prompt</button>' : '') +
           '</div>' +
           // Owner: invite affordance below. Member: a short note. Row-level
           // security is enforced by the database, not this panel \u2014 there is
@@ -52372,22 +52917,44 @@ var appJs = `
         showInviteMemberModal(info);
       });
 
-      // Owner-only: edit the cloud's chat system prompt (bundled into every
-      // member's chat; members can neither see nor edit it).
-      var promptBtn = host.querySelector('[data-act="open-system-prompt"]');
-      if (promptBtn) promptBtn.addEventListener('click', function () {
-        showSystemPromptModal();
-      });
-
-      // No members list to fetch. The owner sees the invite affordance (the
-      // button above); a member sees a short note that they're connected.
+      // Members list: the owner sees the owner + every member role; a member
+      // sees a short note. Backed by /api/cloud/members (the lattice_members
+      // group). The inline list itself is recovered from latticesql 1.14.0.
       var membersHost = host.querySelector('#db-members-host');
-      if (membersHost && info.state === 'cloud-member') {
-        membersHost.innerHTML = '<div style="font-size:12px;color:var(--text-muted)">You are a member of this cloud.</div>';
+      if (membersHost) {
+        if (info.state === 'cloud-member') {
+          membersHost.innerHTML = '<div style="font-size:12px;color:var(--text-muted)">You are a member of this cloud.</div>';
+        } else {
+          membersHost.innerHTML = '<div style="font-size:12px;color:var(--text-muted)">Loading members\u2026</div>';
+          fetchJson('/api/cloud/members').then(function (data) {
+            membersHost.innerHTML = renderMembersList((data && data.members) || []);
+          }).catch(function (e) {
+            membersHost.innerHTML = '<div style="font-size:12px;color:var(--warn)">Could not load members: ' + escapeHtml(e.message) + '</div>';
+          });
+        }
       }
       void isOwner;
     }
 
+    /** Members list (owner + member roles), recovered from latticesql 1.14.0
+     *  (commit 2862959), adapted to the RLS-cloud member model. */
+    function renderMembersList(members) {
+      if (!members.length) {
+        return '<div class="members-list"><h4>Members</h4>' +
+          '<div style="font-size:12px;color:var(--text-muted)">Just you.</div></div>';
+      }
+      var rows = members.map(function (m) {
+        var pill = m.isOwner ? 'Owner' : 'Member';
+        return '<div class="member-row" data-role="' + escapeHtml(m.role) + '">' +
+          '<span><code>' + escapeHtml(m.role) + '</code>' +
+            (m.isYou ? ' <span style="color:var(--accent);font-size:11px">(you)</span>' : '') +
+            ' <span class="role-tag' + (m.isOwner ? '' : ' role-member') + '">' + pill + '</span>' +
+          '</span>' +
+        '</div>';
+      }).join('');
+      return '<div class="members-list"><h4>Members</h4>' + rows + '</div>';
+    }
+
     // \u2500\u2500 v1.13 wizards \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 
     function postgresFormHtml(prefill) {
@@ -52543,94 +53110,104 @@ var appJs = `
       });
     }
 
-    function showSystemPromptModal() {
-      // Owner-only editor for the cloud chat system prompt. Load the current value
-      // first (the GET returns the text ONLY to an owner), then open the editor.
+    // Chat settings (drawer tab): the cloud chat system prompt, edited INLINE
+    // with a Save button \u2014 no overlay. Owner-only (the GET returns the text only
+    // to an owner); members / local workspaces see a short note instead.
+    function renderChatSettings(content) {
+      content.innerHTML =
+        '<div class="teams-page">' +
+          '<h2>Chat</h2>' +
+          '<div id="chat-settings-host"><div class="placeholder" style="padding:18px">Loading\u2026</div></div>' +
+        '</div>';
+      var host = document.getElementById('chat-settings-host');
       fetchJson('/api/cloud/system-prompt').then(function (cfg) {
+        var panelOpen =
+          '<div class="dbconfig-panel" style="padding:14px;border:1px solid var(--border);border-radius:8px;background:var(--surface)">' +
+            '<h3 style="margin:0 0 8px">Chat system prompt</h3>';
         if (!cfg || cfg.canEdit !== true) {
-          showToast('Only a cloud owner can edit the chat system prompt');
+          host.innerHTML = panelOpen +
+            '<p style="font-size:12px;color:var(--text-muted);margin:0">' +
+            'The chat system prompt is owner-only and applies to a cloud workspace. ' +
+            'Nothing to edit here for this workspace.</p></div>';
           return;
         }
         var current = typeof cfg.prompt === 'string' ? cfg.prompt : '';
-        var bodyHtml =
-          '<p style="margin-top:0;font-size:13px;color:var(--text-muted)">' +
-          'Added to every member chat in this cloud. Members cannot see or edit it \u2014 only you, the owner, can.' +
-          '</p>' +
-          '<div class="field"><label>Chat system prompt</label>' +
-          '<textarea name="system-prompt" rows="10" style="width:100%;font-family:inherit;resize:vertical" ' +
-          'placeholder="e.g. Always answer in a formal tone. Our fiscal year starts in July.">' +
-          escapeHtml(current) +
-          '</textarea></div>';
-        showModal('Chat system prompt', bodyHtml, {
-          primaryLabel: 'Save',
-          onSubmit: function (scope) {
-            var ta = scope.querySelector('textarea[name="system-prompt"]');
-            var value = ta ? ta.value : '';
-            return fetchJson('/api/cloud/system-prompt', {
-              method: 'POST',
-              headers: { 'content-type': 'application/json' },
-              body: JSON.stringify({ prompt: value }),
-            }).then(function () {
-              showToast('Chat system prompt saved');
-            });
-          },
+        host.innerHTML = panelOpen +
+          '<p style="font-size:12px;color:var(--text-muted);margin:0 0 10px">' +
+            'Added to every member chat in this cloud. Members cannot see or edit it \u2014 only you, the owner, can.</p>' +
+          '<textarea id="chat-system-prompt" rows="10" style="width:100%;font-family:inherit;resize:vertical" ' +
+            'placeholder="e.g. Always answer in a formal tone. Our fiscal year starts in July.">' +
+            escapeHtml(current) + '</textarea>' +
+          '<div style="margin-top:10px;display:flex;align-items:center;gap:10px">' +
+            '<button class="btn primary" id="chat-prompt-save">Save</button>' +
+            '<span id="chat-prompt-msg" style="font-size:12px;color:var(--text-muted)"></span>' +
+          '</div>' +
+        '</div>';
+        var saveBtn = document.getElementById('chat-prompt-save');
+        var msg = document.getElementById('chat-prompt-msg');
+        if (saveBtn) saveBtn.addEventListener('click', function () {
+          var ta = document.getElementById('chat-system-prompt');
+          var value = ta ? ta.value : '';
+          if (msg) msg.textContent = 'Saving\u2026';
+          fetchJson('/api/cloud/system-prompt', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ prompt: value }),
+          }).then(function () {
+            if (msg) msg.textContent = 'Saved.';
+          }).catch(function (e) {
+            if (msg) msg.textContent = 'Failed: ' + (e && e.message ? e.message : String(e));
+          });
         });
       }).catch(function (err) {
-        showToast('Failed to load: ' + (err && err.message ? err.message : String(err)));
+        host.innerHTML = '<div class="placeholder">Could not load: ' +
+          escapeHtml(err && err.message ? err.message : String(err)) + '</div>';
       });
     }
 
     function showInviteMemberModal(info) {
-      // v3 owner-only invite: the server provisions a scoped member role and
-      // returns a connection blob. That blob IS the invite \u2014 copy it and hand
-      // it to the new member, who pastes the fields into "Join a cloud". There
-      // is no per-table sharing here (rows are private-by-default, shared per
-      // row via the eye toggle).
+      // Owner-only invite: collect the invitee's email; the server provisions a
+      // scoped role and returns ONE email-bound token carrying its credential.
+      // The invitee redeems it with the same email in "Join a cloud" \u2014 no
+      // postgres:// fields ever change hands. (Recovered from 1.14.0's email
+      // invite flow, adapted to the RLS-cloud token.)
       info = info || {};
       var bodyHtml =
-        '<div class="field"><label>Member label</label>' +
-        '<input name="label" type="text" placeholder="bob" autocapitalize="off" autocorrect="off" spellcheck="false" /></div>' +
+        '<div class="field"><label>Invitee email</label>' +
+        '<input name="email" type="email" placeholder="bob@example.com" autocapitalize="off" autocorrect="off" spellcheck="false" /></div>' +
         '<p style="font-size:12px;color:var(--text-muted);margin:0">' +
-        'A short name for the scoped role you are provisioning. Lattice returns ' +
-        'connection credentials below \u2014 send them to the new member, who pastes ' +
-        'them into \u201CJoin a cloud\u201D.' +
+        'The invite is bound to this email \u2014 only the recipient can redeem it.' +
         '</p>';
       showModal('Invite a member', bodyHtml, {
         primaryLabel: 'Generate invite',
         onSubmit: function (scope) {
           var data = collectFormValues(scope);
-          if (!data.label) throw new Error('label is required');
+          if (!data.email) throw new Error('an invitee email is required');
           return fetchJson('/api/cloud/invite', {
             method: 'POST',
             headers: { 'content-type': 'application/json' },
-            body: JSON.stringify({ label: data.label }),
+            body: JSON.stringify({ email: data.email }),
           }).then(function (res) {
-            showInviteCredentialsModal((res && res.invite) || {});
+            showInviteTokenModal(res || {});
           });
         },
       });
     }
 
-    function showInviteCredentialsModal(invite) {
-      invite = invite || {};
-      // Render the returned connection blob in a single copyable block. The
-      // member pastes these fields into "Join a cloud".
-      var lines = [
-        'host=' + (invite.host || ''),
-        'port=' + (invite.port || 5432),
-        'dbname=' + (invite.dbname || ''),
-        'user=' + (invite.user || ''),
-        'password=' + (invite.password || ''),
-      ].join('\\n');
+    function showInviteTokenModal(res) {
+      res = res || {};
+      var token = res.token || '';
       var bodyHtml =
-        '<p style="margin-top:0">Send these credentials to your new member \u2014 they paste them into \u201CJoin a cloud\u201D.</p>' +
-        '<div class="copy-token" id="copy-invite" style="white-space:pre">' + escapeHtml(lines) + '</div>' +
-        '<p style="font-size:12px;color:var(--text-muted);margin-bottom:0">Click the block to copy.</p>';
-      var handle = showModal('Invite credentials', bodyHtml, { primaryLabel: 'Done', onSubmit: function () {} });
+        '<p style="margin-top:0">Send this invite token to <code>' + escapeHtml(res.email || '') +
+        '</code> (privately). They enter their email + this token in \u201CJoin a cloud\u201D. It expires in ~7 days.</p>' +
+        '<div class="copy-token" id="copy-invite" style="white-space:pre-wrap;word-break:break-all">' +
+        escapeHtml(token) + '</div>' +
+        '<p style="font-size:12px;color:var(--text-muted);margin-bottom:0">Click the token to copy.</p>';
+      var handle = showModal('Invite token', bodyHtml, { primaryLabel: 'Done', onSubmit: function () {} });
       var blockEl = document.getElementById('copy-invite');
       if (blockEl) {
         blockEl.addEventListener('click', function () {
-          navigator.clipboard.writeText(lines).then(function () {
+          navigator.clipboard.writeText(token).then(function () {
             var prev = blockEl.textContent;
             blockEl.textContent = 'Copied!';
             setTimeout(function () { blockEl.textContent = prev; }, 1200);
@@ -53168,9 +53745,13 @@ var appJs = `
       if (input) { input.value = ''; if (input._autoGrow) input._autoGrow(); else input.style.height = 'auto'; }
       if (sendBtn) sendBtn.disabled = true;
       var actx = null; var assembled = '';
+      // Private mode: when the composer checkbox is checked, items the assistant
+      // adds on this turn stay private to the current user.
+      var privEl = document.getElementById('chat-private');
+      var privateMode = !!(privEl && privEl.checked);
       fetch('/api/chat', {
         method: 'POST', headers: { 'content-type': 'application/json' },
-        body: JSON.stringify({ message: text, history: historyToSend, threadId: currentThreadId })
+        body: JSON.stringify({ message: text, history: historyToSend, threadId: currentThreadId, privateMode: privateMode })
       }).then(function (r) {
         if (!r.ok || !r.body) {
           return r.json().then(function (j) { throw new Error(j.error || ('HTTP ' + r.status)); });
@@ -53436,6 +54017,12 @@ var appJs = `
               '<textarea id="chat-input" rows="1" placeholder="Ask or instruct\u2026 (Enter to send)"></textarea>' +
               '<button class="composer-send" id="chat-send">Send</button>' +
             '</div>' +
+            // Private mode \u2014 when checked, items the assistant adds on this send
+            // stay private to me (passed as privateMode in the /api/chat body).
+            '<label class="composer-private">' +
+              '<input type="checkbox" id="chat-private" /> Private mode ' +
+              '<span class="composer-private-hint">New items I add stay private to you</span>' +
+            '</label>' +
             '<input type="file" id="chat-file" multiple style="display:none">';
           var input = document.getElementById('chat-input');
           var sendBtn = document.getElementById('chat-send');
@@ -53553,11 +54140,6 @@ var guiAppHtml = `<!doctype html>
   </header>
   <div class="layout">
     <nav class="sidebar">
-      <label class="sidebar-advanced toggle" title="Advanced mode \u2014 row/table editor instead of the file workspace">
-        <input type="checkbox" id="advanced-toggle">
-        <span class="toggle-track"><span class="toggle-thumb"></span></span>
-        <span class="toggle-label">Advanced View</span>
-      </label>
       <div class="section-label">Objects</div>
       <ul id="object-nav"></ul>
       <div id="system-section" hidden>
@@ -53589,6 +54171,7 @@ var guiAppHtml = `<!doctype html>
     </div>
     <div class="drawer-tabs" id="drawer-tabs">
       <button class="drawer-tab" data-tab="database">Workspace</button>
+      <button class="drawer-tab" data-tab="chat">Chat</button>
       <button class="drawer-tab" data-tab="lattice">Lattice</button>
       <button class="drawer-tab" data-tab="user">User</button>
     </div>
@@ -53846,6 +54429,681 @@ async function discoverCloudTables(db) {
   return out;
 }
 
+// src/cloud/members.ts
+import { randomBytes as randomBytes5 } from "crypto";
+
+// src/cloud/rls.ts
+function isPg(db) {
+  return db.getDialect() === "postgres";
+}
+function pkSqlExpr(pkCols, prefix) {
+  if (pkCols.length === 0) {
+    throw new Error("cloud RLS: cannot key a table with no primary key column");
+  }
+  return pkCols.map((c6) => `CAST(${prefix}"${c6}" AS TEXT)`).join(` || chr(9) || `);
+}
+var MEMBER_GROUP = "lattice_members";
+function pinDefinerSearchPath(sql, schema) {
+  const safe = schema.replace(/"/g, '""');
+  return sql.replace(
+    /SECURITY DEFINER AS/g,
+    `SECURITY DEFINER SET search_path = "${safe}", pg_temp AS`
+  );
+}
+async function cloudSchema(db) {
+  const row = await getAsyncOrSync(db.adapter, `SELECT current_schema() AS schema`);
+  const s2 = row?.schema;
+  if (typeof s2 !== "string" || s2.length === 0) {
+    throw new Error("cloud RLS: could not resolve current_schema() for search_path pinning");
+  }
+  return s2;
+}
+function revokeSchemaCreateSql(schema) {
+  const lit = `'${schema.replace(/'/g, "''")}'`;
+  return `
+DO $LATTICE_REVOKE$ BEGIN
+  EXECUTE format('REVOKE CREATE ON SCHEMA %I FROM PUBLIC', ${lit});
+EXCEPTION WHEN OTHERS THEN
+  NULL; -- not the schema owner, or already revoked
+END $LATTICE_REVOKE$;
+`;
+}
+var CLOUD_RLS_BOOTSTRAP_SQL = `
+-- Member group (NOLOGIN). Members inherit schema/connect/table privileges from it;
+-- RLS filters per the individual member's login role, so the group never widens
+-- what a member can see. Idempotent.
+DO $LATTICE$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${MEMBER_GROUP}') THEN
+    CREATE ROLE ${MEMBER_GROUP} NOLOGIN;
+  END IF;
+  EXECUTE format('GRANT USAGE ON SCHEMA %I TO ${MEMBER_GROUP}', current_schema());
+  EXECUTE format('GRANT CONNECT ON DATABASE %I TO ${MEMBER_GROUP}', current_database());
+END $LATTICE$;
+
+CREATE TABLE IF NOT EXISTS "__lattice_owners" (
+  "table_name" text NOT NULL,
+  "pk"         text NOT NULL,
+  "owner_role" text NOT NULL,
+  "visibility" text NOT NULL DEFAULT 'private' CHECK ("visibility" IN ('private','everyone','custom')),
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("table_name", "pk")
+);
+
+CREATE TABLE IF NOT EXISTS "__lattice_row_grants" (
+  "table_name"   text NOT NULL,
+  "pk"           text NOT NULL,
+  "grantee_role" text NOT NULL,
+  "granted_by"   text NOT NULL,
+  "granted_at"   timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("table_name", "pk", "grantee_role")
+);
+
+CREATE INDEX IF NOT EXISTS "idx_lattice_row_grants_grantee"
+  ON "__lattice_row_grants" ("grantee_role", "table_name", "pk");
+
+-- App-role assignments for the audience layer: maps a member's login role to the
+-- named app roles (e.g. 'hr') a fixed-policy column may require. Owner-managed;
+-- members cannot read or write it (no grant), so a member can't self-promote.
+CREATE TABLE IF NOT EXISTS "__lattice_member_roles" (
+  "member_role" text NOT NULL,
+  "app_role"    text NOT NULL,
+  "granted_by"  text NOT NULL DEFAULT session_user,
+  "granted_at"  timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("member_role", "app_role")
+);
+
+-- Per-card audience overrides: a row owner can grant a SPECIFIC member access to
+-- a SPECIFIC masked cell (table + pk + column), without changing the column's
+-- schema-level audience. The generated mask view ORs this in. Owner-managed;
+-- members can't read or write it.
+CREATE TABLE IF NOT EXISTS "__lattice_cell_grants" (
+  "table_name"   text NOT NULL,
+  "pk"           text NOT NULL,
+  "column_name"  text NOT NULL,
+  "grantee_role" text NOT NULL,
+  "granted_by"   text NOT NULL DEFAULT session_user,
+  "granted_at"   timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("table_name", "pk", "column_name", "grantee_role")
+);
+
+-- Per-table policy: the owner-controlled defaults that govern a whole table.
+-- default_row_visibility is the visibility NEW rows are stamped with (the insert
+-- trigger reads it); never_share is a hard exclusion \u2014 the share/grant functions
+-- refuse to elevate such a table and the trigger forces its rows private. Owner-
+-- managed; members have no grant (it never appears in their data API).
+CREATE TABLE IF NOT EXISTS "__lattice_table_policy" (
+  "table_name"             text PRIMARY KEY,
+  "default_row_visibility" text NOT NULL DEFAULT 'private'
+    CHECK ("default_row_visibility" IN ('private','everyone')),
+  "never_share"            boolean NOT NULL DEFAULT false,
+  "updated_by"             text NOT NULL DEFAULT session_user,
+  "updated_at"             timestamptz NOT NULL DEFAULT now()
+);
+
+-- Per-column audience policy: the CANONICAL store of which column carries which
+-- audience spec (role: / subject: / source: / owner / everyone). Previously the
+-- spec lived only in the owner's on-disk YAML and was compiled into the mask view
+-- once at init; storing it here makes it cloud-canonical and member-consistent.
+-- The generated <table>_v mask view is regenerated from THIS table on change.
+-- Owner-managed; members have no grant.
+CREATE TABLE IF NOT EXISTS "__lattice_column_policy" (
+  "table_name"  text NOT NULL,
+  "column_name" text NOT NULL,
+  "audience"    text NOT NULL,
+  "updated_by"  text NOT NULL DEFAULT session_user,
+  "updated_at"  timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("table_name", "column_name")
+);
+
+-- Owner-only audit of issued member invites: which scoped role was minted for
+-- which email (HASHED \u2014 the plaintext email is never stored), when it expires,
+-- and whether it was redeemed/revoked. No plaintext password is ever stored
+-- (the credential lives only inside the email-bound token the owner delivers).
+-- Owner-managed; members have no grant. Named distinctly from any legacy
+-- team-model invitations table so a pre-existing cloud never collides.
+CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
+  "id"          text PRIMARY KEY,
+  "role"        text NOT NULL,
+  "email_hash"  text NOT NULL,
+  "created_by"  text NOT NULL DEFAULT session_user,
+  "created_at"  timestamptz NOT NULL DEFAULT now(),
+  "expires_at"  timestamptz NOT NULL,
+  "redeemed_at" timestamptz,
+  "revoked_at"  timestamptz
+);
+
+-- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
+-- keyed on session_user (the member's login role). A row with no ownership record
+-- is visible to nobody.
+CREATE OR REPLACE FUNCTION lattice_row_visible(p_table text, p_pk text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT EXISTS (
+    SELECT 1 FROM "__lattice_owners" o
+     WHERE o."table_name" = p_table AND o."pk" = p_pk
+       AND ( o."owner_role" = session_user
+          OR o."visibility" = 'everyone'
+          OR ( o."visibility" = 'custom' AND EXISTS (
+                 SELECT 1 FROM "__lattice_row_grants" g
+                  WHERE g."table_name" = o."table_name" AND g."pk" = o."pk"
+                    AND g."grantee_role" = session_user)))
+  );
+$fn$;
+
+-- Owner-only: change a row's visibility. Raises if the caller is not the owner.
+CREATE OR REPLACE FUNCTION lattice_set_row_visibility(p_table text, p_pk text, p_visibility text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_owner text;
+BEGIN
+  IF p_visibility NOT IN ('private','everyone','custom') THEN
+    RAISE EXCEPTION 'lattice: invalid visibility %', p_visibility;
+  END IF;
+  IF p_visibility <> 'private'
+     AND COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
+  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
+    WHERE o."table_name" = p_table AND o."pk" = p_pk;
+  IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
+  IF v_owner <> session_user THEN RAISE EXCEPTION 'lattice: only the row owner may change its sharing'; END IF;
+  UPDATE "__lattice_owners" SET "visibility" = p_visibility, "updated_at" = now()
+    WHERE "table_name" = p_table AND "pk" = p_pk;
+END $fn$;
+
+-- Owner-only: grant a specific member access to a row (sets visibility = 'custom').
+CREATE OR REPLACE FUNCTION lattice_grant_row(p_table text, p_pk text, p_grantee text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_owner text;
+BEGIN
+  IF COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
+  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
+    WHERE o."table_name" = p_table AND o."pk" = p_pk;
+  IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
+  IF v_owner <> session_user THEN RAISE EXCEPTION 'lattice: only the row owner may grant access'; END IF;
+  UPDATE "__lattice_owners" SET "visibility" = 'custom', "updated_at" = now()
+    WHERE "table_name" = p_table AND "pk" = p_pk;
+  INSERT INTO "__lattice_row_grants" ("table_name","pk","grantee_role","granted_by")
+    VALUES (p_table, p_pk, p_grantee, session_user)
+    ON CONFLICT ("table_name","pk","grantee_role") DO NOTHING;
+END $fn$;
+
+-- Owner-only: revoke a member's access to a row.
+CREATE OR REPLACE FUNCTION lattice_revoke_row(p_table text, p_pk text, p_grantee text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_owner text;
+BEGIN
+  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
+    WHERE o."table_name" = p_table AND o."pk" = p_pk;
+  IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
+  IF v_owner <> session_user THEN RAISE EXCEPTION 'lattice: only the row owner may revoke access'; END IF;
+  DELETE FROM "__lattice_row_grants"
+    WHERE "table_name" = p_table AND "pk" = p_pk AND "grantee_role" = p_grantee;
+END $fn$;
+
+-- \u2500\u2500 Per-viewer audience helpers (Stage-0 scaffolding) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+-- The predicates a generated per-column cell-masking view will call. ALL are
+-- SECURITY DEFINER and keyed on session_user (NEVER current_user / SECURITY
+-- INVOKER) so they bind to the real member even when an owner-rights view
+-- executes them \u2014 the identity invariant the whole cloud model depends on. They
+-- are not referenced by any policy or view yet, so they change NO behavior in
+-- Stage-0; a later stage wires them into generated views.
+
+-- Is the connected member the subject of this row (e.g. their own person row)?
+CREATE OR REPLACE FUNCTION lattice_is_subject(p_subject text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT p_subject = session_user
+$fn$;
+
+-- Does the connected member hold a named app role? Reads the owner-managed
+-- member-roles table (which members can't see) keyed on session_user, so a
+-- member cannot grant themselves a role to unmask a column.
+CREATE OR REPLACE FUNCTION lattice_has_role(p_role text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT EXISTS (
+    SELECT 1 FROM "__lattice_member_roles"
+     WHERE "member_role" = session_user AND "app_role" = p_role
+  )
+$fn$;
+
+-- Owner-only: assign an app role to a member (so a fixed-policy masked column
+-- becomes visible to them). Raises unless the caller can create roles (a cloud
+-- owner / DBA).
+CREATE OR REPLACE FUNCTION lattice_assign_role(p_member text, p_role text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may assign app roles';
+  END IF;
+  INSERT INTO "__lattice_member_roles" ("member_role", "app_role")
+    VALUES (p_member, p_role) ON CONFLICT DO NOTHING;
+END $fn$;
+
+-- Owner-only: revoke an app role from a member.
+CREATE OR REPLACE FUNCTION lattice_revoke_role(p_member text, p_role text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may revoke app roles';
+  END IF;
+  DELETE FROM "__lattice_member_roles"
+    WHERE "member_role" = p_member AND "app_role" = p_role;
+END $fn$;
+
+-- Per-card override check: does the connected member hold a specific-cell grant?
+-- The generated mask view ORs this into a masked column's predicate.
+CREATE OR REPLACE FUNCTION lattice_cell_visible(p_table text, p_pk text, p_column text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT EXISTS (
+    SELECT 1 FROM "__lattice_cell_grants"
+     WHERE "table_name" = p_table AND "pk" = p_pk
+       AND "column_name" = p_column AND "grantee_role" = session_user
+  )
+$fn$;
+
+-- Owner-only: grant a member access to one masked cell (a per-card override).
+CREATE OR REPLACE FUNCTION lattice_grant_cell(p_table text, p_pk text, p_column text, p_grantee text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_owner text;
+BEGIN
+  IF COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
+  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
+    WHERE o."table_name" = p_table AND o."pk" = p_pk;
+  IF v_owner IS NULL OR v_owner <> session_user THEN
+    RAISE EXCEPTION 'lattice: only the row owner may set a per-cell audience';
+  END IF;
+  INSERT INTO "__lattice_cell_grants" ("table_name","pk","column_name","grantee_role")
+    VALUES (p_table, p_pk, p_column, p_grantee) ON CONFLICT DO NOTHING;
+END $fn$;
+
+-- Owner-only: revoke a per-cell override.
+CREATE OR REPLACE FUNCTION lattice_revoke_cell(p_table text, p_pk text, p_column text, p_grantee text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_owner text;
+BEGIN
+  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
+    WHERE o."table_name" = p_table AND o."pk" = p_pk;
+  IF v_owner IS NULL OR v_owner <> session_user THEN
+    RAISE EXCEPTION 'lattice: only the row owner may change a per-cell audience';
+  END IF;
+  DELETE FROM "__lattice_cell_grants"
+    WHERE "table_name" = p_table AND "pk" = p_pk
+      AND "column_name" = p_column AND "grantee_role" = p_grantee;
+END $fn$;
+
+-- Can the connected member see a source? Reduces to the source row's own RLS, so
+-- file-sharing drives enrichment visibility for free. p_source_ref is the
+-- source's primary key in the files table.
+CREATE OR REPLACE FUNCTION lattice_source_visible(p_source_ref text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT lattice_row_visible('files', p_source_ref)
+$fn$;
+
+-- Is the connected member the OWNER of this row? Used by the "owner" column
+-- audience (a secret column reveals only to the row owner). SECURITY DEFINER +
+-- session_user, like the other predicates.
+CREATE OR REPLACE FUNCTION lattice_is_owner(p_table text, p_pk text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT EXISTS (
+    SELECT 1 FROM "__lattice_owners" o
+     WHERE o."table_name" = p_table AND o."pk" = p_pk AND o."owner_role" = session_user
+  )
+$fn$;
+
+-- Owner-only: set a table's default row visibility for NEW rows. Raises unless the
+-- caller can create roles (a cloud owner / DBA), like lattice_assign_role. Rejects
+-- 'everyone' on a never-share table.
+CREATE OR REPLACE FUNCTION lattice_set_table_default_visibility(p_table text, p_visibility text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may set a table''s default visibility';
+  END IF;
+  IF p_visibility NOT IN ('private','everyone') THEN
+    RAISE EXCEPTION 'lattice: invalid default visibility %', p_visibility;
+  END IF;
+  IF p_visibility = 'everyone'
+     AND COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table; its rows cannot default to everyone', p_table;
+  END IF;
+  INSERT INTO "__lattice_table_policy" ("table_name","default_row_visibility","updated_by","updated_at")
+    VALUES (p_table, p_visibility, session_user, now())
+    ON CONFLICT ("table_name") DO UPDATE
+      SET "default_row_visibility" = EXCLUDED."default_row_visibility",
+          "updated_by" = session_user, "updated_at" = now();
+END $fn$;
+
+-- Owner-only: mark a table never-shareable (Secrets/Messages-class). When true the
+-- share/grant functions raise and the insert trigger forces new rows private; the
+-- default visibility is also forced private. Turning it ON also RETROACTIVELY
+-- privatizes the table: any row currently shared ('everyone'/'custom') is reset to
+-- 'private' and every existing row/cell grant on the table is dropped \u2014 otherwise
+-- flagging a table never-share would leave already-leaked rows visible, defeating
+-- the point. Idempotent: re-running with already-private rows updates nothing.
+CREATE OR REPLACE FUNCTION lattice_set_table_never_share(p_table text, p_on boolean)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may change a table''s never-share flag';
+  END IF;
+  INSERT INTO "__lattice_table_policy" ("table_name","never_share","default_row_visibility","updated_by","updated_at")
+    VALUES (p_table, p_on, CASE WHEN p_on THEN 'private' ELSE 'private' END, session_user, now())
+    ON CONFLICT ("table_name") DO UPDATE
+      SET "never_share" = EXCLUDED."never_share",
+          "default_row_visibility" = CASE WHEN EXCLUDED."never_share"
+                                          THEN 'private' ELSE "__lattice_table_policy"."default_row_visibility" END,
+          "updated_by" = session_user, "updated_at" = now();
+  IF p_on THEN
+    UPDATE "__lattice_owners" SET "visibility" = 'private', "updated_at" = now()
+      WHERE "table_name" = p_table AND "visibility" <> 'private';
+    DELETE FROM "__lattice_row_grants"  WHERE "table_name" = p_table;
+    DELETE FROM "__lattice_cell_grants" WHERE "table_name" = p_table;
+  END IF;
+END $fn$;
+
+-- Owner-only: set (or clear) a column's audience spec in the canonical DB store.
+-- An empty/null spec removes the policy row (column becomes unmasked). The GUI/lib
+-- regenerates the table's mask view from this store after calling this.
+CREATE OR REPLACE FUNCTION lattice_set_column_audience(p_table text, p_column text, p_audience text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may set a column audience';
+  END IF;
+  IF p_audience IS NULL OR btrim(p_audience) = '' THEN
+    DELETE FROM "__lattice_column_policy" WHERE "table_name" = p_table AND "column_name" = p_column;
+  ELSE
+    INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience","updated_by","updated_at")
+      VALUES (p_table, p_column, p_audience, session_user, now())
+      ON CONFLICT ("table_name","column_name") DO UPDATE
+        SET "audience" = EXCLUDED."audience", "updated_by" = session_user, "updated_at" = now();
+  END IF;
+END $fn$;
+
+-- Append-only change feed. The per-table ownership trigger records one row per
+-- INSERT/UPDATE/DELETE; the AFTER INSERT trigger here fires pg_notify so a
+-- connected member's realtime broker refreshes. Members get no direct access \u2014
+-- the NOTIFY carries only (table, pk, op) metadata, and the SPA refetches the row
+-- itself through RLS, so another member's content is never broadcast.
+CREATE TABLE IF NOT EXISTS "__lattice_changes" (
+  "seq"        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+  "table_name" text NOT NULL,
+  "pk"         text NOT NULL,
+  "op"         text NOT NULL CHECK ("op" IN ('upsert','delete')),
+  "owner_role" text NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE OR REPLACE FUNCTION lattice_notify_change() RETURNS trigger
+LANGUAGE plpgsql AS $fn$
+BEGIN
+  PERFORM pg_notify('lattice_changes', json_build_object(
+    'seq', NEW."seq",
+    'table_name', NEW."table_name",
+    'pk', NEW."pk",
+    'op', NEW."op",
+    'owner_role', NEW."owner_role",
+    'created_at', NEW."created_at"
+  )::text);
+  RETURN NEW;
+END $fn$;
+
+DROP TRIGGER IF EXISTS "lattice_notify_change_trg" ON "__lattice_changes";
+CREATE TRIGGER "lattice_notify_change_trg" AFTER INSERT ON "__lattice_changes"
+  FOR EACH ROW EXECUTE FUNCTION lattice_notify_change();
+`;
+function tableRlsSql(table, pkCols) {
+  const q3 = `"${table.replace(/"/g, '""')}"`;
+  const lit = `'${table.replace(/'/g, "''")}'`;
+  const pkNew = pkSqlExpr(pkCols, "NEW.");
+  const pkOld = pkSqlExpr(pkCols, "OLD.");
+  const pkRow = pkSqlExpr(pkCols, "");
+  const trg = `lattice_track_${table.replace(/[^A-Za-z0-9_]/g, "_")}`;
+  return `
+CREATE OR REPLACE FUNCTION "${trg}"() RETURNS trigger LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF TG_OP = 'INSERT' THEN
+    INSERT INTO "__lattice_owners" ("table_name","pk","owner_role","visibility")
+      VALUES (${lit}, ${pkNew}, session_user,
+        CASE
+          -- never-share always wins: such a table's rows are private, full stop.
+          WHEN COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = ${lit}), false)
+            THEN 'private'
+          -- per-INSERT override: a caller forcing visibility for THIS write (e.g.
+          -- chat "private mode") sets the transaction-local lattice.force_row_visibility
+          -- GUC, so the row is stamped atomically at insert \u2014 never momentarily at
+          -- the table default, and the change-feed NOTIFY (deferred to COMMIT) only
+          -- fires once the row already carries this visibility.
+          WHEN NULLIF(current_setting('lattice.force_row_visibility', true), '') IN ('private','everyone')
+            THEN current_setting('lattice.force_row_visibility', true)
+          ELSE COALESCE((SELECT "default_row_visibility" FROM "__lattice_table_policy" WHERE "table_name" = ${lit}), 'private')
+        END)
+      ON CONFLICT ("table_name","pk") DO NOTHING;
+    INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
+      VALUES (${lit}, ${pkNew}, 'upsert', session_user);
+    RETURN NEW;
+  ELSIF TG_OP = 'UPDATE' THEN
+    INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
+      VALUES (${lit}, ${pkNew}, 'upsert', session_user);
+    RETURN NEW;
+  ELSIF TG_OP = 'DELETE' THEN
+    DELETE FROM "__lattice_owners"     WHERE "table_name" = ${lit} AND "pk" = ${pkOld};
+    DELETE FROM "__lattice_row_grants" WHERE "table_name" = ${lit} AND "pk" = ${pkOld};
+    INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
+      VALUES (${lit}, ${pkOld}, 'delete', session_user);
+    RETURN OLD;
+  END IF;
+  RETURN NEW;
+END $fn$;
+
+ALTER TABLE ${q3} ENABLE ROW LEVEL SECURITY;
+ALTER TABLE ${q3} FORCE ROW LEVEL SECURITY;
+GRANT SELECT, INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP};
+
+DROP POLICY IF EXISTS "lattice_sel" ON ${q3};
+CREATE POLICY "lattice_sel" ON ${q3} FOR SELECT USING (lattice_row_visible(${lit}, ${pkRow}));
+DROP POLICY IF EXISTS "lattice_upd" ON ${q3};
+CREATE POLICY "lattice_upd" ON ${q3} FOR UPDATE USING (lattice_row_visible(${lit}, ${pkRow}))
+                                              WITH CHECK (lattice_row_visible(${lit}, ${pkRow}));
+DROP POLICY IF EXISTS "lattice_del" ON ${q3};
+CREATE POLICY "lattice_del" ON ${q3} FOR DELETE USING (lattice_row_visible(${lit}, ${pkRow}));
+DROP POLICY IF EXISTS "lattice_ins" ON ${q3};
+CREATE POLICY "lattice_ins" ON ${q3} FOR INSERT WITH CHECK (true);
+
+DROP TRIGGER IF EXISTS "${trg}" ON ${q3};
+CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
+  FOR EACH ROW EXECUTE FUNCTION "${trg}"();
+`;
+}
+async function installCloudRls(db) {
+  if (!isPg(db)) return;
+  const schema = await cloudSchema(db);
+  const migration = {
+    // v3 added the audience helpers; v4 the role model; v5 the per-card override
+    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell);
+    // v6 added per-table policy (__lattice_table_policy: default_row_visibility +
+    // never_share, enforced in the insert trigger + share/grant guards), the
+    // canonical column-audience store (__lattice_column_policy), lattice_is_owner,
+    // and the owner-only setters; v7 pins search_path on every SECURITY DEFINER
+    // helper (closes the pg_temp-shadow RLS bypass) + revokes schema CREATE from
+    // PUBLIC. The bootstrap is fully idempotent.
+    version: "internal:cloud-rls:bootstrap:v7",
+    sql: pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema)
+  };
+  await db.migrate([migration]);
+}
+async function enableChangelogRls(db) {
+  if (!isPg(db)) return;
+  const migration = {
+    // v2: ground-truth/audit entries are owner-only (was lattice_row_visible),
+    // closing the masked-column-via-history leak. Bump re-installs the policy on
+    // existing clouds.
+    version: "internal:cloud-rls:changelog:v2",
+    sql: `
+ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
+GRANT SELECT, INSERT ON "__lattice_changelog" TO ${MEMBER_GROUP};
+
+DROP POLICY IF EXISTS "lattice_changelog_sel" ON "__lattice_changelog";
+CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING (
+  CASE
+    WHEN "change_kind" = 'derived' THEN
+      "source_ref" IS NOT NULL
+      AND NOT EXISTS (
+        SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
+         WHERE NOT lattice_source_visible(src.sid)
+      )
+    ELSE lattice_is_owner("table_name", "row_id")
+  END
+);
+DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
+CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH CHECK (true);
+`
+  };
+  await db.migrate([migration]);
+}
+async function enableRlsForTable(db, table, pkCols) {
+  if (!isPg(db)) return;
+  const schema = await cloudSchema(db);
+  const migration = {
+    version: `internal:cloud-rls:table:${table}:v3`,
+    sql: pinDefinerSearchPath(tableRlsSql(table, pkCols), schema)
+  };
+  await db.migrate([migration]);
+}
+async function backfillOwnership(db, table, pkCols) {
+  if (!isPg(db) || pkCols.length === 0) return;
+  const q3 = `"${table.replace(/"/g, '""')}"`;
+  const lit = `'${table.replace(/'/g, "''")}'`;
+  const pkRow = pkSqlExpr(pkCols, "");
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_owners" ("table_name","pk","owner_role","visibility")
+       SELECT ${lit}, ${pkRow}, current_user, 'private' FROM ${q3}
+       ON CONFLICT ("table_name","pk") DO NOTHING`
+  );
+}
+
+// src/cloud/members.ts
+var ROLE_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
+var HEX_PW_RE = /^[0-9a-f]{16,}$/;
+function assertPg(db) {
+  if (db.getDialect() !== "postgres") {
+    throw new Error(
+      "lattice: cloud members require a Postgres cloud (SQLite is single-user/local)"
+    );
+  }
+}
+function generateMemberPassword() {
+  return randomBytes5(24).toString("hex");
+}
+function memberRoleName(label) {
+  const base = label.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "").slice(0, 48) || "member";
+  return `lm_${base}_${randomBytes5(3).toString("hex")}`.slice(0, 63);
+}
+async function provisionMemberRole(db, role, password) {
+  assertPg(db);
+  if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
+  if (!HEX_PW_RE.test(password)) {
+    throw new Error("lattice: member password must be hex \u2014 use generateMemberPassword()");
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `DO $LATTICE$ BEGIN
+       IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
+         CREATE ROLE "${role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+       ELSE
+         ALTER ROLE "${role}" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+       END IF;
+     END $LATTICE$`
+  );
+  await runAsyncOrSync(db.adapter, `GRANT ${MEMBER_GROUP} TO "${role}"`);
+}
+var VISIBILITY = /* @__PURE__ */ new Set(["private", "everyone"]);
+async function setRowVisibility(db, table, pk, visibility) {
+  assertPg(db);
+  if (!VISIBILITY.has(visibility)) {
+    throw new Error(`lattice: invalid visibility "${visibility}" (expected private | everyone)`);
+  }
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_row_visibility(?, ?, ?)`, [
+    table,
+    pk,
+    visibility
+  ]);
+}
+async function rowAccessSummaries(db, table, pks) {
+  const out = /* @__PURE__ */ new Map();
+  if (db.getDialect() !== "postgres" || pks.length === 0) return out;
+  if (!await cloudRlsInstalled(db)) return out;
+  const placeholders = pks.map(() => "?").join(", ");
+  const owners = await allAsyncOrSync(
+    db.adapter,
+    `SELECT "pk", "visibility", ("owner_role" = session_user) AS owned
+       FROM "__lattice_owners"
+      WHERE "table_name" = ? AND "pk" IN (${placeholders})`,
+    [table, ...pks]
+  );
+  for (const o3 of owners) {
+    out.set(o3.pk, {
+      visibility: o3.visibility ?? "private",
+      ownedByMe: o3.owned === true || o3.owned === "t" || o3.owned === 1
+    });
+  }
+  const customPks = owners.filter((o3) => o3.visibility === "custom").map((o3) => o3.pk);
+  if (customPks.length > 0) {
+    const cph = customPks.map(() => "?").join(", ");
+    const grants = await allAsyncOrSync(
+      db.adapter,
+      `SELECT "pk", "grantee_role" FROM "__lattice_row_grants"
+         WHERE "table_name" = ? AND "pk" IN (${cph})`,
+      [table, ...customPks]
+    );
+    for (const g6 of grants) {
+      const a6 = out.get(g6.pk);
+      if (a6) (a6.grantees ??= []).push(g6.grantee_role);
+    }
+  }
+  return out;
+}
+async function assertScopedMemberRole(db, role) {
+  assertPg(db);
+  const row = await getAsyncOrSync(
+    db.adapter,
+    `SELECT rolsuper, rolcreaterole, rolbypassrls, (rolname = session_user) AS is_self
+       FROM pg_roles WHERE rolname = ?`,
+    [role]
+  );
+  if (!row) throw new Error(`lattice: role "${role}" does not exist`);
+  const truthy = (v2) => v2 === true || v2 === "t" || v2 === 1;
+  if (truthy(row.rolsuper) || truthy(row.rolcreaterole) || truthy(row.rolbypassrls)) {
+    throw new Error("lattice: refusing to embed a privileged role in an invite token");
+  }
+  if (truthy(row.is_self)) {
+    throw new Error("lattice: refusing to embed the cloud owner role in an invite token");
+  }
+}
+async function grantCell(db, table, pk, column, grantee) {
+  assertPg(db);
+  await runAsyncOrSync(db.adapter, `SELECT lattice_grant_cell(?, ?, ?, ?)`, [
+    table,
+    pk,
+    column,
+    grantee
+  ]);
+}
+async function revokeCell(db, table, pk, column, grantee) {
+  assertPg(db);
+  await runAsyncOrSync(db.adapter, `SELECT lattice_revoke_cell(?, ?, ?, ?)`, [
+    table,
+    pk,
+    column,
+    grantee
+  ]);
+}
+
 // src/gui/feed.ts
 import { EventEmitter as EventEmitter2 } from "events";
 var EVENT = "feed";
@@ -53897,6 +55155,132 @@ var FeedBus = class {
   }
 };
 
+// src/cloud/audience.ts
+var ROLE_NAME_RE = /^[A-Za-z0-9_-]{1,63}$/;
+var COL_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
+function isRowAudience(audience) {
+  const a6 = (audience ?? "").trim();
+  return a6 === "" || a6 === "everyone" || a6 === "row-audience";
+}
+function audiencePredicate(audience, ctx) {
+  if (isRowAudience(audience)) return "true";
+  const clauses = audience.split("+").map((c6) => c6.trim()).filter(Boolean);
+  const parts = [];
+  for (const clause of clauses) {
+    if (clause === "everyone" || clause === "row-audience") return "true";
+    if (clause === "owner") {
+      if (!ctx) throw new Error('lattice: the "owner" audience needs a row context');
+      parts.push(`lattice_is_owner(${ctx.tableLit}, ${ctx.pkExpr})`);
+      continue;
+    }
+    const idx = clause.indexOf(":");
+    const kind = idx === -1 ? clause : clause.slice(0, idx);
+    const arg = idx === -1 ? "" : clause.slice(idx + 1).trim();
+    if (kind === "role") {
+      if (!ROLE_NAME_RE.test(arg)) throw new Error(`lattice: invalid role in audience "${clause}"`);
+      parts.push(`lattice_has_role('${arg}')`);
+    } else if (kind === "subject") {
+      if (!COL_RE.test(arg))
+        throw new Error(`lattice: invalid subject column in audience "${clause}"`);
+      parts.push(`lattice_is_subject("${arg}")`);
+    } else if (kind === "source") {
+      if (!COL_RE.test(arg))
+        throw new Error(`lattice: invalid source column in audience "${clause}"`);
+      parts.push(`lattice_source_visible("${arg}")`);
+    } else {
+      throw new Error(`lattice: unknown audience clause "${clause}"`);
+    }
+  }
+  return parts.length > 0 ? parts.map((p3) => `(${p3})`).join(" OR ") : "true";
+}
+function tableNeedsAudienceView(columnAudience) {
+  return Object.values(columnAudience).some((a6) => !isRowAudience(a6));
+}
+function quoteIdent(s2) {
+  return `"${s2.replace(/"/g, '""')}"`;
+}
+function audienceViewSql(table, columns, pkCols, columnAudience) {
+  const view = quoteIdent(`${table}_v`);
+  const base = quoteIdent(table);
+  const lit = `'${table.replace(/'/g, "''")}'`;
+  const pkExpr = pkSqlExpr(pkCols, "");
+  const selectCols = columns.map((col) => {
+    const aud = columnAudience[col] ?? "";
+    if (isRowAudience(aud)) return quoteIdent(col);
+    const pred = audiencePredicate(aud, { tableLit: lit, pkExpr });
+    if (pred === "true") return quoteIdent(col);
+    const colLit = `'${col.replace(/'/g, "''")}'`;
+    const full = `(${pred}) OR lattice_cell_visible(${lit}, ${pkExpr}, ${colLit})`;
+    return `CASE WHEN ${full} THEN ${quoteIdent(col)} END AS ${quoteIdent(col)}`;
+  });
+  return [
+    `CREATE OR REPLACE VIEW ${view} AS SELECT ${selectCols.join(", ")} FROM ${base} WHERE lattice_row_visible(${lit}, ${pkSqlExpr(pkCols, "")});`,
+    `GRANT SELECT ON ${view} TO ${MEMBER_GROUP};`,
+    `REVOKE SELECT ON ${base} FROM ${MEMBER_GROUP};`
+  ].join("\n");
+}
+async function loadColumnPolicy(db, table) {
+  if (db.getDialect() !== "postgres") return {};
+  const rows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT "column_name", "audience" FROM "__lattice_column_policy" WHERE "table_name" = ?`,
+    [table]
+  );
+  const out = {};
+  for (const r6 of rows) out[r6.column_name] = r6.audience;
+  return out;
+}
+async function seedColumnPolicyFromYaml(db, table, yamlAudience) {
+  if (db.getDialect() !== "postgres") return;
+  const marker = `internal:cloud-column-seed:${table}:v1`;
+  const already = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS one FROM "__lattice_migrations" WHERE "version" = ?`,
+    [marker]
+  );
+  if (already) return;
+  for (const [col, aud] of Object.entries(yamlAudience)) {
+    if (isRowAudience(aud)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience")
+         VALUES (?, ?, ?) ON CONFLICT ("table_name","column_name") DO NOTHING`,
+      [table, col, aud]
+    );
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_migrations" ("version","applied_at") VALUES (?, ?)
+       ON CONFLICT ("version") DO NOTHING`,
+    [marker, (/* @__PURE__ */ new Date()).toISOString()]
+  );
+}
+async function regenerateAudienceViewFromDb(db, table, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  if (pkCols.length === 0) return;
+  const spec = await loadColumnPolicy(db, table);
+  const view = quoteIdent(`${table}_v`);
+  const base = quoteIdent(table);
+  if (!tableNeedsAudienceView(spec)) {
+    await runAsyncOrSync(
+      db.adapter,
+      `DROP VIEW IF EXISTS ${view};
+GRANT SELECT ON ${base} TO ${MEMBER_GROUP};`
+    );
+    return;
+  }
+  await runAsyncOrSync(db.adapter, audienceViewSql(table, columns, pkCols, spec));
+}
+async function setColumnAudience(db, table, column, audience, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_column_audience(?, ?, ?)`, [
+    table,
+    column,
+    audience
+  ]);
+  await regenerateAudienceViewFromDb(db, table, columns, pkCols);
+}
+
 // src/gui/mutations.ts
 function rowLabel2(row) {
   if (!row || typeof row !== "object") return null;
@@ -54010,8 +55394,44 @@ async function recordSchemaAudit(db, feed, table, operation2, before, after, sum
   });
   feed.publish({ table, op: "schema", rowId: null, source, summary });
 }
-async function createRow(ctx, table, values) {
-  const id = await ctx.db.insert(table, values);
+function inferColumnType(v2) {
+  if (typeof v2 === "number") return Number.isInteger(v2) ? "INTEGER" : "REAL";
+  if (typeof v2 === "boolean") return "INTEGER";
+  return "TEXT";
+}
+async function ensureColumns(db, table, values) {
+  if (table.startsWith("_lattice_") || table.startsWith("__lattice_")) return [];
+  const existing = db.getRegisteredColumns(table);
+  if (!existing) return [];
+  const added = Object.keys(values).filter((k6) => !(k6 in existing));
+  if (added.length === 0) return [];
+  for (const col of added) await db.addColumn(table, col, inferColumnType(values[col]));
+  if (db.getDialect() === "postgres" && await cloudRlsInstalled(db)) {
+    const cols = db.getRegisteredColumns(table);
+    const pk = db.getPrimaryKey(table);
+    if (cols && pk.length > 0) await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
+  }
+  return added;
+}
+async function announceAddedColumns(ctx, table, added) {
+  if (added.length === 0) return;
+  const summary = `Added column${added.length > 1 ? "s" : ""} ${added.join(", ")} to ${table}`;
+  await recordSchemaAudit(
+    ctx.db,
+    ctx.feed,
+    table,
+    "schema.add_column",
+    null,
+    { columns: added },
+    summary,
+    ctx.source,
+    ctx.sessionId
+  );
+}
+async function createRow(ctx, table, values, forceVisibility) {
+  const addedCols = await ensureColumns(ctx.db, table, values);
+  await announceAddedColumns(ctx, table, addedCols);
+  const id = forceVisibility !== void 0 ? await ctx.db.insertForcingVisibility(table, values, forceVisibility) : await ctx.db.insert(table, values);
   const row = await ctx.db.get(table, id);
   await appendAudit(ctx.db, ctx.feed, table, id, "insert", null, row, ctx.source, ctx.sessionId);
   return { id, row };
@@ -54035,6 +55455,8 @@ async function updateRow(ctx, table, id, values) {
   if (before === null) {
     throw new Error(`Cannot update "${table}": no row with id "${id}"`);
   }
+  const addedCols = await ensureColumns(ctx.db, table, values);
+  await announceAddedColumns(ctx, table, addedCols);
   await ctx.db.update(table, id, values);
   const after = await ctx.db.get(table, id);
   if (after != null) {
@@ -54746,376 +56168,6 @@ function resolveActiveS3Config(configPath) {
   return fromEnv();
 }
 
-// src/cloud/rls.ts
-function isPg(db) {
-  return db.getDialect() === "postgres";
-}
-function pkSqlExpr(pkCols, prefix) {
-  if (pkCols.length === 0) {
-    throw new Error("cloud RLS: cannot key a table with no primary key column");
-  }
-  return pkCols.map((c6) => `CAST(${prefix}"${c6}" AS TEXT)`).join(` || chr(9) || `);
-}
-var MEMBER_GROUP = "lattice_members";
-var CLOUD_RLS_BOOTSTRAP_SQL = `
--- Member group (NOLOGIN). Members inherit schema/connect/table privileges from it;
--- RLS filters per the individual member's login role, so the group never widens
--- what a member can see. Idempotent.
-DO $LATTICE$ BEGIN
-  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${MEMBER_GROUP}') THEN
-    CREATE ROLE ${MEMBER_GROUP} NOLOGIN;
-  END IF;
-  EXECUTE format('GRANT USAGE ON SCHEMA %I TO ${MEMBER_GROUP}', current_schema());
-  EXECUTE format('GRANT CONNECT ON DATABASE %I TO ${MEMBER_GROUP}', current_database());
-END $LATTICE$;
-
-CREATE TABLE IF NOT EXISTS "__lattice_owners" (
-  "table_name" text NOT NULL,
-  "pk"         text NOT NULL,
-  "owner_role" text NOT NULL,
-  "visibility" text NOT NULL DEFAULT 'private' CHECK ("visibility" IN ('private','everyone','custom')),
-  "created_at" timestamptz NOT NULL DEFAULT now(),
-  "updated_at" timestamptz NOT NULL DEFAULT now(),
-  PRIMARY KEY ("table_name", "pk")
-);
-
-CREATE TABLE IF NOT EXISTS "__lattice_row_grants" (
-  "table_name"   text NOT NULL,
-  "pk"           text NOT NULL,
-  "grantee_role" text NOT NULL,
-  "granted_by"   text NOT NULL,
-  "granted_at"   timestamptz NOT NULL DEFAULT now(),
-  PRIMARY KEY ("table_name", "pk", "grantee_role")
-);
-
-CREATE INDEX IF NOT EXISTS "idx_lattice_row_grants_grantee"
-  ON "__lattice_row_grants" ("grantee_role", "table_name", "pk");
-
--- App-role assignments for the audience layer: maps a member's login role to the
--- named app roles (e.g. 'hr') a fixed-policy column may require. Owner-managed;
--- members cannot read or write it (no grant), so a member can't self-promote.
-CREATE TABLE IF NOT EXISTS "__lattice_member_roles" (
-  "member_role" text NOT NULL,
-  "app_role"    text NOT NULL,
-  "granted_by"  text NOT NULL DEFAULT session_user,
-  "granted_at"  timestamptz NOT NULL DEFAULT now(),
-  PRIMARY KEY ("member_role", "app_role")
-);
-
--- Per-card audience overrides: a row owner can grant a SPECIFIC member access to
--- a SPECIFIC masked cell (table + pk + column), without changing the column's
--- schema-level audience. The generated mask view ORs this in. Owner-managed;
--- members can't read or write it.
-CREATE TABLE IF NOT EXISTS "__lattice_cell_grants" (
-  "table_name"   text NOT NULL,
-  "pk"           text NOT NULL,
-  "column_name"  text NOT NULL,
-  "grantee_role" text NOT NULL,
-  "granted_by"   text NOT NULL DEFAULT session_user,
-  "granted_at"   timestamptz NOT NULL DEFAULT now(),
-  PRIMARY KEY ("table_name", "pk", "column_name", "grantee_role")
-);
-
--- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
--- keyed on session_user (the member's login role). A row with no ownership record
--- is visible to nobody.
-CREATE OR REPLACE FUNCTION lattice_row_visible(p_table text, p_pk text)
-RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
-  SELECT EXISTS (
-    SELECT 1 FROM "__lattice_owners" o
-     WHERE o."table_name" = p_table AND o."pk" = p_pk
-       AND ( o."owner_role" = session_user
-          OR o."visibility" = 'everyone'
-          OR ( o."visibility" = 'custom' AND EXISTS (
-                 SELECT 1 FROM "__lattice_row_grants" g
-                  WHERE g."table_name" = o."table_name" AND g."pk" = o."pk"
-                    AND g."grantee_role" = session_user)))
-  );
-$fn$;
-
--- Owner-only: change a row's visibility. Raises if the caller is not the owner.
-CREATE OR REPLACE FUNCTION lattice_set_row_visibility(p_table text, p_pk text, p_visibility text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-DECLARE v_owner text;
-BEGIN
-  IF p_visibility NOT IN ('private','everyone','custom') THEN
-    RAISE EXCEPTION 'lattice: invalid visibility %', p_visibility;
-  END IF;
-  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
-    WHERE o."table_name" = p_table AND o."pk" = p_pk;
-  IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
-  IF v_owner <> session_user THEN RAISE EXCEPTION 'lattice: only the row owner may change its sharing'; END IF;
-  UPDATE "__lattice_owners" SET "visibility" = p_visibility, "updated_at" = now()
-    WHERE "table_name" = p_table AND "pk" = p_pk;
-END $fn$;
-
--- Owner-only: grant a specific member access to a row (sets visibility = 'custom').
-CREATE OR REPLACE FUNCTION lattice_grant_row(p_table text, p_pk text, p_grantee text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-DECLARE v_owner text;
-BEGIN
-  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
-    WHERE o."table_name" = p_table AND o."pk" = p_pk;
-  IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
-  IF v_owner <> session_user THEN RAISE EXCEPTION 'lattice: only the row owner may grant access'; END IF;
-  UPDATE "__lattice_owners" SET "visibility" = 'custom', "updated_at" = now()
-    WHERE "table_name" = p_table AND "pk" = p_pk;
-  INSERT INTO "__lattice_row_grants" ("table_name","pk","grantee_role","granted_by")
-    VALUES (p_table, p_pk, p_grantee, session_user)
-    ON CONFLICT ("table_name","pk","grantee_role") DO NOTHING;
-END $fn$;
-
--- Owner-only: revoke a member's access to a row.
-CREATE OR REPLACE FUNCTION lattice_revoke_row(p_table text, p_pk text, p_grantee text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-DECLARE v_owner text;
-BEGIN
-  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
-    WHERE o."table_name" = p_table AND o."pk" = p_pk;
-  IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
-  IF v_owner <> session_user THEN RAISE EXCEPTION 'lattice: only the row owner may revoke access'; END IF;
-  DELETE FROM "__lattice_row_grants"
-    WHERE "table_name" = p_table AND "pk" = p_pk AND "grantee_role" = p_grantee;
-END $fn$;
-
--- \u2500\u2500 Per-viewer audience helpers (Stage-0 scaffolding) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
--- The predicates a generated per-column cell-masking view will call. ALL are
--- SECURITY DEFINER and keyed on session_user (NEVER current_user / SECURITY
--- INVOKER) so they bind to the real member even when an owner-rights view
--- executes them \u2014 the identity invariant the whole cloud model depends on. They
--- are not referenced by any policy or view yet, so they change NO behavior in
--- Stage-0; a later stage wires them into generated views.
-
--- Is the connected member the subject of this row (e.g. their own person row)?
-CREATE OR REPLACE FUNCTION lattice_is_subject(p_subject text)
-RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
-  SELECT p_subject = session_user
-$fn$;
-
--- Does the connected member hold a named app role? Reads the owner-managed
--- member-roles table (which members can't see) keyed on session_user, so a
--- member cannot grant themselves a role to unmask a column.
-CREATE OR REPLACE FUNCTION lattice_has_role(p_role text)
-RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
-  SELECT EXISTS (
-    SELECT 1 FROM "__lattice_member_roles"
-     WHERE "member_role" = session_user AND "app_role" = p_role
-  )
-$fn$;
-
--- Owner-only: assign an app role to a member (so a fixed-policy masked column
--- becomes visible to them). Raises unless the caller can create roles (a cloud
--- owner / DBA).
-CREATE OR REPLACE FUNCTION lattice_assign_role(p_member text, p_role text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-BEGIN
-  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
-    RAISE EXCEPTION 'lattice: only a cloud owner may assign app roles';
-  END IF;
-  INSERT INTO "__lattice_member_roles" ("member_role", "app_role")
-    VALUES (p_member, p_role) ON CONFLICT DO NOTHING;
-END $fn$;
-
--- Owner-only: revoke an app role from a member.
-CREATE OR REPLACE FUNCTION lattice_revoke_role(p_member text, p_role text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-BEGIN
-  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
-    RAISE EXCEPTION 'lattice: only a cloud owner may revoke app roles';
-  END IF;
-  DELETE FROM "__lattice_member_roles"
-    WHERE "member_role" = p_member AND "app_role" = p_role;
-END $fn$;
-
--- Per-card override check: does the connected member hold a specific-cell grant?
--- The generated mask view ORs this into a masked column's predicate.
-CREATE OR REPLACE FUNCTION lattice_cell_visible(p_table text, p_pk text, p_column text)
-RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
-  SELECT EXISTS (
-    SELECT 1 FROM "__lattice_cell_grants"
-     WHERE "table_name" = p_table AND "pk" = p_pk
-       AND "column_name" = p_column AND "grantee_role" = session_user
-  )
-$fn$;
-
--- Owner-only: grant a member access to one masked cell (a per-card override).
-CREATE OR REPLACE FUNCTION lattice_grant_cell(p_table text, p_pk text, p_column text, p_grantee text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-DECLARE v_owner text;
-BEGIN
-  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
-    WHERE o."table_name" = p_table AND o."pk" = p_pk;
-  IF v_owner IS NULL OR v_owner <> session_user THEN
-    RAISE EXCEPTION 'lattice: only the row owner may set a per-cell audience';
-  END IF;
-  INSERT INTO "__lattice_cell_grants" ("table_name","pk","column_name","grantee_role")
-    VALUES (p_table, p_pk, p_column, p_grantee) ON CONFLICT DO NOTHING;
-END $fn$;
-
--- Owner-only: revoke a per-cell override.
-CREATE OR REPLACE FUNCTION lattice_revoke_cell(p_table text, p_pk text, p_column text, p_grantee text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-DECLARE v_owner text;
-BEGIN
-  SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
-    WHERE o."table_name" = p_table AND o."pk" = p_pk;
-  IF v_owner IS NULL OR v_owner <> session_user THEN
-    RAISE EXCEPTION 'lattice: only the row owner may change a per-cell audience';
-  END IF;
-  DELETE FROM "__lattice_cell_grants"
-    WHERE "table_name" = p_table AND "pk" = p_pk
-      AND "column_name" = p_column AND "grantee_role" = p_grantee;
-END $fn$;
-
--- Can the connected member see a source? Reduces to the source row's own RLS, so
--- file-sharing drives enrichment visibility for free. p_source_ref is the
--- source's primary key in the files table.
-CREATE OR REPLACE FUNCTION lattice_source_visible(p_source_ref text)
-RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
-  SELECT lattice_row_visible('files', p_source_ref)
-$fn$;
-
--- Append-only change feed. The per-table ownership trigger records one row per
--- INSERT/UPDATE/DELETE; the AFTER INSERT trigger here fires pg_notify so a
--- connected member's realtime broker refreshes. Members get no direct access \u2014
--- the NOTIFY carries only (table, pk, op) metadata, and the SPA refetches the row
--- itself through RLS, so another member's content is never broadcast.
-CREATE TABLE IF NOT EXISTS "__lattice_changes" (
-  "seq"        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
-  "table_name" text NOT NULL,
-  "pk"         text NOT NULL,
-  "op"         text NOT NULL CHECK ("op" IN ('upsert','delete')),
-  "owner_role" text NOT NULL,
-  "created_at" timestamptz NOT NULL DEFAULT now()
-);
-
-CREATE OR REPLACE FUNCTION lattice_notify_change() RETURNS trigger
-LANGUAGE plpgsql AS $fn$
-BEGIN
-  PERFORM pg_notify('lattice_changes', json_build_object(
-    'seq', NEW."seq",
-    'table_name', NEW."table_name",
-    'pk', NEW."pk",
-    'op', NEW."op",
-    'owner_role', NEW."owner_role",
-    'created_at', NEW."created_at"
-  )::text);
-  RETURN NEW;
-END $fn$;
-
-DROP TRIGGER IF EXISTS "lattice_notify_change_trg" ON "__lattice_changes";
-CREATE TRIGGER "lattice_notify_change_trg" AFTER INSERT ON "__lattice_changes"
-  FOR EACH ROW EXECUTE FUNCTION lattice_notify_change();
-`;
-function tableRlsSql(table, pkCols) {
-  const q3 = `"${table.replace(/"/g, '""')}"`;
-  const lit = `'${table.replace(/'/g, "''")}'`;
-  const pkNew = pkSqlExpr(pkCols, "NEW.");
-  const pkOld = pkSqlExpr(pkCols, "OLD.");
-  const pkRow = pkSqlExpr(pkCols, "");
-  const trg = `lattice_track_${table.replace(/[^A-Za-z0-9_]/g, "_")}`;
-  return `
-CREATE OR REPLACE FUNCTION "${trg}"() RETURNS trigger LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-BEGIN
-  IF TG_OP = 'INSERT' THEN
-    INSERT INTO "__lattice_owners" ("table_name","pk","owner_role","visibility")
-      VALUES (${lit}, ${pkNew}, session_user, 'private')
-      ON CONFLICT ("table_name","pk") DO NOTHING;
-    INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
-      VALUES (${lit}, ${pkNew}, 'upsert', session_user);
-    RETURN NEW;
-  ELSIF TG_OP = 'UPDATE' THEN
-    INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
-      VALUES (${lit}, ${pkNew}, 'upsert', session_user);
-    RETURN NEW;
-  ELSIF TG_OP = 'DELETE' THEN
-    DELETE FROM "__lattice_owners"     WHERE "table_name" = ${lit} AND "pk" = ${pkOld};
-    DELETE FROM "__lattice_row_grants" WHERE "table_name" = ${lit} AND "pk" = ${pkOld};
-    INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
-      VALUES (${lit}, ${pkOld}, 'delete', session_user);
-    RETURN OLD;
-  END IF;
-  RETURN NEW;
-END $fn$;
-
-ALTER TABLE ${q3} ENABLE ROW LEVEL SECURITY;
-ALTER TABLE ${q3} FORCE ROW LEVEL SECURITY;
-GRANT SELECT, INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP};
-
-DROP POLICY IF EXISTS "lattice_sel" ON ${q3};
-CREATE POLICY "lattice_sel" ON ${q3} FOR SELECT USING (lattice_row_visible(${lit}, ${pkRow}));
-DROP POLICY IF EXISTS "lattice_upd" ON ${q3};
-CREATE POLICY "lattice_upd" ON ${q3} FOR UPDATE USING (lattice_row_visible(${lit}, ${pkRow}))
-                                              WITH CHECK (lattice_row_visible(${lit}, ${pkRow}));
-DROP POLICY IF EXISTS "lattice_del" ON ${q3};
-CREATE POLICY "lattice_del" ON ${q3} FOR DELETE USING (lattice_row_visible(${lit}, ${pkRow}));
-DROP POLICY IF EXISTS "lattice_ins" ON ${q3};
-CREATE POLICY "lattice_ins" ON ${q3} FOR INSERT WITH CHECK (true);
-
-DROP TRIGGER IF EXISTS "${trg}" ON ${q3};
-CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
-  FOR EACH ROW EXECUTE FUNCTION "${trg}"();
-`;
-}
-async function installCloudRls(db) {
-  if (!isPg(db)) return;
-  const migration = {
-    // v3 added the audience helpers; v4 the role model; v5 the per-card override
-    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell).
-    // The bootstrap is fully idempotent (CREATE OR REPLACE / IF NOT EXISTS).
-    version: "internal:cloud-rls:bootstrap:v5",
-    sql: CLOUD_RLS_BOOTSTRAP_SQL
-  };
-  await db.migrate([migration]);
-}
-async function enableChangelogRls(db) {
-  if (!isPg(db)) return;
-  const migration = {
-    version: "internal:cloud-rls:changelog:v1",
-    sql: `
-ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
-ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
-GRANT SELECT, INSERT ON "__lattice_changelog" TO ${MEMBER_GROUP};
-
-DROP POLICY IF EXISTS "lattice_changelog_sel" ON "__lattice_changelog";
-CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING (
-  CASE
-    WHEN "change_kind" = 'derived' THEN
-      "source_ref" IS NOT NULL
-      AND NOT EXISTS (
-        SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
-         WHERE NOT lattice_source_visible(src.sid)
-      )
-    ELSE lattice_row_visible("table_name", "row_id")
-  END
-);
-DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
-CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH CHECK (true);
-`
-  };
-  await db.migrate([migration]);
-}
-async function enableRlsForTable(db, table, pkCols) {
-  if (!isPg(db)) return;
-  const migration = {
-    version: `internal:cloud-rls:table:${table}:v2`,
-    sql: tableRlsSql(table, pkCols)
-  };
-  await db.migrate([migration]);
-}
-async function backfillOwnership(db, table, pkCols) {
-  if (!isPg(db) || pkCols.length === 0) return;
-  const q3 = `"${table.replace(/"/g, '""')}"`;
-  const lit = `'${table.replace(/'/g, "''")}'`;
-  const pkRow = pkSqlExpr(pkCols, "");
-  await runAsyncOrSync(
-    db.adapter,
-    `INSERT INTO "__lattice_owners" ("table_name","pk","owner_role","visibility")
-       SELECT ${lit}, ${pkRow}, current_user, 'private' FROM ${q3}
-       ON CONFLICT ("table_name","pk") DO NOTHING`
-  );
-}
-
 // src/cloud/settings.ts
 var CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
 var CLOUD_SETTINGS_BOOTSTRAP_SQL = `
@@ -55155,9 +56207,12 @@ END $fn$;
 `;
 async function installCloudSettings(db) {
   if (db.getDialect() !== "postgres") return;
+  const schema = await cloudSchema(db);
   const migration = {
-    version: "internal:cloud-settings:v1",
-    sql: CLOUD_SETTINGS_BOOTSTRAP_SQL
+    // v2 pins search_path on the two SECURITY DEFINER helpers (closes the
+    // pg_temp-shadow class of bypass on the settings getter/setter).
+    version: "internal:cloud-settings:v2",
+    sql: pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema)
   };
   await db.migrate([migration]);
 }
@@ -55185,89 +56240,6 @@ async function setCloudSetting(db, key, value) {
   await runAsyncOrSync(db.adapter, `SELECT lattice_set_cloud_setting(?, ?)`, [key, value]);
 }
 
-// src/cloud/audience.ts
-var ROLE_NAME_RE = /^[A-Za-z0-9_-]{1,63}$/;
-var COL_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
-function isRowAudience(audience) {
-  const a6 = (audience ?? "").trim();
-  return a6 === "" || a6 === "everyone" || a6 === "row-audience";
-}
-function audiencePredicate(audience) {
-  if (isRowAudience(audience)) return "true";
-  const clauses = audience.split("+").map((c6) => c6.trim()).filter(Boolean);
-  const parts = [];
-  for (const clause of clauses) {
-    if (clause === "everyone" || clause === "row-audience") return "true";
-    const idx = clause.indexOf(":");
-    const kind = idx === -1 ? clause : clause.slice(0, idx);
-    const arg = idx === -1 ? "" : clause.slice(idx + 1).trim();
-    if (kind === "role") {
-      if (!ROLE_NAME_RE.test(arg)) throw new Error(`lattice: invalid role in audience "${clause}"`);
-      parts.push(`lattice_has_role('${arg}')`);
-    } else if (kind === "subject") {
-      if (!COL_RE.test(arg))
-        throw new Error(`lattice: invalid subject column in audience "${clause}"`);
-      parts.push(`lattice_is_subject("${arg}")`);
-    } else if (kind === "source") {
-      if (!COL_RE.test(arg))
-        throw new Error(`lattice: invalid source column in audience "${clause}"`);
-      parts.push(`lattice_source_visible("${arg}")`);
-    } else {
-      throw new Error(`lattice: unknown audience clause "${clause}"`);
-    }
-  }
-  return parts.length > 0 ? parts.map((p3) => `(${p3})`).join(" OR ") : "true";
-}
-function tableNeedsAudienceView(columnAudience) {
-  return Object.values(columnAudience).some((a6) => !isRowAudience(a6));
-}
-function quoteIdent(s2) {
-  return `"${s2.replace(/"/g, '""')}"`;
-}
-function audienceViewSql(table, columns, pkCols, columnAudience) {
-  const view = quoteIdent(`${table}_v`);
-  const base = quoteIdent(table);
-  const lit = `'${table.replace(/'/g, "''")}'`;
-  const pkExpr = pkSqlExpr(pkCols, "");
-  const selectCols = columns.map((col) => {
-    const aud = columnAudience[col] ?? "";
-    if (isRowAudience(aud)) return quoteIdent(col);
-    const pred = audiencePredicate(aud);
-    if (pred === "true") return quoteIdent(col);
-    const colLit = `'${col.replace(/'/g, "''")}'`;
-    const full = `(${pred}) OR lattice_cell_visible(${lit}, ${pkExpr}, ${colLit})`;
-    return `CASE WHEN ${full} THEN ${quoteIdent(col)} END AS ${quoteIdent(col)}`;
-  });
-  return [
-    `CREATE OR REPLACE VIEW ${view} AS SELECT ${selectCols.join(", ")} FROM ${base} WHERE lattice_row_visible(${lit}, ${pkSqlExpr(pkCols, "")});`,
-    `GRANT SELECT ON ${view} TO ${MEMBER_GROUP};`,
-    `REVOKE SELECT ON ${base} FROM ${MEMBER_GROUP};`
-  ].join("\n");
-}
-function audienceVersionHash(columns, pkCols, columnAudience) {
-  const spec = JSON.stringify([
-    [...columns],
-    [...pkCols],
-    Object.keys(columnAudience).sort().map((k6) => [k6, columnAudience[k6]])
-  ]);
-  let h6 = 2166136261;
-  for (let i6 = 0; i6 < spec.length; i6++) {
-    h6 ^= spec.charCodeAt(i6);
-    h6 = Math.imul(h6, 16777619) >>> 0;
-  }
-  return h6.toString(16).padStart(8, "0");
-}
-async function enableAudienceView(db, table, columns, pkCols, columnAudience) {
-  if (db.getDialect() !== "postgres") return;
-  if (!tableNeedsAudienceView(columnAudience)) return;
-  if (pkCols.length === 0) return;
-  const migration = {
-    version: `internal:audience:table:${table}:v1:${audienceVersionHash(columns, pkCols, columnAudience)}`,
-    sql: audienceViewSql(table, columns, pkCols, columnAudience)
-  };
-  await db.migrate([migration]);
-}
-
 // src/cloud/setup.ts
 async function secureCloud(db) {
   if (db.getDialect() !== "postgres") return;
@@ -55275,7 +56247,8 @@ async function secureCloud(db) {
   await installCloudSettings(db);
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
-  for (const table of db.getRegisteredTableNames()) {
+  const registered = db.getRegisteredTableNames();
+  for (const table of registered) {
     if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
     const pk = db.getPrimaryKey(table);
     if (pk.length === 0) continue;
@@ -55283,78 +56256,113 @@ async function secureCloud(db) {
     await enableRlsForTable(db, table, pk);
     const cols = db.getRegisteredColumns(table);
     if (cols) {
-      await enableAudienceView(db, table, Object.keys(cols), pk, db.getColumnAudience(table));
+      await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+      await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
     }
   }
-}
-
-// src/cloud/members.ts
-import { randomBytes as randomBytes5 } from "crypto";
-var ROLE_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
-var HEX_PW_RE = /^[0-9a-f]{16,}$/;
-function assertPg(db) {
-  if (db.getDialect() !== "postgres") {
-    throw new Error(
-      "lattice: cloud members require a Postgres cloud (SQLite is single-user/local)"
-    );
-  }
-}
-function generateMemberPassword() {
-  return randomBytes5(24).toString("hex");
-}
-function memberRoleName(label) {
-  const base = label.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "").slice(0, 48) || "member";
-  return `lm_${base}_${randomBytes5(3).toString("hex")}`.slice(0, 63);
-}
-async function provisionMemberRole(db, role, password) {
-  assertPg(db);
-  if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
-  if (!HEX_PW_RE.test(password)) {
-    throw new Error("lattice: member password must be hex \u2014 use generateMemberPassword()");
+  if (registered.includes("secrets")) {
+    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
   }
   await runAsyncOrSync(
     db.adapter,
     `DO $LATTICE$ BEGIN
-       IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
-         CREATE ROLE "${role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
-       ELSE
-         ALTER ROLE "${role}" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
+         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
        END IF;
      END $LATTICE$`
   );
-  await runAsyncOrSync(db.adapter, `GRANT ${MEMBER_GROUP} TO "${role}"`);
 }
-var VISIBILITY = /* @__PURE__ */ new Set(["private", "everyone"]);
-async function setRowVisibility(db, table, pk, visibility) {
-  assertPg(db);
-  if (!VISIBILITY.has(visibility)) {
-    throw new Error(`lattice: invalid visibility "${visibility}" (expected private | everyone)`);
-  }
-  await runAsyncOrSync(db.adapter, `SELECT lattice_set_row_visibility(?, ?, ?)`, [
-    table,
-    pk,
-    visibility
-  ]);
-}
-async function grantCell(db, table, pk, column, grantee) {
-  assertPg(db);
-  await runAsyncOrSync(db.adapter, `SELECT lattice_grant_cell(?, ?, ?, ?)`, [
-    table,
-    pk,
-    column,
-    grantee
-  ]);
+
+// src/cloud/invite.ts
+import { randomBytes as randomBytes6, scryptSync as scryptSync2, hkdfSync, createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2 } from "crypto";
+var VERSION = 1;
+var SALT_LEN = 16;
+var SECRET_LEN = 32;
+var NONCE_LEN = 12;
+var TAG_LEN2 = 16;
+var KEY_LEN = 32;
+var HKDF_INFO = Buffer.from("lattice-invite-v1", "utf8");
+function normalizeEmail(email) {
+  return email.trim().toLowerCase();
+}
+function poolerAwareUser(host, role, ownerUser) {
+  if (!/\.pooler\.supabase\.com$/i.test(host)) return role;
+  const dot = ownerUser.indexOf(".");
+  const ref = dot >= 0 ? ownerUser.slice(dot + 1).trim() : "";
+  return ref ? `${role}.${ref}` : role;
+}
+function deriveKey2(tokenSecret, email, salt) {
+  const emailSalt = Buffer.from(scryptSync2(normalizeEmail(email), salt, KEY_LEN));
+  return Buffer.from(hkdfSync("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
+}
+function mintInviteToken(input) {
+  const email = normalizeEmail(input.email);
+  if (!email) throw new Error("lattice: an invite must be bound to an email");
+  const salt = randomBytes6(SALT_LEN);
+  const tokenSecret = randomBytes6(SECRET_LEN);
+  const nonce = randomBytes6(NONCE_LEN);
+  const key = deriveKey2(tokenSecret, email, salt);
+  const payload = {
+    v: 1,
+    host: input.coords.host,
+    port: input.coords.port,
+    dbname: input.coords.dbname,
+    user: input.user,
+    password: input.password,
+    role: input.role,
+    email,
+    expires_at: input.expiresAt.toISOString()
+  };
+  const cipher = createCipheriv2("aes-256-gcm", key, nonce);
+  cipher.setAAD(Buffer.from(email, "utf8"));
+  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([Buffer.from([VERSION]), salt, tokenSecret, nonce, ct, tag]).toString(
+    "base64url"
+  );
 }
-async function revokeCell(db, table, pk, column, grantee) {
-  assertPg(db);
-  await runAsyncOrSync(db.adapter, `SELECT lattice_revoke_cell(?, ?, ?, ?)`, [
-    table,
-    pk,
-    column,
-    grantee
-  ]);
+function redeemInviteToken(email, token) {
+  const normEmail = normalizeEmail(email);
+  if (!normEmail) throw new Error("lattice: enter the email this invite was sent to");
+  const raw = Buffer.from(token.trim(), "base64url");
+  const minLen = 1 + SALT_LEN + SECRET_LEN + NONCE_LEN + TAG_LEN2;
+  if (raw.length < minLen || raw[0] !== VERSION) {
+    throw new Error("lattice: invite token is malformed or from an unsupported version");
+  }
+  let off = 1;
+  const salt = raw.subarray(off, off += SALT_LEN);
+  const tokenSecret = raw.subarray(off, off += SECRET_LEN);
+  const nonce = raw.subarray(off, off += NONCE_LEN);
+  const tag = raw.subarray(raw.length - TAG_LEN2);
+  const ct = raw.subarray(off, raw.length - TAG_LEN2);
+  const key = deriveKey2(tokenSecret, normEmail, salt);
+  const decipher = createDecipheriv2("aes-256-gcm", key, nonce);
+  decipher.setAAD(Buffer.from(normEmail, "utf8"));
+  decipher.setAuthTag(tag);
+  let plaintext;
+  try {
+    plaintext = Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+  } catch {
+    throw new Error("lattice: invite token does not match this email (or is corrupt)");
+  }
+  let payload;
+  try {
+    payload = JSON.parse(plaintext);
+  } catch {
+    throw new Error("lattice: invite token payload is unreadable");
+  }
+  if (normalizeEmail(payload.email) !== normEmail) {
+    throw new Error("lattice: invite token does not match this email");
+  }
+  if (Number.isNaN(Date.parse(payload.expires_at)) || Date.parse(payload.expires_at) < Date.now()) {
+    throw new Error("lattice: this invite has expired \u2014 ask the owner for a new one");
+  }
+  return payload;
 }
 
+// src/gui/dbconfig-routes.ts
+import { createHash as createHash2, randomUUID } from "crypto";
+
 // src/framework/cloud-migration.ts
 import { existsSync as existsSync17, renameSync as renameSync3, unlinkSync as unlinkSync4 } from "fs";
 function isMigratable(tableName) {
@@ -55665,6 +56673,30 @@ function parseSaveBody(body) {
 function resolveRelativeToConfig(configPath, candidate) {
   return isAbsolute2(candidate) ? candidate : resolve7(configPath, "..", candidate);
 }
+async function joinCloudAsMember(ctx, res, fields, label) {
+  const url = buildPostgresUrl(fields);
+  const probe = await probeCloud(url);
+  if (!probe.reachable) {
+    sendJson(res, { ok: false, error: probe.error ?? "Cloud DB unreachable" }, 502);
+    return;
+  }
+  if (!probe.isCloud) {
+    sendJson(
+      res,
+      {
+        ok: false,
+        error: "That Postgres database is not a Lattice cloud yet. The owner must migrate a local Lattice into it first."
+      },
+      409
+    );
+    return;
+  }
+  saveDbCredential(label, url);
+  rewriteDbLine(ctx.configPath, "${LATTICE_DB:" + label + "}");
+  updateActiveWorkspaceToCloud(ctx.configPath, label);
+  await ctx.swap();
+  sendJson(res, { ok: true, label, isCloud: true });
+}
 async function dispatchDbConfigRoute(req, res, ctx) {
   const { pathname, method } = ctx;
   if (pathname === "/api/dbconfig" && method === "GET") {
@@ -55836,35 +56868,19 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         sendJson(res, { error: "Invalid Postgres credentials" }, 400);
         return;
       }
-      const url = buildPostgresUrl({
-        host: parsed.host,
-        port: Number(parsed.port),
-        dbname: parsed.dbname,
-        user: parsed.user,
-        password: parsed.password
-      });
       try {
-        const probe = await probeCloud(url);
-        if (!probe.reachable) {
-          sendJson(res, { ok: false, error: probe.error ?? "Cloud DB unreachable" }, 502);
-          return;
-        }
-        if (!probe.isCloud) {
-          sendJson(
-            res,
-            {
-              ok: false,
-              error: "That Postgres database is not a Lattice cloud yet. The owner must migrate a local Lattice into it first."
-            },
-            409
-          );
-          return;
-        }
-        saveDbCredential(parsed.label, url);
-        rewriteDbLine(ctx.configPath, "${LATTICE_DB:" + parsed.label + "}");
-        updateActiveWorkspaceToCloud(ctx.configPath, parsed.label);
-        await ctx.swap();
-        sendJson(res, { ok: true, label: parsed.label, isCloud: true });
+        await joinCloudAsMember(
+          ctx,
+          res,
+          {
+            host: parsed.host,
+            port: Number(parsed.port),
+            dbname: parsed.dbname,
+            user: parsed.user,
+            password: parsed.password
+          },
+          parsed.label
+        );
       } catch (e6) {
         const status = e6.status ?? 500;
         sendJson(res, { ok: false, error: e6.message }, status);
@@ -55872,6 +56888,35 @@ async function dispatchDbConfigRoute(req, res, ctx) {
     });
     return true;
   }
+  if (pathname === "/api/cloud/members" && method === "GET") {
+    await tryHandler(res, async () => {
+      if (ctx.db.getDialect() !== "postgres" || !await cloudRlsInstalled(ctx.db)) {
+        sendJson(res, { members: [] });
+        return;
+      }
+      const me = await getAsyncOrSync(ctx.db.adapter, `SELECT session_user AS u`);
+      const owner = me?.u ?? "";
+      if (!await canManageRoles(ctx.db)) {
+        sendJson(res, { members: owner ? [{ role: owner, isOwner: false, isYou: true }] : [] });
+        return;
+      }
+      const rows = await allAsyncOrSync(
+        ctx.db.adapter,
+        `SELECT m.rolname AS role
+           FROM pg_auth_members am
+           JOIN pg_roles g ON g.oid = am.roleid AND g.rolname = ?
+           JOIN pg_roles m ON m.oid = am.member
+          ORDER BY m.rolname`,
+        [MEMBER_GROUP]
+      );
+      const members = [
+        ...owner ? [{ role: owner, isOwner: true, isYou: true }] : [],
+        ...rows.map((r6) => ({ role: r6.role, isOwner: false, isYou: r6.role === owner }))
+      ];
+      sendJson(res, { members });
+    });
+    return true;
+  }
   if (pathname === "/api/cloud/invite" && method === "POST") {
     await tryHandler(res, async () => {
       if (ctx.db.getDialect() !== "postgres" || !await cloudRlsInstalled(ctx.db)) {
@@ -55883,21 +56928,72 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         return;
       }
       const body = await readJson(req);
-      const label = typeof body.label === "string" && body.label.trim() ? body.label.trim() : "member";
-      const role = memberRoleName(label);
+      const email = typeof body.email === "string" ? body.email.trim() : "";
+      if (!email || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
+        sendJson(res, { error: "A valid invitee email is required" }, 400);
+        return;
+      }
+      const coords = activeCloudCoords(ctx.configPath);
+      if (!coords) {
+        sendJson(res, { error: "Could not resolve the cloud connection coordinates" }, 500);
+        return;
+      }
+      const role = memberRoleName(email);
       const password = generateMemberPassword();
       await provisionMemberRole(ctx.db, role, password);
-      const coords = activeCloudCoords(ctx.configPath);
-      sendJson(res, {
-        ok: true,
-        invite: {
-          host: coords?.host ?? null,
-          port: coords?.port ?? null,
-          dbname: coords?.dbname ?? null,
-          user: role,
-          password
-        }
-      });
+      await assertScopedMemberRole(ctx.db, role);
+      const me = await getAsyncOrSync(ctx.db.adapter, `SELECT session_user AS u`);
+      const user = poolerAwareUser(coords.host, role, me?.u ?? "");
+      const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3);
+      const token = mintInviteToken({ coords, user, password, role, email, expiresAt });
+      await runAsyncOrSync(
+        ctx.db.adapter,
+        `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","expires_at")
+           VALUES (?, ?, ?, ?)`,
+        [
+          randomUUID(),
+          role,
+          createHash2("sha256").update(email.trim().toLowerCase()).digest("hex"),
+          expiresAt.toISOString()
+        ]
+      );
+      sendJson(res, { ok: true, token, role, email });
+    });
+    return true;
+  }
+  if (pathname === "/api/cloud/redeem-invite" && method === "POST") {
+    await tryHandler(res, async () => {
+      const body = await readJson(req);
+      const email = typeof body.email === "string" ? body.email.trim() : "";
+      const token = typeof body.token === "string" ? body.token.trim() : "";
+      if (!email || !token) {
+        sendJson(
+          res,
+          { ok: false, error: "Enter the email this invite was sent to and the invite token." },
+          400
+        );
+        return;
+      }
+      let payload;
+      try {
+        payload = redeemInviteToken(email, token);
+      } catch (e6) {
+        sendJson(res, { ok: false, error: e6.message }, 400);
+        return;
+      }
+      const label = typeof body.label === "string" && body.label.trim() ? body.label.trim() : "Cloud workspace";
+      await joinCloudAsMember(
+        ctx,
+        res,
+        {
+          host: payload.host,
+          port: payload.port,
+          dbname: payload.dbname,
+          user: payload.user,
+          password: payload.password
+        },
+        label
+      );
     });
     return true;
   }
@@ -56300,7 +57396,7 @@ async function transcribe(opts) {
 }
 
 // src/gui/ai/oauth.ts
-import { createHash as createHash5, randomBytes as randomBytes6 } from "crypto";
+import { createHash as createHash6, randomBytes as randomBytes7 } from "crypto";
 function readOAuthConfig(env2 = process.env) {
   const authorizeUrl = env2.ANTHROPIC_OAUTH_AUTHORIZE_URL;
   const tokenUrl = env2.ANTHROPIC_OAUTH_TOKEN_URL;
@@ -56314,13 +57410,13 @@ function oauthConfigured(env2 = process.env) {
   return readOAuthConfig(env2) !== null;
 }
 function generatePkceVerifier() {
-  return randomBytes6(48).toString("base64url");
+  return randomBytes7(48).toString("base64url");
 }
 function pkceChallengeFor(verifier) {
-  return createHash5("sha256").update(verifier).digest("base64url");
+  return createHash6("sha256").update(verifier).digest("base64url");
 }
 function generateState() {
-  return randomBytes6(24).toString("base64url");
+  return randomBytes7(24).toString("base64url");
 }
 function buildAuthorizeUrl(cfg, state2, codeChallenge) {
   const params = new URLSearchParams({
@@ -57153,7 +58249,12 @@ async function executeFunction(ctx, name, args) {
         if (!args.values || typeof args.values !== "object") {
           throw new Error("values object is required");
         }
-        const { id } = await createRow(mctx, table, args.values);
+        const { id } = await createRow(
+          mctx,
+          table,
+          args.values,
+          ctx.privateMode ? "private" : void 0
+        );
         return { ok: true, result: { id } };
       }
       case "update_row": {
@@ -57931,6 +59032,9 @@ async function dispatchChatRoute(req, res, ctx) {
   const dispatch = {
     db: ctx.db,
     feed: ctx.feed,
+    // "Private mode" chat toggle: force rows the assistant creates this turn private
+    // regardless of the table default (a transient per-request choice).
+    privateMode: body.privateMode === true,
     validTables: new Set([...ctx.validTables].filter((t8) => !ASSISTANT_HIDDEN_TABLES.has(t8))),
     junctionTables: new Set([...ctx.junctionTables].filter((t8) => !ASSISTANT_HIDDEN_TABLES.has(t8))),
     softDeletable: ctx.softDeletable,
@@ -58996,12 +60100,12 @@ async function renderViaPlaywright(url, timeoutMs) {
 }
 
 // src/framework/blob-store.ts
-import { createHash as createHash6 } from "crypto";
+import { createHash as createHash7 } from "crypto";
 import { createReadStream as createReadStream2, existsSync as existsSync20, mkdirSync as mkdirSync9, statSync as statSync6, copyFileSync as copyFileSync3 } from "fs";
 import { basename as basename9, join as join24 } from "path";
 async function hashFile(srcPath) {
   return new Promise((resolve11, reject) => {
-    const hash = createHash6("sha256");
+    const hash = createHash7("sha256");
     const stream = createReadStream2(srcPath);
     stream.on("data", (chunk) => hash.update(chunk));
     stream.on("error", reject);
@@ -59033,7 +60137,7 @@ async function attachBlob(srcPath, latticeRoot) {
 }
 
 // src/gui/ingest-routes.ts
-import { createHash as createHash7 } from "crypto";
+import { createHash as createHash8 } from "crypto";
 function fileSlug(name, id) {
   const base = slugify(name.replace(/\.[^./\\]+$/, "")) || "file";
   return `${base}-${id.slice(0, 8)}`;
@@ -59453,7 +60557,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     let s3Status = null;
     const s3cfg = resolveActiveS3Config(ctx.configPath);
     if (s3cfg) {
-      const sha256 = blob?.sha256 ?? createHash7("sha256").update(buf).digest("hex");
+      const sha256 = blob?.sha256 ?? createHash8("sha256").update(buf).digest("hex");
       const key = s3Key(s3cfg.prefix, sha256);
       try {
         const store = await createS3Store(s3cfg);
@@ -59716,6 +60820,63 @@ async function exactCountMany(adapter, tableNames, softDeleteTables) {
   return out;
 }
 
+// src/gui/render-progress.ts
+import { EventEmitter as EventEmitter3 } from "events";
+var RenderProgressBus = class {
+  emitter = new EventEmitter3();
+  EVENT = "render-progress";
+  _latest = null;
+  constructor() {
+    this.emitter.setMaxListeners(64);
+  }
+  /** Publish a render progress event to all subscribers. */
+  publish(event) {
+    this._latest = event;
+    this.emitter.emit(this.EVENT, event);
+  }
+  /** Subscribe to future events. Returns an unsubscribe function. */
+  subscribe(handler) {
+    this.emitter.on(this.EVENT, handler);
+    return () => this.emitter.off(this.EVENT, handler);
+  }
+  /** The most recently published event, or null if none yet. */
+  latest() {
+    return this._latest;
+  }
+  /** Number of live subscribers (for diagnostics/tests). */
+  listenerCount() {
+    return this.emitter.listenerCount(this.EVENT);
+  }
+};
+
+// src/cloud/table-policy.ts
+async function getAllTablePolicies(db) {
+  if (db.getDialect() !== "postgres") return {};
+  const rows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT "table_name", "default_row_visibility", "never_share" FROM "__lattice_table_policy"`
+  );
+  const out = {};
+  for (const r6 of rows) {
+    out[r6.table_name] = {
+      defaultRowVisibility: r6.default_row_visibility === "everyone" ? "everyone" : "private",
+      neverShare: r6.never_share === true
+    };
+  }
+  return out;
+}
+async function setTableDefaultVisibility(db, table, visibility) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_default_visibility(?, ?)`, [
+    table,
+    visibility
+  ]);
+}
+async function setTableNeverShare(db, table, on) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share(?, ?)`, [table, on]);
+}
+
 // src/gui/server.ts
 function sendText(res, body, status = 200, contentType = "text/plain; charset=utf-8") {
   res.writeHead(status, { "content-type": contentType, "cache-control": "no-store" });
@@ -59802,6 +60963,14 @@ async function entitiesWithCounts(db, configPath, outputDir) {
       return base;
     })
   );
+  if (db.getDialect() === "postgres" && await cloudRlsInstalled(db) && await canManageRoles(db)) {
+    const policies = await getAllTablePolicies(db);
+    for (const t8 of enrichedTables) {
+      const policy = policies[t8.name];
+      t8.defaultRowVisibility = policy?.defaultRowVisibility ?? "private";
+      t8.neverShare = policy?.neverShare ?? false;
+    }
+  }
   return { ...payload, tables: enrichedTables };
 }
 var FRESHNESS_COLS = ["updated_at", "created_at", "ts"];
@@ -60053,11 +61222,6 @@ async function openConfig(configPath, outputDir, autoRender = false) {
   }
   if (autoRender) {
     db.enableAutoRender(outputDir);
-    try {
-      await db.render(outputDir);
-    } catch (e6) {
-      console.warn("[openConfig] initial render failed:", e6.message);
-    }
     if (!existsSync21(manifestPath(outputDir))) {
       writeManifest(outputDir, {
         version: 2,
@@ -60078,7 +61242,10 @@ async function openConfig(configPath, outputDir, autoRender = false) {
     realtime,
     feed: new FeedBus(),
     dbPath: parsed.dbPath,
-    autoRender
+    autoRender,
+    renderProgress: new RenderProgressBus(),
+    renderAbort: new AbortController(),
+    renderState: { phase: "idle", tables: {} }
   };
 }
 function friendlyConfigName(parsedName, configPath) {
@@ -60150,7 +61317,77 @@ function deleteDatabaseFiles(targetConfigPath) {
   }
   return { deletedConfig: basename11(targetConfigPath), deletedDbFile };
 }
+function startBackgroundRender(active) {
+  if (!active.autoRender) return;
+  if (active.renderState.phase === "running") return;
+  active.renderState.phase = "running";
+  const db = active.db;
+  const signal = active.renderAbort.signal;
+  const state2 = active.renderState;
+  const bus = active.renderProgress;
+  const startedAt = Date.now();
+  const onProgress = (e6) => {
+    if (signal.aborted) return;
+    if (e6.table) {
+      state2.tables[e6.table] = {
+        pct: e6.pct,
+        entitiesRendered: e6.entitiesRendered,
+        entitiesTotal: e6.entitiesTotal,
+        done: e6.kind === "table-done"
+      };
+      state2.currentTable = e6.table;
+      state2.tableIndex = e6.tableIndex;
+      state2.tableCount = e6.tableCount;
+    }
+    if (e6.kind === "done") {
+      state2.phase = "done";
+      state2.durationMs = e6.durationMs ?? Date.now() - startedAt;
+    } else if (e6.kind === "error") {
+      state2.phase = "error";
+      state2.error = e6.message ?? "render failed";
+      console.error("[render] background render error:", e6.message ?? "(no message)");
+    }
+    bus.publish(e6);
+  };
+  void db.renderInBackground(active.outputDir, { signal, onProgress }).then(
+    () => {
+    },
+    (err) => {
+      if (signal.aborted) return;
+      const message = err instanceof Error ? err.message : String(err);
+      state2.phase = "error";
+      state2.error = message;
+      console.error("[render] background render rejected:", message);
+      bus.publish({
+        kind: "error",
+        table: state2.currentTable ?? null,
+        entitiesRendered: 0,
+        entitiesTotal: 0,
+        tableIndex: state2.tableIndex ?? 0,
+        tableCount: state2.tableCount ?? 0,
+        pct: 0,
+        message
+      });
+    }
+  );
+}
+async function attachRowAccess(db, table, rows) {
+  if (rows.length === 0) return;
+  const pkCols = db.getPrimaryKey(table);
+  if (pkCols.length === 0) return;
+  const pkOf = (r6) => pkCols.map((c6) => String(r6[c6])).join("	");
+  const summaries = await rowAccessSummaries(db, table, rows.map(pkOf));
+  if (summaries.size === 0) return;
+  for (const r6 of rows) {
+    const a6 = summaries.get(pkOf(r6));
+    if (a6) r6._access = a6;
+  }
+}
 async function disposeActive(active) {
+  try {
+    active.renderAbort.abort();
+  } catch {
+  }
   if (active.realtime) {
     try {
       await active.realtime.stop();
@@ -60167,6 +61404,7 @@ async function reopenSameConfig(active, autoRender) {
   await disposeActive(active);
   const next = await openConfig(active.configPath, active.outputDir, autoRender);
   next.feed = feed;
+  startBackgroundRender(next);
   return next;
 }
 async function syncUserIdentityRow(db) {
@@ -60282,7 +61520,9 @@ async function applySchemaConfig(active, entry, direction, autoRender) {
   for (const sql of ddl) await execSql(active.db, sql);
   saveConfigDoc(active.configPath, doc);
   await disposeActive(active);
-  return openConfig(active.configPath, active.outputDir, autoRender);
+  const next = await openConfig(active.configPath, active.outputDir, autoRender);
+  startBackgroundRender(next);
+  return next;
 }
 function schemaReverseSummary(verb, entry) {
   const what = entry.operation.replace("schema.", "").replace(/_/g, " ");
@@ -60426,6 +61666,46 @@ data: ${JSON.stringify(data)}
           req.on("error", cleanup);
           return;
         }
+        if (method === "GET" && pathname === "/api/render/status") {
+          sendJson(res, active.renderState);
+          return;
+        }
+        if (method === "GET" && pathname === "/api/render/progress") {
+          res.writeHead(200, {
+            "content-type": "text/event-stream; charset=utf-8",
+            "cache-control": "no-store, no-transform",
+            connection: "keep-alive",
+            "x-accel-buffering": "no"
+          });
+          const writeEvent = (event, data) => {
+            try {
+              res.write(`event: ${event}
+data: ${JSON.stringify(data)}
+
+`);
+            } catch {
+            }
+          };
+          writeEvent("snapshot", active.renderState);
+          const keepalive = setInterval(() => {
+            try {
+              res.write(`: keepalive
+
+`);
+            } catch {
+            }
+          }, 25e3);
+          const offProgress = active.renderProgress.subscribe((e6) => {
+            writeEvent("progress", e6);
+          });
+          const cleanup = () => {
+            clearInterval(keepalive);
+            offProgress();
+          };
+          req.on("close", cleanup);
+          req.on("error", cleanup);
+          return;
+        }
         if (method === "GET" && pathname === "/api/project") {
           sendJson(res, getGuiProject(active.configPath, active.outputDir));
           return;
@@ -60660,9 +61940,68 @@ data: ${JSON.stringify(data)}
               updated_at: (/* @__PURE__ */ new Date()).toISOString()
             });
           }
+          if (active.db.getDialect() === "postgres") {
+            const columnNames = Object.keys(active.db.getRegisteredColumns(tableName) ?? {});
+            const pkCols = active.db.getPrimaryKey(tableName);
+            await setColumnAudience(
+              active.db,
+              tableName,
+              colName,
+              secret ? "owner" : "",
+              columnNames,
+              pkCols
+            );
+          }
           sendJson(res, { ok: true });
           return;
         }
+        if (method === "POST" && /^\/api\/schema\/entities\/[^/]+\/default-row-visibility$/.test(pathname)) {
+          const table = decodeURIComponent(pathname.split("/")[4] ?? "");
+          if (!active.validTables.has(table)) {
+            sendJson(res, { error: `Unknown table: ${table}` }, 400);
+            return;
+          }
+          if (active.db.getDialect() !== "postgres" || !await cloudRlsInstalled(active.db)) {
+            sendJson(res, { error: "The active database is not a Lattice cloud" }, 400);
+            return;
+          }
+          if (!await canManageRoles(active.db)) {
+            sendJson(res, { error: "Only a cloud owner can change default row visibility" }, 403);
+            return;
+          }
+          const body = await readJson(req);
+          const visibility = body.visibility === "everyone" ? "everyone" : "private";
+          if (body.visibility !== "everyone" && body.visibility !== "private") {
+            sendJson(res, { error: "visibility must be 'private' or 'everyone'" }, 400);
+            return;
+          }
+          await setTableDefaultVisibility(active.db, table, visibility);
+          sendJson(res, { ok: true, table, visibility });
+          return;
+        }
+        if (method === "POST" && /^\/api\/schema\/entities\/[^/]+\/never-share$/.test(pathname)) {
+          const table = decodeURIComponent(pathname.split("/")[4] ?? "");
+          if (!active.validTables.has(table)) {
+            sendJson(res, { error: `Unknown table: ${table}` }, 400);
+            return;
+          }
+          if (active.db.getDialect() !== "postgres" || !await cloudRlsInstalled(active.db)) {
+            sendJson(res, { error: "The active database is not a Lattice cloud" }, 400);
+            return;
+          }
+          if (!await canManageRoles(active.db)) {
+            sendJson(res, { error: "Only a cloud owner can change never-share" }, 403);
+            return;
+          }
+          const body = await readJson(req);
+          if (typeof body.on !== "boolean") {
+            sendJson(res, { error: "on must be a boolean" }, 400);
+            return;
+          }
+          await setTableNeverShare(active.db, table, body.on);
+          sendJson(res, { ok: true, table, on: body.on });
+          return;
+        }
         if (method === "POST" && /^\/api\/schema\/entities\/[^/]+\/rename$/.test(pathname)) {
           const oldName = decodeURIComponent(pathname.split("/")[4] ?? "");
           if (!active.validTables.has(oldName)) {
@@ -61297,6 +62636,7 @@ data: ${JSON.stringify(data)}
           setActiveWorkspace(latticeRoot, ws.id);
           await disposeActive(active);
           active = next;
+          startBackgroundRender(active);
           currentWorkspaceId = ws.id;
           sendJson(res, { ok: true, id: ws.id });
           return;
@@ -61336,6 +62676,7 @@ data: ${JSON.stringify(data)}
           setActiveWorkspace(latticeRoot, created.id);
           await disposeActive(active);
           active = newActive;
+          startBackgroundRender(active);
           currentWorkspaceId = created.id;
           sendJson(res, { ok: true, id: created.id });
           return;
@@ -61389,6 +62730,7 @@ data: ${JSON.stringify(data)}
             setActiveWorkspace(latticeRoot, fallback.id);
             await disposeActive(active);
             active = next;
+            startBackgroundRender(active);
             switchedTo = fallback.id;
             currentWorkspaceId = fallback.id;
           }
@@ -61467,6 +62809,7 @@ data: ${JSON.stringify(data)}
           }
           await disposeActive(active);
           active = next;
+          startBackgroundRender(active);
           sendJson(res, { ok: true, path: active.configPath });
           return;
         }
@@ -61484,6 +62827,7 @@ data: ${JSON.stringify(data)}
           );
           await disposeActive(active);
           active = next;
+          startBackgroundRender(active);
           sendJson(res, { ok: true, path: active.configPath });
           return;
         }
@@ -61534,6 +62878,7 @@ data: ${JSON.stringify(data)}
             }
             await disposeActive(active);
             active = next;
+            startBackgroundRender(active);
             switchedTo = active.configPath;
           }
           let deleted;
@@ -61667,6 +63012,7 @@ data: ${JSON.stringify(data)}
                 ];
               }
               const rows = await active.db.query(table, queryOpts);
+              await attachRowAccess(active.db, table, rows);
               sendJson(res, { rows });
               return;
             }
@@ -61683,6 +63029,7 @@ data: ${JSON.stringify(data)}
                 sendJson(res, { error: "Row not found" }, 404);
                 return;
               }
+              await attachRowAccess(active.db, table, [row]);
               sendJson(res, row);
               return;
             }
@@ -61803,6 +63150,7 @@ data: ${JSON.stringify(data)}
               const next = await openConfig(active.configPath, active.outputDir, autoRender);
               await disposeActive(active);
               active = next;
+              startBackgroundRender(active);
             }
           });
           if (handled) return;
@@ -61827,6 +63175,7 @@ ${e6.stack ?? ""}`
     })();
   });
   const port = await listenWithPortFallback(server, startPort, host);
+  startBackgroundRender(active);
   const displayHost = host === "0.0.0.0" || host === "::" ? "127.0.0.1" : host;
   const url = `http://${displayHost}:${String(port)}`;
   if (options.openBrowser ?? true) openUrl(url);